From 3e8bc9f16ac31e593dbc9655a02d72fe27d02826 Mon Sep 17 00:00:00 2001
From: MoerAI <friendnt@g.skku.edu>
Date: Mon, 16 Mar 2026 12:11:58 +0900
Subject: [PATCH 001/133] fix(daemon): accept 'Last Result' schtasks key
 variant on Windows (#47726)

Some Windows locales/versions emit 'Last Result' instead of 'Last Run Result' in schtasks output, causing gateway status to falsely report 'Runtime: unknown'. Fall back to the shorter key when the canonical key is absent.
---
 src/daemon/schtasks.test.ts | 14 ++++++++++++++
 src/daemon/schtasks.ts      |  4 +++-
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/src/daemon/schtasks.test.ts b/src/daemon/schtasks.test.ts
index 633df0fee7e..469ca584a7d 100644
--- a/src/daemon/schtasks.test.ts
+++ b/src/daemon/schtasks.test.ts
@@ -23,6 +23,20 @@ describe("schtasks runtime parsing", () => {
       lastRunResult: "0x0",
     });
   });
+
+  it("parses 'Last Result' key variant (without 'Run') (#47726)", () => {
+    const output = [
+      "TaskName: \\OpenClaw Gateway",
+      "Status: Running",
+      "Last Run Time: 2026/3/16 8:34:15",
+      "Last Result: 267009",
+    ].join("\r\n");
+    expect(parseSchtasksQuery(output)).toEqual({
+      status: "Running",
+      lastRunTime: "2026/3/16 8:34:15",
+      lastRunResult: "267009",
+    });
+  });
 });
 
 describe("scheduled task runtime derivation", () => {
diff --git a/src/daemon/schtasks.ts b/src/daemon/schtasks.ts
index 2216e93bfd9..816ade13390 100644
--- a/src/daemon/schtasks.ts
+++ b/src/daemon/schtasks.ts
@@ -178,7 +178,9 @@ export function parseSchtasksQuery(output: string): ScheduledTaskInfo {
   if (lastRunTime) {
     info.lastRunTime = lastRunTime;
   }
-  const lastRunResult = entries["last run result"];
+  // Some Windows locales/versions emit "Last Result" instead of "Last Run Result".
+  // Accept both so gateway status is not falsely reported as "unknown" (#47726).
+  const lastRunResult = entries["last run result"] ?? entries["last result"];
   if (lastRunResult) {
     info.lastRunResult = lastRunResult;
   }

From abe7ea4373ae1ac75171ee63604119f29bf11732 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Mar 2026 05:20:08 +0000
Subject: [PATCH 002/133] fix: accept schtasks Last Result key on Windows
 (#47844) (thanks @MoerAI)

---
 CHANGELOG.md                  |  1 +
 src/cli/program.smoke.test.ts |  4 +--
 src/cli/program.test-mocks.ts | 54 ++++++++++++++++++++---------------
 3 files changed, 34 insertions(+), 25 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ce45052af01..d8040d79aef 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -81,6 +81,7 @@ Docs: https://docs.openclaw.ai
 - Gateway/watch mode: restart on bundled-plugin package and manifest metadata changes, rebuild `dist` for extension source and `tsdown.config.ts` changes, and still ignore extension docs. (#47571) thanks @gumadeiras.
 - Gateway/watch mode: recreate bundled plugin runtime metadata after clean or stale `dist` states, so `pnpm gateway:watch` no longer fails on missing `dist/extensions/*/openclaw.plugin.json` manifests after a rebuild. Thanks @gumadeiras.
 - Plugins/context engines: enforce owner-aware context-engine registration on both loader and public SDK paths so plugins cannot spoof privileged ownership, claim the core `legacy` engine id, or overwrite an existing engine id through direct SDK imports. (#47595) Thanks @vincentkoc.
+- Windows/gateway status: accept `schtasks` `Last Result` output as an alias for `Last Run Result`, so running scheduled-task installs no longer show `Runtime: unknown`. (#47844) Thanks @MoerAI.
 
 ## 2026.3.13
 
diff --git a/src/cli/program.smoke.test.ts b/src/cli/program.smoke.test.ts
index 259dd3b0360..9b8fc6dc454 100644
--- a/src/cli/program.smoke.test.ts
+++ b/src/cli/program.smoke.test.ts
@@ -4,10 +4,10 @@ import {
   ensureConfigReady,
   installBaseProgramMocks,
   installSmokeProgramMocks,
-  onboardCommand,
   runTui,
   runtime,
   setupCommand,
+  setupWizardCommand,
 } from "./program.test-mocks.js";
 
 installBaseProgramMocks();
@@ -68,6 +68,6 @@ describe("cli program (smoke)", () => {
     await runProgram(["setup", "--remote-url", "ws://example"]);
 
     expect(setupCommand).not.toHaveBeenCalled();
-    expect(onboardCommand).toHaveBeenCalledTimes(1);
+    expect(setupWizardCommand).toHaveBeenCalledTimes(1);
   });
 });
diff --git a/src/cli/program.test-mocks.ts b/src/cli/program.test-mocks.ts
index cf71122749f..8f82e71fca5 100644
--- a/src/cli/program.test-mocks.ts
+++ b/src/cli/program.test-mocks.ts
@@ -2,34 +2,39 @@ import { vi, type Mock } from "vitest";
 
 type AnyMock = Mock<(...args: unknown[]) => unknown>;
 
-const programMocks = vi.hoisted(() => ({
-  messageCommand: vi.fn(),
-  statusCommand: vi.fn(),
-  configureCommand: vi.fn(),
-  configureCommandWithSections: vi.fn(),
-  setupCommand: vi.fn(),
-  onboardCommand: vi.fn(),
-  callGateway: vi.fn(),
-  runChannelLogin: vi.fn(),
-  runChannelLogout: vi.fn(),
-  runTui: vi.fn(),
-  loadAndMaybeMigrateDoctorConfig: vi.fn(),
-  ensureConfigReady: vi.fn(),
-  ensurePluginRegistryLoaded: vi.fn(),
-  runtime: {
-    log: vi.fn(),
-    error: vi.fn(),
-    exit: vi.fn(() => {
-      throw new Error("exit");
-    }),
-  },
-}));
+const programMocks = vi.hoisted(() => {
+  const setupWizardCommand = vi.fn();
+  return {
+    messageCommand: vi.fn(),
+    statusCommand: vi.fn(),
+    configureCommand: vi.fn(),
+    configureCommandWithSections: vi.fn(),
+    setupCommand: vi.fn(),
+    setupWizardCommand,
+    onboardCommand: setupWizardCommand,
+    callGateway: vi.fn(),
+    runChannelLogin: vi.fn(),
+    runChannelLogout: vi.fn(),
+    runTui: vi.fn(),
+    loadAndMaybeMigrateDoctorConfig: vi.fn(),
+    ensureConfigReady: vi.fn(),
+    ensurePluginRegistryLoaded: vi.fn(),
+    runtime: {
+      log: vi.fn(),
+      error: vi.fn(),
+      exit: vi.fn(() => {
+        throw new Error("exit");
+      }),
+    },
+  };
+});
 
 export const messageCommand = programMocks.messageCommand as AnyMock;
 export const statusCommand = programMocks.statusCommand as AnyMock;
 export const configureCommand = programMocks.configureCommand as AnyMock;
 export const configureCommandWithSections = programMocks.configureCommandWithSections as AnyMock;
 export const setupCommand = programMocks.setupCommand as AnyMock;
+export const setupWizardCommand = programMocks.setupWizardCommand as AnyMock;
 export const onboardCommand = programMocks.onboardCommand as AnyMock;
 export const callGateway = programMocks.callGateway as AnyMock;
 export const runChannelLogin = programMocks.runChannelLogin as AnyMock;
@@ -71,7 +76,10 @@ vi.mock("../commands/configure.js", () => ({
   },
 }));
 vi.mock("../commands/setup.js", () => ({ setupCommand: programMocks.setupCommand }));
-vi.mock("../commands/onboard.js", () => ({ onboardCommand: programMocks.onboardCommand }));
+vi.mock("../commands/onboard.js", () => ({
+  onboardCommand: programMocks.onboardCommand,
+  setupWizardCommand: programMocks.setupWizardCommand,
+}));
 vi.mock("../runtime.js", () => ({ defaultRuntime: programMocks.runtime }));
 vi.mock("./channel-auth.js", () => ({
   runChannelLogin: programMocks.runChannelLogin,

From e627a5069ff1b2f9d08a63acb323ed0b4de118cd Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Sun, 15 Mar 2026 22:23:19 -0700
Subject: [PATCH 003/133] refactor(plugins): move auth profile hooks into
 providers

---
 docs/concepts/model-providers.md              |  29 ++--
 docs/tools/plugin.md                          |  76 ++++++----
 extensions/anthropic/index.test.ts            |  33 ++++
 extensions/anthropic/index.ts                 |  46 +++++-
 extensions/copilot-proxy/index.ts             |   8 +
 extensions/github-copilot/index.ts            |  60 +++++++-
 extensions/google/gemini-cli-provider.test.ts |  16 ++
 extensions/google/gemini-cli-provider.ts      |  41 +++++
 extensions/openai/openai-codex-provider.ts    |  31 ++++
 extensions/openai/openai-codex.test.ts        |  28 +++-
 extensions/qwen-portal-auth/index.test.ts     |  32 ++++
 extensions/qwen-portal-auth/index.ts          |  16 ++
 src/agents/auth-profiles/doctor.ts            |  28 +++-
 ...auth.openai-codex-refresh-fallback.test.ts |  31 +++-
 src/agents/auth-profiles/oauth.ts             | 115 ++++++--------
 .../auth-choice.apply.api-key-providers.ts    |  55 +++++++
 src/commands/auth-choice.apply.byteplus.ts    |  46 ------
 .../auth-choice.apply.copilot-proxy.ts        |  14 --
 .../auth-choice.apply.github-copilot.ts       |  63 --------
 ...uth-choice.apply.google-gemini-cli.test.ts |  86 -----------
 .../auth-choice.apply.google-gemini-cli.ts    |  37 -----
 src/commands/auth-choice.apply.qwen-portal.ts |  14 --
 src/commands/auth-choice.apply.ts             |  14 --
 ...h-choice.apply.volcengine-byteplus.test.ts | 141 ------------------
 src/commands/auth-choice.apply.volcengine.ts  |  46 ------
 src/commands/auth-choice.apply.xai.ts         |  65 --------
 src/commands/auth-choice.test.ts              |  27 ++++
 src/plugin-sdk/core.ts                        |   1 +
 src/plugin-sdk/index.ts                       |   1 +
 src/plugins/provider-runtime.runtime.ts       |   3 +
 src/plugins/provider-runtime.test.ts          | 107 +++++++++----
 src/plugins/provider-runtime.ts               |  54 ++++---
 src/plugins/types.ts                          |  41 +++++
 33 files changed, 712 insertions(+), 693 deletions(-)
 create mode 100644 extensions/qwen-portal-auth/index.test.ts
 delete mode 100644 src/commands/auth-choice.apply.byteplus.ts
 delete mode 100644 src/commands/auth-choice.apply.copilot-proxy.ts
 delete mode 100644 src/commands/auth-choice.apply.github-copilot.ts
 delete mode 100644 src/commands/auth-choice.apply.google-gemini-cli.test.ts
 delete mode 100644 src/commands/auth-choice.apply.google-gemini-cli.ts
 delete mode 100644 src/commands/auth-choice.apply.qwen-portal.ts
 delete mode 100644 src/commands/auth-choice.apply.volcengine-byteplus.test.ts
 delete mode 100644 src/commands/auth-choice.apply.volcengine.ts
 delete mode 100644 src/commands/auth-choice.apply.xai.ts

diff --git a/docs/concepts/model-providers.md b/docs/concepts/model-providers.md
index 8767d108132..8e8f17f4a67 100644
--- a/docs/concepts/model-providers.md
+++ b/docs/concepts/model-providers.md
@@ -25,7 +25,8 @@ For model selection rules, see [/concepts/models](/concepts/models).
   cases such as Anthropic API-key-first onboarding.
 - Provider plugins can also own provider runtime behavior via
   `resolveDynamicModel`, `prepareDynamicModel`, `normalizeResolvedModel`,
-  `capabilities`, `prepareExtraParams`, `wrapStreamFn`,
+  `capabilities`, `prepareExtraParams`, `wrapStreamFn`, `formatApiKey`,
+  `refreshOAuth`, `buildAuthDoctorHint`,
   `isCacheTtlEligible`, `buildMissingAuthMessage`,
   `suppressBuiltInModel`, `augmentModelCatalog`, `isBinaryThinking`,
   `supportsXHighThinking`, `resolveDefaultThinkingLevel`,
@@ -52,6 +53,12 @@ Typical split:
 - `capabilities`: provider publishes transcript/tooling/provider-family quirks
 - `prepareExtraParams`: provider defaults or normalizes per-model request params
 - `wrapStreamFn`: provider applies request headers/body/model compat wrappers
+- `formatApiKey`: provider formats stored auth profiles into the runtime
+  `apiKey` string expected by the transport
+- `refreshOAuth`: provider owns OAuth refresh when the shared `pi-ai`
+  refreshers are not enough
+- `buildAuthDoctorHint`: provider appends repair guidance when OAuth refresh
+  fails
 - `isCacheTtlEligible`: provider decides which upstream model ids support prompt-cache TTL
 - `buildMissingAuthMessage`: provider replaces the generic auth-store error
   with a provider-specific recovery hint
@@ -73,19 +80,21 @@ Typical split:
 
 Current bundled examples:
 
-- `anthropic`: Claude 4.6 forward-compat fallback, usage endpoint fetching,
-  and cache-TTL/provider-family metadata
+- `anthropic`: Claude 4.6 forward-compat fallback, auth repair hints, usage
+  endpoint fetching, and cache-TTL/provider-family metadata
 - `openrouter`: pass-through model ids, request wrappers, provider capability
   hints, and cache-TTL policy
-- `github-copilot`: forward-compat model fallback, Claude-thinking transcript
-  hints, runtime token exchange, and usage endpoint fetching
+- `github-copilot`: onboarding/device login, forward-compat model fallback,
+  Claude-thinking transcript hints, runtime token exchange, and usage endpoint
+  fetching
 - `openai`: GPT-5.4 forward-compat fallback, direct OpenAI transport
   normalization, Codex-aware missing-auth hints, Spark suppression, synthetic
   OpenAI/Codex catalog rows, thinking/live-model policy, and
   provider-family metadata
 - `google` and `google-gemini-cli`: Gemini 3.1 forward-compat fallback and
-  modern-model matching; Gemini CLI OAuth also owns usage-token parsing and
-  quota endpoint fetching for usage surfaces
+  modern-model matching; Gemini CLI OAuth also owns auth-profile token
+  formatting, usage-token parsing, and quota endpoint fetching for usage
+  surfaces
 - `moonshot`: shared transport, plugin-owned thinking payload normalization
 - `kilocode`: shared transport, plugin-owned request headers, reasoning payload
   normalization, Gemini transcript hints, and cache-TTL policy
@@ -93,9 +102,9 @@ Current bundled examples:
   policy, binary-thinking/live-model policy, and usage auth + quota fetching
 - `mistral`, `opencode`, and `opencode-go`: plugin-owned capability metadata
 - `byteplus`, `cloudflare-ai-gateway`, `huggingface`, `kimi-coding`,
-  `minimax-portal`, `modelstudio`, `nvidia`, `qianfan`, `qwen-portal`,
-  `synthetic`, `together`, `venice`, `vercel-ai-gateway`, and `volcengine`:
-  plugin-owned catalogs only
+  `modelstudio`, `nvidia`, `qianfan`, `synthetic`, `together`, `venice`,
+  `vercel-ai-gateway`, and `volcengine`: plugin-owned catalogs only
+- `qwen-portal`: plugin-owned catalog, OAuth login, and OAuth refresh
 - `minimax` and `xiaomi`: plugin-owned catalogs plus usage auth/snapshot logic
 
 The bundled `openai` plugin now owns both provider ids: `openai` and
diff --git a/docs/tools/plugin.md b/docs/tools/plugin.md
index 32b9850a221..560d25930d5 100644
--- a/docs/tools/plugin.md
+++ b/docs/tools/plugin.md
@@ -220,7 +220,7 @@ Provider plugins now have two layers:
 - manifest metadata: `providerAuthEnvVars` for cheap env-auth lookup before
   runtime load
 - config-time hooks: `catalog` / legacy `discovery`
-- runtime hooks: `resolveDynamicModel`, `prepareDynamicModel`, `normalizeResolvedModel`, `capabilities`, `prepareExtraParams`, `wrapStreamFn`, `isCacheTtlEligible`, `buildMissingAuthMessage`, `suppressBuiltInModel`, `augmentModelCatalog`, `isBinaryThinking`, `supportsXHighThinking`, `resolveDefaultThinkingLevel`, `isModernModelRef`, `prepareRuntimeAuth`, `resolveUsageAuth`, `fetchUsageSnapshot`
+- runtime hooks: `resolveDynamicModel`, `prepareDynamicModel`, `normalizeResolvedModel`, `capabilities`, `prepareExtraParams`, `wrapStreamFn`, `formatApiKey`, `refreshOAuth`, `buildAuthDoctorHint`, `isCacheTtlEligible`, `buildMissingAuthMessage`, `suppressBuiltInModel`, `augmentModelCatalog`, `isBinaryThinking`, `supportsXHighThinking`, `resolveDefaultThinkingLevel`, `isModernModelRef`, `prepareRuntimeAuth`, `resolveUsageAuth`, `fetchUsageSnapshot`
 
 OpenClaw still owns the generic agent loop, failover, transcript handling, and
 tool policy. These hooks are the seam for provider-specific behavior without
@@ -254,31 +254,39 @@ For model/provider plugins, OpenClaw uses hooks in this rough order:
    Provider-owned request-param normalization before generic stream option wrappers.
 8. `wrapStreamFn`
    Provider-owned stream wrapper after generic wrappers are applied.
-9. `isCacheTtlEligible`
-   Provider-owned prompt-cache policy for proxy/backhaul providers.
-10. `buildMissingAuthMessage`
+9. `formatApiKey`
+   Provider-owned auth-profile formatter used when a stored auth profile needs
+   to become the runtime `apiKey` string.
+10. `refreshOAuth`
+    Provider-owned OAuth refresh override for custom refresh endpoints or
+    refresh-failure policy.
+11. `buildAuthDoctorHint`
+    Provider-owned repair hint appended when OAuth refresh fails.
+12. `isCacheTtlEligible`
+    Provider-owned prompt-cache policy for proxy/backhaul providers.
+13. `buildMissingAuthMessage`
     Provider-owned replacement for the generic missing-auth recovery message.
-11. `suppressBuiltInModel`
+14. `suppressBuiltInModel`
     Provider-owned stale upstream model suppression plus optional user-facing
     error hint.
-12. `augmentModelCatalog`
+15. `augmentModelCatalog`
     Provider-owned synthetic/final catalog rows appended after discovery.
-13. `isBinaryThinking`
+16. `isBinaryThinking`
     Provider-owned on/off reasoning toggle for binary-thinking providers.
-14. `supportsXHighThinking`
+17. `supportsXHighThinking`
     Provider-owned `xhigh` reasoning support for selected models.
-15. `resolveDefaultThinkingLevel`
+18. `resolveDefaultThinkingLevel`
     Provider-owned default `/think` level for a specific model family.
-16. `isModernModelRef`
+19. `isModernModelRef`
     Provider-owned modern-model matcher used by live profile filters and smoke
     selection.
-17. `prepareRuntimeAuth`
+20. `prepareRuntimeAuth`
     Exchanges a configured credential into the actual runtime token/key just
     before inference.
-18. `resolveUsageAuth`
+21. `resolveUsageAuth`
     Resolves usage/billing credentials for `/usage` and related status
     surfaces.
-19. `fetchUsageSnapshot`
+22. `fetchUsageSnapshot`
     Fetches and normalizes provider-specific usage/quota snapshots after auth
     is resolved.
 
@@ -291,6 +299,9 @@ For model/provider plugins, OpenClaw uses hooks in this rough order:
 - `capabilities`: publish provider-family and transcript/tooling quirks without hardcoding provider ids in core
 - `prepareExtraParams`: set provider defaults or normalize provider-specific per-model params before generic stream wrapping
 - `wrapStreamFn`: add provider-specific headers/payload/model compat patches while still using the normal `pi-ai` execution path
+- `formatApiKey`: turn a stored auth profile into the runtime `apiKey` string without hardcoding provider token blobs in core
+- `refreshOAuth`: own OAuth refresh for providers that do not fit the shared `pi-ai` refreshers
+- `buildAuthDoctorHint`: append provider-owned auth repair guidance when refresh fails
 - `isCacheTtlEligible`: decide whether provider/model pairs should use cache TTL metadata
 - `buildMissingAuthMessage`: replace the generic auth-store error with a provider-specific recovery hint
 - `suppressBuiltInModel`: hide stale upstream rows and optionally return a provider-owned error for direct resolution failures
@@ -312,6 +323,9 @@ Rule of thumb:
 - provider needs transcript/provider-family quirks: use `capabilities`
 - provider needs default request params or per-provider param cleanup: use `prepareExtraParams`
 - provider needs request headers/body/model compat wrappers without a custom transport: use `wrapStreamFn`
+- provider stores extra metadata in auth profiles and needs a custom runtime token shape: use `formatApiKey`
+- provider needs a custom OAuth refresh endpoint or refresh failure policy: use `refreshOAuth`
+- provider needs provider-owned auth repair guidance after refresh failure: use `buildAuthDoctorHint`
 - provider needs proxy-specific cache TTL gating: use `isCacheTtlEligible`
 - provider needs a provider-specific missing-auth recovery hint: use `buildMissingAuthMessage`
 - provider needs to hide stale upstream rows or replace them with a vendor hint: use `suppressBuiltInModel`
@@ -384,11 +398,12 @@ api.registerProvider({
 
 ### Built-in examples
 
-- Anthropic uses `resolveDynamicModel`, `capabilities`, `resolveUsageAuth`,
-  `fetchUsageSnapshot`, `isCacheTtlEligible`, `resolveDefaultThinkingLevel`,
-  and `isModernModelRef` because it owns Claude 4.6 forward-compat,
-  provider-family hints, usage endpoint integration, prompt-cache
-  eligibility, and Claude default/adaptive thinking policy.
+- Anthropic uses `resolveDynamicModel`, `capabilities`, `buildAuthDoctorHint`,
+  `resolveUsageAuth`, `fetchUsageSnapshot`, `isCacheTtlEligible`,
+  `resolveDefaultThinkingLevel`, and `isModernModelRef` because it owns Claude
+  4.6 forward-compat, provider-family hints, auth repair guidance, usage
+  endpoint integration, prompt-cache eligibility, and Claude default/adaptive
+  thinking policy.
 - OpenAI uses `resolveDynamicModel`, `normalizeResolvedModel`, and
   `capabilities` plus `buildMissingAuthMessage`, `suppressBuiltInModel`,
   `augmentModelCatalog`, `supportsXHighThinking`, and `isModernModelRef`
@@ -399,20 +414,22 @@ api.registerProvider({
 - OpenRouter uses `catalog` plus `resolveDynamicModel` and
   `prepareDynamicModel` because the provider is pass-through and may expose new
   model ids before OpenClaw's static catalog updates.
-- GitHub Copilot uses `catalog`, `resolveDynamicModel`, and
+- GitHub Copilot uses `catalog`, `auth`, `resolveDynamicModel`, and
   `capabilities` plus `prepareRuntimeAuth` and `fetchUsageSnapshot` because it
-  needs model fallback behavior, Claude transcript quirks, a GitHub token ->
-  Copilot token exchange, and a provider-owned usage endpoint.
+  needs provider-owned device login, model fallback behavior, Claude transcript
+  quirks, a GitHub token -> Copilot token exchange, and a provider-owned usage
+  endpoint.
 - OpenAI Codex uses `catalog`, `resolveDynamicModel`,
-  `normalizeResolvedModel`, and `augmentModelCatalog` plus
+  `normalizeResolvedModel`, `refreshOAuth`, and `augmentModelCatalog` plus
   `prepareExtraParams`, `resolveUsageAuth`, and `fetchUsageSnapshot` because it
   still runs on core OpenAI transports but owns its transport/base URL
-  normalization, default transport choice, synthetic Codex catalog rows, and
-  ChatGPT usage endpoint integration.
+  normalization, OAuth refresh fallback policy, default transport choice,
+  synthetic Codex catalog rows, and ChatGPT usage endpoint integration.
 - Google AI Studio and Gemini CLI OAuth use `resolveDynamicModel` and
   `isModernModelRef` because they own Gemini 3.1 forward-compat fallback and
-  modern-model matching; Gemini CLI OAuth also uses `resolveUsageAuth` and
-  `fetchUsageSnapshot` for token parsing and quota endpoint wiring.
+  modern-model matching; Gemini CLI OAuth also uses `formatApiKey`,
+  `resolveUsageAuth`, and `fetchUsageSnapshot` for token formatting, token
+  parsing, and quota endpoint wiring.
 - OpenRouter uses `capabilities`, `wrapStreamFn`, and `isCacheTtlEligible`
   to keep provider-specific request headers, routing metadata, reasoning
   patches, and prompt-cache policy out of core.
@@ -430,9 +447,10 @@ api.registerProvider({
 - Mistral, OpenCode Zen, and OpenCode Go use `capabilities` only to keep
   transcript/tooling quirks out of core.
 - Catalog-only bundled providers such as `byteplus`, `cloudflare-ai-gateway`,
-  `huggingface`, `kimi-coding`, `minimax-portal`, `modelstudio`, `nvidia`,
-  `qianfan`, `qwen-portal`, `synthetic`, `together`, `venice`,
-  `vercel-ai-gateway`, and `volcengine` use `catalog` only.
+  `huggingface`, `kimi-coding`, `modelstudio`, `nvidia`, `qianfan`,
+  `synthetic`, `together`, `venice`, `vercel-ai-gateway`, and `volcengine` use
+  `catalog` only.
+- Qwen portal uses `catalog`, `auth`, and `refreshOAuth`.
 - MiniMax and Xiaomi use `catalog` plus usage hooks because their `/usage`
   behavior is plugin-owned even though inference still runs through the shared
   transports.
diff --git a/extensions/anthropic/index.test.ts b/extensions/anthropic/index.test.ts
index 172a7099e4d..0bfa830f14f 100644
--- a/extensions/anthropic/index.test.ts
+++ b/extensions/anthropic/index.test.ts
@@ -58,6 +58,39 @@ describe("anthropic plugin", () => {
     });
   });
 
+  it("owns auth doctor hint generation", () => {
+    const provider = registerProvider();
+    const hint = provider.buildAuthDoctorHint?.({
+      provider: "anthropic",
+      profileId: "anthropic:default",
+      config: {
+        auth: {
+          profiles: {
+            "anthropic:default": {
+              provider: "anthropic",
+              mode: "oauth",
+            },
+          },
+        },
+      } as never,
+      store: {
+        version: 1,
+        profiles: {
+          "anthropic:oauth-user@example.com": {
+            type: "oauth",
+            provider: "anthropic",
+            access: "oauth-access",
+            refresh: "oauth-refresh",
+            expires: Date.now() + 60_000,
+          },
+        },
+      },
+    });
+
+    expect(hint).toContain("suggested profile: anthropic:oauth-user@example.com");
+    expect(hint).toContain("openclaw doctor --yes");
+  });
+
   it("owns usage snapshot fetching", async () => {
     const provider = registerProvider();
     const mockFetch = createProviderUsageFetch(async (url) => {
diff --git a/extensions/anthropic/index.ts b/extensions/anthropic/index.ts
index 84d584e554f..ba2a1a55cb5 100644
--- a/extensions/anthropic/index.ts
+++ b/extensions/anthropic/index.ts
@@ -5,8 +5,11 @@ import {
   type ProviderResolveDynamicModelContext,
   type ProviderRuntimeModel,
 } from "openclaw/plugin-sdk/core";
-import { upsertAuthProfile } from "../../src/agents/auth-profiles.js";
+import { listProfilesForProvider, upsertAuthProfile } from "../../src/agents/auth-profiles.js";
+import { suggestOAuthProfileIdForLegacyDefault } from "../../src/agents/auth-profiles/repair.js";
+import type { AuthProfileStore } from "../../src/agents/auth-profiles/types.js";
 import { normalizeModelCompat } from "../../src/agents/model-compat.js";
+import { formatCliCommand } from "../../src/cli/command-format.js";
 import { parseDurationMs } from "../../src/cli/parse-duration.js";
 import {
   normalizeSecretInputModeInput,
@@ -120,6 +123,41 @@ function matchesAnthropicModernModel(modelId: string): boolean {
   return ANTHROPIC_MODERN_MODEL_PREFIXES.some((prefix) => lower.startsWith(prefix));
 }
 
+function buildAnthropicAuthDoctorHint(params: {
+  config?: ProviderAuthContext["config"];
+  store: AuthProfileStore;
+  profileId?: string;
+}): string {
+  const legacyProfileId = params.profileId ?? "anthropic:default";
+  const suggested = suggestOAuthProfileIdForLegacyDefault({
+    cfg: params.config,
+    store: params.store,
+    provider: PROVIDER_ID,
+    legacyProfileId,
+  });
+  if (!suggested || suggested === legacyProfileId) {
+    return "";
+  }
+
+  const storeOauthProfiles = listProfilesForProvider(params.store, PROVIDER_ID)
+    .filter((id) => params.store.profiles[id]?.type === "oauth")
+    .join(", ");
+
+  const cfgMode = params.config?.auth?.profiles?.[legacyProfileId]?.mode;
+  const cfgProvider = params.config?.auth?.profiles?.[legacyProfileId]?.provider;
+
+  return [
+    "Doctor hint (for GitHub issue):",
+    `- provider: ${PROVIDER_ID}`,
+    `- config: ${legacyProfileId}${
+      cfgProvider || cfgMode ? ` (provider=${cfgProvider ?? "?"}, mode=${cfgMode ?? "?"})` : ""
+    }`,
+    `- auth store oauth profiles: ${storeOauthProfiles || "(none)"}`,
+    `- suggested profile: ${suggested}`,
+    `Fix: run "${formatCliCommand("openclaw doctor --yes")}"`,
+  ].join("\n");
+}
+
 async function runAnthropicSetupToken(ctx: ProviderAuthContext): Promise<ProviderAuthResult> {
   await ctx.prompter.note(
     ["Run `claude setup-token` in your terminal.", "Then paste the generated token below."].join(
@@ -311,6 +349,12 @@ const anthropicPlugin = {
       fetchUsageSnapshot: async (ctx) =>
         await fetchClaudeUsage(ctx.token, ctx.timeoutMs, ctx.fetchFn),
       isCacheTtlEligible: () => true,
+      buildAuthDoctorHint: (ctx) =>
+        buildAnthropicAuthDoctorHint({
+          config: ctx.config,
+          store: ctx.store,
+          profileId: ctx.profileId,
+        }),
     });
   },
 };
diff --git a/extensions/copilot-proxy/index.ts b/extensions/copilot-proxy/index.ts
index 6fad48228cd..2c517d9c26c 100644
--- a/extensions/copilot-proxy/index.ts
+++ b/extensions/copilot-proxy/index.ts
@@ -147,6 +147,14 @@ const copilotProxyPlugin = {
           },
         },
       ],
+      wizard: {
+        setup: {
+          choiceId: "copilot-proxy",
+          choiceLabel: "Copilot Proxy",
+          choiceHint: "Configure base URL + model ids",
+          methodId: "local",
+        },
+      },
     });
   },
 };
diff --git a/extensions/github-copilot/index.ts b/extensions/github-copilot/index.ts
index 41c9deed5ec..8dadad31903 100644
--- a/extensions/github-copilot/index.ts
+++ b/extensions/github-copilot/index.ts
@@ -1,6 +1,7 @@
 import {
   emptyPluginConfigSchema,
   type OpenClawPluginApi,
+  type ProviderAuthContext,
   type ProviderResolveDynamicModelContext,
   type ProviderRuntimeModel,
 } from "openclaw/plugin-sdk/core";
@@ -8,6 +9,7 @@ import { listProfilesForProvider } from "../../src/agents/auth-profiles/profiles
 import { ensureAuthProfileStore } from "../../src/agents/auth-profiles/store.js";
 import { normalizeModelCompat } from "../../src/agents/model-compat.js";
 import { coerceSecretRef } from "../../src/config/types.secrets.js";
+import { githubCopilotLoginCommand } from "../../src/providers/github-copilot-auth.js";
 import { DEFAULT_COPILOT_API_BASE_URL, resolveCopilotApiToken } from "./token.js";
 import { fetchCopilotUsage } from "./usage.js";
 
@@ -72,6 +74,46 @@ function resolveCopilotForwardCompatModel(
   return undefined;
 }
 
+async function runGitHubCopilotAuth(ctx: ProviderAuthContext) {
+  await ctx.prompter.note(
+    [
+      "This will open a GitHub device login to authorize Copilot.",
+      "Requires an active GitHub Copilot subscription.",
+    ].join("\n"),
+    "GitHub Copilot",
+  );
+
+  if (!process.stdin.isTTY) {
+    await ctx.prompter.note("GitHub Copilot login requires an interactive TTY.", "GitHub Copilot");
+    return { profiles: [] };
+  }
+
+  try {
+    await githubCopilotLoginCommand({ yes: true, profileId: "github-copilot:github" }, ctx.runtime);
+  } catch (err) {
+    await ctx.prompter.note(`GitHub Copilot login failed: ${String(err)}`, "GitHub Copilot");
+    return { profiles: [] };
+  }
+
+  const authStore = ensureAuthProfileStore(undefined, {
+    allowKeychainPrompt: false,
+  });
+  const credential = authStore.profiles["github-copilot:github"];
+  if (!credential || credential.type !== "token") {
+    return { profiles: [] };
+  }
+
+  return {
+    profiles: [
+      {
+        profileId: "github-copilot:github",
+        credential,
+      },
+    ],
+    defaultModel: "github-copilot/gpt-4o",
+  };
+}
+
 const githubCopilotPlugin = {
   id: "github-copilot",
   name: "GitHub Copilot Provider",
@@ -83,7 +125,23 @@ const githubCopilotPlugin = {
       label: "GitHub Copilot",
       docsPath: "/providers/models",
       envVars: COPILOT_ENV_VARS,
-      auth: [],
+      auth: [
+        {
+          id: "device",
+          label: "GitHub device login",
+          hint: "Browser device-code flow",
+          kind: "device_code",
+          run: async (ctx) => await runGitHubCopilotAuth(ctx),
+        },
+      ],
+      wizard: {
+        setup: {
+          choiceId: "github-copilot",
+          choiceLabel: "GitHub Copilot",
+          choiceHint: "Device login with your GitHub account",
+          methodId: "device",
+        },
+      },
       catalog: {
         order: "late",
         run: async (ctx) => {
diff --git a/extensions/google/gemini-cli-provider.test.ts b/extensions/google/gemini-cli-provider.test.ts
index 21e7f505521..75619863b4b 100644
--- a/extensions/google/gemini-cli-provider.test.ts
+++ b/extensions/google/gemini-cli-provider.test.ts
@@ -146,6 +146,22 @@ describe("google plugin", () => {
     });
   });
 
+  it("owns OAuth auth-profile formatting", () => {
+    const { providers } = registerGooglePlugin();
+    const provider = findProvider(providers, "google-gemini-cli");
+
+    expect(
+      provider.formatApiKey?.({
+        type: "oauth",
+        provider: "google-gemini-cli",
+        access: "google-oauth-token",
+        refresh: "refresh-token",
+        expires: Date.now() + 60_000,
+        projectId: "proj-123",
+      }),
+    ).toBe('{"token":"google-oauth-token","projectId":"proj-123"}');
+  });
+
   it("owns usage snapshot fetching", async () => {
     const { providers } = registerGooglePlugin();
     const provider = findProvider(providers, "google-gemini-cli");
diff --git a/extensions/google/gemini-cli-provider.ts b/extensions/google/gemini-cli-provider.ts
index 5a3d784a866..926913f7390 100644
--- a/extensions/google/gemini-cli-provider.ts
+++ b/extensions/google/gemini-cli-provider.ts
@@ -30,6 +30,20 @@ function parseGoogleUsageToken(apiKey: string): string {
   return apiKey;
 }
 
+function formatGoogleOauthApiKey(cred: {
+  type?: string;
+  access?: string;
+  projectId?: string;
+}): string {
+  if (cred.type !== "oauth" || typeof cred.access !== "string" || !cred.access.trim()) {
+    return "";
+  }
+  return JSON.stringify({
+    token: cred.access,
+    projectId: cred.projectId,
+  });
+}
+
 async function fetchGeminiCliUsage(ctx: ProviderFetchUsageSnapshotContext) {
   return await fetchGeminiUsage(ctx.token, ctx.timeoutMs, ctx.fetchFn, PROVIDER_ID);
 }
@@ -48,6 +62,24 @@ export function registerGoogleGeminiCliProvider(api: OpenClawPluginApi) {
         hint: "PKCE + localhost callback",
         kind: "oauth",
         run: async (ctx: ProviderAuthContext) => {
+          await ctx.prompter.note(
+            [
+              "This is an unofficial integration and is not endorsed by Google.",
+              "Some users have reported account restrictions or suspensions after using third-party Gemini CLI and Antigravity OAuth clients.",
+              "Proceed only if you understand and accept this risk.",
+            ].join("\n"),
+            "Google Gemini CLI caution",
+          );
+
+          const proceed = await ctx.prompter.confirm({
+            message: "Continue with Google Gemini CLI OAuth?",
+            initialValue: false,
+          });
+          if (!proceed) {
+            await ctx.prompter.note("Skipped Google Gemini CLI OAuth setup.", "Setup skipped");
+            return { profiles: [] };
+          }
+
           const spin = ctx.prompter.progress("Starting Gemini CLI OAuth…");
           try {
             const result = await loginGeminiCliOAuth({
@@ -81,9 +113,18 @@ export function registerGoogleGeminiCliProvider(api: OpenClawPluginApi) {
         },
       },
     ],
+    wizard: {
+      setup: {
+        choiceId: "google-gemini-cli",
+        choiceLabel: "Gemini CLI OAuth",
+        choiceHint: "Google OAuth with project-aware token payload",
+        methodId: "oauth",
+      },
+    },
     resolveDynamicModel: (ctx) =>
       resolveGoogle31ForwardCompatModel({ providerId: PROVIDER_ID, ctx }),
     isModernModelRef: ({ modelId }) => isModernGoogleModel(modelId),
+    formatApiKey: (cred) => formatGoogleOauthApiKey(cred),
     resolveUsageAuth: async (ctx) => {
       const auth = await ctx.resolveOAuthToken();
       if (!auth) {
diff --git a/extensions/openai/openai-codex-provider.ts b/extensions/openai/openai-codex-provider.ts
index a11902608ac..17ee1348de2 100644
--- a/extensions/openai/openai-codex-provider.ts
+++ b/extensions/openai/openai-codex-provider.ts
@@ -1,3 +1,4 @@
+import { getOAuthApiKey } from "@mariozechner/pi-ai/oauth";
 import type {
   ProviderAuthContext,
   ProviderResolveDynamicModelContext,
@@ -5,6 +6,7 @@ import type {
 } from "openclaw/plugin-sdk/core";
 import { listProfilesForProvider } from "../../src/agents/auth-profiles/profiles.js";
 import { ensureAuthProfileStore } from "../../src/agents/auth-profiles/store.js";
+import type { OAuthCredential } from "../../src/agents/auth-profiles/types.js";
 import { DEFAULT_CONTEXT_TOKENS } from "../../src/agents/defaults.js";
 import { normalizeModelCompat } from "../../src/agents/model-compat.js";
 import { normalizeProviderId } from "../../src/agents/model-selection.js";
@@ -132,6 +134,34 @@ function resolveCodexForwardCompatModel(
   );
 }
 
+async function refreshOpenAICodexOAuthCredential(cred: OAuthCredential) {
+  try {
+    const refreshed = await getOAuthApiKey("openai-codex", {
+      "openai-codex": cred,
+    });
+    if (!refreshed) {
+      throw new Error("OpenAI Codex OAuth refresh returned no credentials.");
+    }
+    return {
+      ...cred,
+      ...refreshed.newCredentials,
+      type: "oauth" as const,
+      provider: PROVIDER_ID,
+      email: cred.email,
+    };
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    if (
+      /extract\s+accountid\s+from\s+token/i.test(message) &&
+      typeof cred.access === "string" &&
+      cred.access.trim().length > 0
+    ) {
+      return cred;
+    }
+    throw error;
+  }
+}
+
 async function runOpenAICodexOAuth(ctx: ProviderAuthContext) {
   let creds;
   try {
@@ -221,6 +251,7 @@ export function buildOpenAICodexProviderPlugin(): ProviderPlugin {
     resolveUsageAuth: async (ctx) => await ctx.resolveOAuthToken(),
     fetchUsageSnapshot: async (ctx) =>
       await fetchCodexUsage(ctx.token, ctx.accountId, ctx.timeoutMs, ctx.fetchFn),
+    refreshOAuth: async (cred) => await refreshOpenAICodexOAuthCredential(cred),
     augmentModelCatalog: (ctx) => {
       const gpt54Template = findCatalogTemplate({
         entries: ctx.entries,
diff --git a/extensions/openai/openai-codex.test.ts b/extensions/openai/openai-codex.test.ts
index bbf77320b26..1e9efd3bfbc 100644
--- a/extensions/openai/openai-codex.test.ts
+++ b/extensions/openai/openai-codex.test.ts
@@ -1,4 +1,4 @@
-import { describe, expect, it } from "vitest";
+import { describe, expect, it, vi } from "vitest";
 import type { ProviderPlugin } from "../../src/plugins/types.js";
 import {
   createProviderUsageFetch,
@@ -6,6 +6,16 @@ import {
 } from "../../src/test-utils/provider-usage-fetch.js";
 import openAIPlugin from "./index.js";
 
+const getOAuthApiKeyMock = vi.hoisted(() => vi.fn());
+
+vi.mock("@mariozechner/pi-ai/oauth", async () => {
+  const actual = await vi.importActual<object>("@mariozechner/pi-ai/oauth");
+  return {
+    ...actual,
+    getOAuthApiKey: getOAuthApiKeyMock,
+  };
+});
+
 function registerCodexProvider(): ProviderPlugin {
   let provider: ProviderPlugin | undefined;
   openAIPlugin.register({
@@ -22,6 +32,22 @@ function registerCodexProvider(): ProviderPlugin {
 }
 
 describe("openai codex provider", () => {
+  it("owns refresh fallback for accountId extraction failures", async () => {
+    const provider = registerCodexProvider();
+    const credential = {
+      type: "oauth" as const,
+      provider: "openai-codex",
+      access: "cached-access-token",
+      refresh: "refresh-token",
+      expires: Date.now() - 60_000,
+    };
+
+    getOAuthApiKeyMock.mockReset();
+    getOAuthApiKeyMock.mockRejectedValueOnce(new Error("Failed to extract accountId from token"));
+
+    await expect(provider.refreshOAuth?.(credential)).resolves.toEqual(credential);
+  });
+
   it("owns forward-compat codex models", () => {
     const provider = registerCodexProvider();
     const model = provider.resolveDynamicModel?.({
diff --git a/extensions/qwen-portal-auth/index.test.ts b/extensions/qwen-portal-auth/index.test.ts
new file mode 100644
index 00000000000..f5e7f599f78
--- /dev/null
+++ b/extensions/qwen-portal-auth/index.test.ts
@@ -0,0 +1,32 @@
+import { describe, expect, it, vi } from "vitest";
+import { registerSingleProviderPlugin } from "../../src/test-utils/plugin-registration.js";
+import qwenPortalPlugin from "./index.js";
+
+const refreshQwenPortalCredentialsMock = vi.hoisted(() => vi.fn());
+
+vi.mock("../../src/providers/qwen-portal-oauth.js", () => ({
+  refreshQwenPortalCredentials: refreshQwenPortalCredentialsMock,
+}));
+
+describe("qwen portal plugin", () => {
+  it("owns OAuth refresh", async () => {
+    const provider = registerSingleProviderPlugin(qwenPortalPlugin);
+    const credential = {
+      type: "oauth" as const,
+      provider: "qwen-portal",
+      access: "stale-access-token",
+      refresh: "refresh-token",
+      expires: Date.now() - 60_000,
+    };
+    const refreshed = {
+      ...credential,
+      access: "fresh-access-token",
+      expires: Date.now() + 60_000,
+    };
+
+    refreshQwenPortalCredentialsMock.mockReset();
+    refreshQwenPortalCredentialsMock.mockResolvedValueOnce(refreshed);
+
+    await expect(provider.refreshOAuth?.(credential)).resolves.toEqual(refreshed);
+  });
+});
diff --git a/extensions/qwen-portal-auth/index.ts b/extensions/qwen-portal-auth/index.ts
index 446070b0a6b..774b1329acf 100644
--- a/extensions/qwen-portal-auth/index.ts
+++ b/extensions/qwen-portal-auth/index.ts
@@ -7,6 +7,7 @@ import {
 } from "openclaw/plugin-sdk/qwen-portal-auth";
 import { ensureAuthProfileStore, listProfilesForProvider } from "../../src/agents/auth-profiles.js";
 import { QWEN_OAUTH_MARKER } from "../../src/agents/model-auth-markers.js";
+import { refreshQwenPortalCredentials } from "../../src/providers/qwen-portal-oauth.js";
 import { loginQwenPortalOAuth } from "./oauth.js";
 
 const PROVIDER_ID = "qwen-portal";
@@ -157,6 +158,21 @@ const qwenPortalPlugin = {
           },
         },
       ],
+      wizard: {
+        setup: {
+          choiceId: "qwen-portal",
+          choiceLabel: "Qwen OAuth",
+          choiceHint: "Device code login",
+          methodId: "device",
+        },
+      },
+      refreshOAuth: async (cred) => ({
+        ...cred,
+        ...(await refreshQwenPortalCredentials(cred)),
+        type: "oauth",
+        provider: PROVIDER_ID,
+        email: cred.email,
+      }),
     });
   },
 };
diff --git a/src/agents/auth-profiles/doctor.ts b/src/agents/auth-profiles/doctor.ts
index ee743a06000..220d20f2294 100644
--- a/src/agents/auth-profiles/doctor.ts
+++ b/src/agents/auth-profiles/doctor.ts
@@ -5,12 +5,36 @@ import { listProfilesForProvider } from "./profiles.js";
 import { suggestOAuthProfileIdForLegacyDefault } from "./repair.js";
 import type { AuthProfileStore } from "./types.js";
 
-export function formatAuthDoctorHint(params: {
+let providerRuntimePromise:
+  | Promise<typeof import("../../plugins/provider-runtime.runtime.js")>
+  | undefined;
+
+function loadProviderRuntime() {
+  providerRuntimePromise ??= import("../../plugins/provider-runtime.runtime.js");
+  return providerRuntimePromise;
+}
+
+export async function formatAuthDoctorHint(params: {
   cfg?: OpenClawConfig;
   store: AuthProfileStore;
   provider: string;
   profileId?: string;
-}): string {
+}): Promise<string> {
+  const normalizedProvider = normalizeProviderId(params.provider);
+  const { buildProviderAuthDoctorHintWithPlugin } = await loadProviderRuntime();
+  const pluginHint = await buildProviderAuthDoctorHintWithPlugin({
+    provider: normalizedProvider,
+    context: {
+      config: params.cfg,
+      store: params.store,
+      provider: normalizedProvider,
+      profileId: params.profileId,
+    },
+  });
+  if (typeof pluginHint === "string" && pluginHint.trim()) {
+    return pluginHint;
+  }
+
   const providerKey = normalizeProviderId(params.provider);
   if (providerKey !== "anthropic") {
     return "";
diff --git a/src/agents/auth-profiles/oauth.openai-codex-refresh-fallback.test.ts b/src/agents/auth-profiles/oauth.openai-codex-refresh-fallback.test.ts
index 23381d89a05..eff06553752 100644
--- a/src/agents/auth-profiles/oauth.openai-codex-refresh-fallback.test.ts
+++ b/src/agents/auth-profiles/oauth.openai-codex-refresh-fallback.test.ts
@@ -17,6 +17,18 @@ const { getOAuthApiKeyMock } = vi.hoisted(() => ({
   }),
 }));
 
+const {
+  refreshProviderOAuthCredentialWithPluginMock,
+  formatProviderAuthProfileApiKeyWithPluginMock,
+  buildProviderAuthDoctorHintWithPluginMock,
+} = vi.hoisted(() => ({
+  refreshProviderOAuthCredentialWithPluginMock: vi.fn(
+    async (_params?: { context?: unknown }) => undefined,
+  ),
+  formatProviderAuthProfileApiKeyWithPluginMock: vi.fn(() => undefined),
+  buildProviderAuthDoctorHintWithPluginMock: vi.fn(async () => undefined),
+}));
+
 vi.mock("@mariozechner/pi-ai/oauth", () => ({
   getOAuthApiKey: getOAuthApiKeyMock,
   getOAuthProviders: () => [
@@ -25,6 +37,12 @@ vi.mock("@mariozechner/pi-ai/oauth", () => ({
   ],
 }));
 
+vi.mock("../../plugins/provider-runtime.runtime.js", () => ({
+  refreshProviderOAuthCredentialWithPlugin: refreshProviderOAuthCredentialWithPluginMock,
+  formatProviderAuthProfileApiKeyWithPlugin: formatProviderAuthProfileApiKeyWithPluginMock,
+  buildProviderAuthDoctorHintWithPlugin: buildProviderAuthDoctorHintWithPluginMock,
+}));
+
 function createExpiredOauthStore(params: {
   profileId: string;
   provider: string;
@@ -55,6 +73,12 @@ describe("resolveApiKeyForProfile openai-codex refresh fallback", () => {
 
   beforeEach(async () => {
     getOAuthApiKeyMock.mockClear();
+    refreshProviderOAuthCredentialWithPluginMock.mockReset();
+    refreshProviderOAuthCredentialWithPluginMock.mockResolvedValue(undefined);
+    formatProviderAuthProfileApiKeyWithPluginMock.mockReset();
+    formatProviderAuthProfileApiKeyWithPluginMock.mockReturnValue(undefined);
+    buildProviderAuthDoctorHintWithPluginMock.mockReset();
+    buildProviderAuthDoctorHintWithPluginMock.mockResolvedValue(undefined);
     clearRuntimeAuthProfileStoreSnapshots();
     tempRoot = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-codex-refresh-fallback-"));
     agentDir = path.join(tempRoot, "agents", "main", "agent");
@@ -72,6 +96,9 @@ describe("resolveApiKeyForProfile openai-codex refresh fallback", () => {
 
   it("falls back to cached access token when openai-codex refresh fails on accountId extraction", async () => {
     const profileId = "openai-codex:default";
+    refreshProviderOAuthCredentialWithPluginMock.mockImplementationOnce(
+      async (params?: { context?: unknown }) => params?.context as never,
+    );
     saveAuthProfileStore(
       createExpiredOauthStore({
         profileId,
@@ -91,7 +118,7 @@ describe("resolveApiKeyForProfile openai-codex refresh fallback", () => {
       provider: "openai-codex",
       email: undefined,
     });
-    expect(getOAuthApiKeyMock).toHaveBeenCalledTimes(1);
+    expect(refreshProviderOAuthCredentialWithPluginMock).toHaveBeenCalledTimes(1);
   });
 
   it("keeps throwing for non-codex providers on the same refresh error", async () => {
@@ -122,7 +149,7 @@ describe("resolveApiKeyForProfile openai-codex refresh fallback", () => {
       }),
       agentDir,
     );
-    getOAuthApiKeyMock.mockImplementationOnce(async () => {
+    refreshProviderOAuthCredentialWithPluginMock.mockImplementationOnce(async () => {
       throw new Error("invalid_grant");
     });
 
diff --git a/src/agents/auth-profiles/oauth.ts b/src/agents/auth-profiles/oauth.ts
index edc1ddfb24e..f09b972fd36 100644
--- a/src/agents/auth-profiles/oauth.ts
+++ b/src/agents/auth-profiles/oauth.ts
@@ -7,20 +7,27 @@ import {
 import { loadConfig, type OpenClawConfig } from "../../config/config.js";
 import { coerceSecretRef } from "../../config/types.secrets.js";
 import { withFileLock } from "../../infra/file-lock.js";
-import { refreshQwenPortalCredentials } from "../../providers/qwen-portal-oauth.js";
 import { resolveSecretRefString, type SecretRefResolveCache } from "../../secrets/resolve.js";
 import { refreshChutesTokens } from "../chutes-oauth.js";
-import { normalizeProviderId } from "../model-selection.js";
 import { AUTH_STORE_LOCK_OPTIONS, log } from "./constants.js";
 import { resolveTokenExpiryState } from "./credential-state.js";
 import { formatAuthDoctorHint } from "./doctor.js";
 import { ensureAuthStoreFile, resolveAuthStorePath } from "./paths.js";
 import { suggestOAuthProfileIdForLegacyDefault } from "./repair.js";
 import { ensureAuthProfileStore, saveAuthProfileStore } from "./store.js";
-import type { AuthProfileStore } from "./types.js";
+import type { AuthProfileStore, OAuthCredential } from "./types.js";
 
 const OAUTH_PROVIDER_IDS = new Set<string>(getOAuthProviders().map((provider) => provider.id));
 
+let providerRuntimePromise:
+  | Promise<typeof import("../../plugins/provider-runtime.runtime.js")>
+  | undefined;
+
+function loadProviderRuntime() {
+  providerRuntimePromise ??= import("../../plugins/provider-runtime.runtime.js");
+  return providerRuntimePromise;
+}
+
 const isOAuthProvider = (provider: string): provider is OAuthProvider =>
   OAUTH_PROVIDER_IDS.has(provider);
 
@@ -58,14 +65,13 @@ function isProfileConfigCompatible(params: {
   return true;
 }
 
-function buildOAuthApiKey(provider: string, credentials: OAuthCredentials): string {
-  const needsProjectId = provider === "google-gemini-cli";
-  return needsProjectId
-    ? JSON.stringify({
-        token: credentials.access,
-        projectId: credentials.projectId,
-      })
-    : credentials.access;
+async function buildOAuthApiKey(provider: string, credentials: OAuthCredential): Promise<string> {
+  const { formatProviderAuthProfileApiKeyWithPlugin } = await loadProviderRuntime();
+  const formatted = formatProviderAuthProfileApiKeyWithPlugin({
+    provider,
+    context: credentials,
+  });
+  return typeof formatted === "string" && formatted.length > 0 ? formatted : credentials.access;
 }
 
 function buildApiKeyProfileResult(params: { apiKey: string; provider: string; email?: string }) {
@@ -76,13 +82,13 @@ function buildApiKeyProfileResult(params: { apiKey: string; provider: string; em
   };
 }
 
-function buildOAuthProfileResult(params: {
+async function buildOAuthProfileResult(params: {
   provider: string;
-  credentials: OAuthCredentials;
+  credentials: OAuthCredential;
   email?: string;
 }) {
   return buildApiKeyProfileResult({
-    apiKey: buildOAuthApiKey(params.provider, params.credentials),
+    apiKey: await buildOAuthApiKey(params.provider, params.credentials),
     provider: params.provider,
     email: params.email,
   });
@@ -92,23 +98,6 @@ function extractErrorMessage(error: unknown): string {
   return error instanceof Error ? error.message : String(error);
 }
 
-function shouldUseOpenaiCodexRefreshFallback(params: {
-  provider: string;
-  credentials: OAuthCredentials;
-  error: unknown;
-}): boolean {
-  if (normalizeProviderId(params.provider) !== "openai-codex") {
-    return false;
-  }
-  const message = extractErrorMessage(params.error);
-  if (!/extract\s+accountid\s+from\s+token/i.test(message)) {
-    return false;
-  }
-  return (
-    typeof params.credentials.access === "string" && params.credentials.access.trim().length > 0
-  );
-}
-
 type ResolveApiKeyForProfileParams = {
   cfg?: OpenClawConfig;
   store: AuthProfileStore;
@@ -171,15 +160,24 @@ async function refreshOAuthTokenWithLock(params: {
 
     if (Date.now() < cred.expires) {
       return {
-        apiKey: buildOAuthApiKey(cred.provider, cred),
+        apiKey: await buildOAuthApiKey(cred.provider, cred),
         newCredentials: cred,
       };
     }
 
-    const oauthCreds: Record<string, OAuthCredentials> = {
-      [cred.provider]: cred,
-    };
+    const { refreshProviderOAuthCredentialWithPlugin } = await loadProviderRuntime();
+    const pluginRefreshed = await refreshProviderOAuthCredentialWithPlugin({
+      provider: cred.provider,
+      context: cred,
+    });
+    if (pluginRefreshed) {
+      return {
+        apiKey: await buildOAuthApiKey(cred.provider, pluginRefreshed),
+        newCredentials: pluginRefreshed,
+      };
+    }
 
+    const oauthCreds: Record<string, OAuthCredentials> = { [cred.provider]: cred };
     const result =
       String(cred.provider) === "chutes"
         ? await (async () => {
@@ -188,18 +186,13 @@ async function refreshOAuthTokenWithLock(params: {
             });
             return { apiKey: newCredentials.access, newCredentials };
           })()
-        : String(cred.provider) === "qwen-portal"
-          ? await (async () => {
-              const newCredentials = await refreshQwenPortalCredentials(cred);
-              return { apiKey: newCredentials.access, newCredentials };
-            })()
-          : await (async () => {
-              const oauthProvider = resolveOAuthProvider(cred.provider);
-              if (!oauthProvider) {
-                return null;
-              }
-              return await getOAuthApiKey(oauthProvider, oauthCreds);
-            })();
+        : await (async () => {
+            const oauthProvider = resolveOAuthProvider(cred.provider);
+            if (!oauthProvider) {
+              return null;
+            }
+            return await getOAuthApiKey(oauthProvider, oauthCreds);
+          })();
     if (!result) {
       return null;
     }
@@ -234,7 +227,7 @@ async function tryResolveOAuthProfile(
   }
 
   if (Date.now() < cred.expires) {
-    return buildOAuthProfileResult({
+    return await buildOAuthProfileResult({
       provider: cred.provider,
       credentials: cred,
       email: cred.email,
@@ -379,7 +372,7 @@ export async function resolveApiKeyForProfile(
     }) ?? cred;
 
   if (Date.now() < oauthCred.expires) {
-    return buildOAuthProfileResult({
+    return await buildOAuthProfileResult({
       provider: oauthCred.provider,
       credentials: oauthCred,
       email: oauthCred.email,
@@ -403,7 +396,7 @@ export async function resolveApiKeyForProfile(
     const refreshedStore = ensureAuthProfileStore(params.agentDir);
     const refreshed = refreshedStore.profiles[profileId];
     if (refreshed?.type === "oauth" && Date.now() < refreshed.expires) {
-      return buildOAuthProfileResult({
+      return await buildOAuthProfileResult({
         provider: refreshed.provider,
         credentials: refreshed,
         email: refreshed.email ?? cred.email,
@@ -445,7 +438,7 @@ export async function resolveApiKeyForProfile(
             agentDir: params.agentDir,
             expires: new Date(mainCred.expires).toISOString(),
           });
-          return buildOAuthProfileResult({
+          return await buildOAuthProfileResult({
             provider: mainCred.provider,
             credentials: mainCred,
             email: mainCred.email,
@@ -456,26 +449,8 @@ export async function resolveApiKeyForProfile(
       }
     }
 
-    if (
-      shouldUseOpenaiCodexRefreshFallback({
-        provider: cred.provider,
-        credentials: cred,
-        error,
-      })
-    ) {
-      log.warn("openai-codex oauth refresh failed; using cached access token fallback", {
-        profileId,
-        provider: cred.provider,
-      });
-      return buildApiKeyProfileResult({
-        apiKey: cred.access,
-        provider: cred.provider,
-        email: cred.email,
-      });
-    }
-
     const message = extractErrorMessage(error);
-    const hint = formatAuthDoctorHint({
+    const hint = await formatAuthDoctorHint({
       cfg,
       store: refreshedStore,
       provider: cred.provider,
diff --git a/src/commands/auth-choice.apply.api-key-providers.ts b/src/commands/auth-choice.apply.api-key-providers.ts
index ac3690bf3cd..078dac8d0a1 100644
--- a/src/commands/auth-choice.apply.api-key-providers.ts
+++ b/src/commands/auth-choice.apply.api-key-providers.ts
@@ -3,6 +3,8 @@ import type { SecretInput } from "../config/types.secrets.js";
 import { normalizeApiKeyInput, validateApiKeyInput } from "./auth-choice.api-key.js";
 import { ensureApiKeyFromOptionEnvOrPrompt } from "./auth-choice.apply-helpers.js";
 import type { ApplyAuthChoiceParams, ApplyAuthChoiceResult } from "./auth-choice.apply.js";
+import { ensureModelAllowlistEntry } from "./model-allowlist.js";
+import { applyPrimaryModel } from "./model-picker.js";
 import type { ApiKeyStorageOptions } from "./onboard-auth.credentials.js";
 import {
   applyAuthProfileConfig,
@@ -36,6 +38,8 @@ import {
   applyVeniceProviderConfig,
   applyVercelAiGatewayConfig,
   applyVercelAiGatewayProviderConfig,
+  applyXaiConfig,
+  applyXaiProviderConfig,
   applyXiaomiConfig,
   applyXiaomiProviderConfig,
   KILOCODE_DEFAULT_MODEL_REF,
@@ -58,11 +62,15 @@ import {
   setTogetherApiKey,
   setVeniceApiKey,
   setVercelAiGatewayApiKey,
+  setVolcengineApiKey,
+  setByteplusApiKey,
+  setXaiApiKey,
   setXiaomiApiKey,
   SYNTHETIC_DEFAULT_MODEL_REF,
   TOGETHER_DEFAULT_MODEL_REF,
   VENICE_DEFAULT_MODEL_REF,
   VERCEL_AI_GATEWAY_DEFAULT_MODEL_REF,
+  XAI_DEFAULT_MODEL_REF,
   XIAOMI_DEFAULT_MODEL_REF,
 } from "./onboard-auth.js";
 import type { AuthChoice, SecretInputMode } from "./onboard-types.js";
@@ -114,6 +122,9 @@ type SimpleApiKeyProviderFlow = {
   noteTitle?: string;
 };
 
+const VOLCENGINE_DEFAULT_MODEL_REF = "volcengine-plan/ark-code-latest";
+const BYTEPLUS_DEFAULT_MODEL_REF = "byteplus-plan/ark-code-latest";
+
 const SIMPLE_API_KEY_PROVIDER_FLOWS: Partial<Record<AuthChoice, SimpleApiKeyProviderFlow>> = {
   "ai-gateway-api-key": {
     provider: "vercel-ai-gateway",
@@ -178,6 +189,18 @@ const SIMPLE_API_KEY_PROVIDER_FLOWS: Partial<Record<AuthChoice, SimpleApiKeyProv
     applyProviderConfig: applyXiaomiProviderConfig,
     noteDefault: XIAOMI_DEFAULT_MODEL_REF,
   },
+  "xai-api-key": {
+    provider: "xai",
+    profileId: "xai:default",
+    expectedProviders: ["xai"],
+    envLabel: "XAI_API_KEY",
+    promptMessage: "Enter xAI API key",
+    setCredential: setXaiApiKey,
+    defaultModel: XAI_DEFAULT_MODEL_REF,
+    applyDefaultConfig: applyXaiConfig,
+    applyProviderConfig: applyXaiProviderConfig,
+    noteDefault: XAI_DEFAULT_MODEL_REF,
+  },
   "mistral-api-key": {
     provider: "mistral",
     profileId: "mistral:default",
@@ -332,6 +355,38 @@ const SIMPLE_API_KEY_PROVIDER_FLOWS: Partial<Record<AuthChoice, SimpleApiKeyProv
     normalize: (value) => String(value ?? "").trim(),
     validate: (value) => (String(value ?? "").trim() ? undefined : "Required"),
   },
+  "volcengine-api-key": {
+    provider: "volcengine",
+    profileId: "volcengine:default",
+    expectedProviders: ["volcengine"],
+    envLabel: "VOLCANO_ENGINE_API_KEY",
+    promptMessage: "Enter Volcano Engine API key",
+    setCredential: setVolcengineApiKey,
+    defaultModel: VOLCENGINE_DEFAULT_MODEL_REF,
+    applyDefaultConfig: (cfg) => applyPrimaryModel(cfg, VOLCENGINE_DEFAULT_MODEL_REF),
+    applyProviderConfig: (cfg) =>
+      ensureModelAllowlistEntry({
+        cfg,
+        modelRef: VOLCENGINE_DEFAULT_MODEL_REF,
+      }),
+    noteDefault: VOLCENGINE_DEFAULT_MODEL_REF,
+  },
+  "byteplus-api-key": {
+    provider: "byteplus",
+    profileId: "byteplus:default",
+    expectedProviders: ["byteplus"],
+    envLabel: "BYTEPLUS_API_KEY",
+    promptMessage: "Enter BytePlus API key",
+    setCredential: setByteplusApiKey,
+    defaultModel: BYTEPLUS_DEFAULT_MODEL_REF,
+    applyDefaultConfig: (cfg) => applyPrimaryModel(cfg, BYTEPLUS_DEFAULT_MODEL_REF),
+    applyProviderConfig: (cfg) =>
+      ensureModelAllowlistEntry({
+        cfg,
+        modelRef: BYTEPLUS_DEFAULT_MODEL_REF,
+      }),
+    noteDefault: BYTEPLUS_DEFAULT_MODEL_REF,
+  },
   "synthetic-api-key": {
     provider: "synthetic",
     profileId: "synthetic:default",
diff --git a/src/commands/auth-choice.apply.byteplus.ts b/src/commands/auth-choice.apply.byteplus.ts
deleted file mode 100644
index a3b0fea1d81..00000000000
--- a/src/commands/auth-choice.apply.byteplus.ts
+++ /dev/null
@@ -1,46 +0,0 @@
-import { normalizeApiKeyInput, validateApiKeyInput } from "./auth-choice.api-key.js";
-import {
-  ensureApiKeyFromOptionEnvOrPrompt,
-  normalizeSecretInputModeInput,
-} from "./auth-choice.apply-helpers.js";
-import type { ApplyAuthChoiceParams, ApplyAuthChoiceResult } from "./auth-choice.apply.js";
-import { applyPrimaryModel } from "./model-picker.js";
-import { applyAuthProfileConfig, setByteplusApiKey } from "./onboard-auth.js";
-
-/** Default model for BytePlus setup auth. */
-export const BYTEPLUS_DEFAULT_MODEL = "byteplus-plan/ark-code-latest";
-
-export async function applyAuthChoiceBytePlus(
-  params: ApplyAuthChoiceParams,
-): Promise<ApplyAuthChoiceResult | null> {
-  if (params.authChoice !== "byteplus-api-key") {
-    return null;
-  }
-
-  const requestedSecretInputMode = normalizeSecretInputModeInput(params.opts?.secretInputMode);
-  await ensureApiKeyFromOptionEnvOrPrompt({
-    token: params.opts?.byteplusApiKey,
-    tokenProvider: "byteplus",
-    secretInputMode: requestedSecretInputMode,
-    config: params.config,
-    expectedProviders: ["byteplus"],
-    provider: "byteplus",
-    envLabel: "BYTEPLUS_API_KEY",
-    promptMessage: "Enter BytePlus API key",
-    normalize: normalizeApiKeyInput,
-    validate: validateApiKeyInput,
-    prompter: params.prompter,
-    setCredential: async (apiKey, mode) =>
-      setByteplusApiKey(apiKey, params.agentDir, { secretInputMode: mode }),
-  });
-  const configWithAuth = applyAuthProfileConfig(params.config, {
-    profileId: "byteplus:default",
-    provider: "byteplus",
-    mode: "api_key",
-  });
-  const configWithModel = applyPrimaryModel(configWithAuth, BYTEPLUS_DEFAULT_MODEL);
-  return {
-    config: configWithModel,
-    agentModelOverride: BYTEPLUS_DEFAULT_MODEL,
-  };
-}
diff --git a/src/commands/auth-choice.apply.copilot-proxy.ts b/src/commands/auth-choice.apply.copilot-proxy.ts
deleted file mode 100644
index 3906846972e..00000000000
--- a/src/commands/auth-choice.apply.copilot-proxy.ts
+++ /dev/null
@@ -1,14 +0,0 @@
-import type { ApplyAuthChoiceParams, ApplyAuthChoiceResult } from "./auth-choice.apply.js";
-import { applyAuthChoicePluginProvider } from "./auth-choice.apply.plugin-provider.js";
-
-export async function applyAuthChoiceCopilotProxy(
-  params: ApplyAuthChoiceParams,
-): Promise<ApplyAuthChoiceResult | null> {
-  return await applyAuthChoicePluginProvider(params, {
-    authChoice: "copilot-proxy",
-    pluginId: "copilot-proxy",
-    providerId: "copilot-proxy",
-    methodId: "local",
-    label: "Copilot Proxy",
-  });
-}
diff --git a/src/commands/auth-choice.apply.github-copilot.ts b/src/commands/auth-choice.apply.github-copilot.ts
deleted file mode 100644
index 1ef474682af..00000000000
--- a/src/commands/auth-choice.apply.github-copilot.ts
+++ /dev/null
@@ -1,63 +0,0 @@
-import { toAgentModelListLike } from "../config/model-input.js";
-import { githubCopilotLoginCommand } from "../providers/github-copilot-auth.js";
-import type { ApplyAuthChoiceParams, ApplyAuthChoiceResult } from "./auth-choice.apply.js";
-import { applyAuthProfileConfig } from "./onboard-auth.js";
-
-export async function applyAuthChoiceGitHubCopilot(
-  params: ApplyAuthChoiceParams,
-): Promise<ApplyAuthChoiceResult | null> {
-  if (params.authChoice !== "github-copilot") {
-    return null;
-  }
-
-  let nextConfig = params.config;
-
-  await params.prompter.note(
-    [
-      "This will open a GitHub device login to authorize Copilot.",
-      "Requires an active GitHub Copilot subscription.",
-    ].join("\n"),
-    "GitHub Copilot",
-  );
-
-  if (!process.stdin.isTTY) {
-    await params.prompter.note(
-      "GitHub Copilot login requires an interactive TTY.",
-      "GitHub Copilot",
-    );
-    return { config: nextConfig };
-  }
-
-  try {
-    await githubCopilotLoginCommand({ yes: true }, params.runtime);
-  } catch (err) {
-    await params.prompter.note(`GitHub Copilot login failed: ${String(err)}`, "GitHub Copilot");
-    return { config: nextConfig };
-  }
-
-  nextConfig = applyAuthProfileConfig(nextConfig, {
-    profileId: "github-copilot:github",
-    provider: "github-copilot",
-    mode: "token",
-  });
-
-  if (params.setDefaultModel) {
-    const model = "github-copilot/gpt-4o";
-    nextConfig = {
-      ...nextConfig,
-      agents: {
-        ...nextConfig.agents,
-        defaults: {
-          ...nextConfig.agents?.defaults,
-          model: {
-            ...toAgentModelListLike(nextConfig.agents?.defaults?.model),
-            primary: model,
-          },
-        },
-      },
-    };
-    await params.prompter.note(`Default model set to ${model}`, "Model configured");
-  }
-
-  return { config: nextConfig };
-}
diff --git a/src/commands/auth-choice.apply.google-gemini-cli.test.ts b/src/commands/auth-choice.apply.google-gemini-cli.test.ts
deleted file mode 100644
index 50a17014908..00000000000
--- a/src/commands/auth-choice.apply.google-gemini-cli.test.ts
+++ /dev/null
@@ -1,86 +0,0 @@
-import { beforeEach, describe, expect, it, vi } from "vitest";
-import { applyAuthChoiceGoogleGeminiCli } from "./auth-choice.apply.google-gemini-cli.js";
-import type { ApplyAuthChoiceParams } from "./auth-choice.apply.js";
-import { applyAuthChoicePluginProvider } from "./auth-choice.apply.plugin-provider.js";
-import { createExitThrowingRuntime, createWizardPrompter } from "./test-wizard-helpers.js";
-
-vi.mock("./auth-choice.apply.plugin-provider.js", () => ({
-  applyAuthChoicePluginProvider: vi.fn(),
-}));
-
-function createParams(
-  authChoice: ApplyAuthChoiceParams["authChoice"],
-  overrides: Partial<ApplyAuthChoiceParams> = {},
-): ApplyAuthChoiceParams {
-  return {
-    authChoice,
-    config: {},
-    prompter: createWizardPrompter({}, { defaultSelect: "" }),
-    runtime: createExitThrowingRuntime(),
-    setDefaultModel: true,
-    ...overrides,
-  };
-}
-
-describe("applyAuthChoiceGoogleGeminiCli", () => {
-  const mockedApplyAuthChoicePluginProvider = vi.mocked(applyAuthChoicePluginProvider);
-
-  beforeEach(() => {
-    mockedApplyAuthChoicePluginProvider.mockReset();
-  });
-
-  it("returns null for unrelated authChoice", async () => {
-    const result = await applyAuthChoiceGoogleGeminiCli(createParams("openrouter-api-key"));
-
-    expect(result).toBeNull();
-    expect(mockedApplyAuthChoicePluginProvider).not.toHaveBeenCalled();
-  });
-
-  it("shows caution and skips setup when user declines", async () => {
-    const confirm = vi.fn(async () => false);
-    const note = vi.fn(async () => {});
-    const params = createParams("google-gemini-cli", {
-      prompter: createWizardPrompter({ confirm, note }, { defaultSelect: "" }),
-    });
-
-    const result = await applyAuthChoiceGoogleGeminiCli(params);
-
-    expect(result).toEqual({ config: params.config });
-    expect(note).toHaveBeenNthCalledWith(
-      1,
-      expect.stringContaining("This is an unofficial integration and is not endorsed by Google."),
-      "Google Gemini CLI caution",
-    );
-    expect(confirm).toHaveBeenCalledWith({
-      message: "Continue with Google Gemini CLI OAuth?",
-      initialValue: false,
-    });
-    expect(note).toHaveBeenNthCalledWith(
-      2,
-      "Skipped Google Gemini CLI OAuth setup.",
-      "Setup skipped",
-    );
-    expect(mockedApplyAuthChoicePluginProvider).not.toHaveBeenCalled();
-  });
-
-  it("continues to plugin provider flow when user confirms", async () => {
-    const confirm = vi.fn(async () => true);
-    const note = vi.fn(async () => {});
-    const params = createParams("google-gemini-cli", {
-      prompter: createWizardPrompter({ confirm, note }, { defaultSelect: "" }),
-    });
-    const expected = { config: {} };
-    mockedApplyAuthChoicePluginProvider.mockResolvedValue(expected);
-
-    const result = await applyAuthChoiceGoogleGeminiCli(params);
-
-    expect(result).toBe(expected);
-    expect(mockedApplyAuthChoicePluginProvider).toHaveBeenCalledWith(params, {
-      authChoice: "google-gemini-cli",
-      pluginId: "google",
-      providerId: "google-gemini-cli",
-      methodId: "oauth",
-      label: "Google Gemini CLI",
-    });
-  });
-});
diff --git a/src/commands/auth-choice.apply.google-gemini-cli.ts b/src/commands/auth-choice.apply.google-gemini-cli.ts
deleted file mode 100644
index e2aa1d02398..00000000000
--- a/src/commands/auth-choice.apply.google-gemini-cli.ts
+++ /dev/null
@@ -1,37 +0,0 @@
-import type { ApplyAuthChoiceParams, ApplyAuthChoiceResult } from "./auth-choice.apply.js";
-import { applyAuthChoicePluginProvider } from "./auth-choice.apply.plugin-provider.js";
-
-export async function applyAuthChoiceGoogleGeminiCli(
-  params: ApplyAuthChoiceParams,
-): Promise<ApplyAuthChoiceResult | null> {
-  if (params.authChoice !== "google-gemini-cli") {
-    return null;
-  }
-
-  await params.prompter.note(
-    [
-      "This is an unofficial integration and is not endorsed by Google.",
-      "Some users have reported account restrictions or suspensions after using third-party Gemini CLI and Antigravity OAuth clients.",
-      "Proceed only if you understand and accept this risk.",
-    ].join("\n"),
-    "Google Gemini CLI caution",
-  );
-
-  const proceed = await params.prompter.confirm({
-    message: "Continue with Google Gemini CLI OAuth?",
-    initialValue: false,
-  });
-
-  if (!proceed) {
-    await params.prompter.note("Skipped Google Gemini CLI OAuth setup.", "Setup skipped");
-    return { config: params.config };
-  }
-
-  return await applyAuthChoicePluginProvider(params, {
-    authChoice: "google-gemini-cli",
-    pluginId: "google",
-    providerId: "google-gemini-cli",
-    methodId: "oauth",
-    label: "Google Gemini CLI",
-  });
-}
diff --git a/src/commands/auth-choice.apply.qwen-portal.ts b/src/commands/auth-choice.apply.qwen-portal.ts
deleted file mode 100644
index b8c975c591f..00000000000
--- a/src/commands/auth-choice.apply.qwen-portal.ts
+++ /dev/null
@@ -1,14 +0,0 @@
-import type { ApplyAuthChoiceParams, ApplyAuthChoiceResult } from "./auth-choice.apply.js";
-import { applyAuthChoicePluginProvider } from "./auth-choice.apply.plugin-provider.js";
-
-export async function applyAuthChoiceQwenPortal(
-  params: ApplyAuthChoiceParams,
-): Promise<ApplyAuthChoiceResult | null> {
-  return await applyAuthChoicePluginProvider(params, {
-    authChoice: "qwen-portal",
-    pluginId: "qwen-portal-auth",
-    providerId: "qwen-portal",
-    methodId: "device",
-    label: "Qwen",
-  });
-}
diff --git a/src/commands/auth-choice.apply.ts b/src/commands/auth-choice.apply.ts
index b01fd65c875..798d8991199 100644
--- a/src/commands/auth-choice.apply.ts
+++ b/src/commands/auth-choice.apply.ts
@@ -3,17 +3,10 @@ import type { RuntimeEnv } from "../runtime.js";
 import type { WizardPrompter } from "../wizard/prompts.js";
 import { applyAuthChoiceAnthropic } from "./auth-choice.apply.anthropic.js";
 import { applyAuthChoiceApiProviders } from "./auth-choice.apply.api-providers.js";
-import { applyAuthChoiceBytePlus } from "./auth-choice.apply.byteplus.js";
-import { applyAuthChoiceCopilotProxy } from "./auth-choice.apply.copilot-proxy.js";
-import { applyAuthChoiceGitHubCopilot } from "./auth-choice.apply.github-copilot.js";
-import { applyAuthChoiceGoogleGeminiCli } from "./auth-choice.apply.google-gemini-cli.js";
 import { applyAuthChoiceMiniMax } from "./auth-choice.apply.minimax.js";
 import { applyAuthChoiceOAuth } from "./auth-choice.apply.oauth.js";
 import { applyAuthChoiceOpenAI } from "./auth-choice.apply.openai.js";
 import { applyAuthChoiceLoadedPluginProvider } from "./auth-choice.apply.plugin-provider.js";
-import { applyAuthChoiceQwenPortal } from "./auth-choice.apply.qwen-portal.js";
-import { applyAuthChoiceVolcengine } from "./auth-choice.apply.volcengine.js";
-import { applyAuthChoiceXAI } from "./auth-choice.apply.xai.js";
 import type { AuthChoice, OnboardOptions } from "./onboard-types.js";
 
 export type ApplyAuthChoiceParams = {
@@ -42,13 +35,6 @@ export async function applyAuthChoice(
     applyAuthChoiceOAuth,
     applyAuthChoiceApiProviders,
     applyAuthChoiceMiniMax,
-    applyAuthChoiceGitHubCopilot,
-    applyAuthChoiceGoogleGeminiCli,
-    applyAuthChoiceCopilotProxy,
-    applyAuthChoiceQwenPortal,
-    applyAuthChoiceXAI,
-    applyAuthChoiceVolcengine,
-    applyAuthChoiceBytePlus,
   ];
 
   for (const handler of handlers) {
diff --git a/src/commands/auth-choice.apply.volcengine-byteplus.test.ts b/src/commands/auth-choice.apply.volcengine-byteplus.test.ts
deleted file mode 100644
index 0f86d06f3cd..00000000000
--- a/src/commands/auth-choice.apply.volcengine-byteplus.test.ts
+++ /dev/null
@@ -1,141 +0,0 @@
-import { afterEach, describe, expect, it, vi } from "vitest";
-import { applyAuthChoiceBytePlus } from "./auth-choice.apply.byteplus.js";
-import { applyAuthChoiceVolcengine } from "./auth-choice.apply.volcengine.js";
-import {
-  createAuthTestLifecycle,
-  createExitThrowingRuntime,
-  createWizardPrompter,
-  readAuthProfilesForAgent,
-  setupAuthTestEnv,
-} from "./test-wizard-helpers.js";
-
-describe("volcengine/byteplus auth choice", () => {
-  const lifecycle = createAuthTestLifecycle([
-    "OPENCLAW_STATE_DIR",
-    "OPENCLAW_AGENT_DIR",
-    "PI_CODING_AGENT_DIR",
-    "VOLCANO_ENGINE_API_KEY",
-    "BYTEPLUS_API_KEY",
-  ]);
-
-  async function setupTempState() {
-    const env = await setupAuthTestEnv("openclaw-volc-byte-");
-    lifecycle.setStateDir(env.stateDir);
-    return env.agentDir;
-  }
-
-  function createTestContext(defaultSelect: string, confirmResult = true, textValue = "unused") {
-    return {
-      prompter: createWizardPrompter(
-        {
-          confirm: vi.fn(async () => confirmResult),
-          text: vi.fn(async () => textValue),
-        },
-        { defaultSelect },
-      ),
-      runtime: createExitThrowingRuntime(),
-    };
-  }
-
-  type ProviderAuthCase = {
-    provider: "volcengine" | "byteplus";
-    authChoice: "volcengine-api-key" | "byteplus-api-key";
-    envVar: "VOLCANO_ENGINE_API_KEY" | "BYTEPLUS_API_KEY";
-    envValue: string;
-    profileId: "volcengine:default" | "byteplus:default";
-    applyAuthChoice: typeof applyAuthChoiceVolcengine | typeof applyAuthChoiceBytePlus;
-  };
-
-  async function runProviderAuthChoice(
-    testCase: ProviderAuthCase,
-    options?: {
-      defaultSelect?: string;
-      confirmResult?: boolean;
-      textValue?: string;
-      secretInputMode?: "ref"; // pragma: allowlist secret
-    },
-  ) {
-    const agentDir = await setupTempState();
-    process.env[testCase.envVar] = testCase.envValue;
-
-    const { prompter, runtime } = createTestContext(
-      options?.defaultSelect ?? "plaintext",
-      options?.confirmResult ?? true,
-      options?.textValue ?? "unused",
-    );
-
-    const result = await testCase.applyAuthChoice({
-      authChoice: testCase.authChoice,
-      config: {},
-      prompter,
-      runtime,
-      setDefaultModel: true,
-      ...(options?.secretInputMode ? { opts: { secretInputMode: options.secretInputMode } } : {}),
-    });
-
-    const parsed = await readAuthProfilesForAgent<{
-      profiles?: Record<string, { key?: string; keyRef?: unknown }>;
-    }>(agentDir);
-
-    return { result, parsed };
-  }
-
-  const providerAuthCases: ProviderAuthCase[] = [
-    {
-      provider: "volcengine",
-      authChoice: "volcengine-api-key",
-      envVar: "VOLCANO_ENGINE_API_KEY",
-      envValue: "volc-env-key",
-      profileId: "volcengine:default",
-      applyAuthChoice: applyAuthChoiceVolcengine,
-    },
-    {
-      provider: "byteplus",
-      authChoice: "byteplus-api-key",
-      envVar: "BYTEPLUS_API_KEY",
-      envValue: "byte-env-key",
-      profileId: "byteplus:default",
-      applyAuthChoice: applyAuthChoiceBytePlus,
-    },
-  ];
-
-  afterEach(async () => {
-    await lifecycle.cleanup();
-  });
-
-  it.each(providerAuthCases)(
-    "stores $provider env key as plaintext by default",
-    async (testCase) => {
-      const { result, parsed } = await runProviderAuthChoice(testCase);
-      expect(result).not.toBeNull();
-      expect(result?.config.auth?.profiles?.[testCase.profileId]).toMatchObject({
-        provider: testCase.provider,
-        mode: "api_key",
-      });
-      expect(parsed.profiles?.[testCase.profileId]?.key).toBe(testCase.envValue);
-      expect(parsed.profiles?.[testCase.profileId]?.keyRef).toBeUndefined();
-    },
-  );
-
-  it.each(providerAuthCases)("stores $provider env key as keyRef in ref mode", async (testCase) => {
-    const { result, parsed } = await runProviderAuthChoice(testCase, {
-      defaultSelect: "ref",
-    });
-    expect(result).not.toBeNull();
-    expect(parsed.profiles?.[testCase.profileId]).toMatchObject({
-      keyRef: { source: "env", provider: "default", id: testCase.envVar },
-    });
-    expect(parsed.profiles?.[testCase.profileId]?.key).toBeUndefined();
-  });
-
-  it("stores explicit volcengine key when env is not used", async () => {
-    const { result, parsed } = await runProviderAuthChoice(providerAuthCases[0], {
-      defaultSelect: "",
-      confirmResult: false,
-      textValue: "volc-manual-key",
-    });
-    expect(result).not.toBeNull();
-    expect(parsed.profiles?.["volcengine:default"]?.key).toBe("volc-manual-key");
-    expect(parsed.profiles?.["volcengine:default"]?.keyRef).toBeUndefined();
-  });
-});
diff --git a/src/commands/auth-choice.apply.volcengine.ts b/src/commands/auth-choice.apply.volcengine.ts
deleted file mode 100644
index 420dd506a26..00000000000
--- a/src/commands/auth-choice.apply.volcengine.ts
+++ /dev/null
@@ -1,46 +0,0 @@
-import { normalizeApiKeyInput, validateApiKeyInput } from "./auth-choice.api-key.js";
-import {
-  ensureApiKeyFromOptionEnvOrPrompt,
-  normalizeSecretInputModeInput,
-} from "./auth-choice.apply-helpers.js";
-import type { ApplyAuthChoiceParams, ApplyAuthChoiceResult } from "./auth-choice.apply.js";
-import { applyPrimaryModel } from "./model-picker.js";
-import { applyAuthProfileConfig, setVolcengineApiKey } from "./onboard-auth.js";
-
-/** Default model for Volcano Engine setup auth. */
-export const VOLCENGINE_DEFAULT_MODEL = "volcengine-plan/ark-code-latest";
-
-export async function applyAuthChoiceVolcengine(
-  params: ApplyAuthChoiceParams,
-): Promise<ApplyAuthChoiceResult | null> {
-  if (params.authChoice !== "volcengine-api-key") {
-    return null;
-  }
-
-  const requestedSecretInputMode = normalizeSecretInputModeInput(params.opts?.secretInputMode);
-  await ensureApiKeyFromOptionEnvOrPrompt({
-    token: params.opts?.volcengineApiKey,
-    tokenProvider: "volcengine",
-    secretInputMode: requestedSecretInputMode,
-    config: params.config,
-    expectedProviders: ["volcengine"],
-    provider: "volcengine",
-    envLabel: "VOLCANO_ENGINE_API_KEY",
-    promptMessage: "Enter Volcano Engine API key",
-    normalize: normalizeApiKeyInput,
-    validate: validateApiKeyInput,
-    prompter: params.prompter,
-    setCredential: async (apiKey, mode) =>
-      setVolcengineApiKey(apiKey, params.agentDir, { secretInputMode: mode }),
-  });
-  const configWithAuth = applyAuthProfileConfig(params.config, {
-    profileId: "volcengine:default",
-    provider: "volcengine",
-    mode: "api_key",
-  });
-  const configWithModel = applyPrimaryModel(configWithAuth, VOLCENGINE_DEFAULT_MODEL);
-  return {
-    config: configWithModel,
-    agentModelOverride: VOLCENGINE_DEFAULT_MODEL,
-  };
-}
diff --git a/src/commands/auth-choice.apply.xai.ts b/src/commands/auth-choice.apply.xai.ts
deleted file mode 100644
index 68e9ac651c3..00000000000
--- a/src/commands/auth-choice.apply.xai.ts
+++ /dev/null
@@ -1,65 +0,0 @@
-import { normalizeApiKeyInput, validateApiKeyInput } from "./auth-choice.api-key.js";
-import {
-  createAuthChoiceAgentModelNoter,
-  ensureApiKeyFromOptionEnvOrPrompt,
-  normalizeSecretInputModeInput,
-} from "./auth-choice.apply-helpers.js";
-import type { ApplyAuthChoiceParams, ApplyAuthChoiceResult } from "./auth-choice.apply.js";
-import { applyDefaultModelChoice } from "./auth-choice.default-model.js";
-import {
-  applyAuthProfileConfig,
-  applyXaiConfig,
-  applyXaiProviderConfig,
-  setXaiApiKey,
-  XAI_DEFAULT_MODEL_REF,
-} from "./onboard-auth.js";
-
-export async function applyAuthChoiceXAI(
-  params: ApplyAuthChoiceParams,
-): Promise<ApplyAuthChoiceResult | null> {
-  if (params.authChoice !== "xai-api-key") {
-    return null;
-  }
-
-  let nextConfig = params.config;
-  let agentModelOverride: string | undefined;
-  const noteAgentModel = createAuthChoiceAgentModelNoter(params);
-  const requestedSecretInputMode = normalizeSecretInputModeInput(params.opts?.secretInputMode);
-  await ensureApiKeyFromOptionEnvOrPrompt({
-    token: params.opts?.xaiApiKey,
-    tokenProvider: "xai",
-    secretInputMode: requestedSecretInputMode,
-    config: nextConfig,
-    expectedProviders: ["xai"],
-    provider: "xai",
-    envLabel: "XAI_API_KEY",
-    promptMessage: "Enter xAI API key",
-    normalize: normalizeApiKeyInput,
-    validate: validateApiKeyInput,
-    prompter: params.prompter,
-    setCredential: async (apiKey, mode) =>
-      setXaiApiKey(apiKey, params.agentDir, { secretInputMode: mode }),
-  });
-
-  nextConfig = applyAuthProfileConfig(nextConfig, {
-    profileId: "xai:default",
-    provider: "xai",
-    mode: "api_key",
-  });
-  {
-    const applied = await applyDefaultModelChoice({
-      config: nextConfig,
-      setDefaultModel: params.setDefaultModel,
-      defaultModel: XAI_DEFAULT_MODEL_REF,
-      applyDefaultConfig: applyXaiConfig,
-      applyProviderConfig: applyXaiProviderConfig,
-      noteDefault: XAI_DEFAULT_MODEL_REF,
-      noteAgentModel,
-      prompter: params.prompter,
-    });
-    nextConfig = applied.config;
-    agentModelOverride = applied.agentModelOverride ?? agentModelOverride;
-  }
-
-  return { config: nextConfig, agentModelOverride };
-}
diff --git a/src/commands/auth-choice.test.ts b/src/commands/auth-choice.test.ts
index 35456109117..515291feb34 100644
--- a/src/commands/auth-choice.test.ts
+++ b/src/commands/auth-choice.test.ts
@@ -968,6 +968,33 @@ describe("applyAuthChoice", () => {
   it("sets default model when selecting github-copilot", async () => {
     await setupTempState();
 
+    resolvePluginProviders.mockReturnValue([
+      {
+        id: "github-copilot",
+        label: "GitHub Copilot",
+        auth: [
+          {
+            id: "device",
+            label: "GitHub device login",
+            kind: "device_code",
+            run: vi.fn(async () => ({
+              profiles: [
+                {
+                  profileId: "github-copilot:github",
+                  credential: {
+                    type: "token",
+                    provider: "github-copilot",
+                    token: "github-device-token",
+                  },
+                },
+              ],
+              defaultModel: "github-copilot/gpt-4o",
+            })),
+          },
+        ],
+      },
+    ] as never);
+
     const prompter = createPrompter({});
     const runtime = createExitThrowingRuntime();
 
diff --git a/src/plugin-sdk/core.ts b/src/plugin-sdk/core.ts
index 025efaff67a..0ddedea92f8 100644
--- a/src/plugin-sdk/core.ts
+++ b/src/plugin-sdk/core.ts
@@ -26,6 +26,7 @@ export type {
   ProviderWrapStreamFnContext,
   OpenClawPluginService,
   ProviderAuthContext,
+  ProviderAuthDoctorHintContext,
   ProviderAuthMethodNonInteractiveContext,
   ProviderAuthResult,
 } from "../plugins/types.js";
diff --git a/src/plugin-sdk/index.ts b/src/plugin-sdk/index.ts
index 5fe73cd91da..6e70c8b7c19 100644
--- a/src/plugin-sdk/index.ts
+++ b/src/plugin-sdk/index.ts
@@ -109,6 +109,7 @@ export type {
   PluginInteractiveTelegramHandlerContext,
   PluginLogger,
   ProviderAuthContext,
+  ProviderAuthDoctorHintContext,
   ProviderAuthResult,
   ProviderAugmentModelCatalogContext,
   ProviderBuiltInModelSuppressionContext,
diff --git a/src/plugins/provider-runtime.runtime.ts b/src/plugins/provider-runtime.runtime.ts
index 34a46e1bdac..d4f036e1cf8 100644
--- a/src/plugins/provider-runtime.runtime.ts
+++ b/src/plugins/provider-runtime.runtime.ts
@@ -1,4 +1,7 @@
 export {
   augmentModelCatalogWithProviderPlugins,
+  buildProviderAuthDoctorHintWithPlugin,
   buildProviderMissingAuthMessageWithPlugin,
+  formatProviderAuthProfileApiKeyWithPlugin,
+  refreshProviderOAuthCredentialWithPlugin,
 } from "./provider-runtime.js";
diff --git a/src/plugins/provider-runtime.test.ts b/src/plugins/provider-runtime.test.ts
index 23234be8109..266abe24556 100644
--- a/src/plugins/provider-runtime.test.ts
+++ b/src/plugins/provider-runtime.test.ts
@@ -14,7 +14,9 @@ vi.mock("./providers.js", () => ({
 
 import {
   augmentModelCatalogWithProviderPlugins,
+  buildProviderAuthDoctorHintWithPlugin,
   buildProviderMissingAuthMessageWithPlugin,
+  formatProviderAuthProfileApiKeyWithPlugin,
   prepareProviderExtraParams,
   resolveProviderCacheTtlEligibility,
   resolveProviderBinaryThinking,
@@ -28,6 +30,7 @@ import {
   normalizeProviderResolvedModelWithPlugin,
   prepareProviderDynamicModel,
   prepareProviderRuntimeAuth,
+  refreshProviderOAuthCredentialWithPlugin,
   resolveProviderRuntimePlugin,
   runProviderDynamicModel,
   wrapProviderStreamFn,
@@ -87,6 +90,10 @@ describe("provider-runtime", () => {
       baseUrl: "https://runtime.example.com/v1",
       expiresAt: 123,
     }));
+    const refreshOAuth = vi.fn(async (cred) => ({
+      ...cred,
+      access: "refreshed-access-token",
+    }));
     const resolveUsageAuth = vi.fn(async () => ({
       token: "usage-token",
       accountId: "usage-account",
@@ -96,34 +103,7 @@ describe("provider-runtime", () => {
       displayName: "Demo",
       windows: [{ label: "Day", usedPercent: 25 }],
     }));
-    resolvePluginProvidersMock.mockImplementation((params: unknown) => {
-      const scopedParams = params as { onlyPluginIds?: string[] } | undefined;
-      if (scopedParams?.onlyPluginIds?.includes("openai")) {
-        return [
-          {
-            id: "openai",
-            label: "OpenAI",
-            auth: [],
-            buildMissingAuthMessage: () =>
-              'No API key found for provider "openai". Use openai-codex/gpt-5.4.',
-            suppressBuiltInModel: ({ provider, modelId }) =>
-              provider === "azure-openai-responses" && modelId === "gpt-5.3-codex-spark"
-                ? { suppress: true, errorMessage: "openai-codex/gpt-5.3-codex-spark" }
-                : undefined,
-            augmentModelCatalog: () => [
-              { provider: "openai", id: "gpt-5.4", name: "gpt-5.4" },
-              { provider: "openai", id: "gpt-5.4-pro", name: "gpt-5.4-pro" },
-              { provider: "openai-codex", id: "gpt-5.4", name: "gpt-5.4" },
-              {
-                provider: "openai-codex",
-                id: "gpt-5.3-codex-spark",
-                name: "gpt-5.3-codex-spark",
-              },
-            ],
-          },
-        ];
-      }
-
+    resolvePluginProvidersMock.mockImplementation((_params: unknown) => {
       return [
         {
           id: "demo",
@@ -143,6 +123,11 @@ describe("provider-runtime", () => {
             ...model,
             api: "openai-codex-responses",
           }),
+          formatApiKey: (cred) =>
+            cred.type === "oauth" ? JSON.stringify({ token: cred.access }) : "",
+          refreshOAuth,
+          buildAuthDoctorHint: ({ provider, profileId }) =>
+            provider === "demo" ? `Repair ${profileId}` : undefined,
           prepareRuntimeAuth,
           resolveUsageAuth,
           fetchUsageSnapshot,
@@ -152,6 +137,27 @@ describe("provider-runtime", () => {
           resolveDefaultThinkingLevel: ({ reasoning }) => (reasoning ? "low" : "off"),
           isModernModelRef: ({ modelId }) => modelId.startsWith("gpt-5"),
         },
+        {
+          id: "openai",
+          label: "OpenAI",
+          auth: [],
+          buildMissingAuthMessage: () =>
+            'No API key found for provider "openai". Use openai-codex/gpt-5.4.',
+          suppressBuiltInModel: ({ provider, modelId }) =>
+            provider === "azure-openai-responses" && modelId === "gpt-5.3-codex-spark"
+              ? { suppress: true, errorMessage: "openai-codex/gpt-5.3-codex-spark" }
+              : undefined,
+          augmentModelCatalog: () => [
+            { provider: "openai", id: "gpt-5.4", name: "gpt-5.4" },
+            { provider: "openai", id: "gpt-5.4-pro", name: "gpt-5.4-pro" },
+            { provider: "openai-codex", id: "gpt-5.4", name: "gpt-5.4" },
+            {
+              provider: "openai-codex",
+              id: "gpt-5.3-codex-spark",
+              name: "gpt-5.3-codex-spark",
+            },
+          ],
+        },
       ];
     });
 
@@ -241,6 +247,45 @@ describe("provider-runtime", () => {
       expiresAt: 123,
     });
 
+    expect(
+      formatProviderAuthProfileApiKeyWithPlugin({
+        provider: "demo",
+        context: {
+          type: "oauth",
+          provider: "demo",
+          access: "oauth-access",
+          refresh: "oauth-refresh",
+          expires: Date.now() + 60_000,
+        },
+      }),
+    ).toBe('{"token":"oauth-access"}');
+
+    await expect(
+      refreshProviderOAuthCredentialWithPlugin({
+        provider: "demo",
+        context: {
+          type: "oauth",
+          provider: "demo",
+          access: "oauth-access",
+          refresh: "oauth-refresh",
+          expires: Date.now() + 60_000,
+        },
+      }),
+    ).resolves.toMatchObject({
+      access: "refreshed-access-token",
+    });
+
+    await expect(
+      buildProviderAuthDoctorHintWithPlugin({
+        provider: "demo",
+        context: {
+          provider: "demo",
+          profileId: "demo:default",
+          store: { version: 1, profiles: {} },
+        },
+      }),
+    ).resolves.toBe("Repair demo:default");
+
     await expect(
       resolveProviderUsageAuthWithPlugin({
         provider: "demo",
@@ -376,12 +421,8 @@ describe("provider-runtime", () => {
       },
     ]);
 
-    expect(resolvePluginProvidersMock).toHaveBeenCalledWith(
-      expect.objectContaining({
-        onlyPluginIds: ["openai"],
-      }),
-    );
     expect(prepareDynamicModel).toHaveBeenCalledTimes(1);
+    expect(refreshOAuth).toHaveBeenCalledTimes(1);
     expect(prepareRuntimeAuth).toHaveBeenCalledTimes(1);
     expect(resolveUsageAuth).toHaveBeenCalledTimes(1);
     expect(fetchUsageSnapshot).toHaveBeenCalledTimes(1);
diff --git a/src/plugins/provider-runtime.ts b/src/plugins/provider-runtime.ts
index 41c0a70ec4d..189b5ccef0c 100644
--- a/src/plugins/provider-runtime.ts
+++ b/src/plugins/provider-runtime.ts
@@ -1,7 +1,9 @@
+import type { AuthProfileCredential, OAuthCredential } from "../agents/auth-profiles/types.js";
 import { normalizeProviderId } from "../agents/model-selection.js";
 import type { OpenClawConfig } from "../config/config.js";
 import { resolveOwningPluginIdsForProvider, resolvePluginProviders } from "./providers.js";
 import type {
+  ProviderAuthDoctorHintContext,
   ProviderAugmentModelCatalogContext,
   ProviderBuildMissingAuthMessageContext,
   ProviderBuiltInModelSuppressionContext,
@@ -46,19 +48,6 @@ function resolveProviderPluginsForHooks(params: {
   });
 }
 
-const GLOBAL_PROVIDER_HOOK_PLUGIN_IDS = ["openai"] as const;
-
-function resolveGlobalProviderHookPlugins(params: {
-  config?: OpenClawConfig;
-  workspaceDir?: string;
-  env?: NodeJS.ProcessEnv;
-}): ProviderPlugin[] {
-  return resolveProviderPluginsForHooks({
-    ...params,
-    onlyPluginIds: [...GLOBAL_PROVIDER_HOOK_PLUGIN_IDS],
-  });
-}
-
 export function resolveProviderRuntimePlugin(params: {
   provider: string;
   config?: OpenClawConfig;
@@ -174,6 +163,36 @@ export async function resolveProviderUsageSnapshotWithPlugin(params: {
   return await resolveProviderRuntimePlugin(params)?.fetchUsageSnapshot?.(params.context);
 }
 
+export function formatProviderAuthProfileApiKeyWithPlugin(params: {
+  provider: string;
+  config?: OpenClawConfig;
+  workspaceDir?: string;
+  env?: NodeJS.ProcessEnv;
+  context: AuthProfileCredential;
+}) {
+  return resolveProviderRuntimePlugin(params)?.formatApiKey?.(params.context);
+}
+
+export async function refreshProviderOAuthCredentialWithPlugin(params: {
+  provider: string;
+  config?: OpenClawConfig;
+  workspaceDir?: string;
+  env?: NodeJS.ProcessEnv;
+  context: OAuthCredential;
+}) {
+  return await resolveProviderRuntimePlugin(params)?.refreshOAuth?.(params.context);
+}
+
+export async function buildProviderAuthDoctorHintWithPlugin(params: {
+  provider: string;
+  config?: OpenClawConfig;
+  workspaceDir?: string;
+  env?: NodeJS.ProcessEnv;
+  context: ProviderAuthDoctorHintContext;
+}) {
+  return await resolveProviderRuntimePlugin(params)?.buildAuthDoctorHint?.(params.context);
+}
+
 export function resolveProviderCacheTtlEligibility(params: {
   provider: string;
   config?: OpenClawConfig;
@@ -231,10 +250,9 @@ export function buildProviderMissingAuthMessageWithPlugin(params: {
   env?: NodeJS.ProcessEnv;
   context: ProviderBuildMissingAuthMessageContext;
 }) {
-  const plugin = resolveGlobalProviderHookPlugins(params).find((providerPlugin) =>
-    matchesProviderId(providerPlugin, params.provider),
+  return (
+    resolveProviderRuntimePlugin(params)?.buildMissingAuthMessage?.(params.context) ?? undefined
   );
-  return plugin?.buildMissingAuthMessage?.(params.context) ?? undefined;
 }
 
 export function resolveProviderBuiltInModelSuppression(params: {
@@ -243,7 +261,7 @@ export function resolveProviderBuiltInModelSuppression(params: {
   env?: NodeJS.ProcessEnv;
   context: ProviderBuiltInModelSuppressionContext;
 }) {
-  for (const plugin of resolveGlobalProviderHookPlugins(params)) {
+  for (const plugin of resolveProviderPluginsForHooks(params)) {
     const result = plugin.suppressBuiltInModel?.(params.context);
     if (result?.suppress) {
       return result;
@@ -259,7 +277,7 @@ export async function augmentModelCatalogWithProviderPlugins(params: {
   context: ProviderAugmentModelCatalogContext;
 }) {
   const supplemental = [] as ProviderAugmentModelCatalogContext["entries"];
-  for (const plugin of resolveGlobalProviderHookPlugins(params)) {
+  for (const plugin of resolveProviderPluginsForHooks(params)) {
     const next = await plugin.augmentModelCatalog?.(params.context);
     if (!next || next.length === 0) {
       continue;
diff --git a/src/plugins/types.ts b/src/plugins/types.ts
index ac40aa9f912..bea63007fb2 100644
--- a/src/plugins/types.ts
+++ b/src/plugins/types.ts
@@ -9,6 +9,7 @@ import type {
   ApiKeyCredential,
   AuthProfileCredential,
   OAuthCredential,
+  AuthProfileStore,
 } from "../agents/auth-profiles/types.js";
 import type { ModelCatalogEntry } from "../agents/model-catalog.js";
 import type { ProviderCapabilities } from "../agents/provider-capabilities.js";
@@ -367,6 +368,20 @@ export type ProviderFetchUsageSnapshotContext = {
   fetchFn: typeof fetch;
 };
 
+/**
+ * Provider-owned auth-doctor hint input.
+ *
+ * Called when OAuth refresh fails and OpenClaw wants a provider-specific repair
+ * hint to append to the generic re-auth message. Use this for legacy profile-id
+ * migrations or other provider-owned auth-store cleanup guidance.
+ */
+export type ProviderAuthDoctorHintContext = {
+  config?: OpenClawConfig;
+  store: AuthProfileStore;
+  provider: string;
+  profileId?: string;
+};
+
 /**
  * Provider-owned extra-param normalization before OpenClaw builds its generic
  * stream option wrapper.
@@ -732,8 +747,34 @@ export type ProviderPlugin = {
    */
   isModernModelRef?: (ctx: ProviderModernModelPolicyContext) => boolean | undefined;
   wizard?: ProviderPluginWizard;
+  /**
+   * Provider-owned auth-profile API-key formatter.
+   *
+   * OpenClaw uses this when a stored auth profile is already valid and needs to
+   * be converted into the runtime `apiKey` string expected by the provider. Use
+   * this for providers whose auth profile stores extra metadata alongside the
+   * bearer token (for example Gemini CLI's `{ token, projectId }` payload).
+   */
   formatApiKey?: (cred: AuthProfileCredential) => string;
+  /**
+   * Provider-owned OAuth refresh.
+   *
+   * OpenClaw calls this before falling back to the shared `pi-ai` OAuth
+   * refreshers. Use it when the provider has a custom refresh endpoint, or when
+   * the provider needs custom refresh-failure behavior that should stay out of
+   * core auth-profile code.
+   */
   refreshOAuth?: (cred: OAuthCredential) => Promise<OAuthCredential>;
+  /**
+   * Provider-owned auth-doctor hint.
+   *
+   * Return a multiline repair hint when OAuth refresh fails and the provider
+   * wants to steer users toward a specific auth-profile migration or recovery
+   * path. Return nothing to keep OpenClaw's generic error text.
+   */
+  buildAuthDoctorHint?: (
+    ctx: ProviderAuthDoctorHintContext,
+  ) => string | Promise<string | null | undefined> | null | undefined;
   onModelSelected?: (ctx: ProviderModelSelectedContext) => Promise<void>;
 };
 

From 304703f1654a142acf69747f4d91eb3d7220c96b Mon Sep 17 00:00:00 2001
From: Joey Krug <joeykrug@gmail.com>
Date: Sun, 15 Mar 2026 21:04:39 -0400
Subject: [PATCH 004/133] fix: resume orphaned subagent sessions after SIGUSR1
 reload

Closes #47711

After a SIGUSR1 gateway reload aborts in-flight subagent LLM calls, the gateway now scans for orphaned sessions and sends a synthetic resume message to restart their work. Also makes the deferral timeout configurable via gateway.reload.deferralTimeoutMs (default: 5 minutes, up from 90s).
---
 src/agents/subagent-orphan-recovery.test.ts | 316 ++++++++++++++++++++
 src/agents/subagent-orphan-recovery.ts      | 185 ++++++++++++
 src/agents/subagent-registry.ts             |   8 +
 src/config/schema.help.ts                   |   2 +
 src/config/types.gateway.ts                 |   7 +
 src/config/zod-schema.ts                    |   1 +
 src/gateway/server-reload-handlers.ts       |   1 +
 src/infra/restart.deferral-timeout.test.ts  | 119 ++++++++
 src/infra/restart.ts                        |   5 +-
 9 files changed, 642 insertions(+), 2 deletions(-)
 create mode 100644 src/agents/subagent-orphan-recovery.test.ts
 create mode 100644 src/agents/subagent-orphan-recovery.ts
 create mode 100644 src/infra/restart.deferral-timeout.test.ts

diff --git a/src/agents/subagent-orphan-recovery.test.ts b/src/agents/subagent-orphan-recovery.test.ts
new file mode 100644
index 00000000000..7792140e3db
--- /dev/null
+++ b/src/agents/subagent-orphan-recovery.test.ts
@@ -0,0 +1,316 @@
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import type { SubagentRunRecord } from "./subagent-registry.types.js";
+
+// Mock dependencies before importing the module under test
+vi.mock("../config/config.js", () => ({
+  loadConfig: vi.fn(() => ({
+    session: { store: undefined },
+  })),
+}));
+
+vi.mock("../config/sessions.js", () => ({
+  loadSessionStore: vi.fn(() => ({})),
+  resolveAgentIdFromSessionKey: vi.fn(() => "main"),
+  resolveStorePath: vi.fn(() => "/tmp/test-sessions.json"),
+  updateSessionStore: vi.fn(async () => {}),
+}));
+
+vi.mock("../gateway/call.js", () => ({
+  callGateway: vi.fn(async () => ({ runId: "test-run-id" })),
+}));
+
+function createTestRunRecord(overrides: Partial<SubagentRunRecord> = {}): SubagentRunRecord {
+  return {
+    runId: "run-1",
+    childSessionKey: "agent:main:subagent:test-session-1",
+    requesterSessionKey: "agent:main:signal:direct:+1234567890",
+    requesterDisplayKey: "main",
+    task: "Test task: implement feature X",
+    cleanup: "delete",
+    createdAt: Date.now() - 60_000,
+    startedAt: Date.now() - 55_000,
+    ...overrides,
+  };
+}
+
+describe("subagent-orphan-recovery", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  afterEach(() => {
+    vi.restoreAllMocks();
+  });
+
+  it("recovers orphaned sessions with abortedLastRun=true", async () => {
+    const sessions = await import("../config/sessions.js");
+    const gateway = await import("../gateway/call.js");
+
+    const sessionEntry = {
+      sessionId: "session-abc",
+      updatedAt: Date.now(),
+      abortedLastRun: true,
+    };
+
+    vi.mocked(sessions.loadSessionStore).mockReturnValue({
+      "agent:main:subagent:test-session-1": sessionEntry,
+    });
+
+    const activeRuns = new Map<string, SubagentRunRecord>();
+    activeRuns.set("run-1", createTestRunRecord());
+
+    const { recoverOrphanedSubagentSessions } = await import("./subagent-orphan-recovery.js");
+
+    const result = await recoverOrphanedSubagentSessions({
+      getActiveRuns: () => activeRuns,
+    });
+
+    expect(result.recovered).toBe(1);
+    expect(result.failed).toBe(0);
+    expect(result.skipped).toBe(0);
+
+    // Should have called callGateway to resume the session
+    expect(gateway.callGateway).toHaveBeenCalledOnce();
+    const callArgs = vi.mocked(gateway.callGateway).mock.calls[0];
+    const opts = callArgs[0];
+    expect(opts.method).toBe("agent");
+    const params = opts.params as Record<string, unknown>;
+    expect(params.sessionKey).toBe("agent:main:subagent:test-session-1");
+    expect(params.message).toContain("gateway reload");
+    expect(params.message).toContain("Test task: implement feature X");
+  });
+
+  it("skips sessions that are not aborted", async () => {
+    const sessions = await import("../config/sessions.js");
+    const gateway = await import("../gateway/call.js");
+
+    vi.mocked(sessions.loadSessionStore).mockReturnValue({
+      "agent:main:subagent:test-session-1": {
+        sessionId: "session-abc",
+        updatedAt: Date.now(),
+        abortedLastRun: false,
+      },
+    });
+
+    const activeRuns = new Map<string, SubagentRunRecord>();
+    activeRuns.set("run-1", createTestRunRecord());
+
+    const { recoverOrphanedSubagentSessions } = await import("./subagent-orphan-recovery.js");
+
+    const result = await recoverOrphanedSubagentSessions({
+      getActiveRuns: () => activeRuns,
+    });
+
+    expect(result.recovered).toBe(0);
+    expect(result.skipped).toBe(1);
+    expect(gateway.callGateway).not.toHaveBeenCalled();
+  });
+
+  it("skips runs that have already ended", async () => {
+    const gateway = await import("../gateway/call.js");
+
+    const activeRuns = new Map<string, SubagentRunRecord>();
+    activeRuns.set(
+      "run-1",
+      createTestRunRecord({
+        endedAt: Date.now() - 1000,
+      }),
+    );
+
+    const { recoverOrphanedSubagentSessions } = await import("./subagent-orphan-recovery.js");
+
+    const result = await recoverOrphanedSubagentSessions({
+      getActiveRuns: () => activeRuns,
+    });
+
+    expect(result.recovered).toBe(0);
+    expect(gateway.callGateway).not.toHaveBeenCalled();
+  });
+
+  it("handles multiple orphaned sessions", async () => {
+    const sessions = await import("../config/sessions.js");
+    const gateway = await import("../gateway/call.js");
+
+    vi.mocked(sessions.loadSessionStore).mockReturnValue({
+      "agent:main:subagent:session-a": {
+        sessionId: "id-a",
+        updatedAt: Date.now(),
+        abortedLastRun: true,
+      },
+      "agent:main:subagent:session-b": {
+        sessionId: "id-b",
+        updatedAt: Date.now(),
+        abortedLastRun: true,
+      },
+      "agent:main:subagent:session-c": {
+        sessionId: "id-c",
+        updatedAt: Date.now(),
+        abortedLastRun: false,
+      },
+    });
+
+    const activeRuns = new Map<string, SubagentRunRecord>();
+    activeRuns.set(
+      "run-a",
+      createTestRunRecord({
+        runId: "run-a",
+        childSessionKey: "agent:main:subagent:session-a",
+        task: "Task A",
+      }),
+    );
+    activeRuns.set(
+      "run-b",
+      createTestRunRecord({
+        runId: "run-b",
+        childSessionKey: "agent:main:subagent:session-b",
+        task: "Task B",
+      }),
+    );
+    activeRuns.set(
+      "run-c",
+      createTestRunRecord({
+        runId: "run-c",
+        childSessionKey: "agent:main:subagent:session-c",
+        task: "Task C",
+      }),
+    );
+
+    const { recoverOrphanedSubagentSessions } = await import("./subagent-orphan-recovery.js");
+
+    const result = await recoverOrphanedSubagentSessions({
+      getActiveRuns: () => activeRuns,
+    });
+
+    expect(result.recovered).toBe(2);
+    expect(result.skipped).toBe(1);
+    expect(gateway.callGateway).toHaveBeenCalledTimes(2);
+  });
+
+  it("handles callGateway failure gracefully", async () => {
+    const sessions = await import("../config/sessions.js");
+    const gateway = await import("../gateway/call.js");
+
+    vi.mocked(sessions.loadSessionStore).mockReturnValue({
+      "agent:main:subagent:test-session-1": {
+        sessionId: "session-abc",
+        updatedAt: Date.now(),
+        abortedLastRun: true,
+      },
+    });
+
+    vi.mocked(gateway.callGateway).mockRejectedValue(new Error("gateway unavailable"));
+
+    const activeRuns = new Map<string, SubagentRunRecord>();
+    activeRuns.set("run-1", createTestRunRecord());
+
+    const { recoverOrphanedSubagentSessions } = await import("./subagent-orphan-recovery.js");
+
+    const result = await recoverOrphanedSubagentSessions({
+      getActiveRuns: () => activeRuns,
+    });
+
+    expect(result.recovered).toBe(0);
+    expect(result.failed).toBe(1);
+  });
+
+  it("returns empty results when no active runs exist", async () => {
+    const { recoverOrphanedSubagentSessions } = await import("./subagent-orphan-recovery.js");
+
+    const result = await recoverOrphanedSubagentSessions({
+      getActiveRuns: () => new Map(),
+    });
+
+    expect(result.recovered).toBe(0);
+    expect(result.failed).toBe(0);
+    expect(result.skipped).toBe(0);
+  });
+
+  it("skips sessions with missing session entry in store", async () => {
+    const sessions = await import("../config/sessions.js");
+    const gateway = await import("../gateway/call.js");
+
+    // Store has no matching entry
+    vi.mocked(sessions.loadSessionStore).mockReturnValue({});
+
+    const activeRuns = new Map<string, SubagentRunRecord>();
+    activeRuns.set("run-1", createTestRunRecord());
+
+    const { recoverOrphanedSubagentSessions } = await import("./subagent-orphan-recovery.js");
+
+    const result = await recoverOrphanedSubagentSessions({
+      getActiveRuns: () => activeRuns,
+    });
+
+    expect(result.recovered).toBe(0);
+    expect(result.skipped).toBe(1);
+    expect(gateway.callGateway).not.toHaveBeenCalled();
+  });
+
+  it("clears abortedLastRun flag before resuming", async () => {
+    const sessions = await import("../config/sessions.js");
+
+    vi.mocked(sessions.loadSessionStore).mockReturnValue({
+      "agent:main:subagent:test-session-1": {
+        sessionId: "session-abc",
+        updatedAt: Date.now(),
+        abortedLastRun: true,
+      },
+    });
+
+    const activeRuns = new Map<string, SubagentRunRecord>();
+    activeRuns.set("run-1", createTestRunRecord());
+
+    const { recoverOrphanedSubagentSessions } = await import("./subagent-orphan-recovery.js");
+
+    await recoverOrphanedSubagentSessions({
+      getActiveRuns: () => activeRuns,
+    });
+
+    // updateSessionStore should have been called to clear the flag
+    expect(sessions.updateSessionStore).toHaveBeenCalledOnce();
+    const calls = vi.mocked(sessions.updateSessionStore).mock.calls;
+    const [storePath, updater] = calls[0];
+    expect(storePath).toBe("/tmp/test-sessions.json");
+
+    // Simulate the updater to verify it clears abortedLastRun
+    const mockStore: Record<string, { abortedLastRun?: boolean; updatedAt?: number }> = {
+      "agent:main:subagent:test-session-1": {
+        abortedLastRun: true,
+        updatedAt: 0,
+      },
+    };
+    (updater as (store: Record<string, unknown>) => void)(mockStore);
+    expect(mockStore["agent:main:subagent:test-session-1"]?.abortedLastRun).toBe(false);
+  });
+
+  it("truncates long task descriptions in resume message", async () => {
+    const sessions = await import("../config/sessions.js");
+    const gateway = await import("../gateway/call.js");
+
+    vi.mocked(sessions.loadSessionStore).mockReturnValue({
+      "agent:main:subagent:test-session-1": {
+        sessionId: "session-abc",
+        updatedAt: Date.now(),
+        abortedLastRun: true,
+      },
+    });
+
+    const longTask = "x".repeat(5000);
+    const activeRuns = new Map<string, SubagentRunRecord>();
+    activeRuns.set("run-1", createTestRunRecord({ task: longTask }));
+
+    const { recoverOrphanedSubagentSessions } = await import("./subagent-orphan-recovery.js");
+
+    await recoverOrphanedSubagentSessions({
+      getActiveRuns: () => activeRuns,
+    });
+
+    const callArgs = vi.mocked(gateway.callGateway).mock.calls[0];
+    const opts = callArgs[0];
+    const params = opts.params as Record<string, unknown>;
+    const message = params.message as string;
+    // Message should contain truncated task (2000 chars + "...")
+    expect(message.length).toBeLessThan(5000);
+    expect(message).toContain("...");
+  });
+});
diff --git a/src/agents/subagent-orphan-recovery.ts b/src/agents/subagent-orphan-recovery.ts
new file mode 100644
index 00000000000..fc30af26038
--- /dev/null
+++ b/src/agents/subagent-orphan-recovery.ts
@@ -0,0 +1,185 @@
+/**
+ * Post-restart orphan recovery for subagent sessions.
+ *
+ * After a SIGUSR1 gateway reload aborts in-flight subagent LLM calls,
+ * this module scans for orphaned sessions (those with `abortedLastRun: true`
+ * that are still tracked as active in the subagent registry) and sends a
+ * synthetic resume message to restart their work.
+ *
+ * @see https://github.com/openclaw/openclaw/issues/47711
+ */
+
+import crypto from "node:crypto";
+import { loadConfig } from "../config/config.js";
+import {
+  loadSessionStore,
+  resolveAgentIdFromSessionKey,
+  resolveStorePath,
+  updateSessionStore,
+  type SessionEntry,
+} from "../config/sessions.js";
+import { callGateway } from "../gateway/call.js";
+import { createSubsystemLogger } from "../logging/subsystem.js";
+import type { SubagentRunRecord } from "./subagent-registry.types.js";
+
+const log = createSubsystemLogger("subagent-orphan-recovery");
+
+/** Delay before attempting recovery to let the gateway finish bootstrapping. */
+const DEFAULT_RECOVERY_DELAY_MS = 5_000;
+
+/**
+ * Build the resume message for an orphaned subagent.
+ */
+function buildResumeMessage(task: string): string {
+  const maxTaskLen = 2000;
+  const truncatedTask = task.length > maxTaskLen ? `${task.slice(0, maxTaskLen)}...` : task;
+
+  return (
+    `[System] Your previous turn was interrupted by a gateway reload. ` +
+    `Your task was:\n\n${truncatedTask}\n\nPlease continue where you left off.`
+  );
+}
+
+/**
+ * Send a resume message to an orphaned subagent session via the gateway agent method.
+ */
+async function resumeOrphanedSession(params: {
+  sessionKey: string;
+  task: string;
+}): Promise<boolean> {
+  const resumeMessage = buildResumeMessage(params.task);
+
+  try {
+    await callGateway<{ runId: string }>({
+      method: "agent",
+      params: {
+        message: resumeMessage,
+        sessionKey: params.sessionKey,
+        idempotencyKey: crypto.randomUUID(),
+        deliver: false,
+        lane: "subagent",
+      },
+      timeoutMs: 10_000,
+    });
+    log.info(`resumed orphaned session: ${params.sessionKey}`);
+    return true;
+  } catch (err) {
+    log.warn(`failed to resume orphaned session ${params.sessionKey}: ${String(err)}`);
+    return false;
+  }
+}
+
+/**
+ * Scan for and resume orphaned subagent sessions after a gateway restart.
+ *
+ * An orphaned session is one where:
+ * 1. It has an active (not ended) entry in the subagent run registry
+ * 2. Its session store entry has `abortedLastRun: true`
+ *
+ * For each orphaned session found, we:
+ * 1. Clear the `abortedLastRun` flag
+ * 2. Send a synthetic resume message to trigger a new LLM turn
+ */
+export async function recoverOrphanedSubagentSessions(params: {
+  getActiveRuns: () => Map<string, SubagentRunRecord>;
+}): Promise<{ recovered: number; failed: number; skipped: number }> {
+  const result = { recovered: 0, failed: 0, skipped: 0 };
+
+  try {
+    const activeRuns = params.getActiveRuns();
+    if (activeRuns.size === 0) {
+      return result;
+    }
+
+    const cfg = loadConfig();
+    const storeCache = new Map<string, Record<string, SessionEntry>>();
+
+    for (const [runId, runRecord] of activeRuns.entries()) {
+      // Only consider runs that haven't ended yet
+      if (typeof runRecord.endedAt === "number" && runRecord.endedAt > 0) {
+        continue;
+      }
+
+      const childSessionKey = runRecord.childSessionKey?.trim();
+      if (!childSessionKey) {
+        continue;
+      }
+
+      try {
+        const agentId = resolveAgentIdFromSessionKey(childSessionKey);
+        const storePath = resolveStorePath(cfg.session?.store, { agentId });
+
+        let store = storeCache.get(storePath);
+        if (!store) {
+          store = loadSessionStore(storePath);
+          storeCache.set(storePath, store);
+        }
+
+        const entry = store[childSessionKey];
+        if (!entry) {
+          result.skipped++;
+          continue;
+        }
+
+        // Check if this session was aborted by the restart
+        if (!entry.abortedLastRun) {
+          result.skipped++;
+          continue;
+        }
+
+        log.info(`found orphaned subagent session: ${childSessionKey} (run=${runId})`);
+
+        // Clear the aborted flag before resuming
+        await updateSessionStore(storePath, (currentStore) => {
+          const current = currentStore[childSessionKey];
+          if (current) {
+            current.abortedLastRun = false;
+            current.updatedAt = Date.now();
+            currentStore[childSessionKey] = current;
+          }
+        });
+
+        // Resume the session with the original task context
+        const resumed = await resumeOrphanedSession({
+          sessionKey: childSessionKey,
+          task: runRecord.task,
+        });
+
+        if (resumed) {
+          result.recovered++;
+        } else {
+          result.failed++;
+        }
+      } catch (err) {
+        log.warn(`error processing orphaned session ${childSessionKey}: ${String(err)}`);
+        result.failed++;
+      }
+    }
+  } catch (err) {
+    log.warn(`orphan recovery scan failed: ${String(err)}`);
+  }
+
+  if (result.recovered > 0 || result.failed > 0) {
+    log.info(
+      `orphan recovery complete: recovered=${result.recovered} failed=${result.failed} skipped=${result.skipped}`,
+    );
+  }
+
+  return result;
+}
+
+/**
+ * Schedule orphan recovery after a delay.
+ * The delay gives the gateway time to fully bootstrap after restart.
+ */
+export function scheduleOrphanRecovery(params: {
+  getActiveRuns: () => Map<string, SubagentRunRecord>;
+  delayMs?: number;
+}): void {
+  const delay = params.delayMs ?? DEFAULT_RECOVERY_DELAY_MS;
+  setTimeout(() => {
+    void recoverOrphanedSubagentSessions(params).catch((err) => {
+      log.warn(`scheduled orphan recovery failed: ${String(err)}`);
+    });
+  }, delay).unref?.();
+}
diff --git a/src/agents/subagent-registry.ts b/src/agents/subagent-registry.ts
index d9c593c3e84..68fd499cbee 100644
--- a/src/agents/subagent-registry.ts
+++ b/src/agents/subagent-registry.ts
@@ -30,6 +30,7 @@ import {
   SUBAGENT_ENDED_REASON_KILLED,
   type SubagentLifecycleEndedReason,
 } from "./subagent-lifecycle-events.js";
+import { scheduleOrphanRecovery } from "./subagent-orphan-recovery.js";
 import {
   resolveCleanupCompletionReason,
   resolveDeferredCleanupDecision,
@@ -684,6 +685,13 @@ function restoreSubagentRunsOnce() {
     for (const runId of subagentRuns.keys()) {
       resumeSubagentRun(runId);
     }
+
+    // Schedule orphan recovery for subagent sessions that were aborted
+    // by a SIGUSR1 reload. This runs after a short delay to let the
+    // gateway fully bootstrap first. (#47711)
+    scheduleOrphanRecovery({
+      getActiveRuns: () => subagentRuns,
+    });
   } catch {
     // ignore restore failures
   }
diff --git a/src/config/schema.help.ts b/src/config/schema.help.ts
index d591ba53533..8a71c0e9035 100644
--- a/src/config/schema.help.ts
+++ b/src/config/schema.help.ts
@@ -427,6 +427,8 @@ export const FIELD_HELP: Record<string, string> = {
   "gateway.reload.mode":
     'Controls how config edits are applied: "off" ignores live edits, "restart" always restarts, "hot" applies in-process, and "hybrid" tries hot then restarts if required. Keep "hybrid" for safest routine updates.',
   "gateway.reload.debounceMs": "Debounce window (ms) before applying config changes.",
+  "gateway.reload.deferralTimeoutMs":
+    "Maximum time (ms) to wait for in-flight operations to complete before forcing a SIGUSR1 restart. Default: 300000 (5 minutes). Lower values risk aborting active subagent LLM calls.",
   "gateway.nodes.browser.mode":
     'Node browser routing ("auto" = pick single connected browser node, "manual" = require node param, "off" = disable).',
   "gateway.nodes.browser.node": "Pin browser routing to a specific node id or name (optional).",
diff --git a/src/config/types.gateway.ts b/src/config/types.gateway.ts
index 88a5350ab1d..385ece27aad 100644
--- a/src/config/types.gateway.ts
+++ b/src/config/types.gateway.ts
@@ -211,6 +211,13 @@ export type GatewayReloadConfig = {
   mode?: GatewayReloadMode;
   /** Debounce window for config reloads (ms). Default: 300. */
   debounceMs?: number;
+  /**
+   * Maximum time (ms) to wait for in-flight operations to complete before
+   * forcing a SIGUSR1 restart. Default: 300000 (5 minutes).
+   * Lower values risk aborting active subagent LLM calls.
+   * @see https://github.com/openclaw/openclaw/issues/47711
+   */
+  deferralTimeoutMs?: number;
 };
 
 export type GatewayHttpChatCompletionsConfig = {
diff --git a/src/config/zod-schema.ts b/src/config/zod-schema.ts
index 20b8b232157..7c9b510080f 100644
--- a/src/config/zod-schema.ts
+++ b/src/config/zod-schema.ts
@@ -728,6 +728,7 @@ export const OpenClawSchema = z
               ])
               .optional(),
             debounceMs: z.number().int().min(0).optional(),
+            deferralTimeoutMs: z.number().int().min(0).optional(),
           })
           .strict()
           .optional(),
diff --git a/src/gateway/server-reload-handlers.ts b/src/gateway/server-reload-handlers.ts
index 008f0977d37..b92d71889bc 100644
--- a/src/gateway/server-reload-handlers.ts
+++ b/src/gateway/server-reload-handlers.ts
@@ -219,6 +219,7 @@ export function createGatewayReloadHandlers(params: {
 
       deferGatewayRestartUntilIdle({
         getPendingCount: () => getActiveCounts().totalActive,
+        maxWaitMs: nextConfig.gateway?.reload?.deferralTimeoutMs,
         hooks: {
           onReady: () => {
             restartPending = false;
diff --git a/src/infra/restart.deferral-timeout.test.ts b/src/infra/restart.deferral-timeout.test.ts
new file mode 100644
index 00000000000..167fe95ccdc
--- /dev/null
+++ b/src/infra/restart.deferral-timeout.test.ts
@@ -0,0 +1,119 @@
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { __testing, deferGatewayRestartUntilIdle, type RestartDeferralHooks } from "./restart.js";
+
+describe("deferGatewayRestartUntilIdle timeout", () => {
+  beforeEach(() => {
+    vi.useFakeTimers();
+    __testing.resetSigusr1State();
+    // Add a listener so emitGatewayRestart uses process.emit instead of process.kill
+    process.on("SIGUSR1", () => {});
+  });
+
+  afterEach(() => {
+    vi.useRealTimers();
+    vi.restoreAllMocks();
+    __testing.resetSigusr1State();
+    process.removeAllListeners("SIGUSR1");
+  });
+
+  it("uses default 5-minute timeout when maxWaitMs is not specified", () => {
+    const hooks: RestartDeferralHooks = {
+      onTimeout: vi.fn(),
+      onReady: vi.fn(),
+    };
+
+    // Always return 1 pending item to prevent draining
+    deferGatewayRestartUntilIdle({
+      getPendingCount: () => 1,
+      hooks,
+    });
+
+    // Advance to just before 5 minutes — should NOT have timed out yet
+    vi.advanceTimersByTime(299_999);
+    expect(hooks.onTimeout).not.toHaveBeenCalled();
+
+    // Advance past 5 minutes — should time out
+    vi.advanceTimersByTime(1);
+    expect(hooks.onTimeout).toHaveBeenCalledOnce();
+    expect(hooks.onReady).not.toHaveBeenCalled();
+  });
+
+  it("respects custom maxWaitMs configuration", () => {
+    const hooks: RestartDeferralHooks = {
+      onTimeout: vi.fn(),
+      onReady: vi.fn(),
+    };
+
+    const customTimeoutMs = 120_000; // 2 minutes
+
+    deferGatewayRestartUntilIdle({
+      getPendingCount: () => 1,
+      maxWaitMs: customTimeoutMs,
+      hooks,
+    });
+
+    // Advance to just before 2 minutes
+    vi.advanceTimersByTime(119_999);
+    expect(hooks.onTimeout).not.toHaveBeenCalled();
+
+    // Advance past 2 minutes
+    vi.advanceTimersByTime(1);
+    expect(hooks.onTimeout).toHaveBeenCalledOnce();
+  });
+
+  it("calls onReady and does not timeout when pending count drops to 0", () => {
+    const hooks: RestartDeferralHooks = {
+      onTimeout: vi.fn(),
+      onReady: vi.fn(),
+    };
+
+    let pending = 3;
+
+    deferGatewayRestartUntilIdle({
+      getPendingCount: () => pending,
+      hooks,
+    });
+
+    // Advance a few poll intervals, then drain
+    vi.advanceTimersByTime(1000);
+    expect(hooks.onReady).not.toHaveBeenCalled();
+
+    pending = 0;
+    vi.advanceTimersByTime(500); // Next poll interval
+    expect(hooks.onReady).toHaveBeenCalledOnce();
+    expect(hooks.onTimeout).not.toHaveBeenCalled();
+  });
+
+  it("immediately restarts when pending count is 0", () => {
+    const hooks: RestartDeferralHooks = {
+      onReady: vi.fn(),
+      onTimeout: vi.fn(),
+    };
+
+    deferGatewayRestartUntilIdle({
+      getPendingCount: () => 0,
+      hooks,
+    });
+
+    // onReady should be called synchronously
+    expect(hooks.onReady).toHaveBeenCalledOnce();
+    expect(hooks.onTimeout).not.toHaveBeenCalled();
+  });
+
+  it("handles getPendingCount error by restarting immediately", () => {
+    const hooks: RestartDeferralHooks = {
+      onCheckError: vi.fn(),
+      onReady: vi.fn(),
+    };
+
+    deferGatewayRestartUntilIdle({
+      getPendingCount: () => {
+        throw new Error("store corrupted");
+      },
+      hooks,
+    });
+
+    expect(hooks.onCheckError).toHaveBeenCalledOnce();
+    expect(hooks.onReady).not.toHaveBeenCalled();
+  });
+});
diff --git a/src/infra/restart.ts b/src/infra/restart.ts
index 3e0379f25f2..1238b4954d0 100644
--- a/src/infra/restart.ts
+++ b/src/infra/restart.ts
@@ -19,8 +19,9 @@ export type RestartAttempt = {
 const SPAWN_TIMEOUT_MS = 2000;
 const SIGUSR1_AUTH_GRACE_MS = 5000;
 const DEFAULT_DEFERRAL_POLL_MS = 500;
-// Cover slow in-flight embedded compaction work before forcing restart.
-const DEFAULT_DEFERRAL_MAX_WAIT_MS = 90_000;
+// Default to 5 minutes to avoid aborting in-flight subagent LLM calls.
+// Configurable via gateway.reload.deferralTimeoutMs.
+const DEFAULT_DEFERRAL_MAX_WAIT_MS = 300_000;
 const RESTART_COOLDOWN_MS = 30_000;
 
 const restartLog = createSubsystemLogger("restart");

From 0311ff05d77ad6a5f10cb0c49f8800b8b4a80e81 Mon Sep 17 00:00:00 2001
From: Joey Krug <joeykrug@gmail.com>
Date: Sun, 15 Mar 2026 21:16:24 -0400
Subject: [PATCH 005/133] fix: address Greptile review feedback

- Remove unrelated pnpm-lock.yaml changes
- Move abortedLastRun flag clearing to AFTER successful resume
  (prevents permanent session loss on transient gateway failures)
- Use dynamic import for orphan recovery module to avoid startup
  memory overhead
- Add test assertion that flag is preserved on resume failure
---
 src/agents/subagent-orphan-recovery.test.ts | 14 ++++++++---
 src/agents/subagent-orphan-recovery.ts      | 28 +++++++++++++--------
 src/agents/subagent-registry.ts             | 15 +++++++----
 3 files changed, 38 insertions(+), 19 deletions(-)

diff --git a/src/agents/subagent-orphan-recovery.test.ts b/src/agents/subagent-orphan-recovery.test.ts
index 7792140e3db..351e1079dc7 100644
--- a/src/agents/subagent-orphan-recovery.test.ts
+++ b/src/agents/subagent-orphan-recovery.test.ts
@@ -186,7 +186,7 @@ describe("subagent-orphan-recovery", () => {
     expect(gateway.callGateway).toHaveBeenCalledTimes(2);
   });
 
-  it("handles callGateway failure gracefully", async () => {
+  it("handles callGateway failure gracefully and preserves abortedLastRun flag", async () => {
     const sessions = await import("../config/sessions.js");
     const gateway = await import("../gateway/call.js");
 
@@ -211,6 +211,10 @@ describe("subagent-orphan-recovery", () => {
 
     expect(result.recovered).toBe(0);
     expect(result.failed).toBe(1);
+
+    // abortedLastRun flag should NOT be cleared on failure,
+    // so the next restart can retry the recovery
+    expect(sessions.updateSessionStore).not.toHaveBeenCalled();
   });
 
   it("returns empty results when no active runs exist", async () => {
@@ -246,8 +250,12 @@ describe("subagent-orphan-recovery", () => {
     expect(gateway.callGateway).not.toHaveBeenCalled();
   });
 
-  it("clears abortedLastRun flag before resuming", async () => {
+  it("clears abortedLastRun flag after successful resume", async () => {
     const sessions = await import("../config/sessions.js");
+    const gateway = await import("../gateway/call.js");
+
+    // Ensure callGateway succeeds for this test
+    vi.mocked(gateway.callGateway).mockResolvedValue({ runId: "resumed-run" } as never);
 
     vi.mocked(sessions.loadSessionStore).mockReturnValue({
       "agent:main:subagent:test-session-1": {
@@ -266,7 +274,7 @@ describe("subagent-orphan-recovery", () => {
       getActiveRuns: () => activeRuns,
     });
 
-    // updateSessionStore should have been called to clear the flag
+    // updateSessionStore should have been called AFTER successful resume to clear the flag
     expect(sessions.updateSessionStore).toHaveBeenCalledOnce();
     const calls = vi.mocked(sessions.updateSessionStore).mock.calls;
     const [storePath, updater] = calls[0];
diff --git a/src/agents/subagent-orphan-recovery.ts b/src/agents/subagent-orphan-recovery.ts
index fc30af26038..f36096d95b2 100644
--- a/src/agents/subagent-orphan-recovery.ts
+++ b/src/agents/subagent-orphan-recovery.ts
@@ -129,25 +129,31 @@ export async function recoverOrphanedSubagentSessions(params: {
 
         log.info(`found orphaned subagent session: ${childSessionKey} (run=${runId})`);
 
-        // Clear the aborted flag before resuming
-        await updateSessionStore(storePath, (currentStore) => {
-          const current = currentStore[childSessionKey];
-          if (current) {
-            current.abortedLastRun = false;
-            current.updatedAt = Date.now();
-            currentStore[childSessionKey] = current;
-          }
-        });
-
-        // Resume the session with the original task context
+        // Resume the session with the original task context.
+        // We intentionally do NOT clear abortedLastRun before attempting
+        // the resume — if callGateway fails (e.g. gateway still booting),
+        // the flag stays true so the next restart can retry.
         const resumed = await resumeOrphanedSession({
           sessionKey: childSessionKey,
           task: runRecord.task,
         });
 
         if (resumed) {
+          // Only clear the aborted flag after confirmed successful resume.
+          await updateSessionStore(storePath, (currentStore) => {
+            const current = currentStore[childSessionKey];
+            if (current) {
+              current.abortedLastRun = false;
+              current.updatedAt = Date.now();
+              currentStore[childSessionKey] = current;
+            }
+          });
           result.recovered++;
         } else {
+          // Flag stays as abortedLastRun=true so next restart can retry
+          log.warn(
+            `resume failed for ${childSessionKey}; abortedLastRun flag preserved for retry on next restart`,
+          );
           result.failed++;
         }
       } catch (err) {
diff --git a/src/agents/subagent-registry.ts b/src/agents/subagent-registry.ts
index 68fd499cbee..c1cab60dd82 100644
--- a/src/agents/subagent-registry.ts
+++ b/src/agents/subagent-registry.ts
@@ -30,7 +30,6 @@ import {
   SUBAGENT_ENDED_REASON_KILLED,
   type SubagentLifecycleEndedReason,
 } from "./subagent-lifecycle-events.js";
-import { scheduleOrphanRecovery } from "./subagent-orphan-recovery.js";
 import {
   resolveCleanupCompletionReason,
   resolveDeferredCleanupDecision,
@@ -688,10 +687,16 @@ function restoreSubagentRunsOnce() {
 
     // Schedule orphan recovery for subagent sessions that were aborted
     // by a SIGUSR1 reload. This runs after a short delay to let the
-    // gateway fully bootstrap first. (#47711)
-    scheduleOrphanRecovery({
-      getActiveRuns: () => subagentRuns,
-    });
+    // gateway fully bootstrap first. Dynamic import to avoid increasing
+    // startup memory footprint. (#47711)
+    void import("./subagent-orphan-recovery.js").then(
+      ({ scheduleOrphanRecovery }) => {
+        scheduleOrphanRecovery({ getActiveRuns: () => subagentRuns });
+      },
+      () => {
+        // Ignore import failures — orphan recovery is best-effort.
+      },
+    );
   } catch {
     // ignore restore failures
   }

From 44304ba24af8d9fffb581308fbb6bc9a3cf2b947 Mon Sep 17 00:00:00 2001
From: Joey Krug <joeykrug@gmail.com>
Date: Sun, 15 Mar 2026 21:25:21 -0400
Subject: [PATCH 006/133] fix: add retry with exponential backoff for orphan
 recovery
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Addresses Codex review feedback — if recovery fails (e.g. gateway
still booting), retries up to 3 times with exponential backoff
(5s → 10s → 20s) before giving up.
---
 src/agents/subagent-orphan-recovery.ts | 47 ++++++++++++++++++++++----
 1 file changed, 40 insertions(+), 7 deletions(-)

diff --git a/src/agents/subagent-orphan-recovery.ts b/src/agents/subagent-orphan-recovery.ts
index f36096d95b2..02dfa1528be 100644
--- a/src/agents/subagent-orphan-recovery.ts
+++ b/src/agents/subagent-orphan-recovery.ts
@@ -174,18 +174,51 @@ export async function recoverOrphanedSubagentSessions(params: {
   return result;
 }
 
+/** Maximum number of retry attempts for orphan recovery. */
+const MAX_RECOVERY_RETRIES = 3;
+/** Backoff multiplier between retries (exponential). */
+const RETRY_BACKOFF_MULTIPLIER = 2;
+
 /**
- * Schedule orphan recovery after a delay.
+ * Schedule orphan recovery after a delay, with retry logic.
  * The delay gives the gateway time to fully bootstrap after restart.
+ * If recovery fails (e.g. gateway not yet ready), retries with exponential backoff.
  */
 export function scheduleOrphanRecovery(params: {
   getActiveRuns: () => Map<string, SubagentRunRecord>;
   delayMs?: number;
+  maxRetries?: number;
 }): void {
-  const delay = params.delayMs ?? DEFAULT_RECOVERY_DELAY_MS;
-  setTimeout(() => {
-    void recoverOrphanedSubagentSessions(params).catch((err) => {
-      log.warn(`scheduled orphan recovery failed: ${String(err)}`);
-    });
-  }, delay).unref?.();
+  const initialDelay = params.delayMs ?? DEFAULT_RECOVERY_DELAY_MS;
+  const maxRetries = params.maxRetries ?? MAX_RECOVERY_RETRIES;
+
+  const attemptRecovery = (attempt: number, delay: number) => {
+    setTimeout(() => {
+      void recoverOrphanedSubagentSessions(params)
+        .then((result) => {
+          if (result.failed > 0 && attempt < maxRetries) {
+            const nextDelay = delay * RETRY_BACKOFF_MULTIPLIER;
+            log.info(
+              `orphan recovery had ${result.failed} failure(s); retrying in ${nextDelay}ms (attempt ${attempt + 1}/${maxRetries})`,
+            );
+            attemptRecovery(attempt + 1, nextDelay);
+          }
+        })
+        .catch((err) => {
+          if (attempt < maxRetries) {
+            const nextDelay = delay * RETRY_BACKOFF_MULTIPLIER;
+            log.warn(
+              `scheduled orphan recovery failed: ${String(err)}; retrying in ${nextDelay}ms (attempt ${attempt + 1}/${maxRetries})`,
+            );
+            attemptRecovery(attempt + 1, nextDelay);
+          } else {
+            log.warn(
+              `scheduled orphan recovery failed after ${maxRetries} retries: ${String(err)}`,
+            );
+          }
+        });
+    }, delay).unref?.();
+  };
+
+  attemptRecovery(0, initialDelay);
 }

From c780b6a6ab2aeb1a6ae183600013f2d6f015613d Mon Sep 17 00:00:00 2001
From: Joey Krug <joeykrug@gmail.com>
Date: Sun, 15 Mar 2026 23:05:08 -0400
Subject: [PATCH 007/133] fix: address all review comments on PR #47719 +
 implement resume context and config idempotency guard

---
 src/agents/subagent-orphan-recovery.test.ts | 109 ++++++++++++++++++++
 src/agents/subagent-orphan-recovery.ts      | 101 +++++++++++++++---
 src/cli/daemon-cli/lifecycle.ts             |   6 +-
 3 files changed, 201 insertions(+), 15 deletions(-)

diff --git a/src/agents/subagent-orphan-recovery.test.ts b/src/agents/subagent-orphan-recovery.test.ts
index 351e1079dc7..56b652b3b42 100644
--- a/src/agents/subagent-orphan-recovery.test.ts
+++ b/src/agents/subagent-orphan-recovery.test.ts
@@ -19,6 +19,14 @@ vi.mock("../gateway/call.js", () => ({
   callGateway: vi.fn(async () => ({ runId: "test-run-id" })),
 }));
 
+vi.mock("../gateway/session-utils.fs.js", () => ({
+  readSessionMessages: vi.fn(() => []),
+}));
+
+vi.mock("./subagent-registry.js", () => ({
+  replaceSubagentRunAfterSteer: vi.fn(() => true),
+}));
+
 function createTestRunRecord(overrides: Partial<SubagentRunRecord> = {}): SubagentRunRecord {
   return {
     runId: "run-1",
@@ -45,6 +53,7 @@ describe("subagent-orphan-recovery", () => {
   it("recovers orphaned sessions with abortedLastRun=true", async () => {
     const sessions = await import("../config/sessions.js");
     const gateway = await import("../gateway/call.js");
+    const subagentRegistry = await import("./subagent-registry.js");
 
     const sessionEntry = {
       sessionId: "session-abc",
@@ -78,6 +87,10 @@ describe("subagent-orphan-recovery", () => {
     expect(params.sessionKey).toBe("agent:main:subagent:test-session-1");
     expect(params.message).toContain("gateway reload");
     expect(params.message).toContain("Test task: implement feature X");
+    expect(subagentRegistry.replaceSubagentRunAfterSteer).toHaveBeenCalledWith({
+      previousRunId: "run-1",
+      nextRunId: "test-run-id",
+    });
   });
 
   it("skips sessions that are not aborted", async () => {
@@ -321,4 +334,100 @@ describe("subagent-orphan-recovery", () => {
     expect(message.length).toBeLessThan(5000);
     expect(message).toContain("...");
   });
+
+  it("includes last human message in resume when available", async () => {
+    const sessions = await import("../config/sessions.js");
+    const gateway = await import("../gateway/call.js");
+    const sessionUtils = await import("../gateway/session-utils.fs.js");
+
+    vi.mocked(sessions.loadSessionStore).mockReturnValue({
+      "agent:main:subagent:test-session-1": {
+        sessionId: "session-abc",
+        updatedAt: Date.now(),
+        abortedLastRun: true,
+        sessionFile: "session-abc.jsonl",
+      },
+    });
+
+    vi.mocked(sessionUtils.readSessionMessages).mockReturnValue([
+      { role: "user", content: [{ type: "text", text: "Please build feature Y" }] },
+      { role: "assistant", content: [{ type: "text", text: "Working on it..." }] },
+      { role: "user", content: [{ type: "text", text: "Also add tests for it" }] },
+      { role: "assistant", content: [{ type: "text", text: "Sure, adding tests now." }] },
+    ]);
+
+    const activeRuns = new Map<string, SubagentRunRecord>();
+    activeRuns.set("run-1", createTestRunRecord());
+
+    const { recoverOrphanedSubagentSessions } = await import("./subagent-orphan-recovery.js");
+    await recoverOrphanedSubagentSessions({ getActiveRuns: () => activeRuns });
+
+    const callArgs = vi.mocked(gateway.callGateway).mock.calls[0];
+    const params = callArgs[0].params as Record<string, unknown>;
+    const message = params.message as string;
+    expect(message).toContain("Also add tests for it");
+    expect(message).toContain("last message from the user");
+  });
+
+  it("adds config change hint when assistant messages reference config modifications", async () => {
+    const sessions = await import("../config/sessions.js");
+    const gateway = await import("../gateway/call.js");
+    const sessionUtils = await import("../gateway/session-utils.fs.js");
+
+    vi.mocked(sessions.loadSessionStore).mockReturnValue({
+      "agent:main:subagent:test-session-1": {
+        sessionId: "session-abc",
+        updatedAt: Date.now(),
+        abortedLastRun: true,
+      },
+    });
+
+    vi.mocked(sessionUtils.readSessionMessages).mockReturnValue([
+      { role: "user", content: "Update the config" },
+      { role: "assistant", content: "I've modified openclaw.json to add the new setting." },
+    ]);
+
+    const activeRuns = new Map<string, SubagentRunRecord>();
+    activeRuns.set("run-1", createTestRunRecord());
+
+    const { recoverOrphanedSubagentSessions } = await import("./subagent-orphan-recovery.js");
+    await recoverOrphanedSubagentSessions({ getActiveRuns: () => activeRuns });
+
+    const callArgs = vi.mocked(gateway.callGateway).mock.calls[0];
+    const params = callArgs[0].params as Record<string, unknown>;
+    const message = params.message as string;
+    expect(message).toContain("config changes from your previous run were already applied");
+  });
+
+  it("prevents duplicate resume when updateSessionStore fails", async () => {
+    const sessions = await import("../config/sessions.js");
+    const gateway = await import("../gateway/call.js");
+
+    vi.mocked(gateway.callGateway).mockResolvedValue({ runId: "new-run" } as never);
+    vi.mocked(sessions.updateSessionStore).mockRejectedValue(new Error("write failed"));
+
+    vi.mocked(sessions.loadSessionStore).mockReturnValue({
+      "agent:main:subagent:test-session-1": {
+        sessionId: "session-abc",
+        updatedAt: Date.now(),
+        abortedLastRun: true,
+      },
+    });
+
+    const activeRuns = new Map<string, SubagentRunRecord>();
+    activeRuns.set("run-1", createTestRunRecord());
+    activeRuns.set(
+      "run-2",
+      createTestRunRecord({
+        runId: "run-2",
+      }),
+    );
+
+    const { recoverOrphanedSubagentSessions } = await import("./subagent-orphan-recovery.js");
+    const result = await recoverOrphanedSubagentSessions({ getActiveRuns: () => activeRuns });
+
+    expect(result.recovered).toBe(1);
+    expect(result.skipped).toBe(1);
+    expect(gateway.callGateway).toHaveBeenCalledOnce();
+  });
 });
diff --git a/src/agents/subagent-orphan-recovery.ts b/src/agents/subagent-orphan-recovery.ts
index 02dfa1528be..320d96f3727 100644
--- a/src/agents/subagent-orphan-recovery.ts
+++ b/src/agents/subagent-orphan-recovery.ts
@@ -19,7 +19,9 @@ import {
   type SessionEntry,
 } from "../config/sessions.js";
 import { callGateway } from "../gateway/call.js";
+import { readSessionMessages } from "../gateway/session-utils.fs.js";
 import { createSubsystemLogger } from "../logging/subsystem.js";
+import { replaceSubagentRunAfterSteer } from "./subagent-registry.js";
 import type { SubagentRunRecord } from "./subagent-registry.types.js";
 
 const log = createSubsystemLogger("subagent-orphan-recovery");
@@ -30,14 +32,45 @@ const DEFAULT_RECOVERY_DELAY_MS = 5_000;
 /**
  * Build the resume message for an orphaned subagent.
  */
-function buildResumeMessage(task: string): string {
+function buildResumeMessage(task: string, lastHumanMessage?: string): string {
   const maxTaskLen = 2000;
   const truncatedTask = task.length > maxTaskLen ? `${task.slice(0, maxTaskLen)}...` : task;
 
-  return (
+  let message =
     `[System] Your previous turn was interrupted by a gateway reload. ` +
-    `Your task was:\n\n${truncatedTask}\n\nPlease continue where you left off.`
-  );
+    `Your original task was:\n\n${truncatedTask}\n\n`;
+
+  if (lastHumanMessage) {
+    message += `The last message from the user before the interruption was:\n\n${lastHumanMessage}\n\n`;
+  }
+
+  message += `Please continue where you left off.`;
+  return message;
+}
+
+function extractMessageText(msg: unknown): string | undefined {
+  if (!msg || typeof msg !== "object") {
+    return undefined;
+  }
+  const m = msg as Record<string, unknown>;
+  if (typeof m.content === "string") {
+    return m.content;
+  }
+  if (Array.isArray(m.content)) {
+    const text = m.content
+      .filter(
+        (c: unknown) =>
+          typeof c === "object" &&
+          c !== null &&
+          (c as Record<string, unknown>).type === "text" &&
+          typeof (c as Record<string, unknown>).text === "string",
+      )
+      .map((c: unknown) => (c as Record<string, string>).text)
+      .filter(Boolean)
+      .join("\n");
+    return text || undefined;
+  }
+  return undefined;
 }
 
 /**
@@ -46,11 +79,17 @@ function buildResumeMessage(task: string): string {
 async function resumeOrphanedSession(params: {
   sessionKey: string;
   task: string;
+  lastHumanMessage?: string;
+  configChangeHint?: string;
+  originalRunId: string;
 }): Promise<boolean> {
-  const resumeMessage = buildResumeMessage(params.task);
+  let resumeMessage = buildResumeMessage(params.task, params.lastHumanMessage);
+  if (params.configChangeHint) {
+    resumeMessage += params.configChangeHint;
+  }
 
   try {
-    await callGateway<{ runId: string }>({
+    const result = await callGateway<{ runId: string }>({
       method: "agent",
       params: {
         message: resumeMessage,
@@ -61,6 +100,10 @@ async function resumeOrphanedSession(params: {
       },
       timeoutMs: 10_000,
     });
+    replaceSubagentRunAfterSteer({
+      previousRunId: params.originalRunId,
+      nextRunId: result.runId,
+    });
     log.info(`resumed orphaned session: ${params.sessionKey}`);
     return true;
   } catch (err) {
@@ -84,6 +127,8 @@ export async function recoverOrphanedSubagentSessions(params: {
   getActiveRuns: () => Map<string, SubagentRunRecord>;
 }): Promise<{ recovered: number; failed: number; skipped: number }> {
   const result = { recovered: 0, failed: 0, skipped: 0 };
+  const resumedSessionKeys = new Set<string>();
+  const configChangePattern = /openclaw\.json|openclaw gateway restart|config\.patch/i;
 
   try {
     const activeRuns = params.getActiveRuns();
@@ -104,6 +149,10 @@ export async function recoverOrphanedSubagentSessions(params: {
       if (!childSessionKey) {
         continue;
       }
+      if (resumedSessionKeys.has(childSessionKey)) {
+        result.skipped++;
+        continue;
+      }
 
       try {
         const agentId = resolveAgentIdFromSessionKey(childSessionKey);
@@ -129,6 +178,18 @@ export async function recoverOrphanedSubagentSessions(params: {
 
         log.info(`found orphaned subagent session: ${childSessionKey} (run=${runId})`);
 
+        const messages = readSessionMessages(entry.sessionId, storePath, entry.sessionFile);
+        const lastHumanMessage = [...messages]
+          .toReversed()
+          .find((msg) => (msg as { role?: unknown } | null)?.role === "user");
+        const configChangeDetected = messages.some((msg) => {
+          if ((msg as { role?: unknown } | null)?.role !== "assistant") {
+            return false;
+          }
+          const text = extractMessageText(msg);
+          return typeof text === "string" && configChangePattern.test(text);
+        });
+
         // Resume the session with the original task context.
         // We intentionally do NOT clear abortedLastRun before attempting
         // the resume — if callGateway fails (e.g. gateway still booting),
@@ -136,18 +197,30 @@ export async function recoverOrphanedSubagentSessions(params: {
         const resumed = await resumeOrphanedSession({
           sessionKey: childSessionKey,
           task: runRecord.task,
+          lastHumanMessage: extractMessageText(lastHumanMessage),
+          configChangeHint: configChangeDetected
+            ? "\n\n[config changes from your previous run were already applied — do not re-modify openclaw.json or restart the gateway]"
+            : undefined,
+          originalRunId: runId,
         });
 
         if (resumed) {
+          resumedSessionKeys.add(childSessionKey);
           // Only clear the aborted flag after confirmed successful resume.
-          await updateSessionStore(storePath, (currentStore) => {
-            const current = currentStore[childSessionKey];
-            if (current) {
-              current.abortedLastRun = false;
-              current.updatedAt = Date.now();
-              currentStore[childSessionKey] = current;
-            }
-          });
+          try {
+            await updateSessionStore(storePath, (currentStore) => {
+              const current = currentStore[childSessionKey];
+              if (current) {
+                current.abortedLastRun = false;
+                current.updatedAt = Date.now();
+                currentStore[childSessionKey] = current;
+              }
+            });
+          } catch (err) {
+            log.warn(
+              `resume succeeded but failed to update session store for ${childSessionKey}: ${String(err)}`,
+            );
+          }
           result.recovered++;
         } else {
           // Flag stays as abortedLastRun=true so next restart can retry
diff --git a/src/cli/daemon-cli/lifecycle.ts b/src/cli/daemon-cli/lifecycle.ts
index 53efaff9495..76099fe956c 100644
--- a/src/cli/daemon-cli/lifecycle.ts
+++ b/src/cli/daemon-cli/lifecycle.ts
@@ -50,8 +50,12 @@ function resolveGatewayPortFallback(): Promise<number> {
 }
 
 async function assertUnmanagedGatewayRestartEnabled(port: number): Promise<void> {
+  const cfg = await readBestEffortConfig().catch(() => undefined);
+  const tlsEnabled = !!(cfg as { gateway?: { tls?: { enabled?: unknown } } } | undefined)?.gateway
+    ?.tls?.enabled;
+  const scheme = tlsEnabled ? "wss" : "ws";
   const probe = await probeGateway({
-    url: `ws://127.0.0.1:${port}`,
+    url: `${scheme}://127.0.0.1:${port}`,
     auth: {
       token: process.env.OPENCLAW_GATEWAY_TOKEN?.trim() || undefined,
       password: process.env.OPENCLAW_GATEWAY_PASSWORD?.trim() || undefined,

From 98f6ec50aadbc90e4aafa3bedfe1f432b6a4cea6 Mon Sep 17 00:00:00 2001
From: bot_apk <apk@cognition.ai>
Date: Mon, 16 Mar 2026 03:36:56 +0000
Subject: [PATCH 008/133] fix: address 6 review comments on PR #47719
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

1. [P1] Treat remap failures as resume failures — if replaceSubagentRunAfterSteer
   returns false, do NOT clear abortedLastRun, increment failed count.

2. [P2] Count scan-level exceptions as retryable failures — set result.failed > 0
   in the outer catch block so scheduleOrphanRecovery retry logic triggers.

3. [P2] Persist resumed-session dedupe across recovery retries — accept
   resumedSessionKeys as a parameter; scheduleOrphanRecovery lifts the Set to
   its own scope and passes it through retries.

4. [Greptile] Use typed config accessors instead of raw structural cast for TLS
   check in lifecycle.ts.

5. [Greptile] Forward gateway.reload.deferralTimeoutMs to deferGatewayRestartUntilIdle
   in scheduleGatewaySigusr1Restart so user-configured value is not silently ignored.

6. [Greptile] Same as #4 — already addressed by the typed config fix.

Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
---
 src/agents/subagent-orphan-recovery.ts | 20 +++++++++++++++++---
 src/cli/daemon-cli/lifecycle.ts        |  3 +--
 src/infra/restart.ts                   |  7 ++++++-
 3 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/src/agents/subagent-orphan-recovery.ts b/src/agents/subagent-orphan-recovery.ts
index 320d96f3727..ed2eac6d8f3 100644
--- a/src/agents/subagent-orphan-recovery.ts
+++ b/src/agents/subagent-orphan-recovery.ts
@@ -100,10 +100,16 @@ async function resumeOrphanedSession(params: {
       },
       timeoutMs: 10_000,
     });
-    replaceSubagentRunAfterSteer({
+    const remapped = replaceSubagentRunAfterSteer({
       previousRunId: params.originalRunId,
       nextRunId: result.runId,
     });
+    if (!remapped) {
+      log.warn(
+        `resumed orphaned session ${params.sessionKey} but remap failed (old run already removed); treating as failure`,
+      );
+      return false;
+    }
     log.info(`resumed orphaned session: ${params.sessionKey}`);
     return true;
   } catch (err) {
@@ -125,9 +131,11 @@ async function resumeOrphanedSession(params: {
  */
 export async function recoverOrphanedSubagentSessions(params: {
   getActiveRuns: () => Map<string, SubagentRunRecord>;
+  /** Persisted across retries so already-resumed sessions are not resumed again. */
+  resumedSessionKeys?: Set<string>;
 }): Promise<{ recovered: number; failed: number; skipped: number }> {
   const result = { recovered: 0, failed: 0, skipped: 0 };
-  const resumedSessionKeys = new Set<string>();
+  const resumedSessionKeys = params.resumedSessionKeys ?? new Set<string>();
   const configChangePattern = /openclaw\.json|openclaw gateway restart|config\.patch/i;
 
   try {
@@ -236,6 +244,10 @@ export async function recoverOrphanedSubagentSessions(params: {
     }
   } catch (err) {
     log.warn(`orphan recovery scan failed: ${String(err)}`);
+    // Ensure retry logic fires for scan-level exceptions.
+    if (result.failed === 0) {
+      result.failed = 1;
+    }
   }
 
   if (result.recovered > 0 || result.failed > 0) {
@@ -265,9 +277,11 @@ export function scheduleOrphanRecovery(params: {
   const initialDelay = params.delayMs ?? DEFAULT_RECOVERY_DELAY_MS;
   const maxRetries = params.maxRetries ?? MAX_RECOVERY_RETRIES;
 
+  const resumedSessionKeys = new Set<string>();
+
   const attemptRecovery = (attempt: number, delay: number) => {
     setTimeout(() => {
-      void recoverOrphanedSubagentSessions(params)
+      void recoverOrphanedSubagentSessions({ ...params, resumedSessionKeys })
         .then((result) => {
           if (result.failed > 0 && attempt < maxRetries) {
             const nextDelay = delay * RETRY_BACKOFF_MULTIPLIER;
diff --git a/src/cli/daemon-cli/lifecycle.ts b/src/cli/daemon-cli/lifecycle.ts
index 76099fe956c..d3e01f66412 100644
--- a/src/cli/daemon-cli/lifecycle.ts
+++ b/src/cli/daemon-cli/lifecycle.ts
@@ -51,8 +51,7 @@ function resolveGatewayPortFallback(): Promise<number> {
 
 async function assertUnmanagedGatewayRestartEnabled(port: number): Promise<void> {
   const cfg = await readBestEffortConfig().catch(() => undefined);
-  const tlsEnabled = !!(cfg as { gateway?: { tls?: { enabled?: unknown } } } | undefined)?.gateway
-    ?.tls?.enabled;
+  const tlsEnabled = !!cfg?.gateway?.tls?.enabled;
   const scheme = tlsEnabled ? "wss" : "ws";
   const probe = await probeGateway({
     url: `${scheme}://127.0.0.1:${port}`,
diff --git a/src/infra/restart.ts b/src/infra/restart.ts
index 1238b4954d0..f671df382e2 100644
--- a/src/infra/restart.ts
+++ b/src/infra/restart.ts
@@ -1,6 +1,7 @@
 import { spawnSync } from "node:child_process";
 import os from "node:os";
 import path from "node:path";
+import { loadConfig } from "../config/config.js";
 import {
   resolveGatewayLaunchAgentLabel,
   resolveGatewaySystemdServiceName,
@@ -476,7 +477,11 @@ export function scheduleGatewaySigusr1Restart(opts?: {
         emitGatewayRestart();
         return;
       }
-      deferGatewayRestartUntilIdle({ getPendingCount: pendingCheck });
+      const cfg = loadConfig();
+      deferGatewayRestartUntilIdle({
+        getPendingCount: pendingCheck,
+        maxWaitMs: cfg.gateway?.reload?.deferralTimeoutMs,
+      });
     },
     Math.max(0, requestedDueAt - nowMs),
   );

From 680eff63fbf82536caf45a6f6909e3a030bef27e Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Mar 2026 05:31:41 +0000
Subject: [PATCH 009/133] fix: land SIGUSR1 orphan recovery regressions
 (#47719) (thanks @joeykrug)

---
 CHANGELOG.md                                |  1 +
 src/agents/subagent-orphan-recovery.test.ts | 14 +++++----
 src/agents/subagent-orphan-recovery.ts      |  3 ++
 src/cli/gateway-cli/run-loop.test.ts        | 33 +++++++++++++++++++++
 src/cli/gateway-cli/run-loop.ts             | 19 +++++++++---
 src/config/schema.labels.ts                 |  1 +
 src/infra/infra-runtime.test.ts             |  4 +--
 7 files changed, 64 insertions(+), 11 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index d8040d79aef..4aaf84db974 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -58,6 +58,7 @@ Docs: https://docs.openclaw.ai
 - Agents/openai-compatible tool calls: deduplicate repeated tool call ids across live assistant messages and replayed history so OpenAI-compatible backends no longer reject duplicate `tool_call_id` values with HTTP 400. (#40996) Thanks @xaeon2026.
 - Security/device pairing: harden `device.token.rotate` deny handling by keeping public failures generic while logging internal deny reasons and preserving approved-baseline enforcement. (`GHSA-7jrw-x62h-64p8`)
 - Slack/interactive replies: preserve `channelData.slack.blocks` through live DM delivery and preview-finalized edits so Block Kit button and select directives render instead of falling back to raw text. (#45890) Thanks @vincentkoc.
+- Gateway/restart: defer externally signaled unmanaged restarts through the in-process idle drain, and preserve the restored subagent run as remap fallback during orphan recovery so resumed sessions do not duplicate work. (#47719) Thanks @joeykrug.
 - Zalo/plugin runtime: export `resolveClientIp` from `openclaw/plugin-sdk/zalo` so installed builds no longer crash on startup when the webhook monitor loads from the packaged extension instead of the monorepo source tree. (#46549) Thanks @No898.
 - CI/channel test routing: move the built-in channel suites into `test:channels` and keep them out of `test:extensions`, so extension CI no longer fails after the channel migration while targeted test routing still sends Slack, Signal, and iMessage suites to the right lane. (#46066) Thanks @scoootscooob.
 - Browser/profiles: drop the auto-created `chrome-relay` browser profile; users who need the Chrome extension relay must now create their own profile via `openclaw browser create-profile`. (#45777) Thanks @odysseus0.
diff --git a/src/agents/subagent-orphan-recovery.test.ts b/src/agents/subagent-orphan-recovery.test.ts
index 56b652b3b42..66b8097154c 100644
--- a/src/agents/subagent-orphan-recovery.test.ts
+++ b/src/agents/subagent-orphan-recovery.test.ts
@@ -65,8 +65,9 @@ describe("subagent-orphan-recovery", () => {
       "agent:main:subagent:test-session-1": sessionEntry,
     });
 
+    const run = createTestRunRecord();
     const activeRuns = new Map<string, SubagentRunRecord>();
-    activeRuns.set("run-1", createTestRunRecord());
+    activeRuns.set("run-1", run);
 
     const { recoverOrphanedSubagentSessions } = await import("./subagent-orphan-recovery.js");
 
@@ -87,10 +88,13 @@ describe("subagent-orphan-recovery", () => {
     expect(params.sessionKey).toBe("agent:main:subagent:test-session-1");
     expect(params.message).toContain("gateway reload");
     expect(params.message).toContain("Test task: implement feature X");
-    expect(subagentRegistry.replaceSubagentRunAfterSteer).toHaveBeenCalledWith({
-      previousRunId: "run-1",
-      nextRunId: "test-run-id",
-    });
+    expect(subagentRegistry.replaceSubagentRunAfterSteer).toHaveBeenCalledWith(
+      expect.objectContaining({
+        previousRunId: "run-1",
+        nextRunId: "test-run-id",
+        fallback: run,
+      }),
+    );
   });
 
   it("skips sessions that are not aborted", async () => {
diff --git a/src/agents/subagent-orphan-recovery.ts b/src/agents/subagent-orphan-recovery.ts
index ed2eac6d8f3..60408c09ae9 100644
--- a/src/agents/subagent-orphan-recovery.ts
+++ b/src/agents/subagent-orphan-recovery.ts
@@ -82,6 +82,7 @@ async function resumeOrphanedSession(params: {
   lastHumanMessage?: string;
   configChangeHint?: string;
   originalRunId: string;
+  originalRun: SubagentRunRecord;
 }): Promise<boolean> {
   let resumeMessage = buildResumeMessage(params.task, params.lastHumanMessage);
   if (params.configChangeHint) {
@@ -103,6 +104,7 @@ async function resumeOrphanedSession(params: {
     const remapped = replaceSubagentRunAfterSteer({
       previousRunId: params.originalRunId,
       nextRunId: result.runId,
+      fallback: params.originalRun,
     });
     if (!remapped) {
       log.warn(
@@ -210,6 +212,7 @@ export async function recoverOrphanedSubagentSessions(params: {
             ? "\n\n[config changes from your previous run were already applied — do not re-modify openclaw.json or restart the gateway]"
             : undefined,
           originalRunId: runId,
+          originalRun: runRecord,
         });
 
         if (resumed) {
diff --git a/src/cli/gateway-cli/run-loop.test.ts b/src/cli/gateway-cli/run-loop.test.ts
index bff37742254..ce8fbccbe93 100644
--- a/src/cli/gateway-cli/run-loop.test.ts
+++ b/src/cli/gateway-cli/run-loop.test.ts
@@ -8,6 +8,15 @@ const acquireGatewayLock = vi.fn(async (_opts?: { port?: number }) => ({
 const consumeGatewaySigusr1RestartAuthorization = vi.fn(() => true);
 const isGatewaySigusr1RestartExternallyAllowed = vi.fn(() => false);
 const markGatewaySigusr1RestartHandled = vi.fn();
+const scheduleGatewaySigusr1Restart = vi.fn((_opts?: { delayMs?: number; reason?: string }) => ({
+  ok: true,
+  pid: process.pid,
+  signal: "SIGUSR1" as const,
+  delayMs: 0,
+  mode: "emit" as const,
+  coalesced: false,
+  cooldownMsApplied: 0,
+}));
 const getActiveTaskCount = vi.fn(() => 0);
 const markGatewayDraining = vi.fn();
 const waitForActiveTasks = vi.fn(async (_timeoutMs: number) => ({ drained: true }));
@@ -35,6 +44,8 @@ vi.mock("../../infra/restart.js", () => ({
   consumeGatewaySigusr1RestartAuthorization: () => consumeGatewaySigusr1RestartAuthorization(),
   isGatewaySigusr1RestartExternallyAllowed: () => isGatewaySigusr1RestartExternallyAllowed(),
   markGatewaySigusr1RestartHandled: () => markGatewaySigusr1RestartHandled(),
+  scheduleGatewaySigusr1Restart: (opts?: { delayMs?: number; reason?: string }) =>
+    scheduleGatewaySigusr1Restart(opts),
 }));
 
 vi.mock("../../infra/process-respawn.js", () => ({
@@ -292,6 +303,28 @@ describe("runGatewayLoop", () => {
     });
   });
 
+  it("routes external SIGUSR1 through the restart scheduler before draining", async () => {
+    vi.clearAllMocks();
+    consumeGatewaySigusr1RestartAuthorization.mockReturnValueOnce(false);
+    isGatewaySigusr1RestartExternallyAllowed.mockReturnValueOnce(true);
+
+    await withIsolatedSignals(async ({ captureSignal }) => {
+      const { close, start } = await createSignaledLoopHarness();
+      const sigusr1 = captureSignal("SIGUSR1");
+
+      sigusr1();
+      await new Promise<void>((resolve) => setImmediate(resolve));
+
+      expect(scheduleGatewaySigusr1Restart).toHaveBeenCalledWith({
+        delayMs: 0,
+        reason: "SIGUSR1",
+      });
+      expect(close).not.toHaveBeenCalled();
+      expect(start).toHaveBeenCalledTimes(1);
+      expect(markGatewaySigusr1RestartHandled).not.toHaveBeenCalled();
+    });
+  });
+
   it("releases the lock before exiting on spawned restart", async () => {
     vi.clearAllMocks();
 
diff --git a/src/cli/gateway-cli/run-loop.ts b/src/cli/gateway-cli/run-loop.ts
index 13ef073a80d..23ec7dd584d 100644
--- a/src/cli/gateway-cli/run-loop.ts
+++ b/src/cli/gateway-cli/run-loop.ts
@@ -10,6 +10,7 @@ import {
   consumeGatewaySigusr1RestartAuthorization,
   isGatewaySigusr1RestartExternallyAllowed,
   markGatewaySigusr1RestartHandled,
+  scheduleGatewaySigusr1Restart,
 } from "../../infra/restart.js";
 import { createSubsystemLogger } from "../../logging/subsystem.js";
 import {
@@ -186,10 +187,20 @@ export async function runGatewayLoop(params: {
   const onSigusr1 = () => {
     gatewayLog.info("signal SIGUSR1 received");
     const authorized = consumeGatewaySigusr1RestartAuthorization();
-    if (!authorized && !isGatewaySigusr1RestartExternallyAllowed()) {
-      gatewayLog.warn(
-        "SIGUSR1 restart ignored (not authorized; commands.restart=false or use gateway tool).",
-      );
+    if (!authorized) {
+      if (!isGatewaySigusr1RestartExternallyAllowed()) {
+        gatewayLog.warn(
+          "SIGUSR1 restart ignored (not authorized; commands.restart=false or use gateway tool).",
+        );
+        return;
+      }
+      if (shuttingDown) {
+        gatewayLog.info("received SIGUSR1 during shutdown; ignoring");
+        return;
+      }
+      // External SIGUSR1 requests should still reuse the in-process restart
+      // scheduler so idle drain and restart coalescing stay consistent.
+      scheduleGatewaySigusr1Restart({ delayMs: 0, reason: "SIGUSR1" });
       return;
     }
     markGatewaySigusr1RestartHandled();
diff --git a/src/config/schema.labels.ts b/src/config/schema.labels.ts
index d2c0cb29e48..c8fb887924b 100644
--- a/src/config/schema.labels.ts
+++ b/src/config/schema.labels.ts
@@ -279,6 +279,7 @@ export const FIELD_LABELS: Record<string, string> = {
     "OpenAI Chat Completions Image Timeout (ms)",
   "gateway.reload.mode": "Config Reload Mode",
   "gateway.reload.debounceMs": "Config Reload Debounce (ms)",
+  "gateway.reload.deferralTimeoutMs": "Restart Deferral Timeout (ms)",
   "gateway.nodes.browser.mode": "Gateway Node Browser Mode",
   "gateway.nodes.browser.node": "Gateway Node Browser Pin",
   "gateway.nodes.allowCommands": "Gateway Node Allowlist (Extra Commands)",
diff --git a/src/infra/infra-runtime.test.ts b/src/infra/infra-runtime.test.ts
index 2072f8f2da3..97f2336fd11 100644
--- a/src/infra/infra-runtime.test.ts
+++ b/src/infra/infra-runtime.test.ts
@@ -190,8 +190,8 @@ describe("infra runtime", () => {
         await vi.advanceTimersByTimeAsync(0);
         expect(emitSpy).not.toHaveBeenCalledWith("SIGUSR1");
 
-        // Advance past the 90s max deferral wait
-        await vi.advanceTimersByTimeAsync(90_000);
+        // Advance past the 5-minute max deferral wait
+        await vi.advanceTimersByTimeAsync(300_000);
         expect(emitSpy).toHaveBeenCalledWith("SIGUSR1");
       } finally {
         process.removeListener("SIGUSR1", handler);

From ad97c581e21f9dbb895ac2ed18b8b1a76c5ae9ab Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Sun, 15 Mar 2026 22:38:49 -0700
Subject: [PATCH 010/133] refactor: move channel messaging hooks into plugins

---
 docs/refactor/plugin-sdk.md                   |  22 ++
 extensions/discord/src/channel.ts             |  45 ++++
 extensions/slack/src/channel.ts               |  47 ++++
 extensions/telegram/src/channel.ts            | 117 ++++++++++
 src/auto-reply/reply/route-reply.ts           |  28 ++-
 src/channels/plugins/message-actions.ts       |  17 +-
 src/channels/plugins/types.adapters.ts        |  61 ++++++
 src/channels/plugins/types.core.ts            |  74 +++++++
 src/channels/plugins/types.plugin.ts          |   6 +
 src/channels/plugins/types.ts                 |   5 +
 src/channels/reply-prefix.ts                  |  15 +-
 src/commands/agent/run-context.ts             |   4 +-
 src/commands/channels/add.ts                  |  37 ++--
 src/commands/channels/remove.ts               |  17 +-
 src/infra/exec-approval-forwarder.ts          | 201 ++++++------------
 src/infra/exec-approval-surface.test.ts       | 127 +++++------
 src/infra/exec-approval-surface.ts            |  49 +----
 src/infra/outbound/channel-adapters.ts        |  39 +---
 .../outbound/message-action-params.test.ts    |  40 +++-
 src/infra/outbound/message-action-params.ts   |  62 +-----
 src/infra/outbound/message-action-runner.ts   |  30 +--
 src/infra/outbound/outbound-session.ts        |  14 ++
 22 files changed, 658 insertions(+), 399 deletions(-)

diff --git a/docs/refactor/plugin-sdk.md b/docs/refactor/plugin-sdk.md
index a6a10cf9472..05d519a0d24 100644
--- a/docs/refactor/plugin-sdk.md
+++ b/docs/refactor/plugin-sdk.md
@@ -212,3 +212,25 @@ Notes:
 - External plugins can be developed and updated without core source access.
 
 Related docs: [Plugins](/tools/plugin), [Channels](/channels/index), [Configuration](/gateway/configuration).
+
+## Implemented channel-owned seams
+
+Recent refactor work widened the channel plugin contract so core can stop owning
+channel-specific UX and routing behavior:
+
+- `messaging.buildCrossContextComponents`: channel-owned cross-context UI markers
+  (for example Discord components v2 containers)
+- `messaging.enableInteractiveReplies`: channel-owned reply normalization toggles
+  (for example Slack interactive replies)
+- `messaging.resolveOutboundSessionRoute`: channel-owned outbound session routing
+- `threading.resolveAutoThreadId`: channel-owned same-conversation auto-threading
+- `threading.resolveReplyTransport`: channel-owned reply-vs-thread delivery mapping
+- `actions.requiresTrustedRequesterSender`: channel-owned privileged action trust gates
+- `execApprovals.*`: channel-owned exec approval surface state, forwarding suppression,
+  pending payload UX, and pre-delivery hooks
+- `lifecycle.onAccountConfigChanged` / `lifecycle.onAccountRemoved`: channel-owned cleanup on
+  config mutation/removal
+- `allowlist.supportsScope`: channel-owned allowlist scope advertisement
+
+These hooks should be preferred over new `channel === "discord"` / `telegram`
+branches in shared core flows.
diff --git a/extensions/discord/src/channel.ts b/extensions/discord/src/channel.ts
index 0af60e096bc..26a69cf79e0 100644
--- a/extensions/discord/src/channel.ts
+++ b/extensions/discord/src/channel.ts
@@ -1,3 +1,4 @@
+import { Separator, TextDisplay } from "@buape/carbon";
 import { createScopedChannelConfigBase } from "openclaw/plugin-sdk/compat";
 import {
   buildAccountScopedDmSecurityPolicy,
@@ -31,11 +32,15 @@ import {
   resolveDiscordGroupToolPolicy,
   type ChannelMessageActionAdapter,
   type ChannelPlugin,
+  type OpenClawConfig,
   type ResolvedDiscordAccount,
 } from "openclaw/plugin-sdk/discord";
 import { resolveOutboundSendDep } from "../../../src/infra/outbound/send-deps.js";
+import { normalizeMessageChannel } from "../../../src/utils/message-channel.js";
+import { isDiscordExecApprovalClientEnabled } from "./exec-approvals.js";
 import { getDiscordRuntime } from "./runtime.js";
 import { createDiscordSetupWizardProxy, discordSetupAdapter } from "./setup-core.js";
+import { DiscordUiContainer } from "./ui.js";
 
 type DiscordSendFn = ReturnType<
   typeof getDiscordRuntime
@@ -59,8 +64,37 @@ const discordMessageActions: ChannelMessageActionAdapter = {
     }
     return ma.handleAction(ctx);
   },
+  requiresTrustedRequesterSender: ({ action, toolContext }) =>
+    Boolean(toolContext && (action === "timeout" || action === "kick" || action === "ban")),
 };
 
+function buildDiscordCrossContextComponents(params: {
+  originLabel: string;
+  message: string;
+  cfg: OpenClawConfig;
+  accountId?: string | null;
+}) {
+  const trimmed = params.message.trim();
+  const components: Array<TextDisplay | Separator> = [];
+  if (trimmed) {
+    components.push(new TextDisplay(params.message));
+    components.push(new Separator({ divider: true, spacing: "small" }));
+  }
+  components.push(new TextDisplay(`*From ${params.originLabel}*`));
+  return [new DiscordUiContainer({ cfg: params.cfg, accountId: params.accountId, components })];
+}
+
+function hasDiscordExecApprovalDmRoute(cfg: OpenClawConfig): boolean {
+  return listDiscordAccountIds(cfg).some((accountId) => {
+    const execApprovals = resolveDiscordAccount({ cfg, accountId }).config.execApprovals;
+    if (!execApprovals?.enabled || (execApprovals.approvers?.length ?? 0) === 0) {
+      return false;
+    }
+    const target = execApprovals.target ?? "dm";
+    return target === "dm" || target === "both";
+  });
+}
+
 const discordConfigAccessors = createScopedAccountConfigAccessors({
   resolveAccount: ({ cfg, accountId }) => resolveDiscordAccount({ cfg, accountId }),
   resolveAllowFrom: (account: ResolvedDiscordAccount) => account.config.dm?.allowFrom,
@@ -183,11 +217,22 @@ export const discordPlugin: ChannelPlugin<ResolvedDiscordAccount> = {
   },
   messaging: {
     normalizeTarget: normalizeDiscordMessagingTarget,
+    buildCrossContextComponents: buildDiscordCrossContextComponents,
     targetResolver: {
       looksLikeId: looksLikeDiscordTargetId,
       hint: "<channelId|user:ID|channel:ID>",
     },
   },
+  execApprovals: {
+    getInitiatingSurfaceState: ({ cfg, accountId }) =>
+      isDiscordExecApprovalClientEnabled({ cfg, accountId })
+        ? { kind: "enabled" }
+        : { kind: "disabled" },
+    hasConfiguredDmRoute: ({ cfg }) => hasDiscordExecApprovalDmRoute(cfg),
+    shouldSuppressForwardingFallback: ({ cfg, target }) =>
+      (normalizeMessageChannel(target.channel) ?? target.channel) === "discord" &&
+      isDiscordExecApprovalClientEnabled({ cfg, accountId: target.accountId }),
+  },
   directory: {
     self: async () => null,
     listPeers: async (params) => listDiscordDirectoryPeersFromConfig(params),
diff --git a/extensions/slack/src/channel.ts b/extensions/slack/src/channel.ts
index 9a67597ae19..04c9706bd95 100644
--- a/extensions/slack/src/channel.ts
+++ b/extensions/slack/src/channel.ts
@@ -38,6 +38,7 @@ import { resolveOutboundSendDep } from "../../../src/infra/outbound/send-deps.js
 import { buildPassiveProbedChannelStatusSummary } from "../../shared/channel-status-summary.js";
 import { getSlackRuntime } from "./runtime.js";
 import { createSlackSetupWizardProxy, slackSetupAdapter } from "./setup-core.js";
+import { parseSlackTarget } from "./targets.js";
 
 const meta = getChatChannelMeta("slack");
 
@@ -94,6 +95,37 @@ function resolveSlackSendContext(params: {
   return { send, threadTsValue, tokenOverride };
 }
 
+function resolveSlackAutoThreadId(params: {
+  cfg: Parameters<typeof resolveSlackAccount>[0]["cfg"];
+  accountId?: string | null;
+  to: string;
+  toolContext?: {
+    currentChannelId?: string;
+    currentThreadTs?: string;
+    replyToMode?: "off" | "first" | "all";
+    hasRepliedRef?: { value: boolean };
+  };
+}): string | undefined {
+  const context = params.toolContext;
+  if (!context?.currentThreadTs || !context.currentChannelId) {
+    return undefined;
+  }
+  if (context.replyToMode !== "all" && context.replyToMode !== "first") {
+    return undefined;
+  }
+  const parsedTarget = parseSlackTarget(params.to, { defaultKind: "channel" });
+  if (!parsedTarget || parsedTarget.kind !== "channel") {
+    return undefined;
+  }
+  if (parsedTarget.id.toLowerCase() !== context.currentChannelId.toLowerCase()) {
+    return undefined;
+  }
+  if (context.replyToMode === "first" && context.hasRepliedRef?.value) {
+    return undefined;
+  }
+  return context.currentThreadTs;
+}
+
 const slackConfigAccessors = createScopedAccountConfigAccessors({
   resolveAccount: ({ cfg, accountId }) => resolveSlackAccount({ cfg, accountId }),
   resolveAllowFrom: (account: ResolvedSlackAccount) => account.dm?.allowFrom,
@@ -235,9 +267,24 @@ export const slackPlugin: ChannelPlugin<ResolvedSlackAccount> = {
       resolveSlackReplyToMode(resolveSlackAccount({ cfg, accountId }), chatType),
     allowExplicitReplyTagsWhenOff: false,
     buildToolContext: (params) => buildSlackThreadingToolContext(params),
+    resolveAutoThreadId: ({ cfg, accountId, to, toolContext, replyToId }) =>
+      replyToId
+        ? undefined
+        : resolveSlackAutoThreadId({
+            cfg,
+            accountId,
+            to,
+            toolContext,
+          }),
+    resolveReplyTransport: ({ threadId, replyToId }) => ({
+      replyToId: replyToId ?? (threadId != null && threadId !== "" ? String(threadId) : undefined),
+      threadId: null,
+    }),
   },
   messaging: {
     normalizeTarget: normalizeSlackMessagingTarget,
+    enableInteractiveReplies: ({ cfg, accountId }) =>
+      isSlackInteractiveRepliesEnabled({ cfg, accountId }),
     targetResolver: {
       looksLikeId: looksLikeSlackTargetId,
       hint: "<channelId|user:ID|channel:ID>",
diff --git a/extensions/telegram/src/channel.ts b/extensions/telegram/src/channel.ts
index 4b648b667e6..1f0d94057a2 100644
--- a/extensions/telegram/src/channel.ts
+++ b/extensions/telegram/src/channel.ts
@@ -37,13 +37,24 @@ import {
   type ResolvedTelegramAccount,
   type TelegramProbe,
 } from "openclaw/plugin-sdk/telegram";
+import { resolveExecApprovalCommandDisplay } from "../../../src/infra/exec-approval-command-display.js";
+import { buildExecApprovalPendingReplyPayload } from "../../../src/infra/exec-approval-reply.js";
 import {
   type OutboundSendDeps,
   resolveOutboundSendDep,
 } from "../../../src/infra/outbound/send-deps.js";
+import { normalizeMessageChannel } from "../../../src/utils/message-channel.js";
+import { buildTelegramExecApprovalButtons } from "./approval-buttons.js";
+import {
+  isTelegramExecApprovalClientEnabled,
+  resolveTelegramExecApprovalTarget,
+} from "./exec-approvals.js";
 import { getTelegramRuntime } from "./runtime.js";
+import { sendTypingTelegram } from "./send.js";
 import { telegramSetupAdapter } from "./setup-core.js";
 import { telegramSetupWizard } from "./setup-surface.js";
+import { parseTelegramTarget } from "./targets.js";
+import { deleteTelegramUpdateOffset } from "./update-offset-store.js";
 
 type TelegramSendFn = ReturnType<
   typeof getTelegramRuntime
@@ -140,6 +151,32 @@ async function sendTelegramOutbound(params: {
   );
 }
 
+function resolveTelegramAutoThreadId(params: {
+  to: string;
+  toolContext?: { currentThreadTs?: string; currentChannelId?: string };
+}): string | undefined {
+  const context = params.toolContext;
+  if (!context?.currentThreadTs || !context.currentChannelId) {
+    return undefined;
+  }
+  const parsedTo = parseTelegramTarget(params.to);
+  const parsedChannel = parseTelegramTarget(context.currentChannelId);
+  if (parsedTo.chatId.toLowerCase() !== parsedChannel.chatId.toLowerCase()) {
+    return undefined;
+  }
+  return context.currentThreadTs;
+}
+
+function hasTelegramExecApprovalDmRoute(cfg: OpenClawConfig): boolean {
+  return listTelegramAccountIds(cfg).some((accountId) => {
+    if (!isTelegramExecApprovalClientEnabled({ cfg, accountId })) {
+      return false;
+    }
+    const target = resolveTelegramExecApprovalTarget({ cfg, accountId });
+    return target === "dm" || target === "both";
+  });
+}
+
 const telegramMessageActions: ChannelMessageActionAdapter = {
   listActions: (ctx) =>
     getTelegramRuntime().channel.telegram.messageActions?.listActions?.(ctx) ?? [],
@@ -282,6 +319,8 @@ export const telegramPlugin: ChannelPlugin<ResolvedTelegramAccount, TelegramProb
   },
   threading: {
     resolveReplyToMode: ({ cfg }) => cfg.channels?.telegram?.replyToMode ?? "off",
+    resolveAutoThreadId: ({ to, toolContext, replyToId }) =>
+      replyToId ? undefined : resolveTelegramAutoThreadId({ to, toolContext }),
   },
   messaging: {
     normalizeTarget: normalizeTelegramMessagingTarget,
@@ -290,6 +329,84 @@ export const telegramPlugin: ChannelPlugin<ResolvedTelegramAccount, TelegramProb
       hint: "<chatId>",
     },
   },
+  lifecycle: {
+    onAccountConfigChanged: async ({ prevCfg, nextCfg, accountId }) => {
+      const previousToken = resolveTelegramAccount({ cfg: prevCfg, accountId }).token.trim();
+      const nextToken = resolveTelegramAccount({ cfg: nextCfg, accountId }).token.trim();
+      if (previousToken !== nextToken) {
+        await deleteTelegramUpdateOffset({ accountId });
+      }
+    },
+    onAccountRemoved: async ({ accountId }) => {
+      await deleteTelegramUpdateOffset({ accountId });
+    },
+  },
+  execApprovals: {
+    getInitiatingSurfaceState: ({ cfg, accountId }) =>
+      isTelegramExecApprovalClientEnabled({ cfg, accountId })
+        ? { kind: "enabled" }
+        : { kind: "disabled" },
+    hasConfiguredDmRoute: ({ cfg }) => hasTelegramExecApprovalDmRoute(cfg),
+    shouldSuppressForwardingFallback: ({ cfg, target, request }) => {
+      const channel = normalizeMessageChannel(target.channel) ?? target.channel;
+      if (channel !== "telegram") {
+        return false;
+      }
+      const requestChannel = normalizeMessageChannel(request.request.turnSourceChannel ?? "");
+      if (requestChannel !== "telegram") {
+        return false;
+      }
+      const accountId = target.accountId?.trim() || request.request.turnSourceAccountId?.trim();
+      return isTelegramExecApprovalClientEnabled({ cfg, accountId });
+    },
+    buildPendingPayload: ({ request, nowMs }) => {
+      const payload = buildExecApprovalPendingReplyPayload({
+        approvalId: request.id,
+        approvalSlug: request.id.slice(0, 8),
+        approvalCommandId: request.id,
+        command: resolveExecApprovalCommandDisplay(request.request).commandText,
+        cwd: request.request.cwd ?? undefined,
+        host: request.request.host === "node" ? "node" : "gateway",
+        nodeId: request.request.nodeId ?? undefined,
+        expiresAtMs: request.expiresAtMs,
+        nowMs,
+      });
+      const buttons = buildTelegramExecApprovalButtons(request.id);
+      if (!buttons) {
+        return payload;
+      }
+      return {
+        ...payload,
+        channelData: {
+          ...payload.channelData,
+          telegram: {
+            buttons,
+          },
+        },
+      };
+    },
+    beforeDeliverPending: async ({ cfg, target, payload }) => {
+      const hasExecApprovalData =
+        payload.channelData &&
+        typeof payload.channelData === "object" &&
+        !Array.isArray(payload.channelData) &&
+        payload.channelData.execApproval;
+      if (!hasExecApprovalData) {
+        return;
+      }
+      const threadId =
+        typeof target.threadId === "number"
+          ? target.threadId
+          : typeof target.threadId === "string"
+            ? Number.parseInt(target.threadId, 10)
+            : undefined;
+      await sendTypingTelegram(target.to, {
+        cfg,
+        accountId: target.accountId ?? undefined,
+        ...(Number.isFinite(threadId) ? { messageThreadId: threadId } : {}),
+      }).catch(() => {});
+    },
+  },
   directory: {
     self: async () => null,
     listPeers: async (params) => listTelegramDirectoryPeersFromConfig(params),
diff --git a/src/auto-reply/reply/route-reply.ts b/src/auto-reply/reply/route-reply.ts
index ae31a15ec90..15036d0878f 100644
--- a/src/auto-reply/reply/route-reply.ts
+++ b/src/auto-reply/reply/route-reply.ts
@@ -11,7 +11,7 @@ import { parseSlackBlocksInput } from "../../../extensions/slack/src/blocks-inpu
 import { isSlackInteractiveRepliesEnabled } from "../../../extensions/slack/src/interactive-replies.js";
 import { resolveSessionAgentId } from "../../agents/agent-scope.js";
 import { resolveEffectiveMessagesConfig } from "../../agents/identity.js";
-import { normalizeChannelId } from "../../channels/plugins/index.js";
+import { getChannelPlugin, normalizeChannelId } from "../../channels/plugins/index.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import { buildOutboundSessionContext } from "../../infra/outbound/session-context.js";
 import { INTERNAL_MESSAGE_CHANNEL, normalizeMessageChannel } from "../../utils/message-channel.js";
@@ -80,6 +80,8 @@ export async function routeReply(params: RouteReplyParams): Promise<RouteReplyRe
     return { ok: true };
   }
   const normalizedChannel = normalizeMessageChannel(channel);
+  const channelId = normalizeChannelId(channel) ?? null;
+  const plugin = channelId ? getChannelPlugin(channelId) : undefined;
   const resolvedAgentId = params.sessionKey
     ? resolveSessionAgentId({
         sessionKey: params.sessionKey,
@@ -100,7 +102,8 @@ export async function routeReply(params: RouteReplyParams): Promise<RouteReplyRe
   const normalized = normalizeReplyPayload(payload, {
     responsePrefix,
     enableSlackInteractiveReplies:
-      channel === "slack" ? isSlackInteractiveRepliesEnabled({ cfg, accountId }) : false,
+      plugin?.messaging?.enableInteractiveReplies?.({ cfg, accountId }) ??
+      (channel === "slack" ? isSlackInteractiveRepliesEnabled({ cfg, accountId }) : false),
   });
   if (!normalized) {
     return { ok: true };
@@ -118,7 +121,8 @@ export async function routeReply(params: RouteReplyParams): Promise<RouteReplyRe
       : [];
   const replyToId = externalPayload.replyToId;
   const hasInteractive = (externalPayload.interactive?.blocks.length ?? 0) > 0;
-  let hasSlackBlocks = false;
+  let hasChannelData =
+    externalPayload.channelData != null && Object.keys(externalPayload.channelData).length > 0;
   if (
     channel === "slack" &&
     externalPayload.channelData?.slack &&
@@ -126,17 +130,17 @@ export async function routeReply(params: RouteReplyParams): Promise<RouteReplyRe
     !Array.isArray(externalPayload.channelData.slack)
   ) {
     try {
-      hasSlackBlocks = Boolean(
+      hasChannelData = Boolean(
         parseSlackBlocksInput((externalPayload.channelData.slack as { blocks?: unknown }).blocks)
           ?.length,
       );
     } catch {
-      hasSlackBlocks = false;
+      hasChannelData = false;
     }
   }
 
   // Skip empty replies.
-  if (!text.trim() && mediaUrls.length === 0 && !hasInteractive && !hasSlackBlocks) {
+  if (!text.trim() && mediaUrls.length === 0 && !hasInteractive && !hasChannelData) {
     return { ok: true };
   }
 
@@ -147,7 +151,6 @@ export async function routeReply(params: RouteReplyParams): Promise<RouteReplyRe
     };
   }
 
-  const channelId = normalizeChannelId(channel) ?? null;
   if (!channelId) {
     return { ok: false, error: `Unknown channel: ${String(channel)}` };
   }
@@ -155,12 +158,21 @@ export async function routeReply(params: RouteReplyParams): Promise<RouteReplyRe
     return { ok: false, error: "Reply routing aborted" };
   }
 
+  const replyTransport =
+    plugin?.threading?.resolveReplyTransport?.({
+      cfg,
+      accountId,
+      threadId,
+      replyToId,
+    }) ?? null;
   const resolvedReplyToId =
+    replyTransport?.replyToId ??
     replyToId ??
     ((channelId === "slack" || channelId === "mattermost") && threadId != null && threadId !== ""
       ? String(threadId)
       : undefined);
-  const resolvedThreadId = channelId === "slack" ? null : (threadId ?? null);
+  const resolvedThreadId =
+    replyTransport?.threadId ?? (channelId === "slack" ? null : (threadId ?? null));
 
   try {
     // Provider docking: this is an execution boundary (we're about to send).
diff --git a/src/channels/plugins/message-actions.ts b/src/channels/plugins/message-actions.ts
index e6488bff91f..53bc14cfc10 100644
--- a/src/channels/plugins/message-actions.ts
+++ b/src/channels/plugins/message-actions.ts
@@ -4,17 +4,26 @@ import { getChannelPlugin, listChannelPlugins } from "./index.js";
 import type { ChannelMessageCapability } from "./message-capabilities.js";
 import type { ChannelMessageActionContext, ChannelMessageActionName } from "./types.js";
 
+type ChannelActions = NonNullable<NonNullable<ReturnType<typeof getChannelPlugin>>["actions"]>;
+
 const trustedRequesterRequiredByChannel: Readonly<
   Partial<Record<string, ReadonlySet<ChannelMessageActionName>>>
 > = {
   discord: new Set<ChannelMessageActionName>(["timeout", "kick", "ban"]),
 };
 
-type ChannelActions = NonNullable<NonNullable<ReturnType<typeof getChannelPlugin>>["actions"]>;
-
 function requiresTrustedRequesterSender(ctx: ChannelMessageActionContext): boolean {
-  const actions = trustedRequesterRequiredByChannel[ctx.channel];
-  return Boolean(actions?.has(ctx.action) && ctx.toolContext);
+  const plugin = getChannelPlugin(ctx.channel);
+  const fromPlugin = plugin?.actions?.requiresTrustedRequesterSender?.({
+    action: ctx.action,
+    toolContext: ctx.toolContext,
+  });
+  if (fromPlugin != null) {
+    return fromPlugin;
+  }
+  return Boolean(
+    trustedRequesterRequiredByChannel[ctx.channel]?.has(ctx.action) && ctx.toolContext,
+  );
 }
 
 export function listChannelMessageActions(cfg: OpenClawConfig): ChannelMessageActionName[] {
diff --git a/src/channels/plugins/types.adapters.ts b/src/channels/plugins/types.adapters.ts
index 257985e133c..c8255f07542 100644
--- a/src/channels/plugins/types.adapters.ts
+++ b/src/channels/plugins/types.adapters.ts
@@ -1,6 +1,7 @@
 import type { ReplyPayload } from "../../auto-reply/types.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import type { GroupToolPolicyConfig } from "../../config/types.tools.js";
+import type { ExecApprovalRequest, ExecApprovalResolved } from "../../infra/exec-approvals.js";
 import type { OutboundDeliveryResult, OutboundSendDeps } from "../../infra/outbound/deliver.js";
 import type { OutboundIdentity } from "../../infra/outbound/identity.js";
 import type { PluginRuntime } from "../../plugins/runtime/types.js";
@@ -21,6 +22,19 @@ import type {
   ChannelStatusIssue,
 } from "./types.core.js";
 
+export type ChannelExecApprovalInitiatingSurfaceState =
+  | { kind: "enabled" }
+  | { kind: "disabled" }
+  | { kind: "unsupported" };
+
+export type ChannelExecApprovalForwardTarget = {
+  channel: string;
+  to: string;
+  accountId?: string | null;
+  threadId?: string | number | null;
+  source?: "session" | "target";
+};
+
 export type ChannelSetupAdapter = {
   resolveAccountId?: (params: {
     cfg: OpenClawConfig;
@@ -377,6 +391,53 @@ export type ChannelCommandAdapter = {
   skipWhenConfigEmpty?: boolean;
 };
 
+export type ChannelLifecycleAdapter = {
+  onAccountConfigChanged?: (params: {
+    prevCfg: OpenClawConfig;
+    nextCfg: OpenClawConfig;
+    accountId: string;
+    runtime: RuntimeEnv;
+  }) => Promise<void> | void;
+  onAccountRemoved?: (params: {
+    prevCfg: OpenClawConfig;
+    accountId: string;
+    runtime: RuntimeEnv;
+  }) => Promise<void> | void;
+};
+
+export type ChannelExecApprovalAdapter = {
+  getInitiatingSurfaceState?: (params: {
+    cfg: OpenClawConfig;
+    accountId?: string | null;
+  }) => ChannelExecApprovalInitiatingSurfaceState;
+  hasConfiguredDmRoute?: (params: { cfg: OpenClawConfig }) => boolean;
+  shouldSuppressForwardingFallback?: (params: {
+    cfg: OpenClawConfig;
+    target: ChannelExecApprovalForwardTarget;
+    request: ExecApprovalRequest;
+  }) => boolean;
+  buildPendingPayload?: (params: {
+    cfg: OpenClawConfig;
+    request: ExecApprovalRequest;
+    target: ChannelExecApprovalForwardTarget;
+    nowMs: number;
+  }) => ReplyPayload | null;
+  buildResolvedPayload?: (params: {
+    cfg: OpenClawConfig;
+    resolved: ExecApprovalResolved;
+    target: ChannelExecApprovalForwardTarget;
+  }) => ReplyPayload | null;
+  beforeDeliverPending?: (params: {
+    cfg: OpenClawConfig;
+    target: ChannelExecApprovalForwardTarget;
+    payload: ReplyPayload;
+  }) => Promise<void> | void;
+};
+
+export type ChannelAllowlistAdapter = {
+  supportsScope?: (params: { scope: "dm" | "group" | "all" }) => boolean;
+};
+
 export type ChannelSecurityAdapter<ResolvedAccount = unknown> = {
   resolveDmPolicy?: (
     ctx: ChannelSecurityContext<ResolvedAccount>,
diff --git a/src/channels/plugins/types.core.ts b/src/channels/plugins/types.core.ts
index fc6d1b91731..22b2c9387e7 100644
--- a/src/channels/plugins/types.core.ts
+++ b/src/channels/plugins/types.core.ts
@@ -1,3 +1,4 @@
+import type { TopLevelComponents } from "@buape/carbon";
 import type { AgentTool, AgentToolResult } from "@mariozechner/pi-agent-core";
 import type { TSchema } from "@sinclair/typebox";
 import type { MsgContext } from "../../auto-reply/templating.js";
@@ -237,6 +238,38 @@ export type ChannelStreamingAdapter = {
   };
 };
 
+export type ChannelCrossContextComponentsFactory = (params: {
+  originLabel: string;
+  message: string;
+  cfg: OpenClawConfig;
+  accountId?: string | null;
+}) => TopLevelComponents[];
+
+export type ChannelReplyTransport = {
+  replyToId?: string | null;
+  threadId?: string | number | null;
+};
+
+export type ChannelFocusedBindingContext = {
+  conversationId: string;
+  parentConversationId?: string;
+  placement: "current" | "child";
+  labelNoun: string;
+};
+
+export type ChannelOutboundSessionRoute = {
+  sessionKey: string;
+  baseSessionKey: string;
+  peer: {
+    kind: ChatType;
+    id: string;
+  };
+  chatType: "direct" | "group" | "channel";
+  from: string;
+  to: string;
+  threadId?: string | number;
+};
+
 export type ChannelThreadingAdapter = {
   resolveReplyToMode?: (params: {
     cfg: OpenClawConfig;
@@ -260,6 +293,24 @@ export type ChannelThreadingAdapter = {
     context: ChannelThreadingContext;
     hasRepliedRef?: { value: boolean };
   }) => ChannelThreadingToolContext | undefined;
+  resolveAutoThreadId?: (params: {
+    cfg: OpenClawConfig;
+    accountId?: string | null;
+    to: string;
+    toolContext?: ChannelThreadingToolContext;
+    replyToId?: string | null;
+  }) => string | undefined;
+  resolveReplyTransport?: (params: {
+    cfg: OpenClawConfig;
+    accountId?: string | null;
+    threadId?: string | number | null;
+    replyToId?: string | null;
+  }) => ChannelReplyTransport | null;
+  resolveFocusedBinding?: (params: {
+    cfg: OpenClawConfig;
+    accountId?: string | null;
+    context: ChannelThreadingContext;
+  }) => ChannelFocusedBindingContext | null;
 };
 
 export type ChannelThreadingContext = {
@@ -293,6 +344,11 @@ export type ChannelThreadingToolContext = {
 
 export type ChannelMessagingAdapter = {
   normalizeTarget?: (raw: string) => string | undefined;
+  buildCrossContextComponents?: ChannelCrossContextComponentsFactory;
+  enableInteractiveReplies?: (params: {
+    cfg: OpenClawConfig;
+    accountId?: string | null;
+  }) => boolean;
   targetResolver?: {
     looksLikeId?: (raw: string, normalized?: string) => boolean;
     hint?: string;
@@ -314,6 +370,20 @@ export type ChannelMessagingAdapter = {
     display?: string;
     kind?: ChannelDirectoryEntryKind;
   }) => string;
+  resolveOutboundSessionRoute?: (params: {
+    cfg: OpenClawConfig;
+    agentId: string;
+    accountId?: string | null;
+    target: string;
+    resolvedTarget?: {
+      to: string;
+      kind: ChannelDirectoryEntryKind | "channel";
+      display?: string;
+      source: "normalized" | "directory";
+    };
+    replyToId?: string | null;
+    threadId?: string | number | null;
+  }) => ChannelOutboundSessionRoute | Promise<ChannelOutboundSessionRoute | null> | null;
 };
 
 export type ChannelAgentPromptAdapter = {
@@ -374,6 +444,10 @@ export type ChannelMessageActionAdapter = {
   listActions?: (params: { cfg: OpenClawConfig }) => ChannelMessageActionName[];
   supportsAction?: (params: { action: ChannelMessageActionName }) => boolean;
   getCapabilities?: (params: { cfg: OpenClawConfig }) => readonly ChannelMessageCapability[];
+  requiresTrustedRequesterSender?: (params: {
+    action: ChannelMessageActionName;
+    toolContext?: ChannelThreadingToolContext;
+  }) => boolean;
   extractToolSend?: (params: { args: Record<string, unknown> }) => ChannelToolSend | null;
   handleAction?: (ctx: ChannelMessageActionContext) => Promise<AgentToolResult<unknown>>;
 };
diff --git a/src/channels/plugins/types.plugin.ts b/src/channels/plugins/types.plugin.ts
index cf09af29048..713eff20bbe 100644
--- a/src/channels/plugins/types.plugin.ts
+++ b/src/channels/plugins/types.plugin.ts
@@ -4,16 +4,19 @@ import type {
   ChannelCommandAdapter,
   ChannelConfigAdapter,
   ChannelDirectoryAdapter,
+  ChannelExecApprovalAdapter,
   ChannelResolverAdapter,
   ChannelElevatedAdapter,
   ChannelGatewayAdapter,
   ChannelGroupAdapter,
   ChannelHeartbeatAdapter,
+  ChannelLifecycleAdapter,
   ChannelOutboundAdapter,
   ChannelPairingAdapter,
   ChannelSecurityAdapter,
   ChannelSetupAdapter,
   ChannelStatusAdapter,
+  ChannelAllowlistAdapter,
 } from "./types.adapters.js";
 import type {
   ChannelAgentTool,
@@ -71,6 +74,9 @@ export type ChannelPlugin<ResolvedAccount = any, Probe = unknown, Audit = unknow
   auth?: ChannelAuthAdapter;
   elevated?: ChannelElevatedAdapter;
   commands?: ChannelCommandAdapter;
+  lifecycle?: ChannelLifecycleAdapter;
+  execApprovals?: ChannelExecApprovalAdapter;
+  allowlist?: ChannelAllowlistAdapter;
   streaming?: ChannelStreamingAdapter;
   threading?: ChannelThreadingAdapter;
   messaging?: ChannelMessagingAdapter;
diff --git a/src/channels/plugins/types.ts b/src/channels/plugins/types.ts
index e56262efb41..a2abcc12dea 100644
--- a/src/channels/plugins/types.ts
+++ b/src/channels/plugins/types.ts
@@ -11,6 +11,9 @@ export type {
   ChannelCommandAdapter,
   ChannelConfigAdapter,
   ChannelDirectoryAdapter,
+  ChannelExecApprovalAdapter,
+  ChannelExecApprovalForwardTarget,
+  ChannelExecApprovalInitiatingSurfaceState,
   ChannelResolveKind,
   ChannelResolveResult,
   ChannelResolverAdapter,
@@ -19,12 +22,14 @@ export type {
   ChannelGatewayContext,
   ChannelGroupAdapter,
   ChannelHeartbeatAdapter,
+  ChannelLifecycleAdapter,
   ChannelLoginWithQrStartResult,
   ChannelLoginWithQrWaitResult,
   ChannelLogoutContext,
   ChannelLogoutResult,
   ChannelOutboundAdapter,
   ChannelOutboundContext,
+  ChannelAllowlistAdapter,
   ChannelPairingAdapter,
   ChannelSecurityAdapter,
   ChannelSetupAdapter,
diff --git a/src/channels/reply-prefix.ts b/src/channels/reply-prefix.ts
index 247109fb59d..c76b6175157 100644
--- a/src/channels/reply-prefix.ts
+++ b/src/channels/reply-prefix.ts
@@ -5,6 +5,7 @@ import {
   type ResponsePrefixContext,
 } from "../auto-reply/reply/response-prefix-template.js";
 import type { GetReplyOptions } from "../auto-reply/types.js";
+import { getChannelPlugin } from "../channels/plugins/index.js";
 import type { OpenClawConfig } from "../config/config.js";
 
 type ModelSelectionContext = Parameters<NonNullable<GetReplyOptions["onModelSelected"]>>[0];
@@ -50,10 +51,16 @@ export function createReplyPrefixContext(params: {
       channel: params.channel,
       accountId: params.accountId,
     }).responsePrefix,
-    enableSlackInteractiveReplies:
-      params.channel === "slack"
-        ? isSlackInteractiveRepliesEnabled({ cfg, accountId: params.accountId })
-        : undefined,
+    enableSlackInteractiveReplies: params.channel
+      ? (getChannelPlugin(params.channel)?.messaging?.enableInteractiveReplies?.({
+          cfg,
+          accountId: params.accountId,
+        }) ??
+        (params.channel === "slack"
+          ? isSlackInteractiveRepliesEnabled({ cfg, accountId: params.accountId })
+          : undefined) ??
+        undefined)
+      : undefined,
     responsePrefixContextProvider: () => prefixContext,
     onModelSelected,
   };
diff --git a/src/commands/agent/run-context.ts b/src/commands/agent/run-context.ts
index b9d3c3a69d0..b6c121a6c0a 100644
--- a/src/commands/agent/run-context.ts
+++ b/src/commands/agent/run-context.ts
@@ -42,8 +42,8 @@ export function resolveAgentRunContext(opts: AgentCommandOpts): AgentRunContext
     merged.currentThreadTs = String(opts.threadId);
   }
 
-  // Populate currentChannelId from the outbound target so that
-  // resolveTelegramAutoThreadId can match the originating chat.
+  // Populate currentChannelId from the outbound target so channel threading
+  // adapters can detect same-conversation auto-threading.
   if (!merged.currentChannelId && opts.to) {
     const trimmedTo = opts.to.trim();
     if (trimmedTo) {
diff --git a/src/commands/channels/add.ts b/src/commands/channels/add.ts
index b2a092780a8..0079e7ea881 100644
--- a/src/commands/channels/add.ts
+++ b/src/commands/channels/add.ts
@@ -312,20 +312,7 @@ export async function channelsAddCommand(
     return;
   }
 
-  let previousTelegramToken = "";
-  let resolveTelegramAccount:
-    | ((
-        params: Parameters<
-          typeof import("../../../extensions/telegram/src/accounts.js").resolveTelegramAccount
-        >[0],
-      ) => ReturnType<
-        typeof import("../../../extensions/telegram/src/accounts.js").resolveTelegramAccount
-      >)
-    | undefined;
-  if (channel === "telegram") {
-    ({ resolveTelegramAccount } = await import("../../../extensions/telegram/src/accounts.js"));
-    previousTelegramToken = resolveTelegramAccount({ cfg: nextConfig, accountId }).token.trim();
-  }
+  const prevConfig = nextConfig;
 
   if (accountId !== DEFAULT_ACCOUNT_ID) {
     nextConfig = moveSingleAccountChannelSectionToDefaultAccount({
@@ -334,6 +321,12 @@ export async function channelsAddCommand(
     });
   }
 
+  let previousTelegramToken = "";
+  if (channel === "telegram") {
+    const { resolveTelegramAccount } = await import("../../../extensions/telegram/src/accounts.js");
+    previousTelegramToken = resolveTelegramAccount({ cfg: prevConfig, accountId }).token.trim();
+  }
+
   nextConfig = applyChannelAccountConfig({
     cfg: nextConfig,
     channel,
@@ -341,13 +334,19 @@ export async function channelsAddCommand(
     input,
     plugin,
   });
-
-  if (channel === "telegram" && resolveTelegramAccount) {
-    const { deleteTelegramUpdateOffset } =
-      await import("../../../extensions/telegram/src/update-offset-store.js");
+  await plugin.lifecycle?.onAccountConfigChanged?.({
+    prevCfg: prevConfig,
+    nextCfg: nextConfig,
+    accountId,
+    runtime,
+  });
+  if (channel === "telegram") {
+    const [{ resolveTelegramAccount }, { deleteTelegramUpdateOffset }] = await Promise.all([
+      import("../../../extensions/telegram/src/accounts.js"),
+      import("../../../extensions/telegram/src/update-offset-store.js"),
+    ]);
     const nextTelegramToken = resolveTelegramAccount({ cfg: nextConfig, accountId }).token.trim();
     if (previousTelegramToken !== nextTelegramToken) {
-      // Clear stale polling offsets after Telegram token rotation.
       await deleteTelegramUpdateOffset({ accountId });
     }
   }
diff --git a/src/commands/channels/remove.ts b/src/commands/channels/remove.ts
index 58354170135..b7d012d0fac 100644
--- a/src/commands/channels/remove.ts
+++ b/src/commands/channels/remove.ts
@@ -1,4 +1,3 @@
-import { deleteTelegramUpdateOffset } from "../../../extensions/telegram/src/update-offset-store.js";
 import { resolveChannelDefaultAccountId } from "../../channels/plugins/helpers.js";
 import {
   getChannelPlugin,
@@ -103,6 +102,7 @@ export async function channelsRemoveCommand(
   const accountKey = resolvedAccountId || DEFAULT_ACCOUNT_ID;
 
   let next = { ...cfg };
+  const prevCfg = cfg;
   if (deleteConfig) {
     if (!plugin.config.deleteAccount) {
       runtime.error(`Channel ${channel} does not support delete.`);
@@ -113,9 +113,14 @@ export async function channelsRemoveCommand(
       cfg: next,
       accountId: resolvedAccountId,
     });
-
-    // Clean up Telegram polling offset to prevent stale offset on bot token change (#18233)
+    await plugin.lifecycle?.onAccountRemoved?.({
+      prevCfg,
+      accountId: resolvedAccountId,
+      runtime,
+    });
     if (channel === "telegram") {
+      const { deleteTelegramUpdateOffset } =
+        await import("../../../extensions/telegram/src/update-offset-store.js");
       await deleteTelegramUpdateOffset({ accountId: resolvedAccountId });
     }
   } else {
@@ -129,6 +134,12 @@ export async function channelsRemoveCommand(
       accountId: resolvedAccountId,
       enabled: false,
     });
+    await plugin.lifecycle?.onAccountConfigChanged?.({
+      prevCfg,
+      nextCfg: next,
+      accountId: resolvedAccountId,
+      runtime,
+    });
   }
 
   await writeConfigFile(next);
diff --git a/src/infra/exec-approval-forwarder.ts b/src/infra/exec-approval-forwarder.ts
index 5d197d6ae62..0c0c8e30e48 100644
--- a/src/infra/exec-approval-forwarder.ts
+++ b/src/infra/exec-approval-forwarder.ts
@@ -1,6 +1,5 @@
-import { buildTelegramExecApprovalButtons } from "../../extensions/telegram/src/approval-buttons.js";
-import { sendTypingTelegram } from "../../extensions/telegram/src/send.js";
 import type { ReplyPayload } from "../auto-reply/types.js";
+import { getChannelPlugin } from "../channels/plugins/index.js";
 import type { OpenClawConfig } from "../config/config.js";
 import { loadConfig } from "../config/config.js";
 import type {
@@ -8,7 +7,7 @@ import type {
   ExecApprovalForwardTarget,
 } from "../config/types.approvals.js";
 import { createSubsystemLogger } from "../logging/subsystem.js";
-import { normalizeAccountId, parseAgentSessionKey } from "../routing/session-key.js";
+import { parseAgentSessionKey } from "../routing/session-key.js";
 import { compileConfigRegex } from "../security/config-regex.js";
 import { testRegexWithBoundedInput } from "../security/safe-regex.js";
 import {
@@ -17,7 +16,6 @@ import {
   type DeliverableMessageChannel,
 } from "../utils/message-channel.js";
 import { resolveExecApprovalCommandDisplay } from "./exec-approval-command-display.js";
-import { buildExecApprovalPendingReplyPayload } from "./exec-approval-reply.js";
 import { resolveExecApprovalSessionTarget } from "./exec-approval-session-target.js";
 import type {
   ExecApprovalDecision,
@@ -111,91 +109,22 @@ function buildTargetKey(target: ExecApprovalForwardTarget): string {
   return [channel, target.to, accountId, threadId].join(":");
 }
 
-function resolveChannelAccountConfig<T>(
-  accounts: Record<string, T> | undefined,
-  accountId?: string,
-): T | undefined {
-  if (!accounts || !accountId?.trim()) {
-    return undefined;
-  }
-  const normalized = normalizeAccountId(accountId);
-  const direct = accounts[normalized];
-  if (direct) {
-    return direct;
-  }
-  const fallbackKey = Object.keys(accounts).find(
-    (key) => key.toLowerCase() === normalized.toLowerCase(),
-  );
-  return fallbackKey ? accounts[fallbackKey] : undefined;
-}
-
-// Discord has component-based exec approvals; skip text fallback only when the
-// Discord-specific handler is enabled for the same target account.
-function shouldSkipDiscordForwarding(
-  target: ExecApprovalForwardTarget,
-  cfg: OpenClawConfig,
-): boolean {
-  const channel = normalizeMessageChannel(target.channel) ?? target.channel;
-  if (channel !== "discord") {
-    return false;
-  }
-  const discord = cfg.channels?.discord as
-    | {
-        execApprovals?: { enabled?: boolean; approvers?: Array<string | number> };
-        accounts?: Record<
-          string,
-          { execApprovals?: { enabled?: boolean; approvers?: Array<string | number> } }
-        >;
-      }
-    | undefined;
-  if (!discord) {
-    return false;
-  }
-  const account = resolveChannelAccountConfig(discord.accounts, target.accountId);
-  const execApprovals = account?.execApprovals ?? discord.execApprovals;
-  return Boolean(execApprovals?.enabled && (execApprovals.approvers?.length ?? 0) > 0);
-}
-
-function shouldSkipTelegramForwarding(params: {
+function shouldSkipForwardingFallback(params: {
   target: ExecApprovalForwardTarget;
   cfg: OpenClawConfig;
   request: ExecApprovalRequest;
 }): boolean {
   const channel = normalizeMessageChannel(params.target.channel) ?? params.target.channel;
-  if (channel !== "telegram") {
+  if (!channel) {
     return false;
   }
-  const requestChannel = normalizeMessageChannel(params.request.request.turnSourceChannel ?? "");
-  if (requestChannel !== "telegram") {
-    return false;
-  }
-  const telegram = params.cfg.channels?.telegram;
-  if (!telegram) {
-    return false;
-  }
-  const telegramConfig = telegram as
-    | {
-        execApprovals?: { enabled?: boolean; approvers?: Array<string | number> };
-        accounts?: Record<
-          string,
-          { execApprovals?: { enabled?: boolean; approvers?: Array<string | number> } }
-        >;
-      }
-    | undefined;
-  if (!telegramConfig) {
-    return false;
-  }
-  const accountId =
-    params.target.accountId?.trim() || params.request.request.turnSourceAccountId?.trim();
-  const account = accountId
-    ? (resolveChannelAccountConfig<{
-        execApprovals?: { enabled?: boolean; approvers?: Array<string | number> };
-      }>(telegramConfig.accounts, accountId) as
-        | { execApprovals?: { enabled?: boolean; approvers?: Array<string | number> } }
-        | undefined)
-    : undefined;
-  const execApprovals = account?.execApprovals ?? telegramConfig.execApprovals;
-  return Boolean(execApprovals?.enabled && (execApprovals.approvers?.length ?? 0) > 0);
+  return (
+    getChannelPlugin(channel)?.execApprovals?.shouldSuppressForwardingFallback?.({
+      cfg: params.cfg,
+      target: params.target,
+      request: params.request,
+    }) ?? false
+  );
 }
 
 function formatApprovalCommand(command: string): { inline: boolean; text: string } {
@@ -309,6 +238,7 @@ async function deliverToTargets(params: {
   targets: ForwardTarget[];
   buildPayload: (target: ForwardTarget) => ReplyPayload;
   deliver: typeof deliverOutboundPayloads;
+  beforeDeliver?: (target: ForwardTarget, payload: ReplyPayload) => Promise<void> | void;
   shouldSend?: () => boolean;
 }) {
   const deliveries = params.targets.map(async (target) => {
@@ -321,25 +251,7 @@ async function deliverToTargets(params: {
     }
     try {
       const payload = params.buildPayload(target);
-      if (
-        channel === "telegram" &&
-        payload.channelData &&
-        typeof payload.channelData === "object" &&
-        !Array.isArray(payload.channelData) &&
-        payload.channelData.execApproval
-      ) {
-        const threadId =
-          typeof target.threadId === "number"
-            ? target.threadId
-            : typeof target.threadId === "string"
-              ? Number.parseInt(target.threadId, 10)
-              : undefined;
-        await sendTypingTelegram(target.to, {
-          cfg: params.cfg,
-          accountId: target.accountId,
-          ...(Number.isFinite(threadId) ? { messageThreadId: threadId } : {}),
-        }).catch(() => {});
-      }
+      await params.beforeDeliver?.(target, payload);
       await params.deliver({
         cfg: params.cfg,
         channel,
@@ -356,41 +268,45 @@ async function deliverToTargets(params: {
 }
 
 function buildRequestPayloadForTarget(
-  _cfg: OpenClawConfig,
+  cfg: OpenClawConfig,
   request: ExecApprovalRequest,
   nowMsValue: number,
   target: ForwardTarget,
 ): ReplyPayload {
   const channel = normalizeMessageChannel(target.channel) ?? target.channel;
-  if (channel === "telegram") {
-    const payload = buildExecApprovalPendingReplyPayload({
-      approvalId: request.id,
-      approvalSlug: request.id.slice(0, 8),
-      approvalCommandId: request.id,
-      command: resolveExecApprovalCommandDisplay(request.request).commandText,
-      cwd: request.request.cwd ?? undefined,
-      host: request.request.host === "node" ? "node" : "gateway",
-      nodeId: request.request.nodeId ?? undefined,
-      expiresAtMs: request.expiresAtMs,
-      nowMs: nowMsValue,
-    });
-    const buttons = buildTelegramExecApprovalButtons(request.id);
-    if (!buttons) {
-      return payload;
-    }
-    return {
-      ...payload,
-      channelData: {
-        ...payload.channelData,
-        telegram: {
-          buttons,
-        },
-      },
-    };
+  const pluginPayload = channel
+    ? getChannelPlugin(channel)?.execApprovals?.buildPendingPayload?.({
+        cfg,
+        request,
+        target,
+        nowMs: nowMsValue,
+      })
+    : null;
+  if (pluginPayload) {
+    return pluginPayload;
   }
   return { text: buildRequestMessage(request, nowMsValue) };
 }
 
+function buildResolvedPayloadForTarget(
+  cfg: OpenClawConfig,
+  resolved: ExecApprovalResolved,
+  target: ForwardTarget,
+): ReplyPayload {
+  const channel = normalizeMessageChannel(target.channel) ?? target.channel;
+  const pluginPayload = channel
+    ? getChannelPlugin(channel)?.execApprovals?.buildResolvedPayload?.({
+        cfg,
+        resolved,
+        target,
+      })
+    : null;
+  if (pluginPayload) {
+    return pluginPayload;
+  }
+  return { text: buildResolvedMessage(resolved) };
+}
+
 function resolveForwardTargets(params: {
   cfg: OpenClawConfig;
   config?: ExecApprovalForwardingConfig;
@@ -454,11 +370,7 @@ export function createExecApprovalForwarder(
             resolveSessionTarget,
           })
         : []),
-    ].filter(
-      (target) =>
-        !shouldSkipDiscordForwarding(target, cfg) &&
-        !shouldSkipTelegramForwarding({ target, cfg, request }),
-    );
+    ].filter((target) => !shouldSkipForwardingFallback({ target, cfg, request }));
 
     if (filteredTargets.length === 0) {
       return false;
@@ -493,6 +405,17 @@ export function createExecApprovalForwarder(
       cfg,
       targets: filteredTargets,
       buildPayload: (target) => buildRequestPayloadForTarget(cfg, request, nowMs(), target),
+      beforeDeliver: async (target, payload) => {
+        const channel = normalizeMessageChannel(target.channel) ?? target.channel;
+        if (!channel) {
+          return;
+        }
+        await getChannelPlugin(channel)?.execApprovals?.beforeDeliverPending?.({
+          cfg,
+          target,
+          payload,
+        });
+      },
       deliver,
       shouldSend: () => pending.get(request.id) === pendingEntry,
     }).catch((err) => {
@@ -529,17 +452,17 @@ export function createExecApprovalForwarder(
               resolveSessionTarget,
             })
           : []),
-      ].filter(
-        (target) =>
-          !shouldSkipDiscordForwarding(target, cfg) &&
-          !shouldSkipTelegramForwarding({ target, cfg, request }),
-      );
+      ].filter((target) => !shouldSkipForwardingFallback({ target, cfg, request }));
     }
     if (!targets || targets.length === 0) {
       return;
     }
-    const text = buildResolvedMessage(resolved);
-    await deliverToTargets({ cfg, targets, buildPayload: () => ({ text }), deliver });
+    await deliverToTargets({
+      cfg,
+      targets,
+      buildPayload: (target) => buildResolvedPayloadForTarget(cfg, resolved, target),
+      deliver,
+    });
   };
 
   const stop = () => {
diff --git a/src/infra/exec-approval-surface.test.ts b/src/infra/exec-approval-surface.test.ts
index 17f6789967c..c4b959c5042 100644
--- a/src/infra/exec-approval-surface.test.ts
+++ b/src/infra/exec-approval-surface.test.ts
@@ -1,32 +1,41 @@
 import { beforeEach, describe, expect, it, vi } from "vitest";
 
 const loadConfigMock = vi.hoisted(() => vi.fn());
-const listEnabledDiscordAccountsMock = vi.hoisted(() => vi.fn());
-const isDiscordExecApprovalClientEnabledMock = vi.hoisted(() => vi.fn());
-const listEnabledTelegramAccountsMock = vi.hoisted(() => vi.fn());
-const isTelegramExecApprovalClientEnabledMock = vi.hoisted(() => vi.fn());
+const getChannelPluginMock = vi.hoisted(() => vi.fn());
+const listChannelPluginsMock = vi.hoisted(() => vi.fn());
 const normalizeMessageChannelMock = vi.hoisted(() => vi.fn());
 
 vi.mock("../config/config.js", () => ({
   loadConfig: (...args: unknown[]) => loadConfigMock(...args),
 }));
 
-vi.mock("../../extensions/discord/src/accounts.js", () => ({
-  listEnabledDiscordAccounts: (...args: unknown[]) => listEnabledDiscordAccountsMock(...args),
+vi.mock("../channels/plugins/index.js", () => ({
+  getChannelPlugin: (...args: unknown[]) => getChannelPluginMock(...args),
+  listChannelPlugins: (...args: unknown[]) => listChannelPluginsMock(...args),
 }));
 
-vi.mock("../../extensions/discord/src/exec-approvals.js", () => ({
-  isDiscordExecApprovalClientEnabled: (...args: unknown[]) =>
-    isDiscordExecApprovalClientEnabledMock(...args),
+vi.mock("../../extensions/discord/src/channel.js", () => ({
+  discordPlugin: {},
 }));
 
-vi.mock("../../extensions/telegram/src/accounts.js", () => ({
-  listEnabledTelegramAccounts: (...args: unknown[]) => listEnabledTelegramAccountsMock(...args),
+vi.mock("../../extensions/telegram/src/channel.js", () => ({
+  telegramPlugin: {},
 }));
 
-vi.mock("../../extensions/telegram/src/exec-approvals.js", () => ({
-  isTelegramExecApprovalClientEnabled: (...args: unknown[]) =>
-    isTelegramExecApprovalClientEnabledMock(...args),
+vi.mock("../../extensions/slack/src/channel.js", () => ({
+  slackPlugin: {},
+}));
+
+vi.mock("../../extensions/whatsapp/src/channel.js", () => ({
+  whatsappPlugin: {},
+}));
+
+vi.mock("../../extensions/signal/src/channel.js", () => ({
+  signalPlugin: {},
+}));
+
+vi.mock("../../extensions/imessage/src/channel.js", () => ({
+  imessagePlugin: {},
 }));
 
 vi.mock("../utils/message-channel.js", () => ({
@@ -42,10 +51,8 @@ import {
 describe("resolveExecApprovalInitiatingSurfaceState", () => {
   beforeEach(() => {
     loadConfigMock.mockReset();
-    listEnabledDiscordAccountsMock.mockReset();
-    isDiscordExecApprovalClientEnabledMock.mockReset();
-    listEnabledTelegramAccountsMock.mockReset();
-    isTelegramExecApprovalClientEnabledMock.mockReset();
+    getChannelPluginMock.mockReset();
+    listChannelPluginsMock.mockReset();
     normalizeMessageChannelMock.mockReset();
     normalizeMessageChannelMock.mockImplementation((value?: string | null) =>
       typeof value === "string" ? value.trim().toLowerCase() : undefined,
@@ -71,8 +78,21 @@ describe("resolveExecApprovalInitiatingSurfaceState", () => {
   });
 
   it("uses the provided cfg for telegram and discord client enablement", () => {
-    isTelegramExecApprovalClientEnabledMock.mockReturnValueOnce(true);
-    isDiscordExecApprovalClientEnabledMock.mockReturnValueOnce(false);
+    getChannelPluginMock.mockImplementation((channel: string) =>
+      channel === "telegram"
+        ? {
+            execApprovals: {
+              getInitiatingSurfaceState: () => ({ kind: "enabled" }),
+            },
+          }
+        : channel === "discord"
+          ? {
+              execApprovals: {
+                getInitiatingSurfaceState: () => ({ kind: "disabled" }),
+              },
+            }
+          : undefined,
+    );
     const cfg = { channels: {} };
 
     expect(
@@ -103,7 +123,15 @@ describe("resolveExecApprovalInitiatingSurfaceState", () => {
 
   it("loads config lazily when cfg is omitted and marks unsupported channels", () => {
     loadConfigMock.mockReturnValueOnce({ loaded: true });
-    isTelegramExecApprovalClientEnabledMock.mockReturnValueOnce(false);
+    getChannelPluginMock.mockImplementation((channel: string) =>
+      channel === "telegram"
+        ? {
+            execApprovals: {
+              getInitiatingSurfaceState: () => ({ kind: "disabled" }),
+            },
+          }
+        : undefined,
+    );
 
     expect(
       resolveExecApprovalInitiatingSurfaceState({
@@ -127,30 +155,19 @@ describe("resolveExecApprovalInitiatingSurfaceState", () => {
 
 describe("hasConfiguredExecApprovalDmRoute", () => {
   beforeEach(() => {
-    listEnabledDiscordAccountsMock.mockReset();
-    listEnabledTelegramAccountsMock.mockReset();
+    listChannelPluginsMock.mockReset();
   });
 
   it("returns true when any enabled account routes approvals to DM or both", () => {
-    listEnabledDiscordAccountsMock.mockReturnValueOnce([
+    listChannelPluginsMock.mockReturnValueOnce([
       {
-        config: {
-          execApprovals: {
-            enabled: true,
-            approvers: ["a"],
-            target: "channel",
-          },
+        execApprovals: {
+          hasConfiguredDmRoute: () => false,
         },
       },
-    ]);
-    listEnabledTelegramAccountsMock.mockReturnValueOnce([
       {
-        config: {
-          execApprovals: {
-            enabled: true,
-            approvers: ["a"],
-            target: "both",
-          },
+        execApprovals: {
+          hasConfiguredDmRoute: () => true,
         },
       },
     ]);
@@ -158,37 +175,21 @@ describe("hasConfiguredExecApprovalDmRoute", () => {
     expect(hasConfiguredExecApprovalDmRoute({} as never)).toBe(true);
   });
 
-  it("returns false when exec approvals are disabled or have no DM route", () => {
-    listEnabledDiscordAccountsMock.mockReturnValueOnce([
+  it("returns false when no plugin reports a DM route", () => {
+    listChannelPluginsMock.mockReturnValueOnce([
       {
-        config: {
-          execApprovals: {
-            enabled: false,
-            approvers: ["a"],
-            target: "dm",
-          },
-        },
-      },
-    ]);
-    listEnabledTelegramAccountsMock.mockReturnValueOnce([
-      {
-        config: {
-          execApprovals: {
-            enabled: true,
-            approvers: [],
-            target: "dm",
-          },
+        execApprovals: {
+          hasConfiguredDmRoute: () => false,
         },
       },
       {
-        config: {
-          execApprovals: {
-            enabled: true,
-            approvers: ["a"],
-            target: "channel",
-          },
+        execApprovals: {
+          hasConfiguredDmRoute: () => false,
         },
       },
+      {
+        execApprovals: undefined,
+      },
     ]);
 
     expect(hasConfiguredExecApprovalDmRoute({} as never)).toBe(false);
diff --git a/src/infra/exec-approval-surface.ts b/src/infra/exec-approval-surface.ts
index 8cf43c79a3e..2147baffe02 100644
--- a/src/infra/exec-approval-surface.ts
+++ b/src/infra/exec-approval-surface.ts
@@ -1,7 +1,4 @@
-import { listEnabledDiscordAccounts } from "../../extensions/discord/src/accounts.js";
-import { isDiscordExecApprovalClientEnabled } from "../../extensions/discord/src/exec-approvals.js";
-import { listEnabledTelegramAccounts } from "../../extensions/telegram/src/accounts.js";
-import { isTelegramExecApprovalClientEnabled } from "../../extensions/telegram/src/exec-approvals.js";
+import { getChannelPlugin, listChannelPlugins } from "../channels/plugins/index.js";
 import { loadConfig, type OpenClawConfig } from "../config/config.js";
 import { INTERNAL_MESSAGE_CHANNEL, normalizeMessageChannel } from "../utils/message-channel.js";
 
@@ -37,46 +34,18 @@ export function resolveExecApprovalInitiatingSurfaceState(params: {
   }
 
   const cfg = params.cfg ?? loadConfig();
-  if (channel === "telegram") {
-    return isTelegramExecApprovalClientEnabled({ cfg, accountId: params.accountId })
-      ? { kind: "enabled", channel, channelLabel }
-      : { kind: "disabled", channel, channelLabel };
-  }
-  if (channel === "discord") {
-    return isDiscordExecApprovalClientEnabled({ cfg, accountId: params.accountId })
-      ? { kind: "enabled", channel, channelLabel }
-      : { kind: "disabled", channel, channelLabel };
+  const state = getChannelPlugin(channel)?.execApprovals?.getInitiatingSurfaceState?.({
+    cfg,
+    accountId: params.accountId,
+  });
+  if (state) {
+    return { ...state, channel, channelLabel };
   }
   return { kind: "unsupported", channel, channelLabel };
 }
 
-function hasExecApprovalDmRoute(
-  accounts: Array<{
-    config: {
-      execApprovals?: {
-        enabled?: boolean;
-        approvers?: unknown[];
-        target?: string;
-      };
-    };
-  }>,
-): boolean {
-  for (const account of accounts) {
-    const execApprovals = account.config.execApprovals;
-    if (!execApprovals?.enabled || (execApprovals.approvers?.length ?? 0) === 0) {
-      continue;
-    }
-    const target = execApprovals.target ?? "dm";
-    if (target === "dm" || target === "both") {
-      return true;
-    }
-  }
-  return false;
-}
-
 export function hasConfiguredExecApprovalDmRoute(cfg: OpenClawConfig): boolean {
-  return (
-    hasExecApprovalDmRoute(listEnabledDiscordAccounts(cfg)) ||
-    hasExecApprovalDmRoute(listEnabledTelegramAccounts(cfg))
+  return listChannelPlugins().some(
+    (plugin) => plugin.execApprovals?.hasConfiguredDmRoute?.({ cfg }) ?? false,
   );
 }
diff --git a/src/infra/outbound/channel-adapters.ts b/src/infra/outbound/channel-adapters.ts
index da62e2932bb..0c752854e8d 100644
--- a/src/infra/outbound/channel-adapters.ts
+++ b/src/infra/outbound/channel-adapters.ts
@@ -1,5 +1,5 @@
-import { Separator, TextDisplay, type TopLevelComponents } from "@buape/carbon";
-import { DiscordUiContainer } from "../../../extensions/discord/src/ui.js";
+import type { TopLevelComponents } from "@buape/carbon";
+import { getChannelPlugin } from "../../channels/plugins/index.js";
 import type { ChannelId } from "../../channels/plugins/types.js";
 import type { OpenClawConfig } from "../../config/config.js";
 
@@ -17,40 +17,17 @@ export type ChannelMessageAdapter = {
   buildCrossContextComponents?: CrossContextComponentsFactory;
 };
 
-type CrossContextContainerParams = {
-  originLabel: string;
-  message: string;
-  cfg: OpenClawConfig;
-  accountId?: string | null;
-};
-
-class CrossContextContainer extends DiscordUiContainer {
-  constructor({ originLabel, message, cfg, accountId }: CrossContextContainerParams) {
-    const trimmed = message.trim();
-    const components = [] as Array<TextDisplay | Separator>;
-    if (trimmed) {
-      components.push(new TextDisplay(message));
-      components.push(new Separator({ divider: true, spacing: "small" }));
-    }
-    components.push(new TextDisplay(`*From ${originLabel}*`));
-    super({ cfg, accountId, components });
-  }
-}
-
 const DEFAULT_ADAPTER: ChannelMessageAdapter = {
   supportsComponentsV2: false,
 };
 
-const DISCORD_ADAPTER: ChannelMessageAdapter = {
-  supportsComponentsV2: true,
-  buildCrossContextComponents: ({ originLabel, message, cfg, accountId }) => [
-    new CrossContextContainer({ originLabel, message, cfg, accountId }),
-  ],
-};
-
 export function getChannelMessageAdapter(channel: ChannelId): ChannelMessageAdapter {
-  if (channel === "discord") {
-    return DISCORD_ADAPTER;
+  const adapter = getChannelPlugin(channel)?.messaging?.buildCrossContextComponents;
+  if (adapter) {
+    return {
+      supportsComponentsV2: true,
+      buildCrossContextComponents: adapter,
+    };
   }
   return DEFAULT_ADAPTER;
 }
diff --git a/src/infra/outbound/message-action-params.test.ts b/src/infra/outbound/message-action-params.test.ts
index f72bd2d26aa..3442711eab4 100644
--- a/src/infra/outbound/message-action-params.test.ts
+++ b/src/infra/outbound/message-action-params.test.ts
@@ -2,6 +2,8 @@ import fs from "node:fs/promises";
 import os from "node:os";
 import path from "node:path";
 import { describe, expect, it } from "vitest";
+import { slackPlugin } from "../../../extensions/slack/src/channel.js";
+import { telegramPlugin } from "../../../extensions/telegram/src/channel.js";
 import type { ChannelThreadingToolContext } from "../../channels/plugins/types.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import {
@@ -9,8 +11,6 @@ import {
   normalizeSandboxMediaList,
   normalizeSandboxMediaParams,
   resolveAttachmentMediaPolicy,
-  resolveSlackAutoThreadId,
-  resolveTelegramAutoThreadId,
 } from "./message-action-params.js";
 
 const cfg = {} as OpenClawConfig;
@@ -30,19 +30,25 @@ function createToolContext(
 describe("message action threading helpers", () => {
   it("resolves Slack auto-thread ids only for matching active channels", () => {
     expect(
-      resolveSlackAutoThreadId({
+      slackPlugin?.threading?.resolveAutoThreadId?.({
+        cfg,
+        accountId: undefined,
         to: "#c123",
         toolContext: createToolContext(),
       }),
     ).toBe("thread-1");
     expect(
-      resolveSlackAutoThreadId({
+      slackPlugin?.threading?.resolveAutoThreadId?.({
+        cfg,
+        accountId: undefined,
         to: "channel:C999",
         toolContext: createToolContext(),
       }),
     ).toBeUndefined();
     expect(
-      resolveSlackAutoThreadId({
+      slackPlugin?.threading?.resolveAutoThreadId?.({
+        cfg,
+        accountId: undefined,
         to: "user:U123",
         toolContext: createToolContext(),
       }),
@@ -51,7 +57,9 @@ describe("message action threading helpers", () => {
 
   it("skips Slack auto-thread ids when reply mode or context blocks them", () => {
     expect(
-      resolveSlackAutoThreadId({
+      slackPlugin?.threading?.resolveAutoThreadId?.({
+        cfg,
+        accountId: undefined,
         to: "C123",
         toolContext: createToolContext({
           replyToMode: "first",
@@ -60,13 +68,17 @@ describe("message action threading helpers", () => {
       }),
     ).toBeUndefined();
     expect(
-      resolveSlackAutoThreadId({
+      slackPlugin?.threading?.resolveAutoThreadId?.({
+        cfg,
+        accountId: undefined,
         to: "C123",
         toolContext: createToolContext({ replyToMode: "off" }),
       }),
     ).toBeUndefined();
     expect(
-      resolveSlackAutoThreadId({
+      slackPlugin?.threading?.resolveAutoThreadId?.({
+        cfg,
+        accountId: undefined,
         to: "C123",
         toolContext: createToolContext({ currentThreadTs: undefined }),
       }),
@@ -75,7 +87,9 @@ describe("message action threading helpers", () => {
 
   it("resolves Telegram auto-thread ids for matching chats across target formats", () => {
     expect(
-      resolveTelegramAutoThreadId({
+      telegramPlugin?.threading?.resolveAutoThreadId?.({
+        cfg,
+        accountId: undefined,
         to: "telegram:group:-100123:topic:77",
         toolContext: createToolContext({
           currentChannelId: "tg:group:-100123",
@@ -83,7 +97,9 @@ describe("message action threading helpers", () => {
       }),
     ).toBe("thread-1");
     expect(
-      resolveTelegramAutoThreadId({
+      telegramPlugin?.threading?.resolveAutoThreadId?.({
+        cfg,
+        accountId: undefined,
         to: "-100999:77",
         toolContext: createToolContext({
           currentChannelId: "-100123",
@@ -91,7 +107,9 @@ describe("message action threading helpers", () => {
       }),
     ).toBeUndefined();
     expect(
-      resolveTelegramAutoThreadId({
+      telegramPlugin?.threading?.resolveAutoThreadId?.({
+        cfg,
+        accountId: undefined,
         to: "-100123",
         toolContext: createToolContext({ currentChannelId: undefined }),
       }),
diff --git a/src/infra/outbound/message-action-params.ts b/src/infra/outbound/message-action-params.ts
index 9f23419f7dc..30991639129 100644
--- a/src/infra/outbound/message-action-params.ts
+++ b/src/infra/outbound/message-action-params.ts
@@ -1,15 +1,9 @@
 import path from "node:path";
 import { fileURLToPath } from "node:url";
-import { parseSlackTarget } from "../../../extensions/slack/src/targets.js";
-import { parseTelegramTarget } from "../../../extensions/telegram/src/targets.js";
 import { loadWebMedia } from "../../../extensions/whatsapp/src/media.js";
 import { assertMediaNotDataUrl, resolveSandboxedMediaSource } from "../../agents/sandbox-paths.js";
 import { readStringParam } from "../../agents/tools/common.js";
-import type {
-  ChannelId,
-  ChannelMessageActionName,
-  ChannelThreadingToolContext,
-} from "../../channels/plugins/types.js";
+import type { ChannelId, ChannelMessageActionName } from "../../channels/plugins/types.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import { createRootScopedReadFile } from "../../infra/fs-safe.js";
 import { extensionForMime } from "../../media/mime.js";
@@ -17,60 +11,6 @@ import { readBooleanParam as readBooleanParamShared } from "../../plugin-sdk/boo
 
 export const readBooleanParam = readBooleanParamShared;
 
-export function resolveSlackAutoThreadId(params: {
-  to: string;
-  toolContext?: ChannelThreadingToolContext;
-}): string | undefined {
-  const context = params.toolContext;
-  if (!context?.currentThreadTs || !context.currentChannelId) {
-    return undefined;
-  }
-  // Only mirror auto-threading when Slack would reply in the active thread for this channel.
-  if (context.replyToMode !== "all" && context.replyToMode !== "first") {
-    return undefined;
-  }
-  const parsedTarget = parseSlackTarget(params.to, { defaultKind: "channel" });
-  if (!parsedTarget || parsedTarget.kind !== "channel") {
-    return undefined;
-  }
-  if (parsedTarget.id.toLowerCase() !== context.currentChannelId.toLowerCase()) {
-    return undefined;
-  }
-  if (context.replyToMode === "first" && context.hasRepliedRef?.value) {
-    return undefined;
-  }
-  return context.currentThreadTs;
-}
-
-/**
- * Auto-inject Telegram forum topic thread ID when the message tool targets
- * the same chat the session originated from.  Mirrors the Slack auto-threading
- * pattern so media, buttons, and other tool-sent messages land in the correct
- * topic instead of the General Topic.
- *
- * Unlike Slack, we do not gate on `replyToMode` here: Telegram forum topics
- * are persistent sub-channels (not ephemeral reply threads), so auto-injection
- * should always apply when the target chat matches.
- */
-export function resolveTelegramAutoThreadId(params: {
-  to: string;
-  toolContext?: ChannelThreadingToolContext;
-}): string | undefined {
-  const context = params.toolContext;
-  if (!context?.currentThreadTs || !context.currentChannelId) {
-    return undefined;
-  }
-  // Use parseTelegramTarget to extract canonical chatId from both sides,
-  // mirroring how Slack uses parseSlackTarget. This handles format variations
-  // like `telegram:group:123:topic:456` vs `telegram:123`.
-  const parsedTo = parseTelegramTarget(params.to);
-  const parsedChannel = parseTelegramTarget(context.currentChannelId);
-  if (parsedTo.chatId.toLowerCase() !== parsedChannel.chatId.toLowerCase()) {
-    return undefined;
-  }
-  return context.currentThreadTs;
-}
-
 function resolveAttachmentMaxBytes(params: {
   cfg: OpenClawConfig;
   channel: ChannelId;
diff --git a/src/infra/outbound/message-action-runner.ts b/src/infra/outbound/message-action-runner.ts
index a867d912aca..aa53f7398f4 100644
--- a/src/infra/outbound/message-action-runner.ts
+++ b/src/infra/outbound/message-action-runner.ts
@@ -6,6 +6,7 @@ import {
   readStringParam,
 } from "../../agents/tools/common.js";
 import { parseReplyDirectives } from "../../auto-reply/reply/reply-directives.js";
+import { getChannelPlugin } from "../../channels/plugins/index.js";
 import { dispatchChannelMessageAction } from "../../channels/plugins/message-actions.js";
 import type {
   ChannelId,
@@ -37,8 +38,6 @@ import {
   parseInteractiveParam,
   readBooleanParam,
   resolveAttachmentMediaPolicy,
-  resolveSlackAutoThreadId,
-  resolveTelegramAutoThreadId,
 } from "./message-action-params.js";
 import type { MessagePollResult, MessageSendResult } from "./message.js";
 import {
@@ -65,22 +64,23 @@ export type MessageActionRunnerGateway = {
 function resolveAndApplyOutboundThreadId(
   params: Record<string, unknown>,
   ctx: {
+    cfg: OpenClawConfig;
     channel: ChannelId;
     to: string;
+    accountId?: string | null;
     toolContext?: ChannelThreadingToolContext;
-    allowSlackAutoThread: boolean;
   },
 ): string | undefined {
   const threadId = readStringParam(params, "threadId");
-  const slackAutoThreadId =
-    ctx.allowSlackAutoThread && ctx.channel === "slack" && !threadId
-      ? resolveSlackAutoThreadId({ to: ctx.to, toolContext: ctx.toolContext })
-      : undefined;
-  const telegramAutoThreadId =
-    ctx.channel === "telegram" && !threadId
-      ? resolveTelegramAutoThreadId({ to: ctx.to, toolContext: ctx.toolContext })
-      : undefined;
-  const resolved = threadId ?? slackAutoThreadId ?? telegramAutoThreadId;
+  const resolved =
+    threadId ??
+    getChannelPlugin(ctx.channel)?.threading?.resolveAutoThreadId?.({
+      cfg: ctx.cfg,
+      accountId: ctx.accountId,
+      to: ctx.to,
+      toolContext: ctx.toolContext,
+      replyToId: readStringParam(params, "replyTo"),
+    });
   // Write auto-resolved threadId back into params so downstream dispatch
   // (plugin `readStringParam(params, "threadId")`) picks it up.
   if (resolved && !params.threadId) {
@@ -501,10 +501,11 @@ async function handleSendAction(ctx: ResolvedActionContext): Promise<MessageActi
 
   const replyToId = readStringParam(params, "replyTo");
   const resolvedThreadId = resolveAndApplyOutboundThreadId(params, {
+    cfg,
     channel,
     to,
+    accountId,
     toolContext: input.toolContext,
-    allowSlackAutoThread: channel === "slack" && !replyToId,
   });
   const outboundRoute =
     agentId && !dryRun
@@ -619,10 +620,11 @@ async function handlePollAction(ctx: ResolvedActionContext): Promise<MessageActi
   }
 
   const resolvedThreadId = resolveAndApplyOutboundThreadId(params, {
+    cfg,
     channel,
     to,
+    accountId,
     toolContext: input.toolContext,
-    allowSlackAutoThread: channel === "slack",
   });
 
   const base = typeof params.message === "string" ? params.message : "";
diff --git a/src/infra/outbound/outbound-session.ts b/src/infra/outbound/outbound-session.ts
index 9316f1ba5fc..4298d6226ce 100644
--- a/src/infra/outbound/outbound-session.ts
+++ b/src/infra/outbound/outbound-session.ts
@@ -970,6 +970,20 @@ export async function resolveOutboundSessionRoute(
     return null;
   }
   const nextParams = { ...params, target };
+  const pluginRoute = await getChannelPlugin(
+    params.channel,
+  )?.messaging?.resolveOutboundSessionRoute?.({
+    cfg: nextParams.cfg,
+    agentId: nextParams.agentId,
+    accountId: nextParams.accountId,
+    target,
+    resolvedTarget: nextParams.resolvedTarget,
+    replyToId: nextParams.replyToId,
+    threadId: nextParams.threadId,
+  });
+  if (pluginRoute) {
+    return pluginRoute;
+  }
   const resolver = OUTBOUND_SESSION_RESOLVERS[params.channel];
   if (!resolver) {
     return resolveFallbackSession(nextParams);

From 0b58a1cc1304f00009edba73e599362f7cb593cb Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Sun, 15 Mar 2026 22:41:30 -0700
Subject: [PATCH 011/133] fix: stabilize windows parallels smoke harness

---
 scripts/e2e/parallels-windows-smoke.sh | 29 ++++++++++++--------------
 1 file changed, 13 insertions(+), 16 deletions(-)

diff --git a/scripts/e2e/parallels-windows-smoke.sh b/scripts/e2e/parallels-windows-smoke.sh
index cd144511f49..e7016d22062 100644
--- a/scripts/e2e/parallels-windows-smoke.sh
+++ b/scripts/e2e/parallels-windows-smoke.sh
@@ -371,9 +371,10 @@ phase_run() {
   local timeout_s="$2"
   shift 2
 
-  local log_path pid rc timed_out
+  local log_path pid start rc timed_out
   log_path="$(phase_log_path "$phase_id")"
   say "$phase_id"
+  start=$SECONDS
   timed_out=0
 
   (
@@ -381,26 +382,22 @@ phase_run() {
   ) >"$log_path" 2>&1 &
   pid=$!
 
-  (
-    sleep "$timeout_s"
-    kill "$pid" >/dev/null 2>&1 || true
-    sleep 2
-    kill -9 "$pid" >/dev/null 2>&1 || true
-  ) &
-  local killer_pid=$!
+  while kill -0 "$pid" >/dev/null 2>&1; do
+    if (( SECONDS - start >= timeout_s )); then
+      timed_out=1
+      kill "$pid" >/dev/null 2>&1 || true
+      sleep 2
+      kill -9 "$pid" >/dev/null 2>&1 || true
+      break
+    fi
+    sleep 1
+  done
 
   set +e
   wait "$pid"
   rc=$?
   set -e
 
-  if kill -0 "$killer_pid" >/dev/null 2>&1; then
-    kill "$killer_pid" >/dev/null 2>&1 || true
-    wait "$killer_pid" >/dev/null 2>&1 || true
-  else
-    timed_out=1
-  fi
-
   if (( timed_out )); then
     warn "$phase_id timed out after ${timeout_s}s"
     printf 'timeout after %ss\n' "$timeout_s" >>"$log_path"
@@ -770,7 +767,7 @@ show_gateway_status_compat() {
 }
 
 verify_turn() {
-  guest_run_openclaw "" "" agent --agent main --message ping --json
+  guest_run_openclaw "" "" agent --agent main --message "Reply with exact ASCII text OK only." --json
 }
 
 capture_latest_ref_failure() {

From 55cbfb6e6ad17dcc3c512e3c6170f00a83451eb5 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Sun, 15 Mar 2026 22:42:58 -0700
Subject: [PATCH 012/133] refactor(plugins): move provider onboarding auth into
 plugins

---
 extensions/anthropic/index.ts                 |  37 ++++-
 extensions/google/index.ts                    |  28 +++-
 extensions/minimax/index.ts                   |  70 +++++++-
 extensions/openai/openai-provider.ts          |  28 +++-
 .../auth-choice.apply.plugin-provider.ts      |   4 +
 src/commands/onboard-auth.credentials.ts      |   2 +-
 .../local/auth-choice.test.ts                 |   8 +-
 .../local/auth-choice.ts                      |  36 ++---
 src/plugins/provider-api-key-auth.ts          | 152 ++++++++++++++++++
 src/plugins/provider-wizard.test.ts           |  40 +++++
 src/plugins/provider-wizard.ts                |  32 ++++
 src/plugins/types.ts                          |  17 ++
 12 files changed, 420 insertions(+), 34 deletions(-)
 create mode 100644 src/plugins/provider-api-key-auth.ts

diff --git a/extensions/anthropic/index.ts b/extensions/anthropic/index.ts
index ba2a1a55cb5..13758e7de46 100644
--- a/extensions/anthropic/index.ts
+++ b/extensions/anthropic/index.ts
@@ -19,10 +19,12 @@ import {
 import { buildTokenProfileId, validateAnthropicSetupToken } from "../../src/commands/auth-token.js";
 import { applyAuthProfileConfig } from "../../src/commands/onboard-auth.js";
 import { fetchClaudeUsage } from "../../src/infra/provider-usage.fetch.js";
+import { createProviderApiKeyAuthMethod } from "../../src/plugins/provider-api-key-auth.js";
 import type { ProviderAuthResult } from "../../src/plugins/types.js";
 import { normalizeSecretInput } from "../../src/utils/normalize-secret-input.js";
 
 const PROVIDER_ID = "anthropic";
+const DEFAULT_ANTHROPIC_MODEL = "anthropic/claude-sonnet-4-6";
 const ANTHROPIC_OPUS_46_MODEL_ID = "claude-opus-4-6";
 const ANTHROPIC_OPUS_46_DOT_MODEL_ID = "claude-opus-4.6";
 const ANTHROPIC_OPUS_TEMPLATE_MODEL_IDS = ["claude-opus-4-5", "claude-opus-4.5"] as const;
@@ -313,6 +315,14 @@ const anthropicPlugin = {
           label: "setup-token (claude)",
           hint: "Paste a setup-token from `claude setup-token`",
           kind: "token",
+          wizard: {
+            choiceId: "token",
+            choiceLabel: "Anthropic token (paste setup-token)",
+            choiceHint: "Run `claude setup-token` elsewhere, then paste the token here",
+            groupId: "anthropic",
+            groupLabel: "Anthropic",
+            groupHint: "setup-token + API key",
+          },
           run: async (ctx: ProviderAuthContext) => await runAnthropicSetupToken(ctx),
           runNonInteractive: async (ctx) =>
             await runAnthropicSetupTokenNonInteractive({
@@ -322,15 +332,26 @@ const anthropicPlugin = {
               agentDir: ctx.agentDir,
             }),
         },
+        createProviderApiKeyAuthMethod({
+          providerId: PROVIDER_ID,
+          methodId: "api-key",
+          label: "Anthropic API key",
+          hint: "Direct Anthropic API key",
+          optionKey: "anthropicApiKey",
+          flagName: "--anthropic-api-key",
+          envVar: "ANTHROPIC_API_KEY",
+          promptMessage: "Enter Anthropic API key",
+          defaultModel: DEFAULT_ANTHROPIC_MODEL,
+          expectedProviders: ["anthropic"],
+          wizard: {
+            choiceId: "apiKey",
+            choiceLabel: "Anthropic API key",
+            groupId: "anthropic",
+            groupLabel: "Anthropic",
+            groupHint: "setup-token + API key",
+          },
+        }),
       ],
-      wizard: {
-        setup: {
-          choiceId: "token",
-          choiceLabel: "Anthropic token (paste setup-token)",
-          choiceHint: "Run `claude setup-token` elsewhere, then paste the token here",
-          methodId: "setup-token",
-        },
-      },
       resolveDynamicModel: (ctx) => resolveAnthropicForwardCompatModel(ctx),
       capabilities: {
         providerFamily: "anthropic",
diff --git a/extensions/google/index.ts b/extensions/google/index.ts
index 0afa07e2ce0..59d417e9349 100644
--- a/extensions/google/index.ts
+++ b/extensions/google/index.ts
@@ -3,7 +3,12 @@ import {
   getScopedCredentialValue,
   setScopedCredentialValue,
 } from "../../src/agents/tools/web-search-plugin-factory.js";
+import {
+  GOOGLE_GEMINI_DEFAULT_MODEL,
+  applyGoogleGeminiModelDefault,
+} from "../../src/commands/google-gemini-model-default.js";
 import { emptyPluginConfigSchema } from "../../src/plugins/config-schema.js";
+import { createProviderApiKeyAuthMethod } from "../../src/plugins/provider-api-key-auth.js";
 import type { OpenClawPluginApi } from "../../src/plugins/types.js";
 import { registerGoogleGeminiCliProvider } from "./gemini-cli-provider.js";
 import { isModernGoogleModel, resolveGoogle31ForwardCompatModel } from "./provider-models.js";
@@ -19,7 +24,28 @@ const googlePlugin = {
       label: "Google AI Studio",
       docsPath: "/providers/models",
       envVars: ["GEMINI_API_KEY", "GOOGLE_API_KEY"],
-      auth: [],
+      auth: [
+        createProviderApiKeyAuthMethod({
+          providerId: "google",
+          methodId: "api-key",
+          label: "Google Gemini API key",
+          hint: "AI Studio / Gemini API key",
+          optionKey: "geminiApiKey",
+          flagName: "--gemini-api-key",
+          envVar: "GEMINI_API_KEY",
+          promptMessage: "Enter Gemini API key",
+          defaultModel: GOOGLE_GEMINI_DEFAULT_MODEL,
+          expectedProviders: ["google"],
+          applyConfig: (cfg) => applyGoogleGeminiModelDefault(cfg).next,
+          wizard: {
+            choiceId: "gemini-api-key",
+            choiceLabel: "Google Gemini API key",
+            groupId: "google",
+            groupLabel: "Google",
+            groupHint: "Gemini API key + OAuth",
+          },
+        }),
+      ],
       resolveDynamicModel: (ctx) =>
         resolveGoogle31ForwardCompatModel({ providerId: "google", ctx }),
       isModernModelRef: ({ modelId }) => isModernGoogleModel(modelId),
diff --git a/extensions/minimax/index.ts b/extensions/minimax/index.ts
index 0231fd86236..6906bb0438d 100644
--- a/extensions/minimax/index.ts
+++ b/extensions/minimax/index.ts
@@ -12,7 +12,12 @@ import {
   buildMinimaxPortalProvider,
   buildMinimaxProvider,
 } from "../../src/agents/models-config.providers.static.js";
+import {
+  applyMinimaxApiConfig,
+  applyMinimaxApiConfigCn,
+} from "../../src/commands/onboard-auth.config-minimax.js";
 import { fetchMinimaxUsage } from "../../src/infra/provider-usage.fetch.js";
+import { createProviderApiKeyAuthMethod } from "../../src/plugins/provider-api-key-auth.js";
 import { loginMiniMaxPortalOAuth, type MiniMaxRegion } from "./oauth.js";
 
 const API_PROVIDER_ID = "minimax";
@@ -160,7 +165,54 @@ const minimaxPlugin = {
       label: PROVIDER_LABEL,
       docsPath: "/providers/minimax",
       envVars: ["MINIMAX_API_KEY"],
-      auth: [],
+      auth: [
+        createProviderApiKeyAuthMethod({
+          providerId: API_PROVIDER_ID,
+          methodId: "api-global",
+          label: "MiniMax API key (Global)",
+          hint: "Global endpoint - api.minimax.io",
+          optionKey: "minimaxApiKey",
+          flagName: "--minimax-api-key",
+          envVar: "MINIMAX_API_KEY",
+          promptMessage:
+            "Enter MiniMax API key (sk-api- or sk-cp-)\nhttps://platform.minimax.io/user-center/basic-information/interface-key",
+          profileId: "minimax:global",
+          defaultModel: modelRef(DEFAULT_MODEL),
+          expectedProviders: ["minimax"],
+          applyConfig: (cfg) => applyMinimaxApiConfig(cfg),
+          wizard: {
+            choiceId: "minimax-global-api",
+            choiceLabel: "MiniMax API key (Global)",
+            choiceHint: "Global endpoint - api.minimax.io",
+            groupId: "minimax",
+            groupLabel: "MiniMax",
+            groupHint: "M2.5 (recommended)",
+          },
+        }),
+        createProviderApiKeyAuthMethod({
+          providerId: API_PROVIDER_ID,
+          methodId: "api-cn",
+          label: "MiniMax API key (CN)",
+          hint: "CN endpoint - api.minimaxi.com",
+          optionKey: "minimaxApiKey",
+          flagName: "--minimax-api-key",
+          envVar: "MINIMAX_API_KEY",
+          promptMessage:
+            "Enter MiniMax CN API key (sk-api- or sk-cp-)\nhttps://platform.minimaxi.com/user-center/basic-information/interface-key",
+          profileId: "minimax:cn",
+          defaultModel: modelRef(DEFAULT_MODEL),
+          expectedProviders: ["minimax", "minimax-cn"],
+          applyConfig: (cfg) => applyMinimaxApiConfigCn(cfg),
+          wizard: {
+            choiceId: "minimax-cn-api",
+            choiceLabel: "MiniMax API key (CN)",
+            choiceHint: "CN endpoint - api.minimaxi.com",
+            groupId: "minimax",
+            groupLabel: "MiniMax",
+            groupHint: "M2.5 (recommended)",
+          },
+        }),
+      ],
       catalog: {
         order: "simple",
         run: async (ctx) => resolveApiCatalog(ctx),
@@ -190,6 +242,14 @@ const minimaxPlugin = {
           label: "MiniMax OAuth (Global)",
           hint: "Global endpoint - api.minimax.io",
           kind: "device_code",
+          wizard: {
+            choiceId: "minimax-global-oauth",
+            choiceLabel: "MiniMax OAuth (Global)",
+            choiceHint: "Global endpoint - api.minimax.io",
+            groupId: "minimax",
+            groupLabel: "MiniMax",
+            groupHint: "M2.5 (recommended)",
+          },
           run: createOAuthHandler("global"),
         },
         {
@@ -197,6 +257,14 @@ const minimaxPlugin = {
           label: "MiniMax OAuth (CN)",
           hint: "CN endpoint - api.minimaxi.com",
           kind: "device_code",
+          wizard: {
+            choiceId: "minimax-cn-oauth",
+            choiceLabel: "MiniMax OAuth (CN)",
+            choiceHint: "CN endpoint - api.minimaxi.com",
+            groupId: "minimax",
+            groupLabel: "MiniMax",
+            groupHint: "M2.5 (recommended)",
+          },
           run: createOAuthHandler("cn"),
         },
       ],
diff --git a/extensions/openai/openai-provider.ts b/extensions/openai/openai-provider.ts
index be406f26bbb..9155fb3cd30 100644
--- a/extensions/openai/openai-provider.ts
+++ b/extensions/openai/openai-provider.ts
@@ -4,6 +4,11 @@ import {
 } from "openclaw/plugin-sdk/core";
 import { normalizeModelCompat } from "../../src/agents/model-compat.js";
 import { normalizeProviderId } from "../../src/agents/model-selection.js";
+import {
+  applyOpenAIConfig,
+  OPENAI_DEFAULT_MODEL,
+} from "../../src/commands/openai-model-default.js";
+import { createProviderApiKeyAuthMethod } from "../../src/plugins/provider-api-key-auth.js";
 import type { ProviderPlugin } from "../../src/plugins/types.js";
 import {
   cloneFirstTemplateModel,
@@ -89,7 +94,28 @@ export function buildOpenAIProvider(): ProviderPlugin {
     label: "OpenAI",
     docsPath: "/providers/models",
     envVars: ["OPENAI_API_KEY"],
-    auth: [],
+    auth: [
+      createProviderApiKeyAuthMethod({
+        providerId: PROVIDER_ID,
+        methodId: "api-key",
+        label: "OpenAI API key",
+        hint: "Direct OpenAI API key",
+        optionKey: "openaiApiKey",
+        flagName: "--openai-api-key",
+        envVar: "OPENAI_API_KEY",
+        promptMessage: "Enter OpenAI API key",
+        defaultModel: OPENAI_DEFAULT_MODEL,
+        expectedProviders: ["openai"],
+        applyConfig: (cfg) => applyOpenAIConfig(cfg),
+        wizard: {
+          choiceId: "openai-api-key",
+          choiceLabel: "OpenAI API key",
+          groupId: "openai",
+          groupLabel: "OpenAI",
+          groupHint: "Codex OAuth + API key",
+        },
+      }),
+    ],
     resolveDynamicModel: (ctx) => resolveOpenAIGpt54ForwardCompatModel(ctx),
     normalizeResolvedModel: (ctx) => {
       if (normalizeProviderId(ctx.provider) !== PROVIDER_ID) {
diff --git a/src/commands/auth-choice.apply.plugin-provider.ts b/src/commands/auth-choice.apply.plugin-provider.ts
index 139dd4500f4..5f4893b249c 100644
--- a/src/commands/auth-choice.apply.plugin-provider.ts
+++ b/src/commands/auth-choice.apply.plugin-provider.ts
@@ -44,6 +44,7 @@ export async function runProviderPluginAuthMethod(params: {
   emitNotes?: boolean;
   secretInputMode?: OnboardOptions["secretInputMode"];
   allowSecretRefPrompt?: boolean;
+  opts?: Partial<OnboardOptions>;
 }): Promise<{ config: ApplyAuthChoiceParams["config"]; defaultModel?: string }> {
   const agentId = params.agentId ?? resolveDefaultAgentId(params.config);
   const defaultAgentId = resolveDefaultAgentId(params.config);
@@ -64,6 +65,7 @@ export async function runProviderPluginAuthMethod(params: {
     workspaceDir,
     prompter: params.prompter,
     runtime: params.runtime,
+    opts: params.opts,
     secretInputMode: params.secretInputMode,
     allowSecretRefPrompt: params.allowSecretRefPrompt,
     isRemote,
@@ -134,6 +136,7 @@ export async function applyAuthChoiceLoadedPluginProvider(
     workspaceDir,
     secretInputMode: params.opts?.secretInputMode,
     allowSecretRefPrompt: true,
+    opts: params.opts,
   });
 
   let agentModelOverride: string | undefined;
@@ -213,6 +216,7 @@ export async function applyAuthChoicePluginProvider(
     workspaceDir,
     secretInputMode: params.opts?.secretInputMode,
     allowSecretRefPrompt: true,
+    opts: params.opts,
   });
   nextConfig = applied.config;
 
diff --git a/src/commands/onboard-auth.credentials.ts b/src/commands/onboard-auth.credentials.ts
index 014984cd6f3..2973667830b 100644
--- a/src/commands/onboard-auth.credentials.ts
+++ b/src/commands/onboard-auth.credentials.ts
@@ -74,7 +74,7 @@ function resolveApiKeySecretInput(
   return normalized;
 }
 
-function buildApiKeyCredential(
+export function buildApiKeyCredential(
   provider: string,
   input: SecretInput,
   metadata?: Record<string, string>,
diff --git a/src/commands/onboard-non-interactive/local/auth-choice.test.ts b/src/commands/onboard-non-interactive/local/auth-choice.test.ts
index 9fe7a34cda9..b3255e7b4bb 100644
--- a/src/commands/onboard-non-interactive/local/auth-choice.test.ts
+++ b/src/commands/onboard-non-interactive/local/auth-choice.test.ts
@@ -32,11 +32,11 @@ function createRuntime() {
 }
 
 describe("applyNonInteractiveAuthChoice", () => {
-  it("resolves builtin API key auth before plugin provider resolution", async () => {
+  it("resolves plugin provider auth before builtin API key fallbacks", async () => {
     const runtime = createRuntime();
     const nextConfig = { agents: { defaults: {} } } as OpenClawConfig;
     const resolvedConfig = { auth: { profiles: { "openai:default": { mode: "api_key" } } } };
-    applySimpleNonInteractiveApiKeyChoice.mockResolvedValueOnce(resolvedConfig as never);
+    applyNonInteractivePluginProviderChoice.mockResolvedValueOnce(resolvedConfig as never);
 
     const result = await applyNonInteractiveAuthChoice({
       nextConfig,
@@ -47,7 +47,7 @@ describe("applyNonInteractiveAuthChoice", () => {
     });
 
     expect(result).toBe(resolvedConfig);
-    expect(applySimpleNonInteractiveApiKeyChoice).toHaveBeenCalledOnce();
-    expect(applyNonInteractivePluginProviderChoice).not.toHaveBeenCalled();
+    expect(applyNonInteractivePluginProviderChoice).toHaveBeenCalledOnce();
+    expect(applySimpleNonInteractiveApiKeyChoice).not.toHaveBeenCalled();
   });
 });
diff --git a/src/commands/onboard-non-interactive/local/auth-choice.ts b/src/commands/onboard-non-interactive/local/auth-choice.ts
index 64a3379ad15..5c61e247c89 100644
--- a/src/commands/onboard-non-interactive/local/auth-choice.ts
+++ b/src/commands/onboard-non-interactive/local/auth-choice.ts
@@ -156,6 +156,24 @@ export async function applyNonInteractiveAuthChoice(params: {
     return null;
   }
 
+  const pluginProviderChoice = await applyNonInteractivePluginProviderChoice({
+    nextConfig,
+    authChoice,
+    opts,
+    runtime,
+    baseConfig,
+    resolveApiKey: (input) =>
+      resolveApiKey({
+        ...input,
+        cfg: baseConfig,
+        runtime,
+      }),
+    toApiKeyCredential,
+  });
+  if (pluginProviderChoice !== undefined) {
+    return pluginProviderChoice;
+  }
+
   const simpleApiKeyChoice = await applySimpleNonInteractiveApiKeyChoice({
     authChoice,
     nextConfig,
@@ -406,24 +424,6 @@ export async function applyNonInteractiveAuthChoice(params: {
     }
   }
 
-  const pluginProviderChoice = await applyNonInteractivePluginProviderChoice({
-    nextConfig,
-    authChoice,
-    opts,
-    runtime,
-    baseConfig,
-    resolveApiKey: (input) =>
-      resolveApiKey({
-        ...input,
-        cfg: baseConfig,
-        runtime,
-      }),
-    toApiKeyCredential,
-  });
-  if (pluginProviderChoice !== undefined) {
-    return pluginProviderChoice;
-  }
-
   if (
     authChoice === "oauth" ||
     authChoice === "chutes" ||
diff --git a/src/plugins/provider-api-key-auth.ts b/src/plugins/provider-api-key-auth.ts
new file mode 100644
index 00000000000..0ef8b356ea0
--- /dev/null
+++ b/src/plugins/provider-api-key-auth.ts
@@ -0,0 +1,152 @@
+import { upsertAuthProfile } from "../agents/auth-profiles.js";
+import { normalizeApiKeyInput, validateApiKeyInput } from "../commands/auth-choice.api-key.js";
+import { ensureApiKeyFromOptionEnvOrPrompt } from "../commands/auth-choice.apply-helpers.js";
+import { buildApiKeyCredential } from "../commands/onboard-auth.credentials.js";
+import { applyAuthProfileConfig } from "../commands/onboard-auth.js";
+import type { OpenClawConfig } from "../config/config.js";
+import type { SecretInput } from "../config/types.secrets.js";
+import { normalizeOptionalSecretInput } from "../utils/normalize-secret-input.js";
+import type {
+  ProviderAuthMethod,
+  ProviderAuthMethodNonInteractiveContext,
+  ProviderPluginWizardSetup,
+} from "./types.js";
+
+type ProviderApiKeyAuthMethodOptions = {
+  providerId: string;
+  methodId: string;
+  label: string;
+  hint?: string;
+  wizard?: ProviderPluginWizardSetup;
+  optionKey: string;
+  flagName: `--${string}`;
+  envVar: string;
+  promptMessage: string;
+  profileId?: string;
+  defaultModel?: string;
+  expectedProviders?: string[];
+  metadata?: Record<string, string>;
+  noteMessage?: string;
+  noteTitle?: string;
+  applyConfig?: (cfg: OpenClawConfig) => OpenClawConfig;
+};
+
+function resolveStringOption(opts: Record<string, unknown> | undefined, optionKey: string) {
+  return normalizeOptionalSecretInput(opts?.[optionKey]);
+}
+
+function resolveProfileId(params: { providerId: string; profileId?: string }) {
+  return params.profileId?.trim() || `${params.providerId}:default`;
+}
+
+function applyApiKeyConfig(params: {
+  ctx: ProviderAuthMethodNonInteractiveContext;
+  providerId: string;
+  profileId: string;
+  applyConfig?: (cfg: OpenClawConfig) => OpenClawConfig;
+}) {
+  const next = applyAuthProfileConfig(params.ctx.config, {
+    profileId: params.profileId,
+    provider: params.providerId,
+    mode: "api_key",
+  });
+  return params.applyConfig ? params.applyConfig(next) : next;
+}
+
+export function createProviderApiKeyAuthMethod(
+  params: ProviderApiKeyAuthMethodOptions,
+): ProviderAuthMethod {
+  return {
+    id: params.methodId,
+    label: params.label,
+    hint: params.hint,
+    kind: "api_key",
+    wizard: params.wizard,
+    run: async (ctx) => {
+      const opts = ctx.opts as Record<string, unknown> | undefined;
+      const flagValue = resolveStringOption(opts, params.optionKey);
+      let capturedSecretInput: SecretInput | undefined;
+      let capturedMode: "plaintext" | "ref" | undefined;
+
+      await ensureApiKeyFromOptionEnvOrPrompt({
+        token: flagValue ?? normalizeOptionalSecretInput(ctx.opts?.token),
+        tokenProvider: flagValue
+          ? params.providerId
+          : normalizeOptionalSecretInput(ctx.opts?.tokenProvider),
+        secretInputMode:
+          ctx.allowSecretRefPrompt === false
+            ? (ctx.secretInputMode ?? "plaintext")
+            : ctx.secretInputMode,
+        config: ctx.config,
+        expectedProviders: params.expectedProviders ?? [params.providerId],
+        provider: params.providerId,
+        envLabel: params.envVar,
+        promptMessage: params.promptMessage,
+        normalize: normalizeApiKeyInput,
+        validate: validateApiKeyInput,
+        prompter: ctx.prompter,
+        noteMessage: params.noteMessage,
+        noteTitle: params.noteTitle,
+        setCredential: async (apiKey, mode) => {
+          capturedSecretInput = apiKey;
+          capturedMode = mode;
+        },
+      });
+
+      if (!capturedSecretInput) {
+        throw new Error(`Missing API key input for provider "${params.providerId}".`);
+      }
+
+      return {
+        profiles: [
+          {
+            profileId: resolveProfileId(params),
+            credential: buildApiKeyCredential(
+              params.providerId,
+              capturedSecretInput,
+              params.metadata,
+              capturedMode ? { secretInputMode: capturedMode } : undefined,
+            ),
+          },
+        ],
+        ...(params.defaultModel ? { defaultModel: params.defaultModel } : {}),
+      };
+    },
+    runNonInteractive: async (ctx) => {
+      const opts = ctx.opts as Record<string, unknown> | undefined;
+      const resolved = await ctx.resolveApiKey({
+        provider: params.providerId,
+        flagValue: resolveStringOption(opts, params.optionKey),
+        flagName: params.flagName,
+        envVar: params.envVar,
+      });
+      if (!resolved) {
+        return null;
+      }
+
+      const profileId = resolveProfileId(params);
+      if (resolved.source !== "profile") {
+        const credential = ctx.toApiKeyCredential({
+          provider: params.providerId,
+          resolved,
+          ...(params.metadata ? { metadata: params.metadata } : {}),
+        });
+        if (!credential) {
+          return null;
+        }
+        upsertAuthProfile({
+          profileId,
+          credential,
+          agentDir: ctx.agentDir,
+        });
+      }
+
+      return applyApiKeyConfig({
+        ctx,
+        providerId: params.providerId,
+        profileId,
+        applyConfig: params.applyConfig,
+      });
+    },
+  };
+}
diff --git a/src/plugins/provider-wizard.test.ts b/src/plugins/provider-wizard.test.ts
index f55d9292824..eff361ee1c9 100644
--- a/src/plugins/provider-wizard.test.ts
+++ b/src/plugins/provider-wizard.test.ts
@@ -64,6 +64,46 @@ describe("provider wizard boundaries", () => {
     });
   });
 
+  it("builds wizard options from method-level metadata", () => {
+    const provider = makeProvider({
+      id: "openai",
+      label: "OpenAI",
+      auth: [
+        {
+          id: "api-key",
+          label: "OpenAI API key",
+          kind: "api_key",
+          wizard: {
+            choiceId: "openai-api-key",
+            choiceLabel: "OpenAI API key",
+            groupId: "openai",
+            groupLabel: "OpenAI",
+          },
+          run: vi.fn(),
+        },
+      ],
+    });
+    resolvePluginProviders.mockReturnValue([provider]);
+
+    expect(resolveProviderWizardOptions({})).toEqual([
+      {
+        value: "openai-api-key",
+        label: "OpenAI API key",
+        groupId: "openai",
+        groupLabel: "OpenAI",
+      },
+    ]);
+    expect(
+      resolveProviderPluginChoice({
+        providers: [provider],
+        choice: "openai-api-key",
+      }),
+    ).toEqual({
+      provider,
+      method: provider.auth[0],
+    });
+  });
+
   it("builds model-picker entries from plugin metadata and provider-method choices", () => {
     const provider = makeProvider({
       id: "sglang",
diff --git a/src/plugins/provider-wizard.ts b/src/plugins/provider-wizard.ts
index dcac7e36d40..cbe90178056 100644
--- a/src/plugins/provider-wizard.ts
+++ b/src/plugins/provider-wizard.ts
@@ -61,6 +61,17 @@ function resolveMethodById(
   return provider.auth.find((method) => method.id.trim().toLowerCase() === normalizedMethodId);
 }
 
+function listMethodWizardSetups(provider: ProviderPlugin): Array<{
+  method: ProviderAuthMethod;
+  wizard: ProviderPluginWizardSetup;
+}> {
+  return provider.auth
+    .map((method) => (method.wizard ? { method, wizard: method.wizard } : null))
+    .filter((entry): entry is { method: ProviderAuthMethod; wizard: ProviderPluginWizardSetup } =>
+      Boolean(entry),
+    );
+}
+
 function buildSetupOptionForMethod(params: {
   provider: ProviderPlugin;
   wizard: ProviderPluginWizardSetup;
@@ -93,6 +104,20 @@ export function resolveProviderWizardOptions(params: {
   const options: ProviderWizardOption[] = [];
 
   for (const provider of providers) {
+    const methodSetups = listMethodWizardSetups(provider);
+    for (const { method, wizard } of methodSetups) {
+      options.push(
+        buildSetupOptionForMethod({
+          provider,
+          wizard,
+          method,
+          value: wizard.choiceId?.trim() || buildProviderPluginMethodChoice(provider.id, method.id),
+        }),
+      );
+    }
+    if (methodSetups.length > 0) {
+      continue;
+    }
     const setup = provider.wizard?.setup;
     if (!setup) {
       continue;
@@ -187,6 +212,13 @@ export function resolveProviderPluginChoice(params: {
   }
 
   for (const provider of params.providers) {
+    for (const { method, wizard } of listMethodWizardSetups(provider)) {
+      const choiceId =
+        wizard.choiceId?.trim() || buildProviderPluginMethodChoice(provider.id, method.id);
+      if (normalizeChoiceId(choiceId) === choice) {
+        return { provider, method };
+      }
+    }
     const setup = provider.wizard?.setup;
     if (setup) {
       const setupChoiceId = resolveWizardSetupChoiceId(provider, setup);
diff --git a/src/plugins/types.ts b/src/plugins/types.ts
index bea63007fb2..f533b1b80a1 100644
--- a/src/plugins/types.ts
+++ b/src/plugins/types.ts
@@ -119,6 +119,15 @@ export type ProviderAuthContext = {
   workspaceDir?: string;
   prompter: WizardPrompter;
   runtime: RuntimeEnv;
+  /**
+   * Optional onboarding CLI options that triggered this auth flow.
+   *
+   * Present for setup/configure/auth-choice flows so provider methods can
+   * honor preseeded flags like `--openai-api-key` or generic
+   * `--token/--token-provider` pairs. Direct `models auth login` usually
+   * leaves this undefined.
+   */
+  opts?: Partial<OnboardOptions>;
   /**
    * Onboarding secret persistence preference.
    *
@@ -187,6 +196,14 @@ export type ProviderAuthMethod = {
   label: string;
   hint?: string;
   kind: ProviderAuthKind;
+  /**
+   * Optional wizard/onboarding metadata for this specific auth method.
+   *
+   * Use this when one provider exposes multiple setup entries (for example API
+   * key + OAuth, or region-specific login flows). OpenClaw uses this to expose
+   * method-specific auth choices while keeping the provider id stable.
+   */
+  wizard?: ProviderPluginWizardSetup;
   run: (ctx: ProviderAuthContext) => Promise<ProviderAuthResult>;
   runNonInteractive?: (
     ctx: ProviderAuthMethodNonInteractiveContext,

From 2acbea0da74a3ba722a033fab6085fd170177c86 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Mar 2026 05:50:33 +0000
Subject: [PATCH 013/133] docs: restore onboard as canonical setup command

---
 src/cli/program/register.onboard.ts | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

diff --git a/src/cli/program/register.onboard.ts b/src/cli/program/register.onboard.ts
index 982be1a75c3..914732e4079 100644
--- a/src/cli/program/register.onboard.ts
+++ b/src/cli/program/register.onboard.ts
@@ -1,5 +1,4 @@
 import type { Command } from "commander";
-import { formatCliCommand } from "../../cli/command-format.js";
 import { formatStaticAuthChoiceChoicesForCli } from "../../commands/auth-choice-options.static.js";
 import type { GatewayDaemonRuntime } from "../../commands/daemon-runtime.js";
 import { ONBOARD_PROVIDER_AUTH_FLAGS } from "../../commands/onboard-provider-auth-flags.js";
@@ -50,14 +49,11 @@ const AUTH_CHOICE_HELP = formatStaticAuthChoiceChoicesForCli({
 export function registerOnboardCommand(program: Command) {
   const command = program
     .command("onboard")
-    .description('Legacy alias for "openclaw setup --wizard"')
-    .addHelpText("after", () =>
-      [
-        "",
-        `${theme.muted("Docs:")} ${formatDocsLink("/cli/setup", "docs.openclaw.ai/cli/setup")}`,
-        `${theme.muted("Prefer:")} ${formatCliCommand("openclaw setup --wizard")}`,
-        "",
-      ].join("\n"),
+    .description("Interactive wizard to set up the gateway, workspace, and skills")
+    .addHelpText(
+      "after",
+      () =>
+        `\n${theme.muted("Docs:")} ${formatDocsLink("/cli/onboard", "docs.openclaw.ai/cli/onboard")}\n`,
     )
     .option("--workspace <dir>", "Agent workspace directory (default: ~/.openclaw/workspace)")
     .option(

From f9e185887fcedaad53c711e5fa13d9a995cb5b87 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Mar 2026 05:50:48 +0000
Subject: [PATCH 014/133] docs: restore onboard docs references

---
 docs/.i18n/glossary.zh-CN.json          |   4 -
 docs/automation/hooks.md                |   2 +-
 docs/channels/bluebubbles.md            |   4 +-
 docs/channels/feishu.md                 |   2 +-
 docs/channels/nostr.md                  |   2 +-
 docs/channels/synology-chat.md          |   4 +-
 docs/cli/index.md                       |   2 +-
 docs/cli/onboard.md                     | 161 +++++++++++++++++++++---
 docs/cli/setup.md                       |  30 ++---
 docs/concepts/agent-workspace.md        |   2 +-
 docs/concepts/model-providers.md        |  32 ++---
 docs/concepts/models.md                 |   2 +-
 docs/concepts/oauth.md                  |   4 +-
 docs/gateway/authentication.md          |   2 +-
 docs/gateway/configuration-reference.md |  12 +-
 docs/gateway/configuration.md           |   4 +-
 docs/gateway/local-models.md            |   2 +-
 docs/gateway/multiple-gateways.md       |   2 +-
 docs/help/faq.md                        |  12 +-
 docs/index.md                           |   4 +-
 docs/install/exe-dev.md                 |   2 +-
 docs/install/index.md                   |   6 +-
 docs/install/installer.md               |   2 +-
 docs/install/macos-vm.md                |   2 +-
 docs/platforms/digitalocean.md          |   2 +-
 docs/platforms/index.md                 |   2 +-
 docs/platforms/linux.md                 |   4 +-
 docs/platforms/raspberry-pi.md          |   2 +-
 docs/platforms/windows.md               |  10 +-
 docs/providers/anthropic.md             |   6 +-
 docs/providers/cloudflare-ai-gateway.md |   4 +-
 docs/providers/glm.md                   |   8 +-
 docs/providers/huggingface.md           |   4 +-
 docs/providers/index.md                 |   2 +-
 docs/providers/kilocode.md              |   2 +-
 docs/providers/litellm.md               |   2 +-
 docs/providers/minimax.md               |   2 +-
 docs/providers/mistral.md               |   4 +-
 docs/providers/models.md                |   2 +-
 docs/providers/moonshot.md              |   4 +-
 docs/providers/nvidia.md                |   2 +-
 docs/providers/ollama.md                |   8 +-
 docs/providers/openai.md                |   6 +-
 docs/providers/opencode-go.md           |   4 +-
 docs/providers/opencode.md              |   8 +-
 docs/providers/openrouter.md            |   2 +-
 docs/providers/qianfan.md               |   2 +-
 docs/providers/sglang.md                |   2 +-
 docs/providers/synthetic.md             |   2 +-
 docs/providers/together.md              |   4 +-
 docs/providers/venice.md                |   4 +-
 docs/providers/vercel-ai-gateway.md     |   4 +-
 docs/providers/xiaomi.md                |   4 +-
 docs/providers/zai.md                   |   8 +-
 docs/reference/wizard.md                |  14 +--
 docs/start/getting-started.md           |   2 +-
 docs/start/onboarding-overview.md       |  20 +--
 docs/start/wizard-cli-automation.md     |  34 ++---
 docs/start/wizard-cli-reference.md      |  26 ++--
 docs/start/wizard.md                    |  10 +-
 docs/tools/plugin.md                    |   8 +-
 src/cli/program/register.setup.ts       |   6 +-
 src/commands/onboard.ts                 |   2 +-
 src/commands/reset.ts                   |   4 +-
 64 files changed, 328 insertions(+), 219 deletions(-)

diff --git a/docs/.i18n/glossary.zh-CN.json b/docs/.i18n/glossary.zh-CN.json
index bc1892d1e9a..36e44b6d909 100644
--- a/docs/.i18n/glossary.zh-CN.json
+++ b/docs/.i18n/glossary.zh-CN.json
@@ -55,10 +55,6 @@
     "source": "CLI Setup Reference",
     "target": "CLI 设置参考"
   },
-  {
-    "source": "Setup Overview",
-    "target": "设置概览"
-  },
   {
     "source": "Setup Wizard (CLI)",
     "target": "设置向导（CLI）"
diff --git a/docs/automation/hooks.md b/docs/automation/hooks.md
index 84c7a234e11..deda79d3db5 100644
--- a/docs/automation/hooks.md
+++ b/docs/automation/hooks.md
@@ -74,7 +74,7 @@ openclaw hooks info session-memory
 
 ### Onboarding
 
-During onboarding (`openclaw setup --wizard`), you'll be prompted to enable recommended hooks. The wizard automatically discovers eligible hooks and presents them for selection.
+During onboarding (`openclaw onboard`), you'll be prompted to enable recommended hooks. The wizard automatically discovers eligible hooks and presents them for selection.
 
 ## Hook Discovery
 
diff --git a/docs/channels/bluebubbles.md b/docs/channels/bluebubbles.md
index c51c7967b00..9c2f0eb6de4 100644
--- a/docs/channels/bluebubbles.md
+++ b/docs/channels/bluebubbles.md
@@ -26,7 +26,7 @@ Status: bundled plugin that talks to the BlueBubbles macOS server over HTTP. **R
 
 1. Install the BlueBubbles server on your Mac (follow the instructions at [bluebubbles.app/install](https://bluebubbles.app/install)).
 2. In the BlueBubbles config, enable the web API and set a password.
-3. Run `openclaw setup --wizard` and select BlueBubbles, or configure manually:
+3. Run `openclaw onboard` and select BlueBubbles, or configure manually:
 
    ```json5
    {
@@ -129,7 +129,7 @@ launchctl load ~/Library/LaunchAgents/com.user.poke-messages.plist
 BlueBubbles is available in the interactive setup wizard:
 
 ```
-openclaw setup --wizard
+openclaw onboard
 ```
 
 The wizard prompts for:
diff --git a/docs/channels/feishu.md b/docs/channels/feishu.md
index 7e13a3077df..3768906d940 100644
--- a/docs/channels/feishu.md
+++ b/docs/channels/feishu.md
@@ -35,7 +35,7 @@ There are two ways to add the Feishu channel:
 If you just installed OpenClaw, run the setup wizard:
 
 ```bash
-openclaw setup --wizard
+openclaw onboard
 ```
 
 The wizard guides you through:
diff --git a/docs/channels/nostr.md b/docs/channels/nostr.md
index ce410dd879a..46888da0352 100644
--- a/docs/channels/nostr.md
+++ b/docs/channels/nostr.md
@@ -16,7 +16,7 @@ Nostr is a decentralized protocol for social networking. This channel enables Op
 
 ### Onboarding (recommended)
 
-- The setup wizard (`openclaw setup --wizard`) and `openclaw channels add` list optional channel plugins.
+- The setup wizard (`openclaw onboard`) and `openclaw channels add` list optional channel plugins.
 - Selecting Nostr prompts you to install the plugin on demand.
 
 Install defaults:
diff --git a/docs/channels/synology-chat.md b/docs/channels/synology-chat.md
index cc3b2f2ed73..aae655f27b7 100644
--- a/docs/channels/synology-chat.md
+++ b/docs/channels/synology-chat.md
@@ -27,7 +27,7 @@ Details: [Plugins](/tools/plugin)
 ## Quick setup
 
 1. Install and enable the Synology Chat plugin.
-   - `openclaw setup --wizard` now shows Synology Chat in the same channel setup list as `openclaw channels add`.
+   - `openclaw onboard` now shows Synology Chat in the same channel setup list as `openclaw channels add`.
    - Non-interactive setup: `openclaw channels add --channel synology-chat --token <token> --url <incoming-webhook-url>`
 2. In Synology Chat integrations:
    - Create an incoming webhook and copy its URL.
@@ -36,7 +36,7 @@ Details: [Plugins](/tools/plugin)
    - `https://gateway-host/webhook/synology` by default.
    - Or your custom `channels.synology-chat.webhookPath`.
 4. Finish setup in OpenClaw.
-   - Guided: `openclaw setup --wizard`
+   - Guided: `openclaw onboard`
    - Direct: `openclaw channels add --channel synology-chat --token <token> --url <incoming-webhook-url>`
 5. Restart gateway and send a DM to the Synology Chat bot.
 
diff --git a/docs/cli/index.md b/docs/cli/index.md
index 80e6efdadd5..ded970cde9d 100644
--- a/docs/cli/index.md
+++ b/docs/cli/index.md
@@ -13,7 +13,7 @@ This page describes the current CLI behavior. If commands change, update this do
 ## Command pages
 
 - [`setup`](/cli/setup)
-- [`onboard`](/cli/onboard) (legacy alias for `setup --wizard`)
+- [`onboard`](/cli/onboard)
 - [`configure`](/cli/configure)
 - [`config`](/cli/config)
 - [`completion`](/cli/completion)
diff --git a/docs/cli/onboard.md b/docs/cli/onboard.md
index 16aa8413135..899ccd82713 100644
--- a/docs/cli/onboard.md
+++ b/docs/cli/onboard.md
@@ -1,30 +1,157 @@
 ---
-summary: "Legacy CLI alias for `openclaw setup --wizard`"
+summary: "CLI reference for `openclaw onboard` (interactive setup wizard)"
 read_when:
-  - You encountered `openclaw onboard` in older docs or scripts
+  - You want guided setup for gateway, workspace, auth, channels, and skills
 title: "onboard"
 ---
 
 # `openclaw onboard`
 
-Legacy alias for `openclaw setup --wizard`.
-
-Prefer:
-
-```bash
-openclaw setup --wizard
-```
-
-`openclaw onboard` still accepts the same flags and behavior for compatibility.
+Interactive setup wizard (local or remote Gateway setup).
 
 ## Related guides
 
-- Primary command docs: [`openclaw setup`](/cli/setup)
-- Setup wizard guide: [Setup Wizard (CLI)](/start/wizard)
-- Setup overview: [Setup Overview](/start/onboarding-overview)
-- Setup wizard reference: [CLI Setup Reference](/start/wizard-cli-reference)
+- CLI onboarding hub: [Setup Wizard (CLI)](/start/wizard)
+- Onboarding overview: [Onboarding Overview](/start/onboarding-overview)
+- CLI onboarding reference: [CLI Setup Reference](/start/wizard-cli-reference)
 - CLI automation: [CLI Automation](/start/wizard-cli-automation)
 - macOS onboarding: [Onboarding (macOS App)](/start/onboarding)
 
-For examples, flags, and non-interactive behavior, use the primary docs at
-[`openclaw setup`](/cli/setup) and [CLI Setup Reference](/start/wizard-cli-reference).
+## Examples
+
+```bash
+openclaw onboard
+openclaw onboard --flow quickstart
+openclaw onboard --flow manual
+openclaw onboard --mode remote --remote-url wss://gateway-host:18789
+```
+
+For plaintext private-network `ws://` targets (trusted networks only), set
+`OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1` in the onboarding process environment.
+
+Non-interactive custom provider:
+
+```bash
+openclaw onboard --non-interactive \
+  --auth-choice custom-api-key \
+  --custom-base-url "https://llm.example.com/v1" \
+  --custom-model-id "foo-large" \
+  --custom-api-key "$CUSTOM_API_KEY" \
+  --secret-input-mode plaintext \
+  --custom-compatibility openai
+```
+
+`--custom-api-key` is optional in non-interactive mode. If omitted, onboarding checks `CUSTOM_API_KEY`.
+
+Non-interactive Ollama:
+
+```bash
+openclaw onboard --non-interactive \
+  --auth-choice ollama \
+  --custom-base-url "http://ollama-host:11434" \
+  --custom-model-id "qwen3.5:27b" \
+  --accept-risk
+```
+
+`--custom-base-url` defaults to `http://127.0.0.1:11434`. `--custom-model-id` is optional; if omitted, onboarding uses Ollama's suggested defaults. Cloud model IDs such as `kimi-k2.5:cloud` also work here.
+
+Store provider keys as refs instead of plaintext:
+
+```bash
+openclaw onboard --non-interactive \
+  --auth-choice openai-api-key \
+  --secret-input-mode ref \
+  --accept-risk
+```
+
+With `--secret-input-mode ref`, onboarding writes env-backed refs instead of plaintext key values.
+For auth-profile backed providers this writes `keyRef` entries; for custom providers this writes `models.providers.<id>.apiKey` as an env ref (for example `{ source: "env", provider: "default", id: "CUSTOM_API_KEY" }`).
+
+Non-interactive `ref` mode contract:
+
+- Set the provider env var in the onboarding process environment (for example `OPENAI_API_KEY`).
+- Do not pass inline key flags (for example `--openai-api-key`) unless that env var is also set.
+- If an inline key flag is passed without the required env var, onboarding fails fast with guidance.
+
+Gateway token options in non-interactive mode:
+
+- `--gateway-auth token --gateway-token <token>` stores a plaintext token.
+- `--gateway-auth token --gateway-token-ref-env <name>` stores `gateway.auth.token` as an env SecretRef.
+- `--gateway-token` and `--gateway-token-ref-env` are mutually exclusive.
+- `--gateway-token-ref-env` requires a non-empty env var in the onboarding process environment.
+- With `--install-daemon`, when token auth requires a token, SecretRef-managed gateway tokens are validated but not persisted as resolved plaintext in supervisor service environment metadata.
+- With `--install-daemon`, if token mode requires a token and the configured token SecretRef is unresolved, onboarding fails closed with remediation guidance.
+- With `--install-daemon`, if both `gateway.auth.token` and `gateway.auth.password` are configured and `gateway.auth.mode` is unset, onboarding blocks install until mode is set explicitly.
+
+Example:
+
+```bash
+export OPENCLAW_GATEWAY_TOKEN="your-token"
+openclaw onboard --non-interactive \
+  --mode local \
+  --auth-choice skip \
+  --gateway-auth token \
+  --gateway-token-ref-env OPENCLAW_GATEWAY_TOKEN \
+  --accept-risk
+```
+
+Non-interactive local gateway health:
+
+- Unless you pass `--skip-health`, onboarding waits for a reachable local gateway before it exits successfully.
+- `--install-daemon` starts the managed gateway install path first. Without it, you must already have a local gateway running, for example `openclaw gateway run`.
+- If you only want config/workspace/bootstrap writes in automation, use `--skip-health`.
+- On native Windows, `--install-daemon` tries Scheduled Tasks first and falls back to a per-user Startup-folder login item if task creation is denied.
+
+Interactive onboarding behavior with reference mode:
+
+- Choose **Use secret reference** when prompted.
+- Then choose either:
+  - Environment variable
+  - Configured secret provider (`file` or `exec`)
+- Onboarding performs a fast preflight validation before saving the ref.
+  - If validation fails, onboarding shows the error and lets you retry.
+
+Non-interactive Z.AI endpoint choices:
+
+Note: `--auth-choice zai-api-key` now auto-detects the best Z.AI endpoint for your key (prefers the general API with `zai/glm-5`).
+If you specifically want the GLM Coding Plan endpoints, pick `zai-coding-global` or `zai-coding-cn`.
+
+```bash
+# Promptless endpoint selection
+openclaw onboard --non-interactive \
+  --auth-choice zai-coding-global \
+  --zai-api-key "$ZAI_API_KEY"
+
+# Other Z.AI endpoint choices:
+# --auth-choice zai-coding-cn
+# --auth-choice zai-global
+# --auth-choice zai-cn
+```
+
+Non-interactive Mistral example:
+
+```bash
+openclaw onboard --non-interactive \
+  --auth-choice mistral-api-key \
+  --mistral-api-key "$MISTRAL_API_KEY"
+```
+
+Flow notes:
+
+- `quickstart`: minimal prompts, auto-generates a gateway token.
+- `manual`: full prompts for port/bind/auth (alias of `advanced`).
+- Local onboarding DM scope behavior: [CLI Setup Reference](/start/wizard-cli-reference#outputs-and-internals).
+- Fastest first chat: `openclaw dashboard` (Control UI, no channel setup).
+- Custom Provider: connect any OpenAI or Anthropic compatible endpoint,
+  including hosted providers not listed. Use Unknown to auto-detect.
+
+## Common follow-up commands
+
+```bash
+openclaw configure
+openclaw agents add <name>
+```
+
+<Note>
+`--json` does not imply non-interactive mode. Use `--non-interactive` for scripts.
+</Note>
diff --git a/docs/cli/setup.md b/docs/cli/setup.md
index d8b5f686ef9..d8992ba8a43 100644
--- a/docs/cli/setup.md
+++ b/docs/cli/setup.md
@@ -1,43 +1,29 @@
 ---
-summary: "CLI reference for `openclaw setup` (initialize config/workspace or run the setup wizard)"
+summary: "CLI reference for `openclaw setup` (initialize config + workspace)"
 read_when:
-  - You want first-run setup without the guided wizard
-  - You want the guided setup wizard via `openclaw setup --wizard`
+  - You’re doing first-run setup without the full setup wizard
   - You want to set the default workspace path
 title: "setup"
 ---
 
 # `openclaw setup`
 
-Initialize `~/.openclaw/openclaw.json` and the agent workspace, or run the guided setup wizard.
+Initialize `~/.openclaw/openclaw.json` and the agent workspace.
 
 Related:
 
 - Getting started: [Getting started](/start/getting-started)
-- Setup wizard: [Setup Wizard (CLI)](/start/wizard)
-- macOS app onboarding: [Onboarding](/start/onboarding)
+- Wizard: [Onboarding](/start/onboarding)
 
 ## Examples
 
 ```bash
 openclaw setup
 openclaw setup --workspace ~/.openclaw/workspace
-openclaw setup --wizard
-openclaw setup --wizard --install-daemon
 ```
 
-Without flags, `openclaw setup` only ensures config + workspace defaults.
-Use `--wizard` for the full guided flow.
+To run the wizard via setup:
 
-## Modes
-
-- `openclaw setup`: initialize config/workspace defaults only
-- `openclaw setup --wizard`: guided setup for auth, gateway, channels, and skills
-- `openclaw setup --wizard --non-interactive`: scripted setup flow
-
-## Related guides
-
-- Setup wizard guide: [Setup Wizard (CLI)](/start/wizard)
-- Setup wizard reference: [CLI Setup Reference](/start/wizard-cli-reference)
-- Setup wizard automation: [CLI Automation](/start/wizard-cli-automation)
-- Legacy alias: [`openclaw onboard`](/cli/onboard)
+```bash
+openclaw setup --wizard
+```
diff --git a/docs/concepts/agent-workspace.md b/docs/concepts/agent-workspace.md
index 7fc114818cb..ff55f241bcd 100644
--- a/docs/concepts/agent-workspace.md
+++ b/docs/concepts/agent-workspace.md
@@ -36,7 +36,7 @@ inside a sandbox workspace under `~/.openclaw/sandboxes`, not your host workspac
 }
 ```
 
-`openclaw setup --wizard`, `openclaw configure`, or `openclaw setup` will create the
+`openclaw onboard`, `openclaw configure`, or `openclaw setup` will create the
 workspace and seed the bootstrap files if they are missing.
 Sandbox seed copies only accept regular in-workspace files; symlink/hardlink
 aliases that resolve outside the source workspace are ignored.
diff --git a/docs/concepts/model-providers.md b/docs/concepts/model-providers.md
index 8e8f17f4a67..fc0656c0dd4 100644
--- a/docs/concepts/model-providers.md
+++ b/docs/concepts/model-providers.md
@@ -15,7 +15,7 @@ For model selection rules, see [/concepts/models](/concepts/models).
 
 - Model refs use `provider/model` (example: `opencode/claude-opus-4-6`).
 - If you set `agents.defaults.models`, it becomes the allowlist.
-- CLI helpers: `openclaw setup --wizard`, `openclaw models list`, `openclaw models set <provider/model>`.
+- CLI helpers: `openclaw onboard`, `openclaw models list`, `openclaw models set <provider/model>`.
 - Provider plugins can inject model catalogs via `registerProvider({ catalog })`;
   OpenClaw merges that output into `models.providers` before writing
   `models.json`.
@@ -139,7 +139,7 @@ OpenClaw ships with the pi‑ai catalog. These providers require **no**
 - Auth: `OPENAI_API_KEY`
 - Optional rotation: `OPENAI_API_KEYS`, `OPENAI_API_KEY_1`, `OPENAI_API_KEY_2`, plus `OPENCLAW_LIVE_OPENAI_KEY` (single override)
 - Example models: `openai/gpt-5.4`, `openai/gpt-5.4-pro`
-- CLI: `openclaw setup --wizard --auth-choice openai-api-key`
+- CLI: `openclaw onboard --auth-choice openai-api-key`
 - Default transport is `auto` (WebSocket-first, SSE fallback)
 - Override per model via `agents.defaults.models["openai/<model>"].params.transport` (`"sse"`, `"websocket"`, or `"auto"`)
 - OpenAI Responses WebSocket warm-up defaults to enabled via `params.openaiWsWarmup` (`true`/`false`)
@@ -159,7 +159,7 @@ OpenClaw ships with the pi‑ai catalog. These providers require **no**
 - Auth: `ANTHROPIC_API_KEY` or `claude setup-token`
 - Optional rotation: `ANTHROPIC_API_KEYS`, `ANTHROPIC_API_KEY_1`, `ANTHROPIC_API_KEY_2`, plus `OPENCLAW_LIVE_ANTHROPIC_KEY` (single override)
 - Example model: `anthropic/claude-opus-4-6`
-- CLI: `openclaw setup --wizard --auth-choice token` (paste setup-token) or `openclaw models auth paste-token --provider anthropic`
+- CLI: `openclaw onboard --auth-choice token` (paste setup-token) or `openclaw models auth paste-token --provider anthropic`
 - Direct API-key models support the shared `/fast` toggle and `params.fastMode`; OpenClaw maps that to Anthropic `service_tier` (`auto` vs `standard_only`)
 - Policy note: setup-token support is technical compatibility; Anthropic has blocked some subscription usage outside Claude Code in the past. Verify current Anthropic terms and decide based on your risk tolerance.
 - Recommendation: Anthropic API key auth is the safer, recommended path over subscription setup-token auth.
@@ -175,7 +175,7 @@ OpenClaw ships with the pi‑ai catalog. These providers require **no**
 - Provider: `openai-codex`
 - Auth: OAuth (ChatGPT)
 - Example model: `openai-codex/gpt-5.4`
-- CLI: `openclaw setup --wizard --auth-choice openai-codex` or `openclaw models auth login --provider openai-codex`
+- CLI: `openclaw onboard --auth-choice openai-codex` or `openclaw models auth login --provider openai-codex`
 - Default transport is `auto` (WebSocket-first, SSE fallback)
 - Override per model via `agents.defaults.models["openai-codex/<model>"].params.transport` (`"sse"`, `"websocket"`, or `"auto"`)
 - Shares the same `/fast` toggle and `params.fastMode` config as direct `openai/*`
@@ -194,7 +194,7 @@ OpenClaw ships with the pi‑ai catalog. These providers require **no**
 - Zen runtime provider: `opencode`
 - Go runtime provider: `opencode-go`
 - Example models: `opencode/claude-opus-4-6`, `opencode-go/kimi-k2.5`
-- CLI: `openclaw setup --wizard --auth-choice opencode-zen` or `openclaw setup --wizard --auth-choice opencode-go`
+- CLI: `openclaw onboard --auth-choice opencode-zen` or `openclaw onboard --auth-choice opencode-go`
 
 ```json5
 {
@@ -209,7 +209,7 @@ OpenClaw ships with the pi‑ai catalog. These providers require **no**
 - Optional rotation: `GEMINI_API_KEYS`, `GEMINI_API_KEY_1`, `GEMINI_API_KEY_2`, `GOOGLE_API_KEY` fallback, and `OPENCLAW_LIVE_GEMINI_KEY` (single override)
 - Example models: `google/gemini-3.1-pro-preview`, `google/gemini-3-flash-preview`
 - Compatibility: legacy OpenClaw config using `google/gemini-3.1-flash-preview` is normalized to `google/gemini-3-flash-preview`
-- CLI: `openclaw setup --wizard --auth-choice gemini-api-key`
+- CLI: `openclaw onboard --auth-choice gemini-api-key`
 
 ### Google Vertex and Gemini CLI
 
@@ -227,7 +227,7 @@ OpenClaw ships with the pi‑ai catalog. These providers require **no**
 - Provider: `zai`
 - Auth: `ZAI_API_KEY`
 - Example model: `zai/glm-5`
-- CLI: `openclaw setup --wizard --auth-choice zai-api-key`
+- CLI: `openclaw onboard --auth-choice zai-api-key`
   - Aliases: `z.ai/*` and `z-ai/*` normalize to `zai/*`
 
 ### Vercel AI Gateway
@@ -235,14 +235,14 @@ OpenClaw ships with the pi‑ai catalog. These providers require **no**
 - Provider: `vercel-ai-gateway`
 - Auth: `AI_GATEWAY_API_KEY`
 - Example model: `vercel-ai-gateway/anthropic/claude-opus-4.6`
-- CLI: `openclaw setup --wizard --auth-choice ai-gateway-api-key`
+- CLI: `openclaw onboard --auth-choice ai-gateway-api-key`
 
 ### Kilo Gateway
 
 - Provider: `kilocode`
 - Auth: `KILOCODE_API_KEY`
 - Example model: `kilocode/anthropic/claude-opus-4.6`
-- CLI: `openclaw setup --wizard --kilocode-api-key <key>`
+- CLI: `openclaw onboard --kilocode-api-key <key>`
 - Base URL: `https://api.kilo.ai/api/gateway/`
 - Expanded built-in catalog includes GLM-5 Free, MiniMax M2.5 Free, GPT-5.2, Gemini 3 Pro Preview, Gemini 3 Flash Preview, Grok Code Fast 1, and Kimi K2.5.
 
@@ -271,13 +271,13 @@ See [/providers/kilocode](/providers/kilocode) for setup details.
 - xAI: `xai` (`XAI_API_KEY`)
 - Mistral: `mistral` (`MISTRAL_API_KEY`)
 - Example model: `mistral/mistral-large-latest`
-- CLI: `openclaw setup --wizard --auth-choice mistral-api-key`
+- CLI: `openclaw onboard --auth-choice mistral-api-key`
 - Groq: `groq` (`GROQ_API_KEY`)
 - Cerebras: `cerebras` (`CEREBRAS_API_KEY`)
   - GLM models on Cerebras use ids `zai-glm-4.7` and `zai-glm-4.6`.
   - OpenAI-compatible base URL: `https://api.cerebras.ai/v1`.
 - GitHub Copilot: `github-copilot` (`COPILOT_GITHUB_TOKEN` / `GH_TOKEN` / `GITHUB_TOKEN`)
-- Hugging Face Inference example model: `huggingface/deepseek-ai/DeepSeek-R1`; CLI: `openclaw setup --wizard --auth-choice huggingface-api-key`. See [Hugging Face (Inference)](/providers/huggingface).
+- Hugging Face Inference example model: `huggingface/deepseek-ai/DeepSeek-R1`; CLI: `openclaw onboard --auth-choice huggingface-api-key`. See [Hugging Face (Inference)](/providers/huggingface).
 
 ## Providers via `models.providers` (custom/base URL)
 
@@ -367,7 +367,7 @@ Volcano Engine (火山引擎) provides access to Doubao and other models in Chin
 - Provider: `volcengine` (coding: `volcengine-plan`)
 - Auth: `VOLCANO_ENGINE_API_KEY`
 - Example model: `volcengine/doubao-seed-1-8-251228`
-- CLI: `openclaw setup --wizard --auth-choice volcengine-api-key`
+- CLI: `openclaw onboard --auth-choice volcengine-api-key`
 
 ```json5
 {
@@ -400,7 +400,7 @@ BytePlus ARK provides access to the same models as Volcano Engine for internatio
 - Provider: `byteplus` (coding: `byteplus-plan`)
 - Auth: `BYTEPLUS_API_KEY`
 - Example model: `byteplus/seed-1-8-251228`
-- CLI: `openclaw setup --wizard --auth-choice byteplus-api-key`
+- CLI: `openclaw onboard --auth-choice byteplus-api-key`
 
 ```json5
 {
@@ -431,7 +431,7 @@ Synthetic provides Anthropic-compatible models behind the `synthetic` provider:
 - Provider: `synthetic`
 - Auth: `SYNTHETIC_API_KEY`
 - Example model: `synthetic/hf:MiniMaxAI/MiniMax-M2.5`
-- CLI: `openclaw setup --wizard --auth-choice synthetic-api-key`
+- CLI: `openclaw onboard --auth-choice synthetic-api-key`
 
 ```json5
 {
@@ -485,7 +485,7 @@ ollama pull llama3.3
 
 Ollama is detected locally at `http://127.0.0.1:11434` when you opt in with
 `OLLAMA_API_KEY`, and the bundled provider plugin adds Ollama directly to
-`openclaw setup --wizard` and the model picker. See [/providers/ollama](/providers/ollama)
+`openclaw onboard` and the model picker. See [/providers/ollama](/providers/ollama)
 for onboarding, cloud/local mode, and custom configuration.
 
 ### vLLM
@@ -595,7 +595,7 @@ Notes:
 ## CLI examples
 
 ```bash
-openclaw setup --wizard --auth-choice opencode-zen
+openclaw onboard --auth-choice opencode-zen
 openclaw models set opencode/claude-opus-4-6
 openclaw models list
 ```
diff --git a/docs/concepts/models.md b/docs/concepts/models.md
index f190630ac36..e85e605456f 100644
--- a/docs/concepts/models.md
+++ b/docs/concepts/models.md
@@ -39,7 +39,7 @@ Related:
 If you don’t want to hand-edit config, run the setup wizard:
 
 ```bash
-openclaw setup --wizard
+openclaw onboard
 ```
 
 It can set up model + auth for common providers, including **OpenAI Code (Codex)
diff --git a/docs/concepts/oauth.md b/docs/concepts/oauth.md
index 4b8b2739c22..4766687ad51 100644
--- a/docs/concepts/oauth.md
+++ b/docs/concepts/oauth.md
@@ -92,7 +92,7 @@ Flow shape:
 2. paste the token into OpenClaw
 3. store as a token auth profile (no refresh)
 
-The wizard path is `openclaw setup --wizard` → auth choice `setup-token` (Anthropic).
+The wizard path is `openclaw onboard` → auth choice `setup-token` (Anthropic).
 
 ### OpenAI Codex (ChatGPT OAuth)
 
@@ -107,7 +107,7 @@ Flow shape (PKCE):
 5. exchange at `https://auth.openai.com/oauth/token`
 6. extract `accountId` from the access token and store `{ access, refresh, expires, accountId }`
 
-Wizard path is `openclaw setup --wizard` → auth choice `openai-codex`.
+Wizard path is `openclaw onboard` → auth choice `openai-codex`.
 
 ## Refresh + expiry
 
diff --git a/docs/gateway/authentication.md b/docs/gateway/authentication.md
index fe8e5b760d3..c25501e6cdd 100644
--- a/docs/gateway/authentication.md
+++ b/docs/gateway/authentication.md
@@ -50,7 +50,7 @@ openclaw doctor
 ```
 
 If you’d rather not manage env vars yourself, the setup wizard can store
-API keys for daemon use: `openclaw setup --wizard`.
+API keys for daemon use: `openclaw onboard`.
 
 See [Help](/help) for details on env inheritance (`env.shellEnv`,
 `~/.openclaw/.env`, systemd/launchd).
diff --git a/docs/gateway/configuration-reference.md b/docs/gateway/configuration-reference.md
index b28cde9c260..0653fd3834f 100644
--- a/docs/gateway/configuration-reference.md
+++ b/docs/gateway/configuration-reference.md
@@ -2182,7 +2182,7 @@ Use `cerebras/zai-glm-4.7` for Cerebras; `zai/glm-4.7` for Z.AI direct.
 }
 ```
 
-Set `OPENCODE_API_KEY` (or `OPENCODE_ZEN_API_KEY`). Use `opencode/...` refs for the Zen catalog or `opencode-go/...` refs for the Go catalog. Shortcut: `openclaw setup --wizard --auth-choice opencode-zen` or `openclaw setup --wizard --auth-choice opencode-go`.
+Set `OPENCODE_API_KEY` (or `OPENCODE_ZEN_API_KEY`). Use `opencode/...` refs for the Zen catalog or `opencode-go/...` refs for the Go catalog. Shortcut: `openclaw onboard --auth-choice opencode-zen` or `openclaw onboard --auth-choice opencode-go`.
 
 </Accordion>
 
@@ -2199,7 +2199,7 @@ Set `OPENCODE_API_KEY` (or `OPENCODE_ZEN_API_KEY`). Use `opencode/...` refs for
 }
 ```
 
-Set `ZAI_API_KEY`. `z.ai/*` and `z-ai/*` are accepted aliases. Shortcut: `openclaw setup --wizard --auth-choice zai-api-key`.
+Set `ZAI_API_KEY`. `z.ai/*` and `z-ai/*` are accepted aliases. Shortcut: `openclaw onboard --auth-choice zai-api-key`.
 
 - General endpoint: `https://api.z.ai/api/paas/v4`
 - Coding endpoint (default): `https://api.z.ai/api/coding/paas/v4`
@@ -2242,7 +2242,7 @@ Set `ZAI_API_KEY`. `z.ai/*` and `z-ai/*` are accepted aliases. Shortcut: `opencl
 }
 ```
 
-For the China endpoint: `baseUrl: "https://api.moonshot.cn/v1"` or `openclaw setup --wizard --auth-choice moonshot-api-key-cn`.
+For the China endpoint: `baseUrl: "https://api.moonshot.cn/v1"` or `openclaw onboard --auth-choice moonshot-api-key-cn`.
 
 </Accordion>
 
@@ -2260,7 +2260,7 @@ For the China endpoint: `baseUrl: "https://api.moonshot.cn/v1"` or `openclaw set
 }
 ```
 
-Anthropic-compatible, built-in provider. Shortcut: `openclaw setup --wizard --auth-choice kimi-code-api-key`.
+Anthropic-compatible, built-in provider. Shortcut: `openclaw onboard --auth-choice kimi-code-api-key`.
 
 </Accordion>
 
@@ -2299,7 +2299,7 @@ Anthropic-compatible, built-in provider. Shortcut: `openclaw setup --wizard --au
 }
 ```
 
-Base URL should omit `/v1` (Anthropic client appends it). Shortcut: `openclaw setup --wizard --auth-choice synthetic-api-key`.
+Base URL should omit `/v1` (Anthropic client appends it). Shortcut: `openclaw onboard --auth-choice synthetic-api-key`.
 
 </Accordion>
 
@@ -2339,7 +2339,7 @@ Base URL should omit `/v1` (Anthropic client appends it). Shortcut: `openclaw se
 }
 ```
 
-Set `MINIMAX_API_KEY`. Shortcut: `openclaw setup --wizard --auth-choice minimax-api`.
+Set `MINIMAX_API_KEY`. Shortcut: `openclaw onboard --auth-choice minimax-api`.
 
 </Accordion>
 
diff --git a/docs/gateway/configuration.md b/docs/gateway/configuration.md
index db4bb167417..a699e74652f 100644
--- a/docs/gateway/configuration.md
+++ b/docs/gateway/configuration.md
@@ -20,7 +20,7 @@ If the file is missing, OpenClaw uses safe defaults. Common reasons to add a con
 See the [full reference](/gateway/configuration-reference) for every available field.
 
 <Tip>
-**New to configuration?** Start with `openclaw setup --wizard` for interactive setup, or check out the [Configuration Examples](/gateway/configuration-examples) guide for complete copy-paste configs.
+**New to configuration?** Start with `openclaw onboard` for interactive setup, or check out the [Configuration Examples](/gateway/configuration-examples) guide for complete copy-paste configs.
 </Tip>
 
 ## Minimal config
@@ -38,7 +38,7 @@ See the [full reference](/gateway/configuration-reference) for every available f
 <Tabs>
   <Tab title="Interactive wizard">
     ```bash
-    openclaw setup --wizard       # full setup wizard
+    openclaw onboard       # full setup wizard
     openclaw configure     # config wizard
     ```
   </Tab>
diff --git a/docs/gateway/local-models.md b/docs/gateway/local-models.md
index 93a63c38170..4059f988776 100644
--- a/docs/gateway/local-models.md
+++ b/docs/gateway/local-models.md
@@ -11,7 +11,7 @@ title: "Local Models"
 
 Local is doable, but OpenClaw expects large context + strong defenses against prompt injection. Small cards truncate context and leak safety. Aim high: **≥2 maxed-out Mac Studios or equivalent GPU rig (~$30k+)**. A single **24 GB** GPU works only for lighter prompts with higher latency. Use the **largest / full-size model variant you can run**; aggressively quantized or “small” checkpoints raise prompt-injection risk (see [Security](/gateway/security)).
 
-If you want the lowest-friction local setup, start with [Ollama](/providers/ollama) and `openclaw setup --wizard`. This page is the opinionated guide for higher-end local stacks and custom OpenAI-compatible local servers.
+If you want the lowest-friction local setup, start with [Ollama](/providers/ollama) and `openclaw onboard`. This page is the opinionated guide for higher-end local stacks and custom OpenAI-compatible local servers.
 
 ## Recommended: LM Studio + MiniMax M2.5 (Responses API, full-size)
 
diff --git a/docs/gateway/multiple-gateways.md b/docs/gateway/multiple-gateways.md
index b2d5257f0ff..6d1cf423b98 100644
--- a/docs/gateway/multiple-gateways.md
+++ b/docs/gateway/multiple-gateways.md
@@ -59,7 +59,7 @@ Port spacing: leave at least 20 ports between base ports so the derived browser/
 ```bash
 # Main bot (existing or fresh, without --profile param)
 # Runs on port 18789 + Chrome CDC/Canvas/... Ports
-openclaw setup --wizard
+openclaw onboard
 openclaw gateway install
 
 # Rescue bot (isolated profile + ports)
diff --git a/docs/help/faq.md b/docs/help/faq.md
index 670ea170c19..8fdf39ab5c1 100644
--- a/docs/help/faq.md
+++ b/docs/help/faq.md
@@ -321,7 +321,7 @@ The repo recommends running from source and using the setup wizard:
 
 ```bash
 curl -fsSL https://openclaw.ai/install.sh | bash
-openclaw setup --wizard --install-daemon
+openclaw onboard --install-daemon
 ```
 
 The wizard can also build UI assets automatically. After onboarding, you typically run the Gateway on port **18789**.
@@ -334,10 +334,10 @@ cd openclaw
 pnpm install
 pnpm build
 pnpm ui:build # auto-installs UI deps on first run
-openclaw setup --wizard
+openclaw onboard
 ```
 
-If you don't have a global install yet, run it via `pnpm openclaw setup --wizard`.
+If you don't have a global install yet, run it via `pnpm openclaw onboard`.
 
 ### How do I open the dashboard after onboarding
 
@@ -687,7 +687,7 @@ Docs: [Update](/cli/update), [Updating](/install/updating).
 
 ### What does the setup wizard actually do
 
-`openclaw setup --wizard` is the recommended setup path. In **local mode** it walks you through:
+`openclaw onboard` is the recommended setup path. In **local mode** it walks you through:
 
 - **Model/auth setup** (provider OAuth/setup-token flows and API keys supported, plus local model options such as LM Studio)
 - **Workspace** location + bootstrap files
@@ -1904,7 +1904,7 @@ openclaw reset --scope full --yes --non-interactive
 Then re-run setup:
 
 ```bash
-openclaw setup --wizard --install-daemon
+openclaw onboard --install-daemon
 ```
 
 Notes:
@@ -2092,7 +2092,7 @@ Quickest setup:
 1. Install Ollama from `https://ollama.com/download`
 2. Pull a local model such as `ollama pull glm-4.7-flash`
 3. If you want Ollama Cloud too, run `ollama signin`
-4. Run `openclaw setup --wizard` and choose `Ollama`
+4. Run `openclaw onboard` and choose `Ollama`
 5. Pick `Local` or `Cloud + Local`
 
 Notes:
diff --git a/docs/index.md b/docs/index.md
index e8c2210caff..7c69600f55d 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -34,7 +34,7 @@ title: "OpenClaw"
     Install OpenClaw and bring up the Gateway in minutes.
   </Card>
   <Card title="Run the Wizard" href="/start/wizard" icon="sparkles">
-    Guided setup with `openclaw setup --wizard` and pairing flows.
+    Guided setup with `openclaw onboard` and pairing flows.
   </Card>
   <Card title="Open the Control UI" href="/web/control-ui" icon="layout-dashboard">
     Launch the browser dashboard for chat, config, and sessions.
@@ -103,7 +103,7 @@ The Gateway is the single source of truth for sessions, routing, and channel con
   </Step>
   <Step title="Onboard and install the service">
     ```bash
-    openclaw setup --wizard --install-daemon
+    openclaw onboard --install-daemon
     ```
   </Step>
   <Step title="Pair WhatsApp and start the Gateway">
diff --git a/docs/install/exe-dev.md b/docs/install/exe-dev.md
index b66865593da..c49dab4e426 100644
--- a/docs/install/exe-dev.md
+++ b/docs/install/exe-dev.md
@@ -31,7 +31,7 @@ Shelley, [exe.dev](https://exe.dev)'s agent, can install OpenClaw instantly with
 prompt. The prompt used is as below:
 
 ```
-Set up OpenClaw (https://docs.openclaw.ai/install) on this VM. Use the non-interactive and accept-risk flags for openclaw setup --wizarding. Add the supplied auth or token as needed. Configure nginx to forward from the default port 18789 to the root location on the default enabled site config, making sure to enable Websocket support. Pairing is done by "openclaw devices list" and "openclaw devices approve <request id>". Make sure the dashboard shows that OpenClaw's health is OK. exe.dev handles forwarding from port 8000 to port 80/443 and HTTPS for us, so the final "reachable" should be <vm-name>.exe.xyz, without port specification.
+Set up OpenClaw (https://docs.openclaw.ai/install) on this VM. Use the non-interactive and accept-risk flags for openclaw onboarding. Add the supplied auth or token as needed. Configure nginx to forward from the default port 18789 to the root location on the default enabled site config, making sure to enable Websocket support. Pairing is done by "openclaw devices list" and "openclaw devices approve <request id>". Make sure the dashboard shows that OpenClaw's health is OK. exe.dev handles forwarding from port 8000 to port 80/443 and HTTPS for us, so the final "reachable" should be <vm-name>.exe.xyz, without port specification.
 ```
 
 ## Manual installation
diff --git a/docs/install/index.md b/docs/install/index.md
index 59396c49b5f..21adfdaa592 100644
--- a/docs/install/index.md
+++ b/docs/install/index.md
@@ -76,7 +76,7 @@ For VPS/cloud hosts, avoid third-party "1-click" marketplace images when possibl
       <Tab title="npm">
         ```bash
         npm install -g openclaw@latest
-        openclaw setup --wizard --install-daemon
+        openclaw onboard --install-daemon
         ```
 
         <Accordion title="sharp build errors?">
@@ -93,7 +93,7 @@ For VPS/cloud hosts, avoid third-party "1-click" marketplace images when possibl
         ```bash
         pnpm add -g openclaw@latest
         pnpm approve-builds -g        # approve openclaw, node-llama-cpp, sharp, etc.
-        openclaw setup --wizard --install-daemon
+        openclaw onboard --install-daemon
         ```
 
         <Note>
@@ -140,7 +140,7 @@ For VPS/cloud hosts, avoid third-party "1-click" marketplace images when possibl
       </Step>
       <Step title="Run onboarding">
         ```bash
-        openclaw setup --wizard --install-daemon
+        openclaw onboard --install-daemon
         ```
       </Step>
     </Steps>
diff --git a/docs/install/installer.md b/docs/install/installer.md
index 813fa7b31b4..5859c22fd0d 100644
--- a/docs/install/installer.md
+++ b/docs/install/installer.md
@@ -224,7 +224,7 @@ Designed for environments where you want everything under a local prefix (defaul
 | `--version <ver>`      | OpenClaw version or dist-tag (default: `latest`)                                |
 | `--node-version <ver>` | Node version (default: `22.22.0`)                                               |
 | `--json`               | Emit NDJSON events                                                              |
-| `--onboard`            | Run `openclaw setup --wizard` after install                                     |
+| `--onboard`            | Run `openclaw onboard` after install                                            |
 | `--no-onboard`         | Skip onboarding (default)                                                       |
 | `--set-npm-prefix`     | On Linux, force npm prefix to `~/.npm-global` if current prefix is not writable |
 | `--help`               | Show usage (`-h`)                                                               |
diff --git a/docs/install/macos-vm.md b/docs/install/macos-vm.md
index 3e036c6ee0d..f2eadfda113 100644
--- a/docs/install/macos-vm.md
+++ b/docs/install/macos-vm.md
@@ -138,7 +138,7 @@ Inside the VM:
 
 ```bash
 npm install -g openclaw@latest
-openclaw setup --wizard --install-daemon
+openclaw onboard --install-daemon
 ```
 
 Follow the onboarding prompts to set up your model provider (Anthropic, OpenAI, etc.).
diff --git a/docs/platforms/digitalocean.md b/docs/platforms/digitalocean.md
index aaea2644ca6..cd05587ae76 100644
--- a/docs/platforms/digitalocean.md
+++ b/docs/platforms/digitalocean.md
@@ -80,7 +80,7 @@ openclaw --version
 ## 4) Run Onboarding
 
 ```bash
-openclaw setup --wizard --install-daemon
+openclaw onboard --install-daemon
 ```
 
 The wizard will walk you through:
diff --git a/docs/platforms/index.md b/docs/platforms/index.md
index 3c7ecca0f48..ec2663aefe4 100644
--- a/docs/platforms/index.md
+++ b/docs/platforms/index.md
@@ -42,7 +42,7 @@ Native companion apps for Windows are also planned; the Gateway is recommended v
 
 Use one of these (all supported):
 
-- Wizard (recommended): `openclaw setup --wizard --install-daemon`
+- Wizard (recommended): `openclaw onboard --install-daemon`
 - Direct: `openclaw gateway install`
 - Configure flow: `openclaw configure` → select **Gateway service**
 - Repair/migrate: `openclaw doctor` (offers to install or fix the service)
diff --git a/docs/platforms/linux.md b/docs/platforms/linux.md
index 29de3dd47ea..c03dba6f795 100644
--- a/docs/platforms/linux.md
+++ b/docs/platforms/linux.md
@@ -17,7 +17,7 @@ Native Linux companion apps are planned. Contributions are welcome if you want t
 
 1. Install Node 24 (recommended; Node 22 LTS, currently `22.16+`, still works for compatibility)
 2. `npm i -g openclaw@latest`
-3. `openclaw setup --wizard --install-daemon`
+3. `openclaw onboard --install-daemon`
 4. From your laptop: `ssh -N -L 18789:127.0.0.1:18789 <user>@<host>`
 5. Open `http://127.0.0.1:18789/` and paste your token
 
@@ -39,7 +39,7 @@ Step-by-step VPS guide: [exe.dev](/install/exe-dev)
 Use one of these:
 
 ```
-openclaw setup --wizard --install-daemon
+openclaw onboard --install-daemon
 ```
 
 Or:
diff --git a/docs/platforms/raspberry-pi.md b/docs/platforms/raspberry-pi.md
index 4a3bf7b8204..2050b6395b4 100644
--- a/docs/platforms/raspberry-pi.md
+++ b/docs/platforms/raspberry-pi.md
@@ -130,7 +130,7 @@ The hackable install gives you direct access to logs and code — useful for deb
 ## 7) Run Onboarding
 
 ```bash
-openclaw setup --wizard --install-daemon
+openclaw onboard --install-daemon
 ```
 
 Follow the wizard:
diff --git a/docs/platforms/windows.md b/docs/platforms/windows.md
index c8047271e65..e40d798604d 100644
--- a/docs/platforms/windows.md
+++ b/docs/platforms/windows.md
@@ -38,8 +38,8 @@ openclaw agent --local --agent main --thinking low -m "Reply with exactly WINDOW
 
 Current caveats:
 
-- `openclaw setup --wizard --non-interactive` still expects a reachable local gateway unless you pass `--skip-health`
-- `openclaw setup --wizard --non-interactive --install-daemon` and `openclaw gateway install` try Windows Scheduled Tasks first
+- `openclaw onboard --non-interactive` still expects a reachable local gateway unless you pass `--skip-health`
+- `openclaw onboard --non-interactive --install-daemon` and `openclaw gateway install` try Windows Scheduled Tasks first
 - if Scheduled Task creation is denied, OpenClaw falls back to a per-user Startup-folder login item and starts the gateway immediately
 - if `schtasks` itself wedges or stops responding, OpenClaw now aborts that path quickly and falls back instead of hanging forever
 - Scheduled Tasks are still preferred when available because they provide better supervisor status
@@ -47,7 +47,7 @@ Current caveats:
 If you want the native CLI only, without gateway service install, use one of these:
 
 ```powershell
-openclaw setup --wizard --non-interactive --skip-health
+openclaw onboard --non-interactive --skip-health
 openclaw gateway run
 ```
 
@@ -70,7 +70,7 @@ If Scheduled Task creation is blocked, the fallback service mode still auto-star
 Inside WSL2:
 
 ```
-openclaw setup --wizard --install-daemon
+openclaw onboard --install-daemon
 ```
 
 Or:
@@ -230,7 +230,7 @@ cd openclaw
 pnpm install
 pnpm ui:build # auto-installs UI deps on first run
 pnpm build
-openclaw setup --wizard
+openclaw onboard
 ```
 
 Full guide: [Getting Started](/start/getting-started)
diff --git a/docs/providers/anthropic.md b/docs/providers/anthropic.md
index 5611eec7ba4..d16d76f6315 100644
--- a/docs/providers/anthropic.md
+++ b/docs/providers/anthropic.md
@@ -19,11 +19,11 @@ Create your API key in the Anthropic Console.
 ### CLI setup
 
 ```bash
-openclaw setup --wizard
+openclaw onboard
 # choose: Anthropic API key
 
 # or non-interactive
-openclaw setup --wizard --anthropic-api-key "$ANTHROPIC_API_KEY"
+openclaw onboard --anthropic-api-key "$ANTHROPIC_API_KEY"
 ```
 
 ### Config snippet
@@ -214,7 +214,7 @@ openclaw models auth paste-token --provider anthropic
 
 ```bash
 # Paste a setup-token during setup
-openclaw setup --wizard --auth-choice setup-token
+openclaw onboard --auth-choice setup-token
 ```
 
 ### Config snippet (setup-token)
diff --git a/docs/providers/cloudflare-ai-gateway.md b/docs/providers/cloudflare-ai-gateway.md
index 63f471413e8..392a611e705 100644
--- a/docs/providers/cloudflare-ai-gateway.md
+++ b/docs/providers/cloudflare-ai-gateway.md
@@ -22,7 +22,7 @@ For Anthropic models, use your Anthropic API key.
 1. Set the provider API key and Gateway details:
 
 ```bash
-openclaw setup --wizard --auth-choice cloudflare-ai-gateway-api-key
+openclaw onboard --auth-choice cloudflare-ai-gateway-api-key
 ```
 
 2. Set a default model:
@@ -40,7 +40,7 @@ openclaw setup --wizard --auth-choice cloudflare-ai-gateway-api-key
 ## Non-interactive example
 
 ```bash
-openclaw setup --wizard --non-interactive \
+openclaw onboard --non-interactive \
   --mode local \
   --auth-choice cloudflare-ai-gateway-api-key \
   --cloudflare-ai-gateway-account-id "your-account-id" \
diff --git a/docs/providers/glm.md b/docs/providers/glm.md
index bd096212cd0..64fe39a42df 100644
--- a/docs/providers/glm.md
+++ b/docs/providers/glm.md
@@ -15,16 +15,16 @@ models are accessed via the `zai` provider and model IDs like `zai/glm-5`.
 
 ```bash
 # Coding Plan Global, recommended for Coding Plan users
-openclaw setup --wizard --auth-choice zai-coding-global
+openclaw onboard --auth-choice zai-coding-global
 
 # Coding Plan CN (China region), recommended for Coding Plan users
-openclaw setup --wizard --auth-choice zai-coding-cn
+openclaw onboard --auth-choice zai-coding-cn
 
 # General API
-openclaw setup --wizard --auth-choice zai-global
+openclaw onboard --auth-choice zai-global
 
 # General API CN (China region)
-openclaw setup --wizard --auth-choice zai-cn
+openclaw onboard --auth-choice zai-cn
 ```
 
 ## Config snippet
diff --git a/docs/providers/huggingface.md b/docs/providers/huggingface.md
index 416037dca49..7b33955f524 100644
--- a/docs/providers/huggingface.md
+++ b/docs/providers/huggingface.md
@@ -21,7 +21,7 @@ title: "Hugging Face (Inference)"
 2. Run onboarding and choose **Hugging Face** in the provider dropdown, then enter your API key when prompted:
 
 ```bash
-openclaw setup --wizard --auth-choice huggingface-api-key
+openclaw onboard --auth-choice huggingface-api-key
 ```
 
 3. In the **Default Hugging Face model** dropdown, pick the model you want (the list is loaded from the Inference API when you have a valid token; otherwise a built-in list is shown). Your choice is saved as the default model.
@@ -40,7 +40,7 @@ openclaw setup --wizard --auth-choice huggingface-api-key
 ## Non-interactive example
 
 ```bash
-openclaw setup --wizard --non-interactive \
+openclaw onboard --non-interactive \
   --mode local \
   --auth-choice huggingface-api-key \
   --huggingface-api-key "$HF_TOKEN"
diff --git a/docs/providers/index.md b/docs/providers/index.md
index 0e5c181f56b..f68cd0e0b53 100644
--- a/docs/providers/index.md
+++ b/docs/providers/index.md
@@ -15,7 +15,7 @@ Looking for chat channel docs (WhatsApp/Telegram/Discord/Slack/Mattermost (plugi
 
 ## Quick start
 
-1. Authenticate with the provider (usually via `openclaw setup --wizard`).
+1. Authenticate with the provider (usually via `openclaw onboard`).
 2. Set the default model:
 
 ```json5
diff --git a/docs/providers/kilocode.md b/docs/providers/kilocode.md
index b3d75e64bcf..15f8e4c2b7c 100644
--- a/docs/providers/kilocode.md
+++ b/docs/providers/kilocode.md
@@ -19,7 +19,7 @@ endpoint and API key. It is OpenAI-compatible, so most OpenAI SDKs work by switc
 ## CLI setup
 
 ```bash
-openclaw setup --wizard --kilocode-api-key <key>
+openclaw onboard --kilocode-api-key <key>
 ```
 
 Or set the environment variable:
diff --git a/docs/providers/litellm.md b/docs/providers/litellm.md
index d96e1bb795c..51ad0d599f8 100644
--- a/docs/providers/litellm.md
+++ b/docs/providers/litellm.md
@@ -22,7 +22,7 @@ read_when:
 ### Via onboarding
 
 ```bash
-openclaw setup --wizard --auth-choice litellm-api-key
+openclaw onboard --auth-choice litellm-api-key
 ```
 
 ### Manual setup
diff --git a/docs/providers/minimax.md b/docs/providers/minimax.md
index 7a39111f6c2..0d3635352cc 100644
--- a/docs/providers/minimax.md
+++ b/docs/providers/minimax.md
@@ -44,7 +44,7 @@ Enable the bundled OAuth plugin and authenticate:
 ```bash
 openclaw plugins enable minimax  # skip if already loaded.
 openclaw gateway restart  # restart if gateway is already running
-openclaw setup --wizard --auth-choice minimax-portal
+openclaw onboard --auth-choice minimax-portal
 ```
 
 You will be prompted to select an endpoint:
diff --git a/docs/providers/mistral.md b/docs/providers/mistral.md
index 60a9e82853d..44e594abf21 100644
--- a/docs/providers/mistral.md
+++ b/docs/providers/mistral.md
@@ -15,9 +15,9 @@ Mistral can also be used for memory embeddings (`memorySearch.provider = "mistra
 ## CLI setup
 
 ```bash
-openclaw setup --wizard --auth-choice mistral-api-key
+openclaw onboard --auth-choice mistral-api-key
 # or non-interactive
-openclaw setup --wizard --mistral-api-key "$MISTRAL_API_KEY"
+openclaw onboard --mistral-api-key "$MISTRAL_API_KEY"
 ```
 
 ## Config snippet (LLM provider)
diff --git a/docs/providers/models.md b/docs/providers/models.md
index 0bbff47c51e..a117d286051 100644
--- a/docs/providers/models.md
+++ b/docs/providers/models.md
@@ -13,7 +13,7 @@ model as `provider/model`.
 
 ## Quick start (two steps)
 
-1. Authenticate with the provider (usually via `openclaw setup --wizard`).
+1. Authenticate with the provider (usually via `openclaw onboard`).
 2. Set the default model:
 
 ```json5
diff --git a/docs/providers/moonshot.md b/docs/providers/moonshot.md
index de21a6ffb0a..daf9c881de5 100644
--- a/docs/providers/moonshot.md
+++ b/docs/providers/moonshot.md
@@ -26,13 +26,13 @@ Current Kimi K2 model IDs:
 [//]: # "moonshot-kimi-k2-ids:end"
 
 ```bash
-openclaw setup --wizard --auth-choice moonshot-api-key
+openclaw onboard --auth-choice moonshot-api-key
 ```
 
 Kimi Coding:
 
 ```bash
-openclaw setup --wizard --auth-choice kimi-code-api-key
+openclaw onboard --auth-choice kimi-code-api-key
 ```
 
 Note: Moonshot and Kimi Coding are separate providers. Keys are not interchangeable, endpoints differ, and model refs differ (Moonshot uses `moonshot/...`, Kimi Coding uses `kimi-coding/...`).
diff --git a/docs/providers/nvidia.md b/docs/providers/nvidia.md
index 2708d88db96..693a51db9b3 100644
--- a/docs/providers/nvidia.md
+++ b/docs/providers/nvidia.md
@@ -16,7 +16,7 @@ Export the key once, then run onboarding and set an NVIDIA model:
 
 ```bash
 export NVIDIA_API_KEY="nvapi-..."
-openclaw setup --wizard --auth-choice skip
+openclaw onboard --auth-choice skip
 openclaw models set nvidia/nvidia/llama-3.1-nemotron-70b-instruct
 ```
 
diff --git a/docs/providers/ollama.md b/docs/providers/ollama.md
index db36f90a2da..5a1eb2bd27e 100644
--- a/docs/providers/ollama.md
+++ b/docs/providers/ollama.md
@@ -21,7 +21,7 @@ Ollama is a local LLM runtime that makes it easy to run open-source models on yo
 The fastest way to set up Ollama is through the setup wizard:
 
 ```bash
-openclaw setup --wizard
+openclaw onboard
 ```
 
 Select **Ollama** from the provider list. The wizard will:
@@ -35,7 +35,7 @@ Select **Ollama** from the provider list. The wizard will:
 Non-interactive mode is also supported:
 
 ```bash
-openclaw setup --wizard --non-interactive \
+openclaw onboard --non-interactive \
   --auth-choice ollama \
   --accept-risk
 ```
@@ -43,7 +43,7 @@ openclaw setup --wizard --non-interactive \
 Optionally specify a custom base URL or model:
 
 ```bash
-openclaw setup --wizard --non-interactive \
+openclaw onboard --non-interactive \
   --auth-choice ollama \
   --custom-base-url "http://ollama-host:11434" \
   --custom-model-id "qwen3.5:27b" \
@@ -73,7 +73,7 @@ ollama signin
 4. Run onboarding and choose `Ollama`:
 
 ```bash
-openclaw setup --wizard
+openclaw onboard
 ```
 
 - `Local`: local models only
diff --git a/docs/providers/openai.md b/docs/providers/openai.md
index 4f90d092838..a6a60f8f2ea 100644
--- a/docs/providers/openai.md
+++ b/docs/providers/openai.md
@@ -20,9 +20,9 @@ Get your API key from the OpenAI dashboard.
 ### CLI setup
 
 ```bash
-openclaw setup --wizard --auth-choice openai-api-key
+openclaw onboard --auth-choice openai-api-key
 # or non-interactive
-openclaw setup --wizard --openai-api-key "$OPENAI_API_KEY"
+openclaw onboard --openai-api-key "$OPENAI_API_KEY"
 ```
 
 ### Config snippet
@@ -52,7 +52,7 @@ Codex cloud requires ChatGPT sign-in, while the Codex CLI supports ChatGPT or AP
 
 ```bash
 # Run Codex OAuth in the wizard
-openclaw setup --wizard --auth-choice openai-codex
+openclaw onboard --auth-choice openai-codex
 
 # Or run OAuth directly
 openclaw models auth login --provider openai-codex
diff --git a/docs/providers/opencode-go.md b/docs/providers/opencode-go.md
index 2d826712977..4552e916beb 100644
--- a/docs/providers/opencode-go.md
+++ b/docs/providers/opencode-go.md
@@ -21,9 +21,9 @@ provider id `opencode-go` so upstream per-model routing stays correct.
 ## CLI setup
 
 ```bash
-openclaw setup --wizard --auth-choice opencode-go
+openclaw onboard --auth-choice opencode-go
 # or non-interactive
-openclaw setup --wizard --opencode-go-api-key "$OPENCODE_API_KEY"
+openclaw onboard --opencode-go-api-key "$OPENCODE_API_KEY"
 ```
 
 ## Config snippet
diff --git a/docs/providers/opencode.md b/docs/providers/opencode.md
index 98eb2cfcbe0..da44e5154c0 100644
--- a/docs/providers/opencode.md
+++ b/docs/providers/opencode.md
@@ -22,15 +22,15 @@ as one OpenCode setup.
 ### Zen catalog
 
 ```bash
-openclaw setup --wizard --auth-choice opencode-zen
-openclaw setup --wizard --opencode-zen-api-key "$OPENCODE_API_KEY"
+openclaw onboard --auth-choice opencode-zen
+openclaw onboard --opencode-zen-api-key "$OPENCODE_API_KEY"
 ```
 
 ### Go catalog
 
 ```bash
-openclaw setup --wizard --auth-choice opencode-go
-openclaw setup --wizard --opencode-go-api-key "$OPENCODE_API_KEY"
+openclaw onboard --auth-choice opencode-go
+openclaw onboard --opencode-go-api-key "$OPENCODE_API_KEY"
 ```
 
 ## Config snippet
diff --git a/docs/providers/openrouter.md b/docs/providers/openrouter.md
index 4da33dbb1bc..5a9023481be 100644
--- a/docs/providers/openrouter.md
+++ b/docs/providers/openrouter.md
@@ -14,7 +14,7 @@ endpoint and API key. It is OpenAI-compatible, so most OpenAI SDKs work by switc
 ## CLI setup
 
 ```bash
-openclaw setup --wizard --auth-choice apiKey --token-provider openrouter --token "$OPENROUTER_API_KEY"
+openclaw onboard --auth-choice apiKey --token-provider openrouter --token "$OPENROUTER_API_KEY"
 ```
 
 ## Config snippet
diff --git a/docs/providers/qianfan.md b/docs/providers/qianfan.md
index 9784dcc64dd..1e80dafb26b 100644
--- a/docs/providers/qianfan.md
+++ b/docs/providers/qianfan.md
@@ -27,7 +27,7 @@ endpoint and API key. It is OpenAI-compatible, so most OpenAI SDKs work by switc
 ## CLI setup
 
 ```bash
-openclaw setup --wizard --auth-choice qianfan-api-key
+openclaw onboard --auth-choice qianfan-api-key
 ```
 
 ## Related Documentation
diff --git a/docs/providers/sglang.md b/docs/providers/sglang.md
index 96d33d5e767..ce66950c0c3 100644
--- a/docs/providers/sglang.md
+++ b/docs/providers/sglang.md
@@ -33,7 +33,7 @@ export SGLANG_API_KEY="sglang-local"
 3. Run onboarding and choose `SGLang`, or set a model directly:
 
 ```bash
-openclaw setup --wizard
+openclaw onboard
 ```
 
 ```json5
diff --git a/docs/providers/synthetic.md b/docs/providers/synthetic.md
index 0e662320984..ae406a0e390 100644
--- a/docs/providers/synthetic.md
+++ b/docs/providers/synthetic.md
@@ -17,7 +17,7 @@ Synthetic exposes Anthropic-compatible endpoints. OpenClaw registers it as the
 2. Run onboarding:
 
 ```bash
-openclaw setup --wizard --auth-choice synthetic-api-key
+openclaw onboard --auth-choice synthetic-api-key
 ```
 
 The default model is set to:
diff --git a/docs/providers/together.md b/docs/providers/together.md
index e93224e5da3..62bab43a204 100644
--- a/docs/providers/together.md
+++ b/docs/providers/together.md
@@ -18,7 +18,7 @@ The [Together AI](https://together.ai) provides access to leading open-source mo
 1. Set the API key (recommended: store it for the Gateway):
 
 ```bash
-openclaw setup --wizard --auth-choice together-api-key
+openclaw onboard --auth-choice together-api-key
 ```
 
 2. Set a default model:
@@ -36,7 +36,7 @@ openclaw setup --wizard --auth-choice together-api-key
 ## Non-interactive example
 
 ```bash
-openclaw setup --wizard --non-interactive \
+openclaw onboard --non-interactive \
   --mode local \
   --auth-choice together-api-key \
   --together-api-key "$TOGETHER_API_KEY"
diff --git a/docs/providers/venice.md b/docs/providers/venice.md
index a793239eb6f..520cf22d82b 100644
--- a/docs/providers/venice.md
+++ b/docs/providers/venice.md
@@ -58,7 +58,7 @@ export VENICE_API_KEY="vapi_xxxxxxxxxxxx"
 **Option B: Interactive Setup (Recommended)**
 
 ```bash
-openclaw setup --wizard --auth-choice venice-api-key
+openclaw onboard --auth-choice venice-api-key
 ```
 
 This will:
@@ -71,7 +71,7 @@ This will:
 **Option C: Non-interactive**
 
 ```bash
-openclaw setup --wizard --non-interactive \
+openclaw onboard --non-interactive \
   --auth-choice venice-api-key \
   --venice-api-key "vapi_xxxxxxxxxxxx"
 ```
diff --git a/docs/providers/vercel-ai-gateway.md b/docs/providers/vercel-ai-gateway.md
index 55acf7f2ba7..f76e2b51bb5 100644
--- a/docs/providers/vercel-ai-gateway.md
+++ b/docs/providers/vercel-ai-gateway.md
@@ -21,7 +21,7 @@ The [Vercel AI Gateway](https://vercel.com/ai-gateway) provides a unified API to
 1. Set the API key (recommended: store it for the Gateway):
 
 ```bash
-openclaw setup --wizard --auth-choice ai-gateway-api-key
+openclaw onboard --auth-choice ai-gateway-api-key
 ```
 
 2. Set a default model:
@@ -39,7 +39,7 @@ openclaw setup --wizard --auth-choice ai-gateway-api-key
 ## Non-interactive example
 
 ```bash
-openclaw setup --wizard --non-interactive \
+openclaw onboard --non-interactive \
   --mode local \
   --auth-choice ai-gateway-api-key \
   --ai-gateway-api-key "$AI_GATEWAY_API_KEY"
diff --git a/docs/providers/xiaomi.md b/docs/providers/xiaomi.md
index ec6ec043125..da1cf7fe38a 100644
--- a/docs/providers/xiaomi.md
+++ b/docs/providers/xiaomi.md
@@ -22,9 +22,9 @@ the `xiaomi` provider with a Xiaomi MiMo API key.
 ## CLI setup
 
 ```bash
-openclaw setup --wizard --auth-choice xiaomi-api-key
+openclaw onboard --auth-choice xiaomi-api-key
 # or non-interactive
-openclaw setup --wizard --auth-choice xiaomi-api-key --xiaomi-api-key "$XIAOMI_API_KEY"
+openclaw onboard --auth-choice xiaomi-api-key --xiaomi-api-key "$XIAOMI_API_KEY"
 ```
 
 ## Config snippet
diff --git a/docs/providers/zai.md b/docs/providers/zai.md
index 86a0b3c6878..6f3aea27020 100644
--- a/docs/providers/zai.md
+++ b/docs/providers/zai.md
@@ -16,16 +16,16 @@ with a Z.AI API key.
 
 ```bash
 # Coding Plan Global, recommended for Coding Plan users
-openclaw setup --wizard --auth-choice zai-coding-global
+openclaw onboard --auth-choice zai-coding-global
 
 # Coding Plan CN (China region), recommended for Coding Plan users
-openclaw setup --wizard --auth-choice zai-coding-cn
+openclaw onboard --auth-choice zai-coding-cn
 
 # General API
-openclaw setup --wizard --auth-choice zai-global
+openclaw onboard --auth-choice zai-global
 
 # General API CN (China region)
-openclaw setup --wizard --auth-choice zai-cn
+openclaw onboard --auth-choice zai-cn
 ```
 
 ## Config snippet
diff --git a/docs/reference/wizard.md b/docs/reference/wizard.md
index b52aa74086d..5bfa3da7f9f 100644
--- a/docs/reference/wizard.md
+++ b/docs/reference/wizard.md
@@ -2,7 +2,7 @@
 summary: "Full reference for the CLI setup wizard: every step, flag, and config field"
 read_when:
   - Looking up a specific wizard step or flag
-  - Automating setup with non-interactive mode
+  - Automating onboarding with non-interactive mode
   - Debugging wizard behavior
 title: "Setup Wizard Reference"
 sidebarTitle: "Wizard Reference"
@@ -10,7 +10,7 @@ sidebarTitle: "Wizard Reference"
 
 # Setup Wizard Reference
 
-This is the full reference for the `openclaw setup --wizard` CLI wizard.
+This is the full reference for the `openclaw onboard` CLI wizard.
 For a high-level overview, see [Setup Wizard](/start/wizard).
 
 ## Flow details (local mode)
@@ -76,11 +76,11 @@ For a high-level overview, see [Setup Wizard](/start/wizard).
     - In token mode, interactive setup offers:
       - **Generate/store plaintext token** (default)
       - **Use SecretRef** (opt-in)
-      - Quickstart reuses existing `gateway.auth.token` SecretRefs across `env`, `file`, and `exec` providers for setup probe/dashboard bootstrap.
-      - If that SecretRef is configured but cannot be resolved, setup fails early with a clear fix message instead of silently degrading runtime auth.
+      - Quickstart reuses existing `gateway.auth.token` SecretRefs across `env`, `file`, and `exec` providers for onboarding probe/dashboard bootstrap.
+      - If that SecretRef is configured but cannot be resolved, onboarding fails early with a clear fix message instead of silently degrading runtime auth.
     - In password mode, interactive setup also supports plaintext or SecretRef storage.
     - Non-interactive token SecretRef path: `--gateway-token-ref-env <ENV_VAR>`.
-      - Requires a non-empty env var in the setup process environment.
+      - Requires a non-empty env var in the onboarding process environment.
       - Cannot be combined with `--gateway-token`.
     - Disable auth only if you fully trust every local process.
     - Non‑loopback binds still require auth.
@@ -137,7 +137,7 @@ If the Control UI assets are missing, the wizard attempts to build them; fallbac
 Use `--non-interactive` to automate or script onboarding:
 
 ```bash
-openclaw setup --wizard --non-interactive \
+openclaw onboard --non-interactive \
   --mode local \
   --auth-choice apiKey \
   --anthropic-api-key "$ANTHROPIC_API_KEY" \
@@ -154,7 +154,7 @@ Gateway token SecretRef in non-interactive mode:
 
 ```bash
 export OPENCLAW_GATEWAY_TOKEN="your-token"
-openclaw setup --wizard --non-interactive \
+openclaw onboard --non-interactive \
   --mode local \
   --auth-choice skip \
   --gateway-auth token \
diff --git a/docs/start/getting-started.md b/docs/start/getting-started.md
index af779afbe42..3fc64e5087d 100644
--- a/docs/start/getting-started.md
+++ b/docs/start/getting-started.md
@@ -54,7 +54,7 @@ Check your Node version with `node --version` if you are unsure.
   </Step>
   <Step title="Run the setup wizard">
     ```bash
-    openclaw setup --wizard --install-daemon
+    openclaw onboard --install-daemon
     ```
 
     The wizard configures auth, gateway settings, and optional channels.
diff --git a/docs/start/onboarding-overview.md b/docs/start/onboarding-overview.md
index c2147252d2b..1e94a4db64a 100644
--- a/docs/start/onboarding-overview.md
+++ b/docs/start/onboarding-overview.md
@@ -1,18 +1,18 @@
 ---
-summary: "Overview of OpenClaw setup options and flows"
+summary: "Overview of OpenClaw onboarding options and flows"
 read_when:
-  - Choosing a setup path
+  - Choosing an onboarding path
   - Setting up a new environment
-title: "Setup Overview"
-sidebarTitle: "Setup Overview"
+title: "Onboarding Overview"
+sidebarTitle: "Onboarding Overview"
 ---
 
-# Setup Overview
+# Onboarding Overview
 
-OpenClaw supports multiple setup paths depending on where the Gateway runs
+OpenClaw supports multiple onboarding paths depending on where the Gateway runs
 and how you prefer to configure providers.
 
-## Choose your setup path
+## Choose your onboarding path
 
 - **CLI wizard** for macOS, Linux, and Windows (via WSL2).
 - **macOS app** for a guided first run on Apple silicon or Intel Macs.
@@ -22,14 +22,14 @@ and how you prefer to configure providers.
 Run the wizard in a terminal:
 
 ```bash
-openclaw setup --wizard
+openclaw onboard
 ```
 
 Use the CLI wizard when you want full control of the Gateway, workspace,
 channels, and skills. Docs:
 
 - [Setup Wizard (CLI)](/start/wizard)
-- [`openclaw setup --wizard` command](/cli/setup)
+- [`openclaw onboard` command](/cli/onboard)
 
 ## macOS app onboarding
 
@@ -48,4 +48,4 @@ CLI wizard. You will be asked to:
 - Provide a model ID and optional alias.
 - Choose an Endpoint ID so multiple custom endpoints can coexist.
 
-For detailed steps, follow the CLI setup docs above.
+For detailed steps, follow the CLI onboarding docs above.
diff --git a/docs/start/wizard-cli-automation.md b/docs/start/wizard-cli-automation.md
index 17803cefe48..884d49e143b 100644
--- a/docs/start/wizard-cli-automation.md
+++ b/docs/start/wizard-cli-automation.md
@@ -1,7 +1,7 @@
 ---
-summary: "Scripted setup wizard and agent setup for the OpenClaw CLI"
+summary: "Scripted onboarding and agent setup for the OpenClaw CLI"
 read_when:
-  - You are automating setup in scripts or CI
+  - You are automating onboarding in scripts or CI
   - You need non-interactive examples for specific providers
 title: "CLI Automation"
 sidebarTitle: "CLI automation"
@@ -9,7 +9,7 @@ sidebarTitle: "CLI automation"
 
 # CLI Automation
 
-Use `--non-interactive` to automate `openclaw setup --wizard`.
+Use `--non-interactive` to automate `openclaw onboard`.
 
 <Note>
 `--json` does not imply non-interactive mode. Use `--non-interactive` (and `--workspace`) for scripts.
@@ -18,7 +18,7 @@ Use `--non-interactive` to automate `openclaw setup --wizard`.
 ## Baseline non-interactive example
 
 ```bash
-openclaw setup --wizard --non-interactive \
+openclaw onboard --non-interactive \
   --mode local \
   --auth-choice apiKey \
   --anthropic-api-key "$ANTHROPIC_API_KEY" \
@@ -41,7 +41,7 @@ Passing inline key flags without the matching env var now fails fast.
 Example:
 
 ```bash
-openclaw setup --wizard --non-interactive \
+openclaw onboard --non-interactive \
   --mode local \
   --auth-choice openai-api-key \
   --secret-input-mode ref \
@@ -53,7 +53,7 @@ openclaw setup --wizard --non-interactive \
 <AccordionGroup>
   <Accordion title="Gemini example">
     ```bash
-    openclaw setup --wizard --non-interactive \
+    openclaw onboard --non-interactive \
       --mode local \
       --auth-choice gemini-api-key \
       --gemini-api-key "$GEMINI_API_KEY" \
@@ -63,7 +63,7 @@ openclaw setup --wizard --non-interactive \
   </Accordion>
   <Accordion title="Z.AI example">
     ```bash
-    openclaw setup --wizard --non-interactive \
+    openclaw onboard --non-interactive \
       --mode local \
       --auth-choice zai-api-key \
       --zai-api-key "$ZAI_API_KEY" \
@@ -73,7 +73,7 @@ openclaw setup --wizard --non-interactive \
   </Accordion>
   <Accordion title="Vercel AI Gateway example">
     ```bash
-    openclaw setup --wizard --non-interactive \
+    openclaw onboard --non-interactive \
       --mode local \
       --auth-choice ai-gateway-api-key \
       --ai-gateway-api-key "$AI_GATEWAY_API_KEY" \
@@ -83,7 +83,7 @@ openclaw setup --wizard --non-interactive \
   </Accordion>
   <Accordion title="Cloudflare AI Gateway example">
     ```bash
-    openclaw setup --wizard --non-interactive \
+    openclaw onboard --non-interactive \
       --mode local \
       --auth-choice cloudflare-ai-gateway-api-key \
       --cloudflare-ai-gateway-account-id "your-account-id" \
@@ -95,7 +95,7 @@ openclaw setup --wizard --non-interactive \
   </Accordion>
   <Accordion title="Moonshot example">
     ```bash
-    openclaw setup --wizard --non-interactive \
+    openclaw onboard --non-interactive \
       --mode local \
       --auth-choice moonshot-api-key \
       --moonshot-api-key "$MOONSHOT_API_KEY" \
@@ -105,7 +105,7 @@ openclaw setup --wizard --non-interactive \
   </Accordion>
   <Accordion title="Mistral example">
     ```bash
-    openclaw setup --wizard --non-interactive \
+    openclaw onboard --non-interactive \
       --mode local \
       --auth-choice mistral-api-key \
       --mistral-api-key "$MISTRAL_API_KEY" \
@@ -115,7 +115,7 @@ openclaw setup --wizard --non-interactive \
   </Accordion>
   <Accordion title="Synthetic example">
     ```bash
-    openclaw setup --wizard --non-interactive \
+    openclaw onboard --non-interactive \
       --mode local \
       --auth-choice synthetic-api-key \
       --synthetic-api-key "$SYNTHETIC_API_KEY" \
@@ -125,7 +125,7 @@ openclaw setup --wizard --non-interactive \
   </Accordion>
   <Accordion title="OpenCode example">
     ```bash
-    openclaw setup --wizard --non-interactive \
+    openclaw onboard --non-interactive \
       --mode local \
       --auth-choice opencode-zen \
       --opencode-zen-api-key "$OPENCODE_API_KEY" \
@@ -136,7 +136,7 @@ openclaw setup --wizard --non-interactive \
   </Accordion>
   <Accordion title="Ollama example">
     ```bash
-    openclaw setup --wizard --non-interactive \
+    openclaw onboard --non-interactive \
       --mode local \
       --auth-choice ollama \
       --custom-model-id "qwen3.5:27b" \
@@ -147,7 +147,7 @@ openclaw setup --wizard --non-interactive \
   </Accordion>
   <Accordion title="Custom provider example">
     ```bash
-    openclaw setup --wizard --non-interactive \
+    openclaw onboard --non-interactive \
       --mode local \
       --auth-choice custom-api-key \
       --custom-base-url "https://llm.example.com/v1" \
@@ -165,7 +165,7 @@ openclaw setup --wizard --non-interactive \
 
     ```bash
     export CUSTOM_API_KEY="your-key"
-    openclaw setup --wizard --non-interactive \
+    openclaw onboard --non-interactive \
       --mode local \
       --auth-choice custom-api-key \
       --custom-base-url "https://llm.example.com/v1" \
@@ -212,4 +212,4 @@ Notes:
 
 - Onboarding hub: [Setup Wizard (CLI)](/start/wizard)
 - Full reference: [CLI Setup Reference](/start/wizard-cli-reference)
-- Command reference: [`openclaw setup --wizard`](/cli/setup)
+- Command reference: [`openclaw onboard`](/cli/onboard)
diff --git a/docs/start/wizard-cli-reference.md b/docs/start/wizard-cli-reference.md
index 2a2bac76528..36bd836a13f 100644
--- a/docs/start/wizard-cli-reference.md
+++ b/docs/start/wizard-cli-reference.md
@@ -1,15 +1,15 @@
 ---
 summary: "Complete reference for CLI setup flow, auth/model setup, outputs, and internals"
 read_when:
-  - You need detailed behavior for `openclaw setup --wizard`
-  - You are debugging setup results or integrating setup clients
+  - You need detailed behavior for openclaw onboard
+  - You are debugging onboarding results or integrating onboarding clients
 title: "CLI Setup Reference"
 sidebarTitle: "CLI reference"
 ---
 
 # CLI Setup Reference
 
-This page is the full reference for `openclaw setup --wizard`.
+This page is the full reference for `openclaw onboard`.
 For the short guide, see [Setup Wizard (CLI)](/start/wizard).
 
 ## What the wizard does
@@ -56,7 +56,7 @@ It does not install or modify anything on the remote host.
       - **Use SecretRef** (opt-in)
     - In password mode, interactive setup also supports plaintext or SecretRef storage.
     - Non-interactive token SecretRef path: `--gateway-token-ref-env <ENV_VAR>`.
-      - Requires a non-empty env var in the setup process environment.
+      - Requires a non-empty env var in the onboarding process environment.
       - Cannot be combined with `--gateway-token`.
     - Disable auth only if you fully trust every local process.
     - Non-loopback binds still require auth.
@@ -220,20 +220,20 @@ Credential and profile paths:
 
 Credential storage mode:
 
-- Default setup behavior persists API keys as plaintext values in auth profiles.
+- Default onboarding behavior persists API keys as plaintext values in auth profiles.
 - `--secret-input-mode ref` enables reference mode instead of plaintext key storage.
   In interactive setup, you can choose either:
   - environment variable ref (for example `keyRef: { source: "env", provider: "default", id: "OPENAI_API_KEY" }`)
   - configured provider ref (`file` or `exec`) with provider alias + id
 - Interactive reference mode runs a fast preflight validation before saving.
-  - Env refs: validates variable name + non-empty value in the current setup environment.
+  - Env refs: validates variable name + non-empty value in the current onboarding environment.
   - Provider refs: validates provider config and resolves the requested id.
-  - If preflight fails, setup shows the error and lets you retry.
+  - If preflight fails, onboarding shows the error and lets you retry.
 - In non-interactive mode, `--secret-input-mode ref` is env-backed only.
-  - Set the provider env var in the setup process environment.
-  - Inline key flags (for example `--openai-api-key`) require that env var to be set; otherwise setup fails fast.
+  - Set the provider env var in the onboarding process environment.
+  - Inline key flags (for example `--openai-api-key`) require that env var to be set; otherwise onboarding fails fast.
   - For custom providers, non-interactive `ref` mode stores `models.providers.<id>.apiKey` as `{ source: "env", provider: "default", id: "CUSTOM_API_KEY" }`.
-  - In that custom-provider case, `--custom-api-key` requires `CUSTOM_API_KEY` to be set; otherwise setup fails fast.
+  - In that custom-provider case, `--custom-api-key` requires `CUSTOM_API_KEY` to be set; otherwise onboarding fails fast.
 - Gateway auth credentials support plaintext and SecretRef choices in interactive setup:
   - Token mode: **Generate/store plaintext token** (default) or **Use SecretRef**.
   - Password mode: plaintext or SecretRef.
@@ -252,9 +252,9 @@ Typical fields in `~/.openclaw/openclaw.json`:
 
 - `agents.defaults.workspace`
 - `agents.defaults.model` / `models.providers` (if Minimax chosen)
-- `tools.profile` (local setup defaults to `"coding"` when unset; existing explicit values are preserved)
+- `tools.profile` (local onboarding defaults to `"coding"` when unset; existing explicit values are preserved)
 - `gateway.*` (mode, bind, auth, tailscale)
-- `session.dmScope` (local setup defaults this to `per-channel-peer` when unset; existing explicit values are preserved)
+- `session.dmScope` (local onboarding defaults this to `per-channel-peer` when unset; existing explicit values are preserved)
 - `channels.telegram.botToken`, `channels.discord.token`, `channels.signal.*`, `channels.imessage.*`
 - Channel allowlists (Slack, Discord, Matrix, Microsoft Teams) when you opt in during prompts (names resolve to IDs when possible)
 - `skills.install.nodeManager`
@@ -296,4 +296,4 @@ Signal setup behavior:
 
 - Onboarding hub: [Setup Wizard (CLI)](/start/wizard)
 - Automation and scripts: [CLI Automation](/start/wizard-cli-automation)
-- Command reference: [`openclaw setup --wizard`](/cli/setup)
+- Command reference: [`openclaw onboard`](/cli/onboard)
diff --git a/docs/start/wizard.md b/docs/start/wizard.md
index fe887ea9a4f..7bbe9df64cf 100644
--- a/docs/start/wizard.md
+++ b/docs/start/wizard.md
@@ -4,7 +4,7 @@ read_when:
   - Running or configuring the setup wizard
   - Setting up a new machine
 title: "Setup Wizard (CLI)"
-sidebarTitle: "Setup: CLI"
+sidebarTitle: "Onboarding: CLI"
 ---
 
 # Setup Wizard (CLI)
@@ -15,7 +15,7 @@ It configures a local Gateway or a remote Gateway connection, plus channels, ski
 and workspace defaults in one guided flow.
 
 ```bash
-openclaw setup --wizard
+openclaw onboard
 ```
 
 <Info>
@@ -52,7 +52,7 @@ The wizard starts with **QuickStart** (defaults) vs **Advanced** (full control).
     - Gateway port **18789**
     - Gateway auth **Token** (auto‑generated, even on loopback)
     - Tool policy default for new local setups: `tools.profile: "coding"` (existing explicit profile is preserved)
-    - DM isolation default: local setup writes `session.dmScope: "per-channel-peer"` when unset. Details: [CLI Setup Reference](/start/wizard-cli-reference#outputs-and-internals)
+    - DM isolation default: local onboarding writes `session.dmScope: "per-channel-peer"` when unset. Details: [CLI Setup Reference](/start/wizard-cli-reference#outputs-and-internals)
     - Tailscale exposure **Off**
     - Telegram + WhatsApp DMs default to **allowlist** (you'll be prompted for your phone number)
   </Tab>
@@ -119,7 +119,7 @@ For the deeper technical reference, including RPC details, see
 
 ## Related docs
 
-- CLI command reference: [`openclaw setup`](/cli/setup)
-- Setup overview: [Setup Overview](/start/onboarding-overview)
+- CLI command reference: [`openclaw onboard`](/cli/onboard)
+- Onboarding overview: [Onboarding Overview](/start/onboarding-overview)
 - macOS app onboarding: [Onboarding](/start/onboarding)
 - Agent first-run ritual: [Agent Bootstrapping](/start/bootstrapping)
diff --git a/docs/tools/plugin.md b/docs/tools/plugin.md
index 560d25930d5..c14f3c39f56 100644
--- a/docs/tools/plugin.md
+++ b/docs/tools/plugin.md
@@ -1195,11 +1195,11 @@ A provider plugin can participate in five distinct phases:
    `auth[].run(ctx)` performs OAuth, API-key capture, device code, or custom
    setup and returns auth profiles plus optional config patches.
 2. **Non-interactive setup**
-   `auth[].runNonInteractive(ctx)` handles `openclaw setup --wizard --non-interactive`
+   `auth[].runNonInteractive(ctx)` handles `openclaw onboard --non-interactive`
    without prompts. Use this when the provider needs custom headless setup
    beyond the built-in simple API-key paths.
 3. **Wizard integration**
-   `wizard.setup` adds an entry to `openclaw setup --wizard`.
+   `wizard.setup` adds an entry to `openclaw onboard`.
    `wizard.modelPicker` adds a setup entry to the model picker.
 4. **Implicit discovery**
    `discovery.run(ctx)` can contribute provider config automatically during
@@ -1360,7 +1360,7 @@ or more auth methods (OAuth, API key, device code, etc.). Those methods can
 power:
 
 - `openclaw models auth login --provider <id> [--method <id>]`
-- `openclaw setup --wizard`
+- `openclaw onboard`
 - model-picker “custom provider” setup entries
 - implicit provider discovery during model resolution/listing
 
@@ -1435,7 +1435,7 @@ Notes:
   for headless onboarding.
 - Return `configPatch` when you need to add default models or provider config.
 - Return `defaultModel` so `--set-default` can update agent defaults.
-- `wizard.setup` adds a provider choice to `openclaw setup --wizard`.
+- `wizard.setup` adds a provider choice to `openclaw onboard`.
 - `wizard.modelPicker` adds a “setup this provider” entry to the model picker.
 - `discovery.run` returns either `{ provider }` for the plugin’s own provider id
   or `{ providers }` for multi-provider discovery.
diff --git a/src/cli/program/register.setup.ts b/src/cli/program/register.setup.ts
index 95888cb236a..33893d945bb 100644
--- a/src/cli/program/register.setup.ts
+++ b/src/cli/program/register.setup.ts
@@ -10,7 +10,7 @@ import { hasExplicitOptions } from "../command-options.js";
 export function registerSetupCommand(program: Command) {
   program
     .command("setup")
-    .description("Initialize config/workspace or run the setup wizard")
+    .description("Initialize ~/.openclaw/openclaw.json and the agent workspace")
     .addHelpText(
       "after",
       () =>
@@ -20,8 +20,8 @@ export function registerSetupCommand(program: Command) {
       "--workspace <dir>",
       "Agent workspace directory (default: ~/.openclaw/workspace; stored as agents.defaults.workspace)",
     )
-    .option("--wizard", "Run the guided setup wizard", false)
-    .option("--non-interactive", "Run the setup wizard without prompts", false)
+    .option("--wizard", "Run the interactive onboarding wizard", false)
+    .option("--non-interactive", "Run the wizard without prompts", false)
     .option("--mode <mode>", "Wizard mode: local|remote")
     .option("--remote-url <url>", "Remote Gateway WebSocket URL")
     .option("--remote-token <token>", "Remote Gateway token (optional)")
diff --git a/src/commands/onboard.ts b/src/commands/onboard.ts
index 8eb16fb2c07..c9af3fbf937 100644
--- a/src/commands/onboard.ts
+++ b/src/commands/onboard.ts
@@ -61,7 +61,7 @@ export async function setupWizardCommand(
       [
         "Non-interactive setup requires explicit risk acknowledgement.",
         "Read: https://docs.openclaw.ai/security",
-        `Re-run with: ${formatCliCommand("openclaw setup --wizard --non-interactive --accept-risk ...")}`,
+        `Re-run with: ${formatCliCommand("openclaw onboard --non-interactive --accept-risk ...")}`,
       ].join("\n"),
     );
     runtime.exit(1);
diff --git a/src/commands/reset.ts b/src/commands/reset.ts
index eca1d78e7c1..596d80a139a 100644
--- a/src/commands/reset.ts
+++ b/src/commands/reset.ts
@@ -134,7 +134,7 @@ export async function resetCommand(runtime: RuntimeEnv, opts: ResetOptions) {
     for (const dir of sessionDirs) {
       await removePath(dir, runtime, { dryRun, label: dir });
     }
-    runtime.log(`Next: ${formatCliCommand("openclaw setup --wizard --install-daemon")}`);
+    runtime.log(`Next: ${formatCliCommand("openclaw onboard --install-daemon")}`);
     return;
   }
 
@@ -145,7 +145,7 @@ export async function resetCommand(runtime: RuntimeEnv, opts: ResetOptions) {
       { dryRun },
     );
     await removeWorkspaceDirs(workspaceDirs, runtime, { dryRun });
-    runtime.log(`Next: ${formatCliCommand("openclaw setup --wizard --install-daemon")}`);
+    runtime.log(`Next: ${formatCliCommand("openclaw onboard --install-daemon")}`);
     return;
   }
 }

From 2580b81bd217702c9302072e6a70de9b90f64b9b Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Sun, 15 Mar 2026 22:52:56 -0700
Subject: [PATCH 015/133] refactor: move channel capability diagnostics into
 plugins

---
 docs/refactor/plugin-sdk.md                   |   2 +
 extensions/discord/src/channel.ts             | 104 +++++
 extensions/msteams/src/channel.ts             |  45 +++
 extensions/signal/src/channel.ts              |   5 +
 extensions/slack/src/channel.ts               |  58 +++
 extensions/telegram/src/channel.ts            |  27 +-
 src/auto-reply/reply/route-reply.test.ts      |   7 +-
 src/auto-reply/reply/route-reply.ts           |  29 +-
 .../plugins/message-actions.security.test.ts  |   2 +
 src/channels/plugins/message-actions.ts       |  18 +-
 src/channels/plugins/types.adapters.ts        |  29 ++
 src/channels/plugins/types.core.ts            |   2 +
 src/channels/plugins/types.ts                 |   3 +
 src/channels/reply-prefix.ts                  |   7 +-
 src/commands/channels/add.ts                  |  16 -
 src/commands/channels/capabilities.test.ts    |  36 +-
 src/commands/channels/capabilities.ts         | 360 +++---------------
 src/commands/channels/remove.ts               |   5 -
 18 files changed, 363 insertions(+), 392 deletions(-)

diff --git a/docs/refactor/plugin-sdk.md b/docs/refactor/plugin-sdk.md
index 05d519a0d24..5a630982a97 100644
--- a/docs/refactor/plugin-sdk.md
+++ b/docs/refactor/plugin-sdk.md
@@ -223,6 +223,8 @@ channel-specific UX and routing behavior:
 - `messaging.enableInteractiveReplies`: channel-owned reply normalization toggles
   (for example Slack interactive replies)
 - `messaging.resolveOutboundSessionRoute`: channel-owned outbound session routing
+- `status.formatCapabilitiesProbe` / `status.buildCapabilitiesDiagnostics`: channel-owned
+  `/channels capabilities` probe display and extra audits/scopes
 - `threading.resolveAutoThreadId`: channel-owned same-conversation auto-threading
 - `threading.resolveReplyTransport`: channel-owned reply-vs-thread delivery mapping
 - `actions.requiresTrustedRequesterSender`: channel-owned privileged action trust gates
diff --git a/extensions/discord/src/channel.ts b/extensions/discord/src/channel.ts
index 26a69cf79e0..1b0e003202c 100644
--- a/extensions/discord/src/channel.ts
+++ b/extensions/discord/src/channel.ts
@@ -38,8 +38,11 @@ import {
 import { resolveOutboundSendDep } from "../../../src/infra/outbound/send-deps.js";
 import { normalizeMessageChannel } from "../../../src/utils/message-channel.js";
 import { isDiscordExecApprovalClientEnabled } from "./exec-approvals.js";
+import type { DiscordProbe } from "./probe.js";
 import { getDiscordRuntime } from "./runtime.js";
+import { fetchChannelPermissionsDiscord } from "./send.js";
 import { createDiscordSetupWizardProxy, discordSetupAdapter } from "./setup-core.js";
+import { parseDiscordTarget } from "./targets.js";
 import { DiscordUiContainer } from "./ui.js";
 
 type DiscordSendFn = ReturnType<
@@ -47,11 +50,27 @@ type DiscordSendFn = ReturnType<
 >["channel"]["discord"]["sendMessageDiscord"];
 
 const meta = getChatChannelMeta("discord");
+const REQUIRED_DISCORD_PERMISSIONS = ["ViewChannel", "SendMessages"] as const;
 
 async function loadDiscordChannelRuntime() {
   return await import("./channel.runtime.js");
 }
 
+function formatDiscordIntents(intents?: {
+  messageContent?: string;
+  guildMembers?: string;
+  presence?: string;
+}) {
+  if (!intents) {
+    return "unknown";
+  }
+  return [
+    `messageContent=${intents.messageContent ?? "unknown"}`,
+    `guildMembers=${intents.guildMembers ?? "unknown"}`,
+    `presence=${intents.presence ?? "unknown"}`,
+  ].join(" ");
+}
+
 const discordMessageActions: ChannelMessageActionAdapter = {
   listActions: (ctx) =>
     getDiscordRuntime().channel.discord.messageActions?.listActions?.(ctx) ?? [],
@@ -355,6 +374,91 @@ export const discordPlugin: ChannelPlugin<ResolvedDiscordAccount> = {
       getDiscordRuntime().channel.discord.probeDiscord(account.token, timeoutMs, {
         includeApplication: true,
       }),
+    formatCapabilitiesProbe: ({ probe }) => {
+      const discordProbe = probe as DiscordProbe | undefined;
+      const lines = [];
+      if (discordProbe?.bot?.username) {
+        const botId = discordProbe.bot.id ? ` (${discordProbe.bot.id})` : "";
+        lines.push({ text: `Bot: @${discordProbe.bot.username}${botId}` });
+      }
+      if (discordProbe?.application?.intents) {
+        lines.push({ text: `Intents: ${formatDiscordIntents(discordProbe.application.intents)}` });
+      }
+      return lines;
+    },
+    buildCapabilitiesDiagnostics: async ({ account, timeoutMs, target }) => {
+      if (!target?.trim()) {
+        return undefined;
+      }
+      const parsedTarget = parseDiscordTarget(target.trim(), { defaultKind: "channel" });
+      const details: Record<string, unknown> = {
+        target: {
+          raw: target,
+          normalized: parsedTarget?.normalized,
+          kind: parsedTarget?.kind,
+          channelId: parsedTarget?.kind === "channel" ? parsedTarget.id : undefined,
+        },
+      };
+      if (!parsedTarget || parsedTarget.kind !== "channel") {
+        return {
+          details,
+          lines: [
+            {
+              text: "Permissions: Target looks like a DM user; pass channel:<id> to audit channel permissions.",
+              tone: "error",
+            },
+          ],
+        };
+      }
+      const token = account.token?.trim();
+      if (!token) {
+        return {
+          details,
+          lines: [
+            {
+              text: "Permissions: Discord bot token missing for permission audit.",
+              tone: "error",
+            },
+          ],
+        };
+      }
+      try {
+        const perms = await fetchChannelPermissionsDiscord(parsedTarget.id, {
+          token,
+          accountId: account.accountId ?? undefined,
+        });
+        const missingRequired = REQUIRED_DISCORD_PERMISSIONS.filter(
+          (permission) => !perms.permissions.includes(permission),
+        );
+        details.permissions = {
+          channelId: perms.channelId,
+          guildId: perms.guildId,
+          isDm: perms.isDm,
+          channelType: perms.channelType,
+          permissions: perms.permissions,
+          missingRequired,
+          raw: perms.raw,
+        };
+        return {
+          details,
+          lines: [
+            {
+              text: `Permissions (${perms.channelId}): ${perms.permissions.length ? perms.permissions.join(", ") : "none"}`,
+            },
+            missingRequired.length > 0
+              ? { text: `Missing required: ${missingRequired.join(", ")}`, tone: "warn" }
+              : { text: "Missing required: none", tone: "success" },
+          ],
+        };
+      } catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        details.permissions = { channelId: parsedTarget.id, error: message };
+        return {
+          details,
+          lines: [{ text: `Permissions: ${message}`, tone: "error" }],
+        };
+      }
+    },
     auditAccount: async ({ account, timeoutMs, cfg }) => {
       const { channelIds, unresolvedChannels } = collectDiscordAuditChannelIds({
         cfg,
diff --git a/extensions/msteams/src/channel.ts b/extensions/msteams/src/channel.ts
index a21aa451eb8..c4d3f41054c 100644
--- a/extensions/msteams/src/channel.ts
+++ b/extensions/msteams/src/channel.ts
@@ -17,6 +17,7 @@ import {
   PAIRING_APPROVED_MESSAGE,
 } from "openclaw/plugin-sdk/msteams";
 import { resolveMSTeamsGroupToolPolicy } from "./policy.js";
+import type { ProbeMSTeamsResult } from "./probe.js";
 import {
   normalizeMSTeamsMessagingTarget,
   normalizeMSTeamsUserInput,
@@ -47,6 +48,16 @@ const meta = {
   order: 60,
 } as const;
 
+const TEAMS_GRAPH_PERMISSION_HINTS: Record<string, string> = {
+  "ChannelMessage.Read.All": "channel history",
+  "Chat.Read.All": "chat history",
+  "Channel.ReadBasic.All": "channel list",
+  "Team.ReadBasic.All": "team list",
+  "TeamsActivity.Read.All": "teams activity",
+  "Sites.Read.All": "files (SharePoint)",
+  "Files.Read.All": "files (OneDrive)",
+};
+
 async function loadMSTeamsChannelRuntime() {
   return await import("./channel.runtime.js");
 }
@@ -435,6 +446,40 @@ export const msteamsPlugin: ChannelPlugin<ResolvedMSTeamsAccount> = {
       }),
     probeAccount: async ({ cfg }) =>
       await (await loadMSTeamsChannelRuntime()).probeMSTeams(cfg.channels?.msteams),
+    formatCapabilitiesProbe: ({ probe }) => {
+      const teamsProbe = probe as ProbeMSTeamsResult | undefined;
+      const lines: Array<{ text: string; tone?: "error" }> = [];
+      const appId = typeof teamsProbe?.appId === "string" ? teamsProbe.appId.trim() : "";
+      if (appId) {
+        lines.push({ text: `App: ${appId}` });
+      }
+      const graph = teamsProbe?.graph;
+      if (graph) {
+        const roles = Array.isArray(graph.roles)
+          ? graph.roles.map((role) => String(role).trim()).filter(Boolean)
+          : [];
+        const scopes = Array.isArray(graph.scopes)
+          ? graph.scopes.map((scope) => String(scope).trim()).filter(Boolean)
+          : [];
+        const formatPermission = (permission: string) => {
+          const hint = TEAMS_GRAPH_PERMISSION_HINTS[permission];
+          return hint ? `${permission} (${hint})` : permission;
+        };
+        if (graph.ok === false) {
+          lines.push({ text: `Graph: ${graph.error ?? "failed"}`, tone: "error" });
+        } else if (roles.length > 0 || scopes.length > 0) {
+          if (roles.length > 0) {
+            lines.push({ text: `Graph roles: ${roles.map(formatPermission).join(", ")}` });
+          }
+          if (scopes.length > 0) {
+            lines.push({ text: `Graph scopes: ${scopes.map(formatPermission).join(", ")}` });
+          }
+        } else if (graph.ok === true) {
+          lines.push({ text: "Graph: ok" });
+        }
+      }
+      return lines;
+    },
     buildAccountSnapshot: ({ account, runtime, probe }) => ({
       accountId: account.accountId,
       enabled: account.enabled,
diff --git a/extensions/signal/src/channel.ts b/extensions/signal/src/channel.ts
index 8b2f0998ff9..010df26d390 100644
--- a/extensions/signal/src/channel.ts
+++ b/extensions/signal/src/channel.ts
@@ -27,6 +27,7 @@ import {
   type ResolvedSignalAccount,
 } from "openclaw/plugin-sdk/signal";
 import { resolveOutboundSendDep } from "../../../src/infra/outbound/send-deps.js";
+import type { SignalProbe } from "./probe.js";
 import { getSignalRuntime } from "./runtime.js";
 import { createSignalSetupWizardProxy, signalSetupAdapter } from "./setup-core.js";
 
@@ -220,6 +221,10 @@ export const signalPlugin: ChannelPlugin<ResolvedSignalAccount> = {
       const baseUrl = account.baseUrl;
       return await getSignalRuntime().channel.signal.probeSignal(baseUrl, timeoutMs);
     },
+    formatCapabilitiesProbe: ({ probe }) =>
+      (probe as SignalProbe | undefined)?.version
+        ? [{ text: `Signal daemon: ${(probe as SignalProbe).version}` }]
+        : [],
     buildAccountSnapshot: ({ account, runtime, probe }) => ({
       ...buildBaseAccountStatusSnapshot({ account, runtime, probe }),
       baseUrl: account.baseUrl,
diff --git a/extensions/slack/src/channel.ts b/extensions/slack/src/channel.ts
index 04c9706bd95..f658b93d2c3 100644
--- a/extensions/slack/src/channel.ts
+++ b/extensions/slack/src/channel.ts
@@ -36,7 +36,10 @@ import {
 } from "openclaw/plugin-sdk/slack";
 import { resolveOutboundSendDep } from "../../../src/infra/outbound/send-deps.js";
 import { buildPassiveProbedChannelStatusSummary } from "../../shared/channel-status-summary.js";
+import { parseSlackBlocksInput } from "./blocks-input.js";
+import type { SlackProbe } from "./probe.js";
 import { getSlackRuntime } from "./runtime.js";
+import { fetchSlackScopes } from "./scopes.js";
 import { createSlackSetupWizardProxy, slackSetupAdapter } from "./setup-core.js";
 import { parseSlackTarget } from "./targets.js";
 
@@ -126,6 +129,21 @@ function resolveSlackAutoThreadId(params: {
   return context.currentThreadTs;
 }
 
+function formatSlackScopeDiagnostic(params: {
+  tokenType: "bot" | "user";
+  result: Awaited<ReturnType<typeof fetchSlackScopes>>;
+}) {
+  const source = params.result.source ? ` (${params.result.source})` : "";
+  const label = params.tokenType === "user" ? "User scopes" : "Bot scopes";
+  if (params.result.ok && params.result.scopes?.length) {
+    return { text: `${label}${source}: ${params.result.scopes.join(", ")}` } as const;
+  }
+  return {
+    text: `${label}: ${params.result.error ?? "scope lookup failed"}`,
+    tone: "error",
+  } as const;
+}
+
 const slackConfigAccessors = createScopedAccountConfigAccessors({
   resolveAccount: ({ cfg, accountId }) => resolveSlackAccount({ cfg, accountId }),
   resolveAllowFrom: (account: ResolvedSlackAccount) => account.dm?.allowFrom,
@@ -285,6 +303,17 @@ export const slackPlugin: ChannelPlugin<ResolvedSlackAccount> = {
     normalizeTarget: normalizeSlackMessagingTarget,
     enableInteractiveReplies: ({ cfg, accountId }) =>
       isSlackInteractiveRepliesEnabled({ cfg, accountId }),
+    hasStructuredReplyPayload: ({ payload }) => {
+      const slackData = payload.channelData?.slack;
+      if (!slackData || typeof slackData !== "object" || Array.isArray(slackData)) {
+        return false;
+      }
+      try {
+        return Boolean(parseSlackBlocksInput((slackData as { blocks?: unknown }).blocks)?.length);
+      } catch {
+        return false;
+      }
+    },
     targetResolver: {
       looksLikeId: looksLikeSlackTargetId,
       hint: "<channelId|user:ID|channel:ID>",
@@ -429,6 +458,35 @@ export const slackPlugin: ChannelPlugin<ResolvedSlackAccount> = {
       }
       return await getSlackRuntime().channel.slack.probeSlack(token, timeoutMs);
     },
+    formatCapabilitiesProbe: ({ probe }) => {
+      const slackProbe = probe as SlackProbe | undefined;
+      const lines = [];
+      if (slackProbe?.bot?.name) {
+        lines.push({ text: `Bot: @${slackProbe.bot.name}` });
+      }
+      if (slackProbe?.team?.name || slackProbe?.team?.id) {
+        const id = slackProbe.team?.id ? ` (${slackProbe.team.id})` : "";
+        lines.push({ text: `Team: ${slackProbe.team?.name ?? "unknown"}${id}` });
+      }
+      return lines;
+    },
+    buildCapabilitiesDiagnostics: async ({ account, timeoutMs }) => {
+      const lines = [];
+      const details: Record<string, unknown> = {};
+      const botToken = account.botToken?.trim();
+      const userToken = account.config.userToken?.trim();
+      const botScopes = botToken
+        ? await fetchSlackScopes(botToken, timeoutMs)
+        : { ok: false, error: "Slack bot token missing." };
+      lines.push(formatSlackScopeDiagnostic({ tokenType: "bot", result: botScopes }));
+      details.botScopes = botScopes;
+      if (userToken) {
+        const userScopes = await fetchSlackScopes(userToken, timeoutMs);
+        lines.push(formatSlackScopeDiagnostic({ tokenType: "user", result: userScopes }));
+        details.userScopes = userScopes;
+      }
+      return { lines, details };
+    },
     buildAccountSnapshot: ({ account, runtime, probe }) => {
       const mode = account.config.mode ?? "socket";
       const configured =
diff --git a/extensions/telegram/src/channel.ts b/extensions/telegram/src/channel.ts
index 1f0d94057a2..2aebfe5652c 100644
--- a/extensions/telegram/src/channel.ts
+++ b/extensions/telegram/src/channel.ts
@@ -54,7 +54,6 @@ import { sendTypingTelegram } from "./send.js";
 import { telegramSetupAdapter } from "./setup-core.js";
 import { telegramSetupWizard } from "./setup-surface.js";
 import { parseTelegramTarget } from "./targets.js";
-import { deleteTelegramUpdateOffset } from "./update-offset-store.js";
 
 type TelegramSendFn = ReturnType<
   typeof getTelegramRuntime
@@ -334,10 +333,12 @@ export const telegramPlugin: ChannelPlugin<ResolvedTelegramAccount, TelegramProb
       const previousToken = resolveTelegramAccount({ cfg: prevCfg, accountId }).token.trim();
       const nextToken = resolveTelegramAccount({ cfg: nextCfg, accountId }).token.trim();
       if (previousToken !== nextToken) {
+        const { deleteTelegramUpdateOffset } = await import("./update-offset-store.js");
         await deleteTelegramUpdateOffset({ accountId });
       }
     },
     onAccountRemoved: async ({ accountId }) => {
+      const { deleteTelegramUpdateOffset } = await import("./update-offset-store.js");
       await deleteTelegramUpdateOffset({ accountId });
     },
   },
@@ -515,6 +516,30 @@ export const telegramPlugin: ChannelPlugin<ResolvedTelegramAccount, TelegramProb
         proxyUrl: account.config.proxy,
         network: account.config.network,
       }),
+    formatCapabilitiesProbe: ({ probe }) => {
+      const lines = [];
+      if (probe?.bot?.username) {
+        const botId = probe.bot.id ? ` (${probe.bot.id})` : "";
+        lines.push({ text: `Bot: @${probe.bot.username}${botId}` });
+      }
+      const flags: string[] = [];
+      if (typeof probe?.bot?.canJoinGroups === "boolean") {
+        flags.push(`joinGroups=${probe.bot.canJoinGroups}`);
+      }
+      if (typeof probe?.bot?.canReadAllGroupMessages === "boolean") {
+        flags.push(`readAllGroupMessages=${probe.bot.canReadAllGroupMessages}`);
+      }
+      if (typeof probe?.bot?.supportsInlineQueries === "boolean") {
+        flags.push(`inlineQueries=${probe.bot.supportsInlineQueries}`);
+      }
+      if (flags.length > 0) {
+        lines.push({ text: `Flags: ${flags.join(" ")}` });
+      }
+      if (probe?.webhook?.url !== undefined) {
+        lines.push({ text: `Webhook: ${probe.webhook.url || "none"}` });
+      }
+      return lines;
+    },
     auditAccount: async ({ account, timeoutMs, probe, cfg }) => {
       const groups =
         cfg.channels?.telegram?.accounts?.[account.accountId]?.groups ??
diff --git a/src/auto-reply/reply/route-reply.test.ts b/src/auto-reply/reply/route-reply.test.ts
index 0a717f9bfc7..c0023ae1c37 100644
--- a/src/auto-reply/reply/route-reply.test.ts
+++ b/src/auto-reply/reply/route-reply.test.ts
@@ -1,5 +1,6 @@
 import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
 import { mattermostPlugin } from "../../../extensions/mattermost/src/channel.js";
+import { slackPlugin } from "../../../extensions/slack/src/channel.js";
 import { discordOutbound } from "../../channels/plugins/outbound/discord.js";
 import { imessageOutbound } from "../../channels/plugins/outbound/imessage.js";
 import { signalOutbound } from "../../channels/plugins/outbound/signal.js";
@@ -540,7 +541,11 @@ const defaultRegistry = createTestRegistry([
   },
   {
     pluginId: "slack",
-    plugin: createOutboundTestPlugin({ id: "slack", outbound: slackOutbound, label: "Slack" }),
+    plugin: {
+      ...createOutboundTestPlugin({ id: "slack", outbound: slackOutbound, label: "Slack" }),
+      messaging: slackPlugin.messaging,
+      threading: slackPlugin.threading,
+    },
     source: "test",
   },
   {
diff --git a/src/auto-reply/reply/route-reply.ts b/src/auto-reply/reply/route-reply.ts
index 15036d0878f..8dc7499526a 100644
--- a/src/auto-reply/reply/route-reply.ts
+++ b/src/auto-reply/reply/route-reply.ts
@@ -7,8 +7,6 @@
  * across multiple providers.
  */
 
-import { parseSlackBlocksInput } from "../../../extensions/slack/src/blocks-input.js";
-import { isSlackInteractiveRepliesEnabled } from "../../../extensions/slack/src/interactive-replies.js";
 import { resolveSessionAgentId } from "../../agents/agent-scope.js";
 import { resolveEffectiveMessagesConfig } from "../../agents/identity.js";
 import { getChannelPlugin, normalizeChannelId } from "../../channels/plugins/index.js";
@@ -101,9 +99,10 @@ export async function routeReply(params: RouteReplyParams): Promise<RouteReplyRe
       : cfg.messages?.responsePrefix;
   const normalized = normalizeReplyPayload(payload, {
     responsePrefix,
-    enableSlackInteractiveReplies:
-      plugin?.messaging?.enableInteractiveReplies?.({ cfg, accountId }) ??
-      (channel === "slack" ? isSlackInteractiveRepliesEnabled({ cfg, accountId }) : false),
+    enableSlackInteractiveReplies: plugin?.messaging?.enableInteractiveReplies?.({
+      cfg,
+      accountId,
+    }),
   });
   if (!normalized) {
     return { ok: true };
@@ -121,23 +120,9 @@ export async function routeReply(params: RouteReplyParams): Promise<RouteReplyRe
       : [];
   const replyToId = externalPayload.replyToId;
   const hasInteractive = (externalPayload.interactive?.blocks.length ?? 0) > 0;
-  let hasChannelData =
-    externalPayload.channelData != null && Object.keys(externalPayload.channelData).length > 0;
-  if (
-    channel === "slack" &&
-    externalPayload.channelData?.slack &&
-    typeof externalPayload.channelData.slack === "object" &&
-    !Array.isArray(externalPayload.channelData.slack)
-  ) {
-    try {
-      hasChannelData = Boolean(
-        parseSlackBlocksInput((externalPayload.channelData.slack as { blocks?: unknown }).blocks)
-          ?.length,
-      );
-    } catch {
-      hasChannelData = false;
-    }
-  }
+  const hasChannelData = plugin?.messaging?.hasStructuredReplyPayload?.({
+    payload: externalPayload,
+  });
 
   // Skip empty replies.
   if (!text.trim() && mediaUrls.length === 0 && !hasInteractive && !hasChannelData) {
diff --git a/src/channels/plugins/message-actions.security.test.ts b/src/channels/plugins/message-actions.security.test.ts
index 1dbd19de3e0..b8b62afdecd 100644
--- a/src/channels/plugins/message-actions.security.test.ts
+++ b/src/channels/plugins/message-actions.security.test.ts
@@ -25,6 +25,8 @@ const discordPlugin: ChannelPlugin = {
   actions: {
     listActions: () => ["kick"],
     supportsAction: ({ action }) => action === "kick",
+    requiresTrustedRequesterSender: ({ action, toolContext }) =>
+      Boolean(action === "kick" && toolContext),
     handleAction,
   },
 };
diff --git a/src/channels/plugins/message-actions.ts b/src/channels/plugins/message-actions.ts
index 53bc14cfc10..506f2204493 100644
--- a/src/channels/plugins/message-actions.ts
+++ b/src/channels/plugins/message-actions.ts
@@ -6,23 +6,13 @@ import type { ChannelMessageActionContext, ChannelMessageActionName } from "./ty
 
 type ChannelActions = NonNullable<NonNullable<ReturnType<typeof getChannelPlugin>>["actions"]>;
 
-const trustedRequesterRequiredByChannel: Readonly<
-  Partial<Record<string, ReadonlySet<ChannelMessageActionName>>>
-> = {
-  discord: new Set<ChannelMessageActionName>(["timeout", "kick", "ban"]),
-};
-
 function requiresTrustedRequesterSender(ctx: ChannelMessageActionContext): boolean {
   const plugin = getChannelPlugin(ctx.channel);
-  const fromPlugin = plugin?.actions?.requiresTrustedRequesterSender?.({
-    action: ctx.action,
-    toolContext: ctx.toolContext,
-  });
-  if (fromPlugin != null) {
-    return fromPlugin;
-  }
   return Boolean(
-    trustedRequesterRequiredByChannel[ctx.channel]?.has(ctx.action) && ctx.toolContext,
+    plugin?.actions?.requiresTrustedRequesterSender?.({
+      action: ctx.action,
+      toolContext: ctx.toolContext,
+    }),
   );
 }
 
diff --git a/src/channels/plugins/types.adapters.ts b/src/channels/plugins/types.adapters.ts
index c8255f07542..084fa653bb8 100644
--- a/src/channels/plugins/types.adapters.ts
+++ b/src/channels/plugins/types.adapters.ts
@@ -35,6 +35,22 @@ export type ChannelExecApprovalForwardTarget = {
   source?: "session" | "target";
 };
 
+export type ChannelCapabilitiesDisplayTone = "default" | "muted" | "success" | "warn" | "error";
+
+export type ChannelCapabilitiesDisplayLine = {
+  text: string;
+  tone?: ChannelCapabilitiesDisplayTone;
+};
+
+export type ChannelCapabilitiesDiagnostics = {
+  lines?: ChannelCapabilitiesDisplayLine[];
+  details?: Record<string, unknown>;
+};
+
+type BivariantCallback<T extends (...args: never[]) => unknown> = {
+  bivarianceHack: T;
+}["bivarianceHack"];
+
 export type ChannelSetupAdapter = {
   resolveAccountId?: (params: {
     cfg: OpenClawConfig;
@@ -153,12 +169,25 @@ export type ChannelStatusAdapter<ResolvedAccount, Probe = unknown, Audit = unkno
     timeoutMs: number;
     cfg: OpenClawConfig;
   }) => Promise<Probe>;
+  formatCapabilitiesProbe?: BivariantCallback<
+    (params: { probe: Probe }) => ChannelCapabilitiesDisplayLine[]
+  >;
   auditAccount?: (params: {
     account: ResolvedAccount;
     timeoutMs: number;
     cfg: OpenClawConfig;
     probe?: Probe;
   }) => Promise<Audit>;
+  buildCapabilitiesDiagnostics?: BivariantCallback<
+    (params: {
+      account: ResolvedAccount;
+      timeoutMs: number;
+      cfg: OpenClawConfig;
+      probe?: Probe;
+      audit?: Audit;
+      target?: string;
+    }) => Promise<ChannelCapabilitiesDiagnostics | undefined>
+  >;
   buildAccountSnapshot?: (params: {
     account: ResolvedAccount;
     cfg: OpenClawConfig;
diff --git a/src/channels/plugins/types.core.ts b/src/channels/plugins/types.core.ts
index 22b2c9387e7..4d94afe49fd 100644
--- a/src/channels/plugins/types.core.ts
+++ b/src/channels/plugins/types.core.ts
@@ -2,6 +2,7 @@ import type { TopLevelComponents } from "@buape/carbon";
 import type { AgentTool, AgentToolResult } from "@mariozechner/pi-agent-core";
 import type { TSchema } from "@sinclair/typebox";
 import type { MsgContext } from "../../auto-reply/templating.js";
+import type { ReplyPayload } from "../../auto-reply/types.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import type { PollInput } from "../../polls.js";
 import type { GatewayClientMode, GatewayClientName } from "../../utils/message-channel.js";
@@ -349,6 +350,7 @@ export type ChannelMessagingAdapter = {
     cfg: OpenClawConfig;
     accountId?: string | null;
   }) => boolean;
+  hasStructuredReplyPayload?: (params: { payload: ReplyPayload }) => boolean;
   targetResolver?: {
     looksLikeId?: (raw: string, normalized?: string) => boolean;
     hint?: string;
diff --git a/src/channels/plugins/types.ts b/src/channels/plugins/types.ts
index a2abcc12dea..ffa098f0673 100644
--- a/src/channels/plugins/types.ts
+++ b/src/channels/plugins/types.ts
@@ -9,6 +9,9 @@ export type { ChannelMessageCapability } from "./message-capabilities.js";
 export type {
   ChannelAuthAdapter,
   ChannelCommandAdapter,
+  ChannelCapabilitiesDiagnostics,
+  ChannelCapabilitiesDisplayLine,
+  ChannelCapabilitiesDisplayTone,
   ChannelConfigAdapter,
   ChannelDirectoryAdapter,
   ChannelExecApprovalAdapter,
diff --git a/src/channels/reply-prefix.ts b/src/channels/reply-prefix.ts
index c76b6175157..cfda423eeb9 100644
--- a/src/channels/reply-prefix.ts
+++ b/src/channels/reply-prefix.ts
@@ -1,4 +1,3 @@
-import { isSlackInteractiveRepliesEnabled } from "../../extensions/slack/src/interactive-replies.js";
 import { resolveEffectiveMessagesConfig, resolveIdentityName } from "../agents/identity.js";
 import {
   extractShortModelName,
@@ -55,11 +54,7 @@ export function createReplyPrefixContext(params: {
       ? (getChannelPlugin(params.channel)?.messaging?.enableInteractiveReplies?.({
           cfg,
           accountId: params.accountId,
-        }) ??
-        (params.channel === "slack"
-          ? isSlackInteractiveRepliesEnabled({ cfg, accountId: params.accountId })
-          : undefined) ??
-        undefined)
+        }) ?? undefined)
       : undefined,
     responsePrefixContextProvider: () => prefixContext,
     onModelSelected,
diff --git a/src/commands/channels/add.ts b/src/commands/channels/add.ts
index 0079e7ea881..4f8b3e8133c 100644
--- a/src/commands/channels/add.ts
+++ b/src/commands/channels/add.ts
@@ -321,12 +321,6 @@ export async function channelsAddCommand(
     });
   }
 
-  let previousTelegramToken = "";
-  if (channel === "telegram") {
-    const { resolveTelegramAccount } = await import("../../../extensions/telegram/src/accounts.js");
-    previousTelegramToken = resolveTelegramAccount({ cfg: prevConfig, accountId }).token.trim();
-  }
-
   nextConfig = applyChannelAccountConfig({
     cfg: nextConfig,
     channel,
@@ -340,16 +334,6 @@ export async function channelsAddCommand(
     accountId,
     runtime,
   });
-  if (channel === "telegram") {
-    const [{ resolveTelegramAccount }, { deleteTelegramUpdateOffset }] = await Promise.all([
-      import("../../../extensions/telegram/src/accounts.js"),
-      import("../../../extensions/telegram/src/update-offset-store.js"),
-    ]);
-    const nextTelegramToken = resolveTelegramAccount({ cfg: nextConfig, accountId }).token.trim();
-    if (previousTelegramToken !== nextTelegramToken) {
-      await deleteTelegramUpdateOffset({ accountId });
-    }
-  }
 
   await writeConfigFile(nextConfig);
   runtime.log(`Added ${channelLabel(channel)} account "${accountId}".`);
diff --git a/src/commands/channels/capabilities.test.ts b/src/commands/channels/capabilities.test.ts
index 5e838cc4ec8..3a70bdb85f9 100644
--- a/src/commands/channels/capabilities.test.ts
+++ b/src/commands/channels/capabilities.test.ts
@@ -1,7 +1,6 @@
 process.env.NO_COLOR = "1";
 
 import { beforeEach, describe, expect, it, vi } from "vitest";
-import { fetchSlackScopes } from "../../../extensions/slack/src/scopes.js";
 import { getChannelPlugin, listChannelPlugins } from "../../channels/plugins/index.js";
 import type { ChannelPlugin } from "../../channels/plugins/types.js";
 import { channelsCapabilitiesCommand } from "./capabilities.js";
@@ -21,10 +20,6 @@ vi.mock("../../channels/plugins/index.js", () => ({
   getChannelPlugin: vi.fn(),
 }));
 
-vi.mock("../../../extensions/slack/src/scopes.js", () => ({
-  fetchSlackScopes: vi.fn(),
-}));
-
 const runtime = {
   log: (...args: unknown[]) => {
     logs.push(args.map(String).join(" "));
@@ -95,14 +90,22 @@ describe("channelsCapabilitiesCommand", () => {
       },
       probe: { ok: true, bot: { name: "openclaw" }, team: { name: "team" } },
     });
+    plugin.status = {
+      ...plugin.status,
+      formatCapabilitiesProbe: () => [{ text: "Bot: @openclaw" }, { text: "Team: team" }],
+      buildCapabilitiesDiagnostics: async () => ({
+        lines: [
+          { text: "Bot scopes (auth.scopes): chat:write" },
+          { text: "User scopes (auth.scopes): users:read" },
+        ],
+        details: {
+          botScopes: { ok: true, scopes: ["chat:write"], source: "auth.scopes" },
+          userScopes: { ok: true, scopes: ["users:read"], source: "auth.scopes" },
+        },
+      }),
+    };
     vi.mocked(listChannelPlugins).mockReturnValue([plugin]);
     vi.mocked(getChannelPlugin).mockReturnValue(plugin);
-    vi.mocked(fetchSlackScopes).mockImplementation(async (token: string) => {
-      if (token === "xoxp-user") {
-        return { ok: true, scopes: ["users:read"], source: "auth.scopes" };
-      }
-      return { ok: true, scopes: ["chat:write"], source: "auth.scopes" };
-    });
 
     await channelsCapabilitiesCommand({ channel: "slack" }, runtime);
 
@@ -111,8 +114,6 @@ describe("channelsCapabilitiesCommand", () => {
     expect(output).toContain("User scopes");
     expect(output).toContain("chat:write");
     expect(output).toContain("users:read");
-    expect(fetchSlackScopes).toHaveBeenCalledWith("xoxb-bot", expect.any(Number));
-    expect(fetchSlackScopes).toHaveBeenCalledWith("xoxp-user", expect.any(Number));
   });
 
   it("prints Teams Graph permission hints when present", async () => {
@@ -127,6 +128,15 @@ describe("channelsCapabilitiesCommand", () => {
         },
       },
     });
+    plugin.status = {
+      ...plugin.status,
+      formatCapabilitiesProbe: () => [
+        { text: "App: app-id" },
+        {
+          text: "Graph roles: ChannelMessage.Read.All (channel history), Files.Read.All (files (OneDrive))",
+        },
+      ],
+    };
     vi.mocked(listChannelPlugins).mockReturnValue([plugin]);
     vi.mocked(getChannelPlugin).mockReturnValue(plugin);
 
diff --git a/src/commands/channels/capabilities.ts b/src/commands/channels/capabilities.ts
index 30f64da43d9..acd28137b30 100644
--- a/src/commands/channels/capabilities.ts
+++ b/src/commands/channels/capabilities.ts
@@ -1,9 +1,11 @@
-import { fetchChannelPermissionsDiscord } from "../../../extensions/discord/src/send.js";
-import { parseDiscordTarget } from "../../../extensions/discord/src/targets.js";
-import { fetchSlackScopes, type SlackScopesResult } from "../../../extensions/slack/src/scopes.js";
 import { resolveChannelDefaultAccountId } from "../../channels/plugins/helpers.js";
 import { getChannelPlugin, listChannelPlugins } from "../../channels/plugins/index.js";
-import type { ChannelCapabilities, ChannelPlugin } from "../../channels/plugins/types.js";
+import type {
+  ChannelCapabilities,
+  ChannelCapabilitiesDiagnostics,
+  ChannelCapabilitiesDisplayLine,
+  ChannelPlugin,
+} from "../../channels/plugins/types.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import { danger } from "../../globals.js";
 import { defaultRuntime, type RuntimeEnv } from "../../runtime.js";
@@ -18,24 +20,6 @@ export type ChannelsCapabilitiesOptions = {
   json?: boolean;
 };
 
-type DiscordTargetSummary = {
-  raw?: string;
-  normalized?: string;
-  kind?: "channel" | "user";
-  channelId?: string;
-};
-
-type DiscordPermissionsReport = {
-  channelId?: string;
-  guildId?: string;
-  isDm?: boolean;
-  channelType?: number;
-  permissions?: string[];
-  missingRequired?: string[];
-  raw?: string;
-  error?: string;
-};
-
 type ChannelCapabilitiesReport = {
   channel: string;
   accountId: string;
@@ -45,24 +29,7 @@ type ChannelCapabilitiesReport = {
   support?: ChannelCapabilities;
   actions?: string[];
   probe?: unknown;
-  slackScopes?: Array<{
-    tokenType: "bot" | "user";
-    result: SlackScopesResult;
-  }>;
-  target?: DiscordTargetSummary;
-  channelPermissions?: DiscordPermissionsReport;
-};
-
-const REQUIRED_DISCORD_PERMISSIONS = ["ViewChannel", "SendMessages"] as const;
-
-const TEAMS_GRAPH_PERMISSION_HINTS: Record<string, string> = {
-  "ChannelMessage.Read.All": "channel history",
-  "Chat.Read.All": "chat history",
-  "Channel.ReadBasic.All": "channel list",
-  "Team.ReadBasic.All": "team list",
-  "TeamsActivity.Read.All": "teams activity",
-  "Sites.Read.All": "files (SharePoint)",
-  "Files.Read.All": "files (OneDrive)",
+  diagnostics?: ChannelCapabilitiesDiagnostics;
 };
 
 function normalizeTimeout(raw: unknown, fallback = 10_000) {
@@ -117,221 +84,35 @@ function formatSupport(capabilities?: ChannelCapabilities) {
   return bits.length ? bits.join(" ") : "none";
 }
 
-function summarizeDiscordTarget(raw?: string): DiscordTargetSummary | undefined {
-  if (!raw) {
-    return undefined;
-  }
-  const target = parseDiscordTarget(raw, { defaultKind: "channel" });
-  if (!target) {
-    return { raw };
-  }
-  if (target.kind === "channel") {
-    return {
-      raw,
-      normalized: target.normalized,
-      kind: "channel",
-      channelId: target.id,
-    };
-  }
-  if (target.kind === "user") {
-    return {
-      raw,
-      normalized: target.normalized,
-      kind: "user",
-    };
-  }
-  return { raw, normalized: target.normalized };
-}
-
-function formatDiscordIntents(intents?: {
-  messageContent?: string;
-  guildMembers?: string;
-  presence?: string;
-}) {
-  if (!intents) {
-    return "unknown";
-  }
-  return [
-    `messageContent=${intents.messageContent ?? "unknown"}`,
-    `guildMembers=${intents.guildMembers ?? "unknown"}`,
-    `presence=${intents.presence ?? "unknown"}`,
-  ].join(" ");
-}
-
-function formatProbeLines(channelId: string, probe: unknown): string[] {
-  const lines: string[] = [];
+function formatGenericProbeLines(probe: unknown): ChannelCapabilitiesDisplayLine[] {
   if (!probe || typeof probe !== "object") {
-    return lines;
+    return [];
   }
   const probeObj = probe as Record<string, unknown>;
-
-  if (channelId === "discord") {
-    const bot = probeObj.bot as { id?: string | null; username?: string | null } | undefined;
-    if (bot?.username) {
-      const botId = bot.id ? ` (${bot.id})` : "";
-      lines.push(`Bot: ${theme.accent(`@${bot.username}`)}${botId}`);
-    }
-    const app = probeObj.application as { intents?: Record<string, unknown> } | undefined;
-    if (app?.intents) {
-      lines.push(`Intents: ${formatDiscordIntents(app.intents)}`);
-    }
-  }
-
-  if (channelId === "telegram") {
-    const bot = probeObj.bot as { username?: string | null; id?: number | null } | undefined;
-    if (bot?.username) {
-      const botId = bot.id ? ` (${bot.id})` : "";
-      lines.push(`Bot: ${theme.accent(`@${bot.username}`)}${botId}`);
-    }
-    const flags: string[] = [];
-    const canJoinGroups = (bot as { canJoinGroups?: boolean | null })?.canJoinGroups;
-    const canReadAll = (bot as { canReadAllGroupMessages?: boolean | null })
-      ?.canReadAllGroupMessages;
-    const inlineQueries = (bot as { supportsInlineQueries?: boolean | null })
-      ?.supportsInlineQueries;
-    if (typeof canJoinGroups === "boolean") {
-      flags.push(`joinGroups=${canJoinGroups}`);
-    }
-    if (typeof canReadAll === "boolean") {
-      flags.push(`readAllGroupMessages=${canReadAll}`);
-    }
-    if (typeof inlineQueries === "boolean") {
-      flags.push(`inlineQueries=${inlineQueries}`);
-    }
-    if (flags.length > 0) {
-      lines.push(`Flags: ${flags.join(" ")}`);
-    }
-    const webhook = probeObj.webhook as { url?: string | null } | undefined;
-    if (webhook?.url !== undefined) {
-      lines.push(`Webhook: ${webhook.url || "none"}`);
-    }
-  }
-
-  if (channelId === "slack") {
-    const bot = probeObj.bot as { name?: string } | undefined;
-    const team = probeObj.team as { name?: string; id?: string } | undefined;
-    if (bot?.name) {
-      lines.push(`Bot: ${theme.accent(`@${bot.name}`)}`);
-    }
-    if (team?.name || team?.id) {
-      const id = team?.id ? ` (${team.id})` : "";
-      lines.push(`Team: ${team?.name ?? "unknown"}${id}`);
-    }
-  }
-
-  if (channelId === "signal") {
-    const version = probeObj.version as string | null | undefined;
-    if (version) {
-      lines.push(`Signal daemon: ${version}`);
-    }
-  }
-
-  if (channelId === "msteams") {
-    const appId = typeof probeObj.appId === "string" ? probeObj.appId.trim() : "";
-    if (appId) {
-      lines.push(`App: ${theme.accent(appId)}`);
-    }
-    const graph = probeObj.graph as
-      | { ok?: boolean; roles?: unknown; scopes?: unknown; error?: string }
-      | undefined;
-    if (graph) {
-      const roles = Array.isArray(graph.roles)
-        ? graph.roles.map((role) => String(role).trim()).filter(Boolean)
-        : [];
-      const scopes =
-        typeof graph.scopes === "string"
-          ? graph.scopes
-              .split(/\s+/)
-              .map((scope) => scope.trim())
-              .filter(Boolean)
-          : Array.isArray(graph.scopes)
-            ? graph.scopes.map((scope) => String(scope).trim()).filter(Boolean)
-            : [];
-      if (graph.ok === false) {
-        lines.push(`Graph: ${theme.error(graph.error ?? "failed")}`);
-      } else if (roles.length > 0 || scopes.length > 0) {
-        const formatPermission = (permission: string) => {
-          const hint = TEAMS_GRAPH_PERMISSION_HINTS[permission];
-          return hint ? `${permission} (${hint})` : permission;
-        };
-        if (roles.length > 0) {
-          lines.push(`Graph roles: ${roles.map(formatPermission).join(", ")}`);
-        }
-        if (scopes.length > 0) {
-          lines.push(`Graph scopes: ${scopes.map(formatPermission).join(", ")}`);
-        }
-      } else if (graph.ok === true) {
-        lines.push("Graph: ok");
-      }
-    }
-  }
-
   const ok = typeof probeObj.ok === "boolean" ? probeObj.ok : undefined;
-  if (ok === true && lines.length === 0) {
-    lines.push("Probe: ok");
+  if (ok === true) {
+    return [{ text: "Probe: ok" }];
   }
   if (ok === false) {
     const error =
       typeof probeObj.error === "string" && probeObj.error ? ` (${probeObj.error})` : "";
-    lines.push(`Probe: ${theme.error(`failed${error}`)}`);
+    return [{ text: `Probe: failed${error}`, tone: "error" }];
   }
-  return lines;
+  return [];
 }
 
-async function buildDiscordPermissions(params: {
-  account: { token?: string; accountId?: string };
-  target?: string;
-}): Promise<{ target?: DiscordTargetSummary; report?: DiscordPermissionsReport }> {
-  const target = summarizeDiscordTarget(params.target?.trim());
-  if (!target) {
-    return {};
-  }
-  if (target.kind !== "channel" || !target.channelId) {
-    return {
-      target,
-      report: {
-        error: "Target looks like a DM user; pass channel:<id> to audit channel permissions.",
-      },
-    };
-  }
-  const token = params.account.token?.trim();
-  if (!token) {
-    return {
-      target,
-      report: {
-        channelId: target.channelId,
-        error: "Discord bot token missing for permission audit.",
-      },
-    };
-  }
-  try {
-    const perms = await fetchChannelPermissionsDiscord(target.channelId, {
-      token,
-      accountId: params.account.accountId ?? undefined,
-    });
-    const missing = REQUIRED_DISCORD_PERMISSIONS.filter(
-      (permission) => !perms.permissions.includes(permission),
-    );
-    return {
-      target,
-      report: {
-        channelId: perms.channelId,
-        guildId: perms.guildId,
-        isDm: perms.isDm,
-        channelType: perms.channelType,
-        permissions: perms.permissions,
-        missingRequired: missing.length ? missing : [],
-        raw: perms.raw,
-      },
-    };
-  } catch (err) {
-    return {
-      target,
-      report: {
-        channelId: target.channelId,
-        error: err instanceof Error ? err.message : String(err),
-      },
-    };
+function renderDisplayLine(line: ChannelCapabilitiesDisplayLine) {
+  switch (line.tone) {
+    case "muted":
+      return theme.muted(line.text);
+    case "success":
+      return theme.success(line.text);
+    case "warn":
+      return theme.warn(line.text);
+    case "error":
+      return theme.error(line.text);
+    default:
+      return line.text;
   }
 }
 
@@ -378,41 +159,16 @@ async function resolveChannelReports(params: {
       }
     }
 
-    let slackScopes: ChannelCapabilitiesReport["slackScopes"];
-    if (plugin.id === "slack" && configured && enabled) {
-      const botToken = (resolvedAccount as { botToken?: string }).botToken?.trim();
-      const userToken = (resolvedAccount as { userToken?: string }).userToken?.trim();
-      const scopeReports: NonNullable<ChannelCapabilitiesReport["slackScopes"]> = [];
-      if (botToken) {
-        scopeReports.push({
-          tokenType: "bot",
-          result: await fetchSlackScopes(botToken, timeoutMs),
-        });
-      } else {
-        scopeReports.push({
-          tokenType: "bot",
-          result: { ok: false, error: "Slack bot token missing." },
-        });
-      }
-      if (userToken) {
-        scopeReports.push({
-          tokenType: "user",
-          result: await fetchSlackScopes(userToken, timeoutMs),
-        });
-      }
-      slackScopes = scopeReports;
-    }
-
-    let discordTarget: DiscordTargetSummary | undefined;
-    let discordPermissions: DiscordPermissionsReport | undefined;
-    if (plugin.id === "discord" && params.target) {
-      const perms = await buildDiscordPermissions({
-        account: resolvedAccount as { token?: string; accountId?: string },
-        target: params.target,
-      });
-      discordTarget = perms.target;
-      discordPermissions = perms.report;
-    }
+    const diagnostics =
+      configured && enabled
+        ? await plugin.status?.buildCapabilitiesDiagnostics?.({
+            account: resolvedAccount,
+            timeoutMs,
+            cfg,
+            probe,
+            target: params.target,
+          })
+        : undefined;
 
     reports.push({
       channel: plugin.id,
@@ -425,10 +181,8 @@ async function resolveChannelReports(params: {
       enabled,
       support: plugin.capabilities,
       probe,
-      target: discordTarget,
-      channelPermissions: discordPermissions,
       actions,
-      slackScopes,
+      diagnostics,
     });
   }
   return reports;
@@ -451,8 +205,8 @@ export async function channelsCapabilitiesCommand(
     runtime.exit(1);
     return;
   }
-  if (rawTarget && rawChannel !== "discord") {
-    runtime.error(danger("--target requires --channel discord."));
+  if (rawTarget && (!rawChannel || rawChannel === "all")) {
+    runtime.error(danger("--target requires a specific --channel."));
     runtime.exit(1);
     return;
   }
@@ -484,7 +238,7 @@ export async function channelsCapabilitiesCommand(
         cfg,
         timeoutMs,
         accountOverride,
-        target: rawTarget && plugin.id === "discord" ? rawTarget : undefined,
+        target: rawTarget || undefined,
       })),
     );
   }
@@ -513,39 +267,17 @@ export async function channelsCapabilitiesCommand(
       const enabledLabel = report.enabled === false ? "disabled" : "enabled";
       lines.push(`Status: ${configuredLabel}, ${enabledLabel}`);
     }
-    const probeLines = formatProbeLines(report.channel, report.probe);
+    const probeLines =
+      getChannelPlugin(report.channel)?.status?.formatCapabilitiesProbe?.({
+        probe: report.probe,
+      }) ?? formatGenericProbeLines(report.probe);
     if (probeLines.length > 0) {
-      lines.push(...probeLines);
+      lines.push(...probeLines.map(renderDisplayLine));
     } else if (report.configured && report.enabled) {
       lines.push(theme.muted("Probe: unavailable"));
     }
-    if (report.channel === "slack" && report.slackScopes) {
-      for (const entry of report.slackScopes) {
-        const source = entry.result.source ? ` (${entry.result.source})` : "";
-        const label = entry.tokenType === "user" ? "User scopes" : "Bot scopes";
-        if (entry.result.ok && entry.result.scopes?.length) {
-          lines.push(`${label}${source}: ${entry.result.scopes.join(", ")}`);
-        } else if (entry.result.error) {
-          lines.push(`${label}: ${theme.error(entry.result.error)}`);
-        }
-      }
-    }
-    if (report.channel === "discord" && report.channelPermissions) {
-      const perms = report.channelPermissions;
-      if (perms.error) {
-        lines.push(`Permissions: ${theme.error(perms.error)}`);
-      } else {
-        const list = perms.permissions?.length ? perms.permissions.join(", ") : "none";
-        const label = perms.channelId ? ` (${perms.channelId})` : "";
-        lines.push(`Permissions${label}: ${list}`);
-        if (perms.missingRequired && perms.missingRequired.length > 0) {
-          lines.push(`${theme.warn("Missing required:")} ${perms.missingRequired.join(", ")}`);
-        } else {
-          lines.push(theme.success("Missing required: none"));
-        }
-      }
-    } else if (report.channel === "discord" && rawTarget && !report.channelPermissions) {
-      lines.push(theme.muted("Permissions: skipped (no target)."));
+    if (report.diagnostics?.lines?.length) {
+      lines.push(...report.diagnostics.lines.map(renderDisplayLine));
     }
     lines.push("");
   }
diff --git a/src/commands/channels/remove.ts b/src/commands/channels/remove.ts
index b7d012d0fac..1cd5fded7d3 100644
--- a/src/commands/channels/remove.ts
+++ b/src/commands/channels/remove.ts
@@ -118,11 +118,6 @@ export async function channelsRemoveCommand(
       accountId: resolvedAccountId,
       runtime,
     });
-    if (channel === "telegram") {
-      const { deleteTelegramUpdateOffset } =
-        await import("../../../extensions/telegram/src/update-offset-store.js");
-      await deleteTelegramUpdateOffset({ accountId: resolvedAccountId });
-    }
   } else {
     if (!plugin.config.setAccountEnabled) {
       runtime.error(`Channel ${channel} does not support disable.`);

From 9cd9c7a4884177ecfbd4e040e2487701a2d1bb66 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Mar 2026 05:21:52 +0000
Subject: [PATCH 016/133] refactor: split slack block action handling

---
 .../events/interactions.block-actions.ts      | 773 ++++++++++++++++++
 .../slack/src/monitor/events/interactions.ts  | 607 +-------------
 2 files changed, 781 insertions(+), 599 deletions(-)
 create mode 100644 extensions/slack/src/monitor/events/interactions.block-actions.ts

diff --git a/extensions/slack/src/monitor/events/interactions.block-actions.ts b/extensions/slack/src/monitor/events/interactions.block-actions.ts
new file mode 100644
index 00000000000..1f54df45a5d
--- /dev/null
+++ b/extensions/slack/src/monitor/events/interactions.block-actions.ts
@@ -0,0 +1,773 @@
+import type { SlackActionMiddlewareArgs } from "@slack/bolt";
+import type { Block, KnownBlock } from "@slack/web-api";
+import { enqueueSystemEvent } from "../../../../../src/infra/system-events.js";
+import {
+  buildPluginBindingResolvedText,
+  parsePluginBindingApprovalCustomId,
+  resolvePluginConversationBindingApproval,
+} from "../../../../../src/plugins/conversation-binding.js";
+import { dispatchPluginInteractiveHandler } from "../../../../../src/plugins/interactive.js";
+import { SLACK_REPLY_BUTTON_ACTION_ID, SLACK_REPLY_SELECT_ACTION_ID } from "../../blocks-render.js";
+import { authorizeSlackSystemEventSender } from "../auth.js";
+import type { SlackMonitorContext } from "../context.js";
+import { escapeSlackMrkdwn } from "../mrkdwn.js";
+
+type InteractionMessageBlock = {
+  type?: string;
+  block_id?: string;
+  elements?: Array<{ action_id?: string }>;
+};
+
+type SelectOption = {
+  value?: string;
+  text?: { text?: string };
+};
+
+type InteractionSelectionFields = {
+  blockId?: string;
+  callbackId?: string;
+  value?: string;
+  inputKind?: "number" | "text" | "url" | "email" | "rich_text";
+  inputValue?: string;
+  inputNumber?: number;
+  inputEmail?: string;
+  inputUrl?: string;
+  richTextValue?: unknown;
+  richTextPreview?: string;
+  selectedValues?: string[];
+  selectedUsers?: string[];
+  selectedChannels?: string[];
+  selectedConversations?: string[];
+  selectedLabels?: string[];
+  selectedDate?: string;
+  selectedTime?: string;
+  selectedDateTime?: number;
+  actionType?: string;
+  viewId?: string;
+  privateMetadata?: string;
+  viewHash?: string;
+  inputs?: unknown[];
+  isCleared?: boolean;
+  routedChannelType?: string;
+  routedChannelId?: string;
+};
+
+export type InteractionSummary = InteractionSelectionFields & {
+  interactionType?: "block_action" | "view_submission" | "view_closed";
+  actionId: string;
+  userId?: string;
+  teamId?: string;
+  triggerId?: string;
+  responseUrl?: string;
+  workflowTriggerUrl?: string;
+  workflowId?: string;
+  channelId?: string;
+  messageTs?: string;
+  threadTs?: string;
+};
+
+type SlackActionSummary = Omit<InteractionSummary, "actionId" | "blockId">;
+
+type SlackBlockActionBody = {
+  user?: { id?: string };
+  team?: { id?: string };
+  trigger_id?: string;
+  response_url?: string;
+  channel?: { id?: string };
+  container?: { channel_id?: string; message_ts?: string; thread_ts?: string };
+  message?: { ts?: string; text?: string; blocks?: unknown[] };
+};
+
+type SlackBlockActionRespond = NonNullable<SlackActionMiddlewareArgs["respond"]>;
+
+type ParsedSlackBlockAction = {
+  typedBody: SlackBlockActionBody;
+  typedAction: Record<string, unknown>;
+  typedActionWithText: {
+    action_id?: string;
+    block_id?: string;
+    type?: string;
+    text?: { text?: string };
+  };
+  actionId: string;
+  blockId?: string;
+  userId: string;
+  channelId?: string;
+  messageTs?: string;
+  threadTs?: string;
+  actionSummary: SlackActionSummary;
+};
+
+function readOptionValues(options: unknown): string[] | undefined {
+  if (!Array.isArray(options)) {
+    return undefined;
+  }
+  const values = options
+    .map((option) => (option && typeof option === "object" ? (option as SelectOption).value : null))
+    .filter((value): value is string => typeof value === "string" && value.trim().length > 0);
+  return values.length > 0 ? values : undefined;
+}
+
+function readOptionLabels(options: unknown): string[] | undefined {
+  if (!Array.isArray(options)) {
+    return undefined;
+  }
+  const labels = options
+    .map((option) =>
+      option && typeof option === "object" ? ((option as SelectOption).text?.text ?? null) : null,
+    )
+    .filter((label): label is string => typeof label === "string" && label.trim().length > 0);
+  return labels.length > 0 ? labels : undefined;
+}
+
+function uniqueNonEmptyStrings(values: string[]): string[] {
+  const unique: string[] = [];
+  const seen = new Set<string>();
+  for (const entry of values) {
+    if (typeof entry !== "string") {
+      continue;
+    }
+    const trimmed = entry.trim();
+    if (!trimmed || seen.has(trimmed)) {
+      continue;
+    }
+    seen.add(trimmed);
+    unique.push(trimmed);
+  }
+  return unique;
+}
+
+function collectRichTextFragments(value: unknown, out: string[]): void {
+  if (!value || typeof value !== "object") {
+    return;
+  }
+  const typed = value as { text?: unknown; elements?: unknown };
+  if (typeof typed.text === "string" && typed.text.trim().length > 0) {
+    out.push(typed.text.trim());
+  }
+  if (Array.isArray(typed.elements)) {
+    for (const child of typed.elements) {
+      collectRichTextFragments(child, out);
+    }
+  }
+}
+
+function summarizeRichTextPreview(value: unknown): string | undefined {
+  const fragments: string[] = [];
+  collectRichTextFragments(value, fragments);
+  if (fragments.length === 0) {
+    return undefined;
+  }
+  const joined = fragments.join(" ").replace(/\s+/g, " ").trim();
+  if (!joined) {
+    return undefined;
+  }
+  const max = 120;
+  return joined.length <= max ? joined : `${joined.slice(0, max - 1)}…`;
+}
+
+function readInteractionAction(raw: unknown) {
+  if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
+    return undefined;
+  }
+  return raw as Record<string, unknown>;
+}
+
+export function summarizeAction(action: Record<string, unknown>): SlackActionSummary {
+  const typed = action as {
+    type?: string;
+    selected_option?: SelectOption;
+    selected_options?: SelectOption[];
+    selected_user?: string;
+    selected_users?: string[];
+    selected_channel?: string;
+    selected_channels?: string[];
+    selected_conversation?: string;
+    selected_conversations?: string[];
+    selected_date?: string;
+    selected_time?: string;
+    selected_date_time?: number;
+    value?: string;
+    rich_text_value?: unknown;
+    workflow?: {
+      trigger_url?: string;
+      workflow_id?: string;
+    };
+  };
+  const actionType = typed.type;
+  const selectedUsers = uniqueNonEmptyStrings([
+    ...(typed.selected_user ? [typed.selected_user] : []),
+    ...(Array.isArray(typed.selected_users) ? typed.selected_users : []),
+  ]);
+  const selectedChannels = uniqueNonEmptyStrings([
+    ...(typed.selected_channel ? [typed.selected_channel] : []),
+    ...(Array.isArray(typed.selected_channels) ? typed.selected_channels : []),
+  ]);
+  const selectedConversations = uniqueNonEmptyStrings([
+    ...(typed.selected_conversation ? [typed.selected_conversation] : []),
+    ...(Array.isArray(typed.selected_conversations) ? typed.selected_conversations : []),
+  ]);
+  const selectedValues = uniqueNonEmptyStrings([
+    ...(typed.selected_option?.value ? [typed.selected_option.value] : []),
+    ...(readOptionValues(typed.selected_options) ?? []),
+    ...selectedUsers,
+    ...selectedChannels,
+    ...selectedConversations,
+  ]);
+  const selectedLabels = uniqueNonEmptyStrings([
+    ...(typed.selected_option?.text?.text ? [typed.selected_option.text.text] : []),
+    ...(readOptionLabels(typed.selected_options) ?? []),
+  ]);
+  const inputValue = typeof typed.value === "string" ? typed.value : undefined;
+  const inputNumber =
+    actionType === "number_input" && inputValue != null ? Number.parseFloat(inputValue) : undefined;
+  const parsedNumber = Number.isFinite(inputNumber) ? inputNumber : undefined;
+  const inputEmail =
+    actionType === "email_text_input" && inputValue?.includes("@") ? inputValue : undefined;
+  let inputUrl: string | undefined;
+  if (actionType === "url_text_input" && inputValue) {
+    try {
+      inputUrl = new URL(inputValue).toString();
+    } catch {
+      inputUrl = undefined;
+    }
+  }
+  const richTextValue = actionType === "rich_text_input" ? typed.rich_text_value : undefined;
+  const richTextPreview = summarizeRichTextPreview(richTextValue);
+  const inputKind =
+    actionType === "number_input"
+      ? "number"
+      : actionType === "email_text_input"
+        ? "email"
+        : actionType === "url_text_input"
+          ? "url"
+          : actionType === "rich_text_input"
+            ? "rich_text"
+            : inputValue != null
+              ? "text"
+              : undefined;
+
+  return {
+    actionType,
+    inputKind,
+    value: typed.value,
+    selectedValues: selectedValues.length > 0 ? selectedValues : undefined,
+    selectedUsers: selectedUsers.length > 0 ? selectedUsers : undefined,
+    selectedChannels: selectedChannels.length > 0 ? selectedChannels : undefined,
+    selectedConversations: selectedConversations.length > 0 ? selectedConversations : undefined,
+    selectedLabels: selectedLabels.length > 0 ? selectedLabels : undefined,
+    selectedDate: typed.selected_date,
+    selectedTime: typed.selected_time,
+    selectedDateTime:
+      typeof typed.selected_date_time === "number" ? typed.selected_date_time : undefined,
+    inputValue,
+    inputNumber: parsedNumber,
+    inputEmail,
+    inputUrl,
+    richTextValue,
+    richTextPreview,
+    workflowTriggerUrl: typed.workflow?.trigger_url,
+    workflowId: typed.workflow?.workflow_id,
+  };
+}
+
+function isBulkActionsBlock(block: InteractionMessageBlock): boolean {
+  return (
+    block.type === "actions" &&
+    Array.isArray(block.elements) &&
+    block.elements.length > 0 &&
+    block.elements.every((el) => typeof el.action_id === "string" && el.action_id.includes("_all_"))
+  );
+}
+
+function formatInteractionSelectionLabel(params: {
+  actionId: string;
+  summary: SlackActionSummary;
+  buttonText?: string;
+}): string {
+  if (params.summary.actionType === "button" && params.buttonText?.trim()) {
+    return params.buttonText.trim();
+  }
+  if (params.summary.selectedLabels?.length) {
+    if (params.summary.selectedLabels.length <= 3) {
+      return params.summary.selectedLabels.join(", ");
+    }
+    return `${params.summary.selectedLabels.slice(0, 3).join(", ")} +${
+      params.summary.selectedLabels.length - 3
+    }`;
+  }
+  if (params.summary.selectedValues?.length) {
+    if (params.summary.selectedValues.length <= 3) {
+      return params.summary.selectedValues.join(", ");
+    }
+    return `${params.summary.selectedValues.slice(0, 3).join(", ")} +${
+      params.summary.selectedValues.length - 3
+    }`;
+  }
+  if (params.summary.selectedDate) {
+    return params.summary.selectedDate;
+  }
+  if (params.summary.selectedTime) {
+    return params.summary.selectedTime;
+  }
+  if (typeof params.summary.selectedDateTime === "number") {
+    return new Date(params.summary.selectedDateTime * 1000).toISOString();
+  }
+  if (params.summary.richTextPreview) {
+    return params.summary.richTextPreview;
+  }
+  if (params.summary.value?.trim()) {
+    return params.summary.value.trim();
+  }
+  return params.actionId;
+}
+
+function formatInteractionConfirmationText(params: {
+  selectedLabel: string;
+  userId?: string;
+}): string {
+  const actor = params.userId?.trim() ? ` by <@${params.userId.trim()}>` : "";
+  return `:white_check_mark: *${escapeSlackMrkdwn(params.selectedLabel)}* selected${actor}`;
+}
+
+function buildSlackPluginInteractionData(params: {
+  actionId: string;
+  summary: SlackActionSummary;
+}): string | null {
+  const actionId = params.actionId.trim();
+  if (!actionId) {
+    return null;
+  }
+  const payload =
+    params.summary.value?.trim() ||
+    params.summary.selectedValues?.map((value) => value.trim()).find(Boolean) ||
+    "";
+  if (actionId === SLACK_REPLY_BUTTON_ACTION_ID || actionId === SLACK_REPLY_SELECT_ACTION_ID) {
+    return payload || null;
+  }
+  return payload ? `${actionId}:${payload}` : actionId;
+}
+
+function buildSlackPluginInteractionId(params: {
+  userId?: string;
+  channelId?: string;
+  messageTs?: string;
+  triggerId?: string;
+  actionId: string;
+  summary: SlackActionSummary;
+}): string {
+  const primaryValue =
+    params.summary.value?.trim() ||
+    params.summary.selectedValues?.map((value) => value.trim()).find(Boolean) ||
+    "";
+  return [
+    params.userId?.trim() || "",
+    params.channelId?.trim() || "",
+    params.messageTs?.trim() || "",
+    params.triggerId?.trim() || "",
+    params.actionId.trim(),
+    primaryValue,
+  ].join(":");
+}
+
+function parseSlackBlockAction(params: {
+  body: unknown;
+  action: unknown;
+  log?: (message: string) => void;
+}): ParsedSlackBlockAction | null {
+  const typedBody = params.body as SlackBlockActionBody;
+  const typedAction = readInteractionAction(params.action);
+  if (!typedAction) {
+    params.log?.(
+      `slack:interaction malformed action payload channel=${typedBody.channel?.id ?? typedBody.container?.channel_id ?? "unknown"} user=${
+        typedBody.user?.id ?? "unknown"
+      }`,
+    );
+    return null;
+  }
+  const typedActionWithText = typedAction as {
+    action_id?: string;
+    block_id?: string;
+    type?: string;
+    text?: { text?: string };
+  };
+  return {
+    typedBody,
+    typedAction,
+    typedActionWithText,
+    actionId:
+      typeof typedActionWithText.action_id === "string" ? typedActionWithText.action_id : "unknown",
+    blockId: typedActionWithText.block_id,
+    userId: typedBody.user?.id ?? "unknown",
+    channelId: typedBody.channel?.id ?? typedBody.container?.channel_id,
+    messageTs: typedBody.message?.ts ?? typedBody.container?.message_ts,
+    threadTs: typedBody.container?.thread_ts,
+    actionSummary: summarizeAction(typedAction),
+  };
+}
+
+async function respondEphemeral(
+  respond: SlackBlockActionRespond | undefined,
+  text: string,
+): Promise<void> {
+  if (!respond) {
+    return;
+  }
+  try {
+    await respond({
+      text,
+      response_type: "ephemeral",
+    });
+  } catch {
+    // Best-effort feedback only.
+  }
+}
+
+async function updateSlackInteractionMessage(params: {
+  ctx: SlackMonitorContext;
+  channelId?: string;
+  messageTs?: string;
+  text: string;
+  blocks?: (Block | KnownBlock)[];
+}): Promise<void> {
+  if (!params.channelId || !params.messageTs) {
+    return;
+  }
+  await params.ctx.app.client.chat.update({
+    channel: params.channelId,
+    ts: params.messageTs,
+    text: params.text,
+    ...(params.blocks ? { blocks: params.blocks } : {}),
+  });
+}
+
+async function authorizeSlackBlockAction(params: {
+  ctx: SlackMonitorContext;
+  parsed: ParsedSlackBlockAction;
+  respond?: SlackBlockActionRespond;
+}): Promise<
+  | {
+      allowed: true;
+      channelType?: "im" | "mpim" | "channel" | "group";
+    }
+  | { allowed: false }
+> {
+  const auth = await authorizeSlackSystemEventSender({
+    ctx: params.ctx,
+    senderId: params.parsed.userId,
+    channelId: params.parsed.channelId,
+  });
+  if (auth.allowed) {
+    return auth;
+  }
+  params.ctx.runtime.log?.(
+    `slack:interaction drop action=${params.parsed.actionId} user=${params.parsed.userId} channel=${params.parsed.channelId ?? "unknown"} reason=${auth.reason ?? "unauthorized"}`,
+  );
+  await respondEphemeral(params.respond, "You are not authorized to use this control.");
+  return { allowed: false };
+}
+
+async function handleSlackPluginBindingApproval(params: {
+  ctx: SlackMonitorContext;
+  parsed: ParsedSlackBlockAction;
+  pluginInteractionData: string;
+  respond?: SlackBlockActionRespond;
+}): Promise<boolean> {
+  const pluginBindingApproval = parsePluginBindingApprovalCustomId(params.pluginInteractionData);
+  if (!pluginBindingApproval) {
+    return false;
+  }
+  const resolved = await resolvePluginConversationBindingApproval({
+    approvalId: pluginBindingApproval.approvalId,
+    decision: pluginBindingApproval.decision,
+    senderId: params.parsed.userId,
+  });
+  try {
+    await updateSlackInteractionMessage({
+      ctx: params.ctx,
+      channelId: params.parsed.channelId,
+      messageTs: params.parsed.messageTs,
+      text: params.parsed.typedBody.message?.text ?? "",
+      blocks: [],
+    });
+  } catch {
+    // Best-effort cleanup only; continue with follow-up feedback.
+  }
+  await respondEphemeral(params.respond, buildPluginBindingResolvedText(resolved));
+  return true;
+}
+
+async function dispatchSlackPluginInteraction(params: {
+  ctx: SlackMonitorContext;
+  parsed: ParsedSlackBlockAction;
+  pluginInteractionData: string;
+  auth: { isAuthorizedSender: boolean };
+  respond?: SlackBlockActionRespond;
+}): Promise<boolean> {
+  const pluginInteractionId = buildSlackPluginInteractionId({
+    userId: params.parsed.userId,
+    channelId: params.parsed.channelId,
+    messageTs: params.parsed.messageTs,
+    triggerId: params.parsed.typedBody.trigger_id,
+    actionId: params.parsed.actionId,
+    summary: params.parsed.actionSummary,
+  });
+  if (
+    await handleSlackPluginBindingApproval({
+      ctx: params.ctx,
+      parsed: params.parsed,
+      pluginInteractionData: params.pluginInteractionData,
+      respond: params.respond,
+    })
+  ) {
+    return true;
+  }
+  const pluginResult = await dispatchPluginInteractiveHandler({
+    channel: "slack",
+    data: params.pluginInteractionData,
+    interactionId: pluginInteractionId,
+    ctx: {
+      accountId: params.ctx.accountId,
+      interactionId: pluginInteractionId,
+      conversationId: params.parsed.channelId ?? "",
+      parentConversationId: undefined,
+      threadId: params.parsed.threadTs,
+      senderId: params.parsed.userId,
+      senderUsername: undefined,
+      auth: params.auth,
+      interaction: {
+        kind: params.parsed.actionSummary.actionType === "button" ? "button" : "select",
+        actionId: params.parsed.actionId,
+        blockId: params.parsed.blockId,
+        messageTs: params.parsed.messageTs,
+        threadTs: params.parsed.threadTs,
+        value: params.parsed.actionSummary.value,
+        selectedValues: params.parsed.actionSummary.selectedValues,
+        selectedLabels: params.parsed.actionSummary.selectedLabels,
+        triggerId: params.parsed.typedBody.trigger_id,
+        responseUrl: params.parsed.typedBody.response_url,
+      },
+    },
+    respond: {
+      acknowledge: async () => {},
+      reply: async ({ text, responseType }) => {
+        if (!text) {
+          return;
+        }
+        await params.respond?.({
+          text,
+          response_type: responseType ?? "ephemeral",
+        });
+      },
+      followUp: async ({ text, responseType }) => {
+        if (!text) {
+          return;
+        }
+        await params.respond?.({
+          text,
+          response_type: responseType ?? "ephemeral",
+        });
+      },
+      editMessage: async ({ text, blocks }) => {
+        await updateSlackInteractionMessage({
+          ctx: params.ctx,
+          channelId: params.parsed.channelId,
+          messageTs: params.parsed.messageTs,
+          text: text ?? params.parsed.typedBody.message?.text ?? "",
+          blocks: Array.isArray(blocks) ? (blocks as (Block | KnownBlock)[]) : undefined,
+        });
+      },
+    },
+  });
+  return pluginResult.matched && pluginResult.handled;
+}
+
+function enqueueSlackBlockActionEvent(params: {
+  ctx: SlackMonitorContext;
+  parsed: ParsedSlackBlockAction;
+  auth: { channelType?: "im" | "mpim" | "channel" | "group" };
+  formatSystemEvent: (payload: Record<string, unknown>) => string;
+}): void {
+  const eventPayload: InteractionSummary = {
+    interactionType: "block_action",
+    actionId: params.parsed.actionId,
+    blockId: params.parsed.blockId,
+    ...params.parsed.actionSummary,
+    userId: params.parsed.userId,
+    teamId: params.parsed.typedBody.team?.id,
+    triggerId: params.parsed.typedBody.trigger_id,
+    responseUrl: params.parsed.typedBody.response_url,
+    channelId: params.parsed.channelId,
+    messageTs: params.parsed.messageTs,
+    threadTs: params.parsed.threadTs,
+  };
+  params.ctx.runtime.log?.(
+    `slack:interaction action=${params.parsed.actionId} type=${params.parsed.actionSummary.actionType ?? "unknown"} user=${params.parsed.userId} channel=${params.parsed.channelId}`,
+  );
+  const sessionKey = params.ctx.resolveSlackSystemEventSessionKey({
+    channelId: params.parsed.channelId,
+    channelType: params.auth.channelType,
+    senderId: params.parsed.userId,
+  });
+  const contextParts = [
+    "slack:interaction",
+    params.parsed.channelId,
+    params.parsed.messageTs,
+    params.parsed.actionId,
+  ].filter(Boolean);
+  enqueueSystemEvent(params.formatSystemEvent(eventPayload), {
+    sessionKey,
+    contextKey: contextParts.join(":"),
+  });
+}
+
+function buildSlackConfirmationBlocks(params: {
+  parsed: ParsedSlackBlockAction;
+  originalBlocks: unknown[];
+}): (Block | KnownBlock)[] {
+  const selectedLabel = formatInteractionSelectionLabel({
+    actionId: params.parsed.actionId,
+    summary: params.parsed.actionSummary,
+    buttonText: params.parsed.typedActionWithText.text?.text,
+  });
+  let updatedBlocks = params.originalBlocks.map((block) => {
+    const typedBlock = block as InteractionMessageBlock;
+    if (typedBlock.type === "actions" && typedBlock.block_id === params.parsed.blockId) {
+      return {
+        type: "context",
+        elements: [
+          {
+            type: "mrkdwn",
+            text: formatInteractionConfirmationText({
+              selectedLabel,
+              userId: params.parsed.userId,
+            }),
+          },
+        ],
+      };
+    }
+    return block;
+  });
+  const hasRemainingIndividualActionRows = updatedBlocks.some((block) => {
+    const typedBlock = block as InteractionMessageBlock;
+    return typedBlock.type === "actions" && !isBulkActionsBlock(typedBlock);
+  });
+  if (!hasRemainingIndividualActionRows) {
+    updatedBlocks = updatedBlocks.filter((block, index) => {
+      const typedBlock = block as InteractionMessageBlock;
+      if (isBulkActionsBlock(typedBlock)) {
+        return false;
+      }
+      if (typedBlock.type !== "divider") {
+        return true;
+      }
+      const next = updatedBlocks[index + 1] as InteractionMessageBlock | undefined;
+      return !next || !isBulkActionsBlock(next);
+    });
+  }
+  return updatedBlocks as (Block | KnownBlock)[];
+}
+
+async function updateSlackLegacyBlockAction(params: {
+  ctx: SlackMonitorContext;
+  parsed: ParsedSlackBlockAction;
+  respond?: SlackBlockActionRespond;
+}): Promise<void> {
+  const originalBlocks = params.parsed.typedBody.message?.blocks;
+  if (
+    !Array.isArray(originalBlocks) ||
+    !params.parsed.channelId ||
+    !params.parsed.messageTs ||
+    !params.parsed.blockId
+  ) {
+    return;
+  }
+  try {
+    await updateSlackInteractionMessage({
+      ctx: params.ctx,
+      channelId: params.parsed.channelId,
+      messageTs: params.parsed.messageTs,
+      text: params.parsed.typedBody.message?.text ?? "",
+      blocks: buildSlackConfirmationBlocks({
+        parsed: params.parsed,
+        originalBlocks,
+      }),
+    });
+  } catch {
+    await respondEphemeral(params.respond, `Button "${params.parsed.actionId}" clicked!`);
+  }
+}
+
+async function handleSlackBlockAction(params: {
+  ctx: SlackMonitorContext;
+  args: SlackActionMiddlewareArgs;
+  formatSystemEvent: (payload: Record<string, unknown>) => string;
+}): Promise<void> {
+  const { ack, body, action, respond } = params.args;
+  await ack();
+  if (params.ctx.shouldDropMismatchedSlackEvent?.(body)) {
+    params.ctx.runtime.log?.("slack:interaction drop block action payload (mismatched app/team)");
+    return;
+  }
+  const parsed = parseSlackBlockAction({
+    body,
+    action,
+    log: params.ctx.runtime.log,
+  });
+  if (!parsed) {
+    return;
+  }
+  const auth = await authorizeSlackBlockAction({
+    ctx: params.ctx,
+    parsed,
+    respond,
+  });
+  if (!auth.allowed) {
+    return;
+  }
+  const pluginInteractionData = buildSlackPluginInteractionData({
+    actionId: parsed.actionId,
+    summary: parsed.actionSummary,
+  });
+  if (pluginInteractionData) {
+    const handled = await dispatchSlackPluginInteraction({
+      ctx: params.ctx,
+      parsed,
+      pluginInteractionData,
+      auth: {
+        isAuthorizedSender: true,
+      },
+      respond,
+    });
+    if (handled) {
+      return;
+    }
+  }
+  enqueueSlackBlockActionEvent({
+    ctx: params.ctx,
+    parsed,
+    auth,
+    formatSystemEvent: params.formatSystemEvent,
+  });
+  await updateSlackLegacyBlockAction({
+    ctx: params.ctx,
+    parsed,
+    respond,
+  });
+}
+
+export function registerSlackBlockActionHandler(params: {
+  ctx: SlackMonitorContext;
+  formatSystemEvent: (payload: Record<string, unknown>) => string;
+}): void {
+  if (typeof params.ctx.app.action !== "function") {
+    return;
+  }
+  params.ctx.app.action(/.+/, async (args: SlackActionMiddlewareArgs) => {
+    await handleSlackBlockAction({
+      ctx: params.ctx,
+      args,
+      formatSystemEvent: params.formatSystemEvent,
+    });
+  });
+}
diff --git a/extensions/slack/src/monitor/events/interactions.ts b/extensions/slack/src/monitor/events/interactions.ts
index 1ebb55d090e..384498ac5fe 100644
--- a/extensions/slack/src/monitor/events/interactions.ts
+++ b/extensions/slack/src/monitor/events/interactions.ts
@@ -1,17 +1,10 @@
-import type { SlackActionMiddlewareArgs } from "@slack/bolt";
-import type { Block, KnownBlock } from "@slack/web-api";
-import { enqueueSystemEvent } from "../../../../../src/infra/system-events.js";
-import {
-  buildPluginBindingResolvedText,
-  parsePluginBindingApprovalCustomId,
-  resolvePluginConversationBindingApproval,
-} from "../../../../../src/plugins/conversation-binding.js";
-import { dispatchPluginInteractiveHandler } from "../../../../../src/plugins/interactive.js";
-import { SLACK_REPLY_BUTTON_ACTION_ID, SLACK_REPLY_SELECT_ACTION_ID } from "../../blocks-render.js";
 import { truncateSlackText } from "../../truncate.js";
-import { authorizeSlackSystemEventSender } from "../auth.js";
 import type { SlackMonitorContext } from "../context.js";
-import { escapeSlackMrkdwn } from "../mrkdwn.js";
+import {
+  registerSlackBlockActionHandler,
+  summarizeAction,
+  type InteractionSummary,
+} from "./interactions.block-actions.js";
 import {
   registerModalLifecycleHandler,
   type ModalInputSummary,
@@ -34,33 +27,6 @@ const SLACK_INTERACTION_REDACTED_KEYS = new Set([
   "viewHash",
 ]);
 
-type InteractionMessageBlock = {
-  type?: string;
-  block_id?: string;
-  elements?: Array<{ action_id?: string }>;
-};
-
-type SelectOption = {
-  value?: string;
-  text?: { text?: string };
-};
-
-type InteractionSelectionFields = Partial<ModalInputSummary>;
-
-type InteractionSummary = InteractionSelectionFields & {
-  interactionType?: "block_action" | "view_submission" | "view_closed";
-  actionId: string;
-  userId?: string;
-  teamId?: string;
-  triggerId?: string;
-  responseUrl?: string;
-  workflowTriggerUrl?: string;
-  workflowId?: string;
-  channelId?: string;
-  messageTs?: string;
-  threadTs?: string;
-};
-
 function sanitizeSlackInteractionPayloadValue(value: unknown, key?: string): unknown {
   if (value === undefined) {
     return undefined;
@@ -189,281 +155,6 @@ function formatSlackInteractionSystemEvent(payload: Record<string, unknown>): st
   });
 }
 
-function readOptionValues(options: unknown): string[] | undefined {
-  if (!Array.isArray(options)) {
-    return undefined;
-  }
-  const values = options
-    .map((option) => (option && typeof option === "object" ? (option as SelectOption).value : null))
-    .filter((value): value is string => typeof value === "string" && value.trim().length > 0);
-  return values.length > 0 ? values : undefined;
-}
-
-function readOptionLabels(options: unknown): string[] | undefined {
-  if (!Array.isArray(options)) {
-    return undefined;
-  }
-  const labels = options
-    .map((option) =>
-      option && typeof option === "object" ? ((option as SelectOption).text?.text ?? null) : null,
-    )
-    .filter((label): label is string => typeof label === "string" && label.trim().length > 0);
-  return labels.length > 0 ? labels : undefined;
-}
-
-function uniqueNonEmptyStrings(values: string[]): string[] {
-  const unique: string[] = [];
-  const seen = new Set<string>();
-  for (const entry of values) {
-    if (typeof entry !== "string") {
-      continue;
-    }
-    const trimmed = entry.trim();
-    if (!trimmed || seen.has(trimmed)) {
-      continue;
-    }
-    seen.add(trimmed);
-    unique.push(trimmed);
-  }
-  return unique;
-}
-
-function collectRichTextFragments(value: unknown, out: string[]): void {
-  if (!value || typeof value !== "object") {
-    return;
-  }
-  const typed = value as { text?: unknown; elements?: unknown };
-  if (typeof typed.text === "string" && typed.text.trim().length > 0) {
-    out.push(typed.text.trim());
-  }
-  if (Array.isArray(typed.elements)) {
-    for (const child of typed.elements) {
-      collectRichTextFragments(child, out);
-    }
-  }
-}
-
-function summarizeRichTextPreview(value: unknown): string | undefined {
-  const fragments: string[] = [];
-  collectRichTextFragments(value, fragments);
-  if (fragments.length === 0) {
-    return undefined;
-  }
-  const joined = fragments.join(" ").replace(/\s+/g, " ").trim();
-  if (!joined) {
-    return undefined;
-  }
-  const max = 120;
-  return joined.length <= max ? joined : `${joined.slice(0, max - 1)}…`;
-}
-
-function readInteractionAction(raw: unknown) {
-  if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
-    return undefined;
-  }
-  return raw as Record<string, unknown>;
-}
-
-function summarizeAction(
-  action: Record<string, unknown>,
-): Omit<InteractionSummary, "actionId" | "blockId"> {
-  const typed = action as {
-    type?: string;
-    selected_option?: SelectOption;
-    selected_options?: SelectOption[];
-    selected_user?: string;
-    selected_users?: string[];
-    selected_channel?: string;
-    selected_channels?: string[];
-    selected_conversation?: string;
-    selected_conversations?: string[];
-    selected_date?: string;
-    selected_time?: string;
-    selected_date_time?: number;
-    value?: string;
-    rich_text_value?: unknown;
-    workflow?: {
-      trigger_url?: string;
-      workflow_id?: string;
-    };
-  };
-  const actionType = typed.type;
-  const selectedUsers = uniqueNonEmptyStrings([
-    ...(typed.selected_user ? [typed.selected_user] : []),
-    ...(Array.isArray(typed.selected_users) ? typed.selected_users : []),
-  ]);
-  const selectedChannels = uniqueNonEmptyStrings([
-    ...(typed.selected_channel ? [typed.selected_channel] : []),
-    ...(Array.isArray(typed.selected_channels) ? typed.selected_channels : []),
-  ]);
-  const selectedConversations = uniqueNonEmptyStrings([
-    ...(typed.selected_conversation ? [typed.selected_conversation] : []),
-    ...(Array.isArray(typed.selected_conversations) ? typed.selected_conversations : []),
-  ]);
-  const selectedValues = uniqueNonEmptyStrings([
-    ...(typed.selected_option?.value ? [typed.selected_option.value] : []),
-    ...(readOptionValues(typed.selected_options) ?? []),
-    ...selectedUsers,
-    ...selectedChannels,
-    ...selectedConversations,
-  ]);
-  const selectedLabels = uniqueNonEmptyStrings([
-    ...(typed.selected_option?.text?.text ? [typed.selected_option.text.text] : []),
-    ...(readOptionLabels(typed.selected_options) ?? []),
-  ]);
-  const inputValue = typeof typed.value === "string" ? typed.value : undefined;
-  const inputNumber =
-    actionType === "number_input" && inputValue != null ? Number.parseFloat(inputValue) : undefined;
-  const parsedNumber = Number.isFinite(inputNumber) ? inputNumber : undefined;
-  const inputEmail =
-    actionType === "email_text_input" && inputValue?.includes("@") ? inputValue : undefined;
-  let inputUrl: string | undefined;
-  if (actionType === "url_text_input" && inputValue) {
-    try {
-      // Normalize to a canonical URL string so downstream handlers do not need to reparse.
-      inputUrl = new URL(inputValue).toString();
-    } catch {
-      inputUrl = undefined;
-    }
-  }
-  const richTextValue = actionType === "rich_text_input" ? typed.rich_text_value : undefined;
-  const richTextPreview = summarizeRichTextPreview(richTextValue);
-  const inputKind =
-    actionType === "number_input"
-      ? "number"
-      : actionType === "email_text_input"
-        ? "email"
-        : actionType === "url_text_input"
-          ? "url"
-          : actionType === "rich_text_input"
-            ? "rich_text"
-            : inputValue != null
-              ? "text"
-              : undefined;
-
-  return {
-    actionType,
-    inputKind,
-    value: typed.value,
-    selectedValues: selectedValues.length > 0 ? selectedValues : undefined,
-    selectedUsers: selectedUsers.length > 0 ? selectedUsers : undefined,
-    selectedChannels: selectedChannels.length > 0 ? selectedChannels : undefined,
-    selectedConversations: selectedConversations.length > 0 ? selectedConversations : undefined,
-    selectedLabels: selectedLabels.length > 0 ? selectedLabels : undefined,
-    selectedDate: typed.selected_date,
-    selectedTime: typed.selected_time,
-    selectedDateTime:
-      typeof typed.selected_date_time === "number" ? typed.selected_date_time : undefined,
-    inputValue,
-    inputNumber: parsedNumber,
-    inputEmail,
-    inputUrl,
-    richTextValue,
-    richTextPreview,
-    workflowTriggerUrl: typed.workflow?.trigger_url,
-    workflowId: typed.workflow?.workflow_id,
-  };
-}
-
-function isBulkActionsBlock(block: InteractionMessageBlock): boolean {
-  return (
-    block.type === "actions" &&
-    Array.isArray(block.elements) &&
-    block.elements.length > 0 &&
-    block.elements.every((el) => typeof el.action_id === "string" && el.action_id.includes("_all_"))
-  );
-}
-
-function formatInteractionSelectionLabel(params: {
-  actionId: string;
-  summary: Omit<InteractionSummary, "actionId" | "blockId">;
-  buttonText?: string;
-}): string {
-  if (params.summary.actionType === "button" && params.buttonText?.trim()) {
-    return params.buttonText.trim();
-  }
-  if (params.summary.selectedLabels?.length) {
-    if (params.summary.selectedLabels.length <= 3) {
-      return params.summary.selectedLabels.join(", ");
-    }
-    return `${params.summary.selectedLabels.slice(0, 3).join(", ")} +${
-      params.summary.selectedLabels.length - 3
-    }`;
-  }
-  if (params.summary.selectedValues?.length) {
-    if (params.summary.selectedValues.length <= 3) {
-      return params.summary.selectedValues.join(", ");
-    }
-    return `${params.summary.selectedValues.slice(0, 3).join(", ")} +${
-      params.summary.selectedValues.length - 3
-    }`;
-  }
-  if (params.summary.selectedDate) {
-    return params.summary.selectedDate;
-  }
-  if (params.summary.selectedTime) {
-    return params.summary.selectedTime;
-  }
-  if (typeof params.summary.selectedDateTime === "number") {
-    return new Date(params.summary.selectedDateTime * 1000).toISOString();
-  }
-  if (params.summary.richTextPreview) {
-    return params.summary.richTextPreview;
-  }
-  if (params.summary.value?.trim()) {
-    return params.summary.value.trim();
-  }
-  return params.actionId;
-}
-
-function formatInteractionConfirmationText(params: {
-  selectedLabel: string;
-  userId?: string;
-}): string {
-  const actor = params.userId?.trim() ? ` by <@${params.userId.trim()}>` : "";
-  return `:white_check_mark: *${escapeSlackMrkdwn(params.selectedLabel)}* selected${actor}`;
-}
-
-function buildSlackPluginInteractionData(params: {
-  actionId: string;
-  summary: Omit<InteractionSummary, "actionId" | "blockId">;
-}): string | null {
-  const actionId = params.actionId.trim();
-  if (!actionId) {
-    return null;
-  }
-  const payload =
-    params.summary.value?.trim() ||
-    params.summary.selectedValues?.map((value) => value.trim()).find(Boolean) ||
-    "";
-  if (actionId === SLACK_REPLY_BUTTON_ACTION_ID || actionId === SLACK_REPLY_SELECT_ACTION_ID) {
-    return payload || null;
-  }
-  return payload ? `${actionId}:${payload}` : actionId;
-}
-
-function buildSlackPluginInteractionId(params: {
-  userId?: string;
-  channelId?: string;
-  messageTs?: string;
-  triggerId?: string;
-  actionId: string;
-  summary: Omit<InteractionSummary, "actionId" | "blockId">;
-}): string {
-  const primaryValue =
-    params.summary.value?.trim() ||
-    params.summary.selectedValues?.map((value) => value.trim()).find(Boolean) ||
-    "";
-  return [
-    params.userId?.trim() || "",
-    params.channelId?.trim() || "",
-    params.messageTs?.trim() || "",
-    params.triggerId?.trim() || "",
-    params.actionId.trim(),
-    primaryValue,
-  ].join(":");
-}
-
 function summarizeViewState(values: unknown): ModalInputSummary[] {
   if (!values || typeof values !== "object") {
     return [];
@@ -490,291 +181,9 @@ function summarizeViewState(values: unknown): ModalInputSummary[] {
 
 export function registerSlackInteractionEvents(params: { ctx: SlackMonitorContext }) {
   const { ctx } = params;
-  if (typeof ctx.app.action !== "function") {
-    return;
-  }
-
-  // Handle Block Kit actions for this Slack app, including legacy/custom
-  // action_ids that plugin handlers map into shared interactive namespaces.
-  ctx.app.action(/.+/, async (args: SlackActionMiddlewareArgs) => {
-    const { ack, body, action, respond } = args;
-    const typedBody = body as unknown as {
-      user?: { id?: string };
-      team?: { id?: string };
-      trigger_id?: string;
-      response_url?: string;
-      channel?: { id?: string };
-      container?: { channel_id?: string; message_ts?: string; thread_ts?: string };
-      message?: { ts?: string; text?: string; blocks?: unknown[] };
-    };
-
-    // Acknowledge the action immediately to prevent the warning icon
-    await ack();
-    if (ctx.shouldDropMismatchedSlackEvent?.(body)) {
-      ctx.runtime.log?.("slack:interaction drop block action payload (mismatched app/team)");
-      return;
-    }
-
-    // Extract action details using proper Bolt types
-    const typedAction = readInteractionAction(action);
-    if (!typedAction) {
-      ctx.runtime.log?.(
-        `slack:interaction malformed action payload channel=${typedBody.channel?.id ?? typedBody.container?.channel_id ?? "unknown"} user=${
-          typedBody.user?.id ?? "unknown"
-        }`,
-      );
-      return;
-    }
-    const typedActionWithText = typedAction as {
-      action_id?: string;
-      block_id?: string;
-      type?: string;
-      text?: { text?: string };
-    };
-    const actionId =
-      typeof typedActionWithText.action_id === "string" ? typedActionWithText.action_id : "unknown";
-    const blockId = typedActionWithText.block_id;
-    const userId = typedBody.user?.id ?? "unknown";
-    const channelId = typedBody.channel?.id ?? typedBody.container?.channel_id;
-    const messageTs = typedBody.message?.ts ?? typedBody.container?.message_ts;
-    const threadTs = typedBody.container?.thread_ts;
-    const auth = await authorizeSlackSystemEventSender({
-      ctx,
-      senderId: userId,
-      channelId,
-    });
-    if (!auth.allowed) {
-      ctx.runtime.log?.(
-        `slack:interaction drop action=${actionId} user=${userId} channel=${channelId ?? "unknown"} reason=${auth.reason ?? "unauthorized"}`,
-      );
-      if (respond) {
-        try {
-          await respond({
-            text: "You are not authorized to use this control.",
-            response_type: "ephemeral",
-          });
-        } catch {
-          // Best-effort feedback only.
-        }
-      }
-      return;
-    }
-    const actionSummary = summarizeAction(typedAction);
-    const pluginInteractionData = buildSlackPluginInteractionData({
-      actionId,
-      summary: actionSummary,
-    });
-    if (pluginInteractionData) {
-      const pluginInteractionId = buildSlackPluginInteractionId({
-        userId,
-        channelId,
-        messageTs,
-        triggerId: typedBody.trigger_id,
-        actionId,
-        summary: actionSummary,
-      });
-      const pluginBindingApproval = parsePluginBindingApprovalCustomId(pluginInteractionData);
-      if (pluginBindingApproval) {
-        const resolved = await resolvePluginConversationBindingApproval({
-          approvalId: pluginBindingApproval.approvalId,
-          decision: pluginBindingApproval.decision,
-          senderId: userId,
-        });
-        if (channelId && messageTs) {
-          try {
-            await ctx.app.client.chat.update({
-              channel: channelId,
-              ts: messageTs,
-              text: typedBody.message?.text ?? "",
-              blocks: [],
-            });
-          } catch {
-            // Best-effort cleanup only; continue with follow-up feedback.
-          }
-        }
-        if (respond) {
-          try {
-            await respond({
-              text: buildPluginBindingResolvedText(resolved),
-              response_type: "ephemeral",
-            });
-          } catch {
-            // Best-effort feedback only.
-          }
-        }
-        return;
-      }
-      const pluginResult = await dispatchPluginInteractiveHandler({
-        channel: "slack",
-        data: pluginInteractionData,
-        interactionId: pluginInteractionId,
-        ctx: {
-          accountId: ctx.accountId,
-          interactionId: pluginInteractionId,
-          conversationId: channelId ?? "",
-          parentConversationId: undefined,
-          threadId: threadTs,
-          senderId: userId,
-          senderUsername: undefined,
-          auth: {
-            isAuthorizedSender: auth.allowed,
-          },
-          interaction: {
-            kind: actionSummary.actionType === "button" ? "button" : "select",
-            actionId,
-            blockId,
-            messageTs,
-            threadTs,
-            value: actionSummary.value,
-            selectedValues: actionSummary.selectedValues,
-            selectedLabels: actionSummary.selectedLabels,
-            triggerId: typedBody.trigger_id,
-            responseUrl: typedBody.response_url,
-          },
-        },
-        respond: {
-          acknowledge: async () => {},
-          reply: async ({ text, responseType }) => {
-            if (!respond) {
-              return;
-            }
-            await respond({
-              text,
-              response_type: responseType ?? "ephemeral",
-            });
-          },
-          followUp: async ({ text, responseType }) => {
-            if (!respond) {
-              return;
-            }
-            await respond({
-              text,
-              response_type: responseType ?? "ephemeral",
-            });
-          },
-          editMessage: async ({ text, blocks }) => {
-            if (!channelId || !messageTs) {
-              return;
-            }
-            await ctx.app.client.chat.update({
-              channel: channelId,
-              ts: messageTs,
-              text: text ?? typedBody.message?.text ?? "",
-              ...(Array.isArray(blocks) ? { blocks: blocks as (Block | KnownBlock)[] } : {}),
-            });
-          },
-        },
-      });
-      if (pluginResult.matched && pluginResult.handled) {
-        return;
-      }
-    }
-    const eventPayload: InteractionSummary = {
-      interactionType: "block_action",
-      actionId,
-      blockId,
-      ...actionSummary,
-      userId,
-      teamId: typedBody.team?.id,
-      triggerId: typedBody.trigger_id,
-      responseUrl: typedBody.response_url,
-      channelId,
-      messageTs,
-      threadTs,
-    };
-
-    // Log the interaction for debugging
-    ctx.runtime.log?.(
-      `slack:interaction action=${actionId} type=${actionSummary.actionType ?? "unknown"} user=${userId} channel=${channelId}`,
-    );
-
-    // Send a system event to notify the agent about the button click
-    // Pass undefined (not "unknown") to allow proper main session fallback
-    const sessionKey = ctx.resolveSlackSystemEventSessionKey({
-      channelId: channelId,
-      channelType: auth.channelType,
-      senderId: userId,
-    });
-
-    // Build context key - only include defined values to avoid "unknown" noise
-    const contextParts = ["slack:interaction", channelId, messageTs, actionId].filter(Boolean);
-    const contextKey = contextParts.join(":");
-
-    enqueueSystemEvent(formatSlackInteractionSystemEvent(eventPayload), {
-      sessionKey,
-      contextKey,
-    });
-
-    const originalBlocks = typedBody.message?.blocks;
-    if (!Array.isArray(originalBlocks) || !channelId || !messageTs) {
-      return;
-    }
-
-    if (!blockId) {
-      return;
-    }
-
-    const selectedLabel = formatInteractionSelectionLabel({
-      actionId,
-      summary: actionSummary,
-      buttonText: typedActionWithText.text?.text,
-    });
-    let updatedBlocks = originalBlocks.map((block) => {
-      const typedBlock = block as InteractionMessageBlock;
-      if (typedBlock.type === "actions" && typedBlock.block_id === blockId) {
-        return {
-          type: "context",
-          elements: [
-            {
-              type: "mrkdwn",
-              text: formatInteractionConfirmationText({ selectedLabel, userId }),
-            },
-          ],
-        };
-      }
-      return block;
-    });
-
-    const hasRemainingIndividualActionRows = updatedBlocks.some((block) => {
-      const typedBlock = block as InteractionMessageBlock;
-      return typedBlock.type === "actions" && !isBulkActionsBlock(typedBlock);
-    });
-
-    if (!hasRemainingIndividualActionRows) {
-      updatedBlocks = updatedBlocks.filter((block, index) => {
-        const typedBlock = block as InteractionMessageBlock;
-        if (isBulkActionsBlock(typedBlock)) {
-          return false;
-        }
-        if (typedBlock.type !== "divider") {
-          return true;
-        }
-        const next = updatedBlocks[index + 1] as InteractionMessageBlock | undefined;
-        return !next || !isBulkActionsBlock(next);
-      });
-    }
-
-    try {
-      await ctx.app.client.chat.update({
-        channel: channelId,
-        ts: messageTs,
-        text: typedBody.message?.text ?? "",
-        blocks: updatedBlocks as (Block | KnownBlock)[],
-      });
-    } catch {
-      // If update fails, fallback to ephemeral confirmation for immediate UX feedback.
-      if (!respond) {
-        return;
-      }
-      try {
-        await respond({
-          text: `Button "${actionId}" clicked!`,
-          response_type: "ephemeral",
-        });
-      } catch {
-        // Action was acknowledged and system event enqueued even when response updates fail.
-      }
-    }
+  registerSlackBlockActionHandler({
+    ctx,
+    formatSystemEvent: formatSlackInteractionSystemEvent,
   });
 
   if (typeof ctx.app.view !== "function") {

From 39634088712e5f8530d9063cf5b413c5bf496a18 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Mar 2026 05:28:08 +0000
Subject: [PATCH 017/133] refactor: split plugin interactive dispatch adapters

---
 src/plugins/interactive-dispatch-adapters.ts | 219 ++++++++++
 src/plugins/interactive.test.ts              | 404 ++++++++++++++++++-
 src/plugins/interactive.ts                   | 276 ++-----------
 3 files changed, 650 insertions(+), 249 deletions(-)
 create mode 100644 src/plugins/interactive-dispatch-adapters.ts

diff --git a/src/plugins/interactive-dispatch-adapters.ts b/src/plugins/interactive-dispatch-adapters.ts
new file mode 100644
index 00000000000..4050e707958
--- /dev/null
+++ b/src/plugins/interactive-dispatch-adapters.ts
@@ -0,0 +1,219 @@
+import {
+  detachPluginConversationBinding,
+  getCurrentPluginConversationBinding,
+  requestPluginConversationBinding,
+} from "./conversation-binding.js";
+import type {
+  PluginConversationBindingRequestParams,
+  PluginInteractiveDiscordHandlerContext,
+  PluginInteractiveDiscordHandlerRegistration,
+  PluginInteractiveSlackHandlerContext,
+  PluginInteractiveSlackHandlerRegistration,
+  PluginInteractiveTelegramHandlerContext,
+  PluginInteractiveTelegramHandlerRegistration,
+} from "./types.js";
+
+type RegisteredInteractiveMetadata = {
+  pluginId: string;
+  pluginName?: string;
+  pluginRoot?: string;
+};
+
+type PluginBindingConversation = Parameters<
+  typeof requestPluginConversationBinding
+>[0]["conversation"];
+
+export type TelegramInteractiveDispatchContext = Omit<
+  PluginInteractiveTelegramHandlerContext,
+  | "callback"
+  | "respond"
+  | "channel"
+  | "requestConversationBinding"
+  | "detachConversationBinding"
+  | "getCurrentConversationBinding"
+> & {
+  callbackMessage: {
+    messageId: number;
+    chatId: string;
+    messageText?: string;
+  };
+};
+
+export type DiscordInteractiveDispatchContext = Omit<
+  PluginInteractiveDiscordHandlerContext,
+  | "interaction"
+  | "respond"
+  | "channel"
+  | "requestConversationBinding"
+  | "detachConversationBinding"
+  | "getCurrentConversationBinding"
+> & {
+  interaction: Omit<
+    PluginInteractiveDiscordHandlerContext["interaction"],
+    "data" | "namespace" | "payload"
+  >;
+};
+
+export type SlackInteractiveDispatchContext = Omit<
+  PluginInteractiveSlackHandlerContext,
+  | "interaction"
+  | "respond"
+  | "channel"
+  | "requestConversationBinding"
+  | "detachConversationBinding"
+  | "getCurrentConversationBinding"
+> & {
+  interaction: Omit<
+    PluginInteractiveSlackHandlerContext["interaction"],
+    "data" | "namespace" | "payload"
+  >;
+};
+
+function createConversationBindingHelpers(params: {
+  registration: RegisteredInteractiveMetadata;
+  senderId?: string;
+  conversation: PluginBindingConversation;
+}) {
+  const { registration, senderId, conversation } = params;
+  const pluginRoot = registration.pluginRoot;
+
+  return {
+    requestConversationBinding: async (binding: PluginConversationBindingRequestParams = {}) => {
+      if (!pluginRoot) {
+        return {
+          status: "error" as const,
+          message: "This interaction cannot bind the current conversation.",
+        };
+      }
+      return requestPluginConversationBinding({
+        pluginId: registration.pluginId,
+        pluginName: registration.pluginName,
+        pluginRoot,
+        requestedBySenderId: senderId,
+        conversation,
+        binding,
+      });
+    },
+    detachConversationBinding: async () => {
+      if (!pluginRoot) {
+        return { removed: false };
+      }
+      return detachPluginConversationBinding({
+        pluginRoot,
+        conversation,
+      });
+    },
+    getCurrentConversationBinding: async () => {
+      if (!pluginRoot) {
+        return null;
+      }
+      return getCurrentPluginConversationBinding({
+        pluginRoot,
+        conversation,
+      });
+    },
+  };
+}
+
+export function dispatchTelegramInteractiveHandler(params: {
+  registration: PluginInteractiveTelegramHandlerRegistration & RegisteredInteractiveMetadata;
+  data: string;
+  namespace: string;
+  payload: string;
+  ctx: TelegramInteractiveDispatchContext;
+  respond: PluginInteractiveTelegramHandlerContext["respond"];
+}) {
+  const { callbackMessage, ...handlerContext } = params.ctx;
+
+  return params.registration.handler({
+    ...handlerContext,
+    channel: "telegram",
+    callback: {
+      data: params.data,
+      namespace: params.namespace,
+      payload: params.payload,
+      messageId: callbackMessage.messageId,
+      chatId: callbackMessage.chatId,
+      messageText: callbackMessage.messageText,
+    },
+    respond: params.respond,
+    ...createConversationBindingHelpers({
+      registration: params.registration,
+      senderId: handlerContext.senderId,
+      conversation: {
+        channel: "telegram",
+        accountId: handlerContext.accountId,
+        conversationId: handlerContext.conversationId,
+        parentConversationId: handlerContext.parentConversationId,
+        threadId: handlerContext.threadId,
+      },
+    }),
+  });
+}
+
+export function dispatchDiscordInteractiveHandler(params: {
+  registration: PluginInteractiveDiscordHandlerRegistration & RegisteredInteractiveMetadata;
+  data: string;
+  namespace: string;
+  payload: string;
+  ctx: DiscordInteractiveDispatchContext;
+  respond: PluginInteractiveDiscordHandlerContext["respond"];
+}) {
+  const handlerContext = params.ctx;
+
+  return params.registration.handler({
+    ...handlerContext,
+    channel: "discord",
+    interaction: {
+      ...handlerContext.interaction,
+      data: params.data,
+      namespace: params.namespace,
+      payload: params.payload,
+    },
+    respond: params.respond,
+    ...createConversationBindingHelpers({
+      registration: params.registration,
+      senderId: handlerContext.senderId,
+      conversation: {
+        channel: "discord",
+        accountId: handlerContext.accountId,
+        conversationId: handlerContext.conversationId,
+        parentConversationId: handlerContext.parentConversationId,
+      },
+    }),
+  });
+}
+
+export function dispatchSlackInteractiveHandler(params: {
+  registration: PluginInteractiveSlackHandlerRegistration & RegisteredInteractiveMetadata;
+  data: string;
+  namespace: string;
+  payload: string;
+  ctx: SlackInteractiveDispatchContext;
+  respond: PluginInteractiveSlackHandlerContext["respond"];
+}) {
+  const handlerContext = params.ctx;
+
+  return params.registration.handler({
+    ...handlerContext,
+    channel: "slack",
+    interaction: {
+      ...handlerContext.interaction,
+      data: params.data,
+      namespace: params.namespace,
+      payload: params.payload,
+    },
+    respond: params.respond,
+    ...createConversationBindingHelpers({
+      registration: params.registration,
+      senderId: handlerContext.senderId,
+      conversation: {
+        channel: "slack",
+        accountId: handlerContext.accountId,
+        conversationId: handlerContext.conversationId,
+        parentConversationId: handlerContext.parentConversationId,
+        threadId: handlerContext.threadId,
+      },
+    }),
+  });
+}
diff --git a/src/plugins/interactive.test.ts b/src/plugins/interactive.test.ts
index 10caf6dbfa9..14980ec4545 100644
--- a/src/plugins/interactive.test.ts
+++ b/src/plugins/interactive.test.ts
@@ -1,13 +1,62 @@
-import { beforeEach, describe, expect, it, vi } from "vitest";
+import { afterEach, beforeEach, describe, expect, it, vi, type MockInstance } from "vitest";
+import * as conversationBinding from "./conversation-binding.js";
 import {
   clearPluginInteractiveHandlers,
   dispatchPluginInteractiveHandler,
   registerPluginInteractiveHandler,
 } from "./interactive.js";
 
+let requestPluginConversationBindingMock: MockInstance<
+  typeof conversationBinding.requestPluginConversationBinding
+>;
+let detachPluginConversationBindingMock: MockInstance<
+  typeof conversationBinding.detachPluginConversationBinding
+>;
+let getCurrentPluginConversationBindingMock: MockInstance<
+  typeof conversationBinding.getCurrentPluginConversationBinding
+>;
+
 describe("plugin interactive handlers", () => {
   beforeEach(() => {
     clearPluginInteractiveHandlers();
+    requestPluginConversationBindingMock = vi
+      .spyOn(conversationBinding, "requestPluginConversationBinding")
+      .mockResolvedValue({
+        status: "bound",
+        binding: {
+          bindingId: "binding-1",
+          pluginId: "codex-plugin",
+          pluginName: "Codex",
+          pluginRoot: "/plugins/codex",
+          channel: "telegram",
+          accountId: "default",
+          conversationId: "-10099:topic:77",
+          parentConversationId: "-10099",
+          threadId: 77,
+          boundAt: 1,
+        },
+      });
+    detachPluginConversationBindingMock = vi
+      .spyOn(conversationBinding, "detachPluginConversationBinding")
+      .mockResolvedValue({ removed: true });
+    getCurrentPluginConversationBindingMock = vi
+      .spyOn(conversationBinding, "getCurrentPluginConversationBinding")
+      .mockResolvedValue({
+        bindingId: "binding-1",
+        pluginId: "codex-plugin",
+        pluginName: "Codex",
+        pluginRoot: "/plugins/codex",
+        channel: "telegram",
+        accountId: "default",
+        conversationId: "-10099:topic:77",
+        parentConversationId: "-10099",
+        threadId: 77,
+        boundAt: 1,
+      });
+  });
+
+  afterEach(() => {
+    vi.restoreAllMocks();
   });
 
   it("routes Telegram callbacks by namespace and dedupes callback ids", async () => {
@@ -213,6 +262,359 @@ describe("plugin interactive handlers", () => {
     );
   });
 
+  it("wires Telegram conversation binding helpers with topic context", async () => {
+    const requestResult = {
+      status: "bound" as const,
+      binding: {
+        bindingId: "binding-telegram",
+        pluginId: "codex-plugin",
+        pluginName: "Codex",
+        pluginRoot: "/plugins/codex",
+        channel: "telegram",
+        accountId: "default",
+        conversationId: "-10099:topic:77",
+        parentConversationId: "-10099",
+        threadId: 77,
+        boundAt: 1,
+      },
+    };
+    const currentBinding = {
+      ...requestResult.binding,
+      boundAt: 2,
+    };
+    requestPluginConversationBindingMock.mockResolvedValueOnce(requestResult);
+    getCurrentPluginConversationBindingMock.mockResolvedValueOnce(currentBinding);
+
+    const handler = vi.fn(async (ctx) => {
+      await expect(
+        ctx.requestConversationBinding({
+          summary: "Bind this topic",
+          detachHint: "Use /new to detach",
+        }),
+      ).resolves.toEqual(requestResult);
+      await expect(ctx.detachConversationBinding()).resolves.toEqual({ removed: true });
+      await expect(ctx.getCurrentConversationBinding()).resolves.toEqual(currentBinding);
+      return { handled: true };
+    });
+    expect(
+      registerPluginInteractiveHandler(
+        "codex-plugin",
+        {
+          channel: "telegram",
+          namespace: "codex",
+          handler,
+        },
+        { pluginName: "Codex", pluginRoot: "/plugins/codex" },
+      ),
+    ).toEqual({ ok: true });
+
+    await expect(
+      dispatchPluginInteractiveHandler({
+        channel: "telegram",
+        data: "codex:bind",
+        callbackId: "cb-bind",
+        ctx: {
+          accountId: "default",
+          callbackId: "cb-bind",
+          conversationId: "-10099:topic:77",
+          parentConversationId: "-10099",
+          senderId: "user-1",
+          senderUsername: "ada",
+          threadId: 77,
+          isGroup: true,
+          isForum: true,
+          auth: { isAuthorizedSender: true },
+          callbackMessage: {
+            messageId: 55,
+            chatId: "-10099",
+            messageText: "Pick a thread",
+          },
+        },
+        respond: {
+          reply: vi.fn(async () => {}),
+          editMessage: vi.fn(async () => {}),
+          editButtons: vi.fn(async () => {}),
+          clearButtons: vi.fn(async () => {}),
+          deleteMessage: vi.fn(async () => {}),
+        },
+      }),
+    ).resolves.toEqual({
+      matched: true,
+      handled: true,
+      duplicate: false,
+    });
+
+    expect(requestPluginConversationBindingMock).toHaveBeenCalledWith({
+      pluginId: "codex-plugin",
+      pluginName: "Codex",
+      pluginRoot: "/plugins/codex",
+      requestedBySenderId: "user-1",
+      conversation: {
+        channel: "telegram",
+        accountId: "default",
+        conversationId: "-10099:topic:77",
+        parentConversationId: "-10099",
+        threadId: 77,
+      },
+      binding: {
+        summary: "Bind this topic",
+        detachHint: "Use /new to detach",
+      },
+    });
+    expect(detachPluginConversationBindingMock).toHaveBeenCalledWith({
+      pluginRoot: "/plugins/codex",
+      conversation: {
+        channel: "telegram",
+        accountId: "default",
+        conversationId: "-10099:topic:77",
+        parentConversationId: "-10099",
+        threadId: 77,
+      },
+    });
+    expect(getCurrentPluginConversationBindingMock).toHaveBeenCalledWith({
+      pluginRoot: "/plugins/codex",
+      conversation: {
+        channel: "telegram",
+        accountId: "default",
+        conversationId: "-10099:topic:77",
+        parentConversationId: "-10099",
+        threadId: 77,
+      },
+    });
+  });
+
+  it("wires Discord conversation binding helpers with parent channel context", async () => {
+    const requestResult = {
+      status: "bound" as const,
+      binding: {
+        bindingId: "binding-discord",
+        pluginId: "codex-plugin",
+        pluginName: "Codex",
+        pluginRoot: "/plugins/codex",
+        channel: "discord",
+        accountId: "default",
+        conversationId: "channel-1",
+        parentConversationId: "parent-1",
+        boundAt: 1,
+      },
+    };
+    const currentBinding = {
+      ...requestResult.binding,
+      boundAt: 2,
+    };
+    requestPluginConversationBindingMock.mockResolvedValueOnce(requestResult);
+    getCurrentPluginConversationBindingMock.mockResolvedValueOnce(currentBinding);
+
+    const handler = vi.fn(async (ctx) => {
+      await expect(ctx.requestConversationBinding({ summary: "Bind Discord" })).resolves.toEqual(
+        requestResult,
+      );
+      await expect(ctx.detachConversationBinding()).resolves.toEqual({ removed: true });
+      await expect(ctx.getCurrentConversationBinding()).resolves.toEqual(currentBinding);
+      return { handled: true };
+    });
+    expect(
+      registerPluginInteractiveHandler(
+        "codex-plugin",
+        {
+          channel: "discord",
+          namespace: "codex",
+          handler,
+        },
+        { pluginName: "Codex", pluginRoot: "/plugins/codex" },
+      ),
+    ).toEqual({ ok: true });
+
+    await expect(
+      dispatchPluginInteractiveHandler({
+        channel: "discord",
+        data: "codex:bind",
+        interactionId: "ix-bind",
+        ctx: {
+          accountId: "default",
+          interactionId: "ix-bind",
+          conversationId: "channel-1",
+          parentConversationId: "parent-1",
+          guildId: "guild-1",
+          senderId: "user-1",
+          senderUsername: "ada",
+          auth: { isAuthorizedSender: true },
+          interaction: {
+            kind: "button",
+            messageId: "message-1",
+            values: ["allow"],
+          },
+        },
+        respond: {
+          acknowledge: vi.fn(async () => {}),
+          reply: vi.fn(async () => {}),
+          followUp: vi.fn(async () => {}),
+          editMessage: vi.fn(async () => {}),
+          clearComponents: vi.fn(async () => {}),
+        },
+      }),
+    ).resolves.toEqual({
+      matched: true,
+      handled: true,
+      duplicate: false,
+    });
+
+    expect(requestPluginConversationBindingMock).toHaveBeenCalledWith({
+      pluginId: "codex-plugin",
+      pluginName: "Codex",
+      pluginRoot: "/plugins/codex",
+      requestedBySenderId: "user-1",
+      conversation: {
+        channel: "discord",
+        accountId: "default",
+        conversationId: "channel-1",
+        parentConversationId: "parent-1",
+      },
+      binding: {
+        summary: "Bind Discord",
+      },
+    });
+    expect(detachPluginConversationBindingMock).toHaveBeenCalledWith({
+      pluginRoot: "/plugins/codex",
+      conversation: {
+        channel: "discord",
+        accountId: "default",
+        conversationId: "channel-1",
+        parentConversationId: "parent-1",
+      },
+    });
+    expect(getCurrentPluginConversationBindingMock).toHaveBeenCalledWith({
+      pluginRoot: "/plugins/codex",
+      conversation: {
+        channel: "discord",
+        accountId: "default",
+        conversationId: "channel-1",
+        parentConversationId: "parent-1",
+      },
+    });
+  });
+
+  it("wires Slack conversation binding helpers with thread context", async () => {
+    const requestResult = {
+      status: "bound" as const,
+      binding: {
+        bindingId: "binding-slack",
+        pluginId: "codex-plugin",
+        pluginName: "Codex",
+        pluginRoot: "/plugins/codex",
+        channel: "slack",
+        accountId: "default",
+        conversationId: "C123",
+        parentConversationId: "C123",
+        threadId: "1710000000.000100",
+        boundAt: 1,
+      },
+    };
+    const currentBinding = {
+      ...requestResult.binding,
+      boundAt: 2,
+    };
+    requestPluginConversationBindingMock.mockResolvedValueOnce(requestResult);
+    getCurrentPluginConversationBindingMock.mockResolvedValueOnce(currentBinding);
+
+    const handler = vi.fn(async (ctx) => {
+      await expect(ctx.requestConversationBinding({ summary: "Bind Slack" })).resolves.toEqual(
+        requestResult,
+      );
+      await expect(ctx.detachConversationBinding()).resolves.toEqual({ removed: true });
+      await expect(ctx.getCurrentConversationBinding()).resolves.toEqual(currentBinding);
+      return { handled: true };
+    });
+    expect(
+      registerPluginInteractiveHandler(
+        "codex-plugin",
+        {
+          channel: "slack",
+          namespace: "codex",
+          handler,
+        },
+        { pluginName: "Codex", pluginRoot: "/plugins/codex" },
+      ),
+    ).toEqual({ ok: true });
+
+    await expect(
+      dispatchPluginInteractiveHandler({
+        channel: "slack",
+        data: "codex:bind",
+        interactionId: "slack-bind",
+        ctx: {
+          accountId: "default",
+          interactionId: "slack-bind",
+          conversationId: "C123",
+          parentConversationId: "C123",
+          threadId: "1710000000.000100",
+          senderId: "user-1",
+          senderUsername: "ada",
+          auth: { isAuthorizedSender: true },
+          interaction: {
+            kind: "button",
+            actionId: "codex",
+            blockId: "codex_actions",
+            messageTs: "1710000000.000200",
+            threadTs: "1710000000.000100",
+            value: "bind",
+            selectedValues: ["bind"],
+            selectedLabels: ["Bind"],
+            triggerId: "trigger-1",
+            responseUrl: "https://hooks.slack.test/response",
+          },
+        },
+        respond: {
+          acknowledge: vi.fn(async () => {}),
+          reply: vi.fn(async () => {}),
+          followUp: vi.fn(async () => {}),
+          editMessage: vi.fn(async () => {}),
+        },
+      }),
+    ).resolves.toEqual({
+      matched: true,
+      handled: true,
+      duplicate: false,
+    });
+
+    expect(requestPluginConversationBindingMock).toHaveBeenCalledWith({
+      pluginId: "codex-plugin",
+      pluginName: "Codex",
+      pluginRoot: "/plugins/codex",
+      requestedBySenderId: "user-1",
+      conversation: {
+        channel: "slack",
+        accountId: "default",
+        conversationId: "C123",
+        parentConversationId: "C123",
+        threadId: "1710000000.000100",
+      },
+      binding: {
+        summary: "Bind Slack",
+      },
+    });
+    expect(detachPluginConversationBindingMock).toHaveBeenCalledWith({
+      pluginRoot: "/plugins/codex",
+      conversation: {
+        channel: "slack",
+        accountId: "default",
+        conversationId: "C123",
+        parentConversationId: "C123",
+        threadId: "1710000000.000100",
+      },
+    });
+    expect(getCurrentPluginConversationBindingMock).toHaveBeenCalledWith({
+      pluginRoot: "/plugins/codex",
+      conversation: {
+        channel: "slack",
+        accountId: "default",
+        conversationId: "C123",
+        parentConversationId: "C123",
+        threadId: "1710000000.000100",
+      },
+    });
+  });
+
   it("does not consume dedupe keys when a handler throws", async () => {
     const handler = vi
       .fn(async () => ({ handled: true }))
diff --git a/src/plugins/interactive.ts b/src/plugins/interactive.ts
index 15561a8af15..04403c80fa2 100644
--- a/src/plugins/interactive.ts
+++ b/src/plugins/interactive.ts
@@ -1,9 +1,12 @@
 import { createDedupeCache } from "../infra/dedupe.js";
 import {
-  detachPluginConversationBinding,
-  getCurrentPluginConversationBinding,
-  requestPluginConversationBinding,
-} from "./conversation-binding.js";
+  dispatchDiscordInteractiveHandler,
+  dispatchSlackInteractiveHandler,
+  dispatchTelegramInteractiveHandler,
+  type DiscordInteractiveDispatchContext,
+  type SlackInteractiveDispatchContext,
+  type TelegramInteractiveDispatchContext,
+} from "./interactive-dispatch-adapters.js";
 import type {
   PluginInteractiveDiscordHandlerContext,
   PluginInteractiveButtons,
@@ -30,52 +33,6 @@ type InteractiveDispatchResult =
   | { matched: false; handled: false; duplicate: false }
   | { matched: true; handled: boolean; duplicate: boolean };
 
-type TelegramInteractiveDispatchContext = Omit<
-  PluginInteractiveTelegramHandlerContext,
-  | "callback"
-  | "respond"
-  | "channel"
-  | "requestConversationBinding"
-  | "detachConversationBinding"
-  | "getCurrentConversationBinding"
-> & {
-  callbackMessage: {
-    messageId: number;
-    chatId: string;
-    messageText?: string;
-  };
-};
-
-type DiscordInteractiveDispatchContext = Omit<
-  PluginInteractiveDiscordHandlerContext,
-  | "interaction"
-  | "respond"
-  | "channel"
-  | "requestConversationBinding"
-  | "detachConversationBinding"
-  | "getCurrentConversationBinding"
-> & {
-  interaction: Omit<
-    PluginInteractiveDiscordHandlerContext["interaction"],
-    "data" | "namespace" | "payload"
-  >;
-};
-
-type SlackInteractiveDispatchContext = Omit<
-  PluginInteractiveSlackHandlerContext,
-  | "interaction"
-  | "respond"
-  | "channel"
-  | "requestConversationBinding"
-  | "detachConversationBinding"
-  | "getCurrentConversationBinding"
-> & {
-  interaction: Omit<
-    PluginInteractiveSlackHandlerContext["interaction"],
-    "data" | "namespace" | "payload"
-  >;
-};
-
 const interactiveHandlers = new Map<string, RegisteredInteractiveHandler>();
 const callbackDedupe = createDedupeCache({
   ttlMs: 5 * 60_000,
@@ -252,211 +209,34 @@ export async function dispatchPluginInteractiveHandler(params: {
     | ReturnType<PluginInteractiveDiscordHandlerRegistration["handler"]>
     | ReturnType<PluginInteractiveSlackHandlerRegistration["handler"]>;
   if (params.channel === "telegram") {
-    const pluginRoot = match.registration.pluginRoot;
-    const { callbackMessage, ...handlerContext } = params.ctx as TelegramInteractiveDispatchContext;
-    result = (
-      match.registration as RegisteredInteractiveHandler &
-        PluginInteractiveTelegramHandlerRegistration
-    ).handler({
-      ...handlerContext,
-      channel: "telegram",
-      callback: {
-        data: params.data,
-        namespace: match.namespace,
-        payload: match.payload,
-        messageId: callbackMessage.messageId,
-        chatId: callbackMessage.chatId,
-        messageText: callbackMessage.messageText,
-      },
+    result = dispatchTelegramInteractiveHandler({
+      registration: match.registration as RegisteredInteractiveHandler &
+        PluginInteractiveTelegramHandlerRegistration,
+      data: params.data,
+      namespace: match.namespace,
+      payload: match.payload,
+      ctx: params.ctx as TelegramInteractiveDispatchContext,
       respond: params.respond as PluginInteractiveTelegramHandlerContext["respond"],
-      requestConversationBinding: async (bindingParams) => {
-        if (!pluginRoot) {
-          return {
-            status: "error",
-            message: "This interaction cannot bind the current conversation.",
-          };
-        }
-        return requestPluginConversationBinding({
-          pluginId: match.registration.pluginId,
-          pluginName: match.registration.pluginName,
-          pluginRoot,
-          requestedBySenderId: handlerContext.senderId,
-          conversation: {
-            channel: "telegram",
-            accountId: handlerContext.accountId,
-            conversationId: handlerContext.conversationId,
-            parentConversationId: handlerContext.parentConversationId,
-            threadId: handlerContext.threadId,
-          },
-          binding: bindingParams,
-        });
-      },
-      detachConversationBinding: async () => {
-        if (!pluginRoot) {
-          return { removed: false };
-        }
-        return detachPluginConversationBinding({
-          pluginRoot,
-          conversation: {
-            channel: "telegram",
-            accountId: handlerContext.accountId,
-            conversationId: handlerContext.conversationId,
-            parentConversationId: handlerContext.parentConversationId,
-            threadId: handlerContext.threadId,
-          },
-        });
-      },
-      getCurrentConversationBinding: async () => {
-        if (!pluginRoot) {
-          return null;
-        }
-        return getCurrentPluginConversationBinding({
-          pluginRoot,
-          conversation: {
-            channel: "telegram",
-            accountId: handlerContext.accountId,
-            conversationId: handlerContext.conversationId,
-            parentConversationId: handlerContext.parentConversationId,
-            threadId: handlerContext.threadId,
-          },
-        });
-      },
     });
   } else if (params.channel === "discord") {
-    const pluginRoot = match.registration.pluginRoot;
-    result = (
-      match.registration as RegisteredInteractiveHandler &
-        PluginInteractiveDiscordHandlerRegistration
-    ).handler({
-      ...(params.ctx as DiscordInteractiveDispatchContext),
-      channel: "discord",
-      interaction: {
-        ...(params.ctx as DiscordInteractiveDispatchContext).interaction,
-        data: params.data,
-        namespace: match.namespace,
-        payload: match.payload,
-      },
+    result = dispatchDiscordInteractiveHandler({
+      registration: match.registration as RegisteredInteractiveHandler &
+        PluginInteractiveDiscordHandlerRegistration,
+      data: params.data,
+      namespace: match.namespace,
+      payload: match.payload,
+      ctx: params.ctx as DiscordInteractiveDispatchContext,
       respond: params.respond as PluginInteractiveDiscordHandlerContext["respond"],
-      requestConversationBinding: async (bindingParams) => {
-        if (!pluginRoot) {
-          return {
-            status: "error",
-            message: "This interaction cannot bind the current conversation.",
-          };
-        }
-        const handlerContext = params.ctx as DiscordInteractiveDispatchContext;
-        return requestPluginConversationBinding({
-          pluginId: match.registration.pluginId,
-          pluginName: match.registration.pluginName,
-          pluginRoot,
-          requestedBySenderId: handlerContext.senderId,
-          conversation: {
-            channel: "discord",
-            accountId: handlerContext.accountId,
-            conversationId: handlerContext.conversationId,
-            parentConversationId: handlerContext.parentConversationId,
-          },
-          binding: bindingParams,
-        });
-      },
-      detachConversationBinding: async () => {
-        if (!pluginRoot) {
-          return { removed: false };
-        }
-        const handlerContext = params.ctx as DiscordInteractiveDispatchContext;
-        return detachPluginConversationBinding({
-          pluginRoot,
-          conversation: {
-            channel: "discord",
-            accountId: handlerContext.accountId,
-            conversationId: handlerContext.conversationId,
-            parentConversationId: handlerContext.parentConversationId,
-          },
-        });
-      },
-      getCurrentConversationBinding: async () => {
-        if (!pluginRoot) {
-          return null;
-        }
-        const handlerContext = params.ctx as DiscordInteractiveDispatchContext;
-        return getCurrentPluginConversationBinding({
-          pluginRoot,
-          conversation: {
-            channel: "discord",
-            accountId: handlerContext.accountId,
-            conversationId: handlerContext.conversationId,
-            parentConversationId: handlerContext.parentConversationId,
-          },
-        });
-      },
     });
   } else {
-    const pluginRoot = match.registration.pluginRoot;
-    const handlerContext = params.ctx as SlackInteractiveDispatchContext;
-    result = (
-      match.registration as RegisteredInteractiveHandler & PluginInteractiveSlackHandlerRegistration
-    ).handler({
-      ...handlerContext,
-      channel: "slack",
-      interaction: {
-        ...handlerContext.interaction,
-        data: params.data,
-        namespace: match.namespace,
-        payload: match.payload,
-      },
+    result = dispatchSlackInteractiveHandler({
+      registration: match.registration as RegisteredInteractiveHandler &
+        PluginInteractiveSlackHandlerRegistration,
+      data: params.data,
+      namespace: match.namespace,
+      payload: match.payload,
+      ctx: params.ctx as SlackInteractiveDispatchContext,
       respond: params.respond as PluginInteractiveSlackHandlerContext["respond"],
-      requestConversationBinding: async (bindingParams) => {
-        if (!pluginRoot) {
-          return {
-            status: "error",
-            message: "This interaction cannot bind the current conversation.",
-          };
-        }
-        return requestPluginConversationBinding({
-          pluginId: match.registration.pluginId,
-          pluginName: match.registration.pluginName,
-          pluginRoot,
-          requestedBySenderId: handlerContext.senderId,
-          conversation: {
-            channel: "slack",
-            accountId: handlerContext.accountId,
-            conversationId: handlerContext.conversationId,
-            parentConversationId: handlerContext.parentConversationId,
-            threadId: handlerContext.threadId,
-          },
-          binding: bindingParams,
-        });
-      },
-      detachConversationBinding: async () => {
-        if (!pluginRoot) {
-          return { removed: false };
-        }
-        return detachPluginConversationBinding({
-          pluginRoot,
-          conversation: {
-            channel: "slack",
-            accountId: handlerContext.accountId,
-            conversationId: handlerContext.conversationId,
-            parentConversationId: handlerContext.parentConversationId,
-            threadId: handlerContext.threadId,
-          },
-        });
-      },
-      getCurrentConversationBinding: async () => {
-        if (!pluginRoot) {
-          return null;
-        }
-        return getCurrentPluginConversationBinding({
-          pluginRoot,
-          conversation: {
-            channel: "slack",
-            accountId: handlerContext.accountId,
-            conversationId: handlerContext.conversationId,
-            parentConversationId: handlerContext.parentConversationId,
-            threadId: handlerContext.threadId,
-          },
-        });
-      },
     });
   }
   const resolved = await result;

From 7bea559166811732237db003c9ddc7e7e51f8c8e Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Mar 2026 05:32:41 +0000
Subject: [PATCH 018/133] refactor: unify reply content checks

---
 src/auto-reply/reply/normalize-reply.ts     | 57 ++++++++++++++----
 src/auto-reply/reply/reply-payloads.ts      | 17 +++---
 src/auto-reply/reply/route-reply.ts         | 11 +++-
 src/infra/outbound/deliver.ts               | 32 +++++-----
 src/infra/outbound/message-action-runner.ts | 18 +++---
 src/infra/outbound/payloads.ts              | 20 +++++--
 src/interactive/payload.test.ts             | 66 +++++++++++++++++++++
 src/interactive/payload.ts                  | 24 ++++++++
 8 files changed, 195 insertions(+), 50 deletions(-)
 create mode 100644 src/interactive/payload.test.ts

diff --git a/src/auto-reply/reply/normalize-reply.ts b/src/auto-reply/reply/normalize-reply.ts
index 9ef5a7a9d90..52faa463bdb 100644
--- a/src/auto-reply/reply/normalize-reply.ts
+++ b/src/auto-reply/reply/normalize-reply.ts
@@ -1,4 +1,5 @@
 import { sanitizeUserFacingText } from "../../agents/pi-embedded-helpers.js";
+import { hasReplyChannelData, hasReplyContent } from "../../interactive/payload.js";
 import { stripHeartbeatToken } from "../heartbeat.js";
 import {
   HEARTBEAT_TOKEN,
@@ -31,13 +32,17 @@ export function normalizeReplyPayload(
   payload: ReplyPayload,
   opts: NormalizeReplyOptions = {},
 ): ReplyPayload | null {
-  const hasMedia = Boolean(payload.mediaUrl || (payload.mediaUrls?.length ?? 0) > 0);
-  const hasInteractive = (payload.interactive?.blocks.length ?? 0) > 0;
-  const hasChannelData = Boolean(
-    payload.channelData && Object.keys(payload.channelData).length > 0,
-  );
+  const hasChannelData = hasReplyChannelData(payload.channelData);
   const trimmed = payload.text?.trim() ?? "";
-  if (!trimmed && !hasMedia && !hasInteractive && !hasChannelData) {
+  if (
+    !hasReplyContent({
+      text: trimmed,
+      mediaUrl: payload.mediaUrl,
+      mediaUrls: payload.mediaUrls,
+      interactive: payload.interactive,
+      hasChannelData,
+    })
+  ) {
     opts.onSkip?.("empty");
     return null;
   }
@@ -45,7 +50,14 @@ export function normalizeReplyPayload(
   const silentToken = opts.silentToken ?? SILENT_REPLY_TOKEN;
   let text = payload.text ?? undefined;
   if (text && isSilentReplyText(text, silentToken)) {
-    if (!hasMedia && !hasInteractive && !hasChannelData) {
+    if (
+      !hasReplyContent({
+        mediaUrl: payload.mediaUrl,
+        mediaUrls: payload.mediaUrls,
+        interactive: payload.interactive,
+        hasChannelData,
+      })
+    ) {
       opts.onSkip?.("silent");
       return null;
     }
@@ -56,7 +68,15 @@ export function normalizeReplyPayload(
   // silent just like the exact-match path above.  (#30916, #30955)
   if (text && text.includes(silentToken) && !isSilentReplyText(text, silentToken)) {
     text = stripSilentToken(text, silentToken);
-    if (!text && !hasMedia && !hasInteractive && !hasChannelData) {
+    if (
+      !hasReplyContent({
+        text,
+        mediaUrl: payload.mediaUrl,
+        mediaUrls: payload.mediaUrls,
+        interactive: payload.interactive,
+        hasChannelData,
+      })
+    ) {
       opts.onSkip?.("silent");
       return null;
     }
@@ -72,7 +92,16 @@ export function normalizeReplyPayload(
     if (stripped.didStrip) {
       opts.onHeartbeatStrip?.();
     }
-    if (stripped.shouldSkip && !hasMedia && !hasInteractive && !hasChannelData) {
+    if (
+      stripped.shouldSkip &&
+      !hasReplyContent({
+        text: stripped.text,
+        mediaUrl: payload.mediaUrl,
+        mediaUrls: payload.mediaUrls,
+        interactive: payload.interactive,
+        hasChannelData,
+      })
+    ) {
       opts.onSkip?.("heartbeat");
       return null;
     }
@@ -82,7 +111,15 @@ export function normalizeReplyPayload(
   if (text) {
     text = sanitizeUserFacingText(text, { errorContext: Boolean(payload.isError) });
   }
-  if (!text?.trim() && !hasMedia && !hasInteractive && !hasChannelData) {
+  if (
+    !hasReplyContent({
+      text,
+      mediaUrl: payload.mediaUrl,
+      mediaUrls: payload.mediaUrls,
+      interactive: payload.interactive,
+      hasChannelData,
+    })
+  ) {
     opts.onSkip?.("empty");
     return null;
   }
diff --git a/src/auto-reply/reply/reply-payloads.ts b/src/auto-reply/reply/reply-payloads.ts
index ab7586f1664..f5f409e2900 100644
--- a/src/auto-reply/reply/reply-payloads.ts
+++ b/src/auto-reply/reply/reply-payloads.ts
@@ -4,6 +4,7 @@ import type { MessagingToolSend } from "../../agents/pi-embedded-runner.js";
 import { normalizeChannelId } from "../../channels/plugins/index.js";
 import type { ReplyToMode } from "../../config/types.js";
 import { normalizeTargetForProvider } from "../../infra/outbound/target-normalization.js";
+import { hasReplyChannelData, hasReplyContent } from "../../interactive/payload.js";
 import { normalizeOptionalAccountId } from "../../routing/account-id.js";
 import type { OriginatingChannelType } from "../templating.js";
 import type { ReplyPayload } from "../types.js";
@@ -74,14 +75,14 @@ export function applyReplyTagsToPayload(
 }
 
 export function isRenderablePayload(payload: ReplyPayload): boolean {
-  return Boolean(
-    payload.text ||
-    payload.mediaUrl ||
-    (payload.mediaUrls && payload.mediaUrls.length > 0) ||
-    payload.audioAsVoice ||
-    payload.interactive ||
-    payload.channelData,
-  );
+  return hasReplyContent({
+    text: payload.text,
+    mediaUrl: payload.mediaUrl,
+    mediaUrls: payload.mediaUrls,
+    interactive: payload.interactive,
+    hasChannelData: hasReplyChannelData(payload.channelData),
+    extraContent: payload.audioAsVoice,
+  });
 }
 
 export function shouldSuppressReasoningPayload(payload: ReplyPayload): boolean {
diff --git a/src/auto-reply/reply/route-reply.ts b/src/auto-reply/reply/route-reply.ts
index 8dc7499526a..3836ceb5ab6 100644
--- a/src/auto-reply/reply/route-reply.ts
+++ b/src/auto-reply/reply/route-reply.ts
@@ -12,6 +12,7 @@ import { resolveEffectiveMessagesConfig } from "../../agents/identity.js";
 import { getChannelPlugin, normalizeChannelId } from "../../channels/plugins/index.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import { buildOutboundSessionContext } from "../../infra/outbound/session-context.js";
+import { hasReplyContent } from "../../interactive/payload.js";
 import { INTERNAL_MESSAGE_CHANNEL, normalizeMessageChannel } from "../../utils/message-channel.js";
 import type { OriginatingChannelType } from "../templating.js";
 import type { ReplyPayload } from "../types.js";
@@ -119,13 +120,19 @@ export async function routeReply(params: RouteReplyParams): Promise<RouteReplyRe
       ? [externalPayload.mediaUrl]
       : [];
   const replyToId = externalPayload.replyToId;
-  const hasInteractive = (externalPayload.interactive?.blocks.length ?? 0) > 0;
   const hasChannelData = plugin?.messaging?.hasStructuredReplyPayload?.({
     payload: externalPayload,
   });
 
   // Skip empty replies.
-  if (!text.trim() && mediaUrls.length === 0 && !hasInteractive && !hasChannelData) {
+  if (
+    !hasReplyContent({
+      text,
+      mediaUrls,
+      interactive: externalPayload.interactive,
+      hasChannelData,
+    })
+  ) {
     return { ok: true };
   }
 
diff --git a/src/infra/outbound/deliver.ts b/src/infra/outbound/deliver.ts
index 9d661b38c45..9e10f525cb0 100644
--- a/src/infra/outbound/deliver.ts
+++ b/src/infra/outbound/deliver.ts
@@ -30,6 +30,7 @@ import {
   toPluginMessageContext,
   toPluginMessageSentEvent,
 } from "../../hooks/message-hook-mappers.js";
+import { hasReplyChannelData, hasReplyContent } from "../../interactive/payload.js";
 import { createSubsystemLogger } from "../../logging/subsystem.js";
 import { getAgentScopedMediaLocalRoots } from "../../media/local-roots.js";
 import { getGlobalHookRunner } from "../../plugins/hook-runner-global.js";
@@ -238,30 +239,24 @@ type MessageSentEvent = {
   messageId?: string;
 };
 
-function hasMediaPayload(payload: ReplyPayload): boolean {
-  return Boolean(payload.mediaUrl) || (payload.mediaUrls?.length ?? 0) > 0;
-}
-
-function hasChannelDataPayload(payload: ReplyPayload): boolean {
-  return Boolean(payload.channelData && Object.keys(payload.channelData).length > 0);
-}
-
-function hasInteractivePayload(payload: ReplyPayload): boolean {
-  return (payload.interactive?.blocks.length ?? 0) > 0;
-}
-
 function normalizePayloadForChannelDelivery(
   payload: ReplyPayload,
   channelId: string,
 ): ReplyPayload | null {
-  const hasMedia = hasMediaPayload(payload);
-  const hasChannelData = hasChannelDataPayload(payload);
-  const hasInteractive = hasInteractivePayload(payload);
+  const hasChannelData = hasReplyChannelData(payload.channelData);
   const rawText = typeof payload.text === "string" ? payload.text : "";
   const normalizedText =
     channelId === "whatsapp" ? rawText.replace(/^(?:[ \t]*\r?\n)+/, "") : rawText;
   if (!normalizedText.trim()) {
-    if (!hasMedia && !hasInteractive && !hasChannelData) {
+    if (
+      !hasReplyContent({
+        text: normalizedText,
+        mediaUrl: payload.mediaUrl,
+        mediaUrls: payload.mediaUrls,
+        interactive: payload.interactive,
+        hasChannelData,
+      })
+    ) {
       return null;
     }
     return {
@@ -713,7 +708,10 @@ async function deliverOutboundPayloadsCore(
       };
       if (
         handler.sendPayload &&
-        (effectivePayload.channelData || hasInteractivePayload(effectivePayload))
+        (effectivePayload.channelData ||
+          hasReplyContent({
+            interactive: effectivePayload.interactive,
+          }))
       ) {
         const delivery = await handler.sendPayload(effectivePayload, sendOverrides);
         results.push(delivery);
diff --git a/src/infra/outbound/message-action-runner.ts b/src/infra/outbound/message-action-runner.ts
index aa53f7398f4..8480b962544 100644
--- a/src/infra/outbound/message-action-runner.ts
+++ b/src/infra/outbound/message-action-runner.ts
@@ -14,6 +14,7 @@ import type {
   ChannelThreadingToolContext,
 } from "../../channels/plugins/types.js";
 import type { OpenClawConfig } from "../../config/config.js";
+import { hasInteractiveReplyBlocks, hasReplyContent } from "../../interactive/payload.js";
 import { getAgentScopedMediaLocalRoots } from "../../media/local-roots.js";
 import { hasPollCreationParams, resolveTelegramPollVisibility } from "../../poll-params.js";
 import { resolvePollMaxSelections } from "../../polls.js";
@@ -407,7 +408,7 @@ async function handleSendAction(ctx: ResolvedActionContext): Promise<MessageActi
   const hasButtons = Array.isArray(params.buttons) && params.buttons.length > 0;
   const hasCard = params.card != null && typeof params.card === "object";
   const hasComponents = params.components != null && typeof params.components === "object";
-  const hasInteractive = params.interactive != null && typeof params.interactive === "object";
+  const hasInteractive = hasInteractiveReplyBlocks(params.interactive);
   const hasBlocks =
     (Array.isArray(params.blocks) && params.blocks.length > 0) ||
     (typeof params.blocks === "string" && params.blocks.trim().length > 0);
@@ -482,14 +483,13 @@ async function handleSendAction(ctx: ResolvedActionContext): Promise<MessageActi
     }
   }
   if (
-    !message.trim() &&
-    !mediaUrl &&
-    mergedMediaUrls.length === 0 &&
-    !hasButtons &&
-    !hasCard &&
-    !hasComponents &&
-    !hasInteractive &&
-    !hasBlocks
+    !hasReplyContent({
+      text: message,
+      mediaUrl,
+      mediaUrls: mergedMediaUrls,
+      interactive: params.interactive,
+      extraContent: hasButtons || hasCard || hasComponents || hasBlocks,
+    })
   ) {
     throw new Error("send requires text or media");
   }
diff --git a/src/infra/outbound/payloads.ts b/src/infra/outbound/payloads.ts
index 63cdf09673f..d98bf22c218 100644
--- a/src/infra/outbound/payloads.ts
+++ b/src/infra/outbound/payloads.ts
@@ -5,7 +5,12 @@ import {
   shouldSuppressReasoningPayload,
 } from "../../auto-reply/reply/reply-payloads.js";
 import type { ReplyPayload } from "../../auto-reply/types.js";
-import type { InteractiveReply } from "../../interactive/payload.js";
+import {
+  hasInteractiveReplyBlocks,
+  hasReplyChannelData,
+  hasReplyContent,
+  type InteractiveReply,
+} from "../../interactive/payload.js";
 
 export type NormalizedOutboundPayload = {
   text: string;
@@ -94,10 +99,17 @@ export function normalizeOutboundPayloads(
     const mediaUrls = payload.mediaUrls ?? (payload.mediaUrl ? [payload.mediaUrl] : []);
     const interactive = payload.interactive;
     const channelData = payload.channelData;
-    const hasChannelData = Boolean(channelData && Object.keys(channelData).length > 0);
-    const hasInteractive = Boolean(interactive?.blocks.length);
+    const hasChannelData = hasReplyChannelData(channelData);
+    const hasInteractive = hasInteractiveReplyBlocks(interactive);
     const text = payload.text ?? "";
-    if (!text && mediaUrls.length === 0 && !hasInteractive && !hasChannelData) {
+    if (
+      !hasReplyContent({
+        text,
+        mediaUrls,
+        interactive,
+        hasChannelData,
+      })
+    ) {
       continue;
     }
     normalizedPayloads.push({
diff --git a/src/interactive/payload.test.ts b/src/interactive/payload.test.ts
new file mode 100644
index 00000000000..3000716cd2e
--- /dev/null
+++ b/src/interactive/payload.test.ts
@@ -0,0 +1,66 @@
+import { describe, expect, it } from "vitest";
+import {
+  hasReplyChannelData,
+  hasReplyContent,
+  normalizeInteractiveReply,
+  resolveInteractiveTextFallback,
+} from "./payload.js";
+
+describe("hasReplyChannelData", () => {
+  it("accepts non-empty objects only", () => {
+    expect(hasReplyChannelData(undefined)).toBe(false);
+    expect(hasReplyChannelData({})).toBe(false);
+    expect(hasReplyChannelData([])).toBe(false);
+    expect(hasReplyChannelData({ slack: { blocks: [] } })).toBe(true);
+  });
+});
+
+describe("hasReplyContent", () => {
+  it("treats whitespace-only text and empty structured payloads as empty", () => {
+    expect(
+      hasReplyContent({
+        text: "   ",
+        mediaUrls: ["", "   "],
+        interactive: { blocks: [] },
+        hasChannelData: false,
+      }),
+    ).toBe(false);
+  });
+
+  it("accepts shared interactive blocks and explicit extra content", () => {
+    expect(
+      hasReplyContent({
+        interactive: {
+          blocks: [{ type: "buttons", buttons: [{ label: "Retry", value: "retry" }] }],
+        },
+      }),
+    ).toBe(true);
+    expect(
+      hasReplyContent({
+        text: "   ",
+        extraContent: true,
+      }),
+    ).toBe(true);
+  });
+});
+
+describe("interactive payload helpers", () => {
+  it("normalizes interactive replies and resolves text fallbacks", () => {
+    const interactive = normalizeInteractiveReply({
+      blocks: [
+        { type: "text", text: "First" },
+        { type: "buttons", buttons: [{ label: "Retry", value: "retry" }] },
+        { type: "text", text: "Second" },
+      ],
+    });
+
+    expect(interactive).toEqual({
+      blocks: [
+        { type: "text", text: "First" },
+        { type: "buttons", buttons: [{ label: "Retry", value: "retry" }] },
+        { type: "text", text: "Second" },
+      ],
+    });
+    expect(resolveInteractiveTextFallback({ interactive })).toBe("First\n\nSecond");
+  });
+});
diff --git a/src/interactive/payload.ts b/src/interactive/payload.ts
index 6fad12e1f1b..5ccd55d0eff 100644
--- a/src/interactive/payload.ts
+++ b/src/interactive/payload.ts
@@ -136,6 +136,30 @@ export function hasInteractiveReplyBlocks(value: unknown): value is InteractiveR
   return Boolean(normalizeInteractiveReply(value));
 }
 
+export function hasReplyChannelData(value: unknown): value is Record<string, unknown> {
+  return Boolean(
+    value && typeof value === "object" && !Array.isArray(value) && Object.keys(value).length > 0,
+  );
+}
+
+export function hasReplyContent(params: {
+  text?: string | null;
+  mediaUrl?: string | null;
+  mediaUrls?: ReadonlyArray<string | null | undefined>;
+  interactive?: unknown;
+  hasChannelData?: boolean;
+  extraContent?: boolean;
+}): boolean {
+  return Boolean(
+    params.text?.trim() ||
+    params.mediaUrl?.trim() ||
+    params.mediaUrls?.some((entry) => Boolean(entry?.trim())) ||
+    hasInteractiveReplyBlocks(params.interactive) ||
+    params.hasChannelData ||
+    params.extraContent,
+  );
+}
+
 export function resolveInteractiveTextFallback(params: {
   text?: string;
   interactive?: InteractiveReply;

From ff558862f079c83e7435fa2fa4cb06538447ee97 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Mar 2026 05:35:21 +0000
Subject: [PATCH 019/133] refactor: extract discord shared interactive mapper

---
 .../discord/src/actions/handle-action.ts      |  2 +-
 extensions/discord/src/components.ts          | 66 +------------------
 extensions/discord/src/outbound-adapter.ts    |  2 +-
 .../discord/src/shared-interactive.test.ts    |  2 +-
 extensions/discord/src/shared-interactive.ts  | 66 +++++++++++++++++++
 5 files changed, 70 insertions(+), 68 deletions(-)
 create mode 100644 extensions/discord/src/shared-interactive.ts

diff --git a/extensions/discord/src/actions/handle-action.ts b/extensions/discord/src/actions/handle-action.ts
index a1b9caf3b93..4beb7d76de4 100644
--- a/extensions/discord/src/actions/handle-action.ts
+++ b/extensions/discord/src/actions/handle-action.ts
@@ -10,7 +10,7 @@ import { resolveReactionMessageId } from "../../../../src/channels/plugins/actio
 import type { ChannelMessageActionContext } from "../../../../src/channels/plugins/types.js";
 import { normalizeInteractiveReply } from "../../../../src/interactive/payload.js";
 import { readBooleanParam } from "../../../../src/plugin-sdk/boolean-param.js";
-import { buildDiscordInteractiveComponents } from "../components.js";
+import { buildDiscordInteractiveComponents } from "../shared-interactive.js";
 import { resolveDiscordChannelId } from "../targets.js";
 import { tryHandleDiscordMessageActionGuildAdmin } from "./handle-action.guild-admin.js";
 
diff --git a/extensions/discord/src/components.ts b/extensions/discord/src/components.ts
index 6725ad49a4d..27d29c0dbd7 100644
--- a/extensions/discord/src/components.ts
+++ b/extensions/discord/src/components.ts
@@ -25,8 +25,6 @@ import {
   type TopLevelComponents,
 } from "@buape/carbon";
 import { ButtonStyle, MessageFlags, TextInputStyle } from "discord-api-types/v10";
-import { reduceInteractiveReply } from "../../../src/channels/plugins/outbound/interactive.js";
-import type { InteractiveButtonStyle, InteractiveReply } from "../../../src/interactive/payload.js";
 
 export const DISCORD_COMPONENT_CUSTOM_ID_KEY = "occomp";
 export const DISCORD_MODAL_CUSTOM_ID_KEY = "ocmodal";
@@ -213,69 +211,7 @@ export type DiscordComponentBuildResult = {
   entries: DiscordComponentEntry[];
   modals: DiscordModalEntry[];
 };
-
-function resolveDiscordInteractiveButtonStyle(
-  style?: InteractiveButtonStyle,
-): DiscordComponentButtonStyle | undefined {
-  return style ?? "secondary";
-}
-
-const DISCORD_INTERACTIVE_BUTTON_ROW_SIZE = 5;
-
-export function buildDiscordInteractiveComponents(
-  interactive?: InteractiveReply,
-): DiscordComponentMessageSpec | undefined {
-  const blocks = reduceInteractiveReply(
-    interactive,
-    [] as NonNullable<DiscordComponentMessageSpec["blocks"]>,
-    (state, block) => {
-      if (block.type === "text") {
-        const text = block.text.trim();
-        if (text) {
-          state.push({ type: "text", text });
-        }
-        return state;
-      }
-      if (block.type === "buttons") {
-        if (block.buttons.length === 0) {
-          return state;
-        }
-        for (
-          let index = 0;
-          index < block.buttons.length;
-          index += DISCORD_INTERACTIVE_BUTTON_ROW_SIZE
-        ) {
-          state.push({
-            type: "actions",
-            buttons: block.buttons
-              .slice(index, index + DISCORD_INTERACTIVE_BUTTON_ROW_SIZE)
-              .map((button) => ({
-                label: button.label,
-                style: resolveDiscordInteractiveButtonStyle(button.style),
-                callbackData: button.value,
-              })),
-          });
-        }
-        return state;
-      }
-      if (block.type === "select" && block.options.length > 0) {
-        state.push({
-          type: "actions",
-          select: {
-            type: "string",
-            placeholder: block.placeholder,
-            options: block.options.map((option) => ({
-              label: option.label,
-              value: option.value,
-            })),
-          },
-        });
-      }
-      return state;
-    },
-  );
-  return blocks.length > 0 ? { blocks } : undefined;
-}
+export { buildDiscordInteractiveComponents } from "./shared-interactive.js";
 
 const BLOCK_ALIASES = new Map<string, DiscordComponentBlock["type"]>([
   ["row", "actions"],
diff --git a/extensions/discord/src/outbound-adapter.ts b/extensions/discord/src/outbound-adapter.ts
index 09796a7b0b3..1c6e0111869 100644
--- a/extensions/discord/src/outbound-adapter.ts
+++ b/extensions/discord/src/outbound-adapter.ts
@@ -8,7 +8,6 @@ import type { OpenClawConfig } from "../../../src/config/config.js";
 import type { OutboundIdentity } from "../../../src/infra/outbound/identity.js";
 import { resolveOutboundSendDep } from "../../../src/infra/outbound/send-deps.js";
 import type { DiscordComponentMessageSpec } from "./components.js";
-import { buildDiscordInteractiveComponents } from "./components.js";
 import { getThreadBindingManager, type ThreadBindingRecord } from "./monitor/thread-bindings.js";
 import { normalizeDiscordOutboundTarget } from "./normalize.js";
 import {
@@ -17,6 +16,7 @@ import {
   sendPollDiscord,
   sendWebhookMessageDiscord,
 } from "./send.js";
+import { buildDiscordInteractiveComponents } from "./shared-interactive.js";
 
 function resolveDiscordOutboundTarget(params: {
   to: string;
diff --git a/extensions/discord/src/shared-interactive.test.ts b/extensions/discord/src/shared-interactive.test.ts
index 827ad1126a8..33ce8f68ec1 100644
--- a/extensions/discord/src/shared-interactive.test.ts
+++ b/extensions/discord/src/shared-interactive.test.ts
@@ -1,5 +1,5 @@
 import { describe, expect, it } from "vitest";
-import { buildDiscordInteractiveComponents } from "./components.js";
+import { buildDiscordInteractiveComponents } from "./shared-interactive.js";
 
 describe("buildDiscordInteractiveComponents", () => {
   it("maps shared buttons and selects into Discord component blocks", () => {
diff --git a/extensions/discord/src/shared-interactive.ts b/extensions/discord/src/shared-interactive.ts
new file mode 100644
index 00000000000..d99f964f5c9
--- /dev/null
+++ b/extensions/discord/src/shared-interactive.ts
@@ -0,0 +1,66 @@
+import { reduceInteractiveReply } from "../../../src/channels/plugins/outbound/interactive.js";
+import type { InteractiveButtonStyle, InteractiveReply } from "../../../src/interactive/payload.js";
+import type { DiscordComponentButtonStyle, DiscordComponentMessageSpec } from "./components.js";
+
+function resolveDiscordInteractiveButtonStyle(
+  style?: InteractiveButtonStyle,
+): DiscordComponentButtonStyle | undefined {
+  return style ?? "secondary";
+}
+
+const DISCORD_INTERACTIVE_BUTTON_ROW_SIZE = 5;
+
+export function buildDiscordInteractiveComponents(
+  interactive?: InteractiveReply,
+): DiscordComponentMessageSpec | undefined {
+  const blocks = reduceInteractiveReply(
+    interactive,
+    [] as NonNullable<DiscordComponentMessageSpec["blocks"]>,
+    (state, block) => {
+      if (block.type === "text") {
+        const text = block.text.trim();
+        if (text) {
+          state.push({ type: "text", text });
+        }
+        return state;
+      }
+      if (block.type === "buttons") {
+        if (block.buttons.length === 0) {
+          return state;
+        }
+        for (
+          let index = 0;
+          index < block.buttons.length;
+          index += DISCORD_INTERACTIVE_BUTTON_ROW_SIZE
+        ) {
+          state.push({
+            type: "actions",
+            buttons: block.buttons
+              .slice(index, index + DISCORD_INTERACTIVE_BUTTON_ROW_SIZE)
+              .map((button) => ({
+                label: button.label,
+                style: resolveDiscordInteractiveButtonStyle(button.style),
+                callbackData: button.value,
+              })),
+          });
+        }
+        return state;
+      }
+      if (block.type === "select" && block.options.length > 0) {
+        state.push({
+          type: "actions",
+          select: {
+            type: "string",
+            placeholder: block.placeholder,
+            options: block.options.map((option) => ({
+              label: option.label,
+              value: option.value,
+            })),
+          },
+        });
+      }
+      return state;
+    },
+  );
+  return blocks.length > 0 ? { blocks } : undefined;
+}

From ecaafb6a4f2981702b8e4785476affee74779dd7 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Mar 2026 05:37:12 +0000
Subject: [PATCH 020/133] refactor: unify telegram interactive button
 resolution

---
 extensions/telegram/src/button-types.test.ts | 69 ++++++++++++++++++++
 extensions/telegram/src/button-types.ts      | 15 ++++-
 extensions/telegram/src/channel-actions.ts   | 10 +--
 extensions/telegram/src/outbound-adapter.ts  |  8 ++-
 4 files changed, 93 insertions(+), 9 deletions(-)
 create mode 100644 extensions/telegram/src/button-types.test.ts

diff --git a/extensions/telegram/src/button-types.test.ts b/extensions/telegram/src/button-types.test.ts
new file mode 100644
index 00000000000..849caac62ac
--- /dev/null
+++ b/extensions/telegram/src/button-types.test.ts
@@ -0,0 +1,69 @@
+import { describe, expect, it } from "vitest";
+import { buildTelegramInteractiveButtons, resolveTelegramInlineButtons } from "./button-types.js";
+
+describe("buildTelegramInteractiveButtons", () => {
+  it("maps shared buttons and selects into Telegram inline rows", () => {
+    expect(
+      buildTelegramInteractiveButtons({
+        blocks: [
+          {
+            type: "buttons",
+            buttons: [
+              { label: "Approve", value: "approve", style: "success" },
+              { label: "Reject", value: "reject", style: "danger" },
+              { label: "Later", value: "later" },
+              { label: "Archive", value: "archive" },
+            ],
+          },
+          {
+            type: "select",
+            options: [{ label: "Alpha", value: "alpha" }],
+          },
+        ],
+      }),
+    ).toEqual([
+      [
+        { text: "Approve", callback_data: "approve", style: "success" },
+        { text: "Reject", callback_data: "reject", style: "danger" },
+        { text: "Later", callback_data: "later", style: undefined },
+      ],
+      [{ text: "Archive", callback_data: "archive", style: undefined }],
+      [{ text: "Alpha", callback_data: "alpha", style: undefined }],
+    ]);
+  });
+});
+
+describe("resolveTelegramInlineButtons", () => {
+  it("prefers explicit buttons over shared interactive blocks", () => {
+    const explicit = [[{ text: "Keep", callback_data: "keep" }]] as const;
+
+    expect(
+      resolveTelegramInlineButtons({
+        buttons: explicit,
+        interactive: {
+          blocks: [
+            {
+              type: "buttons",
+              buttons: [{ label: "Override", value: "override" }],
+            },
+          ],
+        },
+      }),
+    ).toBe(explicit);
+  });
+
+  it("derives buttons from raw interactive payloads", () => {
+    expect(
+      resolveTelegramInlineButtons({
+        interactive: {
+          blocks: [
+            {
+              type: "buttons",
+              buttons: [{ label: "Retry", value: "retry", style: "primary" }],
+            },
+          ],
+        },
+      }),
+    ).toEqual([[{ text: "Retry", callback_data: "retry", style: "primary" }]]);
+  });
+});
diff --git a/extensions/telegram/src/button-types.ts b/extensions/telegram/src/button-types.ts
index f9c77ac190b..a6eae71995b 100644
--- a/extensions/telegram/src/button-types.ts
+++ b/extensions/telegram/src/button-types.ts
@@ -1,5 +1,9 @@
 import { reduceInteractiveReply } from "../../../src/channels/plugins/outbound/interactive.js";
-import type { InteractiveReply, InteractiveReplyButton } from "../../../src/interactive/payload.js";
+import {
+  normalizeInteractiveReply,
+  type InteractiveReply,
+  type InteractiveReplyButton,
+} from "../../../src/interactive/payload.js";
 
 export type TelegramButtonStyle = "danger" | "success" | "primary";
 
@@ -60,3 +64,12 @@ export function buildTelegramInteractiveButtons(
   );
   return rows.length > 0 ? rows : undefined;
 }
+
+export function resolveTelegramInlineButtons(params: {
+  buttons?: TelegramInlineButtons;
+  interactive?: unknown;
+}): TelegramInlineButtons | undefined {
+  return (
+    params.buttons ?? buildTelegramInteractiveButtons(normalizeInteractiveReply(params.interactive))
+  );
+}
diff --git a/extensions/telegram/src/channel-actions.ts b/extensions/telegram/src/channel-actions.ts
index 246ed45c0e3..84548374f05 100644
--- a/extensions/telegram/src/channel-actions.ts
+++ b/extensions/telegram/src/channel-actions.ts
@@ -15,7 +15,6 @@ import type {
   ChannelMessageActionName,
 } from "../../../src/channels/plugins/types.js";
 import type { TelegramActionConfig } from "../../../src/config/types.telegram.js";
-import { normalizeInteractiveReply } from "../../../src/interactive/payload.js";
 import { readBooleanParam } from "../../../src/plugin-sdk/boolean-param.js";
 import { extractToolSend } from "../../../src/plugin-sdk/tool-send.js";
 import { resolveTelegramPollVisibility } from "../../../src/poll-params.js";
@@ -24,7 +23,7 @@ import {
   listEnabledTelegramAccounts,
   resolveTelegramPollActionGateState,
 } from "./accounts.js";
-import { buildTelegramInteractiveButtons } from "./button-types.js";
+import { resolveTelegramInlineButtons } from "./button-types.js";
 import { isTelegramInlineButtonsEnabled } from "./inline-buttons.js";
 
 const providerId = "telegram";
@@ -32,9 +31,10 @@ const providerId = "telegram";
 function readTelegramSendParams(params: Record<string, unknown>) {
   const to = readStringParam(params, "to", { required: true });
   const mediaUrl = readStringParam(params, "media", { trim: false });
-  const buttons =
-    params.buttons ??
-    buildTelegramInteractiveButtons(normalizeInteractiveReply(params.interactive));
+  const buttons = resolveTelegramInlineButtons({
+    buttons: params.buttons as ReturnType<typeof resolveTelegramInlineButtons>,
+    interactive: params.interactive,
+  });
   const hasButtons = Array.isArray(buttons) && buttons.length > 0;
   const message = readStringParam(params, "message", {
     required: !mediaUrl && !hasButtons,
diff --git a/extensions/telegram/src/outbound-adapter.ts b/extensions/telegram/src/outbound-adapter.ts
index b5ed5ccfcb4..e8c0530d06b 100644
--- a/extensions/telegram/src/outbound-adapter.ts
+++ b/extensions/telegram/src/outbound-adapter.ts
@@ -10,7 +10,7 @@ import {
 } from "../../../src/infra/outbound/send-deps.js";
 import { resolveInteractiveTextFallback } from "../../../src/interactive/payload.js";
 import type { TelegramInlineButtons } from "./button-types.js";
-import { buildTelegramInteractiveButtons } from "./button-types.js";
+import { resolveTelegramInlineButtons } from "./button-types.js";
 import { markdownToTelegramHtmlChunks } from "./format.js";
 import { parseTelegramReplyToMessageId, parseTelegramThreadId } from "./outbound-params.js";
 import { sendMessageTelegram } from "./send.js";
@@ -67,8 +67,10 @@ export async function sendTelegramPayloadMessages(params: {
       interactive: params.payload.interactive,
     }) ?? "";
   const mediaUrls = resolvePayloadMediaUrls(params.payload);
-  const interactiveButtons = buildTelegramInteractiveButtons(params.payload.interactive);
-  const buttons = telegramData?.buttons ?? interactiveButtons;
+  const buttons = resolveTelegramInlineButtons({
+    buttons: telegramData?.buttons,
+    interactive: params.payload.interactive,
+  });
   const payloadOpts = {
     ...params.baseOpts,
     quoteText,

From 2852eab323bd5e9a9c41bedf8e79a2e4fac35a24 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Mar 2026 05:40:07 +0000
Subject: [PATCH 021/133] build: add land gate parity script

---
 docs/ci.md   | 3 +++
 package.json | 1 +
 2 files changed, 4 insertions(+)

diff --git a/docs/ci.md b/docs/ci.md
index e8710b87cb1..25445d6c0ed 100644
--- a/docs/ci.md
+++ b/docs/ci.md
@@ -53,4 +53,7 @@ pnpm check          # types + lint + format
 pnpm test           # vitest tests
 pnpm check:docs     # docs format + lint + broken links
 pnpm release:check  # validate npm pack
+pnpm land:gate      # maintainer land gate: frozen-lock install + check + build + test + release:check
 ```
+
+`pnpm land:gate` intentionally includes the same frozen-lockfile install step CI uses before running `check`, `build`, `test`, and `release:check`. Use it when you want local merge-gate parity instead of piecemeal commands.
diff --git a/package.json b/package.json
index caa950adf1f..6aa553f5302 100644
--- a/package.json
+++ b/package.json
@@ -270,6 +270,7 @@
     "ios:gen": "bash -lc './scripts/ios-configure-signing.sh && ./scripts/ios-write-version-xcconfig.sh && cd apps/ios && xcodegen generate'",
     "ios:open": "bash -lc './scripts/ios-configure-signing.sh && ./scripts/ios-write-version-xcconfig.sh && cd apps/ios && xcodegen generate && open OpenClaw.xcodeproj'",
     "ios:run": "bash -lc './scripts/ios-configure-signing.sh && ./scripts/ios-write-version-xcconfig.sh && cd apps/ios && xcodegen generate && xcodebuild -project OpenClaw.xcodeproj -scheme OpenClaw -destination \"${IOS_DEST:-platform=iOS Simulator,name=iPhone 17}\" -configuration Debug build && xcrun simctl boot \"${IOS_SIM:-iPhone 17}\" || true && xcrun simctl launch booted ai.openclaw.ios'",
+    "land:gate": "pnpm install --frozen-lockfile --prefer-offline --ignore-scripts=false --config.engine-strict=false --config.enable-pre-post-scripts=true --config.side-effects-cache=true && pnpm check && pnpm build && pnpm test && pnpm release:check",
     "lint": "oxlint --type-aware",
     "lint:agent:ingress-owner": "node scripts/check-ingress-agent-owner-context.mjs",
     "lint:all": "pnpm lint && pnpm lint:swift",

From 465567b1eb1cbb03a37734ea1a3ac78a32f60a72 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Mar 2026 05:44:31 +0000
Subject: [PATCH 022/133] test: fix setup wizard smoke mocks

---
 src/cli/program.test-mocks.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/cli/program.test-mocks.ts b/src/cli/program.test-mocks.ts
index 8f82e71fca5..15595755dc3 100644
--- a/src/cli/program.test-mocks.ts
+++ b/src/cli/program.test-mocks.ts
@@ -34,8 +34,8 @@ export const statusCommand = programMocks.statusCommand as AnyMock;
 export const configureCommand = programMocks.configureCommand as AnyMock;
 export const configureCommandWithSections = programMocks.configureCommandWithSections as AnyMock;
 export const setupCommand = programMocks.setupCommand as AnyMock;
-export const setupWizardCommand = programMocks.setupWizardCommand as AnyMock;
 export const onboardCommand = programMocks.onboardCommand as AnyMock;
+export const setupWizardCommand = programMocks.setupWizardCommand as AnyMock;
 export const callGateway = programMocks.callGateway as AnyMock;
 export const runChannelLogin = programMocks.runChannelLogin as AnyMock;
 export const runChannelLogout = programMocks.runChannelLogout as AnyMock;

From 0a6f22a69478573f0e8d0ccb622dfac15f33fd43 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Mar 2026 05:49:29 +0000
Subject: [PATCH 023/133] docs: sync config baseline

---
 docs/.generated/config-baseline.json  | 10 +++++-----
 docs/.generated/config-baseline.jsonl | 10 +++++-----
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/docs/.generated/config-baseline.json b/docs/.generated/config-baseline.json
index dee3827bbcc..8a30b9c6fde 100644
--- a/docs/.generated/config-baseline.json
+++ b/docs/.generated/config-baseline.json
@@ -58804,7 +58804,7 @@
         "advanced"
       ],
       "label": "Setup Wizard State",
-      "help": "Setup wizard state tracking fields that record the most recent guided onboarding run details. Keep these fields for observability and troubleshooting of setup flows across upgrades.",
+      "help": "Setup wizard state tracking fields that record the most recent guided setup run details. Keep these fields for observability and troubleshooting of setup flows across upgrades.",
       "hasChildren": true
     },
     {
@@ -58818,7 +58818,7 @@
         "advanced"
       ],
       "label": "Wizard Last Run Timestamp",
-      "help": "ISO timestamp for when the setup wizard most recently completed on this host. Use this to confirm onboarding recency during support and operational audits.",
+      "help": "ISO timestamp for when the setup wizard most recently completed on this host. Use this to confirm setup recency during support and operational audits.",
       "hasChildren": false
     },
     {
@@ -58832,7 +58832,7 @@
         "advanced"
       ],
       "label": "Wizard Last Run Command",
-      "help": "Command invocation recorded for the latest wizard run to preserve execution context. Use this to reproduce onboarding steps when verifying setup regressions.",
+      "help": "Command invocation recorded for the latest wizard run to preserve execution context. Use this to reproduce setup steps when verifying setup regressions.",
       "hasChildren": false
     },
     {
@@ -58846,7 +58846,7 @@
         "advanced"
       ],
       "label": "Wizard Last Run Commit",
-      "help": "Source commit identifier recorded for the last wizard execution in development builds. Use this to correlate onboarding behavior with exact source state during debugging.",
+      "help": "Source commit identifier recorded for the last wizard execution in development builds. Use this to correlate setup behavior with exact source state during debugging.",
       "hasChildren": false
     },
     {
@@ -58874,7 +58874,7 @@
         "advanced"
       ],
       "label": "Wizard Last Run Version",
-      "help": "OpenClaw version recorded at the time of the most recent wizard run on this config. Use this when diagnosing behavior differences across version-to-version onboarding changes.",
+      "help": "OpenClaw version recorded at the time of the most recent wizard run on this config. Use this when diagnosing behavior differences across version-to-version setup changes.",
       "hasChildren": false
     }
   ]
diff --git a/docs/.generated/config-baseline.jsonl b/docs/.generated/config-baseline.jsonl
index 004f48478bb..f8a5068394e 100644
--- a/docs/.generated/config-baseline.jsonl
+++ b/docs/.generated/config-baseline.jsonl
@@ -5086,9 +5086,9 @@
 {"recordType":"path","path":"web.reconnect.jitter","kind":"core","type":"number","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Web Reconnect Jitter","help":"Randomization factor (0-1) applied to reconnect delays to desynchronize clients after outage events. Keep non-zero jitter in multi-client deployments to reduce synchronized spikes.","hasChildren":false}
 {"recordType":"path","path":"web.reconnect.maxAttempts","kind":"core","type":"integer","required":false,"deprecated":false,"sensitive":false,"tags":["performance"],"label":"Web Reconnect Max Attempts","help":"Maximum reconnect attempts before giving up for the current failure sequence (0 means no retries). Use finite caps for controlled failure handling in automation-sensitive environments.","hasChildren":false}
 {"recordType":"path","path":"web.reconnect.maxMs","kind":"core","type":"number","required":false,"deprecated":false,"sensitive":false,"tags":["performance"],"label":"Web Reconnect Max Delay (ms)","help":"Maximum reconnect backoff cap in milliseconds to bound retry delay growth over repeated failures. Use a reasonable cap so recovery remains timely after prolonged outages.","hasChildren":false}
-{"recordType":"path","path":"wizard","kind":"core","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Setup Wizard State","help":"Setup wizard state tracking fields that record the most recent guided onboarding run details. Keep these fields for observability and troubleshooting of setup flows across upgrades.","hasChildren":true}
-{"recordType":"path","path":"wizard.lastRunAt","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Wizard Last Run Timestamp","help":"ISO timestamp for when the setup wizard most recently completed on this host. Use this to confirm onboarding recency during support and operational audits.","hasChildren":false}
-{"recordType":"path","path":"wizard.lastRunCommand","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Wizard Last Run Command","help":"Command invocation recorded for the latest wizard run to preserve execution context. Use this to reproduce onboarding steps when verifying setup regressions.","hasChildren":false}
-{"recordType":"path","path":"wizard.lastRunCommit","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Wizard Last Run Commit","help":"Source commit identifier recorded for the last wizard execution in development builds. Use this to correlate onboarding behavior with exact source state during debugging.","hasChildren":false}
+{"recordType":"path","path":"wizard","kind":"core","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Setup Wizard State","help":"Setup wizard state tracking fields that record the most recent guided setup run details. Keep these fields for observability and troubleshooting of setup flows across upgrades.","hasChildren":true}
+{"recordType":"path","path":"wizard.lastRunAt","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Wizard Last Run Timestamp","help":"ISO timestamp for when the setup wizard most recently completed on this host. Use this to confirm setup recency during support and operational audits.","hasChildren":false}
+{"recordType":"path","path":"wizard.lastRunCommand","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Wizard Last Run Command","help":"Command invocation recorded for the latest wizard run to preserve execution context. Use this to reproduce setup steps when verifying setup regressions.","hasChildren":false}
+{"recordType":"path","path":"wizard.lastRunCommit","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Wizard Last Run Commit","help":"Source commit identifier recorded for the last wizard execution in development builds. Use this to correlate setup behavior with exact source state during debugging.","hasChildren":false}
 {"recordType":"path","path":"wizard.lastRunMode","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Wizard Last Run Mode","help":"Wizard execution mode recorded as \"local\" or \"remote\" for the most recent setup flow. Use this to understand whether setup targeted direct local runtime or remote gateway topology.","hasChildren":false}
-{"recordType":"path","path":"wizard.lastRunVersion","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Wizard Last Run Version","help":"OpenClaw version recorded at the time of the most recent wizard run on this config. Use this when diagnosing behavior differences across version-to-version onboarding changes.","hasChildren":false}
+{"recordType":"path","path":"wizard.lastRunVersion","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Wizard Last Run Version","help":"OpenClaw version recorded at the time of the most recent wizard run on this config. Use this when diagnosing behavior differences across version-to-version setup changes.","hasChildren":false}

From ebfd32efc31cb26a204358811006dd9d6cc318a9 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Sun, 15 Mar 2026 21:26:15 -0700
Subject: [PATCH 024/133] Status: split heartbeat summary helpers

---
 src/commands/health.ts              |   2 +-
 src/commands/status.summary.test.ts |   2 +-
 src/commands/status.summary.ts      |   2 +-
 src/infra/heartbeat-runner.ts       | 114 +++------------------------
 src/infra/heartbeat-summary.ts      | 118 ++++++++++++++++++++++++++++
 5 files changed, 133 insertions(+), 105 deletions(-)
 create mode 100644 src/infra/heartbeat-summary.ts

diff --git a/src/commands/health.ts b/src/commands/health.ts
index ddfc308bda4..301cb55282e 100644
--- a/src/commands/health.ts
+++ b/src/commands/health.ts
@@ -14,7 +14,7 @@ import { formatErrorMessage } from "../infra/errors.js";
 import {
   type HeartbeatSummary,
   resolveHeartbeatSummaryForAgent,
-} from "../infra/heartbeat-runner.js";
+} from "../infra/heartbeat-summary.js";
 import { buildChannelAccountBindings, resolvePreferredAccountId } from "../routing/bindings.js";
 import { normalizeAgentId } from "../routing/session-key.js";
 import type { RuntimeEnv } from "../runtime.js";
diff --git a/src/commands/status.summary.test.ts b/src/commands/status.summary.test.ts
index c0344065126..2045c380e1b 100644
--- a/src/commands/status.summary.test.ts
+++ b/src/commands/status.summary.test.ts
@@ -48,7 +48,7 @@ vi.mock("../infra/channel-summary.js", () => ({
   buildChannelSummary: vi.fn(async () => ["ok"]),
 }));
 
-vi.mock("../infra/heartbeat-runner.js", () => ({
+vi.mock("../infra/heartbeat-summary.js", () => ({
   resolveHeartbeatSummaryForAgent: vi.fn(() => ({
     enabled: true,
     every: "5m",
diff --git a/src/commands/status.summary.ts b/src/commands/status.summary.ts
index b028c99ab6d..6de3b282648 100644
--- a/src/commands/status.summary.ts
+++ b/src/commands/status.summary.ts
@@ -16,7 +16,7 @@ import {
   listAgentsForGateway,
   resolveSessionModelRef,
 } from "../gateway/session-utils.js";
-import { resolveHeartbeatSummaryForAgent } from "../infra/heartbeat-runner.js";
+import { resolveHeartbeatSummaryForAgent } from "../infra/heartbeat-summary.js";
 import { peekSystemEvents } from "../infra/system-events.js";
 import { parseAgentSessionKey } from "../routing/session-key.js";
 import { resolveRuntimeServiceVersion } from "../version.js";
diff --git a/src/infra/heartbeat-runner.ts b/src/infra/heartbeat-runner.ts
index 1f6ae8767e9..34b3a7b5f86 100644
--- a/src/infra/heartbeat-runner.ts
+++ b/src/infra/heartbeat-runner.ts
@@ -11,7 +11,6 @@ import { DEFAULT_HEARTBEAT_FILENAME } from "../agents/workspace.js";
 import { resolveHeartbeatReplyPayload } from "../auto-reply/heartbeat-reply-payload.js";
 import {
   DEFAULT_HEARTBEAT_ACK_MAX_CHARS,
-  DEFAULT_HEARTBEAT_EVERY,
   isHeartbeatContentEffectivelyEmpty,
   resolveHeartbeatPrompt as resolveHeartbeatPromptText,
   stripHeartbeatToken,
@@ -21,7 +20,6 @@ import { HEARTBEAT_TOKEN } from "../auto-reply/tokens.js";
 import type { ReplyPayload } from "../auto-reply/types.js";
 import { getChannelPlugin } from "../channels/plugins/index.js";
 import type { ChannelHeartbeatDeps } from "../channels/plugins/types.js";
-import { parseDurationMs } from "../cli/parse-duration.js";
 import type { OpenClawConfig } from "../config/config.js";
 import { loadConfig } from "../config/config.js";
 import {
@@ -56,6 +54,12 @@ import {
 } from "./heartbeat-events-filter.js";
 import { emitHeartbeatEvent, resolveIndicatorType } from "./heartbeat-events.js";
 import { resolveHeartbeatReasonKind } from "./heartbeat-reason.js";
+import {
+  isHeartbeatEnabledForAgent,
+  resolveHeartbeatIntervalMs,
+  resolveHeartbeatSummaryForAgent,
+  type HeartbeatSummary,
+} from "./heartbeat-summary.js";
 import { resolveHeartbeatVisibility } from "./heartbeat-visibility.js";
 import {
   areHeartbeatsEnabled,
@@ -84,6 +88,12 @@ export type HeartbeatDeps = OutboundSendDeps &
 const log = createSubsystemLogger("gateway/heartbeat");
 
 export { areHeartbeatsEnabled, setHeartbeatsEnabled };
+export {
+  isHeartbeatEnabledForAgent,
+  resolveHeartbeatIntervalMs,
+  resolveHeartbeatSummaryForAgent,
+  type HeartbeatSummary,
+} from "./heartbeat-summary.js";
 
 type HeartbeatConfig = AgentDefaultsConfig["heartbeat"];
 type HeartbeatAgent = {
@@ -91,17 +101,6 @@ type HeartbeatAgent = {
   heartbeat?: HeartbeatConfig;
 };
 
-export type HeartbeatSummary = {
-  enabled: boolean;
-  every: string;
-  everyMs: number | null;
-  prompt: string;
-  target: string;
-  model?: string;
-  ackMaxChars: number;
-};
-
-const DEFAULT_HEARTBEAT_TARGET = "none";
 export { isCronSystemEvent };
 
 type HeartbeatAgentState = {
@@ -122,18 +121,6 @@ function hasExplicitHeartbeatAgents(cfg: OpenClawConfig) {
   return list.some((entry) => Boolean(entry?.heartbeat));
 }
 
-export function isHeartbeatEnabledForAgent(cfg: OpenClawConfig, agentId?: string): boolean {
-  const resolvedAgentId = normalizeAgentId(agentId ?? resolveDefaultAgentId(cfg));
-  const list = cfg.agents?.list ?? [];
-  const hasExplicit = hasExplicitHeartbeatAgents(cfg);
-  if (hasExplicit) {
-    return list.some(
-      (entry) => Boolean(entry?.heartbeat) && normalizeAgentId(entry?.id) === resolvedAgentId,
-    );
-  }
-  return resolvedAgentId === resolveDefaultAgentId(cfg);
-}
-
 function resolveHeartbeatConfig(
   cfg: OpenClawConfig,
   agentId?: string,
@@ -149,54 +136,6 @@ function resolveHeartbeatConfig(
   return { ...defaults, ...overrides };
 }
 
-export function resolveHeartbeatSummaryForAgent(
-  cfg: OpenClawConfig,
-  agentId?: string,
-): HeartbeatSummary {
-  const defaults = cfg.agents?.defaults?.heartbeat;
-  const overrides = agentId ? resolveAgentConfig(cfg, agentId)?.heartbeat : undefined;
-  const enabled = isHeartbeatEnabledForAgent(cfg, agentId);
-
-  if (!enabled) {
-    return {
-      enabled: false,
-      every: "disabled",
-      everyMs: null,
-      prompt: resolveHeartbeatPromptText(defaults?.prompt),
-      target: defaults?.target ?? DEFAULT_HEARTBEAT_TARGET,
-      model: defaults?.model,
-      ackMaxChars: Math.max(0, defaults?.ackMaxChars ?? DEFAULT_HEARTBEAT_ACK_MAX_CHARS),
-    };
-  }
-
-  const merged = defaults || overrides ? { ...defaults, ...overrides } : undefined;
-  const every = merged?.every ?? defaults?.every ?? overrides?.every ?? DEFAULT_HEARTBEAT_EVERY;
-  const everyMs = resolveHeartbeatIntervalMs(cfg, undefined, merged);
-  const prompt = resolveHeartbeatPromptText(
-    merged?.prompt ?? defaults?.prompt ?? overrides?.prompt,
-  );
-  const target =
-    merged?.target ?? defaults?.target ?? overrides?.target ?? DEFAULT_HEARTBEAT_TARGET;
-  const model = merged?.model ?? defaults?.model ?? overrides?.model;
-  const ackMaxChars = Math.max(
-    0,
-    merged?.ackMaxChars ??
-      defaults?.ackMaxChars ??
-      overrides?.ackMaxChars ??
-      DEFAULT_HEARTBEAT_ACK_MAX_CHARS,
-  );
-
-  return {
-    enabled: true,
-    every,
-    everyMs,
-    prompt,
-    target,
-    model,
-    ackMaxChars,
-  };
-}
-
 function resolveHeartbeatAgents(cfg: OpenClawConfig): HeartbeatAgent[] {
   const list = cfg.agents?.list ?? [];
   if (hasExplicitHeartbeatAgents(cfg)) {
@@ -212,35 +151,6 @@ function resolveHeartbeatAgents(cfg: OpenClawConfig): HeartbeatAgent[] {
   return [{ agentId: fallbackId, heartbeat: resolveHeartbeatConfig(cfg, fallbackId) }];
 }
 
-export function resolveHeartbeatIntervalMs(
-  cfg: OpenClawConfig,
-  overrideEvery?: string,
-  heartbeat?: HeartbeatConfig,
-) {
-  const raw =
-    overrideEvery ??
-    heartbeat?.every ??
-    cfg.agents?.defaults?.heartbeat?.every ??
-    DEFAULT_HEARTBEAT_EVERY;
-  if (!raw) {
-    return null;
-  }
-  const trimmed = String(raw).trim();
-  if (!trimmed) {
-    return null;
-  }
-  let ms: number;
-  try {
-    ms = parseDurationMs(trimmed, { defaultUnit: "m" });
-  } catch {
-    return null;
-  }
-  if (ms <= 0) {
-    return null;
-  }
-  return ms;
-}
-
 export function resolveHeartbeatPrompt(cfg: OpenClawConfig, heartbeat?: HeartbeatConfig) {
   return resolveHeartbeatPromptText(heartbeat?.prompt ?? cfg.agents?.defaults?.heartbeat?.prompt);
 }
diff --git a/src/infra/heartbeat-summary.ts b/src/infra/heartbeat-summary.ts
new file mode 100644
index 00000000000..89650de44a6
--- /dev/null
+++ b/src/infra/heartbeat-summary.ts
@@ -0,0 +1,118 @@
+import { resolveAgentConfig, resolveDefaultAgentId } from "../agents/agent-scope.js";
+import {
+  DEFAULT_HEARTBEAT_ACK_MAX_CHARS,
+  DEFAULT_HEARTBEAT_EVERY,
+  resolveHeartbeatPrompt as resolveHeartbeatPromptText,
+} from "../auto-reply/heartbeat.js";
+import { parseDurationMs } from "../cli/parse-duration.js";
+import type { OpenClawConfig } from "../config/config.js";
+import type { AgentDefaultsConfig } from "../config/types.agent-defaults.js";
+import { normalizeAgentId } from "../routing/session-key.js";
+
+type HeartbeatConfig = AgentDefaultsConfig["heartbeat"];
+
+export type HeartbeatSummary = {
+  enabled: boolean;
+  every: string;
+  everyMs: number | null;
+  prompt: string;
+  target: string;
+  model?: string;
+  ackMaxChars: number;
+};
+
+const DEFAULT_HEARTBEAT_TARGET = "none";
+
+function hasExplicitHeartbeatAgents(cfg: OpenClawConfig) {
+  const list = cfg.agents?.list ?? [];
+  return list.some((entry) => Boolean(entry?.heartbeat));
+}
+
+export function isHeartbeatEnabledForAgent(cfg: OpenClawConfig, agentId?: string): boolean {
+  const resolvedAgentId = normalizeAgentId(agentId ?? resolveDefaultAgentId(cfg));
+  const list = cfg.agents?.list ?? [];
+  const hasExplicit = hasExplicitHeartbeatAgents(cfg);
+  if (hasExplicit) {
+    return list.some(
+      (entry) => Boolean(entry?.heartbeat) && normalizeAgentId(entry?.id) === resolvedAgentId,
+    );
+  }
+  return resolvedAgentId === resolveDefaultAgentId(cfg);
+}
+
+export function resolveHeartbeatIntervalMs(
+  cfg: OpenClawConfig,
+  overrideEvery?: string,
+  heartbeat?: HeartbeatConfig,
+) {
+  const raw =
+    overrideEvery ??
+    heartbeat?.every ??
+    cfg.agents?.defaults?.heartbeat?.every ??
+    DEFAULT_HEARTBEAT_EVERY;
+  if (!raw) {
+    return null;
+  }
+  const trimmed = String(raw).trim();
+  if (!trimmed) {
+    return null;
+  }
+  let ms: number;
+  try {
+    ms = parseDurationMs(trimmed, { defaultUnit: "m" });
+  } catch {
+    return null;
+  }
+  if (ms <= 0) {
+    return null;
+  }
+  return ms;
+}
+
+export function resolveHeartbeatSummaryForAgent(
+  cfg: OpenClawConfig,
+  agentId?: string,
+): HeartbeatSummary {
+  const defaults = cfg.agents?.defaults?.heartbeat;
+  const overrides = agentId ? resolveAgentConfig(cfg, agentId)?.heartbeat : undefined;
+  const enabled = isHeartbeatEnabledForAgent(cfg, agentId);
+
+  if (!enabled) {
+    return {
+      enabled: false,
+      every: "disabled",
+      everyMs: null,
+      prompt: resolveHeartbeatPromptText(defaults?.prompt),
+      target: defaults?.target ?? DEFAULT_HEARTBEAT_TARGET,
+      model: defaults?.model,
+      ackMaxChars: Math.max(0, defaults?.ackMaxChars ?? DEFAULT_HEARTBEAT_ACK_MAX_CHARS),
+    };
+  }
+
+  const merged = defaults || overrides ? { ...defaults, ...overrides } : undefined;
+  const every = merged?.every ?? defaults?.every ?? overrides?.every ?? DEFAULT_HEARTBEAT_EVERY;
+  const everyMs = resolveHeartbeatIntervalMs(cfg, undefined, merged);
+  const prompt = resolveHeartbeatPromptText(
+    merged?.prompt ?? defaults?.prompt ?? overrides?.prompt,
+  );
+  const target =
+    merged?.target ?? defaults?.target ?? overrides?.target ?? DEFAULT_HEARTBEAT_TARGET;
+  const model = merged?.model ?? defaults?.model ?? overrides?.model;
+  const ackMaxChars = Math.max(
+    0,
+    merged?.ackMaxChars ??
+      defaults?.ackMaxChars ??
+      overrides?.ackMaxChars ??
+      DEFAULT_HEARTBEAT_ACK_MAX_CHARS,
+  );
+
+  return {
+    enabled: true,
+    every,
+    everyMs,
+    prompt,
+    target,
+    model,
+    ackMaxChars,
+  };
+}

From 4cb46f223c4bf7e5e91721d74418fe76ea128c30 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Sun, 15 Mar 2026 21:39:48 -0700
Subject: [PATCH 025/133] Security: trim audit policy import surfaces

---
 src/agents/pi-tools.policy.ts     | 48 +++----------------------------
 src/agents/tool-policy-match.ts   | 44 ++++++++++++++++++++++++++++
 src/gateway/hooks-policy.ts       | 24 ++++++++++++++++
 src/gateway/hooks.ts              | 26 ++---------------
 src/security/audit-extra.async.ts |  8 ++----
 src/security/audit-extra.sync.ts  | 10 +++----
 6 files changed, 81 insertions(+), 79 deletions(-)
 create mode 100644 src/agents/tool-policy-match.ts
 create mode 100644 src/gateway/hooks-policy.ts

diff --git a/src/agents/pi-tools.policy.ts b/src/agents/pi-tools.policy.ts
index 0353c454865..a6f8651f72d 100644
--- a/src/agents/pi-tools.policy.ts
+++ b/src/agents/pi-tools.policy.ts
@@ -7,7 +7,6 @@ import { normalizeAgentId } from "../routing/session-key.js";
 import { resolveThreadParentSessionKey } from "../sessions/session-key-utils.js";
 import { normalizeMessageChannel } from "../utils/message-channel.js";
 import { resolveAgentConfig, resolveAgentIdFromSessionKey } from "./agent-scope.js";
-import { compileGlobPatterns, matchesAnyGlobPattern } from "./glob-pattern.js";
 import type { AnyAgentTool } from "./pi-tools.types.js";
 import { pickSandboxToolPolicy } from "./sandbox-tool-policy.js";
 import type { SandboxToolPolicy } from "./sandbox.js";
@@ -15,34 +14,8 @@ import {
   resolveStoredSubagentCapabilities,
   type SubagentSessionRole,
 } from "./subagent-capabilities.js";
-import { expandToolGroups, normalizeToolName } from "./tool-policy.js";
-
-function makeToolPolicyMatcher(policy: SandboxToolPolicy) {
-  const deny = compileGlobPatterns({
-    raw: expandToolGroups(policy.deny ?? []),
-    normalize: normalizeToolName,
-  });
-  const allow = compileGlobPatterns({
-    raw: expandToolGroups(policy.allow ?? []),
-    normalize: normalizeToolName,
-  });
-  return (name: string) => {
-    const normalized = normalizeToolName(name);
-    if (matchesAnyGlobPattern(normalized, deny)) {
-      return false;
-    }
-    if (allow.length === 0) {
-      return true;
-    }
-    if (matchesAnyGlobPattern(normalized, allow)) {
-      return true;
-    }
-    if (normalized === "apply_patch" && matchesAnyGlobPattern("exec", allow)) {
-      return true;
-    }
-    return false;
-  };
-}
+import { isToolAllowedByPolicies, isToolAllowedByPolicyName } from "./tool-policy-match.js";
+import { normalizeToolName } from "./tool-policy.js";
 
 /**
  * Tools always denied for sub-agents regardless of depth.
@@ -140,19 +113,11 @@ export function resolveSubagentToolPolicyForSession(
   return { allow: mergedAllow, deny };
 }
 
-export function isToolAllowedByPolicyName(name: string, policy?: SandboxToolPolicy): boolean {
-  if (!policy) {
-    return true;
-  }
-  return makeToolPolicyMatcher(policy)(name);
-}
-
 export function filterToolsByPolicy(tools: AnyAgentTool[], policy?: SandboxToolPolicy) {
   if (!policy) {
     return tools;
   }
-  const matcher = makeToolPolicyMatcher(policy);
-  return tools.filter((tool) => matcher(tool.name));
+  return tools.filter((tool) => isToolAllowedByPolicyName(tool.name, policy));
 }
 
 type ToolPolicyConfig = {
@@ -381,9 +346,4 @@ export function resolveGroupToolPolicy(params: {
   return pickSandboxToolPolicy(toolsConfig);
 }
 
-export function isToolAllowedByPolicies(
-  name: string,
-  policies: Array<SandboxToolPolicy | undefined>,
-) {
-  return policies.every((policy) => isToolAllowedByPolicyName(name, policy));
-}
+export { isToolAllowedByPolicies, isToolAllowedByPolicyName } from "./tool-policy-match.js";
diff --git a/src/agents/tool-policy-match.ts b/src/agents/tool-policy-match.ts
new file mode 100644
index 00000000000..112bd94be10
--- /dev/null
+++ b/src/agents/tool-policy-match.ts
@@ -0,0 +1,44 @@
+import { compileGlobPatterns, matchesAnyGlobPattern } from "./glob-pattern.js";
+import type { SandboxToolPolicy } from "./sandbox/types.js";
+import { expandToolGroups, normalizeToolName } from "./tool-policy.js";
+
+function makeToolPolicyMatcher(policy: SandboxToolPolicy) {
+  const deny = compileGlobPatterns({
+    raw: expandToolGroups(policy.deny ?? []),
+    normalize: normalizeToolName,
+  });
+  const allow = compileGlobPatterns({
+    raw: expandToolGroups(policy.allow ?? []),
+    normalize: normalizeToolName,
+  });
+  return (name: string) => {
+    const normalized = normalizeToolName(name);
+    if (matchesAnyGlobPattern(normalized, deny)) {
+      return false;
+    }
+    if (allow.length === 0) {
+      return true;
+    }
+    if (matchesAnyGlobPattern(normalized, allow)) {
+      return true;
+    }
+    if (normalized === "apply_patch" && matchesAnyGlobPattern("exec", allow)) {
+      return true;
+    }
+    return false;
+  };
+}
+
+export function isToolAllowedByPolicyName(name: string, policy?: SandboxToolPolicy): boolean {
+  if (!policy) {
+    return true;
+  }
+  return makeToolPolicyMatcher(policy)(name);
+}
+
+export function isToolAllowedByPolicies(
+  name: string,
+  policies: Array<SandboxToolPolicy | undefined>,
+) {
+  return policies.every((policy) => isToolAllowedByPolicyName(name, policy));
+}
diff --git a/src/gateway/hooks-policy.ts b/src/gateway/hooks-policy.ts
new file mode 100644
index 00000000000..27ce19b40cf
--- /dev/null
+++ b/src/gateway/hooks-policy.ts
@@ -0,0 +1,24 @@
+import { normalizeAgentId } from "../routing/session-key.js";
+
+export function resolveAllowedAgentIds(raw: string[] | undefined): Set<string> | undefined {
+  if (!Array.isArray(raw)) {
+    return undefined;
+  }
+  const allowed = new Set<string>();
+  let hasWildcard = false;
+  for (const entry of raw) {
+    const trimmed = entry.trim();
+    if (!trimmed) {
+      continue;
+    }
+    if (trimmed === "*") {
+      hasWildcard = true;
+      break;
+    }
+    allowed.add(normalizeAgentId(trimmed));
+  }
+  if (hasWildcard) {
+    return undefined;
+  }
+  return allowed;
+}
diff --git a/src/gateway/hooks.ts b/src/gateway/hooks.ts
index f371e3565a9..d9e23060f04 100644
--- a/src/gateway/hooks.ts
+++ b/src/gateway/hooks.ts
@@ -5,9 +5,10 @@ import { listChannelPlugins } from "../channels/plugins/index.js";
 import type { ChannelId } from "../channels/plugins/types.js";
 import type { OpenClawConfig } from "../config/config.js";
 import { readJsonBodyWithLimit, requestBodyErrorToText } from "../infra/http-body.js";
-import { normalizeAgentId, parseAgentSessionKey } from "../routing/session-key.js";
+import { parseAgentSessionKey } from "../routing/session-key.js";
 import { normalizeMessageChannel } from "../utils/message-channel.js";
 import { type HookMappingResolved, resolveHookMappings } from "./hooks-mapping.js";
+import { resolveAllowedAgentIds } from "./hooks-policy.js";
 
 const DEFAULT_HOOKS_PATH = "/hooks";
 const DEFAULT_HOOKS_MAX_BODY_BYTES = 256 * 1024;
@@ -100,29 +101,6 @@ function resolveKnownAgentIds(cfg: OpenClawConfig, defaultAgentId: string): Set<
   return known;
 }
 
-export function resolveAllowedAgentIds(raw: string[] | undefined): Set<string> | undefined {
-  if (!Array.isArray(raw)) {
-    return undefined;
-  }
-  const allowed = new Set<string>();
-  let hasWildcard = false;
-  for (const entry of raw) {
-    const trimmed = entry.trim();
-    if (!trimmed) {
-      continue;
-    }
-    if (trimmed === "*") {
-      hasWildcard = true;
-      break;
-    }
-    allowed.add(normalizeAgentId(trimmed));
-  }
-  if (hasWildcard) {
-    return undefined;
-  }
-  return allowed;
-}
-
 function resolveSessionKey(raw: string | undefined): string | undefined {
   const value = raw?.trim();
   return value ? value : undefined;
diff --git a/src/security/audit-extra.async.ts b/src/security/audit-extra.async.ts
index 7ad36855852..88df46bafa1 100644
--- a/src/security/audit-extra.async.ts
+++ b/src/security/audit-extra.async.ts
@@ -6,15 +6,13 @@
 import fs from "node:fs/promises";
 import path from "node:path";
 import { resolveDefaultAgentId } from "../agents/agent-scope.js";
-import { isToolAllowedByPolicies } from "../agents/pi-tools.policy.js";
-import {
-  resolveSandboxConfigForAgent,
-  resolveSandboxToolPolicyForAgent,
-} from "../agents/sandbox.js";
+import { resolveSandboxConfigForAgent } from "../agents/sandbox/config.js";
 import { SANDBOX_BROWSER_SECURITY_HASH_EPOCH } from "../agents/sandbox/constants.js";
 import { execDockerRaw, type ExecDockerRawResult } from "../agents/sandbox/docker.js";
+import { resolveSandboxToolPolicyForAgent } from "../agents/sandbox/tool-policy.js";
 import type { SandboxToolPolicy } from "../agents/sandbox/types.js";
 import { loadWorkspaceSkillEntries } from "../agents/skills.js";
+import { isToolAllowedByPolicies } from "../agents/tool-policy-match.js";
 import { resolveToolProfilePolicy } from "../agents/tool-policy.js";
 import { listAgentWorkspaceDirs } from "../agents/workspace-dirs.js";
 import { formatCliCommand } from "../cli/command-format.js";
diff --git a/src/security/audit-extra.sync.ts b/src/security/audit-extra.sync.ts
index 79a701c5489..bebcc44c0d0 100644
--- a/src/security/audit-extra.sync.ts
+++ b/src/security/audit-extra.sync.ts
@@ -1,16 +1,14 @@
-import { isToolAllowedByPolicies } from "../agents/pi-tools.policy.js";
-import {
-  resolveSandboxConfigForAgent,
-  resolveSandboxToolPolicyForAgent,
-} from "../agents/sandbox.js";
+import { resolveSandboxConfigForAgent } from "../agents/sandbox/config.js";
 import { isDangerousNetworkMode, normalizeNetworkMode } from "../agents/sandbox/network-mode.js";
 /**
  * Synchronous security audit collector functions.
  *
  * These functions analyze config-based security properties without I/O.
  */
+import { resolveSandboxToolPolicyForAgent } from "../agents/sandbox/tool-policy.js";
 import type { SandboxToolPolicy } from "../agents/sandbox/types.js";
 import { getBlockedBindReason } from "../agents/sandbox/validate-sandbox-security.js";
+import { isToolAllowedByPolicies } from "../agents/tool-policy-match.js";
 import { resolveToolProfilePolicy } from "../agents/tool-policy.js";
 import { resolveBrowserConfig } from "../browser/config.js";
 import { formatCliCommand } from "../cli/command-format.js";
@@ -21,7 +19,7 @@ import {
 } from "../config/model-input.js";
 import type { AgentToolsConfig } from "../config/types.tools.js";
 import { resolveGatewayAuth } from "../gateway/auth.js";
-import { resolveAllowedAgentIds } from "../gateway/hooks.js";
+import { resolveAllowedAgentIds } from "../gateway/hooks-policy.js";
 import {
   DEFAULT_DANGEROUS_NODE_COMMANDS,
   resolveNodeCommandAllowlist,

From a2119efe1c2e08d5197d23925bdb43d04f04db5e Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Sun, 15 Mar 2026 21:43:21 -0700
Subject: [PATCH 026/133] Security: lazy-load deep skill audit helpers

---
 src/security/audit-extra.async.ts | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/security/audit-extra.async.ts b/src/security/audit-extra.async.ts
index 88df46bafa1..54f411eb73b 100644
--- a/src/security/audit-extra.async.ts
+++ b/src/security/audit-extra.async.ts
@@ -11,7 +11,6 @@ import { SANDBOX_BROWSER_SECURITY_HASH_EPOCH } from "../agents/sandbox/constants
 import { execDockerRaw, type ExecDockerRawResult } from "../agents/sandbox/docker.js";
 import { resolveSandboxToolPolicyForAgent } from "../agents/sandbox/tool-policy.js";
 import type { SandboxToolPolicy } from "../agents/sandbox/types.js";
-import { loadWorkspaceSkillEntries } from "../agents/skills.js";
 import { isToolAllowedByPolicies } from "../agents/tool-policy-match.js";
 import { resolveToolProfilePolicy } from "../agents/tool-policy.js";
 import { listAgentWorkspaceDirs } from "../agents/workspace-dirs.js";
@@ -54,6 +53,12 @@ type ExecDockerRawFn = (
 type CodeSafetySummaryCache = Map<string, Promise<unknown>>;
 const MAX_WORKSPACE_SKILL_SCAN_FILES_PER_WORKSPACE = 2_000;
 const MAX_WORKSPACE_SKILL_ESCAPE_DETAIL_ROWS = 12;
+let skillsModulePromise: Promise<typeof import("../agents/skills.js")> | undefined;
+
+function loadSkillsModule() {
+  skillsModulePromise ??= import("../agents/skills.js");
+  return skillsModulePromise;
+}
 
 // --------------------------------------------------------------------------
 // Helpers
@@ -1245,6 +1250,7 @@ export async function collectInstalledSkillsCodeSafetyFindings(params: {
   const pluginExtensionsDir = path.join(params.stateDir, "extensions");
   const scannedSkillDirs = new Set<string>();
   const workspaceDirs = listAgentWorkspaceDirs(params.cfg);
+  const { loadWorkspaceSkillEntries } = await loadSkillsModule();
 
   for (const workspaceDir of workspaceDirs) {
     const entries = loadWorkspaceSkillEntries(workspaceDir, { config: params.cfg });

From 5f42389d8d00d814e4c52ea1c5c37d34bcdeb99f Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Sun, 15 Mar 2026 21:45:36 -0700
Subject: [PATCH 027/133] Security: lazy-load audit config snapshot IO

---
 src/security/audit-extra.async.ts | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/security/audit-extra.async.ts b/src/security/audit-extra.async.ts
index 54f411eb73b..5e9c4036e09 100644
--- a/src/security/audit-extra.async.ts
+++ b/src/security/audit-extra.async.ts
@@ -18,7 +18,6 @@ import { formatCliCommand } from "../cli/command-format.js";
 import { MANIFEST_KEY } from "../compat/legacy-names.js";
 import { resolveNativeSkillsEnabled } from "../config/commands.js";
 import type { OpenClawConfig, ConfigFileSnapshot } from "../config/config.js";
-import { createConfigIO } from "../config/config.js";
 import { collectIncludePathsRecursive } from "../config/includes-scan.js";
 import { resolveOAuthDir } from "../config/paths.js";
 import { hasConfiguredSecretInput } from "../config/types.secrets.js";
@@ -54,12 +53,18 @@ type CodeSafetySummaryCache = Map<string, Promise<unknown>>;
 const MAX_WORKSPACE_SKILL_SCAN_FILES_PER_WORKSPACE = 2_000;
 const MAX_WORKSPACE_SKILL_ESCAPE_DETAIL_ROWS = 12;
 let skillsModulePromise: Promise<typeof import("../agents/skills.js")> | undefined;
+let configModulePromise: Promise<typeof import("../config/config.js")> | undefined;
 
 function loadSkillsModule() {
   skillsModulePromise ??= import("../agents/skills.js");
   return skillsModulePromise;
 }
 
+function loadConfigModule() {
+  configModulePromise ??= import("../config/config.js");
+  return configModulePromise;
+}
+
 // --------------------------------------------------------------------------
 // Helpers
 // --------------------------------------------------------------------------
@@ -1133,6 +1138,7 @@ export async function readConfigSnapshotForAudit(params: {
   env: NodeJS.ProcessEnv;
   configPath: string;
 }): Promise<ConfigFileSnapshot> {
+  const { createConfigIO } = await loadConfigModule();
   return await createConfigIO({
     env: params.env,
     configPath: params.configPath,

From d47fc009dea25e99275333b8594d0626952ba3c1 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Sun, 15 Mar 2026 21:47:42 -0700
Subject: [PATCH 028/133] Config: keep native command defaults off heavy
 channel registry

---
 src/config/commands.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/config/commands.ts b/src/config/commands.ts
index 4d174d7c396..29992b3a1cd 100644
--- a/src/config/commands.ts
+++ b/src/config/commands.ts
@@ -1,5 +1,5 @@
-import { normalizeChannelId } from "../channels/plugins/index.js";
 import type { ChannelId } from "../channels/plugins/types.js";
+import { normalizeChannelId } from "../channels/registry.js";
 import { isPlainObject } from "../infra/plain-object.js";
 import type { CommandsConfig, NativeCommandsSetting } from "./types.js";
 

From c4b18ab3c9ae8c586bbfe02a279b13b2817cc3b8 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Sun, 15 Mar 2026 21:58:50 -0700
Subject: [PATCH 029/133] Status: split lightweight gateway agent list

---
 src/commands/status-all/agents.ts   |  4 +-
 src/commands/status.agent-local.ts  |  4 +-
 src/commands/status.summary.test.ts | 11 +++-
 src/commands/status.summary.ts      |  9 +--
 src/commands/status.test.ts         | 17 ++++--
 src/gateway/agent-list.ts           | 88 +++++++++++++++++++++++++++++
 6 files changed, 115 insertions(+), 18 deletions(-)
 create mode 100644 src/gateway/agent-list.ts

diff --git a/src/commands/status-all/agents.ts b/src/commands/status-all/agents.ts
index caf1ae03ed2..e8d7c485fe5 100644
--- a/src/commands/status-all/agents.ts
+++ b/src/commands/status-all/agents.ts
@@ -3,7 +3,7 @@ import path from "node:path";
 import { resolveAgentWorkspaceDir } from "../../agents/agent-scope.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import { loadSessionStore, resolveStorePath } from "../../config/sessions.js";
-import { listAgentsForGateway } from "../../gateway/session-utils.js";
+import { listGatewayAgentsBasic } from "../../gateway/agent-list.js";
 
 async function fileExists(p: string): Promise<boolean> {
   try {
@@ -15,7 +15,7 @@ async function fileExists(p: string): Promise<boolean> {
 }
 
 export async function getAgentLocalStatuses(cfg: OpenClawConfig) {
-  const agentList = listAgentsForGateway(cfg);
+  const agentList = listGatewayAgentsBasic(cfg);
   const now = Date.now();
 
   const agents = await Promise.all(
diff --git a/src/commands/status.agent-local.ts b/src/commands/status.agent-local.ts
index 5c57036eb97..ce17f9ab94f 100644
--- a/src/commands/status.agent-local.ts
+++ b/src/commands/status.agent-local.ts
@@ -4,7 +4,7 @@ import { resolveAgentWorkspaceDir } from "../agents/agent-scope.js";
 import type { OpenClawConfig } from "../config/config.js";
 import { loadConfig } from "../config/config.js";
 import { loadSessionStore, resolveStorePath } from "../config/sessions.js";
-import { listAgentsForGateway } from "../gateway/session-utils.js";
+import { listGatewayAgentsBasic } from "../gateway/agent-list.js";
 
 export type AgentLocalStatus = {
   id: string;
@@ -36,7 +36,7 @@ async function fileExists(p: string): Promise<boolean> {
 export async function getAgentLocalStatuses(
   cfg: OpenClawConfig = loadConfig(),
 ): Promise<AgentLocalStatusesResult> {
-  const agentList = listAgentsForGateway(cfg);
+  const agentList = listGatewayAgentsBasic(cfg);
   const now = Date.now();
 
   const statuses: AgentLocalStatus[] = [];
diff --git a/src/commands/status.summary.test.ts b/src/commands/status.summary.test.ts
index 2045c380e1b..12ce55844c3 100644
--- a/src/commands/status.summary.test.ts
+++ b/src/commands/status.summary.test.ts
@@ -32,12 +32,15 @@ vi.mock("../config/sessions.js", () => ({
   resolveStorePath: vi.fn(() => "/tmp/sessions.json"),
 }));
 
-vi.mock("../gateway/session-utils.js", () => ({
-  classifySessionKey: vi.fn(() => "direct"),
-  listAgentsForGateway: vi.fn(() => ({
+vi.mock("../gateway/agent-list.js", () => ({
+  listGatewayAgentsBasic: vi.fn(() => ({
     defaultId: "main",
     agents: [{ id: "main" }],
   })),
+}));
+
+vi.mock("../gateway/session-utils.js", () => ({
+  classifySessionKey: vi.fn(() => "direct"),
   resolveSessionModelRef: vi.fn(() => ({
     provider: "openai",
     model: "gpt-5.2",
@@ -61,6 +64,8 @@ vi.mock("../infra/system-events.js", () => ({
 }));
 
 vi.mock("../routing/session-key.js", () => ({
+  normalizeAgentId: vi.fn((value: string) => value),
+  normalizeMainKey: vi.fn((value?: string) => value ?? "main"),
   parseAgentSessionKey: vi.fn(() => null),
 }));
 
diff --git a/src/commands/status.summary.ts b/src/commands/status.summary.ts
index 6de3b282648..3d151c64772 100644
--- a/src/commands/status.summary.ts
+++ b/src/commands/status.summary.ts
@@ -11,11 +11,8 @@ import {
   resolveStorePath,
   type SessionEntry,
 } from "../config/sessions.js";
-import {
-  classifySessionKey,
-  listAgentsForGateway,
-  resolveSessionModelRef,
-} from "../gateway/session-utils.js";
+import { listGatewayAgentsBasic } from "../gateway/agent-list.js";
+import { classifySessionKey, resolveSessionModelRef } from "../gateway/session-utils.js";
 import { resolveHeartbeatSummaryForAgent } from "../infra/heartbeat-summary.js";
 import { peekSystemEvents } from "../infra/system-events.js";
 import { parseAgentSessionKey } from "../routing/session-key.js";
@@ -107,7 +104,7 @@ export async function getStatusSummary(
         resolveLinkChannelContext(cfg),
       )
     : null;
-  const agentList = listAgentsForGateway(cfg);
+  const agentList = listGatewayAgentsBasic(cfg);
   const heartbeatAgents: HeartbeatStatus[] = agentList.agents.map((agent) => {
     const summary = resolveHeartbeatSummaryForAgent(cfg, agent.id);
     return {
diff --git a/src/commands/status.test.ts b/src/commands/status.test.ts
index f3dfd37064a..3e68d55ced2 100644
--- a/src/commands/status.test.ts
+++ b/src/commands/status.test.ts
@@ -168,7 +168,7 @@ const mocks = vi.hoisted(() => ({
     configSnapshot: null,
   }),
   callGateway: vi.fn().mockResolvedValue({}),
-  listAgentsForGateway: vi.fn().mockReturnValue({
+  listGatewayAgentsBasic: vi.fn().mockReturnValue({
     defaultId: "main",
     mainKey: "agent:main:main",
     scope: "per-sender",
@@ -299,11 +299,18 @@ vi.mock("../gateway/call.js", async (importOriginal) => {
   const actual = await importOriginal<typeof import("../gateway/call.js")>();
   return { ...actual, callGateway: mocks.callGateway };
 });
+vi.mock("../gateway/agent-list.js", async (importOriginal) => {
+  const actual = await importOriginal<typeof import("../gateway/agent-list.js")>();
+  return {
+    ...actual,
+    listGatewayAgentsBasic: mocks.listGatewayAgentsBasic,
+  };
+});
+
 vi.mock("../gateway/session-utils.js", async (importOriginal) => {
   const actual = await importOriginal<typeof import("../gateway/session-utils.js")>();
   return {
     ...actual,
-    listAgentsForGateway: mocks.listAgentsForGateway,
   };
 });
 vi.mock("../infra/openclaw-root.js", () => ({
@@ -608,11 +615,11 @@ describe("statusCommand", () => {
   });
 
   it("includes sessions across agents in JSON output", async () => {
-    const originalAgents = mocks.listAgentsForGateway.getMockImplementation();
+    const originalAgents = mocks.listGatewayAgentsBasic.getMockImplementation();
     const originalResolveStorePath = mocks.resolveStorePath.getMockImplementation();
     const originalLoadSessionStore = mocks.loadSessionStore.getMockImplementation();
 
-    mocks.listAgentsForGateway.mockReturnValue({
+    mocks.listGatewayAgentsBasic.mockReturnValue({
       defaultId: "main",
       mainKey: "agent:main:main",
       scope: "per-sender",
@@ -651,7 +658,7 @@ describe("statusCommand", () => {
     ).toBe(true);
 
     if (originalAgents) {
-      mocks.listAgentsForGateway.mockImplementation(originalAgents);
+      mocks.listGatewayAgentsBasic.mockImplementation(originalAgents);
     }
     if (originalResolveStorePath) {
       mocks.resolveStorePath.mockImplementation(originalResolveStorePath);
diff --git a/src/gateway/agent-list.ts b/src/gateway/agent-list.ts
new file mode 100644
index 00000000000..d14cdf0c534
--- /dev/null
+++ b/src/gateway/agent-list.ts
@@ -0,0 +1,88 @@
+import fs from "node:fs";
+import path from "node:path";
+import { resolveDefaultAgentId } from "../agents/agent-scope.js";
+import type { OpenClawConfig } from "../config/config.js";
+import { resolveStateDir } from "../config/paths.js";
+import type { SessionScope } from "../config/sessions.js";
+import { normalizeAgentId, normalizeMainKey } from "../routing/session-key.js";
+
+export type GatewayAgentListRow = {
+  id: string;
+  name?: string;
+};
+
+function listExistingAgentIdsFromDisk(): string[] {
+  const root = resolveStateDir();
+  const agentsDir = path.join(root, "agents");
+  try {
+    const entries = fs.readdirSync(agentsDir, { withFileTypes: true });
+    return entries
+      .filter((entry) => entry.isDirectory())
+      .map((entry) => normalizeAgentId(entry.name))
+      .filter(Boolean);
+  } catch {
+    return [];
+  }
+}
+
+function listConfiguredAgentIds(cfg: OpenClawConfig): string[] {
+  const ids = new Set<string>();
+  const defaultId = normalizeAgentId(resolveDefaultAgentId(cfg));
+  ids.add(defaultId);
+
+  for (const entry of cfg.agents?.list ?? []) {
+    if (entry?.id) {
+      ids.add(normalizeAgentId(entry.id));
+    }
+  }
+
+  for (const id of listExistingAgentIdsFromDisk()) {
+    ids.add(id);
+  }
+
+  const sorted = Array.from(ids).filter(Boolean);
+  sorted.sort((a, b) => a.localeCompare(b));
+  return sorted.includes(defaultId)
+    ? [defaultId, ...sorted.filter((id) => id !== defaultId)]
+    : sorted;
+}
+
+export function listGatewayAgentsBasic(cfg: OpenClawConfig): {
+  defaultId: string;
+  mainKey: string;
+  scope: SessionScope;
+  agents: GatewayAgentListRow[];
+} {
+  const defaultId = normalizeAgentId(resolveDefaultAgentId(cfg));
+  const mainKey = normalizeMainKey(cfg.session?.mainKey);
+  const scope = cfg.session?.scope ?? "per-sender";
+  const configuredById = new Map<string, { name?: string }>();
+  for (const entry of cfg.agents?.list ?? []) {
+    if (!entry?.id) {
+      continue;
+    }
+    configuredById.set(normalizeAgentId(entry.id), {
+      name: typeof entry.name === "string" && entry.name.trim() ? entry.name.trim() : undefined,
+    });
+  }
+  const explicitIds = new Set(
+    (cfg.agents?.list ?? [])
+      .map((entry) => (entry?.id ? normalizeAgentId(entry.id) : ""))
+      .filter(Boolean),
+  );
+  const allowedIds = explicitIds.size > 0 ? new Set([...explicitIds, defaultId]) : null;
+  let agentIds = listConfiguredAgentIds(cfg).filter((id) =>
+    allowedIds ? allowedIds.has(id) : true,
+  );
+  if (mainKey && !agentIds.includes(mainKey) && (!allowedIds || allowedIds.has(mainKey))) {
+    agentIds = [...agentIds, mainKey];
+  }
+  const agents = agentIds.map((id) => {
+    const meta = configuredById.get(id);
+    return {
+      id,
+      name: meta?.name,
+    };
+  });
+  return { defaultId, mainKey, scope, agents };
+}

From ddd34b6cc3b90e97c3af745b4ef136684d2ab798 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Sun, 15 Mar 2026 23:00:16 -0700
Subject: [PATCH 030/133] refactor(plugins): simplify provider auth choice
 metadata

---
 docs/concepts/model-providers.md              |   4 +-
 docs/tools/plugin.md                          |   8 +-
 extensions/anthropic/index.ts                 |  19 ++-
 extensions/openai/openai-codex-provider.ts    |   2 +
 src/cli/models-cli.test.ts                    |  17 ++-
 src/cli/models-cli.ts                         |   7 +-
 .../auth-choice.apply.plugin-provider.ts      |  14 +-
 src/commands/auth-choice.apply.ts             |  11 +-
 .../auth-choice.preferred-provider.test.ts    |  50 +++++++
 .../auth-choice.preferred-provider.ts         |  30 +++--
 ...re.gateway-auth.prompt-auth-config.test.ts |  39 ++++++
 src/commands/configure.gateway-auth.ts        |  48 +++++--
 src/commands/doctor-auth.ts                   |  41 +++---
 src/commands/models/auth.ts                   |   8 +-
 src/plugins/provider-validation.test.ts       |  25 +++-
 src/plugins/provider-validation.ts            | 124 +++++++++++++-----
 src/plugins/provider-wizard.test.ts           |  36 +++++
 src/plugins/provider-wizard.ts                |  10 +-
 src/plugins/types.ts                          |  20 +++
 19 files changed, 415 insertions(+), 98 deletions(-)
 create mode 100644 src/commands/auth-choice.preferred-provider.test.ts

diff --git a/docs/concepts/model-providers.md b/docs/concepts/model-providers.md
index fc0656c0dd4..6adbb5d0f26 100644
--- a/docs/concepts/model-providers.md
+++ b/docs/concepts/model-providers.md
@@ -42,8 +42,8 @@ Typical split:
 
 - `auth[].run` / `auth[].runNonInteractive`: provider owns onboarding/login
   flows for `openclaw onboard`, `openclaw models auth`, and headless setup
-- `wizard.onboarding` / `wizard.modelPicker`: provider owns auth-choice labels,
-  hints, and setup entries in onboarding/model pickers
+- `wizard.setup` / `wizard.modelPicker`: provider owns auth-choice labels,
+  legacy aliases, onboarding allowlist hints, and setup entries in onboarding/model pickers
 - `catalog`: provider appears in `models.providers`
 - `resolveDynamicModel`: provider accepts model ids not present in the local
   static catalog yet
diff --git a/docs/tools/plugin.md b/docs/tools/plugin.md
index c14f3c39f56..ec4084eeca6 100644
--- a/docs/tools/plugin.md
+++ b/docs/tools/plugin.md
@@ -1275,6 +1275,7 @@ errors instead.
 - `groupLabel`: group label
 - `groupHint`: group hint
 - `methodId`: auth method to run
+- `modelAllowlist`: optional post-auth allowlist policy (`allowedKeys`, `initialSelections`, `message`)
 
 `wizard.modelPicker` controls how a provider appears as a "set this up now"
 entry in model selection:
@@ -1435,8 +1436,13 @@ Notes:
   for headless onboarding.
 - Return `configPatch` when you need to add default models or provider config.
 - Return `defaultModel` so `--set-default` can update agent defaults.
-- `wizard.setup` adds a provider choice to `openclaw onboard`.
+- `wizard.setup` adds a provider choice to onboarding surfaces such as
+  `openclaw onboard` / `openclaw setup --wizard`.
+- `wizard.setup.modelAllowlist` lets the provider narrow the follow-up model
+  allowlist prompt during onboarding/configure.
 - `wizard.modelPicker` adds a “setup this provider” entry to the model picker.
+- `deprecatedProfileIds` lets the provider own `openclaw doctor` cleanup for
+  retired auth-profile ids.
 - `discovery.run` returns either `{ provider }` for the plugin’s own provider id
   or `{ providers }` for multi-provider discovery.
 - `discovery.order` controls when the provider runs relative to built-in
diff --git a/extensions/anthropic/index.ts b/extensions/anthropic/index.ts
index 13758e7de46..a2491dfbd87 100644
--- a/extensions/anthropic/index.ts
+++ b/extensions/anthropic/index.ts
@@ -5,7 +5,11 @@ import {
   type ProviderResolveDynamicModelContext,
   type ProviderRuntimeModel,
 } from "openclaw/plugin-sdk/core";
-import { listProfilesForProvider, upsertAuthProfile } from "../../src/agents/auth-profiles.js";
+import {
+  CLAUDE_CLI_PROFILE_ID,
+  listProfilesForProvider,
+  upsertAuthProfile,
+} from "../../src/agents/auth-profiles.js";
 import { suggestOAuthProfileIdForLegacyDefault } from "../../src/agents/auth-profiles/repair.js";
 import type { AuthProfileStore } from "../../src/agents/auth-profiles/types.js";
 import { normalizeModelCompat } from "../../src/agents/model-compat.js";
@@ -38,6 +42,13 @@ const ANTHROPIC_MODERN_MODEL_PREFIXES = [
   "claude-sonnet-4-5",
   "claude-haiku-4-5",
 ] as const;
+const ANTHROPIC_OAUTH_ALLOWLIST = [
+  "anthropic/claude-sonnet-4-6",
+  "anthropic/claude-opus-4-6",
+  "anthropic/claude-opus-4-5",
+  "anthropic/claude-sonnet-4-5",
+  "anthropic/claude-haiku-4-5",
+] as const;
 
 function cloneFirstTemplateModel(params: {
   modelId: string;
@@ -309,6 +320,7 @@ const anthropicPlugin = {
       label: "Anthropic",
       docsPath: "/providers/models",
       envVars: ["ANTHROPIC_OAUTH_TOKEN", "ANTHROPIC_API_KEY"],
+      deprecatedProfileIds: [CLAUDE_CLI_PROFILE_ID],
       auth: [
         {
           id: "setup-token",
@@ -322,6 +334,11 @@ const anthropicPlugin = {
             groupId: "anthropic",
             groupLabel: "Anthropic",
             groupHint: "setup-token + API key",
+            modelAllowlist: {
+              allowedKeys: [...ANTHROPIC_OAUTH_ALLOWLIST],
+              initialSelections: ["anthropic/claude-sonnet-4-6"],
+              message: "Anthropic OAuth models",
+            },
           },
           run: async (ctx: ProviderAuthContext) => await runAnthropicSetupToken(ctx),
           runNonInteractive: async (ctx) =>
diff --git a/extensions/openai/openai-codex-provider.ts b/extensions/openai/openai-codex-provider.ts
index 17ee1348de2..c0ae2c12210 100644
--- a/extensions/openai/openai-codex-provider.ts
+++ b/extensions/openai/openai-codex-provider.ts
@@ -4,6 +4,7 @@ import type {
   ProviderResolveDynamicModelContext,
   ProviderRuntimeModel,
 } from "openclaw/plugin-sdk/core";
+import { CODEX_CLI_PROFILE_ID } from "../../src/agents/auth-profiles.js";
 import { listProfilesForProvider } from "../../src/agents/auth-profiles/profiles.js";
 import { ensureAuthProfileStore } from "../../src/agents/auth-profiles/store.js";
 import type { OAuthCredential } from "../../src/agents/auth-profiles/types.js";
@@ -194,6 +195,7 @@ export function buildOpenAICodexProviderPlugin(): ProviderPlugin {
     id: PROVIDER_ID,
     label: "OpenAI Codex",
     docsPath: "/providers/models",
+    deprecatedProfileIds: [CODEX_CLI_PROFILE_ID],
     auth: [
       {
         id: "oauth",
diff --git a/src/cli/models-cli.test.ts b/src/cli/models-cli.test.ts
index 7386988a1f0..208b74fd09d 100644
--- a/src/cli/models-cli.test.ts
+++ b/src/cli/models-cli.test.ts
@@ -2,18 +2,17 @@ import { Command } from "commander";
 import { beforeAll, beforeEach, describe, expect, it, vi } from "vitest";
 import { runRegisteredCli } from "../test-utils/command-runner.js";
 
-const githubCopilotLoginCommand = vi.fn();
 const modelsStatusCommand = vi.fn().mockResolvedValue(undefined);
 const noopAsync = vi.fn(async () => undefined);
+const modelsAuthLoginCommand = vi.fn().mockResolvedValue(undefined);
 
 vi.mock("../commands/models.js", () => ({
-  githubCopilotLoginCommand,
   modelsStatusCommand,
   modelsAliasesAddCommand: noopAsync,
   modelsAliasesListCommand: noopAsync,
   modelsAliasesRemoveCommand: noopAsync,
   modelsAuthAddCommand: noopAsync,
-  modelsAuthLoginCommand: noopAsync,
+  modelsAuthLoginCommand,
   modelsAuthOrderClearCommand: noopAsync,
   modelsAuthOrderGetCommand: noopAsync,
   modelsAuthOrderSetCommand: noopAsync,
@@ -42,7 +41,7 @@ describe("models cli", () => {
   });
 
   beforeEach(() => {
-    githubCopilotLoginCommand.mockClear();
+    modelsAuthLoginCommand.mockClear();
     modelsStatusCommand.mockClear();
   });
 
@@ -74,9 +73,13 @@ describe("models cli", () => {
       from: "user",
     });
 
-    expect(githubCopilotLoginCommand).toHaveBeenCalledTimes(1);
-    expect(githubCopilotLoginCommand).toHaveBeenCalledWith(
-      expect.objectContaining({ yes: true }),
+    expect(modelsAuthLoginCommand).toHaveBeenCalledTimes(1);
+    expect(modelsAuthLoginCommand).toHaveBeenCalledWith(
+      expect.objectContaining({
+        provider: "github-copilot",
+        method: "device",
+        yes: true,
+      }),
       expect.any(Object),
     );
   });
diff --git a/src/cli/models-cli.ts b/src/cli/models-cli.ts
index d3be2d6c131..f3391c2796e 100644
--- a/src/cli/models-cli.ts
+++ b/src/cli/models-cli.ts
@@ -1,6 +1,5 @@
 import type { Command } from "commander";
 import {
-  githubCopilotLoginCommand,
   modelsAliasesAddCommand,
   modelsAliasesListCommand,
   modelsAliasesRemoveCommand,
@@ -364,13 +363,13 @@ export function registerModelsCli(program: Command) {
   auth
     .command("login-github-copilot")
     .description("Login to GitHub Copilot via GitHub device flow (TTY required)")
-    .option("--profile-id <id>", "Auth profile id (default: github-copilot:github)")
     .option("--yes", "Overwrite existing profile without prompting", false)
     .action(async (opts) => {
       await runModelsCommand(async () => {
-        await githubCopilotLoginCommand(
+        await modelsAuthLoginCommand(
           {
-            profileId: opts.profileId as string | undefined,
+            provider: "github-copilot",
+            method: "device",
             yes: Boolean(opts.yes),
           },
           defaultRuntime,
diff --git a/src/commands/auth-choice.apply.plugin-provider.ts b/src/commands/auth-choice.apply.plugin-provider.ts
index 5f4893b249c..76994d27b32 100644
--- a/src/commands/auth-choice.apply.plugin-provider.ts
+++ b/src/commands/auth-choice.apply.plugin-provider.ts
@@ -117,7 +117,12 @@ export async function applyAuthChoiceLoadedPluginProvider(
     resolveAgentWorkspaceDir(params.config, agentId) ?? resolveDefaultAgentWorkspaceDir();
   const { resolvePluginProviders, resolveProviderPluginChoice, runProviderModelSelectedHook } =
     await loadPluginProviderRuntime();
-  const providers = resolvePluginProviders({ config: params.config, workspaceDir });
+  const providers = resolvePluginProviders({
+    config: params.config,
+    workspaceDir,
+    bundledProviderAllowlistCompat: true,
+    bundledProviderVitestCompat: true,
+  });
   const resolved = resolveProviderPluginChoice({
     providers,
     choice: params.authChoice,
@@ -190,7 +195,12 @@ export async function applyAuthChoicePluginProvider(
 
   const { resolvePluginProviders, runProviderModelSelectedHook } =
     await loadPluginProviderRuntime();
-  const providers = resolvePluginProviders({ config: nextConfig, workspaceDir });
+  const providers = resolvePluginProviders({
+    config: nextConfig,
+    workspaceDir,
+    bundledProviderAllowlistCompat: true,
+    bundledProviderVitestCompat: true,
+  });
   const provider = resolveProviderMatch(providers, options.providerId);
   if (!provider) {
     await params.prompter.note(
diff --git a/src/commands/auth-choice.apply.ts b/src/commands/auth-choice.apply.ts
index 798d8991199..bafa9122e25 100644
--- a/src/commands/auth-choice.apply.ts
+++ b/src/commands/auth-choice.apply.ts
@@ -1,6 +1,7 @@
 import type { OpenClawConfig } from "../config/config.js";
 import type { RuntimeEnv } from "../runtime.js";
 import type { WizardPrompter } from "../wizard/prompts.js";
+import { normalizeLegacyOnboardAuthChoice } from "./auth-choice-legacy.js";
 import { applyAuthChoiceAnthropic } from "./auth-choice.apply.anthropic.js";
 import { applyAuthChoiceApiProviders } from "./auth-choice.apply.api-providers.js";
 import { applyAuthChoiceMiniMax } from "./auth-choice.apply.minimax.js";
@@ -28,6 +29,12 @@ export type ApplyAuthChoiceResult = {
 export async function applyAuthChoice(
   params: ApplyAuthChoiceParams,
 ): Promise<ApplyAuthChoiceResult> {
+  const normalizedAuthChoice =
+    normalizeLegacyOnboardAuthChoice(params.authChoice) ?? params.authChoice;
+  const normalizedParams =
+    normalizedAuthChoice === params.authChoice
+      ? params
+      : { ...params, authChoice: normalizedAuthChoice };
   const handlers: Array<(p: ApplyAuthChoiceParams) => Promise<ApplyAuthChoiceResult | null>> = [
     applyAuthChoiceLoadedPluginProvider,
     applyAuthChoiceAnthropic,
@@ -38,11 +45,11 @@ export async function applyAuthChoice(
   ];
 
   for (const handler of handlers) {
-    const result = await handler(params);
+    const result = await handler(normalizedParams);
     if (result) {
       return result;
     }
   }
 
-  return { config: params.config };
+  return { config: normalizedParams.config };
 }
diff --git a/src/commands/auth-choice.preferred-provider.test.ts b/src/commands/auth-choice.preferred-provider.test.ts
new file mode 100644
index 00000000000..6f84763a308
--- /dev/null
+++ b/src/commands/auth-choice.preferred-provider.test.ts
@@ -0,0 +1,50 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+
+const resolveProviderPluginChoice = vi.hoisted(() => vi.fn());
+const resolvePluginProviders = vi.hoisted(() => vi.fn(() => []));
+
+vi.mock("../plugins/provider-wizard.js", () => ({
+  resolveProviderPluginChoice,
+}));
+
+vi.mock("../plugins/providers.js", () => ({
+  resolvePluginProviders,
+}));
+
+import { resolvePreferredProviderForAuthChoice } from "./auth-choice.preferred-provider.js";
+
+describe("resolvePreferredProviderForAuthChoice", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    resolvePluginProviders.mockReturnValue([]);
+    resolveProviderPluginChoice.mockReturnValue(null);
+  });
+
+  it("normalizes legacy auth choices before plugin lookup", async () => {
+    resolveProviderPluginChoice.mockReturnValue({
+      provider: { id: "anthropic", label: "Anthropic", auth: [] },
+      method: { id: "setup-token", label: "setup-token", kind: "token" },
+    });
+
+    await expect(resolvePreferredProviderForAuthChoice({ choice: "claude-cli" })).resolves.toBe(
+      "anthropic",
+    );
+    expect(resolveProviderPluginChoice).toHaveBeenCalledWith(
+      expect.objectContaining({
+        choice: "setup-token",
+      }),
+    );
+    expect(resolvePluginProviders).toHaveBeenCalledWith(
+      expect.objectContaining({
+        bundledProviderAllowlistCompat: true,
+        bundledProviderVitestCompat: true,
+      }),
+    );
+  });
+
+  it("falls back to static core choices when no provider plugin claims the choice", async () => {
+    await expect(resolvePreferredProviderForAuthChoice({ choice: "chutes" })).resolves.toBe(
+      "chutes",
+    );
+  });
+});
diff --git a/src/commands/auth-choice.preferred-provider.ts b/src/commands/auth-choice.preferred-provider.ts
index 49251a88f87..a7faad5d3a4 100644
--- a/src/commands/auth-choice.preferred-provider.ts
+++ b/src/commands/auth-choice.preferred-provider.ts
@@ -1,15 +1,12 @@
 import type { OpenClawConfig } from "../config/config.js";
+import { normalizeLegacyOnboardAuthChoice } from "./auth-choice-legacy.js";
 import type { AuthChoice } from "./onboard-types.js";
 
 const PREFERRED_PROVIDER_BY_AUTH_CHOICE: Partial<Record<AuthChoice, string>> = {
-  oauth: "anthropic",
-  "setup-token": "anthropic",
-  "claude-cli": "anthropic",
+  chutes: "chutes",
   token: "anthropic",
   apiKey: "anthropic",
   "openai-codex": "openai-codex",
-  "codex-cli": "openai-codex",
-  chutes: "chutes",
   "openai-api-key": "openai",
   "openrouter-api-key": "openrouter",
   "kilocode-api-key": "kilocode",
@@ -57,11 +54,7 @@ export async function resolvePreferredProviderForAuthChoice(params: {
   workspaceDir?: string;
   env?: NodeJS.ProcessEnv;
 }): Promise<string | undefined> {
-  const preferred = PREFERRED_PROVIDER_BY_AUTH_CHOICE[params.choice];
-  if (preferred) {
-    return preferred;
-  }
-
+  const choice = normalizeLegacyOnboardAuthChoice(params.choice) ?? params.choice;
   const [{ resolveProviderPluginChoice }, { resolvePluginProviders }] = await Promise.all([
     import("../plugins/provider-wizard.js"),
     import("../plugins/providers.js"),
@@ -70,9 +63,20 @@ export async function resolvePreferredProviderForAuthChoice(params: {
     config: params.config,
     workspaceDir: params.workspaceDir,
     env: params.env,
+    bundledProviderAllowlistCompat: true,
+    bundledProviderVitestCompat: true,
   });
-  return resolveProviderPluginChoice({
+  const pluginResolved = resolveProviderPluginChoice({
     providers,
-    choice: params.choice,
-  })?.provider.id;
+    choice,
+  });
+  if (pluginResolved) {
+    return pluginResolved.provider.id;
+  }
+
+  const preferred = PREFERRED_PROVIDER_BY_AUTH_CHOICE[choice];
+  if (preferred) {
+    return preferred;
+  }
+  return undefined;
 }
diff --git a/src/commands/configure.gateway-auth.prompt-auth-config.test.ts b/src/commands/configure.gateway-auth.prompt-auth-config.test.ts
index 0657a77b3e1..b6ba81a432e 100644
--- a/src/commands/configure.gateway-auth.prompt-auth-config.test.ts
+++ b/src/commands/configure.gateway-auth.prompt-auth-config.test.ts
@@ -8,6 +8,8 @@ const mocks = vi.hoisted(() => ({
   promptModelAllowlist: vi.fn(),
   promptDefaultModel: vi.fn(),
   promptCustomApiConfig: vi.fn(),
+  resolvePluginProviders: vi.fn(() => []),
+  resolveProviderPluginChoice: vi.fn<() => unknown>(() => null),
 }));
 
 vi.mock("../agents/auth-profiles.js", () => ({
@@ -39,6 +41,14 @@ vi.mock("./onboard-custom.js", () => ({
   promptCustomApiConfig: mocks.promptCustomApiConfig,
 }));
 
+vi.mock("../plugins/providers.js", () => ({
+  resolvePluginProviders: mocks.resolvePluginProviders,
+}));
+
+vi.mock("../plugins/provider-wizard.js", () => ({
+  resolveProviderPluginChoice: mocks.resolveProviderPluginChoice,
+}));
+
 import { promptAuthConfig } from "./configure.gateway-auth.js";
 
 function makeRuntime(): RuntimeEnv {
@@ -94,6 +104,8 @@ async function runPromptAuthConfigWithAllowlist(includeMinimaxProvider = false)
   mocks.promptModelAllowlist.mockResolvedValue({
     models: ["kilocode/kilo/auto"],
   });
+  mocks.resolvePluginProviders.mockReturnValue([]);
+  mocks.resolveProviderPluginChoice.mockReturnValue(null);
 
   return promptAuthConfig({}, makeRuntime(), noopPrompter);
 }
@@ -118,4 +130,31 @@ describe("promptAuthConfig", () => {
       "MiniMax-M2.5",
     ]);
   });
+
+  it("uses plugin-owned allowlist metadata for provider auth choices", async () => {
+    mocks.promptAuthChoiceGrouped.mockResolvedValue("token");
+    mocks.applyAuthChoice.mockResolvedValue({ config: {} });
+    mocks.promptModelAllowlist.mockResolvedValue({ models: undefined });
+    mocks.resolveProviderPluginChoice.mockReturnValue({
+      provider: { id: "anthropic", label: "Anthropic", auth: [] },
+      method: { id: "setup-token", label: "setup-token", kind: "token" },
+      wizard: {
+        modelAllowlist: {
+          allowedKeys: ["anthropic/claude-sonnet-4-6"],
+          initialSelections: ["anthropic/claude-sonnet-4-6"],
+          message: "Anthropic OAuth models",
+        },
+      },
+    });
+
+    await promptAuthConfig({}, makeRuntime(), noopPrompter);
+
+    expect(mocks.promptModelAllowlist).toHaveBeenCalledWith(
+      expect.objectContaining({
+        allowedKeys: ["anthropic/claude-sonnet-4-6"],
+        initialSelections: ["anthropic/claude-sonnet-4-6"],
+        message: "Anthropic OAuth models",
+      }),
+    );
+  });
 });
diff --git a/src/commands/configure.gateway-auth.ts b/src/commands/configure.gateway-auth.ts
index ca56ee25275..8963557e80a 100644
--- a/src/commands/configure.gateway-auth.ts
+++ b/src/commands/configure.gateway-auth.ts
@@ -2,6 +2,8 @@ import { ensureAuthProfileStore } from "../agents/auth-profiles.js";
 import { resolveDefaultAgentWorkspaceDir } from "../agents/workspace.js";
 import type { OpenClawConfig, GatewayAuthConfig } from "../config/config.js";
 import { isSecretRef, type SecretInput } from "../config/types.secrets.js";
+import { resolveProviderPluginChoice } from "../plugins/provider-wizard.js";
+import { resolvePluginProviders } from "../plugins/providers.js";
 import type { RuntimeEnv } from "../runtime.js";
 import type { WizardPrompter } from "../wizard/prompts.js";
 import { promptAuthChoiceGrouped } from "./auth-choice-prompt.js";
@@ -30,13 +32,30 @@ function sanitizeTokenValue(value: unknown): string | undefined {
   return trimmed;
 }
 
-const ANTHROPIC_OAUTH_MODEL_KEYS = [
-  "anthropic/claude-sonnet-4-6",
-  "anthropic/claude-opus-4-6",
-  "anthropic/claude-opus-4-5",
-  "anthropic/claude-sonnet-4-5",
-  "anthropic/claude-haiku-4-5",
-];
+function resolveProviderChoiceModelAllowlist(params: {
+  authChoice: string;
+  config: OpenClawConfig;
+  workspaceDir?: string;
+  env?: NodeJS.ProcessEnv;
+}):
+  | {
+      allowedKeys?: string[];
+      initialSelections?: string[];
+      message?: string;
+    }
+  | undefined {
+  const providers = resolvePluginProviders({
+    config: params.config,
+    workspaceDir: params.workspaceDir,
+    env: params.env,
+    bundledProviderAllowlistCompat: true,
+    bundledProviderVitestCompat: true,
+  });
+  return resolveProviderPluginChoice({
+    providers,
+    choice: params.authChoice,
+  })?.wizard?.modelAllowlist;
+}
 
 export function buildGatewayAuthConfig(params: {
   existing?: GatewayAuthConfig;
@@ -125,16 +144,19 @@ export async function promptAuthConfig(
     }
   }
 
-  const anthropicOAuth =
-    authChoice === "setup-token" || authChoice === "token" || authChoice === "oauth";
-
   if (authChoice !== "custom-api-key") {
+    const modelAllowlist = resolveProviderChoiceModelAllowlist({
+      authChoice,
+      config: next,
+      workspaceDir: resolveDefaultAgentWorkspaceDir(),
+      env: process.env,
+    });
     const allowlistSelection = await promptModelAllowlist({
       config: next,
       prompter,
-      allowedKeys: anthropicOAuth ? ANTHROPIC_OAUTH_MODEL_KEYS : undefined,
-      initialSelections: anthropicOAuth ? ["anthropic/claude-sonnet-4-6"] : undefined,
-      message: anthropicOAuth ? "Anthropic OAuth models" : undefined,
+      allowedKeys: modelAllowlist?.allowedKeys,
+      initialSelections: modelAllowlist?.initialSelections,
+      message: modelAllowlist?.message,
     });
     if (allowlistSelection.models) {
       next = applyModelAllowlist(next, allowlistSelection.models);
diff --git a/src/commands/doctor-auth.ts b/src/commands/doctor-auth.ts
index cf8267cebff..1f46ef28ba1 100644
--- a/src/commands/doctor-auth.ts
+++ b/src/commands/doctor-auth.ts
@@ -15,6 +15,7 @@ import {
 import { updateAuthProfileStoreWithLock } from "../agents/auth-profiles/store.js";
 import { formatCliCommand } from "../cli/command-format.js";
 import type { OpenClawConfig } from "../config/config.js";
+import { resolvePluginProviders } from "../plugins/providers.js";
 import { note } from "../terminal/note.js";
 import type { DoctorPrompter } from "./doctor-prompter.js";
 import {
@@ -119,30 +120,36 @@ export async function maybeRemoveDeprecatedCliAuthProfiles(
   prompter: DoctorPrompter,
 ): Promise<OpenClawConfig> {
   const store = ensureAuthProfileStore(undefined, { allowKeychainPrompt: false });
-  const deprecated = new Set<string>();
-  if (store.profiles[CLAUDE_CLI_PROFILE_ID] || cfg.auth?.profiles?.[CLAUDE_CLI_PROFILE_ID]) {
-    deprecated.add(CLAUDE_CLI_PROFILE_ID);
-  }
-  if (store.profiles[CODEX_CLI_PROFILE_ID] || cfg.auth?.profiles?.[CODEX_CLI_PROFILE_ID]) {
-    deprecated.add(CODEX_CLI_PROFILE_ID);
-  }
+  const providers = resolvePluginProviders({
+    config: cfg,
+    env: process.env,
+    bundledProviderAllowlistCompat: true,
+    bundledProviderVitestCompat: true,
+  });
+  const deprecatedEntries = providers.flatMap((provider) =>
+    (provider.deprecatedProfileIds ?? [])
+      .filter((profileId) => store.profiles[profileId] || cfg.auth?.profiles?.[profileId])
+      .map((profileId) => ({
+        profileId,
+        providerId: provider.id,
+        providerLabel: provider.label,
+      })),
+  );
+  const deprecated = new Set(deprecatedEntries.map((entry) => entry.profileId));
 
   if (deprecated.size === 0) {
     return cfg;
   }
 
   const lines = ["Deprecated external CLI auth profiles detected (no longer supported):"];
-  if (deprecated.has(CLAUDE_CLI_PROFILE_ID)) {
+  for (const entry of deprecatedEntries) {
     const authCommand =
-      resolveProviderAuthLoginCommand({ provider: "anthropic" }) ??
-      formatCliCommand("openclaw configure");
-    lines.push(`- ${CLAUDE_CLI_PROFILE_ID} (Anthropic): use ${authCommand}`);
-  }
-  if (deprecated.has(CODEX_CLI_PROFILE_ID)) {
-    const authCommand =
-      resolveProviderAuthLoginCommand({ provider: "openai-codex" }) ??
-      formatCliCommand("openclaw configure");
-    lines.push(`- ${CODEX_CLI_PROFILE_ID} (OpenAI Codex): use ${authCommand}`);
+      resolveProviderAuthLoginCommand({
+        provider: entry.providerId,
+        config: cfg,
+        env: process.env,
+      }) ?? formatCliCommand("openclaw configure");
+    lines.push(`- ${entry.profileId} (${entry.providerLabel}): use ${authCommand}`);
   }
   note(lines.join("\n"), "Auth profiles");
 
diff --git a/src/commands/models/auth.ts b/src/commands/models/auth.ts
index 1ea838fdb27..6001ede2ea4 100644
--- a/src/commands/models/auth.ts
+++ b/src/commands/models/auth.ts
@@ -106,7 +106,12 @@ async function resolveModelsAuthContext(): Promise<ResolvedModelsAuthContext> {
   const agentDir = resolveAgentDir(config, defaultAgentId);
   const workspaceDir =
     resolveAgentWorkspaceDir(config, defaultAgentId) ?? resolveDefaultAgentWorkspaceDir();
-  const providers = resolvePluginProviders({ config, workspaceDir });
+  const providers = resolvePluginProviders({
+    config,
+    workspaceDir,
+    bundledProviderAllowlistCompat: true,
+    bundledProviderVitestCompat: true,
+  });
   return { config, agentDir, workspaceDir, providers };
 }
 
@@ -490,6 +495,7 @@ type LoginOptions = {
   provider?: string;
   method?: string;
   setDefault?: boolean;
+  yes?: boolean;
 };
 
 /**
diff --git a/src/plugins/provider-validation.test.ts b/src/plugins/provider-validation.test.ts
index f0208aa1d2a..fe934aa6578 100644
--- a/src/plugins/provider-validation.test.ts
+++ b/src/plugins/provider-validation.test.ts
@@ -32,12 +32,21 @@ describe("normalizeRegisteredProvider", () => {
         id: " demo ",
         label: " Demo Provider ",
         aliases: [" alias-one ", "alias-one", ""],
+        deprecatedProfileIds: [" demo:legacy ", "demo:legacy", ""],
         envVars: [" DEMO_API_KEY ", "DEMO_API_KEY"],
         auth: [
           {
             id: " primary ",
             label: " Primary ",
             kind: "custom",
+            wizard: {
+              choiceId: " demo-primary ",
+              modelAllowlist: {
+                allowedKeys: [" demo/model ", "demo/model"],
+                initialSelections: [" demo/model "],
+                message: " Demo models ",
+              },
+            },
             run: async () => ({ profiles: [] }),
           },
           {
@@ -66,8 +75,22 @@ describe("normalizeRegisteredProvider", () => {
       id: "demo",
       label: "Demo Provider",
       aliases: ["alias-one"],
+      deprecatedProfileIds: ["demo:legacy"],
       envVars: ["DEMO_API_KEY"],
-      auth: [{ id: "primary", label: "Primary" }],
+      auth: [
+        {
+          id: "primary",
+          label: "Primary",
+          wizard: {
+            choiceId: "demo-primary",
+            modelAllowlist: {
+              allowedKeys: ["demo/model"],
+              initialSelections: ["demo/model"],
+              message: "Demo models",
+            },
+          },
+        },
+      ],
       wizard: {
         setup: {
           choiceId: "demo-choice",
diff --git a/src/plugins/provider-validation.ts b/src/plugins/provider-validation.ts
index 172fefc1777..f53abc8bd6d 100644
--- a/src/plugins/provider-validation.ts
+++ b/src/plugins/provider-validation.ts
@@ -27,6 +27,80 @@ function normalizeTextList(values: string[] | undefined): string[] | undefined {
   return normalized.length > 0 ? normalized : undefined;
 }
 
+function normalizeProviderWizardSetup(params: {
+  providerId: string;
+  pluginId: string;
+  source: string;
+  auth: ProviderAuthMethod[];
+  setup: NonNullable<ProviderPlugin["wizard"]>["setup"];
+  pushDiagnostic: (diag: PluginDiagnostic) => void;
+}): NonNullable<ProviderPlugin["wizard"]>["setup"] {
+  const hasAuthMethods = params.auth.length > 0;
+  if (!params.setup) {
+    return undefined;
+  }
+  if (!hasAuthMethods) {
+    pushProviderDiagnostic({
+      level: "warn",
+      pluginId: params.pluginId,
+      source: params.source,
+      message: `provider "${params.providerId}" setup metadata ignored because it has no auth methods`,
+      pushDiagnostic: params.pushDiagnostic,
+    });
+    return undefined;
+  }
+  const methodId = normalizeText(params.setup.methodId);
+  if (methodId && !params.auth.some((method) => method.id === methodId)) {
+    pushProviderDiagnostic({
+      level: "warn",
+      pluginId: params.pluginId,
+      source: params.source,
+      message: `provider "${params.providerId}" setup method "${methodId}" not found; falling back to available methods`,
+      pushDiagnostic: params.pushDiagnostic,
+    });
+  }
+  return {
+    ...(normalizeText(params.setup.choiceId)
+      ? { choiceId: normalizeText(params.setup.choiceId) }
+      : {}),
+    ...(normalizeText(params.setup.choiceLabel)
+      ? { choiceLabel: normalizeText(params.setup.choiceLabel) }
+      : {}),
+    ...(normalizeText(params.setup.choiceHint)
+      ? { choiceHint: normalizeText(params.setup.choiceHint) }
+      : {}),
+    ...(normalizeText(params.setup.groupId)
+      ? { groupId: normalizeText(params.setup.groupId) }
+      : {}),
+    ...(normalizeText(params.setup.groupLabel)
+      ? { groupLabel: normalizeText(params.setup.groupLabel) }
+      : {}),
+    ...(normalizeText(params.setup.groupHint)
+      ? { groupHint: normalizeText(params.setup.groupHint) }
+      : {}),
+    ...(methodId && params.auth.some((method) => method.id === methodId) ? { methodId } : {}),
+    ...(params.setup.modelAllowlist
+      ? {
+          modelAllowlist: {
+            ...(normalizeTextList(params.setup.modelAllowlist.allowedKeys)
+              ? { allowedKeys: normalizeTextList(params.setup.modelAllowlist.allowedKeys) }
+              : {}),
+            ...(normalizeTextList(params.setup.modelAllowlist.initialSelections)
+              ? {
+                  initialSelections: normalizeTextList(
+                    params.setup.modelAllowlist.initialSelections,
+                  ),
+                }
+              : {}),
+            ...(normalizeText(params.setup.modelAllowlist.message)
+              ? { message: normalizeText(params.setup.modelAllowlist.message) }
+              : {}),
+          },
+        }
+      : {}),
+  };
+}
+
 function normalizeProviderAuthMethods(params: {
   providerId: string;
   pluginId: string;
@@ -60,11 +134,20 @@ function normalizeProviderAuthMethods(params: {
       continue;
     }
     seenMethodIds.add(methodId);
+    const wizard = normalizeProviderWizardSetup({
+      providerId: params.providerId,
+      pluginId: params.pluginId,
+      source: params.source,
+      auth: [{ ...method, id: methodId }],
+      setup: method.wizard,
+      pushDiagnostic: params.pushDiagnostic,
+    });
     normalized.push({
       ...method,
       id: methodId,
       label: normalizeText(method.label) ?? methodId,
       ...(normalizeText(method.hint) ? { hint: normalizeText(method.hint) } : {}),
+      ...(wizard ? { wizard } : {}),
     });
   }
 
@@ -92,37 +175,14 @@ function normalizeProviderWizard(params: {
     if (!setup) {
       return undefined;
     }
-    if (!hasAuthMethods) {
-      pushProviderDiagnostic({
-        level: "warn",
-        pluginId: params.pluginId,
-        source: params.source,
-        message: `provider "${params.providerId}" setup metadata ignored because it has no auth methods`,
-        pushDiagnostic: params.pushDiagnostic,
-      });
-      return undefined;
-    }
-    const methodId = normalizeText(setup.methodId);
-    if (methodId && !hasMethod(methodId)) {
-      pushProviderDiagnostic({
-        level: "warn",
-        pluginId: params.pluginId,
-        source: params.source,
-        message: `provider "${params.providerId}" setup method "${methodId}" not found; falling back to available methods`,
-        pushDiagnostic: params.pushDiagnostic,
-      });
-    }
-    return {
-      ...(normalizeText(setup.choiceId) ? { choiceId: normalizeText(setup.choiceId) } : {}),
-      ...(normalizeText(setup.choiceLabel)
-        ? { choiceLabel: normalizeText(setup.choiceLabel) }
-        : {}),
-      ...(normalizeText(setup.choiceHint) ? { choiceHint: normalizeText(setup.choiceHint) } : {}),
-      ...(normalizeText(setup.groupId) ? { groupId: normalizeText(setup.groupId) } : {}),
-      ...(normalizeText(setup.groupLabel) ? { groupLabel: normalizeText(setup.groupLabel) } : {}),
-      ...(normalizeText(setup.groupHint) ? { groupHint: normalizeText(setup.groupHint) } : {}),
-      ...(methodId && hasMethod(methodId) ? { methodId } : {}),
-    };
+    return normalizeProviderWizardSetup({
+      providerId: params.providerId,
+      pluginId: params.pluginId,
+      source: params.source,
+      auth: params.auth,
+      setup,
+      pushDiagnostic: params.pushDiagnostic,
+    });
   };
 
   const normalizeModelPicker = () => {
@@ -195,6 +255,7 @@ export function normalizeRegisteredProvider(params: {
   });
   const docsPath = normalizeText(params.provider.docsPath);
   const aliases = normalizeTextList(params.provider.aliases);
+  const deprecatedProfileIds = normalizeTextList(params.provider.deprecatedProfileIds);
   const envVars = normalizeTextList(params.provider.envVars);
   const wizard = normalizeProviderWizard({
     providerId: id,
@@ -230,6 +291,7 @@ export function normalizeRegisteredProvider(params: {
     label: normalizeText(params.provider.label) ?? id,
     ...(docsPath ? { docsPath } : {}),
     ...(aliases ? { aliases } : {}),
+    ...(deprecatedProfileIds ? { deprecatedProfileIds } : {}),
     ...(envVars ? { envVars } : {}),
     auth,
     ...(catalog ? { catalog } : {}),
diff --git a/src/plugins/provider-wizard.test.ts b/src/plugins/provider-wizard.test.ts
index eff361ee1c9..d7b8348f9b2 100644
--- a/src/plugins/provider-wizard.test.ts
+++ b/src/plugins/provider-wizard.test.ts
@@ -61,6 +61,7 @@ describe("provider wizard boundaries", () => {
     ).toEqual({
       provider,
       method: provider.auth[0],
+      wizard: provider.wizard?.setup,
     });
   });
 
@@ -101,6 +102,41 @@ describe("provider wizard boundaries", () => {
     ).toEqual({
       provider,
       method: provider.auth[0],
+      wizard: provider.auth[0]?.wizard,
+    });
+  });
+
+  it("returns method wizard metadata for canonical choices", () => {
+    const provider = makeProvider({
+      id: "anthropic",
+      label: "Anthropic",
+      auth: [
+        {
+          id: "setup-token",
+          label: "setup-token",
+          kind: "token",
+          wizard: {
+            choiceId: "token",
+            modelAllowlist: {
+              allowedKeys: ["anthropic/claude-sonnet-4-6"],
+              initialSelections: ["anthropic/claude-sonnet-4-6"],
+              message: "Anthropic OAuth models",
+            },
+          },
+          run: vi.fn(),
+        },
+      ],
+    });
+
+    expect(
+      resolveProviderPluginChoice({
+        providers: [provider],
+        choice: "token",
+      }),
+    ).toEqual({
+      provider,
+      method: provider.auth[0],
+      wizard: provider.auth[0]?.wizard,
     });
   });
 
diff --git a/src/plugins/provider-wizard.ts b/src/plugins/provider-wizard.ts
index cbe90178056..0b95a07f2b5 100644
--- a/src/plugins/provider-wizard.ts
+++ b/src/plugins/provider-wizard.ts
@@ -190,7 +190,11 @@ export function resolveProviderModelPickerEntries(params: {
 export function resolveProviderPluginChoice(params: {
   providers: ProviderPlugin[];
   choice: string;
-}): { provider: ProviderPlugin; method: ProviderAuthMethod } | null {
+}): {
+  provider: ProviderPlugin;
+  method: ProviderAuthMethod;
+  wizard?: ProviderPluginWizardSetup;
+} | null {
   const choice = params.choice.trim();
   if (!choice) {
     return null;
@@ -216,7 +220,7 @@ export function resolveProviderPluginChoice(params: {
       const choiceId =
         wizard.choiceId?.trim() || buildProviderPluginMethodChoice(provider.id, method.id);
       if (normalizeChoiceId(choiceId) === choice) {
-        return { provider, method };
+        return { provider, method, wizard };
       }
     }
     const setup = provider.wizard?.setup;
@@ -225,7 +229,7 @@ export function resolveProviderPluginChoice(params: {
       if (normalizeChoiceId(setupChoiceId) === choice) {
         const method = resolveMethodById(provider, setup.methodId);
         if (method) {
-          return { provider, method };
+          return { provider, method, wizard: setup };
         }
       }
     }
diff --git a/src/plugins/types.ts b/src/plugins/types.ts
index f533b1b80a1..6dc5788b9eb 100644
--- a/src/plugins/types.ts
+++ b/src/plugins/types.ts
@@ -553,6 +553,18 @@ export type ProviderPluginWizardSetup = {
   groupLabel?: string;
   groupHint?: string;
   methodId?: string;
+  /**
+   * Optional model-allowlist prompt policy applied after this auth choice is
+   * selected in configure/onboarding flows.
+   *
+   * Keep this UI-facing and static. Provider logic that needs runtime state
+   * should stay in `run`/`runNonInteractive`.
+   */
+  modelAllowlist?: {
+    allowedKeys?: string[];
+    initialSelections?: string[];
+    message?: string;
+  };
 };
 
 export type ProviderPluginWizardModelPicker = {
@@ -773,6 +785,14 @@ export type ProviderPlugin = {
    * bearer token (for example Gemini CLI's `{ token, projectId }` payload).
    */
   formatApiKey?: (cred: AuthProfileCredential) => string;
+  /**
+   * Legacy auth-profile ids that should be retired by `openclaw doctor`.
+   *
+   * Use this when a provider plugin replaces an older core-managed profile id
+   * and wants cleanup/migration messaging to live with the provider instead of
+   * in hardcoded doctor tables.
+   */
+  deprecatedProfileIds?: string[];
   /**
    * Provider-owned OAuth refresh.
    *

From aa97368f7d6f5ed1e805ec739b13871b6008226f Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Sun, 15 Mar 2026 23:02:36 -0700
Subject: [PATCH 031/133] test: add openshell sandbox e2e smoke

---
 docs/help/testing.md               |  19 +-
 package.json                       |   1 +
 test/openshell-sandbox.e2e.test.ts | 585 +++++++++++++++++++++++++++++
 3 files changed, 604 insertions(+), 1 deletion(-)
 create mode 100644 test/openshell-sandbox.e2e.test.ts

diff --git a/docs/help/testing.md b/docs/help/testing.md
index b2057e8a1da..9fa1404a8d4 100644
--- a/docs/help/testing.md
+++ b/docs/help/testing.md
@@ -61,7 +61,7 @@ Think of the suites as “increasing realism” (and increasing flakiness/cost):
 
 - Command: `pnpm test:e2e`
 - Config: `vitest.e2e.config.ts`
-- Files: `src/**/*.e2e.test.ts`
+- Files: `src/**/*.e2e.test.ts`, `test/**/*.e2e.test.ts`
 - Runtime defaults:
   - Uses Vitest `vmForks` for faster file startup.
   - Uses adaptive workers (CI: 2-4, local: 4-8).
@@ -77,6 +77,23 @@ Think of the suites as “increasing realism” (and increasing flakiness/cost):
   - No real keys required
   - More moving parts than unit tests (can be slower)
 
+### E2E: OpenShell backend smoke
+
+- Command: `pnpm test:e2e:openshell`
+- File: `test/openshell-sandbox.e2e.test.ts`
+- Scope:
+  - Starts an isolated OpenShell gateway on the host via Docker
+  - Creates a sandbox from a temporary local Dockerfile
+  - Exercises OpenClaw's OpenShell backend over real `sandbox ssh-config` + SSH exec
+  - Verifies remote-canonical filesystem behavior through the sandbox fs bridge
+- Expectations:
+  - Opt-in only; not part of the default `pnpm test:e2e` run
+  - Requires a local `openshell` CLI plus a working Docker daemon
+  - Uses isolated `HOME` / `XDG_CONFIG_HOME`, then destroys the test gateway and sandbox
+- Useful overrides:
+  - `OPENCLAW_E2E_OPENSHELL=1` to enable the test when running the broader e2e suite manually
+  - `OPENCLAW_E2E_OPENSHELL_COMMAND=/path/to/openshell` to point at a non-default CLI binary or wrapper script
+
 ### Live (real providers + real models)
 
 - Command: `pnpm test:live`
diff --git a/package.json b/package.json
index 6aa553f5302..124975e63d1 100644
--- a/package.json
+++ b/package.json
@@ -319,6 +319,7 @@
     "test:docker:plugins": "bash scripts/e2e/plugins-docker.sh",
     "test:docker:qr": "bash scripts/e2e/qr-import-docker.sh",
     "test:e2e": "vitest run --config vitest.e2e.config.ts",
+    "test:e2e:openshell": "OPENCLAW_E2E_OPENSHELL=1 vitest run --config vitest.e2e.config.ts test/openshell-sandbox.e2e.test.ts",
     "test:extensions": "vitest run --config vitest.extensions.config.ts",
     "test:fast": "vitest run --config vitest.unit.config.ts",
     "test:force": "node --import tsx scripts/test-force.ts",
diff --git a/test/openshell-sandbox.e2e.test.ts b/test/openshell-sandbox.e2e.test.ts
new file mode 100644
index 00000000000..21824db38ee
--- /dev/null
+++ b/test/openshell-sandbox.e2e.test.ts
@@ -0,0 +1,585 @@
+import { spawn } from "node:child_process";
+import fs from "node:fs/promises";
+import net from "node:net";
+import os from "node:os";
+import path from "node:path";
+import { describe, expect, it } from "vitest";
+import { createOpenShellSandboxBackendFactory } from "../extensions/openshell/src/backend.js";
+import { resolveOpenShellPluginConfig } from "../extensions/openshell/src/config.js";
+import { createSandboxTestContext } from "../src/agents/sandbox/test-fixtures.js";
+
+const OPENCLAW_OPENSHELL_E2E = process.env.OPENCLAW_E2E_OPENSHELL === "1";
+const OPENCLAW_OPENSHELL_E2E_TIMEOUT_MS = 12 * 60_000;
+const OPENCLAW_OPENSHELL_COMMAND =
+  process.env.OPENCLAW_E2E_OPENSHELL_COMMAND?.trim() || "openshell";
+
+const CUSTOM_IMAGE_DOCKERFILE = `FROM python:3.13-slim
+
+RUN apt-get update && apt-get install -y --no-install-recommends \\
+    coreutils \\
+    curl \\
+    findutils \\
+    iproute2 \\
+  && rm -rf /var/lib/apt/lists/*
+
+RUN groupadd -g 1000 sandbox && \\
+    useradd -m -u 1000 -g sandbox sandbox
+
+RUN echo "openclaw-openshell-e2e" > /opt/openshell-e2e-marker.txt
+
+WORKDIR /sandbox
+CMD ["sleep", "infinity"]
+`;
+
+type ExecResult = {
+  code: number;
+  stdout: string;
+  stderr: string;
+};
+
+type HostPolicyServer = {
+  port: number;
+  close(): Promise<void>;
+};
+
+async function runCommand(params: {
+  command: string;
+  args: string[];
+  cwd?: string;
+  env?: NodeJS.ProcessEnv;
+  stdin?: string | Buffer;
+  allowFailure?: boolean;
+  timeoutMs?: number;
+}): Promise<ExecResult> {
+  return await new Promise((resolve, reject) => {
+    const child = spawn(params.command, params.args, {
+      cwd: params.cwd,
+      env: params.env,
+      stdio: ["pipe", "pipe", "pipe"],
+    });
+    const stdoutChunks: Buffer[] = [];
+    const stderrChunks: Buffer[] = [];
+    let timedOut = false;
+    const timeout =
+      params.timeoutMs && params.timeoutMs > 0
+        ? setTimeout(() => {
+            timedOut = true;
+            child.kill("SIGKILL");
+          }, params.timeoutMs)
+        : null;
+
+    child.stdout.on("data", (chunk) => stdoutChunks.push(Buffer.from(chunk)));
+    child.stderr.on("data", (chunk) => stderrChunks.push(Buffer.from(chunk)));
+    child.on("error", reject);
+    child.on("close", (code) => {
+      if (timeout) {
+        clearTimeout(timeout);
+      }
+      const stdout = Buffer.concat(stdoutChunks).toString("utf8");
+      const stderr = Buffer.concat(stderrChunks).toString("utf8");
+      if (timedOut) {
+        reject(new Error(`command timed out: ${params.command} ${params.args.join(" ")}`));
+        return;
+      }
+      const exitCode = code ?? 0;
+      if (exitCode !== 0 && !params.allowFailure) {
+        reject(
+          new Error(
+            [
+              `command failed: ${params.command} ${params.args.join(" ")}`,
+              `exit: ${exitCode}`,
+              stdout.trim() ? `stdout:\n${stdout}` : "",
+              stderr.trim() ? `stderr:\n${stderr}` : "",
+            ]
+              .filter(Boolean)
+              .join("\n"),
+          ),
+        );
+        return;
+      }
+      resolve({ code: exitCode, stdout, stderr });
+    });
+
+    child.stdin.end(params.stdin);
+  });
+}
+
+async function commandAvailable(command: string): Promise<boolean> {
+  try {
+    const result = await runCommand({
+      command,
+      args: ["--help"],
+      allowFailure: true,
+      timeoutMs: 20_000,
+    });
+    return result.code === 0 || result.stdout.length > 0 || result.stderr.length > 0;
+  } catch {
+    return false;
+  }
+}
+
+async function dockerReady(): Promise<boolean> {
+  try {
+    const result = await runCommand({
+      command: "docker",
+      args: ["version"],
+      allowFailure: true,
+      timeoutMs: 20_000,
+    });
+    return result.code === 0;
+  } catch {
+    return false;
+  }
+}
+
+async function allocatePort(): Promise<number> {
+  return await new Promise((resolve, reject) => {
+    const server = net.createServer();
+    server.on("error", reject);
+    server.listen(0, "127.0.0.1", () => {
+      const address = server.address();
+      if (!address || typeof address === "string") {
+        server.close(() => reject(new Error("failed to allocate local port")));
+        return;
+      }
+      const { port } = address;
+      server.close((error) => {
+        if (error) {
+          reject(error);
+          return;
+        }
+        resolve(port);
+      });
+    });
+  });
+}
+
+function openshellEnv(rootDir: string): NodeJS.ProcessEnv {
+  const homeDir = path.join(rootDir, "home");
+  const xdgDir = path.join(rootDir, "xdg");
+  const cacheDir = path.join(rootDir, "xdg-cache");
+  return {
+    ...process.env,
+    HOME: homeDir,
+    XDG_CONFIG_HOME: xdgDir,
+    XDG_CACHE_HOME: cacheDir,
+  };
+}
+
+function trimTrailingNewline(value: string): string {
+  return value.replace(/\r?\n$/, "");
+}
+
+async function startHostPolicyServer(): Promise<HostPolicyServer> {
+  const port = await allocatePort();
+  const responseBody = JSON.stringify({ ok: true, message: "hello-from-host" });
+  const serverScript = `from http.server import BaseHTTPRequestHandler, HTTPServer
+import os
+
+BODY = os.environ["RESPONSE_BODY"].encode()
+
+class Handler(BaseHTTPRequestHandler):
+    def do_GET(self):
+        self.send_response(200)
+        self.send_header("Content-Type", "application/json")
+        self.send_header("Content-Length", str(len(BODY)))
+        self.end_headers()
+        self.wfile.write(BODY)
+
+    def do_POST(self):
+        length = int(self.headers.get("Content-Length", "0"))
+        if length:
+            self.rfile.read(length)
+        self.send_response(200)
+        self.send_header("Content-Type", "application/json")
+        self.send_header("Content-Length", str(len(BODY)))
+        self.end_headers()
+        self.wfile.write(BODY)
+
+    def log_message(self, _format, *_args):
+        pass
+
+HTTPServer(("0.0.0.0", 8000), Handler).serve_forever()
+`;
+  const startResult = await runCommand({
+    command: "docker",
+    args: [
+      "run",
+      "--detach",
+      "--rm",
+      "-e",
+      `RESPONSE_BODY=${responseBody}`,
+      "-p",
+      `${port}:8000`,
+      "python:3.13-alpine",
+      "python3",
+      "-c",
+      serverScript,
+    ],
+    timeoutMs: 60_000,
+  });
+  const containerId = trimTrailingNewline(startResult.stdout.trim());
+  if (!containerId) {
+    throw new Error("failed to start docker-backed host policy server");
+  }
+
+  const startedAt = Date.now();
+  while (Date.now() - startedAt < 30_000) {
+    const readyResult = await runCommand({
+      command: "docker",
+      args: [
+        "exec",
+        containerId,
+        "python3",
+        "-c",
+        "import urllib.request; urllib.request.urlopen('http://127.0.0.1:8000', timeout=1).read()",
+      ],
+      allowFailure: true,
+      timeoutMs: 15_000,
+    });
+    if (readyResult.code === 0) {
+      return {
+        port,
+        async close() {
+          await runCommand({
+            command: "docker",
+            args: ["rm", "-f", containerId],
+            allowFailure: true,
+            timeoutMs: 30_000,
+          });
+        },
+      };
+    }
+    await new Promise((resolve) => setTimeout(resolve, 500));
+  }
+
+  await runCommand({
+    command: "docker",
+    args: ["rm", "-f", containerId],
+    allowFailure: true,
+    timeoutMs: 30_000,
+  });
+  throw new Error("docker-backed host policy server did not become ready");
+}
+
+function buildOpenShellPolicyYaml(params: { port: number; binaryPath: string }): string {
+  const networkPolicies = `  host_echo:
+    name: host-echo
+    endpoints:
+      - host: host.openshell.internal
+        port: ${params.port}
+        allowed_ips:
+          - "0.0.0.0/0"
+    binaries:
+      - path: ${params.binaryPath}`;
+  return `version: 1
+
+filesystem_policy:
+  include_workdir: true
+  read_only: [/usr, /lib, /proc, /dev/urandom, /app, /etc, /var/log]
+  read_write: [/sandbox, /tmp, /dev/null]
+
+landlock:
+  compatibility: best_effort
+
+process:
+  run_as_user: sandbox
+  run_as_group: sandbox
+
+network_policies:
+${networkPolicies}
+`;
+}
+
+async function runBackendExec(params: {
+  backend: Awaited<ReturnType<ReturnType<typeof createOpenShellSandboxBackendFactory>>>;
+  command: string;
+  allowFailure?: boolean;
+  timeoutMs?: number;
+}): Promise<ExecResult> {
+  const execSpec = await params.backend.buildExecSpec({
+    command: params.command,
+    env: {},
+    usePty: false,
+  });
+  let result: ExecResult | null = null;
+  try {
+    result = await runCommand({
+      command: execSpec.argv[0] ?? "ssh",
+      args: execSpec.argv.slice(1),
+      env: execSpec.env,
+      allowFailure: params.allowFailure,
+      timeoutMs: params.timeoutMs,
+    });
+    return result;
+  } finally {
+    await params.backend.finalizeExec?.({
+      status: result?.code === 0 ? "completed" : "failed",
+      exitCode: result?.code ?? 1,
+      timedOut: false,
+      token: execSpec.finalizeToken,
+    });
+  }
+}
+
+describe("openshell sandbox backend e2e", () => {
+  it.runIf(process.platform !== "win32" && OPENCLAW_OPENSHELL_E2E)(
+    "creates a remote-canonical sandbox through OpenShell and executes over SSH",
+    { timeout: OPENCLAW_OPENSHELL_E2E_TIMEOUT_MS },
+    async () => {
+      if (!(await dockerReady())) {
+        return;
+      }
+      if (!(await commandAvailable(OPENCLAW_OPENSHELL_COMMAND))) {
+        return;
+      }
+
+      const rootDir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-openshell-e2e-"));
+      const env = openshellEnv(rootDir);
+      const previousHome = process.env.HOME;
+      const previousXdgConfigHome = process.env.XDG_CONFIG_HOME;
+      const previousXdgCacheHome = process.env.XDG_CACHE_HOME;
+      const workspaceDir = path.join(rootDir, "workspace");
+      const dockerfileDir = path.join(rootDir, "custom-image");
+      const dockerfilePath = path.join(dockerfileDir, "Dockerfile");
+      const denyPolicyPath = path.join(rootDir, "deny-policy.yaml");
+      const allowPolicyPath = path.join(rootDir, "allow-policy.yaml");
+      const scopeSuffix = `${process.pid}-${Date.now()}`;
+      const gatewayName = `openclaw-e2e-${scopeSuffix}`;
+      const scopeKey = `session:openshell-e2e-deny:${scopeSuffix}`;
+      const allowSandboxName = `openclaw-policy-allow-${scopeSuffix}`;
+      const gatewayPort = await allocatePort();
+      let hostPolicyServer: HostPolicyServer | null = null;
+      const sandboxCfg = {
+        mode: "all" as const,
+        backend: "openshell" as const,
+        scope: "session" as const,
+        workspaceAccess: "rw" as const,
+        workspaceRoot: path.join(rootDir, "sandboxes"),
+        docker: {
+          image: "openclaw-sandbox:bookworm-slim",
+          containerPrefix: "openclaw-sbx-",
+          workdir: "/workspace",
+          readOnlyRoot: true,
+          tmpfs: ["/tmp"],
+          network: "none",
+          capDrop: ["ALL"],
+          env: {},
+        },
+        ssh: {
+          command: "ssh",
+          workspaceRoot: "/tmp/openclaw-sandboxes",
+          strictHostKeyChecking: true,
+          updateHostKeys: true,
+        },
+        browser: {
+          enabled: false,
+          image: "openclaw-browser",
+          containerPrefix: "openclaw-browser-",
+          network: "bridge",
+          cdpPort: 9222,
+          vncPort: 5900,
+          noVncPort: 6080,
+          headless: true,
+          enableNoVnc: false,
+          allowHostControl: false,
+          autoStart: false,
+          autoStartTimeoutMs: 1000,
+        },
+        tools: { allow: [], deny: [] },
+        prune: { idleHours: 24, maxAgeDays: 7 },
+      };
+
+      const pluginConfig = resolveOpenShellPluginConfig({
+        command: OPENCLAW_OPENSHELL_COMMAND,
+        gateway: gatewayName,
+        from: dockerfilePath,
+        mode: "remote",
+        autoProviders: false,
+        policy: denyPolicyPath,
+      });
+      const backendFactory = createOpenShellSandboxBackendFactory({ pluginConfig });
+      const backend = await backendFactory({
+        sessionKey: scopeKey,
+        scopeKey,
+        workspaceDir,
+        agentWorkspaceDir: workspaceDir,
+        cfg: sandboxCfg,
+      });
+
+      try {
+        process.env.HOME = env.HOME;
+        process.env.XDG_CONFIG_HOME = env.XDG_CONFIG_HOME;
+        process.env.XDG_CACHE_HOME = env.XDG_CACHE_HOME;
+        hostPolicyServer = await startHostPolicyServer();
+        if (!hostPolicyServer) {
+          throw new Error("failed to start host policy server");
+        }
+        await fs.mkdir(workspaceDir, { recursive: true });
+        await fs.mkdir(dockerfileDir, { recursive: true });
+        await fs.writeFile(path.join(workspaceDir, "seed.txt"), "seed-from-local\n", "utf8");
+        await fs.writeFile(dockerfilePath, CUSTOM_IMAGE_DOCKERFILE, "utf8");
+        await fs.writeFile(
+          denyPolicyPath,
+          buildOpenShellPolicyYaml({
+            port: hostPolicyServer.port,
+            binaryPath: "/usr/bin/false",
+          }),
+          "utf8",
+        );
+        await fs.writeFile(
+          allowPolicyPath,
+          buildOpenShellPolicyYaml({
+            port: hostPolicyServer.port,
+            binaryPath: "/**",
+          }),
+          "utf8",
+        );
+
+        await runCommand({
+          command: OPENCLAW_OPENSHELL_COMMAND,
+          args: [
+            "gateway",
+            "start",
+            "--name",
+            gatewayName,
+            "--port",
+            String(gatewayPort),
+            "--recreate",
+          ],
+          env,
+          timeoutMs: 8 * 60_000,
+        });
+
+        const execResult = await runBackendExec({
+          backend,
+          command: "pwd && cat /opt/openshell-e2e-marker.txt && cat seed.txt",
+          timeoutMs: 2 * 60_000,
+        });
+
+        expect(execResult.code).toBe(0);
+        const stdout = execResult.stdout.trim();
+        expect(stdout).toContain("/sandbox");
+        expect(stdout).toContain("openclaw-openshell-e2e");
+        expect(stdout).toContain("seed-from-local");
+
+        const curlPathResult = await runBackendExec({
+          backend,
+          command: "command -v curl",
+          timeoutMs: 60_000,
+        });
+        expect(trimTrailingNewline(curlPathResult.stdout.trim())).toMatch(/^\/.+\/curl$/);
+
+        const sandbox = createSandboxTestContext({
+          overrides: {
+            backendId: "openshell",
+            workspaceDir,
+            agentWorkspaceDir: workspaceDir,
+            runtimeId: backend.runtimeId,
+            runtimeLabel: backend.runtimeLabel,
+            containerName: backend.runtimeId,
+            containerWorkdir: backend.workdir,
+            backend,
+          },
+        });
+        const bridge = backend.createFsBridge?.({ sandbox });
+        if (!bridge) {
+          throw new Error("openshell backend did not create a filesystem bridge");
+        }
+
+        await bridge.writeFile({ filePath: "nested/remote-only.txt", data: "hello-remote\n" });
+        await expect(
+          fs.readFile(path.join(workspaceDir, "nested", "remote-only.txt"), "utf8"),
+        ).rejects.toThrow();
+        await expect(bridge.readFile({ filePath: "nested/remote-only.txt" })).resolves.toEqual(
+          Buffer.from("hello-remote\n"),
+        );
+
+        const verifyResult = await runCommand({
+          command: OPENCLAW_OPENSHELL_COMMAND,
+          args: ["sandbox", "ssh-config", backend.runtimeId],
+          env,
+          timeoutMs: 60_000,
+        });
+        expect(verifyResult.code).toBe(0);
+        expect(trimTrailingNewline(verifyResult.stdout)).toContain("Host ");
+
+        const blockedGetResult = await runBackendExec({
+          backend,
+          command: `curl --fail --silent --show-error --max-time 15 "http://host.openshell.internal:${hostPolicyServer.port}/policy-test"`,
+          allowFailure: true,
+          timeoutMs: 60_000,
+        });
+        expect(blockedGetResult.code).not.toBe(0);
+        expect(`${blockedGetResult.stdout}\n${blockedGetResult.stderr}`).toMatch(/403|deny/i);
+
+        const allowedGetResult = await runCommand({
+          command: OPENCLAW_OPENSHELL_COMMAND,
+          args: [
+            "sandbox",
+            "create",
+            "--name",
+            allowSandboxName,
+            "--from",
+            dockerfilePath,
+            "--policy",
+            allowPolicyPath,
+            "--no-auto-providers",
+            "--no-keep",
+            "--",
+            "curl",
+            "--fail",
+            "--silent",
+            "--show-error",
+            "--max-time",
+            "15",
+            `http://host.openshell.internal:${hostPolicyServer.port}/policy-test`,
+          ],
+          env,
+          timeoutMs: 60_000,
+        });
+        expect(allowedGetResult.code).toBe(0);
+        expect(allowedGetResult.stdout).toContain('"message":"hello-from-host"');
+      } finally {
+        await runCommand({
+          command: OPENCLAW_OPENSHELL_COMMAND,
+          args: ["sandbox", "delete", backend.runtimeId],
+          env,
+          allowFailure: true,
+          timeoutMs: 2 * 60_000,
+        });
+        await runCommand({
+          command: OPENCLAW_OPENSHELL_COMMAND,
+          args: ["sandbox", "delete", allowSandboxName],
+          env,
+          allowFailure: true,
+          timeoutMs: 2 * 60_000,
+        });
+        await runCommand({
+          command: OPENCLAW_OPENSHELL_COMMAND,
+          args: ["gateway", "destroy", "--name", gatewayName],
+          env,
+          allowFailure: true,
+          timeoutMs: 3 * 60_000,
+        });
+        await hostPolicyServer?.close().catch(() => {});
+        await fs.rm(rootDir, { recursive: true, force: true });
+        if (previousHome === undefined) {
+          delete process.env.HOME;
+        } else {
+          process.env.HOME = previousHome;
+        }
+        if (previousXdgConfigHome === undefined) {
+          delete process.env.XDG_CONFIG_HOME;
+        } else {
+          process.env.XDG_CONFIG_HOME = previousXdgConfigHome;
+        }
+        if (previousXdgCacheHome === undefined) {
+          delete process.env.XDG_CACHE_HOME;
+        } else {
+          process.env.XDG_CACHE_HOME = previousXdgCacheHome;
+        }
+      }
+    },
+  );
+});

From fa62231afca31a614d2494a4148e08b130a1601a Mon Sep 17 00:00:00 2001
From: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
Date: Mon, 16 Mar 2026 01:07:09 -0500
Subject: [PATCH 032/133] feishu: add structured card actions and interactive
 approval flows (#47873)

* feishu: add structured card actions and interactive approval flows

* feishu: address review fixes and test-gate regressions

* feishu: hold inflight card dedup until completion

* feishu: restore fire-and-forget bot menu handling

* feishu: format card interaction helpers

* Feishu: add changelog entry for card interactions

* Feishu: add changelog entry for ACP session binding
---
 CHANGELOG.md                                  |   2 +
 extensions/feishu/src/bot.card-action.test.ts | 344 +++++++++++++++++-
 extensions/feishu/src/card-action.ts          | 313 +++++++++++++---
 .../feishu/src/card-interaction.test.ts       | 129 +++++++
 extensions/feishu/src/card-interaction.ts     | 168 +++++++++
 extensions/feishu/src/card-ux-approval.ts     |  65 ++++
 .../feishu/src/card-ux-launcher.test.ts       |  98 +++++
 extensions/feishu/src/card-ux-launcher.ts     | 120 ++++++
 extensions/feishu/src/card-ux-shared.ts       |  33 ++
 extensions/feishu/src/monitor.account.ts      |  27 +-
 .../feishu/src/monitor.bot-menu.test.ts       | 229 ++++++++++++
 src/security/audit.ts                         |   9 +-
 12 files changed, 1485 insertions(+), 52 deletions(-)
 create mode 100644 extensions/feishu/src/card-interaction.test.ts
 create mode 100644 extensions/feishu/src/card-interaction.ts
 create mode 100644 extensions/feishu/src/card-ux-approval.ts
 create mode 100644 extensions/feishu/src/card-ux-launcher.test.ts
 create mode 100644 extensions/feishu/src/card-ux-launcher.ts
 create mode 100644 extensions/feishu/src/card-ux-shared.ts
 create mode 100644 extensions/feishu/src/monitor.bot-menu.test.ts

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4aaf84db974..ddfb252fc71 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -24,6 +24,8 @@ Docs: https://docs.openclaw.ai
 - secrets: harden read-only SecretRef command paths and diagnostics. (#47794) Thanks @joshavant.
 - Sandbox/runtime: add pluggable sandbox backends, ship an OpenShell backend with `mirror` and `remote` workspace modes, and make sandbox list/recreate/prune backend-aware instead of Docker-only.
 - Sandbox/SSH: add a core SSH sandbox backend with secret-backed key, certificate, and known_hosts inputs, move shared remote exec/filesystem tooling into core, and keep OpenShell focused on sandbox lifecycle plus optional `mirror` mode.
+- Feishu/cards: add structured interactive approval and quick-action launcher cards, preserve callback user and conversation context through routing, and keep legacy card-action fallback behavior so common actions can run without typing raw commands. (#47873)
+- Feishu/ACP: add current-conversation ACP and subagent session binding for supported DMs and topic conversations, including completion delivery back to the originating Feishu conversation. (#46819)
 
 ### Fixes
 
diff --git a/extensions/feishu/src/bot.card-action.test.ts b/extensions/feishu/src/bot.card-action.test.ts
index 90967b593bd..2df1ce361a1 100644
--- a/extensions/feishu/src/bot.card-action.test.ts
+++ b/extensions/feishu/src/bot.card-action.test.ts
@@ -1,5 +1,15 @@
-import { describe, it, expect, vi } from "vitest";
-import { handleFeishuCardAction, type FeishuCardActionEvent } from "./card-action.js";
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import {
+  handleFeishuCardAction,
+  resetProcessedFeishuCardActionTokensForTests,
+  type FeishuCardActionEvent,
+} from "./card-action.js";
+import { createFeishuCardInteractionEnvelope } from "./card-interaction.js";
+import {
+  FEISHU_APPROVAL_CANCEL_ACTION,
+  FEISHU_APPROVAL_CONFIRM_ACTION,
+  FEISHU_APPROVAL_REQUEST_ACTION,
+} from "./card-ux-approval.js";
 
 // Mock resolveFeishuAccount
 vi.mock("./accounts.js", () => ({
@@ -11,12 +21,25 @@ vi.mock("./bot.js", () => ({
   handleFeishuMessage: vi.fn(),
 }));
 
+const sendCardFeishuMock = vi.hoisted(() => vi.fn());
+const sendMessageFeishuMock = vi.hoisted(() => vi.fn());
+
+vi.mock("./send.js", () => ({
+  sendCardFeishu: sendCardFeishuMock,
+  sendMessageFeishu: sendMessageFeishuMock,
+}));
+
 import { handleFeishuMessage } from "./bot.js";
 
 describe("Feishu Card Action Handler", () => {
   const cfg = {} as any; // Minimal mock
   const runtime = { log: vi.fn(), error: vi.fn() } as any;
 
+  beforeEach(() => {
+    vi.clearAllMocks();
+    resetProcessedFeishuCardActionTokensForTests();
+  });
+
   it("handles card action with text payload", async () => {
     const event: FeishuCardActionEvent = {
       operator: { open_id: "u123", user_id: "uid1", union_id: "un1" },
@@ -60,4 +83,321 @@ describe("Feishu Card Action Handler", () => {
       }),
     );
   });
+
+  it("routes quick command actions with operator and conversation context", async () => {
+    const event: FeishuCardActionEvent = {
+      operator: { open_id: "u123", user_id: "uid1", union_id: "un1" },
+      token: "tok3",
+      action: {
+        value: createFeishuCardInteractionEnvelope({
+          k: "quick",
+          a: "feishu.quick_actions.help",
+          q: "/help",
+          c: { u: "u123", h: "chat1", t: "group", e: Date.now() + 60_000 },
+        }),
+        tag: "button",
+      },
+      context: { open_id: "u123", user_id: "uid1", chat_id: "chat1" },
+    };
+
+    await handleFeishuCardAction({ cfg, event, runtime });
+
+    expect(handleFeishuMessage).toHaveBeenCalledWith(
+      expect.objectContaining({
+        event: expect.objectContaining({
+          sender: expect.objectContaining({
+            sender_id: expect.objectContaining({
+              open_id: "u123",
+              user_id: "uid1",
+              union_id: "un1",
+            }),
+          }),
+          message: expect.objectContaining({
+            chat_id: "chat1",
+            content: '{"text":"/help"}',
+          }),
+        }),
+      }),
+    );
+  });
+
+  it("opens an approval card for metadata actions", async () => {
+    const event: FeishuCardActionEvent = {
+      operator: { open_id: "u123", user_id: "uid1", union_id: "un1" },
+      token: "tok4",
+      action: {
+        value: createFeishuCardInteractionEnvelope({
+          k: "meta",
+          a: FEISHU_APPROVAL_REQUEST_ACTION,
+          m: {
+            command: "/new",
+            prompt: "Start a fresh session?",
+          },
+          c: {
+            u: "u123",
+            h: "chat1",
+            t: "group",
+            s: "agent:codex:feishu:chat:chat1",
+            e: Date.now() + 60_000,
+          },
+        }),
+        tag: "button",
+      },
+      context: { open_id: "u123", user_id: "uid1", chat_id: "chat1" },
+    };
+
+    await handleFeishuCardAction({ cfg, event, runtime, accountId: "main" });
+
+    expect(sendCardFeishuMock).toHaveBeenCalledWith(
+      expect.objectContaining({
+        to: "chat:chat1",
+        accountId: "main",
+        card: expect.objectContaining({
+          header: expect.objectContaining({
+            title: expect.objectContaining({ content: "Confirm action" }),
+          }),
+          body: expect.objectContaining({
+            elements: expect.arrayContaining([
+              expect.objectContaining({
+                tag: "action",
+                actions: expect.arrayContaining([
+                  expect.objectContaining({
+                    value: expect.objectContaining({
+                      c: expect.objectContaining({
+                        u: "u123",
+                        h: "chat1",
+                        t: "group",
+                        s: "agent:codex:feishu:chat:chat1",
+                      }),
+                    }),
+                  }),
+                ]),
+              }),
+            ]),
+          }),
+        }),
+      }),
+    );
+    expect(handleFeishuMessage).not.toHaveBeenCalled();
+  });
+
+  it("runs approval confirmation through the normal message path", async () => {
+    const event: FeishuCardActionEvent = {
+      operator: { open_id: "u123", user_id: "uid1", union_id: "un1" },
+      token: "tok5",
+      action: {
+        value: createFeishuCardInteractionEnvelope({
+          k: "quick",
+          a: FEISHU_APPROVAL_CONFIRM_ACTION,
+          q: "/new",
+          c: { u: "u123", h: "chat1", t: "group", e: Date.now() + 60_000 },
+        }),
+        tag: "button",
+      },
+      context: { open_id: "u123", user_id: "uid1", chat_id: "chat1" },
+    };
+
+    await handleFeishuCardAction({ cfg, event, runtime });
+
+    expect(handleFeishuMessage).toHaveBeenCalledWith(
+      expect.objectContaining({
+        event: expect.objectContaining({
+          message: expect.objectContaining({
+            content: '{"text":"/new"}',
+          }),
+        }),
+      }),
+    );
+  });
+
+  it("safely rejects stale structured actions", async () => {
+    const event: FeishuCardActionEvent = {
+      operator: { open_id: "u123", user_id: "uid1", union_id: "un1" },
+      token: "tok6",
+      action: {
+        value: createFeishuCardInteractionEnvelope({
+          k: "quick",
+          a: "feishu.quick_actions.help",
+          q: "/help",
+          c: { u: "u123", h: "chat1", t: "group", e: Date.now() - 1 },
+        }),
+        tag: "button",
+      },
+      context: { open_id: "u123", user_id: "uid1", chat_id: "chat1" },
+    };
+
+    await handleFeishuCardAction({ cfg, event, runtime });
+
+    expect(sendMessageFeishuMock).toHaveBeenCalledWith(
+      expect.objectContaining({
+        to: "chat:chat1",
+        text: expect.stringContaining("expired"),
+      }),
+    );
+    expect(handleFeishuMessage).not.toHaveBeenCalled();
+  });
+
+  it("safely rejects wrong-user structured actions", async () => {
+    const event: FeishuCardActionEvent = {
+      operator: { open_id: "u999", user_id: "uid1", union_id: "un1" },
+      token: "tok7",
+      action: {
+        value: createFeishuCardInteractionEnvelope({
+          k: "quick",
+          a: "feishu.quick_actions.help",
+          q: "/help",
+          c: { u: "u123", h: "chat1", t: "group", e: Date.now() + 60_000 },
+        }),
+        tag: "button",
+      },
+      context: { open_id: "u999", user_id: "uid1", chat_id: "chat1" },
+    };
+
+    await handleFeishuCardAction({ cfg, event, runtime });
+
+    expect(sendMessageFeishuMock).toHaveBeenCalledWith(
+      expect.objectContaining({
+        text: expect.stringContaining("different user"),
+      }),
+    );
+    expect(handleFeishuMessage).not.toHaveBeenCalled();
+  });
+
+  it("sends a lightweight cancellation notice", async () => {
+    const event: FeishuCardActionEvent = {
+      operator: { open_id: "u123", user_id: "uid1", union_id: "un1" },
+      token: "tok8",
+      action: {
+        value: createFeishuCardInteractionEnvelope({
+          k: "button",
+          a: FEISHU_APPROVAL_CANCEL_ACTION,
+          c: { u: "u123", h: "chat1", t: "group", e: Date.now() + 60_000 },
+        }),
+        tag: "button",
+      },
+      context: { open_id: "u123", user_id: "uid1", chat_id: "chat1" },
+    };
+
+    await handleFeishuCardAction({ cfg, event, runtime });
+
+    expect(sendMessageFeishuMock).toHaveBeenCalledWith(
+      expect.objectContaining({
+        to: "chat:chat1",
+        text: "Cancelled.",
+      }),
+    );
+  });
+
+  it("preserves p2p callbacks for DM quick actions", async () => {
+    const event: FeishuCardActionEvent = {
+      operator: { open_id: "u123", user_id: "uid1", union_id: "un1" },
+      token: "tok9",
+      action: {
+        value: createFeishuCardInteractionEnvelope({
+          k: "quick",
+          a: "feishu.quick_actions.help",
+          q: "/help",
+          c: { u: "u123", h: "p2p-chat-1", t: "p2p", e: Date.now() + 60_000 },
+        }),
+        tag: "button",
+      },
+      context: { open_id: "u123", user_id: "uid1", chat_id: "p2p-chat-1" },
+    };
+
+    await handleFeishuCardAction({ cfg, event, runtime });
+
+    expect(handleFeishuMessage).toHaveBeenCalledWith(
+      expect.objectContaining({
+        event: expect.objectContaining({
+          message: expect.objectContaining({
+            chat_id: "p2p-chat-1",
+            chat_type: "p2p",
+          }),
+        }),
+      }),
+    );
+  });
+
+  it("drops duplicate structured callback tokens", async () => {
+    const event: FeishuCardActionEvent = {
+      operator: { open_id: "u123", user_id: "uid1", union_id: "un1" },
+      token: "tok10",
+      action: {
+        value: createFeishuCardInteractionEnvelope({
+          k: "quick",
+          a: "feishu.quick_actions.help",
+          q: "/help",
+          c: { u: "u123", h: "chat1", t: "group", e: Date.now() + 60_000 },
+        }),
+        tag: "button",
+      },
+      context: { open_id: "u123", user_id: "uid1", chat_id: "chat1" },
+    };
+
+    await handleFeishuCardAction({ cfg, event, runtime });
+    await handleFeishuCardAction({ cfg, event, runtime });
+
+    expect(handleFeishuMessage).toHaveBeenCalledTimes(1);
+  });
+
+  it("releases a claimed token when dispatch fails so retries can succeed", async () => {
+    const event: FeishuCardActionEvent = {
+      operator: { open_id: "u123", user_id: "uid1", union_id: "un1" },
+      token: "tok11",
+      action: {
+        value: createFeishuCardInteractionEnvelope({
+          k: "quick",
+          a: "feishu.quick_actions.help",
+          q: "/help",
+          c: { u: "u123", h: "chat1", t: "group", e: Date.now() + 60_000 },
+        }),
+        tag: "button",
+      },
+      context: { open_id: "u123", user_id: "uid1", chat_id: "chat1" },
+    };
+    vi.mocked(handleFeishuMessage)
+      .mockRejectedValueOnce(new Error("transient"))
+      .mockResolvedValueOnce(undefined as never);
+
+    await expect(handleFeishuCardAction({ cfg, event, runtime })).rejects.toThrow("transient");
+    await handleFeishuCardAction({ cfg, event, runtime });
+
+    expect(handleFeishuMessage).toHaveBeenCalledTimes(2);
+  });
+
+  it("keeps an in-flight token claimed while a slow dispatch is still running", async () => {
+    vi.useFakeTimers();
+    const event: FeishuCardActionEvent = {
+      operator: { open_id: "u123", user_id: "uid1", union_id: "un1" },
+      token: "tok12",
+      action: {
+        value: createFeishuCardInteractionEnvelope({
+          k: "quick",
+          a: "feishu.quick_actions.help",
+          q: "/help",
+          c: { u: "u123", h: "chat1", t: "group", e: Date.now() + 60_000 },
+        }),
+        tag: "button",
+      },
+      context: { open_id: "u123", user_id: "uid1", chat_id: "chat1" },
+    };
+
+    let resolveDispatch: (() => void) | undefined;
+    vi.mocked(handleFeishuMessage).mockImplementation(
+      () =>
+        new Promise<void>((resolve) => {
+          resolveDispatch = resolve;
+        }) as never,
+    );
+
+    const first = handleFeishuCardAction({ cfg, event, runtime });
+    await vi.advanceTimersByTimeAsync(61_000);
+    await handleFeishuCardAction({ cfg, event, runtime });
+
+    expect(handleFeishuMessage).toHaveBeenCalledTimes(1);
+
+    resolveDispatch?.();
+    await first;
+    vi.useRealTimers();
+  });
 });
diff --git a/extensions/feishu/src/card-action.ts b/extensions/feishu/src/card-action.ts
index e4f76846316..d664b8d6af2 100644
--- a/extensions/feishu/src/card-action.ts
+++ b/extensions/feishu/src/card-action.ts
@@ -1,6 +1,14 @@
 import type { ClawdbotConfig, RuntimeEnv } from "openclaw/plugin-sdk/feishu";
 import { resolveFeishuAccount } from "./accounts.js";
 import { handleFeishuMessage, type FeishuMessageEvent } from "./bot.js";
+import { decodeFeishuCardAction, buildFeishuCardActionTextFallback } from "./card-interaction.js";
+import {
+  createApprovalCard,
+  FEISHU_APPROVAL_CANCEL_ACTION,
+  FEISHU_APPROVAL_CONFIRM_ACTION,
+  FEISHU_APPROVAL_REQUEST_ACTION,
+} from "./card-ux-approval.js";
+import { sendCardFeishu, sendMessageFeishu } from "./send.js";
 
 export type FeishuCardActionEvent = {
   operator: {
@@ -20,18 +28,142 @@ export type FeishuCardActionEvent = {
   };
 };
 
-function buildCardActionTextFallback(event: FeishuCardActionEvent): string {
-  const actionValue = event.action.value;
-  if (typeof actionValue === "object" && actionValue !== null) {
-    if ("text" in actionValue && typeof actionValue.text === "string") {
-      return actionValue.text;
+const FEISHU_APPROVAL_CARD_TTL_MS = 5 * 60_000;
+const FEISHU_CARD_ACTION_TOKEN_TTL_MS = 15 * 60_000;
+const processedCardActionTokens = new Map<
+  string,
+  { status: "inflight" | "completed"; expiresAt: number }
+>();
+
+export function resetProcessedFeishuCardActionTokensForTests(): void {
+  processedCardActionTokens.clear();
+}
+
+function pruneProcessedCardActionTokens(now: number): void {
+  for (const [key, entry] of processedCardActionTokens.entries()) {
+    if (entry.expiresAt <= now) {
+      processedCardActionTokens.delete(key);
     }
-    if ("command" in actionValue && typeof actionValue.command === "string") {
-      return actionValue.command;
-    }
-    return JSON.stringify(actionValue);
   }
-  return String(actionValue);
+}
+
+function beginFeishuCardActionToken(params: {
+  token: string;
+  accountId: string;
+  now?: number;
+}): boolean {
+  const now = params.now ?? Date.now();
+  pruneProcessedCardActionTokens(now);
+  const normalizedToken = params.token.trim();
+  if (!normalizedToken) {
+    return true;
+  }
+  const key = `${params.accountId}:${normalizedToken}`;
+  const existing = processedCardActionTokens.get(key);
+  if (existing && existing.expiresAt > now) {
+    return false;
+  }
+  processedCardActionTokens.set(key, {
+    status: "inflight",
+    expiresAt: now + FEISHU_CARD_ACTION_TOKEN_TTL_MS,
+  });
+  return true;
+}
+
+function completeFeishuCardActionToken(params: {
+  token: string;
+  accountId: string;
+  now?: number;
+}): void {
+  const now = params.now ?? Date.now();
+  const normalizedToken = params.token.trim();
+  if (!normalizedToken) {
+    return;
+  }
+  processedCardActionTokens.set(`${params.accountId}:${normalizedToken}`, {
+    status: "completed",
+    expiresAt: now + FEISHU_CARD_ACTION_TOKEN_TTL_MS,
+  });
+}
+
+function releaseFeishuCardActionToken(params: { token: string; accountId: string }): void {
+  const normalizedToken = params.token.trim();
+  if (!normalizedToken) {
+    return;
+  }
+  processedCardActionTokens.delete(`${params.accountId}:${normalizedToken}`);
+}
+
+function buildSyntheticMessageEvent(
+  event: FeishuCardActionEvent,
+  content: string,
+  chatType?: "p2p" | "group",
+): FeishuMessageEvent {
+  return {
+    sender: {
+      sender_id: {
+        open_id: event.operator.open_id,
+        user_id: event.operator.user_id,
+        union_id: event.operator.union_id,
+      },
+    },
+    message: {
+      message_id: `card-action-${event.token}`,
+      chat_id: event.context.chat_id || event.operator.open_id,
+      chat_type: chatType ?? (event.context.chat_id ? "group" : "p2p"),
+      message_type: "text",
+      content: JSON.stringify({ text: content }),
+    },
+  };
+}
+
+function resolveCallbackTarget(event: FeishuCardActionEvent): string {
+  const chatId = event.context.chat_id?.trim();
+  if (chatId) {
+    return `chat:${chatId}`;
+  }
+  return `user:${event.operator.open_id}`;
+}
+
+async function dispatchSyntheticCommand(params: {
+  cfg: ClawdbotConfig;
+  event: FeishuCardActionEvent;
+  command: string;
+  botOpenId?: string;
+  runtime?: RuntimeEnv;
+  accountId?: string;
+  chatType?: "p2p" | "group";
+}): Promise<void> {
+  await handleFeishuMessage({
+    cfg: params.cfg,
+    event: buildSyntheticMessageEvent(params.event, params.command, params.chatType),
+    botOpenId: params.botOpenId,
+    runtime: params.runtime,
+    accountId: params.accountId,
+  });
+}
+
+async function sendInvalidInteractionNotice(params: {
+  cfg: ClawdbotConfig;
+  event: FeishuCardActionEvent;
+  reason: "malformed" | "stale" | "wrong_user" | "wrong_conversation";
+  accountId?: string;
+}): Promise<void> {
+  const reasonText =
+    params.reason === "stale"
+      ? "This card action has expired. Open a fresh launcher card and try again."
+      : params.reason === "wrong_user"
+        ? "This card action belongs to a different user."
+        : params.reason === "wrong_conversation"
+          ? "This card action belongs to a different conversation."
+          : "This card action payload is invalid.";
+
+  await sendMessageFeishu({
+    cfg: params.cfg,
+    to: resolveCallbackTarget(params.event),
+    text: `⚠️ ${reasonText}`,
+    accountId: params.accountId,
+  });
 }
 
 export async function handleFeishuCardAction(params: {
@@ -44,36 +176,135 @@ export async function handleFeishuCardAction(params: {
   const { cfg, event, runtime, accountId } = params;
   const account = resolveFeishuAccount({ cfg, accountId });
   const log = runtime?.log ?? console.log;
-  const content = buildCardActionTextFallback(event);
-
-  // Construct a synthetic message event
-  const messageEvent: FeishuMessageEvent = {
-    sender: {
-      sender_id: {
-        open_id: event.operator.open_id,
-        user_id: event.operator.user_id,
-        union_id: event.operator.union_id,
-      },
-    },
-    message: {
-      message_id: `card-action-${event.token}`,
-      chat_id: event.context.chat_id || event.operator.open_id,
-      chat_type: event.context.chat_id ? "group" : "p2p",
-      message_type: "text",
-      content: JSON.stringify({ text: content }),
-    },
-  };
-
-  log(
-    `feishu[${account.accountId}]: handling card action from ${event.operator.open_id}: ${content}`,
-  );
-
-  // Dispatch as normal message
-  await handleFeishuMessage({
-    cfg,
-    event: messageEvent,
-    botOpenId: params.botOpenId,
-    runtime,
-    accountId,
+  const decoded = decodeFeishuCardAction({ event });
+  const claimedToken = beginFeishuCardActionToken({
+    token: event.token,
+    accountId: account.accountId,
   });
+  if (!claimedToken) {
+    log(`feishu[${account.accountId}]: skipping duplicate card action token ${event.token}`);
+    return;
+  }
+
+  try {
+    if (decoded.kind === "invalid") {
+      log(
+        `feishu[${account.accountId}]: rejected card action from ${event.operator.open_id}: ${decoded.reason}`,
+      );
+      await sendInvalidInteractionNotice({
+        cfg,
+        event,
+        reason: decoded.reason,
+        accountId,
+      });
+      completeFeishuCardActionToken({ token: event.token, accountId: account.accountId });
+      return;
+    }
+
+    if (decoded.kind === "structured") {
+      const { envelope } = decoded;
+      log(
+        `feishu[${account.accountId}]: handling structured card action ${envelope.a} from ${event.operator.open_id}`,
+      );
+
+      if (envelope.a === FEISHU_APPROVAL_REQUEST_ACTION) {
+        const command = typeof envelope.m?.command === "string" ? envelope.m.command.trim() : "";
+        if (!command) {
+          await sendInvalidInteractionNotice({
+            cfg,
+            event,
+            reason: "malformed",
+            accountId,
+          });
+          completeFeishuCardActionToken({ token: event.token, accountId: account.accountId });
+          return;
+        }
+        const prompt =
+          typeof envelope.m?.prompt === "string" && envelope.m.prompt.trim()
+            ? envelope.m.prompt
+            : `Run \`${command}\` in this Feishu conversation?`;
+        await sendCardFeishu({
+          cfg,
+          to: resolveCallbackTarget(event),
+          card: createApprovalCard({
+            operatorOpenId: event.operator.open_id,
+            chatId: event.context.chat_id || undefined,
+            command,
+            prompt,
+            sessionKey: envelope.c?.s,
+            expiresAt: Date.now() + FEISHU_APPROVAL_CARD_TTL_MS,
+            chatType: envelope.c?.t ?? (event.context.chat_id ? "group" : "p2p"),
+            confirmLabel: command === "/reset" ? "Reset" : "Confirm",
+          }),
+          accountId,
+        });
+        completeFeishuCardActionToken({ token: event.token, accountId: account.accountId });
+        return;
+      }
+
+      if (envelope.a === FEISHU_APPROVAL_CANCEL_ACTION) {
+        await sendMessageFeishu({
+          cfg,
+          to: resolveCallbackTarget(event),
+          text: "Cancelled.",
+          accountId,
+        });
+        completeFeishuCardActionToken({ token: event.token, accountId: account.accountId });
+        return;
+      }
+
+      if (envelope.a === FEISHU_APPROVAL_CONFIRM_ACTION || envelope.k === "quick") {
+        const command = envelope.q?.trim();
+        if (!command) {
+          await sendInvalidInteractionNotice({
+            cfg,
+            event,
+            reason: "malformed",
+            accountId,
+          });
+          completeFeishuCardActionToken({ token: event.token, accountId: account.accountId });
+          return;
+        }
+        await dispatchSyntheticCommand({
+          cfg,
+          event,
+          command,
+          botOpenId: params.botOpenId,
+          runtime,
+          accountId,
+          chatType: envelope.c?.t ?? (event.context.chat_id ? "group" : "p2p"),
+        });
+        completeFeishuCardActionToken({ token: event.token, accountId: account.accountId });
+        return;
+      }
+
+      await sendInvalidInteractionNotice({
+        cfg,
+        event,
+        reason: "malformed",
+        accountId,
+      });
+      completeFeishuCardActionToken({ token: event.token, accountId: account.accountId });
+      return;
+    }
+
+    const content = buildFeishuCardActionTextFallback(event);
+
+    log(
+      `feishu[${account.accountId}]: handling card action from ${event.operator.open_id}: ${content}`,
+    );
+
+    await dispatchSyntheticCommand({
+      cfg,
+      event,
+      command: content,
+      botOpenId: params.botOpenId,
+      runtime,
+      accountId,
+    });
+    completeFeishuCardActionToken({ token: event.token, accountId: account.accountId });
+  } catch (err) {
+    releaseFeishuCardActionToken({ token: event.token, accountId: account.accountId });
+    throw err;
+  }
 }
diff --git a/extensions/feishu/src/card-interaction.test.ts b/extensions/feishu/src/card-interaction.test.ts
new file mode 100644
index 00000000000..58aee261162
--- /dev/null
+++ b/extensions/feishu/src/card-interaction.test.ts
@@ -0,0 +1,129 @@
+import { describe, expect, it } from "vitest";
+import {
+  buildFeishuCardActionTextFallback,
+  createFeishuCardInteractionEnvelope,
+  decodeFeishuCardAction,
+} from "./card-interaction.js";
+
+describe("feishu card interaction decoder", () => {
+  it("decodes valid structured payloads", () => {
+    const result = decodeFeishuCardAction({
+      now: 1_700_000_000_000,
+      event: {
+        operator: { open_id: "u123" },
+        context: { chat_id: "chat1" },
+        action: {
+          value: createFeishuCardInteractionEnvelope({
+            k: "quick",
+            a: "feishu.quick_actions.help",
+            q: "/help",
+            c: { u: "u123", h: "chat1", t: "group", e: 1_700_000_060_000 },
+          }),
+        },
+      },
+    });
+
+    expect(result).toEqual(
+      expect.objectContaining({
+        kind: "structured",
+        envelope: expect.objectContaining({
+          q: "/help",
+        }),
+      }),
+    );
+  });
+
+  it("falls back for legacy text-like payloads", () => {
+    const result = decodeFeishuCardAction({
+      event: {
+        operator: { open_id: "u123" },
+        context: { chat_id: "chat1" },
+        action: { value: { text: "/ping" } },
+      },
+    });
+
+    expect(result).toEqual({ kind: "legacy", text: "/ping" });
+    expect(
+      buildFeishuCardActionTextFallback({
+        operator: { open_id: "u123" },
+        context: { chat_id: "chat1" },
+        action: { value: { command: "/new" } },
+      }),
+    ).toBe("/new");
+  });
+
+  it("rejects malformed structured payloads", () => {
+    const result = decodeFeishuCardAction({
+      event: {
+        operator: { open_id: "u123" },
+        context: { chat_id: "chat1" },
+        action: {
+          value: {
+            oc: "ocf1",
+            k: "quick",
+            a: "broken",
+            m: { bad: { nested: true } },
+          },
+        },
+      },
+    });
+
+    expect(result).toEqual({ kind: "invalid", reason: "malformed" });
+  });
+
+  it("rejects stale payloads", () => {
+    const result = decodeFeishuCardAction({
+      now: 100,
+      event: {
+        operator: { open_id: "u123" },
+        context: { chat_id: "chat1" },
+        action: {
+          value: createFeishuCardInteractionEnvelope({
+            k: "button",
+            a: "stale",
+            c: { e: 99, t: "group" },
+          }),
+        },
+      },
+    });
+
+    expect(result).toEqual({ kind: "invalid", reason: "stale" });
+  });
+
+  it("rejects wrong-conversation payloads when chat context is enforced", () => {
+    const result = decodeFeishuCardAction({
+      event: {
+        operator: { open_id: "u123" },
+        context: { chat_id: "chat2" },
+        action: {
+          value: createFeishuCardInteractionEnvelope({
+            k: "button",
+            a: "scoped",
+            c: { u: "u123", h: "chat1", t: "group", e: Date.now() + 60_000 },
+          }),
+        },
+      },
+    });
+
+    expect(result).toEqual({ kind: "invalid", reason: "wrong_conversation" });
+  });
+
+  it("rejects malformed chat-type context", () => {
+    const result = decodeFeishuCardAction({
+      event: {
+        operator: { open_id: "u123" },
+        context: { chat_id: "chat1" },
+        action: {
+          value: {
+            oc: "ocf1",
+            k: "button",
+            a: "bad",
+            c: { t: "private" },
+          },
+        },
+      },
+    });
+
+    expect(result).toEqual({ kind: "invalid", reason: "malformed" });
+  });
+});
diff --git a/extensions/feishu/src/card-interaction.ts b/extensions/feishu/src/card-interaction.ts
new file mode 100644
index 00000000000..1da2df05baf
--- /dev/null
+++ b/extensions/feishu/src/card-interaction.ts
@@ -0,0 +1,168 @@
+export const FEISHU_CARD_INTERACTION_VERSION = "ocf1";
+
+export type FeishuCardInteractionKind = "button" | "quick" | "meta";
+export type FeishuCardInteractionReason =
+  | "malformed"
+  | "stale"
+  | "wrong_user"
+  | "wrong_conversation";
+
+export type FeishuCardInteractionMetadata = Record<
+  string,
+  string | number | boolean | null | undefined
+>;
+
+export type FeishuCardInteractionEnvelope = {
+  oc: typeof FEISHU_CARD_INTERACTION_VERSION;
+  k: FeishuCardInteractionKind;
+  a: string;
+  q?: string;
+  m?: FeishuCardInteractionMetadata;
+  c?: {
+    u?: string;
+    h?: string;
+    s?: string;
+    e?: number;
+    t?: "p2p" | "group";
+  };
+};
+
+export type FeishuCardActionEventLike = {
+  operator: {
+    open_id?: string;
+  };
+  action: {
+    value: unknown;
+  };
+  context: {
+    chat_id?: string;
+  };
+};
+
+export type DecodedFeishuCardAction =
+  | {
+      kind: "structured";
+      envelope: FeishuCardInteractionEnvelope;
+    }
+  | {
+      kind: "legacy";
+      text: string;
+    }
+  | {
+      kind: "invalid";
+      reason: FeishuCardInteractionReason;
+    };
+
+function isRecord(value: unknown): value is Record<string, unknown> {
+  return typeof value === "object" && value !== null;
+}
+
+function isInteractionKind(value: unknown): value is FeishuCardInteractionKind {
+  return value === "button" || value === "quick" || value === "meta";
+}
+
+function isMetadataValue(value: unknown): value is string | number | boolean | null | undefined {
+  return (
+    value === null ||
+    value === undefined ||
+    typeof value === "string" ||
+    typeof value === "number" ||
+    typeof value === "boolean"
+  );
+}
+
+export function createFeishuCardInteractionEnvelope(
+  envelope: Omit<FeishuCardInteractionEnvelope, "oc">,
+): FeishuCardInteractionEnvelope {
+  return {
+    oc: FEISHU_CARD_INTERACTION_VERSION,
+    ...envelope,
+  };
+}
+
+export function buildFeishuCardActionTextFallback(event: FeishuCardActionEventLike): string {
+  const actionValue = event.action.value;
+  if (isRecord(actionValue)) {
+    if (typeof actionValue.text === "string") {
+      return actionValue.text;
+    }
+    if (typeof actionValue.command === "string") {
+      return actionValue.command;
+    }
+    return JSON.stringify(actionValue);
+  }
+  return String(actionValue);
+}
+
+export function decodeFeishuCardAction(params: {
+  event: FeishuCardActionEventLike;
+  now?: number;
+}): DecodedFeishuCardAction {
+  const { event, now = Date.now() } = params;
+  const actionValue = event.action.value;
+  if (!isRecord(actionValue) || actionValue.oc !== FEISHU_CARD_INTERACTION_VERSION) {
+    return {
+      kind: "legacy",
+      text: buildFeishuCardActionTextFallback(event),
+    };
+  }
+
+  if (!isInteractionKind(actionValue.k) || typeof actionValue.a !== "string" || !actionValue.a) {
+    return { kind: "invalid", reason: "malformed" };
+  }
+
+  if (actionValue.q !== undefined && typeof actionValue.q !== "string") {
+    return { kind: "invalid", reason: "malformed" };
+  }
+
+  if (actionValue.m !== undefined) {
+    if (!isRecord(actionValue.m)) {
+      return { kind: "invalid", reason: "malformed" };
+    }
+    for (const value of Object.values(actionValue.m)) {
+      if (!isMetadataValue(value)) {
+        return { kind: "invalid", reason: "malformed" };
+      }
+    }
+  }
+
+  if (actionValue.c !== undefined) {
+    if (!isRecord(actionValue.c)) {
+      return { kind: "invalid", reason: "malformed" };
+    }
+    if (actionValue.c.u !== undefined && typeof actionValue.c.u !== "string") {
+      return { kind: "invalid", reason: "malformed" };
+    }
+    if (actionValue.c.h !== undefined && typeof actionValue.c.h !== "string") {
+      return { kind: "invalid", reason: "malformed" };
+    }
+    if (actionValue.c.s !== undefined && typeof actionValue.c.s !== "string") {
+      return { kind: "invalid", reason: "malformed" };
+    }
+    if (actionValue.c.e !== undefined && !Number.isFinite(actionValue.c.e)) {
+      return { kind: "invalid", reason: "malformed" };
+    }
+    if (actionValue.c.t !== undefined && actionValue.c.t !== "p2p" && actionValue.c.t !== "group") {
+      return { kind: "invalid", reason: "malformed" };
+    }
+
+    if (typeof actionValue.c.e === "number" && actionValue.c.e < now) {
+      return { kind: "invalid", reason: "stale" };
+    }
+
+    const expectedUser = actionValue.c.u?.trim();
+    if (expectedUser && expectedUser !== (event.operator.open_id ?? "").trim()) {
+      return { kind: "invalid", reason: "wrong_user" };
+    }
+
+    const expectedChat = actionValue.c.h?.trim();
+    if (expectedChat && expectedChat !== (event.context.chat_id ?? "").trim()) {
+      return { kind: "invalid", reason: "wrong_conversation" };
+    }
+  }
+
+  return {
+    kind: "structured",
+    envelope: actionValue as FeishuCardInteractionEnvelope,
+  };
+}
diff --git a/extensions/feishu/src/card-ux-approval.ts b/extensions/feishu/src/card-ux-approval.ts
new file mode 100644
index 00000000000..944ace931ea
--- /dev/null
+++ b/extensions/feishu/src/card-ux-approval.ts
@@ -0,0 +1,65 @@
+import { createFeishuCardInteractionEnvelope } from "./card-interaction.js";
+import { buildFeishuCardButton, buildFeishuCardInteractionContext } from "./card-ux-shared.js";
+
+export const FEISHU_APPROVAL_REQUEST_ACTION = "feishu.quick_actions.request_approval";
+export const FEISHU_APPROVAL_CONFIRM_ACTION = "feishu.approval.confirm";
+export const FEISHU_APPROVAL_CANCEL_ACTION = "feishu.approval.cancel";
+
+export function createApprovalCard(params: {
+  operatorOpenId: string;
+  chatId?: string;
+  command: string;
+  prompt: string;
+  expiresAt: number;
+  chatType?: "p2p" | "group";
+  sessionKey?: string;
+  confirmLabel?: string;
+  cancelLabel?: string;
+}): Record<string, unknown> {
+  const context = buildFeishuCardInteractionContext(params);
+
+  return {
+    schema: "2.0",
+    config: {
+      wide_screen_mode: true,
+    },
+    header: {
+      title: {
+        tag: "plain_text",
+        content: "Confirm action",
+      },
+      template: "orange",
+    },
+    body: {
+      elements: [
+        {
+          tag: "markdown",
+          content: params.prompt,
+        },
+        {
+          tag: "action",
+          actions: [
+            buildFeishuCardButton({
+              label: params.confirmLabel ?? "Confirm",
+              type: "primary",
+              value: createFeishuCardInteractionEnvelope({
+                k: "quick",
+                a: FEISHU_APPROVAL_CONFIRM_ACTION,
+                q: params.command,
+                c: context,
+              }),
+            }),
+            buildFeishuCardButton({
+              label: params.cancelLabel ?? "Cancel",
+              value: createFeishuCardInteractionEnvelope({
+                k: "button",
+                a: FEISHU_APPROVAL_CANCEL_ACTION,
+                c: context,
+              }),
+            }),
+          ],
+        },
+      ],
+    },
+  };
+}
diff --git a/extensions/feishu/src/card-ux-launcher.test.ts b/extensions/feishu/src/card-ux-launcher.test.ts
new file mode 100644
index 00000000000..6f9f7917daf
--- /dev/null
+++ b/extensions/feishu/src/card-ux-launcher.test.ts
@@ -0,0 +1,98 @@
+import { describe, expect, it, vi, beforeEach } from "vitest";
+import {
+  createQuickActionLauncherCard,
+  isFeishuQuickActionMenuEventKey,
+  maybeHandleFeishuQuickActionMenu,
+} from "./card-ux-launcher.js";
+
+const sendCardFeishuMock = vi.hoisted(() => vi.fn());
+
+vi.mock("./send.js", () => ({
+  sendCardFeishu: sendCardFeishuMock,
+}));
+
+describe("feishu quick-action launcher", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it("recognizes the quick-actions bot menu key", () => {
+    expect(isFeishuQuickActionMenuEventKey("quick-actions")).toBe(true);
+    expect(isFeishuQuickActionMenuEventKey("other")).toBe(false);
+  });
+
+  it("builds a launcher card with interactive actions", () => {
+    const card = createQuickActionLauncherCard({
+      operatorOpenId: "u123",
+      chatId: "chat1",
+      expiresAt: 123,
+      sessionKey: "agent:codex:feishu:chat:chat1",
+    }) as {
+      body: {
+        elements: Array<{
+          tag: string;
+          actions?: Array<{ value?: { oc?: string; c?: { s?: string; t?: string } } }>;
+        }>;
+      };
+    };
+
+    const actionBlock = card.body.elements.find((entry) => entry.tag === "action");
+    expect(actionBlock?.actions).toHaveLength(3);
+    expect(actionBlock?.actions?.[0]?.value?.oc).toBe("ocf1");
+    expect(actionBlock?.actions?.[0]?.value?.c?.s).toBe("agent:codex:feishu:chat:chat1");
+    expect(actionBlock?.actions?.[0]?.value?.c?.t).toBeUndefined();
+  });
+
+  it("opens the launcher from a supported bot menu event", async () => {
+    sendCardFeishuMock.mockResolvedValue({ messageId: "m1", chatId: "c1" });
+
+    const handled = await maybeHandleFeishuQuickActionMenu({
+      cfg: {} as any,
+      eventKey: "quick-actions",
+      operatorOpenId: "u123",
+      accountId: "main",
+      now: 100,
+    });
+
+    expect(handled).toBe(true);
+    expect(sendCardFeishuMock).toHaveBeenCalledWith(
+      expect.objectContaining({
+        to: "user:u123",
+        accountId: "main",
+        card: expect.objectContaining({
+          body: expect.objectContaining({
+            elements: expect.arrayContaining([
+              expect.objectContaining({
+                tag: "action",
+                actions: expect.arrayContaining([
+                  expect.objectContaining({
+                    value: expect.objectContaining({
+                      c: expect.objectContaining({
+                        t: "p2p",
+                      }),
+                    }),
+                  }),
+                ]),
+              }),
+            ]),
+          }),
+        }),
+      }),
+    );
+  });
+
+  it("falls back to legacy menu handling when launcher send fails", async () => {
+    sendCardFeishuMock.mockRejectedValueOnce(new Error("network"));
+
+    const handled = await maybeHandleFeishuQuickActionMenu({
+      cfg: {} as any,
+      eventKey: "quick-actions",
+      operatorOpenId: "u123",
+      accountId: "main",
+      runtime: { log: vi.fn() } as any,
+      now: 100,
+    });
+
+    expect(handled).toBe(false);
+  });
+});
diff --git a/extensions/feishu/src/card-ux-launcher.ts b/extensions/feishu/src/card-ux-launcher.ts
new file mode 100644
index 00000000000..3303bc2ed77
--- /dev/null
+++ b/extensions/feishu/src/card-ux-launcher.ts
@@ -0,0 +1,120 @@
+import type { ClawdbotConfig, RuntimeEnv } from "openclaw/plugin-sdk/feishu";
+import { createFeishuCardInteractionEnvelope } from "./card-interaction.js";
+import { FEISHU_APPROVAL_REQUEST_ACTION } from "./card-ux-approval.js";
+import { buildFeishuCardButton, buildFeishuCardInteractionContext } from "./card-ux-shared.js";
+import { sendCardFeishu } from "./send.js";
+
+export const FEISHU_QUICK_ACTION_CARD_TTL_MS = 10 * 60_000;
+
+const QUICK_ACTION_MENU_KEYS = new Set(["quick-actions", "quick_actions", "launcher"]);
+
+export function isFeishuQuickActionMenuEventKey(eventKey: string): boolean {
+  return QUICK_ACTION_MENU_KEYS.has(eventKey.trim().toLowerCase());
+}
+
+export function createQuickActionLauncherCard(params: {
+  operatorOpenId: string;
+  chatId?: string;
+  expiresAt: number;
+  chatType?: "p2p" | "group";
+  sessionKey?: string;
+}): Record<string, unknown> {
+  const context = buildFeishuCardInteractionContext(params);
+  return {
+    schema: "2.0",
+    config: {
+      wide_screen_mode: true,
+    },
+    header: {
+      title: {
+        tag: "plain_text",
+        content: "Quick actions",
+      },
+      template: "indigo",
+    },
+    body: {
+      elements: [
+        {
+          tag: "markdown",
+          content: "Run common actions without typing raw commands.",
+        },
+        {
+          tag: "action",
+          actions: [
+            buildFeishuCardButton({
+              label: "Help",
+              value: createFeishuCardInteractionEnvelope({
+                k: "quick",
+                a: "feishu.quick_actions.help",
+                q: "/help",
+                c: context,
+              }),
+            }),
+            buildFeishuCardButton({
+              label: "New session",
+              type: "primary",
+              value: createFeishuCardInteractionEnvelope({
+                k: "meta",
+                a: FEISHU_APPROVAL_REQUEST_ACTION,
+                m: {
+                  command: "/new",
+                  prompt: "Start a fresh session? This will reset the current chat context.",
+                },
+                c: context,
+              }),
+            }),
+            buildFeishuCardButton({
+              label: "Reset",
+              type: "danger",
+              value: createFeishuCardInteractionEnvelope({
+                k: "meta",
+                a: FEISHU_APPROVAL_REQUEST_ACTION,
+                m: {
+                  command: "/reset",
+                  prompt: "Reset this session now? Any active conversation state will be cleared.",
+                },
+                c: context,
+              }),
+            }),
+          ],
+        },
+      ],
+    },
+  };
+}
+
+export async function maybeHandleFeishuQuickActionMenu(params: {
+  cfg: ClawdbotConfig;
+  eventKey: string;
+  operatorOpenId: string;
+  runtime?: RuntimeEnv;
+  accountId?: string;
+  now?: number;
+}): Promise<boolean> {
+  if (!isFeishuQuickActionMenuEventKey(params.eventKey)) {
+    return false;
+  }
+
+  const expiresAt = (params.now ?? Date.now()) + FEISHU_QUICK_ACTION_CARD_TTL_MS;
+  try {
+    await sendCardFeishu({
+      cfg: params.cfg,
+      to: `user:${params.operatorOpenId}`,
+      card: createQuickActionLauncherCard({
+        operatorOpenId: params.operatorOpenId,
+        expiresAt,
+        chatType: "p2p",
+      }),
+      accountId: params.accountId,
+    });
+  } catch (err) {
+    params.runtime?.log?.(
+      `feishu[${params.accountId ?? "default"}]: failed to open quick-action launcher for ${params.operatorOpenId}: ${String(err)}`,
+    );
+    return false;
+  }
+  params.runtime?.log?.(
+    `feishu[${params.accountId ?? "default"}]: opened quick-action launcher for ${params.operatorOpenId}`,
+  );
+  return true;
+}
diff --git a/extensions/feishu/src/card-ux-shared.ts b/extensions/feishu/src/card-ux-shared.ts
new file mode 100644
index 00000000000..02133c39a5c
--- /dev/null
+++ b/extensions/feishu/src/card-ux-shared.ts
@@ -0,0 +1,33 @@
+import type { FeishuCardInteractionEnvelope } from "./card-interaction.js";
+
+export function buildFeishuCardButton(params: {
+  label: string;
+  value: FeishuCardInteractionEnvelope;
+  type?: "default" | "primary" | "danger";
+}) {
+  return {
+    tag: "button",
+    text: {
+      tag: "plain_text",
+      content: params.label,
+    },
+    type: params.type ?? "default",
+    value: params.value,
+  };
+}
+
+export function buildFeishuCardInteractionContext(params: {
+  operatorOpenId: string;
+  chatId?: string;
+  expiresAt: number;
+  chatType?: "p2p" | "group";
+  sessionKey?: string;
+}) {
+  return {
+    u: params.operatorOpenId,
+    ...(params.chatId ? { h: params.chatId } : {}),
+    ...(params.sessionKey ? { s: params.sessionKey } : {}),
+    e: params.expiresAt,
+    ...(params.chatType ? { t: params.chatType } : {}),
+  };
+}
diff --git a/extensions/feishu/src/monitor.account.ts b/extensions/feishu/src/monitor.account.ts
index 3d761631399..241376ac0ba 100644
--- a/extensions/feishu/src/monitor.account.ts
+++ b/extensions/feishu/src/monitor.account.ts
@@ -10,6 +10,7 @@ import {
   type FeishuBotAddedEvent,
 } from "./bot.js";
 import { handleFeishuCardAction, type FeishuCardActionEvent } from "./card-action.js";
+import { maybeHandleFeishuQuickActionMenu } from "./card-ux-launcher.js";
 import { createEventDispatcher } from "./client.js";
 import {
   hasProcessedFeishuMessage,
@@ -513,7 +514,7 @@ function registerEventHandlers(
       try {
         const event = data as {
           event_key?: string;
-          timestamp?: number;
+          timestamp?: string | number;
           operator?: {
             operator_name?: string;
             operator_id?: { open_id?: string; user_id?: string; union_id?: string };
@@ -543,14 +544,28 @@ function registerEventHandlers(
             }),
           },
         };
-        const promise = handleFeishuMessage({
+        const handleLegacyMenu = () =>
+          handleFeishuMessage({
+            cfg,
+            event: syntheticEvent,
+            botOpenId: botOpenIds.get(accountId),
+            botName: botNames.get(accountId),
+            runtime,
+            chatHistories,
+            accountId,
+          });
+
+        const promise = maybeHandleFeishuQuickActionMenu({
           cfg,
-          event: syntheticEvent,
-          botOpenId: botOpenIds.get(accountId),
-          botName: botNames.get(accountId),
+          eventKey,
+          operatorOpenId,
           runtime,
-          chatHistories,
           accountId,
+        }).then((handledMenu) => {
+          if (handledMenu) {
+            return;
+          }
+          return handleLegacyMenu();
         });
         if (fireAndForget) {
           promise.catch((err) => {
diff --git a/extensions/feishu/src/monitor.bot-menu.test.ts b/extensions/feishu/src/monitor.bot-menu.test.ts
new file mode 100644
index 00000000000..cecb0b0512c
--- /dev/null
+++ b/extensions/feishu/src/monitor.bot-menu.test.ts
@@ -0,0 +1,229 @@
+import type { ClawdbotConfig, RuntimeEnv } from "openclaw/plugin-sdk/feishu";
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import { hasControlCommand } from "../../../src/auto-reply/command-detection.js";
+import {
+  createInboundDebouncer,
+  resolveInboundDebounceMs,
+} from "../../../src/auto-reply/inbound-debounce.js";
+import { createPluginRuntimeMock } from "../../test-utils/plugin-runtime-mock.js";
+import { monitorSingleAccount } from "./monitor.account.js";
+import { setFeishuRuntime } from "./runtime.js";
+import type { ResolvedFeishuAccount } from "./types.js";
+
+const createEventDispatcherMock = vi.hoisted(() => vi.fn());
+const monitorWebSocketMock = vi.hoisted(() => vi.fn(async () => {}));
+const monitorWebhookMock = vi.hoisted(() => vi.fn(async () => {}));
+const handleFeishuMessageMock = vi.hoisted(() => vi.fn(async () => {}));
+const sendCardFeishuMock = vi.hoisted(() => vi.fn(async () => ({ messageId: "m1", chatId: "c1" })));
+const createFeishuThreadBindingManagerMock = vi.hoisted(() => vi.fn(() => ({ stop: vi.fn() })));
+
+let handlers: Record<string, (data: unknown) => Promise<void>> = {};
+
+vi.mock("./client.js", () => ({
+  createEventDispatcher: createEventDispatcherMock,
+}));
+
+vi.mock("./monitor.transport.js", () => ({
+  monitorWebSocket: monitorWebSocketMock,
+  monitorWebhook: monitorWebhookMock,
+}));
+
+vi.mock("./bot.js", async () => {
+  const actual = await vi.importActual<typeof import("./bot.js")>("./bot.js");
+  return {
+    ...actual,
+    handleFeishuMessage: handleFeishuMessageMock,
+  };
+});
+
+vi.mock("./send.js", async () => {
+  const actual = await vi.importActual<typeof import("./send.js")>("./send.js");
+  return {
+    ...actual,
+    sendCardFeishu: sendCardFeishuMock,
+  };
+});
+
+vi.mock("./thread-bindings.js", () => ({
+  createFeishuThreadBindingManager: createFeishuThreadBindingManagerMock,
+}));
+
+function buildAccount(): ResolvedFeishuAccount {
+  return {
+    accountId: "default",
+    enabled: true,
+    configured: true,
+    appId: "cli_test",
+    appSecret: "secret_test", // pragma: allowlist secret
+    domain: "feishu",
+    config: {
+      enabled: true,
+      connectionMode: "websocket",
+    },
+  } as ResolvedFeishuAccount;
+}
+
+async function registerHandlers() {
+  setFeishuRuntime(
+    createPluginRuntimeMock({
+      channel: {
+        debounce: {
+          createInboundDebouncer,
+          resolveInboundDebounceMs,
+        },
+        text: {
+          hasControlCommand,
+        },
+      },
+    }),
+  );
+  const register = vi.fn((registered: Record<string, (data: unknown) => Promise<void>>) => {
+    handlers = registered;
+  });
+  createEventDispatcherMock.mockReturnValue({ register });
+
+  await monitorSingleAccount({
+    cfg: {} as ClawdbotConfig,
+    account: buildAccount(),
+    runtime: {
+      log: vi.fn(),
+      error: vi.fn(),
+      exit: vi.fn(),
+    } as RuntimeEnv,
+    botOpenIdSource: {
+      kind: "prefetched",
+      botOpenId: "ou_bot",
+      botName: "Bot",
+    },
+  });
+
+  const onBotMenu = handlers["application.bot.menu_v6"];
+  if (!onBotMenu) {
+    throw new Error("missing application.bot.menu_v6 handler");
+  }
+  return onBotMenu;
+}
+
+describe("Feishu bot menu handler", () => {
+  beforeEach(() => {
+    handlers = {};
+    vi.clearAllMocks();
+  });
+
+  it("opens the quick-action launcher card at the webhook/event layer", async () => {
+    const onBotMenu = await registerHandlers();
+
+    await onBotMenu({
+      event_key: "quick-actions",
+      timestamp: "1700000000000",
+      operator: {
+        operator_id: {
+          open_id: "ou_user1",
+          user_id: "user_1",
+          union_id: "union_1",
+        },
+      },
+    });
+
+    expect(sendCardFeishuMock).toHaveBeenCalledWith(
+      expect.objectContaining({
+        to: "user:ou_user1",
+        card: expect.objectContaining({
+          header: expect.objectContaining({
+            title: expect.objectContaining({ content: "Quick actions" }),
+          }),
+        }),
+      }),
+    );
+    expect(handleFeishuMessageMock).not.toHaveBeenCalled();
+  });
+
+  it("does not block bot-menu handling on quick-action launcher send", async () => {
+    const onBotMenu = await registerHandlers();
+    let resolveSend: (() => void) | undefined;
+    sendCardFeishuMock.mockImplementationOnce(
+      () =>
+        new Promise((resolve) => {
+          resolveSend = () => resolve({ messageId: "m1", chatId: "c1" });
+        }),
+    );
+
+    const pending = onBotMenu({
+      event_key: "quick-actions",
+      timestamp: "1700000000000",
+      operator: {
+        operator_id: {
+          open_id: "ou_user1",
+          user_id: "user_1",
+          union_id: "union_1",
+        },
+      },
+    });
+    let settled = false;
+    pending.finally(() => {
+      settled = true;
+    });
+
+    await Promise.resolve();
+    expect(settled).toBe(true);
+
+    resolveSend?.();
+    await pending;
+  });
+
+  it("falls back to the legacy /menu synthetic message path for unrelated bot menu keys", async () => {
+    const onBotMenu = await registerHandlers();
+
+    await onBotMenu({
+      event_key: "custom-key",
+      timestamp: "1700000000000",
+      operator: {
+        operator_id: {
+          open_id: "ou_user1",
+          user_id: "user_1",
+          union_id: "union_1",
+        },
+      },
+    });
+
+    expect(handleFeishuMessageMock).toHaveBeenCalledWith(
+      expect.objectContaining({
+        event: expect.objectContaining({
+          message: expect.objectContaining({
+            content: '{"text":"/menu custom-key"}',
+          }),
+        }),
+      }),
+    );
+    expect(sendCardFeishuMock).not.toHaveBeenCalled();
+  });
+
+  it("falls back to the legacy /menu path when launcher rendering fails", async () => {
+    const onBotMenu = await registerHandlers();
+    sendCardFeishuMock.mockRejectedValueOnce(new Error("boom"));
+
+    await onBotMenu({
+      event_key: "quick-actions",
+      timestamp: "1700000000000",
+      operator: {
+        operator_id: {
+          open_id: "ou_user1",
+          user_id: "user_1",
+          union_id: "union_1",
+        },
+      },
+    });
+
+    await vi.waitFor(() => {
+      expect(handleFeishuMessageMock).toHaveBeenCalledWith(
+        expect.objectContaining({
+          event: expect.objectContaining({
+            message: expect.objectContaining({
+              content: '{"text":"/menu quick-actions"}',
+            }),
+          }),
+        }),
+      );
+    });
+  });
+});
diff --git a/src/security/audit.ts b/src/security/audit.ts
index b304f658d68..0b13ecc5531 100644
--- a/src/security/audit.ts
+++ b/src/security/audit.ts
@@ -1250,13 +1250,16 @@ export async function runSecurityAudit(opts: SecurityAuditOptions): Promise<Secu
     }
   }
 
-  if (context.includeChannelSecurity && hasPotentialConfiguredChannels(cfg, env)) {
-    const plugins = context.plugins ?? (await loadChannelPlugins()).listChannelPlugins();
+  const shouldAuditChannelSecurity =
+    context.includeChannelSecurity &&
+    (context.plugins !== undefined || hasPotentialConfiguredChannels(cfg, env));
+  if (shouldAuditChannelSecurity) {
+    const channelPlugins = context.plugins ?? (await loadChannelPlugins()).listChannelPlugins();
     findings.push(
       ...(await collectChannelSecurityFindings({
         cfg,
         sourceConfig: context.sourceConfig,
-        plugins,
+        plugins: channelPlugins,
       })),
     );
   }

From f0f934556e24b16e82ff09d3b726df144f2e0642 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Mar 2026 06:08:41 +0000
Subject: [PATCH 033/133] build: remove land gate script

---
 docs/ci.md   | 3 ---
 package.json | 1 -
 2 files changed, 4 deletions(-)

diff --git a/docs/ci.md b/docs/ci.md
index 25445d6c0ed..e8710b87cb1 100644
--- a/docs/ci.md
+++ b/docs/ci.md
@@ -53,7 +53,4 @@ pnpm check          # types + lint + format
 pnpm test           # vitest tests
 pnpm check:docs     # docs format + lint + broken links
 pnpm release:check  # validate npm pack
-pnpm land:gate      # maintainer land gate: frozen-lock install + check + build + test + release:check
 ```
-
-`pnpm land:gate` intentionally includes the same frozen-lockfile install step CI uses before running `check`, `build`, `test`, and `release:check`. Use it when you want local merge-gate parity instead of piecemeal commands.
diff --git a/package.json b/package.json
index 124975e63d1..5aeb794f174 100644
--- a/package.json
+++ b/package.json
@@ -270,7 +270,6 @@
     "ios:gen": "bash -lc './scripts/ios-configure-signing.sh && ./scripts/ios-write-version-xcconfig.sh && cd apps/ios && xcodegen generate'",
     "ios:open": "bash -lc './scripts/ios-configure-signing.sh && ./scripts/ios-write-version-xcconfig.sh && cd apps/ios && xcodegen generate && open OpenClaw.xcodeproj'",
     "ios:run": "bash -lc './scripts/ios-configure-signing.sh && ./scripts/ios-write-version-xcconfig.sh && cd apps/ios && xcodegen generate && xcodebuild -project OpenClaw.xcodeproj -scheme OpenClaw -destination \"${IOS_DEST:-platform=iOS Simulator,name=iPhone 17}\" -configuration Debug build && xcrun simctl boot \"${IOS_SIM:-iPhone 17}\" || true && xcrun simctl launch booted ai.openclaw.ios'",
-    "land:gate": "pnpm install --frozen-lockfile --prefer-offline --ignore-scripts=false --config.engine-strict=false --config.enable-pre-post-scripts=true --config.side-effects-cache=true && pnpm check && pnpm build && pnpm test && pnpm release:check",
     "lint": "oxlint --type-aware",
     "lint:agent:ingress-owner": "node scripts/check-ingress-agent-owner-context.mjs",
     "lint:all": "pnpm lint && pnpm lint:swift",

From ed82c7e57be116ad49738448c0b2d39929ddbecb Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Sun, 15 Mar 2026 23:11:36 -0700
Subject: [PATCH 034/133] Status: lazy-load tailscale and memory scan deps

---
 src/commands/status.scan.deps.runtime.ts |  2 ++
 src/commands/status.scan.test.ts         |  7 ++----
 src/commands/status.scan.ts              | 31 ++++++++++++++++++------
 3 files changed, 27 insertions(+), 13 deletions(-)
 create mode 100644 src/commands/status.scan.deps.runtime.ts

diff --git a/src/commands/status.scan.deps.runtime.ts b/src/commands/status.scan.deps.runtime.ts
new file mode 100644
index 00000000000..b9838d2176f
--- /dev/null
+++ b/src/commands/status.scan.deps.runtime.ts
@@ -0,0 +1,2 @@
+export { getTailnetHostname } from "../infra/tailscale.js";
+export { getMemorySearchManager } from "../memory/index.js";
diff --git a/src/commands/status.scan.test.ts b/src/commands/status.scan.test.ts
index 7dccbefb621..6e778070c09 100644
--- a/src/commands/status.scan.test.ts
+++ b/src/commands/status.scan.test.ts
@@ -51,8 +51,9 @@ vi.mock("../infra/os-summary.js", () => ({
   resolveOsSummary: vi.fn(() => ({ label: "test-os" })),
 }));
 
-vi.mock("../infra/tailscale.js", () => ({
+vi.mock("./status.scan.deps.runtime.js", () => ({
   getTailnetHostname: vi.fn(),
+  getMemorySearchManager: vi.fn(),
 }));
 
 vi.mock("../gateway/call.js", () => ({
@@ -69,10 +70,6 @@ vi.mock("./status.gateway-probe.js", () => ({
   resolveGatewayProbeAuthResolution: mocks.resolveGatewayProbeAuthResolution,
 }));
 
-vi.mock("../memory/index.js", () => ({
-  getMemorySearchManager: vi.fn(),
-}));
-
 vi.mock("../process/exec.js", () => ({
   runExec: vi.fn(),
 }));
diff --git a/src/commands/status.scan.ts b/src/commands/status.scan.ts
index eaa9ad3066c..bbe10301624 100644
--- a/src/commands/status.scan.ts
+++ b/src/commands/status.scan.ts
@@ -8,8 +8,6 @@ import { buildGatewayConnectionDetails, callGateway } from "../gateway/call.js";
 import { normalizeControlUiBasePath } from "../gateway/control-ui-shared.js";
 import { probeGateway } from "../gateway/probe.js";
 import { resolveOsSummary } from "../infra/os-summary.js";
-import { getTailnetHostname } from "../infra/tailscale.js";
-import { getMemorySearchManager } from "../memory/index.js";
 import type { MemoryProviderStatus } from "../memory/types.js";
 import { runExec } from "../process/exec.js";
 import type { RuntimeEnv } from "../runtime.js";
@@ -51,6 +49,9 @@ type GatewayProbeSnapshot = {
 
 let pluginRegistryModulePromise: Promise<typeof import("../cli/plugin-registry.js")> | undefined;
 let statusScanRuntimeModulePromise: Promise<typeof import("./status.scan.runtime.js")> | undefined;
+let statusScanDepsRuntimeModulePromise:
+  | Promise<typeof import("./status.scan.deps.runtime.js")>
+  | undefined;
 
 function loadPluginRegistryModule() {
   pluginRegistryModulePromise ??= import("../cli/plugin-registry.js");
@@ -62,6 +63,11 @@ function loadStatusScanRuntimeModule() {
   return statusScanRuntimeModulePromise;
 }
 
+function loadStatusScanDepsRuntimeModule() {
+  statusScanDepsRuntimeModulePromise ??= import("./status.scan.deps.runtime.js");
+  return statusScanDepsRuntimeModulePromise;
+}
+
 function deferResult<T>(promise: Promise<T>): Promise<DeferredResult<T>> {
   return promise.then(
     (value) => ({ ok: true, value }),
@@ -184,6 +190,7 @@ async function resolveMemoryStatusSnapshot(params: {
     return null;
   }
   const agentId = agentStatus.defaultId ?? "main";
+  const { getMemorySearchManager } = await loadStatusScanDepsRuntimeModule();
   const { manager } = await getMemorySearchManager({ cfg, agentId, purpose: "status" });
   if (!manager) {
     return null;
@@ -226,9 +233,13 @@ async function scanStatusJsonFast(opts: {
   const tailscaleDnsPromise =
     tailscaleMode === "off"
       ? Promise.resolve<string | null>(null)
-      : getTailnetHostname((cmd, args) =>
-          runExec(cmd, args, { timeoutMs: 1200, maxBuffer: 200_000 }),
-        ).catch(() => null);
+      : loadStatusScanDepsRuntimeModule()
+          .then(({ getTailnetHostname }) =>
+            getTailnetHostname((cmd, args) =>
+              runExec(cmd, args, { timeoutMs: 1200, maxBuffer: 200_000 }),
+            ),
+          )
+          .catch(() => null);
 
   const gatewayProbePromise = resolveGatewayProbeSnapshot({ cfg, opts });
 
@@ -318,9 +329,13 @@ export async function scanStatus(
       const tailscaleDnsPromise =
         tailscaleMode === "off"
           ? Promise.resolve<string | null>(null)
-          : getTailnetHostname((cmd, args) =>
-              runExec(cmd, args, { timeoutMs: 1200, maxBuffer: 200_000 }),
-            ).catch(() => null);
+          : loadStatusScanDepsRuntimeModule()
+              .then(({ getTailnetHostname }) =>
+                getTailnetHostname((cmd, args) =>
+                  runExec(cmd, args, { timeoutMs: 1200, maxBuffer: 200_000 }),
+                ),
+              )
+              .catch(() => null);
       const updateTimeoutMs = opts.all ? 6500 : 2500;
       const updatePromise = deferResult(
         getUpdateCheckResult({

From 81d3c6c9099dafa2c7d3e7dbd922c91175bb787a Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Sun, 15 Mar 2026 23:11:09 -0700
Subject: [PATCH 035/133] Tests: fix Feishu full registration mock

---
 extensions/feishu/index.test.ts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/extensions/feishu/index.test.ts b/extensions/feishu/index.test.ts
index 5236e4bb542..90de46ff6ab 100644
--- a/extensions/feishu/index.test.ts
+++ b/extensions/feishu/index.test.ts
@@ -51,6 +51,7 @@ describe("feishu plugin register", () => {
       registerChannel,
       on: vi.fn(),
       config: {},
+      registrationMode: "full",
     } as unknown as OpenClawPluginApi;
 
     plugin.register(api);

From 853d8c0d8e5bdd4028a05eeea32778a6fe9c743e Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Sun, 15 Mar 2026 23:17:34 -0700
Subject: [PATCH 036/133] Tests: cover plugin capability matrix

---
 extensions/discord/src/channel.ts             |   2 +
 extensions/telegram/src/channel.ts            |   2 +
 .../plugins/message-capability-matrix.test.ts | 175 ++++++++++++++++++
 3 files changed, 179 insertions(+)
 create mode 100644 src/channels/plugins/message-capability-matrix.test.ts

diff --git a/extensions/discord/src/channel.ts b/extensions/discord/src/channel.ts
index 1b0e003202c..82532f4c43b 100644
--- a/extensions/discord/src/channel.ts
+++ b/extensions/discord/src/channel.ts
@@ -74,6 +74,8 @@ function formatDiscordIntents(intents?: {
 const discordMessageActions: ChannelMessageActionAdapter = {
   listActions: (ctx) =>
     getDiscordRuntime().channel.discord.messageActions?.listActions?.(ctx) ?? [],
+  getCapabilities: (ctx) =>
+    getDiscordRuntime().channel.discord.messageActions?.getCapabilities?.(ctx) ?? [],
   extractToolSend: (ctx) =>
     getDiscordRuntime().channel.discord.messageActions?.extractToolSend?.(ctx) ?? null,
   handleAction: async (ctx) => {
diff --git a/extensions/telegram/src/channel.ts b/extensions/telegram/src/channel.ts
index 2aebfe5652c..cbdb146b608 100644
--- a/extensions/telegram/src/channel.ts
+++ b/extensions/telegram/src/channel.ts
@@ -179,6 +179,8 @@ function hasTelegramExecApprovalDmRoute(cfg: OpenClawConfig): boolean {
 const telegramMessageActions: ChannelMessageActionAdapter = {
   listActions: (ctx) =>
     getTelegramRuntime().channel.telegram.messageActions?.listActions?.(ctx) ?? [],
+  getCapabilities: (ctx) =>
+    getTelegramRuntime().channel.telegram.messageActions?.getCapabilities?.(ctx) ?? [],
   extractToolSend: (ctx) =>
     getTelegramRuntime().channel.telegram.messageActions?.extractToolSend?.(ctx) ?? null,
   handleAction: async (ctx) => {
diff --git a/src/channels/plugins/message-capability-matrix.test.ts b/src/channels/plugins/message-capability-matrix.test.ts
new file mode 100644
index 00000000000..b8d289aa56b
--- /dev/null
+++ b/src/channels/plugins/message-capability-matrix.test.ts
@@ -0,0 +1,175 @@
+import { afterEach, describe, expect, it, vi } from "vitest";
+import type { OpenClawConfig } from "../../config/config.js";
+
+const telegramGetCapabilitiesMock = vi.fn();
+const discordGetCapabilitiesMock = vi.fn();
+
+vi.mock("../../../extensions/telegram/src/runtime.js", () => ({
+  getTelegramRuntime: () => ({
+    channel: {
+      telegram: {
+        messageActions: {
+          getCapabilities: telegramGetCapabilitiesMock,
+        },
+      },
+    },
+  }),
+}));
+
+vi.mock("../../../extensions/discord/src/runtime.js", () => ({
+  getDiscordRuntime: () => ({
+    channel: {
+      discord: {
+        messageActions: {
+          getCapabilities: discordGetCapabilitiesMock,
+        },
+      },
+    },
+  }),
+}));
+
+const { slackPlugin } = await import("../../../extensions/slack/src/channel.js");
+const { telegramPlugin } = await import("../../../extensions/telegram/src/channel.js");
+const { discordPlugin } = await import("../../../extensions/discord/src/channel.js");
+const { mattermostPlugin } = await import("../../../extensions/mattermost/src/channel.js");
+const { feishuPlugin } = await import("../../../extensions/feishu/src/channel.js");
+const { msteamsPlugin } = await import("../../../extensions/msteams/src/channel.js");
+const { zaloPlugin } = await import("../../../extensions/zalo/src/channel.js");
+
+describe("channel action capability matrix", () => {
+  afterEach(() => {
+    telegramGetCapabilitiesMock.mockReset();
+    discordGetCapabilitiesMock.mockReset();
+  });
+
+  it("exposes Slack blocks by default and interactive when enabled", () => {
+    const baseCfg = {
+      channels: {
+        slack: {
+          botToken: "xoxb-test",
+          appToken: "xapp-test",
+        },
+      },
+    } as OpenClawConfig;
+    const interactiveCfg = {
+      channels: {
+        slack: {
+          botToken: "xoxb-test",
+          appToken: "xapp-test",
+          capabilities: { interactiveReplies: true },
+        },
+      },
+    } as OpenClawConfig;
+
+    expect(slackPlugin.actions?.getCapabilities?.({ cfg: baseCfg })).toEqual(["blocks"]);
+    expect(slackPlugin.actions?.getCapabilities?.({ cfg: interactiveCfg })).toEqual([
+      "blocks",
+      "interactive",
+    ]);
+  });
+
+  it("forwards Telegram action capabilities through the channel wrapper", () => {
+    telegramGetCapabilitiesMock.mockReturnValue(["interactive", "buttons"]);
+
+    const result = telegramPlugin.actions?.getCapabilities?.({ cfg: {} as OpenClawConfig });
+
+    expect(result).toEqual(["interactive", "buttons"]);
+    expect(telegramGetCapabilitiesMock).toHaveBeenCalledWith({ cfg: {} });
+  });
+
+  it("forwards Discord action capabilities through the channel wrapper", () => {
+    discordGetCapabilitiesMock.mockReturnValue(["interactive", "components"]);
+
+    const result = discordPlugin.actions?.getCapabilities?.({ cfg: {} as OpenClawConfig });
+
+    expect(result).toEqual(["interactive", "components"]);
+    expect(discordGetCapabilitiesMock).toHaveBeenCalledWith({ cfg: {} });
+  });
+
+  it("exposes Mattermost buttons only when an account is configured", () => {
+    const configuredCfg = {
+      channels: {
+        mattermost: {
+          enabled: true,
+          botToken: "mm-token",
+          baseUrl: "https://chat.example.com",
+        },
+      },
+    } as OpenClawConfig;
+    const unconfiguredCfg = {
+      channels: {
+        mattermost: {
+          enabled: true,
+        },
+      },
+    } as OpenClawConfig;
+
+    expect(mattermostPlugin.actions?.getCapabilities?.({ cfg: configuredCfg })).toEqual([
+      "buttons",
+    ]);
+    expect(mattermostPlugin.actions?.getCapabilities?.({ cfg: unconfiguredCfg })).toEqual([]);
+  });
+
+  it("exposes Feishu cards only when credentials are configured", () => {
+    const configuredCfg = {
+      channels: {
+        feishu: {
+          enabled: true,
+          appId: "cli_a",
+          appSecret: "secret",
+        },
+      },
+    } as OpenClawConfig;
+    const disabledCfg = {
+      channels: {
+        feishu: {
+          enabled: false,
+          appId: "cli_a",
+          appSecret: "secret",
+        },
+      },
+    } as OpenClawConfig;
+
+    expect(feishuPlugin.actions?.getCapabilities?.({ cfg: configuredCfg })).toEqual(["cards"]);
+    expect(feishuPlugin.actions?.getCapabilities?.({ cfg: disabledCfg })).toEqual([]);
+  });
+
+  it("exposes MSTeams cards only when credentials are configured", () => {
+    const configuredCfg = {
+      channels: {
+        msteams: {
+          enabled: true,
+          tenantId: "tenant",
+          appId: "app",
+          appPassword: "secret",
+        },
+      },
+    } as OpenClawConfig;
+    const disabledCfg = {
+      channels: {
+        msteams: {
+          enabled: false,
+          tenantId: "tenant",
+          appId: "app",
+          appPassword: "secret",
+        },
+      },
+    } as OpenClawConfig;
+
+    expect(msteamsPlugin.actions?.getCapabilities?.({ cfg: configuredCfg })).toEqual(["cards"]);
+    expect(msteamsPlugin.actions?.getCapabilities?.({ cfg: disabledCfg })).toEqual([]);
+  });
+
+  it("keeps Zalo actions on the empty capability set", () => {
+    const cfg = {
+      channels: {
+        zalo: {
+          enabled: true,
+          botToken: "zl-token",
+        },
+      },
+    } as OpenClawConfig;
+
+    expect(zaloPlugin.actions?.getCapabilities?.({ cfg })).toEqual([]);
+  });
+});

From 7b2a7da5493b1576b5ff588d11007dda0bb6fa59 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Sun, 15 Mar 2026 23:17:59 -0700
Subject: [PATCH 037/133] Gateway: import normalizeAgentId in hooks

---
 src/gateway/hooks.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/gateway/hooks.ts b/src/gateway/hooks.ts
index d9e23060f04..c11595f8f18 100644
--- a/src/gateway/hooks.ts
+++ b/src/gateway/hooks.ts
@@ -5,7 +5,7 @@ import { listChannelPlugins } from "../channels/plugins/index.js";
 import type { ChannelId } from "../channels/plugins/types.js";
 import type { OpenClawConfig } from "../config/config.js";
 import { readJsonBodyWithLimit, requestBodyErrorToText } from "../infra/http-body.js";
-import { parseAgentSessionKey } from "../routing/session-key.js";
+import { normalizeAgentId, parseAgentSessionKey } from "../routing/session-key.js";
 import { normalizeMessageChannel } from "../utils/message-channel.js";
 import { type HookMappingResolved, resolveHookMappings } from "./hooks-mapping.js";
 import { resolveAllowedAgentIds } from "./hooks-policy.js";

From 130b575c21b7c26a360a7815049640b4c36f3a1d Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Mar 2026 06:21:40 +0000
Subject: [PATCH 038/133] fix: recover bonjour advertiser from ciao announce
 loops

---
 src/infra/bonjour.test.ts |  54 ++++++++-
 src/infra/bonjour.ts      | 245 ++++++++++++++++++++++++++------------
 2 files changed, 221 insertions(+), 78 deletions(-)

diff --git a/src/infra/bonjour.test.ts b/src/infra/bonjour.test.ts
index d8f976fdc41..efccc1ce8b1 100644
--- a/src/infra/bonjour.test.ts
+++ b/src/infra/bonjour.test.ts
@@ -27,21 +27,32 @@ function mockCiaoService(params?: {
   advertise?: ReturnType<typeof vi.fn>;
   destroy?: ReturnType<typeof vi.fn>;
   serviceState?: string;
+  stateRef?: { value: string };
   on?: ReturnType<typeof vi.fn>;
 }) {
   const advertise = params?.advertise ?? vi.fn().mockResolvedValue(undefined);
   const destroy = params?.destroy ?? vi.fn().mockResolvedValue(undefined);
   const on = params?.on ?? vi.fn();
   createService.mockImplementation((options: Record<string, unknown>) => {
-    return {
+    const service = {
       advertise,
       destroy,
-      serviceState: params?.serviceState ?? "announced",
       on,
       getFQDN: () => `${asString(options.type, "service")}.${asString(options.domain, "local")}.`,
       getHostname: () => asString(options.hostname, "unknown"),
       getPort: () => Number(options.port ?? -1),
     };
+    Object.defineProperty(service, "serviceState", {
+      configurable: true,
+      enumerable: true,
+      get: () => params?.stateRef?.value ?? params?.serviceState ?? "announced",
+      set: (value: string) => {
+        if (params?.stateRef) {
+          params.stateRef.value = value;
+        }
+      },
+    });
+    return service;
   });
   return { advertise, destroy, on };
 }
@@ -254,7 +265,7 @@ describe("gateway bonjour advertiser", () => {
     expect(logWarn).toHaveBeenCalledWith(expect.stringContaining("advertise failed"));
 
     // watchdog should attempt re-advertise at the 60s interval tick
-    await vi.advanceTimersByTimeAsync(60_000);
+    await vi.advanceTimersByTimeAsync(15_000);
     expect(advertise).toHaveBeenCalledTimes(2);
 
     await started.stop();
@@ -283,6 +294,43 @@ describe("gateway bonjour advertiser", () => {
     await started.stop();
   });
 
+  it("recreates the advertiser when ciao gets stuck announcing", async () => {
+    enableAdvertiserUnitMode();
+    vi.useFakeTimers();
+
+    const stateRef = { value: "announcing" };
+    const destroy = vi.fn().mockResolvedValue(undefined);
+    const advertise = vi.fn().mockImplementation(() => {
+      if (advertise.mock.calls.length === 1) {
+        stateRef.value = "announcing";
+        return new Promise<void>(() => {});
+      }
+      stateRef.value = "announced";
+      return Promise.resolve();
+    });
+    mockCiaoService({ advertise, destroy, stateRef });
+
+    const started = await startGatewayBonjourAdvertiser({
+      gatewayPort: 18789,
+      sshPort: 2222,
+    });
+
+    expect(createService).toHaveBeenCalledTimes(1);
+    expect(advertise).toHaveBeenCalledTimes(1);
+
+    await vi.advanceTimersByTimeAsync(15_000);
+
+    expect(logWarn).toHaveBeenCalledWith(expect.stringContaining("restarting advertiser"));
+    expect(createService).toHaveBeenCalledTimes(2);
+    expect(advertise).toHaveBeenCalledTimes(2);
+    expect(destroy).toHaveBeenCalledTimes(1);
+    expect(shutdown).toHaveBeenCalledTimes(1);
+
+    await started.stop();
+    expect(destroy).toHaveBeenCalledTimes(2);
+    expect(shutdown).toHaveBeenCalledTimes(2);
+  });
+
   it("normalizes hostnames with domains for service names", async () => {
     // Allow advertiser to run in unit tests.
     delete process.env.VITEST;
diff --git a/src/infra/bonjour.ts b/src/infra/bonjour.ts
index 7d405741a0e..9e7790e2065 100644
--- a/src/infra/bonjour.ts
+++ b/src/infra/bonjour.ts
@@ -58,6 +58,32 @@ type BonjourService = {
   serviceState: string;
 };
 
+type BonjourCycle = {
+  responder: {
+    createService: (options: {
+      name: string;
+      type: string;
+      protocol: unknown;
+      port: number;
+      domain: string;
+      hostname: string;
+      txt: Record<string, string>;
+    }) => unknown;
+    shutdown: () => Promise<void>;
+  };
+  services: Array<{ label: string; svc: BonjourService }>;
+  cleanupUnhandledRejection?: () => void;
+};
+
+type ServiceStateTracker = {
+  state: string;
+  sinceMs: number;
+};
+
+const WATCHDOG_INTERVAL_MS = 5_000;
+const REPAIR_DEBOUNCE_MS = 30_000;
+const STUCK_ANNOUNCING_MS = 8_000;
+
 function serviceSummary(label: string, svc: BonjourService): string {
   let fqdn = "unknown";
   let hostname = "unknown";
@@ -89,7 +115,6 @@ export async function startGatewayBonjourAdvertiser(
   }
 
   const { getResponder, Protocol } = await import("@homebridge/ciao");
-  const responder = getResponder();
 
   // mDNS service instance names are single DNS labels; dots in hostnames (like
   // `Mac.localdomain`) can confuse some resolvers/browsers and break discovery.
@@ -133,8 +158,6 @@ export async function startGatewayBonjourAdvertiser(
     txtBase.cliPath = opts.cliPath.trim();
   }
 
-  const services: Array<{ label: string; svc: BonjourService }> = [];
-
   // Build TXT record for the gateway service.
   // In minimal mode, omit sshPort to avoid advertising SSH availability.
   const gatewayTxt: Record<string, string> = {
@@ -145,25 +168,91 @@ export async function startGatewayBonjourAdvertiser(
     gatewayTxt.sshPort = String(opts.sshPort ?? 22);
   }
 
-  const gateway = responder.createService({
-    name: safeServiceName(instanceName),
-    type: "openclaw-gw",
-    protocol: Protocol.TCP,
-    port: opts.gatewayPort,
-    domain: "local",
-    hostname,
-    txt: gatewayTxt,
-  });
-  services.push({
-    label: "gateway",
-    svc: gateway as unknown as BonjourService,
-  });
+  function createCycle(): BonjourCycle {
+    const responder = getResponder();
+    const services: Array<{ label: string; svc: BonjourService }> = [];
 
-  let ciaoCancellationRejectionHandler: (() => void) | undefined;
-  if (services.length > 0) {
-    ciaoCancellationRejectionHandler = registerUnhandledRejectionHandler(
-      ignoreCiaoCancellationRejection,
-    );
+    const gateway = responder.createService({
+      name: safeServiceName(instanceName),
+      type: "openclaw-gw",
+      protocol: Protocol.TCP,
+      port: opts.gatewayPort,
+      domain: "local",
+      hostname,
+      txt: gatewayTxt,
+    });
+    services.push({
+      label: "gateway",
+      svc: gateway as unknown as BonjourService,
+    });
+
+    const cleanupUnhandledRejection =
+      services.length > 0
+        ? registerUnhandledRejectionHandler(ignoreCiaoCancellationRejection)
+        : undefined;
+
+    return { responder, services, cleanupUnhandledRejection };
+  }
+
+  async function stopCycle(cycle: BonjourCycle | null) {
+    if (!cycle) {
+      return;
+    }
+    for (const { svc } of cycle.services) {
+      try {
+        await svc.destroy();
+      } catch {
+        /* ignore */
+      }
+    }
+    try {
+      await cycle.responder.shutdown();
+    } catch {
+      /* ignore */
+    } finally {
+      cycle.cleanupUnhandledRejection?.();
+    }
+  }
+
+  function attachConflictListeners(services: Array<{ label: string; svc: BonjourService }>) {
+    for (const { label, svc } of services) {
+      try {
+        svc.on("name-change", (name: unknown) => {
+          const next = typeof name === "string" ? name : String(name);
+          logWarn(`bonjour: ${label} name conflict resolved; newName=${JSON.stringify(next)}`);
+        });
+        svc.on("hostname-change", (nextHostname: unknown) => {
+          const next = typeof nextHostname === "string" ? nextHostname : String(nextHostname);
+          logWarn(
+            `bonjour: ${label} hostname conflict resolved; newHostname=${JSON.stringify(next)}`,
+          );
+        });
+      } catch (err) {
+        logDebug(`bonjour: failed to attach listeners for ${label}: ${String(err)}`);
+      }
+    }
+  }
+
+  function startAdvertising(services: Array<{ label: string; svc: BonjourService }>) {
+    for (const { label, svc } of services) {
+      try {
+        void svc
+          .advertise()
+          .then(() => {
+            // Keep this out of stdout/stderr (menubar + tests) but capture in the rolling log.
+            getLogger().info(`bonjour: advertised ${serviceSummary(label, svc)}`);
+          })
+          .catch((err) => {
+            logWarn(
+              `bonjour: advertise failed (${serviceSummary(label, svc)}): ${formatBonjourError(err)}`,
+            );
+          });
+      } catch (err) {
+        logWarn(
+          `bonjour: advertise threw (${serviceSummary(label, svc)}): ${formatBonjourError(err)}`,
+        );
+      }
+    }
   }
 
   logDebug(
@@ -172,55 +261,72 @@ export async function startGatewayBonjourAdvertiser(
     )}, gatewayPort=${opts.gatewayPort}${opts.minimal ? ", minimal=true" : `, sshPort=${opts.sshPort ?? 22}`})`,
   );
 
-  for (const { label, svc } of services) {
-    try {
-      svc.on("name-change", (name: unknown) => {
-        const next = typeof name === "string" ? name : String(name);
-        logWarn(`bonjour: ${label} name conflict resolved; newName=${JSON.stringify(next)}`);
-      });
-      svc.on("hostname-change", (nextHostname: unknown) => {
-        const next = typeof nextHostname === "string" ? nextHostname : String(nextHostname);
-        logWarn(
-          `bonjour: ${label} hostname conflict resolved; newHostname=${JSON.stringify(next)}`,
-        );
-      });
-    } catch (err) {
-      logDebug(`bonjour: failed to attach listeners for ${label}: ${String(err)}`);
-    }
-  }
+  let stopped = false;
+  let recreatePromise: Promise<void> | null = null;
+  let cycle = createCycle();
+  const stateTracker = new Map<string, ServiceStateTracker>();
+  attachConflictListeners(cycle.services);
+  startAdvertising(cycle.services);
 
-  // Do not block gateway startup on mDNS probing/announce. Advertising can take
-  // multiple seconds depending on network state; the gateway should come up even
-  // if Bonjour is slow or fails.
-  for (const { label, svc } of services) {
-    try {
-      void svc
-        .advertise()
-        .then(() => {
-          // Keep this out of stdout/stderr (menubar + tests) but capture in the rolling log.
-          getLogger().info(`bonjour: advertised ${serviceSummary(label, svc)}`);
-        })
-        .catch((err) => {
-          logWarn(
-            `bonjour: advertise failed (${serviceSummary(label, svc)}): ${formatBonjourError(err)}`,
-          );
-        });
-    } catch (err) {
-      logWarn(
-        `bonjour: advertise threw (${serviceSummary(label, svc)}): ${formatBonjourError(err)}`,
-      );
+  const updateStateTrackers = (services: Array<{ label: string; svc: BonjourService }>) => {
+    const now = Date.now();
+    for (const { label, svc } of services) {
+      const nextState = typeof svc.serviceState === "string" ? svc.serviceState : "unknown";
+      const current = stateTracker.get(label);
+      if (!current || current.state !== nextState) {
+        stateTracker.set(label, { state: nextState, sinceMs: now });
+      }
     }
-  }
+  };
+
+  const recreateAdvertiser = async (reason: string) => {
+    if (stopped) {
+      return;
+    }
+    if (recreatePromise) {
+      return recreatePromise;
+    }
+    recreatePromise = (async () => {
+      logWarn(`bonjour: restarting advertiser (${reason})`);
+      const previous = cycle;
+      cycle = createCycle();
+      stateTracker.clear();
+      attachConflictListeners(cycle.services);
+      startAdvertising(cycle.services);
+      await stopCycle(previous);
+    })().finally(() => {
+      recreatePromise = null;
+    });
+    return recreatePromise;
+  };
 
   // Watchdog: if we ever end up in an unannounced state (e.g. after sleep/wake or
   // interface churn), try to re-advertise instead of requiring a full gateway restart.
   const lastRepairAttempt = new Map<string, number>();
   const watchdog = setInterval(() => {
-    for (const { label, svc } of services) {
+    if (stopped || recreatePromise) {
+      return;
+    }
+    updateStateTrackers(cycle.services);
+    for (const { label, svc } of cycle.services) {
       const stateUnknown = (svc as { serviceState?: unknown }).serviceState;
       if (typeof stateUnknown !== "string") {
         continue;
       }
+      const tracked = stateTracker.get(label);
+      if (
+        stateUnknown === "announcing" &&
+        tracked &&
+        Date.now() - tracked.sinceMs >= STUCK_ANNOUNCING_MS
+      ) {
+        void recreateAdvertiser(
+          `service stuck announcing for ${Date.now() - tracked.sinceMs}ms (${serviceSummary(
+            label,
+            svc,
+          )})`,
+        );
+        return;
+      }
       if (stateUnknown === "announced" || stateUnknown === "announcing") {
         continue;
       }
@@ -233,7 +339,7 @@ export async function startGatewayBonjourAdvertiser(
       }
       const now = Date.now();
       const last = lastRepairAttempt.get(key) ?? 0;
-      if (now - last < 30_000) {
+      if (now - last < REPAIR_DEBOUNCE_MS) {
         continue;
       }
       lastRepairAttempt.set(key, now);
@@ -256,26 +362,15 @@ export async function startGatewayBonjourAdvertiser(
         );
       }
     }
-  }, 60_000);
+  }, WATCHDOG_INTERVAL_MS);
   watchdog.unref?.();
 
   return {
     stop: async () => {
+      stopped = true;
       clearInterval(watchdog);
-      for (const { svc } of services) {
-        try {
-          await svc.destroy();
-        } catch {
-          /* ignore */
-        }
-      }
-      try {
-        await responder.shutdown();
-      } catch {
-        /* ignore */
-      } finally {
-        ciaoCancellationRejectionHandler?.();
-      }
+      await recreatePromise;
+      await stopCycle(cycle);
     },
   };
 }

From 4ab016a9bde81100aff88969c05e26635e60082c Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Mar 2026 06:22:02 +0000
Subject: [PATCH 039/133] fix: preserve loopback gateway scopes for local auth

---
 src/gateway/call.test.ts                   |  4 +-
 src/gateway/call.ts                        | 15 +++----
 src/gateway/probe.auth.integration.test.ts | 50 ++++++++++++++++++++++
 src/gateway/probe.test.ts                  | 11 ++++-
 src/gateway/probe.ts                       |  5 ++-
 5 files changed, 72 insertions(+), 13 deletions(-)
 create mode 100644 src/gateway/probe.auth.integration.test.ts

diff --git a/src/gateway/call.test.ts b/src/gateway/call.test.ts
index 7fd9b7c84cb..5ffd3ce3c51 100644
--- a/src/gateway/call.test.ts
+++ b/src/gateway/call.test.ts
@@ -209,7 +209,7 @@ describe("callGateway url resolution", () => {
     expect(lastClientOptions?.token).toBe("explicit-token");
   });
 
-  it("does not attach device identity for local loopback shared-token auth", async () => {
+  it("keeps device identity enabled for local loopback shared-token auth", async () => {
     setLocalLoopbackGatewayConfig();
 
     await callGateway({
@@ -219,7 +219,7 @@ describe("callGateway url resolution", () => {
 
     expect(lastClientOptions?.url).toBe("ws://127.0.0.1:18789");
     expect(lastClientOptions?.token).toBe("explicit-token");
-    expect(lastClientOptions?.deviceIdentity).toBeUndefined();
+    expect(lastClientOptions?.deviceIdentity).toBeDefined();
   });
 
   it("uses OPENCLAW_GATEWAY_URL env override in remote mode when remote URL is missing", async () => {
diff --git a/src/gateway/call.ts b/src/gateway/call.ts
index 300391b6047..98793dd4071 100644
--- a/src/gateway/call.ts
+++ b/src/gateway/call.ts
@@ -86,15 +86,12 @@ function shouldAttachDeviceIdentityForGatewayCall(params: {
   token?: string;
   password?: string;
 }): boolean {
-  if (!(params.token || params.password)) {
-    return true;
-  }
-  try {
-    const parsed = new URL(params.url);
-    return !["127.0.0.1", "::1", "localhost"].includes(parsed.hostname);
-  } catch {
-    return true;
-  }
+  void params;
+  // Shared-auth local calls used to skip device identity as an optimization, but
+  // device-less operator connects now have their self-declared scopes stripped.
+  // Keep identity enabled so local authenticated calls stay device-bound and
+  // retain their least-privilege scopes.
+  return true;
 }
 
 export type ExplicitGatewayAuth = {
diff --git a/src/gateway/probe.auth.integration.test.ts b/src/gateway/probe.auth.integration.test.ts
new file mode 100644
index 00000000000..eed4d1be8ac
--- /dev/null
+++ b/src/gateway/probe.auth.integration.test.ts
@@ -0,0 +1,50 @@
+import { describe, expect, it } from "vitest";
+import { installGatewayTestHooks, testState, withGatewayServer } from "./test-helpers.js";
+
+installGatewayTestHooks();
+
+const { callGateway } = await import("./call.js");
+const { probeGateway } = await import("./probe.js");
+
+describe("probeGateway auth integration", () => {
+  it("keeps direct local authenticated status RPCs device-bound", async () => {
+    const token =
+      typeof (testState.gatewayAuth as { token?: unknown } | undefined)?.token === "string"
+        ? ((testState.gatewayAuth as { token?: string }).token ?? "")
+        : "";
+    expect(token).toBeTruthy();
+
+    await withGatewayServer(async ({ port }) => {
+      const status = await callGateway({
+        url: `ws://127.0.0.1:${port}`,
+        token,
+        method: "status",
+        timeoutMs: 5_000,
+      });
+
+      expect(status).toBeTruthy();
+    });
+  });
+
+  it("keeps detail RPCs available for local authenticated probes", async () => {
+    const token =
+      typeof (testState.gatewayAuth as { token?: unknown } | undefined)?.token === "string"
+        ? ((testState.gatewayAuth as { token?: string }).token ?? "")
+        : "";
+    expect(token).toBeTruthy();
+
+    await withGatewayServer(async ({ port }) => {
+      const result = await probeGateway({
+        url: `ws://127.0.0.1:${port}`,
+        auth: { token },
+        timeoutMs: 5_000,
+      });
+
+      expect(result.ok).toBe(true);
+      expect(result.error).toBeNull();
+      expect(result.health).not.toBeNull();
+      expect(result.status).not.toBeNull();
+      expect(result.configSnapshot).not.toBeNull();
+    });
+  });
+});
diff --git a/src/gateway/probe.test.ts b/src/gateway/probe.test.ts
index f91dc5148d5..4a2374e17cb 100644
--- a/src/gateway/probe.test.ts
+++ b/src/gateway/probe.test.ts
@@ -51,7 +51,7 @@ describe("probeGateway", () => {
     });
 
     expect(gatewayClientState.options?.scopes).toEqual(["operator.read"]);
-    expect(gatewayClientState.options?.deviceIdentity).toBeNull();
+    expect(gatewayClientState.options?.deviceIdentity).toBeUndefined();
     expect(gatewayClientState.requests).toEqual([
       "health",
       "status",
@@ -71,6 +71,15 @@ describe("probeGateway", () => {
     expect(gatewayClientState.options?.deviceIdentity).toBeUndefined();
   });
 
+  it("keeps device identity disabled for unauthenticated loopback probes", async () => {
+    await probeGateway({
+      url: "ws://127.0.0.1:18789",
+      timeoutMs: 1_000,
+    });
+
+    expect(gatewayClientState.options?.deviceIdentity).toBeNull();
+  });
+
   it("skips detail RPCs for lightweight reachability probes", async () => {
     const result = await probeGateway({
       url: "ws://127.0.0.1:18789",
diff --git a/src/gateway/probe.ts b/src/gateway/probe.ts
index 87a77b8bfef..bbd36639b78 100644
--- a/src/gateway/probe.ts
+++ b/src/gateway/probe.ts
@@ -44,7 +44,10 @@ export async function probeGateway(opts: {
 
   const disableDeviceIdentity = (() => {
     try {
-      return isLoopbackHost(new URL(opts.url).hostname);
+      const hostname = new URL(opts.url).hostname;
+      // Local authenticated probes should stay device-bound so read/detail RPCs
+      // are not scope-limited by the shared-auth scope stripping hardening.
+      return isLoopbackHost(hostname) && !(opts.auth?.token || opts.auth?.password);
     } catch {
       return false;
     }

From a608d0955286640a6c15aa93c0cb5bd0e18c9529 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Sun, 15 Mar 2026 23:23:50 -0700
Subject: [PATCH 040/133] Status: lazy-load summary session helpers

---
 src/commands/status.summary.runtime.ts |  2 ++
 src/commands/status.summary.ts         | 12 ++++++++++--
 2 files changed, 12 insertions(+), 2 deletions(-)
 create mode 100644 src/commands/status.summary.runtime.ts

diff --git a/src/commands/status.summary.runtime.ts b/src/commands/status.summary.runtime.ts
new file mode 100644
index 00000000000..df1ae881d4f
--- /dev/null
+++ b/src/commands/status.summary.runtime.ts
@@ -0,0 +1,2 @@
+export { resolveContextTokensForModel } from "../agents/context.js";
+export { classifySessionKey, resolveSessionModelRef } from "../gateway/session-utils.js";
diff --git a/src/commands/status.summary.ts b/src/commands/status.summary.ts
index 3d151c64772..bc2c7b4c205 100644
--- a/src/commands/status.summary.ts
+++ b/src/commands/status.summary.ts
@@ -1,4 +1,3 @@
-import { resolveContextTokensForModel } from "../agents/context.js";
 import { DEFAULT_CONTEXT_TOKENS, DEFAULT_MODEL, DEFAULT_PROVIDER } from "../agents/defaults.js";
 import { resolveConfiguredModelRef } from "../agents/model-selection.js";
 import { hasPotentialConfiguredChannels } from "../channels/config-presence.js";
@@ -12,7 +11,6 @@ import {
   type SessionEntry,
 } from "../config/sessions.js";
 import { listGatewayAgentsBasic } from "../gateway/agent-list.js";
-import { classifySessionKey, resolveSessionModelRef } from "../gateway/session-utils.js";
 import { resolveHeartbeatSummaryForAgent } from "../infra/heartbeat-summary.js";
 import { peekSystemEvents } from "../infra/system-events.js";
 import { parseAgentSessionKey } from "../routing/session-key.js";
@@ -21,6 +19,9 @@ import type { HeartbeatStatus, SessionStatus, StatusSummary } from "./status.typ
 
 let channelSummaryModulePromise: Promise<typeof import("../infra/channel-summary.js")> | undefined;
 let linkChannelModulePromise: Promise<typeof import("./status.link-channel.js")> | undefined;
+let statusSummaryRuntimeModulePromise:
+  | Promise<typeof import("./status.summary.runtime.js")>
+  | undefined;
 
 function loadChannelSummaryModule() {
   channelSummaryModulePromise ??= import("../infra/channel-summary.js");
@@ -32,6 +33,11 @@ function loadLinkChannelModule() {
   return linkChannelModulePromise;
 }
 
+function loadStatusSummaryRuntimeModule() {
+  statusSummaryRuntimeModulePromise ??= import("./status.summary.runtime.js");
+  return statusSummaryRuntimeModulePromise;
+}
+
 const buildFlags = (entry?: SessionEntry): string[] => {
   if (!entry) {
     return [];
@@ -97,6 +103,8 @@ export async function getStatusSummary(
   } = {},
 ): Promise<StatusSummary> {
   const { includeSensitive = true } = options;
+  const { classifySessionKey, resolveContextTokensForModel, resolveSessionModelRef } =
+    await loadStatusSummaryRuntimeModule();
   const cfg = options.config ?? loadConfig();
   const needsChannelPlugins = hasPotentialConfiguredChannels(cfg);
   const linkContext = needsChannelPlugins

From d5b12f505cbf3ffe4aeb8a85209ec46c9d7e22e4 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Sun, 15 Mar 2026 23:24:03 -0700
Subject: [PATCH 041/133] Status: lazy-load security audit commands

---
 src/commands/status-json.ts    | 23 +++++++++++++++--------
 src/commands/status.command.ts | 26 ++++++++++++++------------
 src/security/audit.runtime.ts  |  1 +
 3 files changed, 30 insertions(+), 20 deletions(-)
 create mode 100644 src/security/audit.runtime.ts

diff --git a/src/commands/status-json.ts b/src/commands/status-json.ts
index 035f2c71245..2579717679c 100644
--- a/src/commands/status-json.ts
+++ b/src/commands/status-json.ts
@@ -2,17 +2,22 @@ import { callGateway } from "../gateway/call.js";
 import type { HeartbeatEventPayload } from "../infra/heartbeat-events.js";
 import { normalizeUpdateChannel, resolveUpdateChannelDisplay } from "../infra/update-channels.js";
 import type { RuntimeEnv } from "../runtime.js";
-import { runSecurityAudit } from "../security/audit.js";
 import { getDaemonStatusSummary, getNodeDaemonStatusSummary } from "./status.daemon.js";
 import { scanStatus } from "./status.scan.js";
 
 let providerUsagePromise: Promise<typeof import("../infra/provider-usage.js")> | undefined;
+let securityAuditModulePromise: Promise<typeof import("../security/audit.runtime.js")> | undefined;
 
 function loadProviderUsage() {
   providerUsagePromise ??= import("../infra/provider-usage.js");
   return providerUsagePromise;
 }
 
+function loadSecurityAuditModule() {
+  securityAuditModulePromise ??= import("../security/audit.runtime.js");
+  return securityAuditModulePromise;
+}
+
 export async function statusJsonCommand(
   opts: {
     deep?: boolean;
@@ -23,13 +28,15 @@ export async function statusJsonCommand(
   runtime: RuntimeEnv,
 ) {
   const scan = await scanStatus({ json: true, timeoutMs: opts.timeoutMs, all: opts.all }, runtime);
-  const securityAudit = await runSecurityAudit({
-    config: scan.cfg,
-    sourceConfig: scan.sourceConfig,
-    deep: false,
-    includeFilesystem: true,
-    includeChannelSecurity: true,
-  });
+  const securityAudit = await loadSecurityAuditModule().then(({ runSecurityAudit }) =>
+    runSecurityAudit({
+      config: scan.cfg,
+      sourceConfig: scan.sourceConfig,
+      deep: false,
+      includeFilesystem: true,
+      includeChannelSecurity: true,
+    }),
+  );
 
   const usage = opts.usage
     ? await loadProviderUsage().then(({ loadProviderUsageSummary }) =>
diff --git a/src/commands/status.command.ts b/src/commands/status.command.ts
index 92702bac66e..9f17b1a9fee 100644
--- a/src/commands/status.command.ts
+++ b/src/commands/status.command.ts
@@ -14,7 +14,6 @@ import {
   type Tone,
 } from "../memory/status-format.js";
 import type { RuntimeEnv } from "../runtime.js";
-import { runSecurityAudit } from "../security/audit.js";
 import { getTerminalTableWidth, renderTable } from "../terminal/table.js";
 import { theme } from "../terminal/theme.js";
 import { formatHealthChannelLines, type HealthSummary } from "./health.js";
@@ -37,12 +36,18 @@ import {
 } from "./status.update.js";
 
 let providerUsagePromise: Promise<typeof import("../infra/provider-usage.js")> | undefined;
+let securityAuditModulePromise: Promise<typeof import("../security/audit.runtime.js")> | undefined;
 
 function loadProviderUsage() {
   providerUsagePromise ??= import("../infra/provider-usage.js");
   return providerUsagePromise;
 }
 
+function loadSecurityAuditModule() {
+  securityAuditModulePromise ??= import("../security/audit.runtime.js");
+  return securityAuditModulePromise;
+}
+
 function resolvePairingRecoveryContext(params: {
   error?: string | null;
   closeReason?: string | null;
@@ -90,28 +95,25 @@ export async function statusCommand(
     { json: opts.json, timeoutMs: opts.timeoutMs, all: opts.all },
     runtime,
   );
-  const securityAudit = opts.json
-    ? await runSecurityAudit({
+  const runSecurityAudit = async () =>
+    await loadSecurityAuditModule().then(({ runSecurityAudit }) =>
+      runSecurityAudit({
         config: scan.cfg,
         sourceConfig: scan.sourceConfig,
         deep: false,
         includeFilesystem: true,
         includeChannelSecurity: true,
-      })
+      }),
+    );
+  const securityAudit = opts.json
+    ? await runSecurityAudit()
     : await withProgress(
         {
           label: "Running security audit…",
           indeterminate: true,
           enabled: true,
         },
-        async () =>
-          await runSecurityAudit({
-            config: scan.cfg,
-            sourceConfig: scan.sourceConfig,
-            deep: false,
-            includeFilesystem: true,
-            includeChannelSecurity: true,
-          }),
+        async () => await runSecurityAudit(),
       );
   const {
     cfg,
diff --git a/src/security/audit.runtime.ts b/src/security/audit.runtime.ts
new file mode 100644
index 00000000000..349d2f26fe5
--- /dev/null
+++ b/src/security/audit.runtime.ts
@@ -0,0 +1 @@
+export { runSecurityAudit } from "./audit.js";

From d163278e9cdfafcf0fd28be9c7d819a965695db9 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Sun, 15 Mar 2026 23:24:18 -0700
Subject: [PATCH 042/133] refactor: move channel delivery and ACP seams into
 plugins

---
 extensions/discord/src/channel.ts             | 104 ++++++
 extensions/feishu/src/channel.ts              |  78 +++++
 extensions/imessage/src/channel.ts            |  18 ++
 extensions/signal/src/channel.ts              | 185 ++++++++++-
 extensions/slack/src/channel.ts               |  57 ++++
 extensions/telegram/src/channel.ts            |  92 ++++++
 extensions/telegram/src/outbound-adapter.ts   |   3 +
 extensions/whatsapp/src/channel.ts            |  62 +++-
 src/acp/persistent-bindings.resolve.ts        | 260 +++------------
 src/acp/persistent-bindings.test.ts           |  12 +
 src/acp/persistent-bindings.types.ts          |   3 +-
 src/auto-reply/reply/commands-allowlist.ts    | 304 ++++++------------
 src/auto-reply/reply/commands.test.ts         |  28 ++
 src/channels/plugins/outbound/signal.ts       | 130 ++++++--
 src/channels/plugins/types.adapters.ts        |  71 ++++
 src/channels/plugins/types.core.ts            |   6 +
 src/channels/plugins/types.plugin.ts          |   2 +
 src/channels/plugins/types.ts                 |   1 +
 src/commands/channel-test-helpers.ts          |   2 +
 ...tbeat-runner.returns-default-unset.test.ts |  15 +
 src/infra/outbound/deliver.ts                 | 191 +++++------
 src/infra/outbound/targets.test.ts            |  82 ++++-
 src/infra/outbound/targets.ts                 | 114 ++-----
 src/test-utils/channel-plugins.ts             |   3 +
 24 files changed, 1177 insertions(+), 646 deletions(-)

diff --git a/extensions/discord/src/channel.ts b/extensions/discord/src/channel.ts
index 82532f4c43b..a16574bfb70 100644
--- a/extensions/discord/src/channel.ts
+++ b/extensions/discord/src/channel.ts
@@ -39,6 +39,7 @@ import { resolveOutboundSendDep } from "../../../src/infra/outbound/send-deps.js
 import { normalizeMessageChannel } from "../../../src/utils/message-channel.js";
 import { isDiscordExecApprovalClientEnabled } from "./exec-approvals.js";
 import type { DiscordProbe } from "./probe.js";
+import { resolveDiscordUserAllowlist } from "./resolve-users.js";
 import { getDiscordRuntime } from "./runtime.js";
 import { fetchChannelPermissionsDiscord } from "./send.js";
 import { createDiscordSetupWizardProxy, discordSetupAdapter } from "./setup-core.js";
@@ -116,6 +117,84 @@ function hasDiscordExecApprovalDmRoute(cfg: OpenClawConfig): boolean {
   });
 }
 
+function readDiscordAllowlistConfig(account: ResolvedDiscordAccount) {
+  const groupOverrides: Array<{ label: string; entries: string[] }> = [];
+  for (const [guildKey, guildCfg] of Object.entries(account.config.guilds ?? {})) {
+    const entries = (guildCfg?.users ?? []).map(String).filter(Boolean);
+    if (entries.length > 0) {
+      groupOverrides.push({ label: `guild ${guildKey}`, entries });
+    }
+    for (const [channelKey, channelCfg] of Object.entries(guildCfg?.channels ?? {})) {
+      const channelEntries = (channelCfg?.users ?? []).map(String).filter(Boolean);
+      if (channelEntries.length > 0) {
+        groupOverrides.push({
+          label: `guild ${guildKey} / channel ${channelKey}`,
+          entries: channelEntries,
+        });
+      }
+    }
+  }
+  return {
+    dmAllowFrom: (account.config.allowFrom ?? account.config.dm?.allowFrom ?? []).map(String),
+    groupPolicy: account.config.groupPolicy,
+    groupOverrides,
+  };
+}
+
+async function resolveDiscordAllowlistNames(params: {
+  cfg: Parameters<typeof resolveDiscordAccount>[0]["cfg"];
+  accountId?: string | null;
+  entries: string[];
+}) {
+  const account = resolveDiscordAccount({ cfg: params.cfg, accountId: params.accountId });
+  const token = account.token?.trim();
+  if (!token) {
+    return [];
+  }
+  return await resolveDiscordUserAllowlist({ token, entries: params.entries });
+}
+
+function normalizeDiscordAcpConversationId(conversationId: string) {
+  const normalized = conversationId.trim();
+  return normalized ? { conversationId: normalized } : null;
+}
+
+function matchDiscordAcpConversation(params: {
+  bindingConversationId: string;
+  conversationId: string;
+  parentConversationId?: string;
+}) {
+  if (params.bindingConversationId === params.conversationId) {
+    return { conversationId: params.conversationId, matchPriority: 2 };
+  }
+  if (
+    params.parentConversationId &&
+    params.parentConversationId !== params.conversationId &&
+    params.bindingConversationId === params.parentConversationId
+  ) {
+    return {
+      conversationId: params.parentConversationId,
+      matchPriority: 1,
+    };
+  }
+  return null;
+}
+
+function parseDiscordExplicitTarget(raw: string) {
+  try {
+    const target = parseDiscordTarget(raw, { defaultKind: "channel" });
+    if (!target) {
+      return null;
+    }
+    return {
+      to: target.id,
+      chatType: target.kind === "user" ? ("direct" as const) : ("channel" as const),
+    };
+  } catch {
+    return null;
+  }
+}
+
 const discordConfigAccessors = createScopedAccountConfigAccessors({
   resolveAccount: ({ cfg, accountId }) => resolveDiscordAccount({ cfg, accountId }),
   resolveAllowFrom: (account: ResolvedDiscordAccount) => account.config.dm?.allowFrom,
@@ -177,6 +256,23 @@ export const discordPlugin: ChannelPlugin<ResolvedDiscordAccount> = {
     }),
     ...discordConfigAccessors,
   },
+  allowlist: {
+    supportsScope: ({ scope }) => scope === "dm",
+    readConfig: ({ cfg, accountId }) =>
+      readDiscordAllowlistConfig(resolveDiscordAccount({ cfg, accountId })),
+    resolveNames: async ({ cfg, accountId, entries }) =>
+      await resolveDiscordAllowlistNames({ cfg, accountId, entries }),
+    resolveConfigEdit: ({ scope, pathPrefix, writeTarget }) =>
+      scope === "dm"
+        ? {
+            pathPrefix,
+            writeTarget,
+            readPaths: [["allowFrom"], ["dm", "allowFrom"]],
+            writePath: ["allowFrom"],
+            cleanupPaths: [["dm", "allowFrom"]],
+          }
+        : null,
+  },
   security: {
     resolveDmPolicy: ({ cfg, accountId, account }) => {
       return buildAccountScopedDmSecurityPolicy({
@@ -238,6 +334,8 @@ export const discordPlugin: ChannelPlugin<ResolvedDiscordAccount> = {
   },
   messaging: {
     normalizeTarget: normalizeDiscordMessagingTarget,
+    parseExplicitTarget: ({ raw }) => parseDiscordExplicitTarget(raw),
+    inferTargetChatType: ({ to }) => parseDiscordExplicitTarget(to)?.chatType,
     buildCrossContextComponents: buildDiscordCrossContextComponents,
     targetResolver: {
       looksLikeId: looksLikeDiscordTargetId,
@@ -356,6 +454,12 @@ export const discordPlugin: ChannelPlugin<ResolvedDiscordAccount> = {
         silent: silent ?? undefined,
       }),
   },
+  acpBindings: {
+    normalizeConfiguredBindingTarget: ({ conversationId }) =>
+      normalizeDiscordAcpConversationId(conversationId),
+    matchConfiguredBinding: ({ bindingConversationId, conversationId, parentConversationId }) =>
+      matchDiscordAcpConversation({ bindingConversationId, conversationId, parentConversationId }),
+  },
   status: {
     defaultRuntime: {
       accountId: DEFAULT_ACCOUNT_ID,
diff --git a/extensions/feishu/src/channel.ts b/extensions/feishu/src/channel.ts
index a9aed9f870d..450b1fbe88f 100644
--- a/extensions/feishu/src/channel.ts
+++ b/extensions/feishu/src/channel.ts
@@ -22,6 +22,7 @@ import {
   resolveDefaultFeishuAccountId,
 } from "./accounts.js";
 import { FeishuConfigSchema } from "./config-schema.js";
+import { parseFeishuConversationId } from "./conversation-id.js";
 import { listFeishuDirectoryPeers, listFeishuDirectoryGroups } from "./directory.static.js";
 import { resolveFeishuGroupToolPolicy } from "./policy.js";
 import { getFeishuRuntime } from "./runtime.js";
@@ -95,6 +96,77 @@ function areAnyFeishuReactionActionsEnabled(cfg: ClawdbotConfig): boolean {
   return false;
 }
 
+function isSupportedFeishuDirectConversationId(conversationId: string): boolean {
+  const trimmed = conversationId.trim();
+  if (!trimmed || trimmed.includes(":")) {
+    return false;
+  }
+  if (trimmed.startsWith("oc_") || trimmed.startsWith("on_")) {
+    return false;
+  }
+  return true;
+}
+
+function normalizeFeishuAcpConversationId(conversationId: string) {
+  const parsed = parseFeishuConversationId({ conversationId });
+  if (
+    !parsed ||
+    (parsed.scope !== "group_topic" &&
+      parsed.scope !== "group_topic_sender" &&
+      !isSupportedFeishuDirectConversationId(parsed.canonicalConversationId))
+  ) {
+    return null;
+  }
+  return {
+    conversationId: parsed.canonicalConversationId,
+    parentConversationId:
+      parsed.scope === "group_topic" || parsed.scope === "group_topic_sender"
+        ? parsed.chatId
+        : undefined,
+  };
+}
+
+function matchFeishuAcpConversation(params: {
+  bindingConversationId: string;
+  conversationId: string;
+  parentConversationId?: string;
+}) {
+  const binding = normalizeFeishuAcpConversationId(params.bindingConversationId);
+  if (!binding) {
+    return null;
+  }
+  const incoming = parseFeishuConversationId({
+    conversationId: params.conversationId,
+    parentConversationId: params.parentConversationId,
+  });
+  if (
+    !incoming ||
+    (incoming.scope !== "group_topic" &&
+      incoming.scope !== "group_topic_sender" &&
+      !isSupportedFeishuDirectConversationId(incoming.canonicalConversationId))
+  ) {
+    return null;
+  }
+  const matchesCanonicalConversation = binding.conversationId === incoming.canonicalConversationId;
+  const matchesParentTopicForSenderScopedConversation =
+    incoming.scope === "group_topic_sender" &&
+    binding.parentConversationId === incoming.chatId &&
+    binding.conversationId === `${incoming.chatId}:topic:${incoming.topicId}`;
+  if (!matchesCanonicalConversation && !matchesParentTopicForSenderScopedConversation) {
+    return null;
+  }
+  return {
+    conversationId: matchesParentTopicForSenderScopedConversation
+      ? binding.conversationId
+      : incoming.canonicalConversationId,
+    parentConversationId:
+      incoming.scope === "group_topic" || incoming.scope === "group_topic_sender"
+        ? incoming.chatId
+        : undefined,
+    matchPriority: matchesCanonicalConversation ? 2 : 1,
+  };
+}
+
 export const feishuPlugin: ChannelPlugin<ResolvedFeishuAccount> = {
   id: "feishu",
   meta: {
@@ -393,6 +465,12 @@ export const feishuPlugin: ChannelPlugin<ResolvedFeishuAccount> = {
       });
     },
   },
+  acpBindings: {
+    normalizeConfiguredBindingTarget: ({ conversationId }) =>
+      normalizeFeishuAcpConversationId(conversationId),
+    matchConfiguredBinding: ({ bindingConversationId, conversationId, parentConversationId }) =>
+      matchFeishuAcpConversation({ bindingConversationId, conversationId, parentConversationId }),
+  },
   setup: feishuSetupAdapter,
   setupWizard: feishuSetupWizard,
   messaging: {
diff --git a/extensions/imessage/src/channel.ts b/extensions/imessage/src/channel.ts
index f2621dea5c2..aec66694ef8 100644
--- a/extensions/imessage/src/channel.ts
+++ b/extensions/imessage/src/channel.ts
@@ -124,6 +124,24 @@ export const imessagePlugin: ChannelPlugin<ResolvedIMessageAccount> = {
     formatAllowFrom: ({ allowFrom }) => formatTrimmedAllowFromEntries(allowFrom),
     resolveDefaultTo: ({ cfg, accountId }) => resolveIMessageConfigDefaultTo({ cfg, accountId }),
   },
+  allowlist: {
+    supportsScope: ({ scope }) => scope === "dm" || scope === "group" || scope === "all",
+    readConfig: ({ cfg, accountId }) => {
+      const account = resolveIMessageAccount({ cfg, accountId });
+      return {
+        dmAllowFrom: (account.config.allowFrom ?? []).map(String),
+        groupAllowFrom: (account.config.groupAllowFrom ?? []).map(String),
+        dmPolicy: account.config.dmPolicy,
+        groupPolicy: account.config.groupPolicy,
+      };
+    },
+    resolveConfigEdit: ({ scope, pathPrefix, writeTarget }) => ({
+      pathPrefix,
+      writeTarget,
+      readPaths: [[scope === "dm" ? "allowFrom" : "groupAllowFrom"]],
+      writePath: [scope === "dm" ? "allowFrom" : "groupAllowFrom"],
+    }),
+  },
   security: {
     resolveDmPolicy: ({ cfg, accountId, account }) => {
       return buildAccountScopedDmSecurityPolicy({
diff --git a/extensions/signal/src/channel.ts b/extensions/signal/src/channel.ts
index 010df26d390..80291872143 100644
--- a/extensions/signal/src/channel.ts
+++ b/extensions/signal/src/channel.ts
@@ -26,7 +26,10 @@ import {
   type ChannelPlugin,
   type ResolvedSignalAccount,
 } from "openclaw/plugin-sdk/signal";
+import { resolveTextChunkLimit } from "../../../src/auto-reply/chunk.js";
+import { resolveMarkdownTableMode } from "../../../src/config/markdown-tables.js";
 import { resolveOutboundSendDep } from "../../../src/infra/outbound/send-deps.js";
+import { markdownToSignalTextChunks } from "./format.js";
 import type { SignalProbe } from "./probe.js";
 import { getSignalRuntime } from "./runtime.js";
 import { createSignalSetupWizardProxy, signalSetupAdapter } from "./setup-core.js";
@@ -66,12 +69,8 @@ const signalConfigAccessors = createScopedAccountConfigAccessors({
 
 type SignalSendFn = ReturnType<typeof getSignalRuntime>["channel"]["signal"]["sendMessageSignal"];
 
-async function sendSignalOutbound(params: {
+function resolveSignalSendContext(params: {
   cfg: Parameters<typeof resolveSignalAccount>[0]["cfg"];
-  to: string;
-  text: string;
-  mediaUrl?: string;
-  mediaLocalRoots?: readonly string[];
   accountId?: string;
   deps?: { [channelId: string]: unknown };
 }) {
@@ -84,6 +83,19 @@ async function sendSignalOutbound(params: {
       cfg.channels?.signal?.accounts?.[accountId]?.mediaMaxMb ?? cfg.channels?.signal?.mediaMaxMb,
     accountId: params.accountId,
   });
+  return { send, maxBytes };
+}
+
+async function sendSignalOutbound(params: {
+  cfg: Parameters<typeof resolveSignalAccount>[0]["cfg"];
+  to: string;
+  text: string;
+  mediaUrl?: string;
+  mediaLocalRoots?: readonly string[];
+  accountId?: string;
+  deps?: { [channelId: string]: unknown };
+}) {
+  const { send, maxBytes } = resolveSignalSendContext(params);
   return await send(params.to, params.text, {
     cfg: params.cfg,
     ...(params.mediaUrl ? { mediaUrl: params.mediaUrl } : {}),
@@ -93,6 +105,120 @@ async function sendSignalOutbound(params: {
   });
 }
 
+function inferSignalTargetChatType(rawTo: string) {
+  let to = rawTo.trim();
+  if (!to) {
+    return undefined;
+  }
+  if (/^signal:/i.test(to)) {
+    to = to.replace(/^signal:/i, "").trim();
+  }
+  if (!to) {
+    return undefined;
+  }
+  const lower = to.toLowerCase();
+  if (lower.startsWith("group:")) {
+    return "group" as const;
+  }
+  if (lower.startsWith("username:") || lower.startsWith("u:")) {
+    return "direct" as const;
+  }
+  return "direct" as const;
+}
+
+function parseSignalExplicitTarget(raw: string) {
+  const normalized = normalizeSignalMessagingTarget(raw);
+  if (!normalized) {
+    return null;
+  }
+  return {
+    to: normalized,
+    chatType: inferSignalTargetChatType(normalized),
+  };
+}
+
+async function sendFormattedSignalText(ctx: {
+  cfg: Parameters<typeof resolveSignalAccount>[0]["cfg"];
+  to: string;
+  text: string;
+  accountId?: string | null;
+  deps?: { [channelId: string]: unknown };
+  abortSignal?: AbortSignal;
+}) {
+  const { send, maxBytes } = resolveSignalSendContext({
+    cfg: ctx.cfg,
+    accountId: ctx.accountId ?? undefined,
+    deps: ctx.deps,
+  });
+  const limit = resolveTextChunkLimit(ctx.cfg, "signal", ctx.accountId ?? undefined, {
+    fallbackLimit: 4000,
+  });
+  const tableMode = resolveMarkdownTableMode({
+    cfg: ctx.cfg,
+    channel: "signal",
+    accountId: ctx.accountId ?? undefined,
+  });
+  let chunks =
+    limit === undefined
+      ? markdownToSignalTextChunks(ctx.text, Number.POSITIVE_INFINITY, { tableMode })
+      : markdownToSignalTextChunks(ctx.text, limit, { tableMode });
+  if (chunks.length === 0 && ctx.text) {
+    chunks = [{ text: ctx.text, styles: [] }];
+  }
+  const results = [];
+  for (const chunk of chunks) {
+    ctx.abortSignal?.throwIfAborted();
+    const result = await send(ctx.to, chunk.text, {
+      cfg: ctx.cfg,
+      maxBytes,
+      accountId: ctx.accountId ?? undefined,
+      textMode: "plain",
+      textStyles: chunk.styles,
+    });
+    results.push({ channel: "signal" as const, ...result });
+  }
+  return results;
+}
+
+async function sendFormattedSignalMedia(ctx: {
+  cfg: Parameters<typeof resolveSignalAccount>[0]["cfg"];
+  to: string;
+  text: string;
+  mediaUrl: string;
+  mediaLocalRoots?: readonly string[];
+  accountId?: string | null;
+  deps?: { [channelId: string]: unknown };
+  abortSignal?: AbortSignal;
+}) {
+  ctx.abortSignal?.throwIfAborted();
+  const { send, maxBytes } = resolveSignalSendContext({
+    cfg: ctx.cfg,
+    accountId: ctx.accountId ?? undefined,
+    deps: ctx.deps,
+  });
+  const tableMode = resolveMarkdownTableMode({
+    cfg: ctx.cfg,
+    channel: "signal",
+    accountId: ctx.accountId ?? undefined,
+  });
+  const formatted = markdownToSignalTextChunks(ctx.text, Number.POSITIVE_INFINITY, {
+    tableMode,
+  })[0] ?? {
+    text: ctx.text,
+    styles: [],
+  };
+  const result = await send(ctx.to, formatted.text, {
+    cfg: ctx.cfg,
+    mediaUrl: ctx.mediaUrl,
+    mediaLocalRoots: ctx.mediaLocalRoots,
+    maxBytes,
+    accountId: ctx.accountId ?? undefined,
+    textMode: "plain",
+    textStyles: formatted.styles,
+  });
+  return { channel: "signal" as const, ...result };
+}
+
 export const signalPlugin: ChannelPlugin<ResolvedSignalAccount> = {
   id: "signal",
   meta: {
@@ -146,6 +272,24 @@ export const signalPlugin: ChannelPlugin<ResolvedSignalAccount> = {
     }),
     ...signalConfigAccessors,
   },
+  allowlist: {
+    supportsScope: ({ scope }) => scope === "dm" || scope === "group" || scope === "all",
+    readConfig: ({ cfg, accountId }) => {
+      const account = resolveSignalAccount({ cfg, accountId });
+      return {
+        dmAllowFrom: (account.config.allowFrom ?? []).map(String),
+        groupAllowFrom: (account.config.groupAllowFrom ?? []).map(String),
+        dmPolicy: account.config.dmPolicy,
+        groupPolicy: account.config.groupPolicy,
+      };
+    },
+    resolveConfigEdit: ({ scope, pathPrefix, writeTarget }) => ({
+      pathPrefix,
+      writeTarget,
+      readPaths: [[scope === "dm" ? "allowFrom" : "groupAllowFrom"]],
+      writePath: [scope === "dm" ? "allowFrom" : "groupAllowFrom"],
+    }),
+  },
   security: {
     resolveDmPolicy: ({ cfg, accountId, account }) => {
       return buildAccountScopedDmSecurityPolicy({
@@ -174,6 +318,8 @@ export const signalPlugin: ChannelPlugin<ResolvedSignalAccount> = {
   },
   messaging: {
     normalizeTarget: normalizeSignalMessagingTarget,
+    parseExplicitTarget: ({ raw }) => parseSignalExplicitTarget(raw),
+    inferTargetChatType: ({ to }) => inferSignalTargetChatType(to),
     targetResolver: {
       looksLikeId: looksLikeSignalTargetId,
       hint: "<E.164|uuid:ID|group:ID|signal:group:ID|signal:+E.164>",
@@ -185,6 +331,35 @@ export const signalPlugin: ChannelPlugin<ResolvedSignalAccount> = {
     chunker: (text, limit) => getSignalRuntime().channel.text.chunkText(text, limit),
     chunkerMode: "text",
     textChunkLimit: 4000,
+    sendFormattedText: async ({ cfg, to, text, accountId, deps, abortSignal }) =>
+      await sendFormattedSignalText({
+        cfg,
+        to,
+        text,
+        accountId,
+        deps,
+        abortSignal,
+      }),
+    sendFormattedMedia: async ({
+      cfg,
+      to,
+      text,
+      mediaUrl,
+      mediaLocalRoots,
+      accountId,
+      deps,
+      abortSignal,
+    }) =>
+      await sendFormattedSignalMedia({
+        cfg,
+        to,
+        text,
+        mediaUrl,
+        mediaLocalRoots,
+        accountId,
+        deps,
+        abortSignal,
+      }),
     sendText: async ({ cfg, to, text, accountId, deps }) => {
       const result = await sendSignalOutbound({
         cfg,
diff --git a/extensions/slack/src/channel.ts b/extensions/slack/src/channel.ts
index f658b93d2c3..2a8849b1671 100644
--- a/extensions/slack/src/channel.ts
+++ b/extensions/slack/src/channel.ts
@@ -38,6 +38,7 @@ import { resolveOutboundSendDep } from "../../../src/infra/outbound/send-deps.js
 import { buildPassiveProbedChannelStatusSummary } from "../../shared/channel-status-summary.js";
 import { parseSlackBlocksInput } from "./blocks-input.js";
 import type { SlackProbe } from "./probe.js";
+import { resolveSlackUserAllowlist } from "./resolve-users.js";
 import { getSlackRuntime } from "./runtime.js";
 import { fetchSlackScopes } from "./scopes.js";
 import { createSlackSetupWizardProxy, slackSetupAdapter } from "./setup-core.js";
@@ -129,6 +130,17 @@ function resolveSlackAutoThreadId(params: {
   return context.currentThreadTs;
 }
 
+function parseSlackExplicitTarget(raw: string) {
+  const target = parseSlackTarget(raw, { defaultKind: "channel" });
+  if (!target) {
+    return null;
+  }
+  return {
+    to: target.id,
+    chatType: target.kind === "user" ? ("direct" as const) : ("channel" as const),
+  };
+}
+
 function formatSlackScopeDiagnostic(params: {
   tokenType: "bot" | "user";
   result: Awaited<ReturnType<typeof fetchSlackScopes>>;
@@ -144,6 +156,32 @@ function formatSlackScopeDiagnostic(params: {
   } as const;
 }
 
+function readSlackAllowlistConfig(account: ResolvedSlackAccount) {
+  return {
+    dmAllowFrom: (account.config.allowFrom ?? account.config.dm?.allowFrom ?? []).map(String),
+    groupPolicy: account.groupPolicy,
+    groupOverrides: Object.entries(account.channels ?? {})
+      .map(([key, value]) => {
+        const entries = (value?.users ?? []).map(String).filter(Boolean);
+        return entries.length > 0 ? { label: key, entries } : null;
+      })
+      .filter(Boolean) as Array<{ label: string; entries: string[] }>,
+  };
+}
+
+async function resolveSlackAllowlistNames(params: {
+  cfg: Parameters<typeof resolveSlackAccount>[0]["cfg"];
+  accountId?: string | null;
+  entries: string[];
+}) {
+  const account = resolveSlackAccount({ cfg: params.cfg, accountId: params.accountId });
+  const token = account.config.userToken?.trim() || account.botToken?.trim();
+  if (!token) {
+    return [];
+  }
+  return await resolveSlackUserAllowlist({ token, entries: params.entries });
+}
+
 const slackConfigAccessors = createScopedAccountConfigAccessors({
   resolveAccount: ({ cfg, accountId }) => resolveSlackAccount({ cfg, accountId }),
   resolveAllowFrom: (account: ResolvedSlackAccount) => account.dm?.allowFrom,
@@ -235,6 +273,23 @@ export const slackPlugin: ChannelPlugin<ResolvedSlackAccount> = {
     }),
     ...slackConfigAccessors,
   },
+  allowlist: {
+    supportsScope: ({ scope }) => scope === "dm",
+    readConfig: ({ cfg, accountId }) =>
+      readSlackAllowlistConfig(resolveSlackAccount({ cfg, accountId })),
+    resolveNames: async ({ cfg, accountId, entries }) =>
+      await resolveSlackAllowlistNames({ cfg, accountId, entries }),
+    resolveConfigEdit: ({ scope, pathPrefix, writeTarget }) =>
+      scope === "dm"
+        ? {
+            pathPrefix,
+            writeTarget,
+            readPaths: [["allowFrom"], ["dm", "allowFrom"]],
+            writePath: ["allowFrom"],
+            cleanupPaths: [["dm", "allowFrom"]],
+          }
+        : null,
+  },
   security: {
     resolveDmPolicy: ({ cfg, accountId, account }) => {
       return buildAccountScopedDmSecurityPolicy({
@@ -301,6 +356,8 @@ export const slackPlugin: ChannelPlugin<ResolvedSlackAccount> = {
   },
   messaging: {
     normalizeTarget: normalizeSlackMessagingTarget,
+    parseExplicitTarget: ({ raw }) => parseSlackExplicitTarget(raw),
+    inferTargetChatType: ({ to }) => parseSlackExplicitTarget(to)?.chatType,
     enableInteractiveReplies: ({ cfg, accountId }) =>
       isSlackInteractiveRepliesEnabled({ cfg, accountId }),
     hasStructuredReplyPayload: ({ payload }) => {
diff --git a/extensions/telegram/src/channel.ts b/extensions/telegram/src/channel.ts
index cbdb146b608..be09a186baf 100644
--- a/extensions/telegram/src/channel.ts
+++ b/extensions/telegram/src/channel.ts
@@ -37,6 +37,7 @@ import {
   type ResolvedTelegramAccount,
   type TelegramProbe,
 } from "openclaw/plugin-sdk/telegram";
+import { parseTelegramTopicConversation } from "../../../src/acp/conversation-id.js";
 import { resolveExecApprovalCommandDisplay } from "../../../src/infra/exec-approval-command-display.js";
 import { buildExecApprovalPendingReplyPayload } from "../../../src/infra/exec-approval-reply.js";
 import {
@@ -166,6 +167,52 @@ function resolveTelegramAutoThreadId(params: {
   return context.currentThreadTs;
 }
 
+function normalizeTelegramAcpConversationId(conversationId: string) {
+  const parsed = parseTelegramTopicConversation({ conversationId });
+  if (!parsed || !parsed.chatId.startsWith("-")) {
+    return null;
+  }
+  return {
+    conversationId: parsed.canonicalConversationId,
+    parentConversationId: parsed.chatId,
+  };
+}
+
+function matchTelegramAcpConversation(params: {
+  bindingConversationId: string;
+  conversationId: string;
+  parentConversationId?: string;
+}) {
+  const binding = normalizeTelegramAcpConversationId(params.bindingConversationId);
+  if (!binding) {
+    return null;
+  }
+  const incoming = parseTelegramTopicConversation({
+    conversationId: params.conversationId,
+    parentConversationId: params.parentConversationId,
+  });
+  if (!incoming || !incoming.chatId.startsWith("-")) {
+    return null;
+  }
+  if (binding.conversationId !== incoming.canonicalConversationId) {
+    return null;
+  }
+  return {
+    conversationId: incoming.canonicalConversationId,
+    parentConversationId: incoming.chatId,
+    matchPriority: 2,
+  };
+}
+
+function parseTelegramExplicitTarget(raw: string) {
+  const target = parseTelegramTarget(raw);
+  return {
+    to: target.chatId,
+    threadId: target.messageThreadId,
+    chatType: target.chatType === "unknown" ? undefined : target.chatType,
+  };
+}
+
 function hasTelegramExecApprovalDmRoute(cfg: OpenClawConfig): boolean {
   return listTelegramAccountIds(cfg).some((accountId) => {
     if (!isTelegramExecApprovalClientEnabled({ cfg, accountId })) {
@@ -217,6 +264,29 @@ const resolveTelegramDmPolicy = createScopedDmSecurityResolver<ResolvedTelegramA
   normalizeEntry: (raw) => raw.replace(/^(telegram|tg):/i, ""),
 });
 
+function readTelegramAllowlistConfig(account: ResolvedTelegramAccount) {
+  const groupOverrides: Array<{ label: string; entries: string[] }> = [];
+  for (const [groupId, groupCfg] of Object.entries(account.config.groups ?? {})) {
+    const entries = (groupCfg?.allowFrom ?? []).map(String).filter(Boolean);
+    if (entries.length > 0) {
+      groupOverrides.push({ label: groupId, entries });
+    }
+    for (const [topicId, topicCfg] of Object.entries(groupCfg?.topics ?? {})) {
+      const topicEntries = (topicCfg?.allowFrom ?? []).map(String).filter(Boolean);
+      if (topicEntries.length > 0) {
+        groupOverrides.push({ label: `${groupId} topic ${topicId}`, entries: topicEntries });
+      }
+    }
+  }
+  return {
+    dmAllowFrom: (account.config.allowFrom ?? []).map(String),
+    groupAllowFrom: (account.config.groupAllowFrom ?? []).map(String),
+    dmPolicy: account.config.dmPolicy,
+    groupPolicy: account.config.groupPolicy,
+    groupOverrides,
+  };
+}
+
 export const telegramPlugin: ChannelPlugin<ResolvedTelegramAccount, TelegramProbe> = {
   id: "telegram",
   meta: {
@@ -284,6 +354,23 @@ export const telegramPlugin: ChannelPlugin<ResolvedTelegramAccount, TelegramProb
     }),
     ...telegramConfigAccessors,
   },
+  allowlist: {
+    supportsScope: ({ scope }) => scope === "dm" || scope === "group" || scope === "all",
+    readConfig: ({ cfg, accountId }) =>
+      readTelegramAllowlistConfig(resolveTelegramAccount({ cfg, accountId })),
+    resolveConfigEdit: ({ scope, pathPrefix, writeTarget }) => ({
+      pathPrefix,
+      writeTarget,
+      readPaths: [[scope === "dm" ? "allowFrom" : "groupAllowFrom"]],
+      writePath: [scope === "dm" ? "allowFrom" : "groupAllowFrom"],
+    }),
+  },
+  acpBindings: {
+    normalizeConfiguredBindingTarget: ({ conversationId }) =>
+      normalizeTelegramAcpConversationId(conversationId),
+    matchConfiguredBinding: ({ bindingConversationId, conversationId, parentConversationId }) =>
+      matchTelegramAcpConversation({ bindingConversationId, conversationId, parentConversationId }),
+  },
   security: {
     resolveDmPolicy: resolveTelegramDmPolicy,
     collectWarnings: ({ account, cfg }) => {
@@ -325,6 +412,8 @@ export const telegramPlugin: ChannelPlugin<ResolvedTelegramAccount, TelegramProb
   },
   messaging: {
     normalizeTarget: normalizeTelegramMessagingTarget,
+    parseExplicitTarget: ({ raw }) => parseTelegramExplicitTarget(raw),
+    inferTargetChatType: ({ to }) => parseTelegramExplicitTarget(to).chatType,
     targetResolver: {
       looksLikeId: looksLikeTelegramTargetId,
       hint: "<chatId>",
@@ -423,6 +512,9 @@ export const telegramPlugin: ChannelPlugin<ResolvedTelegramAccount, TelegramProb
     chunkerMode: "markdown",
     textChunkLimit: 4000,
     pollMaxOptions: 10,
+    shouldSkipPlainTextSanitization: ({ payload }) => Boolean(payload.channelData),
+    resolveEffectiveTextChunkLimit: ({ fallbackLimit }) =>
+      typeof fallbackLimit === "number" ? Math.min(fallbackLimit, 4096) : 4096,
     sendPayload: async ({
       cfg,
       to,
diff --git a/extensions/telegram/src/outbound-adapter.ts b/extensions/telegram/src/outbound-adapter.ts
index e8c0530d06b..0ab050bbd06 100644
--- a/extensions/telegram/src/outbound-adapter.ts
+++ b/extensions/telegram/src/outbound-adapter.ts
@@ -102,6 +102,9 @@ export const telegramOutbound: ChannelOutboundAdapter = {
   chunker: markdownToTelegramHtmlChunks,
   chunkerMode: "markdown",
   textChunkLimit: 4000,
+  shouldSkipPlainTextSanitization: ({ payload }) => Boolean(payload.channelData),
+  resolveEffectiveTextChunkLimit: ({ fallbackLimit }) =>
+    typeof fallbackLimit === "number" ? Math.min(fallbackLimit, 4096) : 4096,
   sendText: async ({ cfg, to, text, accountId, deps, replyToId, threadId }) => {
     const { send, baseOpts } = resolveTelegramSendContext({
       cfg,
diff --git a/extensions/whatsapp/src/channel.ts b/extensions/whatsapp/src/channel.ts
index d73c951a054..cf506e6912b 100644
--- a/extensions/whatsapp/src/channel.ts
+++ b/extensions/whatsapp/src/channel.ts
@@ -24,6 +24,7 @@ import {
   type ChannelMessageActionName,
   type ChannelPlugin,
 } from "openclaw/plugin-sdk/whatsapp";
+import { isWhatsAppGroupJid, normalizeWhatsAppTarget } from "../../../src/whatsapp/normalize.js";
 // WhatsApp-specific imports from local extension code (moved from src/web/ and src/channels/plugins/)
 import {
   listWhatsAppAccountIds,
@@ -42,6 +43,21 @@ async function loadWhatsAppChannelRuntime() {
   return await import("./channel.runtime.js");
 }
 
+function normalizeWhatsAppPayloadText(text: string | undefined): string {
+  return (text ?? "").replace(/^(?:[ \t]*\r?\n)+/, "");
+}
+
+function parseWhatsAppExplicitTarget(raw: string) {
+  const normalized = normalizeWhatsAppTarget(raw);
+  if (!normalized) {
+    return null;
+  }
+  return {
+    to: normalized,
+    chatType: isWhatsAppGroupJid(normalized) ? ("group" as const) : ("direct" as const),
+  };
+}
+
 const whatsappSetupWizardProxy = {
   channel: "whatsapp",
   status: {
@@ -168,6 +184,24 @@ export const whatsappPlugin: ChannelPlugin<ResolvedWhatsAppAccount> = {
     formatAllowFrom: ({ allowFrom }) => formatWhatsAppConfigAllowFromEntries(allowFrom),
     resolveDefaultTo: ({ cfg, accountId }) => resolveWhatsAppConfigDefaultTo({ cfg, accountId }),
   },
+  allowlist: {
+    supportsScope: ({ scope }) => scope === "dm" || scope === "group" || scope === "all",
+    readConfig: ({ cfg, accountId }) => {
+      const account = resolveWhatsAppAccount({ cfg, accountId });
+      return {
+        dmAllowFrom: (account.allowFrom ?? []).map(String),
+        groupAllowFrom: (account.groupAllowFrom ?? []).map(String),
+        dmPolicy: account.dmPolicy,
+        groupPolicy: account.groupPolicy,
+      };
+    },
+    resolveConfigEdit: ({ scope, pathPrefix, writeTarget }) => ({
+      pathPrefix,
+      writeTarget,
+      readPaths: [[scope === "dm" ? "allowFrom" : "groupAllowFrom"]],
+      writePath: [scope === "dm" ? "allowFrom" : "groupAllowFrom"],
+    }),
+  },
   security: {
     resolveDmPolicy: ({ cfg, accountId, account }) => {
       return buildAccountScopedDmSecurityPolicy({
@@ -224,6 +258,8 @@ export const whatsappPlugin: ChannelPlugin<ResolvedWhatsAppAccount> = {
   },
   messaging: {
     normalizeTarget: normalizeWhatsAppMessagingTarget,
+    parseExplicitTarget: ({ raw }) => parseWhatsAppExplicitTarget(raw),
+    inferTargetChatType: ({ to }) => parseWhatsAppExplicitTarget(to)?.chatType,
     targetResolver: {
       looksLikeId: looksLikeWhatsAppTargetId,
       hint: "<E.164|group JID>",
@@ -288,16 +324,22 @@ export const whatsappPlugin: ChannelPlugin<ResolvedWhatsAppAccount> = {
       );
     },
   },
-  outbound: createWhatsAppOutboundBase({
-    chunker: (text, limit) => getWhatsAppRuntime().channel.text.chunkText(text, limit),
-    sendMessageWhatsApp: async (...args) =>
-      await getWhatsAppRuntime().channel.whatsapp.sendMessageWhatsApp(...args),
-    sendPollWhatsApp: async (...args) =>
-      await getWhatsAppRuntime().channel.whatsapp.sendPollWhatsApp(...args),
-    shouldLogVerbose: () => getWhatsAppRuntime().logging.shouldLogVerbose(),
-    resolveTarget: ({ to, allowFrom, mode }) =>
-      resolveWhatsAppOutboundTarget({ to, allowFrom, mode }),
-  }),
+  outbound: {
+    ...createWhatsAppOutboundBase({
+      chunker: (text, limit) => getWhatsAppRuntime().channel.text.chunkText(text, limit),
+      sendMessageWhatsApp: async (...args) =>
+        await getWhatsAppRuntime().channel.whatsapp.sendMessageWhatsApp(...args),
+      sendPollWhatsApp: async (...args) =>
+        await getWhatsAppRuntime().channel.whatsapp.sendPollWhatsApp(...args),
+      shouldLogVerbose: () => getWhatsAppRuntime().logging.shouldLogVerbose(),
+      resolveTarget: ({ to, allowFrom, mode }) =>
+        resolveWhatsAppOutboundTarget({ to, allowFrom, mode }),
+    }),
+    normalizePayload: ({ payload }) => ({
+      ...payload,
+      text: normalizeWhatsAppPayloadText(payload.text),
+    }),
+  },
   auth: {
     login: async ({ cfg, accountId, runtime, verbose }) => {
       const resolvedAccountId = accountId?.trim() || resolveDefaultWhatsAppAccountId(cfg);
diff --git a/src/acp/persistent-bindings.resolve.ts b/src/acp/persistent-bindings.resolve.ts
index 66464535eae..d0039078378 100644
--- a/src/acp/persistent-bindings.resolve.ts
+++ b/src/acp/persistent-bindings.resolve.ts
@@ -1,4 +1,4 @@
-import { parseFeishuConversationId } from "../../extensions/feishu/src/conversation-id.js";
+import { getChannelPlugin } from "../channels/plugins/index.js";
 import { listAcpBindings } from "../config/bindings.js";
 import type { OpenClawConfig } from "../config/config.js";
 import type { AgentAcpBinding } from "../config/types.js";
@@ -8,7 +8,6 @@ import {
   normalizeAccountId,
   parseAgentSessionKey,
 } from "../routing/session-key.js";
-import { parseTelegramTopicConversation } from "./conversation-id.js";
 import {
   buildConfiguredAcpSessionKey,
   normalizeBindingConfig,
@@ -22,21 +21,11 @@ import {
 
 function normalizeBindingChannel(value: string | undefined): ConfiguredAcpBindingChannel | null {
   const normalized = (value ?? "").trim().toLowerCase();
-  if (normalized === "discord" || normalized === "telegram" || normalized === "feishu") {
-    return normalized;
+  if (!normalized) {
+    return null;
   }
-  return null;
-}
-
-function isSupportedFeishuDirectConversationId(conversationId: string): boolean {
-  const trimmed = conversationId.trim();
-  if (!trimmed || trimmed.includes(":")) {
-    return false;
-  }
-  if (trimmed.startsWith("oc_") || trimmed.startsWith("on_")) {
-    return false;
-  }
-  return true;
+  const plugin = getChannelPlugin(normalized);
+  return plugin?.acpBindings ? plugin.id : null;
 }
 
 function resolveAccountMatchPriority(match: string | undefined, actual: string): 0 | 1 | 2 {
@@ -71,10 +60,9 @@ function parseConfiguredBindingSessionKey(params: {
   if (!channel) {
     return null;
   }
-  const accountId = normalizeAccountId(tokens[3]);
   return {
     channel,
-    accountId,
+    accountId: normalizeAccountId(tokens[3]),
   };
 }
 
@@ -231,6 +219,12 @@ export function resolveConfiguredAcpBindingSpecBySessionKey(params: {
   if (!parsedSessionKey) {
     return null;
   }
+  const plugin = getChannelPlugin(parsedSessionKey.channel);
+  const acpBindings = plugin?.acpBindings;
+  if (!acpBindings?.normalizeConfiguredBindingTarget) {
+    return null;
+  }
+
   let wildcardMatch: ConfiguredAcpBindingSpec | null = null;
   for (const binding of listAcpBindings(params.cfg)) {
     const channel = normalizeBindingChannel(binding.match.channel);
@@ -248,81 +242,29 @@ export function resolveConfiguredAcpBindingSpecBySessionKey(params: {
     if (!targetConversationId) {
       continue;
     }
-    if (channel === "discord") {
-      const spec = toConfiguredBindingSpec({
-        cfg: params.cfg,
-        channel: "discord",
-        accountId: parsedSessionKey.accountId,
-        conversationId: targetConversationId,
-        binding,
-      });
-      if (buildConfiguredAcpSessionKey(spec) === sessionKey) {
-        if (accountMatchPriority === 2) {
-          return spec;
-        }
-        if (!wildcardMatch) {
-          wildcardMatch = spec;
-        }
-      }
-      continue;
-    }
-    if (channel === "feishu") {
-      const targetParsed = parseFeishuConversationId({
-        conversationId: targetConversationId,
-      });
-      if (
-        !targetParsed ||
-        (targetParsed.scope !== "group_topic" &&
-          targetParsed.scope !== "group_topic_sender" &&
-          !isSupportedFeishuDirectConversationId(targetParsed.canonicalConversationId))
-      ) {
-        continue;
-      }
-      const spec = toConfiguredBindingSpec({
-        cfg: params.cfg,
-        channel: "feishu",
-        accountId: parsedSessionKey.accountId,
-        conversationId: targetParsed.canonicalConversationId,
-        // Session-key recovery deliberately collapses sender-scoped topic bindings onto the
-        // canonical topic conversation id so `group_topic` and `group_topic_sender` reuse
-        // the same configured ACP session identity.
-        parentConversationId:
-          targetParsed.scope === "group_topic" || targetParsed.scope === "group_topic_sender"
-            ? targetParsed.chatId
-            : undefined,
-        binding,
-      });
-      if (buildConfiguredAcpSessionKey(spec) === sessionKey) {
-        if (accountMatchPriority === 2) {
-          return spec;
-        }
-        if (!wildcardMatch) {
-          wildcardMatch = spec;
-        }
-      }
-      continue;
-    }
-    const parsedTopic = parseTelegramTopicConversation({
+    const target = acpBindings.normalizeConfiguredBindingTarget({
+      binding,
       conversationId: targetConversationId,
     });
-    if (!parsedTopic || !parsedTopic.chatId.startsWith("-")) {
+    if (!target) {
       continue;
     }
     const spec = toConfiguredBindingSpec({
       cfg: params.cfg,
-      channel: "telegram",
+      channel,
       accountId: parsedSessionKey.accountId,
-      conversationId: parsedTopic.canonicalConversationId,
-      parentConversationId: parsedTopic.chatId,
+      conversationId: target.conversationId,
+      parentConversationId: target.parentConversationId,
       binding,
     });
-    if (buildConfiguredAcpSessionKey(spec) === sessionKey) {
-      if (accountMatchPriority === 2) {
-        return spec;
-      }
-      if (!wildcardMatch) {
-        wildcardMatch = spec;
-      }
+    if (buildConfiguredAcpSessionKey(spec) !== sessionKey) {
+      continue;
+    }
+    if (accountMatchPriority === 2) {
+      return spec;
+    }
+    if (!wildcardMatch) {
+      wildcardMatch = spec;
     }
   }
   return wildcardMatch;
@@ -335,136 +277,36 @@ export function resolveConfiguredAcpBindingRecord(params: {
   conversationId: string;
   parentConversationId?: string;
 }): ResolvedConfiguredAcpBinding | null {
-  const channel = params.channel.trim().toLowerCase();
+  const channel = normalizeBindingChannel(params.channel);
   const accountId = normalizeAccountId(params.accountId);
   const conversationId = params.conversationId.trim();
   const parentConversationId = params.parentConversationId?.trim() || undefined;
-  if (!conversationId) {
+  if (!channel || !conversationId) {
     return null;
   }
+  const plugin = getChannelPlugin(channel);
+  const acpBindings = plugin?.acpBindings;
+  if (!acpBindings?.matchConfiguredBinding) {
+    return null;
+  }
+  const matchConfiguredBinding = acpBindings.matchConfiguredBinding;
 
-  if (channel === "discord") {
-    const bindings = listAcpBindings(params.cfg);
-    const resolveDiscordBindingForConversation = (targetConversationId: string) =>
-      resolveConfiguredBindingRecord({
-        cfg: params.cfg,
-        bindings,
-        channel: "discord",
-        accountId,
-        selectConversation: (binding) => {
-          const bindingConversationId = resolveBindingConversationId(binding);
-          if (!bindingConversationId || bindingConversationId !== targetConversationId) {
-            return null;
-          }
-          return { conversationId: targetConversationId };
-        },
-      });
-
-    const directMatch = resolveDiscordBindingForConversation(conversationId);
-    if (directMatch) {
-      return directMatch;
-    }
-    if (parentConversationId && parentConversationId !== conversationId) {
-      const inheritedMatch = resolveDiscordBindingForConversation(parentConversationId);
-      if (inheritedMatch) {
-        return inheritedMatch;
+  return resolveConfiguredBindingRecord({
+    cfg: params.cfg,
+    bindings: listAcpBindings(params.cfg),
+    channel,
+    accountId,
+    selectConversation: (binding) => {
+      const bindingConversationId = resolveBindingConversationId(binding);
+      if (!bindingConversationId) {
+        return null;
       }
-    }
-    return null;
-  }
-
-  if (channel === "telegram") {
-    const parsed = parseTelegramTopicConversation({
-      conversationId,
-      parentConversationId,
-    });
-    if (!parsed || !parsed.chatId.startsWith("-")) {
-      return null;
-    }
-    return resolveConfiguredBindingRecord({
-      cfg: params.cfg,
-      bindings: listAcpBindings(params.cfg),
-      channel: "telegram",
-      accountId,
-      selectConversation: (binding) => {
-        const targetConversationId = resolveBindingConversationId(binding);
-        if (!targetConversationId) {
-          return null;
-        }
-        const targetParsed = parseTelegramTopicConversation({
-          conversationId: targetConversationId,
-        });
-        if (!targetParsed || !targetParsed.chatId.startsWith("-")) {
-          return null;
-        }
-        if (targetParsed.canonicalConversationId !== parsed.canonicalConversationId) {
-          return null;
-        }
-        return {
-          conversationId: parsed.canonicalConversationId,
-          parentConversationId: parsed.chatId,
-        };
-      },
-    });
-  }
-
-  if (channel === "feishu") {
-    const parsed = parseFeishuConversationId({
-      conversationId,
-      parentConversationId,
-    });
-    if (
-      !parsed ||
-      (parsed.scope !== "group_topic" &&
-        parsed.scope !== "group_topic_sender" &&
-        !isSupportedFeishuDirectConversationId(parsed.canonicalConversationId))
-    ) {
-      return null;
-    }
-    return resolveConfiguredBindingRecord({
-      cfg: params.cfg,
-      bindings: listAcpBindings(params.cfg),
-      channel: "feishu",
-      accountId,
-      selectConversation: (binding) => {
-        const targetConversationId = resolveBindingConversationId(binding);
-        if (!targetConversationId) {
-          return null;
-        }
-        const targetParsed = parseFeishuConversationId({
-          conversationId: targetConversationId,
-        });
-        if (
-          !targetParsed ||
-          (targetParsed.scope !== "group_topic" &&
-            targetParsed.scope !== "group_topic_sender" &&
-            !isSupportedFeishuDirectConversationId(targetParsed.canonicalConversationId))
-        ) {
-          return null;
-        }
-        const matchesCanonicalConversation =
-          targetParsed.canonicalConversationId === parsed.canonicalConversationId;
-        const matchesParentTopicForSenderScopedConversation =
-          parsed.scope === "group_topic_sender" &&
-          targetParsed.scope === "group_topic" &&
-          parsed.chatId === targetParsed.chatId &&
-          parsed.topicId === targetParsed.topicId;
-        if (!matchesCanonicalConversation && !matchesParentTopicForSenderScopedConversation) {
-          return null;
-        }
-        return {
-          conversationId: matchesParentTopicForSenderScopedConversation
-            ? targetParsed.canonicalConversationId
-            : parsed.canonicalConversationId,
-          parentConversationId:
-            parsed.scope === "group_topic" || parsed.scope === "group_topic_sender"
-              ? parsed.chatId
-              : undefined,
-          matchPriority: matchesCanonicalConversation ? 2 : 1,
-        };
-      },
-    });
-  }
-
-  return null;
+      return matchConfiguredBinding({
+        binding,
+        bindingConversationId,
+        conversationId,
+        parentConversationId,
+      });
+    },
+  });
 }
diff --git a/src/acp/persistent-bindings.test.ts b/src/acp/persistent-bindings.test.ts
index 06bfba46d57..147c4a455c9 100644
--- a/src/acp/persistent-bindings.test.ts
+++ b/src/acp/persistent-bindings.test.ts
@@ -1,5 +1,10 @@
 import { beforeEach, describe, expect, it, vi } from "vitest";
+import { discordPlugin } from "../../extensions/discord/src/channel.js";
+import { feishuPlugin } from "../../extensions/feishu/src/channel.js";
+import { telegramPlugin } from "../../extensions/telegram/src/channel.js";
 import type { OpenClawConfig } from "../config/config.js";
+import { setActivePluginRegistry } from "../plugins/runtime.js";
+import { createTestRegistry } from "../test-utils/channel-plugins.js";
 const managerMocks = vi.hoisted(() => ({
   resolveSession: vi.fn(),
   closeSession: vi.fn(),
@@ -162,6 +167,13 @@ function mockReadySession(params: { spec: BindingSpec; cwd: string }) {
 }
 
 beforeEach(() => {
+  setActivePluginRegistry(
+    createTestRegistry([
+      { pluginId: "discord", plugin: discordPlugin, source: "test" },
+      { pluginId: "telegram", plugin: telegramPlugin, source: "test" },
+      { pluginId: "feishu", plugin: feishuPlugin, source: "test" },
+    ]),
+  );
   managerMocks.resolveSession.mockReset();
   managerMocks.closeSession.mockReset().mockResolvedValue({
     runtimeClosed: true,
diff --git a/src/acp/persistent-bindings.types.ts b/src/acp/persistent-bindings.types.ts
index 3864392c96c..3583fc4cd9f 100644
--- a/src/acp/persistent-bindings.types.ts
+++ b/src/acp/persistent-bindings.types.ts
@@ -1,9 +1,10 @@
 import { createHash } from "node:crypto";
+import type { ChannelId } from "../channels/plugins/types.js";
 import type { SessionBindingRecord } from "../infra/outbound/session-binding-service.js";
 import { sanitizeAgentId } from "../routing/session-key.js";
 import type { AcpRuntimeSessionMode } from "./runtime/types.js";
 
-export type ConfiguredAcpBindingChannel = "discord" | "telegram" | "feishu";
+export type ConfiguredAcpBindingChannel = ChannelId;
 
 export type ConfiguredAcpBindingSpec = {
   channel: ConfiguredAcpBindingChannel;
diff --git a/src/auto-reply/reply/commands-allowlist.ts b/src/auto-reply/reply/commands-allowlist.ts
index 83d263b828c..f371fcd0b62 100644
--- a/src/auto-reply/reply/commands-allowlist.ts
+++ b/src/auto-reply/reply/commands-allowlist.ts
@@ -1,13 +1,4 @@
-import { resolveDiscordAccount } from "../../../extensions/discord/src/accounts.js";
-import { resolveDiscordUserAllowlist } from "../../../extensions/discord/src/resolve-users.js";
-import { resolveIMessageAccount } from "../../../extensions/imessage/src/accounts.js";
-import { resolveSignalAccount } from "../../../extensions/signal/src/accounts.js";
-import { resolveSlackAccount } from "../../../extensions/slack/src/accounts.js";
-import { resolveSlackUserAllowlist } from "../../../extensions/slack/src/resolve-users.js";
-import { resolveTelegramAccount } from "../../../extensions/telegram/src/accounts.js";
-import { resolveWhatsAppAccount } from "../../../extensions/whatsapp/src/accounts.js";
-import { getChannelDock } from "../../channels/dock.js";
-import { resolveExplicitConfigWriteTarget } from "../../channels/plugins/config-writes.js";
+import { getChannelPlugin } from "../../channels/plugins/index.js";
 import { listPairingChannels } from "../../channels/plugins/pairing.js";
 import type { ChannelId } from "../../channels/plugins/types.js";
 import { normalizeChannelId } from "../../channels/registry.js";
@@ -159,9 +150,9 @@ function normalizeAllowFrom(params: {
   accountId?: string | null;
   values: Array<string | number>;
 }): string[] {
-  const dock = getChannelDock(params.channelId);
-  if (dock?.config?.formatAllowFrom) {
-    return dock.config.formatAllowFrom({
+  const plugin = getChannelPlugin(params.channelId);
+  if (plugin?.config.formatAllowFrom) {
+    return plugin.config.formatAllowFrom({
       cfg: params.cfg,
       accountId: params.accountId,
       allowFrom: params.values,
@@ -182,22 +173,6 @@ function formatEntryList(entries: string[], resolved?: Map<string, string>): str
     .join(", ");
 }
 
-function extractConfigAllowlist(account: {
-  config?: {
-    allowFrom?: Array<string | number>;
-    groupAllowFrom?: Array<string | number>;
-    dmPolicy?: string;
-    groupPolicy?: string;
-  };
-}) {
-  return {
-    dmAllowFrom: (account.config?.allowFrom ?? []).map(String),
-    groupAllowFrom: (account.config?.groupAllowFrom ?? []).map(String),
-    dmPolicy: account.config?.dmPolicy,
-    groupPolicy: account.config?.groupPolicy,
-  };
-}
-
 async function updatePairingStoreAllowlist(params: {
   action: "add" | "remove";
   channelId: ChannelId;
@@ -236,7 +211,7 @@ function resolveAccountTarget(
       target: channel,
       pathPrefix: `channels.${channelId}`,
       accountId: DEFAULT_ACCOUNT_ID,
-      writeTarget: resolveExplicitConfigWriteTarget({ channelId }),
+      writeTarget: { kind: "channel", scope: { channelId } } as const,
     };
   }
   const hasAccounts = Boolean(channel.accounts && typeof channel.accounts === "object");
@@ -246,7 +221,7 @@ function resolveAccountTarget(
       target: channel,
       pathPrefix: `channels.${channelId}`,
       accountId: normalizedAccountId,
-      writeTarget: resolveExplicitConfigWriteTarget({ channelId }),
+      writeTarget: { kind: "channel", scope: { channelId } } as const,
     };
   }
   const accounts = (channel.accounts ??= {}) as Record<string, unknown>;
@@ -261,10 +236,10 @@ function resolveAccountTarget(
     target: account,
     pathPrefix: `channels.${channelId}.accounts.${normalizedAccountId}`,
     accountId: normalizedAccountId,
-    writeTarget: resolveExplicitConfigWriteTarget({
-      channelId,
-      accountId: normalizedAccountId,
-    }),
+    writeTarget: {
+      kind: "account",
+      scope: { channelId, accountId: normalizedAccountId },
+    } as const,
   };
 }
 
@@ -321,37 +296,6 @@ function deleteNestedValue(root: Record<string, unknown>, path: string[]) {
   delete (parent as Record<string, unknown>)[path[path.length - 1]];
 }
 
-function resolveChannelAllowFromPaths(
-  channelId: ChannelId,
-  scope: AllowlistScope,
-): string[] | null {
-  const supportsGroupAllowlist =
-    channelId === "telegram" ||
-    channelId === "whatsapp" ||
-    channelId === "signal" ||
-    channelId === "imessage";
-  if (scope === "all") {
-    return null;
-  }
-  if (scope === "dm") {
-    if (channelId === "slack" || channelId === "discord") {
-      // Canonical DM allowlist location for Slack/Discord. Legacy: dm.allowFrom.
-      return ["allowFrom"];
-    }
-    if (supportsGroupAllowlist) {
-      return ["allowFrom"];
-    }
-    return null;
-  }
-  if (scope === "group") {
-    if (supportsGroupAllowlist) {
-      return ["groupAllowFrom"];
-    }
-    return null;
-  }
-  return null;
-}
-
 function mapResolvedAllowlistNames(entries: ResolvedAllowlistName[]): Map<string, string> {
   const map = new Map<string, string>();
   for (const entry of entries) {
@@ -362,32 +306,35 @@ function mapResolvedAllowlistNames(entries: ResolvedAllowlistName[]): Map<string
   return map;
 }
 
-async function resolveSlackNames(params: {
+async function resolveAllowlistNames(params: {
   cfg: OpenClawConfig;
+  channelId: ChannelId;
   accountId?: string | null;
+  scope: "dm" | "group";
   entries: string[];
 }) {
-  const account = resolveSlackAccount({ cfg: params.cfg, accountId: params.accountId });
-  const token = account.userToken || account.botToken?.trim();
-  if (!token) {
-    return new Map<string, string>();
-  }
-  const resolved = await resolveSlackUserAllowlist({ token, entries: params.entries });
-  return mapResolvedAllowlistNames(resolved);
+  const plugin = getChannelPlugin(params.channelId);
+  const resolved = await plugin?.allowlist?.resolveNames?.({
+    cfg: params.cfg,
+    accountId: params.accountId,
+    scope: params.scope,
+    entries: params.entries,
+  });
+  return mapResolvedAllowlistNames(resolved ?? []);
 }
 
-async function resolveDiscordNames(params: {
+async function readAllowlistConfig(params: {
   cfg: OpenClawConfig;
+  channelId: ChannelId;
   accountId?: string | null;
-  entries: string[];
 }) {
-  const account = resolveDiscordAccount({ cfg: params.cfg, accountId: params.accountId });
-  const token = account.token?.trim();
-  if (!token) {
-    return new Map<string, string>();
-  }
-  const resolved = await resolveDiscordUserAllowlist({ token, entries: params.entries });
-  return mapResolvedAllowlistNames(resolved);
+  const plugin = getChannelPlugin(params.channelId);
+  return (
+    (await plugin?.allowlist?.readConfig?.({
+      cfg: params.cfg,
+      accountId: params.accountId,
+    })) ?? {}
+  );
 }
 
 export const handleAllowlistCommand: CommandHandler = async (params, allowTextCommands) => {
@@ -425,83 +372,31 @@ export const handleAllowlistCommand: CommandHandler = async (params, allowTextCo
     };
   }
   const accountId = normalizeAccountId(parsed.account ?? params.ctx.AccountId);
-  const scope = parsed.scope;
+  const plugin = getChannelPlugin(channelId);
 
   if (parsed.action === "list") {
-    const pairingChannels = listPairingChannels();
-    const supportsStore = pairingChannels.includes(channelId);
+    const supportsStore = listPairingChannels().includes(channelId);
+    if (!plugin?.allowlist?.readConfig && !supportsStore) {
+      return {
+        shouldContinue: false,
+        reply: { text: `⚠️ ${channelId} does not expose allowlist configuration.` },
+      };
+    }
     const storeAllowFrom = supportsStore
       ? await readChannelAllowFromStore(channelId, process.env, accountId).catch(() => [])
       : [];
+    const configState = await readAllowlistConfig({
+      cfg: params.cfg,
+      channelId,
+      accountId,
+    });
 
-    let dmAllowFrom: string[] = [];
-    let groupAllowFrom: string[] = [];
-    let groupOverrides: Array<{ label: string; entries: string[] }> = [];
-    let dmPolicy: string | undefined;
-    let groupPolicy: string | undefined;
-
-    if (channelId === "telegram") {
-      const account = resolveTelegramAccount({ cfg: params.cfg, accountId });
-      ({ dmAllowFrom, groupAllowFrom, dmPolicy, groupPolicy } = extractConfigAllowlist(account));
-      const groups = account.config.groups ?? {};
-      for (const [groupId, groupCfg] of Object.entries(groups)) {
-        const entries = (groupCfg?.allowFrom ?? []).map(String).filter(Boolean);
-        if (entries.length > 0) {
-          groupOverrides.push({ label: groupId, entries });
-        }
-        const topics = groupCfg?.topics ?? {};
-        for (const [topicId, topicCfg] of Object.entries(topics)) {
-          const topicEntries = (topicCfg?.allowFrom ?? []).map(String).filter(Boolean);
-          if (topicEntries.length > 0) {
-            groupOverrides.push({ label: `${groupId} topic ${topicId}`, entries: topicEntries });
-          }
-        }
-      }
-    } else if (channelId === "whatsapp") {
-      const account = resolveWhatsAppAccount({ cfg: params.cfg, accountId });
-      dmAllowFrom = (account.allowFrom ?? []).map(String);
-      groupAllowFrom = (account.groupAllowFrom ?? []).map(String);
-      dmPolicy = account.dmPolicy;
-      groupPolicy = account.groupPolicy;
-    } else if (channelId === "signal") {
-      const account = resolveSignalAccount({ cfg: params.cfg, accountId });
-      ({ dmAllowFrom, groupAllowFrom, dmPolicy, groupPolicy } = extractConfigAllowlist(account));
-    } else if (channelId === "imessage") {
-      const account = resolveIMessageAccount({ cfg: params.cfg, accountId });
-      ({ dmAllowFrom, groupAllowFrom, dmPolicy, groupPolicy } = extractConfigAllowlist(account));
-    } else if (channelId === "slack") {
-      const account = resolveSlackAccount({ cfg: params.cfg, accountId });
-      dmAllowFrom = (account.config.allowFrom ?? account.config.dm?.allowFrom ?? []).map(String);
-      groupPolicy = account.groupPolicy;
-      const channels = account.channels ?? {};
-      groupOverrides = Object.entries(channels)
-        .map(([key, value]) => {
-          const entries = (value?.users ?? []).map(String).filter(Boolean);
-          return entries.length > 0 ? { label: key, entries } : null;
-        })
-        .filter(Boolean) as Array<{ label: string; entries: string[] }>;
-    } else if (channelId === "discord") {
-      const account = resolveDiscordAccount({ cfg: params.cfg, accountId });
-      dmAllowFrom = (account.config.allowFrom ?? account.config.dm?.allowFrom ?? []).map(String);
-      groupPolicy = account.config.groupPolicy;
-      const guilds = account.config.guilds ?? {};
-      for (const [guildKey, guildCfg] of Object.entries(guilds)) {
-        const entries = (guildCfg?.users ?? []).map(String).filter(Boolean);
-        if (entries.length > 0) {
-          groupOverrides.push({ label: `guild ${guildKey}`, entries });
-        }
-        const channels = guildCfg?.channels ?? {};
-        for (const [channelKey, channelCfg] of Object.entries(channels)) {
-          const channelEntries = (channelCfg?.users ?? []).map(String).filter(Boolean);
-          if (channelEntries.length > 0) {
-            groupOverrides.push({
-              label: `guild ${guildKey} / channel ${channelKey}`,
-              entries: channelEntries,
-            });
-          }
-        }
-      }
-    }
+    const dmAllowFrom = (configState.dmAllowFrom ?? []).map(String);
+    const groupAllowFrom = (configState.groupAllowFrom ?? []).map(String);
+    const groupOverrides = (configState.groupOverrides ?? []).map((entry) => ({
+      label: entry.label,
+      entries: entry.entries.map(String).filter(Boolean),
+    }));
 
     const dmDisplay = normalizeAllowFrom({
       cfg: params.cfg,
@@ -522,38 +417,39 @@ export const handleAllowlistCommand: CommandHandler = async (params, allowTextCo
       accountId,
       values: groupOverrideEntries,
     });
+
     const resolvedDm =
-      parsed.resolve && dmDisplay.length > 0 && channelId === "slack"
-        ? await resolveSlackNames({ cfg: params.cfg, accountId, entries: dmDisplay })
-        : parsed.resolve && dmDisplay.length > 0 && channelId === "discord"
-          ? await resolveDiscordNames({ cfg: params.cfg, accountId, entries: dmDisplay })
-          : undefined;
-    const resolvedGroup =
-      parsed.resolve && groupOverrideDisplay.length > 0 && channelId === "slack"
-        ? await resolveSlackNames({
+      parsed.resolve && dmDisplay.length > 0
+        ? await resolveAllowlistNames({
             cfg: params.cfg,
+            channelId,
             accountId,
+            scope: "dm",
+            entries: dmDisplay,
+          })
+        : undefined;
+    const resolvedGroup =
+      parsed.resolve && groupOverrideDisplay.length > 0
+        ? await resolveAllowlistNames({
+            cfg: params.cfg,
+            channelId,
+            accountId,
+            scope: "group",
             entries: groupOverrideDisplay,
           })
-        : parsed.resolve && groupOverrideDisplay.length > 0 && channelId === "discord"
-          ? await resolveDiscordNames({
-              cfg: params.cfg,
-              accountId,
-              entries: groupOverrideDisplay,
-            })
-          : undefined;
+        : undefined;
 
     const lines: string[] = ["🧾 Allowlist"];
     lines.push(`Channel: ${channelId}${accountId ? ` (account ${accountId})` : ""}`);
-    if (dmPolicy) {
-      lines.push(`DM policy: ${dmPolicy}`);
+    if (configState.dmPolicy) {
+      lines.push(`DM policy: ${configState.dmPolicy}`);
     }
-    if (groupPolicy) {
-      lines.push(`Group policy: ${groupPolicy}`);
+    if (configState.groupPolicy) {
+      lines.push(`Group policy: ${configState.groupPolicy}`);
     }
 
-    const showDm = scope === "dm" || scope === "all";
-    const showGroup = scope === "group" || scope === "all";
+    const showDm = parsed.scope === "dm" || parsed.scope === "all";
+    const showGroup = parsed.scope === "group" || parsed.scope === "all";
     if (showDm) {
       lines.push(`DM allowFrom (config): ${formatEntryList(dmDisplay, resolvedDm)}`);
     }
@@ -568,7 +464,7 @@ export const handleAllowlistCommand: CommandHandler = async (params, allowTextCo
     }
     if (showGroup) {
       if (groupAllowFrom.length > 0) {
-        lines.push(`Group allowFrom (config): ${formatEntryList(groupDisplay)}`);
+        lines.push(`Group allowFrom (config): ${formatEntryList(groupDisplay, resolvedGroup)}`);
       }
       if (groupOverrides.length > 0) {
         lines.push("Group overrides:");
@@ -600,12 +496,29 @@ export const handleAllowlistCommand: CommandHandler = async (params, allowTextCo
   const shouldTouchStore = parsed.target !== "config" && listPairingChannels().includes(channelId);
 
   if (shouldUpdateConfig) {
-    const allowlistPath = resolveChannelAllowFromPaths(channelId, scope);
-    if (!allowlistPath) {
+    if (parsed.scope === "all") {
+      return {
+        shouldContinue: false,
+        reply: { text: "⚠️ /allowlist add|remove requires scope dm or group." },
+      };
+    }
+    const {
+      target,
+      pathPrefix,
+      accountId: normalizedAccountId,
+      writeTarget,
+    } = resolveAccountTarget(structuredClone({ channels: {} }), channelId, accountId);
+    void target;
+    const editSpec = plugin?.allowlist?.resolveConfigEdit?.({
+      scope: parsed.scope,
+      pathPrefix,
+      writeTarget,
+    });
+    if (!editSpec) {
       return {
         shouldContinue: false,
         reply: {
-          text: `⚠️ ${channelId} does not support ${scope} allowlist edits via /allowlist.`,
+          text: `⚠️ ${channelId} does not support ${parsed.scope} allowlist edits via /allowlist.`,
         },
       };
     }
@@ -618,19 +531,14 @@ export const handleAllowlistCommand: CommandHandler = async (params, allowTextCo
       };
     }
     const parsedConfig = structuredClone(snapshot.parsed as Record<string, unknown>);
-    const {
-      target,
-      pathPrefix,
-      accountId: normalizedAccountId,
-      writeTarget,
-    } = resolveAccountTarget(parsedConfig, channelId, accountId);
+    const resolvedTarget = resolveAccountTarget(parsedConfig, channelId, accountId);
     const deniedText = resolveConfigWriteDeniedText({
       cfg: params.cfg,
       channel: params.command.channel,
       channelId,
       accountId: params.ctx.AccountId,
       gatewayClientScopes: params.ctx.GatewayClientScopes,
-      target: writeTarget,
+      target: editSpec.writeTarget,
     });
     if (deniedText) {
       return {
@@ -642,13 +550,8 @@ export const handleAllowlistCommand: CommandHandler = async (params, allowTextCo
     }
 
     const existing: string[] = [];
-    const existingPaths =
-      scope === "dm" && (channelId === "slack" || channelId === "discord")
-        ? // Read both while legacy alias may still exist; write canonical below.
-          [allowlistPath, ["dm", "allowFrom"]]
-        : [allowlistPath];
-    for (const path of existingPaths) {
-      const existingRaw = getNestedValue(target, path);
+    for (const path of editSpec.readPaths) {
+      const existingRaw = getNestedValue(resolvedTarget.target, path);
       if (!Array.isArray(existingRaw)) {
         continue;
       }
@@ -713,13 +616,12 @@ export const handleAllowlistCommand: CommandHandler = async (params, allowTextCo
 
     if (configChanged) {
       if (next.length === 0) {
-        deleteNestedValue(target, allowlistPath);
+        deleteNestedValue(resolvedTarget.target, editSpec.writePath);
       } else {
-        setNestedValue(target, allowlistPath, next);
+        setNestedValue(resolvedTarget.target, editSpec.writePath, next);
       }
-      if (scope === "dm" && (channelId === "slack" || channelId === "discord")) {
-        // Remove legacy DM allowlist alias to prevent drift.
-        deleteNestedValue(target, ["dm", "allowFrom"]);
+      for (const path of editSpec.cleanupPaths ?? []) {
+        deleteNestedValue(resolvedTarget.target, path);
       }
     }
 
@@ -750,10 +652,10 @@ export const handleAllowlistCommand: CommandHandler = async (params, allowTextCo
     }
 
     const actionLabel = parsed.action === "add" ? "added" : "removed";
-    const scopeLabel = scope === "dm" ? "DM" : "group";
+    const scopeLabel = parsed.scope === "dm" ? "DM" : "group";
     const locations: string[] = [];
     if (configChanged) {
-      locations.push(`${pathPrefix}.${allowlistPath.join(".")}`);
+      locations.push(`${resolvedTarget.pathPrefix}.${editSpec.writePath.join(".")}`);
     }
     if (shouldTouchStore) {
       locations.push("pairing store");
@@ -782,7 +684,7 @@ export const handleAllowlistCommand: CommandHandler = async (params, allowTextCo
   });
 
   const actionLabel = parsed.action === "add" ? "added" : "removed";
-  const scopeLabel = scope === "dm" ? "DM" : "group";
+  const scopeLabel = parsed.scope === "dm" ? "DM" : "group";
   return {
     shouldContinue: false,
     reply: { text: `✅ ${scopeLabel} allowlist ${actionLabel} in pairing store.` },
diff --git a/src/auto-reply/reply/commands.test.ts b/src/auto-reply/reply/commands.test.ts
index 2d8e6458933..0f2853aab98 100644
--- a/src/auto-reply/reply/commands.test.ts
+++ b/src/auto-reply/reply/commands.test.ts
@@ -8,6 +8,7 @@ import {
   listSubagentRunsForRequester,
   resetSubagentRegistryForTests,
 } from "../../agents/subagent-registry.js";
+import { setDefaultChannelPluginRegistryForTests } from "../../commands/channel-test-helpers.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import { updateSessionStore, type SessionEntry } from "../../config/sessions.js";
 import * as internalHooks from "../../hooks/internal-hooks.js";
@@ -133,6 +134,32 @@ afterAll(async () => {
   await fs.rm(testWorkspaceDir, { recursive: true, force: true });
 });
 
+beforeEach(() => {
+  setDefaultChannelPluginRegistryForTests();
+  readConfigFileSnapshotMock.mockImplementation(async () => {
+    const configPath = process.env.OPENCLAW_CONFIG_PATH;
+    if (!configPath) {
+      return { valid: false, parsed: null };
+    }
+    const parsed = JSON.parse(await fs.readFile(configPath, "utf-8")) as Record<string, unknown>;
+    return { valid: true, parsed };
+  });
+  validateConfigObjectWithPluginsMock.mockImplementation((config: unknown) => ({
+    ok: true,
+    config,
+  }));
+  writeConfigFileMock.mockImplementation(async (config: unknown) => {
+    const configPath = process.env.OPENCLAW_CONFIG_PATH;
+    if (!configPath) {
+      return;
+    }
+    await fs.writeFile(configPath, JSON.stringify(config, null, 2), "utf-8");
+  });
+  readChannelAllowFromStoreMock.mockResolvedValue([]);
+  addChannelAllowFromStoreEntryMock.mockResolvedValue({ changed: true, allowFrom: [] });
+  removeChannelAllowFromStoreEntryMock.mockResolvedValue({ changed: true, allowFrom: [] });
+});
+
 async function withTempConfigPath<T>(
   initialConfig: Record<string, unknown>,
   run: (configPath: string) => Promise<T>,
@@ -998,6 +1025,7 @@ function buildPolicyParams(
 describe("handleCommands /allowlist", () => {
   beforeEach(() => {
     vi.clearAllMocks();
+    setDefaultChannelPluginRegistryForTests();
   });
 
   it("lists config + store allowFrom entries", async () => {
diff --git a/src/channels/plugins/outbound/signal.ts b/src/channels/plugins/outbound/signal.ts
index 028192a3f54..9de4e6f0fa7 100644
--- a/src/channels/plugins/outbound/signal.ts
+++ b/src/channels/plugins/outbound/signal.ts
@@ -1,31 +1,125 @@
+import { markdownToSignalTextChunks } from "../../../../extensions/signal/src/format.js";
 import { sendMessageSignal } from "../../../../extensions/signal/src/send.js";
+import { resolveTextChunkLimit } from "../../../auto-reply/chunk.js";
+import { resolveMarkdownTableMode } from "../../../config/markdown-tables.js";
 import {
   resolveOutboundSendDep,
   type OutboundSendDeps,
 } from "../../../infra/outbound/send-deps.js";
-import {
-  createScopedChannelMediaMaxBytesResolver,
-  createDirectTextMediaOutbound,
-} from "./direct-text-media.js";
+import type { ChannelOutboundAdapter } from "../types.js";
+import { createScopedChannelMediaMaxBytesResolver } from "./direct-text-media.js";
 
 function resolveSignalSender(deps: OutboundSendDeps | undefined) {
   return resolveOutboundSendDep<typeof sendMessageSignal>(deps, "signal") ?? sendMessageSignal;
 }
 
-export const signalOutbound = createDirectTextMediaOutbound({
-  channel: "signal",
-  resolveSender: resolveSignalSender,
-  resolveMaxBytes: createScopedChannelMediaMaxBytesResolver("signal"),
-  buildTextOptions: ({ cfg, maxBytes, accountId }) => ({
-    cfg,
-    maxBytes,
-    accountId: accountId ?? undefined,
-  }),
-  buildMediaOptions: ({ cfg, mediaUrl, maxBytes, accountId, mediaLocalRoots }) => ({
+const resolveSignalMaxBytes = createScopedChannelMediaMaxBytesResolver("signal");
+type SignalSendOpts = NonNullable<Parameters<typeof sendMessageSignal>[2]>;
+
+function inferSignalTableMode(params: { cfg: SignalSendOpts["cfg"]; accountId?: string | null }) {
+  return resolveMarkdownTableMode({
+    cfg: params.cfg,
+    channel: "signal",
+    accountId: params.accountId ?? undefined,
+  });
+}
+
+export const signalOutbound: ChannelOutboundAdapter = {
+  deliveryMode: "direct",
+  chunker: (text, _limit) => text.split(/\n{2,}/).flatMap((chunk) => (chunk ? [chunk] : [])),
+  chunkerMode: "text",
+  textChunkLimit: 4000,
+  sendFormattedText: async ({ cfg, to, text, accountId, deps, abortSignal }) => {
+    const send = resolveSignalSender(deps);
+    const maxBytes = resolveSignalMaxBytes({
+      cfg,
+      accountId: accountId ?? undefined,
+    });
+    const limit = resolveTextChunkLimit(cfg, "signal", accountId ?? undefined, {
+      fallbackLimit: 4000,
+    });
+    const tableMode = inferSignalTableMode({ cfg, accountId });
+    let chunks =
+      limit === undefined
+        ? markdownToSignalTextChunks(text, Number.POSITIVE_INFINITY, { tableMode })
+        : markdownToSignalTextChunks(text, limit, { tableMode });
+    if (chunks.length === 0 && text) {
+      chunks = [{ text, styles: [] }];
+    }
+    const results = [];
+    for (const chunk of chunks) {
+      abortSignal?.throwIfAborted();
+      const result = await send(to, chunk.text, {
+        cfg,
+        maxBytes,
+        accountId: accountId ?? undefined,
+        textMode: "plain",
+        textStyles: chunk.styles,
+      });
+      results.push({ channel: "signal" as const, ...result });
+    }
+    return results;
+  },
+  sendFormattedMedia: async ({
     cfg,
+    to,
+    text,
     mediaUrl,
-    maxBytes,
-    accountId: accountId ?? undefined,
     mediaLocalRoots,
-  }),
-});
+    accountId,
+    deps,
+    abortSignal,
+  }) => {
+    abortSignal?.throwIfAborted();
+    const send = resolveSignalSender(deps);
+    const maxBytes = resolveSignalMaxBytes({
+      cfg,
+      accountId: accountId ?? undefined,
+    });
+    const tableMode = inferSignalTableMode({ cfg, accountId });
+    const formatted = markdownToSignalTextChunks(text, Number.POSITIVE_INFINITY, {
+      tableMode,
+    })[0] ?? {
+      text,
+      styles: [],
+    };
+    const result = await send(to, formatted.text, {
+      cfg,
+      mediaUrl,
+      maxBytes,
+      accountId: accountId ?? undefined,
+      textMode: "plain",
+      textStyles: formatted.styles,
+      mediaLocalRoots,
+    });
+    return { channel: "signal", ...result };
+  },
+  sendText: async ({ cfg, to, text, accountId, deps }) => {
+    const send = resolveSignalSender(deps);
+    const maxBytes = resolveSignalMaxBytes({
+      cfg,
+      accountId: accountId ?? undefined,
+    });
+    const result = await send(to, text, {
+      cfg,
+      maxBytes,
+      accountId: accountId ?? undefined,
+    });
+    return { channel: "signal", ...result };
+  },
+  sendMedia: async ({ cfg, to, text, mediaUrl, mediaLocalRoots, accountId, deps }) => {
+    const send = resolveSignalSender(deps);
+    const maxBytes = resolveSignalMaxBytes({
+      cfg,
+      accountId: accountId ?? undefined,
+    });
+    const result = await send(to, text, {
+      cfg,
+      mediaUrl,
+      maxBytes,
+      accountId: accountId ?? undefined,
+      mediaLocalRoots,
+    });
+    return { channel: "signal", ...result };
+  },
+};
diff --git a/src/channels/plugins/types.adapters.ts b/src/channels/plugins/types.adapters.ts
index 084fa653bb8..c66fa0d463e 100644
--- a/src/channels/plugins/types.adapters.ts
+++ b/src/channels/plugins/types.adapters.ts
@@ -1,11 +1,13 @@
 import type { ReplyPayload } from "../../auto-reply/types.js";
 import type { OpenClawConfig } from "../../config/config.js";
+import type { AgentAcpBinding } from "../../config/types.js";
 import type { GroupToolPolicyConfig } from "../../config/types.tools.js";
 import type { ExecApprovalRequest, ExecApprovalResolved } from "../../infra/exec-approvals.js";
 import type { OutboundDeliveryResult, OutboundSendDeps } from "../../infra/outbound/deliver.js";
 import type { OutboundIdentity } from "../../infra/outbound/identity.js";
 import type { PluginRuntime } from "../../plugins/runtime/types.js";
 import type { RuntimeEnv } from "../../runtime.js";
+import type { ConfigWriteTarget } from "./config-writes.js";
 import type {
   ChannelAccountSnapshot,
   ChannelAccountState,
@@ -137,12 +139,23 @@ export type ChannelOutboundPayloadContext = ChannelOutboundContext & {
   payload: ReplyPayload;
 };
 
+export type ChannelOutboundFormattedContext = ChannelOutboundContext & {
+  abortSignal?: AbortSignal;
+};
+
 export type ChannelOutboundAdapter = {
   deliveryMode: "direct" | "gateway" | "hybrid";
   chunker?: ((text: string, limit: number) => string[]) | null;
   chunkerMode?: "text" | "markdown";
   textChunkLimit?: number;
   pollMaxOptions?: number;
+  normalizePayload?: (params: { payload: ReplyPayload }) => ReplyPayload | null;
+  shouldSkipPlainTextSanitization?: (params: { payload: ReplyPayload }) => boolean;
+  resolveEffectiveTextChunkLimit?: (params: {
+    cfg: OpenClawConfig;
+    accountId?: string | null;
+    fallbackLimit?: number;
+  }) => number | undefined;
   resolveTarget?: (params: {
     cfg?: OpenClawConfig;
     to?: string;
@@ -151,6 +164,10 @@ export type ChannelOutboundAdapter = {
     mode?: ChannelOutboundTargetMode;
   }) => { ok: true; to: string } | { ok: false; error: Error };
   sendPayload?: (ctx: ChannelOutboundPayloadContext) => Promise<OutboundDeliveryResult>;
+  sendFormattedText?: (ctx: ChannelOutboundFormattedContext) => Promise<OutboundDeliveryResult[]>;
+  sendFormattedMedia?: (
+    ctx: ChannelOutboundFormattedContext & { mediaUrl: string },
+  ) => Promise<OutboundDeliveryResult>;
   sendText?: (ctx: ChannelOutboundContext) => Promise<OutboundDeliveryResult>;
   sendMedia?: (ctx: ChannelOutboundContext) => Promise<OutboundDeliveryResult>;
   sendPoll?: (ctx: ChannelPollContext) => Promise<ChannelPollResult>;
@@ -464,9 +481,63 @@ export type ChannelExecApprovalAdapter = {
 };
 
 export type ChannelAllowlistAdapter = {
+  readConfig?: (params: { cfg: OpenClawConfig; accountId?: string | null }) =>
+    | {
+        dmAllowFrom?: Array<string | number>;
+        groupAllowFrom?: Array<string | number>;
+        dmPolicy?: string;
+        groupPolicy?: string;
+        groupOverrides?: Array<{ label: string; entries: Array<string | number> }>;
+      }
+    | Promise<{
+        dmAllowFrom?: Array<string | number>;
+        groupAllowFrom?: Array<string | number>;
+        dmPolicy?: string;
+        groupPolicy?: string;
+        groupOverrides?: Array<{ label: string; entries: Array<string | number> }>;
+      }>;
+  resolveNames?: (params: {
+    cfg: OpenClawConfig;
+    accountId?: string | null;
+    scope: "dm" | "group";
+    entries: string[];
+  }) =>
+    | Array<{ input: string; resolved: boolean; name?: string | null }>
+    | Promise<Array<{ input: string; resolved: boolean; name?: string | null }>>;
+  resolveConfigEdit?: (params: {
+    scope: "dm" | "group";
+    pathPrefix: string;
+    writeTarget: ConfigWriteTarget;
+  }) => {
+    pathPrefix: string;
+    writeTarget: ConfigWriteTarget;
+    readPaths: string[][];
+    writePath: string[];
+    cleanupPaths?: string[][];
+  } | null;
   supportsScope?: (params: { scope: "dm" | "group" | "all" }) => boolean;
 };
 
+export type ChannelAcpBindingAdapter = {
+  normalizeConfiguredBindingTarget?: (params: {
+    binding: AgentAcpBinding;
+    conversationId: string;
+  }) => {
+    conversationId: string;
+    parentConversationId?: string;
+  } | null;
+  matchConfiguredBinding?: (params: {
+    binding: AgentAcpBinding;
+    bindingConversationId: string;
+    conversationId: string;
+    parentConversationId?: string;
+  }) => {
+    conversationId: string;
+    parentConversationId?: string;
+    matchPriority?: number;
+  } | null;
+};
+
 export type ChannelSecurityAdapter<ResolvedAccount = unknown> = {
   resolveDmPolicy?: (
     ctx: ChannelSecurityContext<ResolvedAccount>,
diff --git a/src/channels/plugins/types.core.ts b/src/channels/plugins/types.core.ts
index 4d94afe49fd..a43dbb42876 100644
--- a/src/channels/plugins/types.core.ts
+++ b/src/channels/plugins/types.core.ts
@@ -345,6 +345,12 @@ export type ChannelThreadingToolContext = {
 
 export type ChannelMessagingAdapter = {
   normalizeTarget?: (raw: string) => string | undefined;
+  parseExplicitTarget?: (params: { raw: string }) => {
+    to: string;
+    threadId?: string | number;
+    chatType?: ChatType;
+  } | null;
+  inferTargetChatType?: (params: { to: string }) => ChatType | undefined;
   buildCrossContextComponents?: ChannelCrossContextComponentsFactory;
   enableInteractiveReplies?: (params: {
     cfg: OpenClawConfig;
diff --git a/src/channels/plugins/types.plugin.ts b/src/channels/plugins/types.plugin.ts
index 713eff20bbe..6798545d22f 100644
--- a/src/channels/plugins/types.plugin.ts
+++ b/src/channels/plugins/types.plugin.ts
@@ -17,6 +17,7 @@ import type {
   ChannelSetupAdapter,
   ChannelStatusAdapter,
   ChannelAllowlistAdapter,
+  ChannelAcpBindingAdapter,
 } from "./types.adapters.js";
 import type {
   ChannelAgentTool,
@@ -77,6 +78,7 @@ export type ChannelPlugin<ResolvedAccount = any, Probe = unknown, Audit = unknow
   lifecycle?: ChannelLifecycleAdapter;
   execApprovals?: ChannelExecApprovalAdapter;
   allowlist?: ChannelAllowlistAdapter;
+  acpBindings?: ChannelAcpBindingAdapter;
   streaming?: ChannelStreamingAdapter;
   threading?: ChannelThreadingAdapter;
   messaging?: ChannelMessagingAdapter;
diff --git a/src/channels/plugins/types.ts b/src/channels/plugins/types.ts
index ffa098f0673..bb2d19d0bbd 100644
--- a/src/channels/plugins/types.ts
+++ b/src/channels/plugins/types.ts
@@ -33,6 +33,7 @@ export type {
   ChannelOutboundAdapter,
   ChannelOutboundContext,
   ChannelAllowlistAdapter,
+  ChannelAcpBindingAdapter,
   ChannelPairingAdapter,
   ChannelSecurityAdapter,
   ChannelSetupAdapter,
diff --git a/src/commands/channel-test-helpers.ts b/src/commands/channel-test-helpers.ts
index 410dbd5496b..a76f747b326 100644
--- a/src/commands/channel-test-helpers.ts
+++ b/src/commands/channel-test-helpers.ts
@@ -1,4 +1,5 @@
 import { discordPlugin } from "../../extensions/discord/src/channel.js";
+import { feishuPlugin } from "../../extensions/feishu/src/channel.js";
 import { imessagePlugin } from "../../extensions/imessage/src/channel.js";
 import { signalPlugin } from "../../extensions/signal/src/channel.js";
 import { slackPlugin } from "../../extensions/slack/src/channel.js";
@@ -27,6 +28,7 @@ type PatchedSetupAdapterFields = {
 export function setDefaultChannelPluginRegistryForTests(): void {
   const channels = [
     { pluginId: "discord", plugin: discordPlugin, source: "test" },
+    { pluginId: "feishu", plugin: feishuPlugin, source: "test" },
     { pluginId: "slack", plugin: slackPlugin, source: "test" },
     { pluginId: "telegram", plugin: telegramPlugin, source: "test" },
     { pluginId: "whatsapp", plugin: whatsappPlugin, source: "test" },
diff --git a/src/infra/heartbeat-runner.returns-default-unset.test.ts b/src/infra/heartbeat-runner.returns-default-unset.test.ts
index dc28784870a..a39914016f1 100644
--- a/src/infra/heartbeat-runner.returns-default-unset.test.ts
+++ b/src/infra/heartbeat-runner.returns-default-unset.test.ts
@@ -2,6 +2,7 @@ import fs from "node:fs/promises";
 import os from "node:os";
 import path from "node:path";
 import { afterAll, beforeAll, beforeEach, describe, expect, it, vi } from "vitest";
+import { parseTelegramTarget } from "../../extensions/telegram/src/targets.js";
 import { HEARTBEAT_PROMPT } from "../auto-reply/heartbeat.js";
 import * as replyModule from "../auto-reply/reply.js";
 import { whatsappOutbound } from "../channels/plugins/outbound/whatsapp.js";
@@ -80,6 +81,20 @@ beforeAll(async () => {
         return { channel: "telegram", messageId: res.messageId, chatId: res.chatId };
       },
     },
+    messaging: {
+      parseExplicitTarget: ({ raw }) => {
+        const target = parseTelegramTarget(raw);
+        return {
+          to: target.chatId,
+          threadId: target.messageThreadId,
+          chatType: target.chatType === "unknown" ? undefined : target.chatType,
+        };
+      },
+      inferTargetChatType: ({ to }) => {
+        const target = parseTelegramTarget(to);
+        return target.chatType === "unknown" ? undefined : target.chatType;
+      },
+    },
   });
   telegramPlugin.config = {
     ...telegramPlugin.config,
diff --git a/src/infra/outbound/deliver.ts b/src/infra/outbound/deliver.ts
index 9e10f525cb0..452875d9cff 100644
--- a/src/infra/outbound/deliver.ts
+++ b/src/infra/outbound/deliver.ts
@@ -1,8 +1,3 @@
-import {
-  markdownToSignalTextChunks,
-  type SignalTextStyleRange,
-} from "../../../extensions/signal/src/format.js";
-import { sendMessageSignal } from "../../../extensions/signal/src/send.js";
 import {
   chunkByParagraph,
   chunkMarkdownTextWithMode,
@@ -10,14 +5,12 @@ import {
   resolveTextChunkLimit,
 } from "../../auto-reply/chunk.js";
 import type { ReplyPayload } from "../../auto-reply/types.js";
-import { resolveChannelMediaMaxBytes } from "../../channels/plugins/media-limits.js";
 import { loadChannelOutboundAdapter } from "../../channels/plugins/outbound/load.js";
 import type {
   ChannelOutboundAdapter,
   ChannelOutboundContext,
 } from "../../channels/plugins/types.js";
 import type { OpenClawConfig } from "../../config/config.js";
-import { resolveMarkdownTableMode } from "../../config/markdown-tables.js";
 import {
   appendAssistantMessageToSessionTranscript,
   resolveMirroredTranscriptText,
@@ -51,7 +44,6 @@ export { normalizeOutboundPayloads } from "./payloads.js";
 export { resolveOutboundSendDep, type OutboundSendDeps } from "./send-deps.js";
 
 const log = createSubsystemLogger("outbound/deliver");
-const TELEGRAM_TEXT_LIMIT = 4096;
 
 export type OutboundDeliveryResult = {
   channel: Exclude<OutboundChannel, "none">;
@@ -74,6 +66,9 @@ type ChannelHandler = {
   chunkerMode?: "text" | "markdown";
   textChunkLimit?: number;
   supportsMedia: boolean;
+  normalizePayload?: (payload: ReplyPayload) => ReplyPayload | null;
+  shouldSkipPlainTextSanitization?: (payload: ReplyPayload) => boolean;
+  resolveEffectiveTextChunkLimit?: (fallbackLimit?: number) => number | undefined;
   sendPayload?: (
     payload: ReplyPayload,
     overrides?: {
@@ -81,6 +76,21 @@ type ChannelHandler = {
       threadId?: string | number | null;
     },
   ) => Promise<OutboundDeliveryResult>;
+  sendFormattedText?: (
+    text: string,
+    overrides?: {
+      replyToId?: string | null;
+      threadId?: string | number | null;
+    },
+  ) => Promise<OutboundDeliveryResult[]>;
+  sendFormattedMedia?: (
+    caption: string,
+    mediaUrl: string,
+    overrides?: {
+      replyToId?: string | null;
+      threadId?: string | number | null;
+    },
+  ) => Promise<OutboundDeliveryResult>;
   sendText: (
     text: string,
     overrides?: {
@@ -155,6 +165,20 @@ function createPluginHandler(
     chunkerMode,
     textChunkLimit: outbound.textChunkLimit,
     supportsMedia: Boolean(sendMedia),
+    normalizePayload: outbound.normalizePayload
+      ? (payload) => outbound.normalizePayload!({ payload })
+      : undefined,
+    shouldSkipPlainTextSanitization: outbound.shouldSkipPlainTextSanitization
+      ? (payload) => outbound.shouldSkipPlainTextSanitization!({ payload })
+      : undefined,
+    resolveEffectiveTextChunkLimit: outbound.resolveEffectiveTextChunkLimit
+      ? (fallbackLimit) =>
+          outbound.resolveEffectiveTextChunkLimit!({
+            cfg: params.cfg,
+            accountId: params.accountId ?? undefined,
+            fallbackLimit,
+          })
+      : undefined,
     sendPayload: outbound.sendPayload
       ? async (payload, overrides) =>
           outbound.sendPayload!({
@@ -164,6 +188,21 @@ function createPluginHandler(
             payload,
           })
       : undefined,
+    sendFormattedText: outbound.sendFormattedText
+      ? async (text, overrides) =>
+          outbound.sendFormattedText!({
+            ...resolveCtx(overrides),
+            text,
+          })
+      : undefined,
+    sendFormattedMedia: outbound.sendFormattedMedia
+      ? async (caption, mediaUrl, overrides) =>
+          outbound.sendFormattedMedia!({
+            ...resolveCtx(overrides),
+            text: caption,
+            mediaUrl,
+          })
+      : undefined,
     sendText: async (text, overrides) =>
       sendText({
         ...resolveCtx(overrides),
@@ -239,18 +278,13 @@ type MessageSentEvent = {
   messageId?: string;
 };
 
-function normalizePayloadForChannelDelivery(
-  payload: ReplyPayload,
-  channelId: string,
-): ReplyPayload | null {
+function normalizeEmptyPayloadForDelivery(payload: ReplyPayload): ReplyPayload | null {
+  const text = typeof payload.text === "string" ? payload.text : "";
   const hasChannelData = hasReplyChannelData(payload.channelData);
-  const rawText = typeof payload.text === "string" ? payload.text : "";
-  const normalizedText =
-    channelId === "whatsapp" ? rawText.replace(/^(?:[ \t]*\r?\n)+/, "") : rawText;
-  if (!normalizedText.trim()) {
+  if (!text.trim()) {
     if (
       !hasReplyContent({
-        text: normalizedText,
+        text,
         mediaUrl: payload.mediaUrl,
         mediaUrls: payload.mediaUrls,
         interactive: payload.interactive,
@@ -259,26 +293,20 @@ function normalizePayloadForChannelDelivery(
     ) {
       return null;
     }
-    return {
-      ...payload,
-      text: "",
-    };
+    if (text) {
+      return {
+        ...payload,
+        text: "",
+      };
+    }
   }
-  if (normalizedText === rawText) {
-    return payload;
-  }
-  return {
-    ...payload,
-    text: normalizedText,
-  };
+  return payload;
 }
 
 function normalizePayloadsForChannelDelivery(
   payloads: ReplyPayload[],
   channel: Exclude<OutboundChannel, "none">,
-  _cfg: OpenClawConfig,
-  _to: string,
-  _accountId?: string,
+  handler: ChannelHandler,
 ): ReplyPayload[] {
   const normalizedPayloads: ReplyPayload[] = [];
   for (const payload of normalizeReplyPayloadsForDelivery(payloads)) {
@@ -287,15 +315,19 @@ function normalizePayloadsForChannelDelivery(
     // Models occasionally produce <br>, <b>, etc. that render as literal text.
     // See https://github.com/openclaw/openclaw/issues/31884
     if (isPlainTextSurface(channel) && sanitizedPayload.text) {
-      // Telegram sendPayload uses textMode:"html". Preserve raw HTML in this path.
-      if (!(channel === "telegram" && sanitizedPayload.channelData)) {
+      if (!handler.shouldSkipPlainTextSanitization?.(sanitizedPayload)) {
         sanitizedPayload = {
           ...sanitizedPayload,
           text: sanitizeForPlainText(sanitizedPayload.text),
         };
       }
     }
-    const normalized = normalizePayloadForChannelDelivery(sanitizedPayload, channel);
+    const normalizedPayload = handler.normalizePayload
+      ? handler.normalizePayload(sanitizedPayload)
+      : sanitizedPayload;
+    const normalized = normalizedPayload
+      ? normalizeEmptyPayloadForDelivery(normalizedPayload)
+      : null;
     if (normalized) {
       normalizedPayloads.push(normalized);
     }
@@ -513,8 +545,6 @@ async function deliverOutboundPayloadsCore(
   const accountId = params.accountId;
   const deps = params.deps;
   const abortSignal = params.abortSignal;
-  const sendSignal =
-    resolveOutboundSendDep<typeof sendMessageSignal>(params.deps, "signal") ?? sendMessageSignal;
   const mediaLocalRoots = getAgentScopedMediaLocalRoots(
     cfg,
     params.session?.agentId ?? params.mirror?.agentId,
@@ -539,24 +569,10 @@ async function deliverOutboundPayloadsCore(
         fallbackLimit: handler.textChunkLimit,
       })
     : undefined;
-  const textLimit =
-    channel === "telegram" && typeof configuredTextLimit === "number"
-      ? Math.min(configuredTextLimit, TELEGRAM_TEXT_LIMIT)
-      : configuredTextLimit;
+  const textLimit = handler.resolveEffectiveTextChunkLimit
+    ? handler.resolveEffectiveTextChunkLimit(configuredTextLimit)
+    : configuredTextLimit;
   const chunkMode = handler.chunker ? resolveChunkMode(cfg, channel, accountId) : "length";
-  const isSignalChannel = channel === "signal";
-  const signalTableMode = isSignalChannel
-    ? resolveMarkdownTableMode({ cfg, channel: "signal", accountId })
-    : "code";
-  const signalMaxBytes = isSignalChannel
-    ? resolveChannelMediaMaxBytes({
-        cfg,
-        resolveChannelLimitMb: ({ cfg, accountId }) =>
-          cfg.channels?.signal?.accounts?.[accountId]?.mediaMaxMb ??
-          cfg.channels?.signal?.mediaMaxMb,
-        accountId,
-      })
-    : undefined;
 
   const sendTextChunks = async (
     text: string,
@@ -595,66 +611,7 @@ async function deliverOutboundPayloadsCore(
       results.push(await handler.sendText(chunk, overrides));
     }
   };
-
-  const sendSignalText = async (text: string, styles: SignalTextStyleRange[]) => {
-    throwIfAborted(abortSignal);
-    return {
-      channel: "signal" as const,
-      ...(await sendSignal(to, text, {
-        cfg,
-        maxBytes: signalMaxBytes,
-        accountId: accountId ?? undefined,
-        textMode: "plain",
-        textStyles: styles,
-      })),
-    };
-  };
-
-  const sendSignalTextChunks = async (text: string) => {
-    throwIfAborted(abortSignal);
-    let signalChunks =
-      textLimit === undefined
-        ? markdownToSignalTextChunks(text, Number.POSITIVE_INFINITY, {
-            tableMode: signalTableMode,
-          })
-        : markdownToSignalTextChunks(text, textLimit, { tableMode: signalTableMode });
-    if (signalChunks.length === 0 && text) {
-      signalChunks = [{ text, styles: [] }];
-    }
-    for (const chunk of signalChunks) {
-      throwIfAborted(abortSignal);
-      results.push(await sendSignalText(chunk.text, chunk.styles));
-    }
-  };
-
-  const sendSignalMedia = async (caption: string, mediaUrl: string) => {
-    throwIfAborted(abortSignal);
-    const formatted = markdownToSignalTextChunks(caption, Number.POSITIVE_INFINITY, {
-      tableMode: signalTableMode,
-    })[0] ?? {
-      text: caption,
-      styles: [],
-    };
-    return {
-      channel: "signal" as const,
-      ...(await sendSignal(to, formatted.text, {
-        cfg,
-        mediaUrl,
-        maxBytes: signalMaxBytes,
-        accountId: accountId ?? undefined,
-        textMode: "plain",
-        textStyles: formatted.styles,
-        mediaLocalRoots,
-      })),
-    };
-  };
-  const normalizedPayloads = normalizePayloadsForChannelDelivery(
-    payloads,
-    channel,
-    cfg,
-    to,
-    accountId,
-  );
+  const normalizedPayloads = normalizePayloadsForChannelDelivery(payloads, channel, handler);
   const hookRunner = getGlobalHookRunner();
   const sessionKeyForInternalHooks = params.mirror?.sessionKey ?? params.session?.key;
   const mirrorIsGroup = params.mirror?.isGroup;
@@ -724,8 +681,8 @@ async function deliverOutboundPayloadsCore(
       }
       if (payloadSummary.mediaUrls.length === 0) {
         const beforeCount = results.length;
-        if (isSignalChannel) {
-          await sendSignalTextChunks(payloadSummary.text);
+        if (handler.sendFormattedText) {
+          results.push(...(await handler.sendFormattedText(payloadSummary.text, sendOverrides)));
         } else {
           await sendTextChunks(payloadSummary.text, sendOverrides);
         }
@@ -770,8 +727,8 @@ async function deliverOutboundPayloadsCore(
         throwIfAborted(abortSignal);
         const caption = first ? payloadSummary.text : "";
         first = false;
-        if (isSignalChannel) {
-          const delivery = await sendSignalMedia(caption, url);
+        if (handler.sendFormattedMedia) {
+          const delivery = await handler.sendFormattedMedia(caption, url, sendOverrides);
           results.push(delivery);
           lastMessageId = delivery.messageId;
         } else {
diff --git a/src/infra/outbound/targets.test.ts b/src/infra/outbound/targets.test.ts
index 4da860d083f..4d9645dc130 100644
--- a/src/infra/outbound/targets.test.ts
+++ b/src/infra/outbound/targets.test.ts
@@ -1,9 +1,13 @@
-import { describe, expect, it } from "vitest";
+import { beforeEach, describe, expect, it } from "vitest";
+import { parseTelegramTarget } from "../../../extensions/telegram/src/targets.js";
 import { telegramOutbound } from "../../channels/plugins/outbound/telegram.js";
+import { whatsappOutbound } from "../../channels/plugins/outbound/whatsapp.js";
+import type { ChannelOutboundAdapter } from "../../channels/plugins/types.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import type { SessionEntry } from "../../config/sessions/types.js";
 import { setActivePluginRegistry } from "../../plugins/runtime.js";
 import { createOutboundTestPlugin, createTestRegistry } from "../../test-utils/channel-plugins.js";
+import { isWhatsAppGroupJid, normalizeWhatsAppTarget } from "../../whatsapp/normalize.js";
 import {
   resolveHeartbeatDeliveryTarget,
   resolveOutboundTarget,
@@ -17,6 +21,76 @@ import {
 
 runResolveOutboundTargetCoreTests();
 
+const telegramMessaging = {
+  parseExplicitTarget: ({ raw }: { raw: string }) => {
+    const target = parseTelegramTarget(raw);
+    return {
+      to: target.chatId,
+      threadId: target.messageThreadId,
+      chatType: target.chatType === "unknown" ? undefined : target.chatType,
+    };
+  },
+  inferTargetChatType: ({ to }: { to: string }) => {
+    const target = parseTelegramTarget(to);
+    return target.chatType === "unknown" ? undefined : target.chatType;
+  },
+};
+
+const whatsappMessaging = {
+  inferTargetChatType: ({ to }: { to: string }) => {
+    const normalized = normalizeWhatsAppTarget(to);
+    if (!normalized) {
+      return undefined;
+    }
+    return isWhatsAppGroupJid(normalized) ? ("group" as const) : ("direct" as const);
+  },
+};
+
+const noopOutbound = (channel: "discord" | "imessage" | "slack"): ChannelOutboundAdapter => ({
+  deliveryMode: "direct",
+  sendText: async () => ({ channel, messageId: `${channel}-msg` }),
+});
+
+beforeEach(() => {
+  setActivePluginRegistry(
+    createTestRegistry([
+      {
+        pluginId: "discord",
+        plugin: createOutboundTestPlugin({ id: "discord", outbound: noopOutbound("discord") }),
+        source: "test",
+      },
+      {
+        pluginId: "imessage",
+        plugin: createOutboundTestPlugin({ id: "imessage", outbound: noopOutbound("imessage") }),
+        source: "test",
+      },
+      {
+        pluginId: "slack",
+        plugin: createOutboundTestPlugin({ id: "slack", outbound: noopOutbound("slack") }),
+        source: "test",
+      },
+      {
+        pluginId: "telegram",
+        plugin: createOutboundTestPlugin({
+          id: "telegram",
+          outbound: telegramOutbound,
+          messaging: telegramMessaging,
+        }),
+        source: "test",
+      },
+      {
+        pluginId: "whatsapp",
+        plugin: createOutboundTestPlugin({
+          id: "whatsapp",
+          outbound: whatsappOutbound,
+          messaging: whatsappMessaging,
+        }),
+        source: "test",
+      },
+    ]),
+  );
+});
+
 describe("resolveOutboundTarget defaultTo config fallback", () => {
   installResolveOutboundTargetPluginRegistryHooks();
   const whatsappDefaultCfg: OpenClawConfig = {
@@ -80,7 +154,11 @@ describe("resolveOutboundTarget defaultTo config fallback", () => {
 
     registry.channels.push({
       pluginId: "telegram",
-      plugin: createOutboundTestPlugin({ id: "telegram", outbound: telegramOutbound }),
+      plugin: createOutboundTestPlugin({
+        id: "telegram",
+        outbound: telegramOutbound,
+        messaging: telegramMessaging,
+      }),
       source: "test",
     });
 
diff --git a/src/infra/outbound/targets.ts b/src/infra/outbound/targets.ts
index 9859176abbf..3a584473b8c 100644
--- a/src/infra/outbound/targets.ts
+++ b/src/infra/outbound/targets.ts
@@ -1,9 +1,3 @@
-import { parseDiscordTarget } from "../../../extensions/discord/src/targets.js";
-import { parseSlackTarget } from "../../../extensions/slack/src/targets.js";
-import {
-  parseTelegramTarget,
-  resolveTelegramTargetChatType,
-} from "../../../extensions/telegram/src/targets.js";
 import { normalizeChatType, type ChatType } from "../../channels/chat-type.js";
 import type { ChannelOutboundTargetMode } from "../../channels/plugins/types.js";
 import { formatCliCommand } from "../../cli/command-format.js";
@@ -22,7 +16,6 @@ import {
   isDeliverableMessageChannel,
   normalizeMessageChannel,
 } from "../../utils/message-channel.js";
-import { isWhatsAppGroupJid, normalizeWhatsAppTarget } from "../../whatsapp/normalize.js";
 import {
   normalizeDeliverableOutboundChannel,
   resolveOutboundChannelPlugin,
@@ -65,6 +58,26 @@ export type SessionDeliveryTarget = {
   lastThreadId?: string | number;
 };
 
+function parseExplicitTargetWithPlugin(params: {
+  channel?: DeliverableMessageChannel;
+  fallbackChannel?: DeliverableMessageChannel;
+  raw?: string;
+}) {
+  const raw = params.raw?.trim();
+  if (!raw) {
+    return null;
+  }
+  const provider = params.channel ?? params.fallbackChannel;
+  if (!provider) {
+    return null;
+  }
+  return (
+    resolveOutboundChannelPlugin({ channel: provider })?.messaging?.parseExplicitTarget?.({
+      raw,
+    }) ?? null
+  );
+}
+
 export function resolveSessionDeliveryTarget(params: {
   entry?: SessionEntry;
   requestedChannel?: GatewayMessageChannel | "last";
@@ -124,22 +137,19 @@ export function resolveSessionDeliveryTarget(params: {
     channel = params.fallbackChannel;
   }
 
-  // Parse :topic:NNN from explicitTo (Telegram topic syntax).
-  // Only applies when we positively know the channel is Telegram.
-  // When channel is unknown, the downstream send path (resolveTelegramSession)
-  // handles :topic: parsing independently.
-  const isTelegramContext = channel === "telegram" || (!channel && lastChannel === "telegram");
   let explicitTo = rawExplicitTo;
-  let parsedThreadId: number | undefined;
-  if (isTelegramContext && rawExplicitTo && rawExplicitTo.includes(":topic:")) {
-    const parsed = parseTelegramTarget(rawExplicitTo);
-    explicitTo = parsed.chatId;
-    parsedThreadId = parsed.messageThreadId;
+  const parsedExplicitTarget = parseExplicitTargetWithPlugin({
+    channel,
+    fallbackChannel: !channel ? lastChannel : undefined,
+    raw: rawExplicitTo,
+  });
+  if (parsedExplicitTarget?.to) {
+    explicitTo = parsedExplicitTarget.to;
   }
   const explicitThreadId =
     params.explicitThreadId != null && params.explicitThreadId !== ""
       ? params.explicitThreadId
-      : parsedThreadId;
+      : parsedExplicitTarget?.threadId;
 
   let to = explicitTo;
   if (!to && lastTo) {
@@ -387,70 +397,6 @@ function buildNoHeartbeatDeliveryTarget(params: {
   };
 }
 
-function inferDiscordTargetChatType(to: string): ChatType | undefined {
-  try {
-    const target = parseDiscordTarget(to, { defaultKind: "channel" });
-    if (!target) {
-      return undefined;
-    }
-    return target.kind === "user" ? "direct" : "channel";
-  } catch {
-    return undefined;
-  }
-}
-
-function inferSlackTargetChatType(to: string): ChatType | undefined {
-  const target = parseSlackTarget(to, { defaultKind: "channel" });
-  if (!target) {
-    return undefined;
-  }
-  return target.kind === "user" ? "direct" : "channel";
-}
-
-function inferTelegramTargetChatType(to: string): ChatType | undefined {
-  const chatType = resolveTelegramTargetChatType(to);
-  return chatType === "unknown" ? undefined : chatType;
-}
-
-function inferWhatsAppTargetChatType(to: string): ChatType | undefined {
-  const normalized = normalizeWhatsAppTarget(to);
-  if (!normalized) {
-    return undefined;
-  }
-  return isWhatsAppGroupJid(normalized) ? "group" : "direct";
-}
-
-function inferSignalTargetChatType(rawTo: string): ChatType | undefined {
-  let to = rawTo.trim();
-  if (!to) {
-    return undefined;
-  }
-  if (/^signal:/i.test(to)) {
-    to = to.replace(/^signal:/i, "").trim();
-  }
-  if (!to) {
-    return undefined;
-  }
-  const lower = to.toLowerCase();
-  if (lower.startsWith("group:")) {
-    return "group";
-  }
-  if (lower.startsWith("username:") || lower.startsWith("u:")) {
-    return "direct";
-  }
-  return "direct";
-}
-
-const HEARTBEAT_TARGET_CHAT_TYPE_INFERERS: Partial<
-  Record<DeliverableMessageChannel, (to: string) => ChatType | undefined>
-> = {
-  discord: inferDiscordTargetChatType,
-  slack: inferSlackTargetChatType,
-  telegram: inferTelegramTargetChatType,
-  whatsapp: inferWhatsAppTargetChatType,
-  signal: inferSignalTargetChatType,
-};
-
 function inferChatTypeFromTarget(params: {
   channel: DeliverableMessageChannel;
   to: string;
@@ -469,7 +415,9 @@ function inferChatTypeFromTarget(params: {
   if (/^group:/i.test(to)) {
     return "group";
   }
-  return HEARTBEAT_TARGET_CHAT_TYPE_INFERERS[params.channel]?.(to);
+  return resolveOutboundChannelPlugin({
+    channel: params.channel,
+  })?.messaging?.inferTargetChatType?.({ to });
 }
 
 function resolveHeartbeatDeliveryChatType(params: {
diff --git a/src/test-utils/channel-plugins.ts b/src/test-utils/channel-plugins.ts
index 2af1191feba..4f52350f8fc 100644
--- a/src/test-utils/channel-plugins.ts
+++ b/src/test-utils/channel-plugins.ts
@@ -1,6 +1,7 @@
 import type {
   ChannelCapabilities,
   ChannelId,
+  ChannelMessagingAdapter,
   ChannelOutboundAdapter,
   ChannelPlugin,
 } from "../channels/plugins/types.js";
@@ -96,6 +97,7 @@ export const createMSTeamsTestPlugin = (params?: {
 export const createOutboundTestPlugin = (params: {
   id: ChannelId;
   outbound: ChannelOutboundAdapter;
+  messaging?: ChannelMessagingAdapter;
   label?: string;
   docsPath?: string;
   capabilities?: ChannelCapabilities;
@@ -108,4 +110,5 @@ export const createOutboundTestPlugin = (params: {
     config: { listAccountIds: () => [] },
   }),
   outbound: params.outbound,
+  ...(params.messaging ? { messaging: params.messaging } : {}),
 });

From c7137270d170d10a9e27f3e5a6f6979dd24b0223 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Sun, 15 Mar 2026 23:30:04 -0700
Subject: [PATCH 043/133] Security: split audit runtime surfaces

---
 src/security/audit-channel.collect.runtime.ts |  1 +
 src/security/audit-channel.runtime.ts         |  8 +-
 src/security/audit.deep.runtime.ts            |  4 +
 src/security/audit.nondeep.runtime.ts         | 26 +++++
 src/security/audit.ts                         | 94 +++++++++----------
 5 files changed, 81 insertions(+), 52 deletions(-)
 create mode 100644 src/security/audit-channel.collect.runtime.ts
 create mode 100644 src/security/audit.deep.runtime.ts
 create mode 100644 src/security/audit.nondeep.runtime.ts

diff --git a/src/security/audit-channel.collect.runtime.ts b/src/security/audit-channel.collect.runtime.ts
new file mode 100644
index 00000000000..6a33ff6a93a
--- /dev/null
+++ b/src/security/audit-channel.collect.runtime.ts
@@ -0,0 +1 @@
+export { collectChannelSecurityFindings } from "./audit-channel.js";
diff --git a/src/security/audit-channel.runtime.ts b/src/security/audit-channel.runtime.ts
index 147f686862a..71fa1cbea6c 100644
--- a/src/security/audit-channel.runtime.ts
+++ b/src/security/audit-channel.runtime.ts
@@ -1,9 +1,9 @@
-export {
-  isNumericTelegramUserId,
-  normalizeTelegramAllowFromEntry,
-} from "../../extensions/telegram/src/allow-from.js";
 export { readChannelAllowFromStore } from "../pairing/pairing-store.js";
 export {
   isDiscordMutableAllowEntry,
   isZalouserMutableGroupEntry,
 } from "./mutable-allowlist-detectors.js";
+export {
+  isNumericTelegramUserId,
+  normalizeTelegramAllowFromEntry,
+} from "../../extensions/telegram/src/allow-from.js";
diff --git a/src/security/audit.deep.runtime.ts b/src/security/audit.deep.runtime.ts
new file mode 100644
index 00000000000..25662225d9c
--- /dev/null
+++ b/src/security/audit.deep.runtime.ts
@@ -0,0 +1,4 @@
+export {
+  collectInstalledSkillsCodeSafetyFindings,
+  collectPluginsCodeSafetyFindings,
+} from "./audit-extra.async.js";
diff --git a/src/security/audit.nondeep.runtime.ts b/src/security/audit.nondeep.runtime.ts
new file mode 100644
index 00000000000..5a962bf8386
--- /dev/null
+++ b/src/security/audit.nondeep.runtime.ts
@@ -0,0 +1,26 @@
+export {
+  collectAttackSurfaceSummaryFindings,
+  collectExposureMatrixFindings,
+  collectGatewayHttpNoAuthFindings,
+  collectGatewayHttpSessionKeyOverrideFindings,
+  collectHooksHardeningFindings,
+  collectLikelyMultiUserSetupFindings,
+  collectMinimalProfileOverrideFindings,
+  collectModelHygieneFindings,
+  collectNodeDangerousAllowCommandFindings,
+  collectNodeDenyCommandPatternFindings,
+  collectSandboxDangerousConfigFindings,
+  collectSandboxDockerNoopFindings,
+  collectSecretsInConfigFindings,
+  collectSmallModelRiskFindings,
+  collectSyncedFolderFindings,
+} from "./audit-extra.sync.js";
+
+export {
+  collectSandboxBrowserHashLabelFindings,
+  collectIncludeFilePermFindings,
+  collectPluginsTrustFindings,
+  collectStateDeepFilesystemFindings,
+  collectWorkspaceSkillSymlinkEscapeFindings,
+  readConfigSnapshotForAudit,
+} from "./audit-extra.async.js";
diff --git a/src/security/audit.ts b/src/security/audit.ts
index 0b13ecc5531..4e3ef0a6920 100644
--- a/src/security/audit.ts
+++ b/src/security/audit.ts
@@ -21,32 +21,6 @@ import {
 } from "../infra/exec-safe-bin-runtime-policy.js";
 import { normalizeTrustedSafeBinDirs } from "../infra/exec-safe-bin-trust.js";
 import { isBlockedHostnameOrIp, isPrivateNetworkAllowedByPolicy } from "../infra/net/ssrf.js";
-import { collectChannelSecurityFindings } from "./audit-channel.js";
-import {
-  collectAttackSurfaceSummaryFindings,
-  collectExposureMatrixFindings,
-  collectGatewayHttpNoAuthFindings,
-  collectGatewayHttpSessionKeyOverrideFindings,
-  collectHooksHardeningFindings,
-  collectIncludeFilePermFindings,
-  collectInstalledSkillsCodeSafetyFindings,
-  collectLikelyMultiUserSetupFindings,
-  collectSandboxBrowserHashLabelFindings,
-  collectMinimalProfileOverrideFindings,
-  collectModelHygieneFindings,
-  collectNodeDangerousAllowCommandFindings,
-  collectNodeDenyCommandPatternFindings,
-  collectSmallModelRiskFindings,
-  collectSandboxDangerousConfigFindings,
-  collectSandboxDockerNoopFindings,
-  collectPluginsTrustFindings,
-  collectSecretsInConfigFindings,
-  collectPluginsCodeSafetyFindings,
-  collectStateDeepFilesystemFindings,
-  collectSyncedFolderFindings,
-  collectWorkspaceSkillSymlinkEscapeFindings,
-  readConfigSnapshotForAudit,
-} from "./audit-extra.js";
 import {
   formatPermissionDetail,
   formatPermissionRemediation,
@@ -138,12 +112,32 @@ type AuditExecutionContext = {
 };
 
 let channelPluginsModulePromise: Promise<typeof import("../channels/plugins/index.js")> | undefined;
+let auditNonDeepModulePromise: Promise<typeof import("./audit.nondeep.runtime.js")> | undefined;
+let auditDeepModulePromise: Promise<typeof import("./audit.deep.runtime.js")> | undefined;
+let auditChannelModulePromise:
+  | Promise<typeof import("./audit-channel.collect.runtime.js")>
+  | undefined;
 
 async function loadChannelPlugins() {
   channelPluginsModulePromise ??= import("../channels/plugins/index.js");
   return await channelPluginsModulePromise;
 }
 
+async function loadAuditNonDeepModule() {
+  auditNonDeepModulePromise ??= import("./audit.nondeep.runtime.js");
+  return await auditNonDeepModulePromise;
+}
+
+async function loadAuditDeepModule() {
+  auditDeepModulePromise ??= import("./audit.deep.runtime.js");
+  return await auditDeepModulePromise;
+}
+
+async function loadAuditChannelModule() {
+  auditChannelModulePromise ??= import("./audit-channel.collect.runtime.js");
+  return await auditChannelModulePromise;
+}
+
 function countBySeverity(findings: SecurityAuditFinding[]): SecurityAuditSummary {
   let critical = 0;
   let warn = 0;
@@ -1144,6 +1138,7 @@ async function createAuditExecutionContext(
   const deepTimeoutMs = Math.max(250, opts.deepTimeoutMs ?? 5000);
   const stateDir = opts.stateDir ?? resolveStateDir(env);
   const configPath = opts.configPath ?? resolveConfigPath(env, stateDir);
+  const { readConfigSnapshotForAudit } = await loadAuditNonDeepModule();
   const configSnapshot = includeFilesystem
     ? opts.configSnapshot !== undefined
       ? opts.configSnapshot
@@ -1174,28 +1169,29 @@ export async function runSecurityAudit(opts: SecurityAuditOptions): Promise<Secu
   const findings: SecurityAuditFinding[] = [];
   const context = await createAuditExecutionContext(opts);
   const { cfg, env, platform, stateDir, configPath } = context;
+  const auditNonDeep = await loadAuditNonDeepModule();
 
-  findings.push(...collectAttackSurfaceSummaryFindings(cfg));
-  findings.push(...collectSyncedFolderFindings({ stateDir, configPath }));
+  findings.push(...auditNonDeep.collectAttackSurfaceSummaryFindings(cfg));
+  findings.push(...auditNonDeep.collectSyncedFolderFindings({ stateDir, configPath }));
 
   findings.push(...collectGatewayConfigFindings(cfg, context.sourceConfig, env));
   findings.push(...collectBrowserControlFindings(cfg, env));
   findings.push(...collectLoggingFindings(cfg));
   findings.push(...collectElevatedFindings(cfg));
   findings.push(...collectExecRuntimeFindings(cfg));
-  findings.push(...collectHooksHardeningFindings(cfg, env));
-  findings.push(...collectGatewayHttpNoAuthFindings(cfg, env));
-  findings.push(...collectGatewayHttpSessionKeyOverrideFindings(cfg));
-  findings.push(...collectSandboxDockerNoopFindings(cfg));
-  findings.push(...collectSandboxDangerousConfigFindings(cfg));
-  findings.push(...collectNodeDenyCommandPatternFindings(cfg));
-  findings.push(...collectNodeDangerousAllowCommandFindings(cfg));
-  findings.push(...collectMinimalProfileOverrideFindings(cfg));
-  findings.push(...collectSecretsInConfigFindings(cfg));
-  findings.push(...collectModelHygieneFindings(cfg));
-  findings.push(...collectSmallModelRiskFindings({ cfg, env }));
-  findings.push(...collectExposureMatrixFindings(cfg));
-  findings.push(...collectLikelyMultiUserSetupFindings(cfg));
+  findings.push(...auditNonDeep.collectHooksHardeningFindings(cfg, env));
+  findings.push(...auditNonDeep.collectGatewayHttpNoAuthFindings(cfg, env));
+  findings.push(...auditNonDeep.collectGatewayHttpSessionKeyOverrideFindings(cfg));
+  findings.push(...auditNonDeep.collectSandboxDockerNoopFindings(cfg));
+  findings.push(...auditNonDeep.collectSandboxDangerousConfigFindings(cfg));
+  findings.push(...auditNonDeep.collectNodeDenyCommandPatternFindings(cfg));
+  findings.push(...auditNonDeep.collectNodeDangerousAllowCommandFindings(cfg));
+  findings.push(...auditNonDeep.collectMinimalProfileOverrideFindings(cfg));
+  findings.push(...auditNonDeep.collectSecretsInConfigFindings(cfg));
+  findings.push(...auditNonDeep.collectModelHygieneFindings(cfg));
+  findings.push(...auditNonDeep.collectSmallModelRiskFindings({ cfg, env }));
+  findings.push(...auditNonDeep.collectExposureMatrixFindings(cfg));
+  findings.push(...auditNonDeep.collectLikelyMultiUserSetupFindings(cfg));
 
   if (context.includeFilesystem) {
     findings.push(
@@ -1209,7 +1205,7 @@ export async function runSecurityAudit(opts: SecurityAuditOptions): Promise<Secu
     );
     if (context.configSnapshot) {
       findings.push(
-        ...(await collectIncludeFilePermFindings({
+        ...(await auditNonDeep.collectIncludeFilePermFindings({
           configSnapshot: context.configSnapshot,
           env,
           platform,
@@ -1218,7 +1214,7 @@ export async function runSecurityAudit(opts: SecurityAuditOptions): Promise<Secu
       );
     }
     findings.push(
-      ...(await collectStateDeepFilesystemFindings({
+      ...(await auditNonDeep.collectStateDeepFilesystemFindings({
         cfg,
         env,
         stateDir,
@@ -1226,22 +1222,23 @@ export async function runSecurityAudit(opts: SecurityAuditOptions): Promise<Secu
         execIcacls: context.execIcacls,
       })),
     );
-    findings.push(...(await collectWorkspaceSkillSymlinkEscapeFindings({ cfg })));
+    findings.push(...(await auditNonDeep.collectWorkspaceSkillSymlinkEscapeFindings({ cfg })));
     findings.push(
-      ...(await collectSandboxBrowserHashLabelFindings({
+      ...(await auditNonDeep.collectSandboxBrowserHashLabelFindings({
         execDockerRawFn: context.execDockerRawFn,
       })),
     );
-    findings.push(...(await collectPluginsTrustFindings({ cfg, stateDir })));
+    findings.push(...(await auditNonDeep.collectPluginsTrustFindings({ cfg, stateDir })));
     if (context.deep) {
+      const auditDeep = await loadAuditDeepModule();
       findings.push(
-        ...(await collectPluginsCodeSafetyFindings({
+        ...(await auditDeep.collectPluginsCodeSafetyFindings({
           stateDir,
           summaryCache: context.codeSafetySummaryCache,
         })),
       );
       findings.push(
-        ...(await collectInstalledSkillsCodeSafetyFindings({
+        ...(await auditDeep.collectInstalledSkillsCodeSafetyFindings({
           cfg,
           stateDir,
           summaryCache: context.codeSafetySummaryCache,
@@ -1255,6 +1252,7 @@ export async function runSecurityAudit(opts: SecurityAuditOptions): Promise<Secu
     (context.plugins !== undefined || hasPotentialConfiguredChannels(cfg, env));
   if (shouldAuditChannelSecurity) {
     const channelPlugins = context.plugins ?? (await loadChannelPlugins()).listChannelPlugins();
+    const { collectChannelSecurityFindings } = await loadAuditChannelModule();
     findings.push(
       ...(await collectChannelSecurityFindings({
         cfg,

From bd67f3336414da8fee874aa160a3a95db2da243e Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Sun, 15 Mar 2026 23:30:10 -0700
Subject: [PATCH 044/133] Tests: add channel actions contract helper

---
 src/test-utils/channel-actions-contract.ts | 53 ++++++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 src/test-utils/channel-actions-contract.ts

diff --git a/src/test-utils/channel-actions-contract.ts b/src/test-utils/channel-actions-contract.ts
new file mode 100644
index 00000000000..12d7d7046f5
--- /dev/null
+++ b/src/test-utils/channel-actions-contract.ts
@@ -0,0 +1,53 @@
+import { expect, it } from "vitest";
+import type { ChannelMessageCapability } from "../channels/plugins/message-capabilities.js";
+import type { ChannelMessageActionName, ChannelPlugin } from "../channels/plugins/types.js";
+import type { OpenClawConfig } from "../config/config.js";
+
+type ChannelActionsContractCase = {
+  name: string;
+  cfg: OpenClawConfig;
+  expectedActions: readonly ChannelMessageActionName[];
+  expectedCapabilities?: readonly ChannelMessageCapability[];
+  beforeTest?: () => void;
+};
+
+export function installChannelActionsContractSuite(params: {
+  plugin: Pick<ChannelPlugin, "id" | "actions">;
+  cases: readonly ChannelActionsContractCase[];
+  unsupportedAction?: ChannelMessageActionName;
+}) {
+  it("exposes the base message actions contract", () => {
+    expect(params.plugin.actions).toBeDefined();
+    expect(typeof params.plugin.actions?.listActions).toBe("function");
+  });
+
+  for (const testCase of params.cases) {
+    it(`actions contract: ${testCase.name}`, () => {
+      testCase.beforeTest?.();
+
+      const actions = params.plugin.actions?.listActions?.({ cfg: testCase.cfg }) ?? [];
+      const capabilities = params.plugin.actions?.getCapabilities?.({ cfg: testCase.cfg }) ?? [];
+
+      expect(actions).toEqual([...new Set(actions)]);
+      expect(capabilities).toEqual([...new Set(capabilities)]);
+      expect(actions.toSorted()).toEqual([...testCase.expectedActions].toSorted());
+      expect(capabilities.toSorted()).toEqual(
+        [...(testCase.expectedCapabilities ?? [])].toSorted(),
+      );
+
+      if (params.plugin.actions?.supportsAction) {
+        for (const action of testCase.expectedActions) {
+          expect(params.plugin.actions.supportsAction({ action })).toBe(true);
+        }
+        if (
+          params.unsupportedAction &&
+          !testCase.expectedActions.includes(params.unsupportedAction)
+        ) {
+          expect(params.plugin.actions.supportsAction({ action: params.unsupportedAction })).toBe(
+            false,
+          );
+        }
+      }
+    });
+  }
+}

From c01515672f6b62ccddffda6b40d4912cc6eb2e1a Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Sun, 15 Mar 2026 23:30:42 -0700
Subject: [PATCH 045/133] Tests: add channel plugin contract helper

---
 src/test-utils/channel-plugin-contract.ts | 24 +++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 src/test-utils/channel-plugin-contract.ts

diff --git a/src/test-utils/channel-plugin-contract.ts b/src/test-utils/channel-plugin-contract.ts
new file mode 100644
index 00000000000..b2912befd0b
--- /dev/null
+++ b/src/test-utils/channel-plugin-contract.ts
@@ -0,0 +1,24 @@
+import { expect, it } from "vitest";
+import type { ChannelPlugin } from "../channels/plugins/types.js";
+
+export function installChannelPluginContractSuite(params: {
+  plugin: Pick<ChannelPlugin, "id" | "meta" | "capabilities" | "config">;
+}) {
+  it("satisfies the base channel plugin contract", () => {
+    const { plugin } = params;
+
+    expect(typeof plugin.id).toBe("string");
+    expect(plugin.id.trim()).not.toBe("");
+
+    expect(plugin.meta.id).toBe(plugin.id);
+    expect(plugin.meta.label.trim()).not.toBe("");
+    expect(plugin.meta.selectionLabel.trim()).not.toBe("");
+    expect(plugin.meta.docsPath).toMatch(/^\/channels\//);
+    expect(plugin.meta.blurb.trim()).not.toBe("");
+
+    expect(plugin.capabilities.chatTypes.length).toBeGreaterThan(0);
+
+    expect(typeof plugin.config.listAccountIds).toBe("function");
+    expect(typeof plugin.config.resolveAccount).toBe("function");
+  });
+}

From 4ae80407a680e8007a4c7e15b7391806256a80e1 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Sun, 15 Mar 2026 23:31:22 -0700
Subject: [PATCH 046/133] Tests: add Slack channel contract suite

---
 extensions/slack/src/channel.contract.test.ts | 85 +++++++++++++++++++
 1 file changed, 85 insertions(+)
 create mode 100644 extensions/slack/src/channel.contract.test.ts

diff --git a/extensions/slack/src/channel.contract.test.ts b/extensions/slack/src/channel.contract.test.ts
new file mode 100644
index 00000000000..3fd0e23dab5
--- /dev/null
+++ b/extensions/slack/src/channel.contract.test.ts
@@ -0,0 +1,85 @@
+import type { OpenClawConfig } from "openclaw/plugin-sdk/slack";
+import { describe } from "vitest";
+import { installChannelActionsContractSuite } from "../../../src/test-utils/channel-actions-contract.js";
+import { installChannelPluginContractSuite } from "../../../src/test-utils/channel-plugin-contract.js";
+import { slackPlugin } from "./channel.js";
+
+describe("slackPlugin contract", () => {
+  installChannelPluginContractSuite({
+    plugin: slackPlugin,
+  });
+
+  installChannelActionsContractSuite({
+    plugin: slackPlugin,
+    unsupportedAction: "poll",
+    cases: [
+      {
+        name: "configured account exposes default Slack actions",
+        cfg: {
+          channels: {
+            slack: {
+              botToken: "xoxb-test",
+              appToken: "xapp-test",
+            },
+          },
+        } as OpenClawConfig,
+        expectedActions: [
+          "send",
+          "react",
+          "reactions",
+          "read",
+          "edit",
+          "delete",
+          "download-file",
+          "pin",
+          "unpin",
+          "list-pins",
+          "member-info",
+          "emoji-list",
+        ],
+        expectedCapabilities: ["blocks"],
+      },
+      {
+        name: "interactive replies add the shared interactive capability",
+        cfg: {
+          channels: {
+            slack: {
+              botToken: "xoxb-test",
+              appToken: "xapp-test",
+              capabilities: {
+                interactiveReplies: true,
+              },
+            },
+          },
+        } as OpenClawConfig,
+        expectedActions: [
+          "send",
+          "react",
+          "reactions",
+          "read",
+          "edit",
+          "delete",
+          "download-file",
+          "pin",
+          "unpin",
+          "list-pins",
+          "member-info",
+          "emoji-list",
+        ],
+        expectedCapabilities: ["blocks", "interactive"],
+      },
+      {
+        name: "missing tokens disables the actions surface",
+        cfg: {
+          channels: {
+            slack: {
+              enabled: true,
+            },
+          },
+        } as OpenClawConfig,
+        expectedActions: [],
+        expectedCapabilities: [],
+      },
+    ],
+  });
+});

From 13090da3ac3496512ee0ea4220950fa48bd56a17 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Sun, 15 Mar 2026 23:31:29 -0700
Subject: [PATCH 047/133] Tests: add Mattermost channel contract suite

---
 .../mattermost/src/channel.contract.test.ts   | 59 +++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 extensions/mattermost/src/channel.contract.test.ts

diff --git a/extensions/mattermost/src/channel.contract.test.ts b/extensions/mattermost/src/channel.contract.test.ts
new file mode 100644
index 00000000000..96f5fe9ed4a
--- /dev/null
+++ b/extensions/mattermost/src/channel.contract.test.ts
@@ -0,0 +1,59 @@
+import type { OpenClawConfig } from "openclaw/plugin-sdk/mattermost";
+import { describe } from "vitest";
+import { installChannelActionsContractSuite } from "../../../src/test-utils/channel-actions-contract.js";
+import { installChannelPluginContractSuite } from "../../../src/test-utils/channel-plugin-contract.js";
+import { mattermostPlugin } from "./channel.js";
+
+describe("mattermostPlugin contract", () => {
+  installChannelPluginContractSuite({
+    plugin: mattermostPlugin,
+  });
+
+  installChannelActionsContractSuite({
+    plugin: mattermostPlugin,
+    unsupportedAction: "poll",
+    cases: [
+      {
+        name: "configured account exposes send and react",
+        cfg: {
+          channels: {
+            mattermost: {
+              enabled: true,
+              botToken: "test-token",
+              baseUrl: "https://chat.example.com",
+            },
+          },
+        } as OpenClawConfig,
+        expectedActions: ["send", "react"],
+        expectedCapabilities: ["buttons"],
+      },
+      {
+        name: "reactions can be disabled while send stays available",
+        cfg: {
+          channels: {
+            mattermost: {
+              enabled: true,
+              botToken: "test-token",
+              baseUrl: "https://chat.example.com",
+              actions: { reactions: false },
+            },
+          },
+        } as OpenClawConfig,
+        expectedActions: ["send"],
+        expectedCapabilities: ["buttons"],
+      },
+      {
+        name: "missing bot credentials disables the actions surface",
+        cfg: {
+          channels: {
+            mattermost: {
+              enabled: true,
+            },
+          },
+        } as OpenClawConfig,
+        expectedActions: [],
+        expectedCapabilities: [],
+      },
+    ],
+  });
+});

From 4fc3492da516998c63b09ccee534090084ea326a Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Sun, 15 Mar 2026 23:31:34 -0700
Subject: [PATCH 048/133] Tests: add Telegram channel contract suite

---
 .../telegram/src/channel.contract.test.ts     | 49 +++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 extensions/telegram/src/channel.contract.test.ts

diff --git a/extensions/telegram/src/channel.contract.test.ts b/extensions/telegram/src/channel.contract.test.ts
new file mode 100644
index 00000000000..164f862949d
--- /dev/null
+++ b/extensions/telegram/src/channel.contract.test.ts
@@ -0,0 +1,49 @@
+import type { OpenClawConfig } from "openclaw/plugin-sdk/telegram";
+import { afterEach, describe, vi } from "vitest";
+import { installChannelActionsContractSuite } from "../../../src/test-utils/channel-actions-contract.js";
+import { installChannelPluginContractSuite } from "../../../src/test-utils/channel-plugin-contract.js";
+
+const telegramListActionsMock = vi.fn();
+const telegramGetCapabilitiesMock = vi.fn();
+
+vi.mock("./runtime.js", () => ({
+  getTelegramRuntime: () => ({
+    channel: {
+      telegram: {
+        messageActions: {
+          listActions: telegramListActionsMock,
+          getCapabilities: telegramGetCapabilitiesMock,
+        },
+      },
+    },
+  }),
+}));
+
+const { telegramPlugin } = await import("./channel.js");
+
+describe("telegramPlugin contract", () => {
+  afterEach(() => {
+    telegramListActionsMock.mockReset();
+    telegramGetCapabilitiesMock.mockReset();
+  });
+
+  installChannelPluginContractSuite({
+    plugin: telegramPlugin,
+  });
+
+  installChannelActionsContractSuite({
+    plugin: telegramPlugin,
+    cases: [
+      {
+        name: "forwards runtime-backed Telegram actions and capabilities",
+        cfg: {} as OpenClawConfig,
+        expectedActions: ["send", "poll", "react"],
+        expectedCapabilities: ["interactive", "buttons"],
+        beforeTest: () => {
+          telegramListActionsMock.mockReturnValue(["send", "poll", "react"]);
+          telegramGetCapabilitiesMock.mockReturnValue(["interactive", "buttons"]);
+        },
+      },
+    ],
+  });
+});

From 3838ef9b2a836792566fae1122a75e3b77545db5 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Sun, 15 Mar 2026 23:31:39 -0700
Subject: [PATCH 049/133] Tests: add Discord channel contract suite

---
 .../discord/src/channel.contract.test.ts      | 49 +++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 extensions/discord/src/channel.contract.test.ts

diff --git a/extensions/discord/src/channel.contract.test.ts b/extensions/discord/src/channel.contract.test.ts
new file mode 100644
index 00000000000..3a651e6e26b
--- /dev/null
+++ b/extensions/discord/src/channel.contract.test.ts
@@ -0,0 +1,49 @@
+import type { OpenClawConfig } from "openclaw/plugin-sdk/discord";
+import { afterEach, describe, vi } from "vitest";
+import { installChannelActionsContractSuite } from "../../../src/test-utils/channel-actions-contract.js";
+import { installChannelPluginContractSuite } from "../../../src/test-utils/channel-plugin-contract.js";
+
+const discordListActionsMock = vi.fn();
+const discordGetCapabilitiesMock = vi.fn();
+
+vi.mock("./runtime.js", () => ({
+  getDiscordRuntime: () => ({
+    channel: {
+      discord: {
+        messageActions: {
+          listActions: discordListActionsMock,
+          getCapabilities: discordGetCapabilitiesMock,
+        },
+      },
+    },
+  }),
+}));
+
+const { discordPlugin } = await import("./channel.js");
+
+describe("discordPlugin contract", () => {
+  afterEach(() => {
+    discordListActionsMock.mockReset();
+    discordGetCapabilitiesMock.mockReset();
+  });
+
+  installChannelPluginContractSuite({
+    plugin: discordPlugin,
+  });
+
+  installChannelActionsContractSuite({
+    plugin: discordPlugin,
+    cases: [
+      {
+        name: "forwards runtime-backed Discord actions and capabilities",
+        cfg: {} as OpenClawConfig,
+        expectedActions: ["send", "react", "poll"],
+        expectedCapabilities: ["interactive", "components"],
+        beforeTest: () => {
+          discordListActionsMock.mockReturnValue(["send", "react", "poll"]);
+          discordGetCapabilitiesMock.mockReturnValue(["interactive", "components"]);
+        },
+      },
+    ],
+  });
+});

From 623ba1403108b0330b740c9765e90cfe85dd203a Mon Sep 17 00:00:00 2001
From: brokemac79 <brokemac79@users.noreply.github.com>
Date: Mon, 16 Mar 2026 02:18:02 +0000
Subject: [PATCH 050/133] fix(session): preserve external channel route when
 webchat views session (#47745)

When a Telegram/WhatsApp/iMessage session was viewed or messaged from the
dashboard/webchat, resolveLastChannelRaw() unconditionally returned 'webchat'
for any isDirectSessionKey() or isMainSessionKey() match, overwriting the
persisted external delivery route.

This caused subagent completion events to be delivered to the webchat/dashboard
instead of the original channel (Telegram, WhatsApp, etc.), silently dropping
messages for the channel user.

Fix: only allow webchat to own routing when no external delivery route has been
established (no persisted external lastChannel, no external channel hint in the
session key). If an external route exists, webchat is treated as admin/monitoring
access and must not mutate the delivery route.

Updated/added tests to document the correct behaviour.

Fixes #47745
---
 src/auto-reply/reply/session-delivery.test.ts | 41 +++++++-----
 src/auto-reply/reply/session-delivery.ts      | 26 ++++++--
 src/auto-reply/reply/session.test.ts          | 65 +++++++++++++++----
 3 files changed, 96 insertions(+), 36 deletions(-)

diff --git a/src/auto-reply/reply/session-delivery.test.ts b/src/auto-reply/reply/session-delivery.test.ts
index 2bfb4812f64..bd5f0d7c27b 100644
--- a/src/auto-reply/reply/session-delivery.test.ts
+++ b/src/auto-reply/reply/session-delivery.test.ts
@@ -9,24 +9,29 @@ describe("session delivery direct-session routing overrides", () => {
     "agent:main:telegram:dm:123456",
     "agent:main:telegram:direct:123456:thread:99",
     "agent:main:telegram:account-a:direct:123456:topic:ops",
-  ])("lets webchat override persisted routes for strict direct key %s", (sessionKey) => {
-    expect(
-      resolveLastChannelRaw({
-        originatingChannelRaw: "webchat",
-        persistedLastChannel: "telegram",
-        sessionKey,
-      }),
-    ).toBe("webchat");
-    expect(
-      resolveLastToRaw({
-        originatingChannelRaw: "webchat",
-        originatingToRaw: "session:dashboard",
-        persistedLastChannel: "telegram",
-        persistedLastTo: "123456",
-        sessionKey,
-      }),
-    ).toBe("session:dashboard");
-  });
+  ])(
+    "preserves persisted external route when webchat accesses channel-peer session %s (fixes #47745)",
+    (sessionKey) => {
+      // Webchat/dashboard viewing an external-channel session must not overwrite
+      // the delivery route — subagents must still deliver to the original channel.
+      expect(
+        resolveLastChannelRaw({
+          originatingChannelRaw: "webchat",
+          persistedLastChannel: "telegram",
+          sessionKey,
+        }),
+      ).toBe("telegram");
+      expect(
+        resolveLastToRaw({
+          originatingChannelRaw: "webchat",
+          originatingToRaw: "session:dashboard",
+          persistedLastChannel: "telegram",
+          persistedLastTo: "123456",
+          sessionKey,
+        }),
+      ).toBe("123456");
+    },
+  );
 
   it.each([
     "agent:main:main:direct",
diff --git a/src/auto-reply/reply/session-delivery.ts b/src/auto-reply/reply/session-delivery.ts
index ef2f0cde227..1197b7c5245 100644
--- a/src/auto-reply/reply/session-delivery.ts
+++ b/src/auto-reply/reply/session-delivery.ts
@@ -90,16 +90,25 @@ export function resolveLastChannelRaw(params: {
   sessionKey?: string;
 }): string | undefined {
   const originatingChannel = normalizeMessageChannel(params.originatingChannelRaw);
-  // WebChat should own reply routing for direct-session UI turns, even when the
-  // session previously replied through an external channel like iMessage.
+  // WebChat should own reply routing for direct-session UI turns, but only when
+  // the session has no established external delivery route. If the session was
+  // created via an external channel (e.g. Telegram, iMessage), webchat/dashboard
+  // access must not overwrite the persisted route — doing so causes subagent
+  // completion events to be delivered to the dashboard instead of the original
+  // channel. See: https://github.com/openclaw/openclaw/issues/47745
+  const persistedChannel = normalizeMessageChannel(params.persistedLastChannel);
+  const sessionKeyChannelHintForCheck = resolveSessionKeyChannelHint(params.sessionKey);
+  const hasEstablishedExternalRoute =
+    isExternalRoutingChannel(persistedChannel) ||
+    isExternalRoutingChannel(sessionKeyChannelHintForCheck);
   if (
     originatingChannel === INTERNAL_MESSAGE_CHANNEL &&
+    !hasEstablishedExternalRoute &&
     (isMainSessionKey(params.sessionKey) || isDirectSessionKey(params.sessionKey))
   ) {
     return params.originatingChannelRaw;
   }
-  const persistedChannel = normalizeMessageChannel(params.persistedLastChannel);
-  const sessionKeyChannelHint = resolveSessionKeyChannelHint(params.sessionKey);
+  const sessionKeyChannelHint = sessionKeyChannelHintForCheck;
   let resolved = params.originatingChannelRaw || params.persistedLastChannel;
   // Internal/non-deliverable sources should not overwrite previously known
   // external delivery routes (or explicit channel hints from the session key).
@@ -122,14 +131,19 @@ export function resolveLastToRaw(params: {
   sessionKey?: string;
 }): string | undefined {
   const originatingChannel = normalizeMessageChannel(params.originatingChannelRaw);
+  const persistedChannel = normalizeMessageChannel(params.persistedLastChannel);
+  const sessionKeyChannelHintForToCheck = resolveSessionKeyChannelHint(params.sessionKey);
+  const hasEstablishedExternalRouteForTo =
+    isExternalRoutingChannel(persistedChannel) ||
+    isExternalRoutingChannel(sessionKeyChannelHintForToCheck);
   if (
     originatingChannel === INTERNAL_MESSAGE_CHANNEL &&
+    !hasEstablishedExternalRouteForTo &&
     (isMainSessionKey(params.sessionKey) || isDirectSessionKey(params.sessionKey))
   ) {
     return params.originatingToRaw || params.toRaw;
   }
-  const persistedChannel = normalizeMessageChannel(params.persistedLastChannel);
-  const sessionKeyChannelHint = resolveSessionKeyChannelHint(params.sessionKey);
+  const sessionKeyChannelHint = sessionKeyChannelHintForToCheck;
 
   // When the turn originates from an internal/non-deliverable source, do not
   // replace an established external destination with internal routing ids
diff --git a/src/auto-reply/reply/session.test.ts b/src/auto-reply/reply/session.test.ts
index db0870b704a..5c382a74aa9 100644
--- a/src/auto-reply/reply/session.test.ts
+++ b/src/auto-reply/reply/session.test.ts
@@ -1942,8 +1942,11 @@ describe("initSessionState internal channel routing preservation", () => {
     expect(result.sessionEntry.deliveryContext?.to).toBe("group:12345");
   });
 
-  it("lets direct webchat turns override persisted external routes for per-channel-peer sessions", async () => {
-    const storePath = await createStorePath("webchat-direct-route-override-");
+  it("preserves persisted external route when webchat views a channel-peer session (fixes #47745)", async () => {
+    // Regression: dashboard/webchat access must not overwrite an established
+    // external delivery route (e.g. Telegram/iMessage) on a channel-scoped session.
+    // Subagent completions should still be delivered to the original channel.
+    const storePath = await createStorePath("webchat-direct-route-preserve-");
     const sessionKey = "agent:main:imessage:direct:+1555";
     await writeSessionStoreFast(storePath, {
       [sessionKey]: {
@@ -1973,6 +1976,40 @@ describe("initSessionState internal channel routing preservation", () => {
       commandAuthorized: true,
     });
 
+    // External route must be preserved — webchat is admin/monitoring only
+    expect(result.sessionEntry.lastChannel).toBe("imessage");
+    expect(result.sessionEntry.lastTo).toBe("+1555");
+    expect(result.sessionEntry.deliveryContext?.channel).toBe("imessage");
+    expect(result.sessionEntry.deliveryContext?.to).toBe("+1555");
+  });
+
+  it("lets direct webchat turns own routing for sessions with no prior external route", async () => {
+    // Webchat should still own routing for sessions that were created via webchat
+    // (no external channel ever established).
+    const storePath = await createStorePath("webchat-direct-route-noext-");
+    const sessionKey = "agent:main:main";
+    await writeSessionStoreFast(storePath, {
+      [sessionKey]: {
+        sessionId: "sess-webchat-noext",
+        updatedAt: Date.now(),
+      },
+    });
+    const cfg = {
+      session: { store: storePath, dmScope: "per-channel-peer" },
+    } as OpenClawConfig;
+
+    const result = await initSessionState({
+      ctx: {
+        Body: "reply from control ui",
+        SessionKey: sessionKey,
+        OriginatingChannel: "webchat",
+        OriginatingTo: "session:dashboard",
+        Surface: "webchat",
+      },
+      cfg,
+      commandAuthorized: true,
+    });
+
     expect(result.sessionEntry.lastChannel).toBe("webchat");
     expect(result.sessionEntry.lastTo).toBe("session:dashboard");
     expect(result.sessionEntry.deliveryContext?.channel).toBe("webchat");
@@ -2068,8 +2105,10 @@ describe("initSessionState internal channel routing preservation", () => {
     expect(result.sessionEntry.lastChannel).toBe("webchat");
   });
 
-  it("does not reuse stale external lastTo for webchat/main turns without destination", async () => {
-    const storePath = await createStorePath("webchat-main-no-stale-lastto-");
+  it("preserves external route for main session when webchat accesses without destination (fixes #47745)", async () => {
+    // Regression: webchat monitoring a main session that has an established WhatsApp
+    // route must not clear that route. Subagents should still deliver to WhatsApp.
+    const storePath = await createStorePath("webchat-main-preserve-external-");
     const sessionKey = "agent:main:main";
     await writeSessionStoreFast(storePath, {
       [sessionKey]: {
@@ -2095,12 +2134,14 @@ describe("initSessionState internal channel routing preservation", () => {
       commandAuthorized: true,
     });
 
-    expect(result.sessionEntry.lastChannel).toBe("webchat");
-    expect(result.sessionEntry.lastTo).toBeUndefined();
+    expect(result.sessionEntry.lastChannel).toBe("whatsapp");
+    expect(result.sessionEntry.lastTo).toBe("+15555550123");
   });
 
-  it("prefers webchat route over persisted external route for main session turns", async () => {
-    const storePath = await createStorePath("prefer-webchat-main-route-");
+  it("preserves external route for main session when webchat sends with destination (fixes #47745)", async () => {
+    // Regression: webchat sending to a main session with an established WhatsApp route
+    // must not steal that route for webchat delivery.
+    const storePath = await createStorePath("preserve-main-external-webchat-send-");
     const sessionKey = "agent:main:main";
     await writeSessionStoreFast(storePath, {
       [sessionKey]: {
@@ -2127,9 +2168,9 @@ describe("initSessionState internal channel routing preservation", () => {
       commandAuthorized: true,
     });
 
-    expect(result.sessionEntry.lastChannel).toBe("webchat");
-    expect(result.sessionEntry.lastTo).toBe("session:webchat-main");
-    expect(result.sessionEntry.deliveryContext?.channel).toBe("webchat");
-    expect(result.sessionEntry.deliveryContext?.to).toBe("session:webchat-main");
+    expect(result.sessionEntry.lastChannel).toBe("whatsapp");
+    expect(result.sessionEntry.lastTo).toBe("+15555550123");
+    expect(result.sessionEntry.deliveryContext?.channel).toBe("whatsapp");
+    expect(result.sessionEntry.deliveryContext?.to).toBe("+15555550123");
   });
 });

From fb47777d38814533ff30319faf49990923e81886 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Mar 2026 06:37:09 +0000
Subject: [PATCH 051/133] fix: address bot nit on session route preservation
 (#47797) (thanks @brokemac79)

---
 CHANGELOG.md                             |  1 +
 src/auto-reply/reply/session-delivery.ts | 13 ++++---------
 2 files changed, 5 insertions(+), 9 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ddfb252fc71..a21ff47279b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -85,6 +85,7 @@ Docs: https://docs.openclaw.ai
 - Gateway/watch mode: recreate bundled plugin runtime metadata after clean or stale `dist` states, so `pnpm gateway:watch` no longer fails on missing `dist/extensions/*/openclaw.plugin.json` manifests after a rebuild. Thanks @gumadeiras.
 - Plugins/context engines: enforce owner-aware context-engine registration on both loader and public SDK paths so plugins cannot spoof privileged ownership, claim the core `legacy` engine id, or overwrite an existing engine id through direct SDK imports. (#47595) Thanks @vincentkoc.
 - Windows/gateway status: accept `schtasks` `Last Result` output as an alias for `Last Run Result`, so running scheduled-task installs no longer show `Runtime: unknown`. (#47844) Thanks @MoerAI.
+- Control UI/session routing: preserve established external delivery routes when webchat views or sends in externally originated sessions, so subagent completions still return to the original channel instead of the dashboard. (#47797) Thanks @brokemac79.
 
 ## 2026.3.13
 
diff --git a/src/auto-reply/reply/session-delivery.ts b/src/auto-reply/reply/session-delivery.ts
index 1197b7c5245..9a112a6829e 100644
--- a/src/auto-reply/reply/session-delivery.ts
+++ b/src/auto-reply/reply/session-delivery.ts
@@ -97,10 +97,9 @@ export function resolveLastChannelRaw(params: {
   // completion events to be delivered to the dashboard instead of the original
   // channel. See: https://github.com/openclaw/openclaw/issues/47745
   const persistedChannel = normalizeMessageChannel(params.persistedLastChannel);
-  const sessionKeyChannelHintForCheck = resolveSessionKeyChannelHint(params.sessionKey);
+  const sessionKeyChannelHint = resolveSessionKeyChannelHint(params.sessionKey);
   const hasEstablishedExternalRoute =
-    isExternalRoutingChannel(persistedChannel) ||
-    isExternalRoutingChannel(sessionKeyChannelHintForCheck);
+    isExternalRoutingChannel(persistedChannel) || isExternalRoutingChannel(sessionKeyChannelHint);
   if (
     originatingChannel === INTERNAL_MESSAGE_CHANNEL &&
     !hasEstablishedExternalRoute &&
@@ -108,7 +107,6 @@ export function resolveLastChannelRaw(params: {
   ) {
     return params.originatingChannelRaw;
   }
-  const sessionKeyChannelHint = sessionKeyChannelHintForCheck;
   let resolved = params.originatingChannelRaw || params.persistedLastChannel;
   // Internal/non-deliverable sources should not overwrite previously known
   // external delivery routes (or explicit channel hints from the session key).
@@ -132,10 +130,9 @@ export function resolveLastToRaw(params: {
 }): string | undefined {
   const originatingChannel = normalizeMessageChannel(params.originatingChannelRaw);
   const persistedChannel = normalizeMessageChannel(params.persistedLastChannel);
-  const sessionKeyChannelHintForToCheck = resolveSessionKeyChannelHint(params.sessionKey);
+  const sessionKeyChannelHint = resolveSessionKeyChannelHint(params.sessionKey);
   const hasEstablishedExternalRouteForTo =
-    isExternalRoutingChannel(persistedChannel) ||
-    isExternalRoutingChannel(sessionKeyChannelHintForToCheck);
+    isExternalRoutingChannel(persistedChannel) || isExternalRoutingChannel(sessionKeyChannelHint);
   if (
     originatingChannel === INTERNAL_MESSAGE_CHANNEL &&
     !hasEstablishedExternalRouteForTo &&
@@ -143,8 +140,6 @@ export function resolveLastToRaw(params: {
   ) {
     return params.originatingToRaw || params.toRaw;
   }
-  const sessionKeyChannelHint = sessionKeyChannelHintForToCheck;
-
   // When the turn originates from an internal/non-deliverable source, do not
   // replace an established external destination with internal routing ids
   // (e.g., session/webchat ids).

From 3105a1284a872f1d80c36b489c550f2e323e0898 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Sun, 15 Mar 2026 23:45:06 -0700
Subject: [PATCH 052/133] Tests: add plugin contract suites

---
 src/channels/plugins/contracts/suites.ts | 214 +++++++++++++++++++++++
 1 file changed, 214 insertions(+)
 create mode 100644 src/channels/plugins/contracts/suites.ts

diff --git a/src/channels/plugins/contracts/suites.ts b/src/channels/plugins/contracts/suites.ts
new file mode 100644
index 00000000000..48a0f886208
--- /dev/null
+++ b/src/channels/plugins/contracts/suites.ts
@@ -0,0 +1,214 @@
+import { expect, it } from "vitest";
+import type { OpenClawConfig } from "../../../config/config.js";
+import type {
+  ChannelAccountSnapshot,
+  ChannelAccountState,
+  ChannelMessageCapability,
+  ChannelSetupInput,
+} from "../types.core.js";
+import type { ChannelPlugin } from "../types.js";
+import type { ChannelMessageActionName } from "../types.js";
+
+function sortStrings(values: readonly string[]) {
+  return [...values].toSorted((left, right) => left.localeCompare(right));
+}
+
+export function installChannelPluginContractSuite(params: {
+  plugin: Pick<ChannelPlugin, "id" | "meta" | "capabilities" | "config">;
+}) {
+  it("satisfies the base channel plugin contract", () => {
+    const { plugin } = params;
+
+    expect(typeof plugin.id).toBe("string");
+    expect(plugin.id.trim()).not.toBe("");
+
+    expect(plugin.meta.id).toBe(plugin.id);
+    expect(plugin.meta.label.trim()).not.toBe("");
+    expect(plugin.meta.selectionLabel.trim()).not.toBe("");
+    expect(plugin.meta.docsPath).toMatch(/^\/channels\//);
+    expect(plugin.meta.blurb.trim()).not.toBe("");
+
+    expect(plugin.capabilities.chatTypes.length).toBeGreaterThan(0);
+
+    expect(typeof plugin.config.listAccountIds).toBe("function");
+    expect(typeof plugin.config.resolveAccount).toBe("function");
+  });
+}
+
+type ChannelActionsContractCase = {
+  name: string;
+  cfg: OpenClawConfig;
+  expectedActions: readonly ChannelMessageActionName[];
+  expectedCapabilities?: readonly ChannelMessageCapability[];
+  beforeTest?: () => void;
+};
+
+export function installChannelActionsContractSuite(params: {
+  plugin: Pick<ChannelPlugin, "id" | "actions">;
+  cases: readonly ChannelActionsContractCase[];
+  unsupportedAction?: ChannelMessageActionName;
+}) {
+  it("exposes the base message actions contract", () => {
+    expect(params.plugin.actions).toBeDefined();
+    expect(typeof params.plugin.actions?.listActions).toBe("function");
+  });
+
+  for (const testCase of params.cases) {
+    it(`actions contract: ${testCase.name}`, () => {
+      testCase.beforeTest?.();
+
+      const actions = params.plugin.actions?.listActions?.({ cfg: testCase.cfg }) ?? [];
+      const capabilities = params.plugin.actions?.getCapabilities?.({ cfg: testCase.cfg }) ?? [];
+
+      expect(actions).toEqual([...new Set(actions)]);
+      expect(capabilities).toEqual([...new Set(capabilities)]);
+      expect(sortStrings(actions)).toEqual(sortStrings(testCase.expectedActions));
+      expect(sortStrings(capabilities)).toEqual(sortStrings(testCase.expectedCapabilities ?? []));
+
+      if (params.plugin.actions?.supportsAction) {
+        for (const action of testCase.expectedActions) {
+          expect(params.plugin.actions.supportsAction({ action })).toBe(true);
+        }
+        if (
+          params.unsupportedAction &&
+          !testCase.expectedActions.includes(params.unsupportedAction)
+        ) {
+          expect(params.plugin.actions.supportsAction({ action: params.unsupportedAction })).toBe(
+            false,
+          );
+        }
+      }
+    });
+  }
+}
+
+type ChannelSetupContractCase<ResolvedAccount> = {
+  name: string;
+  cfg: OpenClawConfig;
+  accountId?: string;
+  input: ChannelSetupInput;
+  expectedAccountId?: string;
+  expectedValidation?: string | null;
+  beforeTest?: () => void;
+  assertPatchedConfig?: (cfg: OpenClawConfig) => void;
+  assertResolvedAccount?: (account: ResolvedAccount, cfg: OpenClawConfig) => void;
+};
+
+export function installChannelSetupContractSuite<ResolvedAccount>(params: {
+  plugin: Pick<ChannelPlugin<ResolvedAccount>, "id" | "config" | "setup">;
+  cases: readonly ChannelSetupContractCase<ResolvedAccount>[];
+}) {
+  it("exposes the base setup contract", () => {
+    expect(params.plugin.setup).toBeDefined();
+    expect(typeof params.plugin.setup?.applyAccountConfig).toBe("function");
+  });
+
+  for (const testCase of params.cases) {
+    it(`setup contract: ${testCase.name}`, () => {
+      testCase.beforeTest?.();
+
+      const resolvedAccountId =
+        params.plugin.setup?.resolveAccountId?.({
+          cfg: testCase.cfg,
+          accountId: testCase.accountId,
+          input: testCase.input,
+        }) ??
+        testCase.accountId ??
+        "default";
+
+      expect(resolvedAccountId).toBe(testCase.expectedAccountId ?? resolvedAccountId);
+
+      const validation =
+        params.plugin.setup?.validateInput?.({
+          cfg: testCase.cfg,
+          accountId: resolvedAccountId,
+          input: testCase.input,
+        }) ?? null;
+      expect(validation).toBe(testCase.expectedValidation ?? null);
+
+      const nextCfg = params.plugin.setup?.applyAccountConfig({
+        cfg: testCase.cfg,
+        accountId: resolvedAccountId,
+        input: testCase.input,
+      });
+      expect(nextCfg).toBeDefined();
+
+      const account = params.plugin.config.resolveAccount(nextCfg!, resolvedAccountId);
+      testCase.assertPatchedConfig?.(nextCfg!);
+      testCase.assertResolvedAccount?.(account, nextCfg!);
+    });
+  }
+}
+
+type ChannelStatusContractCase<Probe> = {
+  name: string;
+  cfg: OpenClawConfig;
+  accountId?: string;
+  runtime?: ChannelAccountSnapshot;
+  probe?: Probe;
+  beforeTest?: () => void;
+  expectedState?: ChannelAccountState;
+  resolveStateInput?: {
+    configured: boolean;
+    enabled: boolean;
+  };
+  assertSnapshot?: (snapshot: ChannelAccountSnapshot) => void;
+  assertSummary?: (summary: Record<string, unknown>) => void;
+};
+
+export function installChannelStatusContractSuite<ResolvedAccount, Probe = unknown>(params: {
+  plugin: Pick<ChannelPlugin<ResolvedAccount, Probe>, "id" | "config" | "status">;
+  cases: readonly ChannelStatusContractCase<Probe>[];
+}) {
+  it("exposes the base status contract", () => {
+    expect(params.plugin.status).toBeDefined();
+    expect(typeof params.plugin.status?.buildAccountSnapshot).toBe("function");
+  });
+
+  if (params.plugin.status?.defaultRuntime) {
+    it("status contract: default runtime is shaped like an account snapshot", () => {
+      expect(typeof params.plugin.status?.defaultRuntime?.accountId).toBe("string");
+    });
+  }
+
+  for (const testCase of params.cases) {
+    it(`status contract: ${testCase.name}`, async () => {
+      testCase.beforeTest?.();
+
+      const account = params.plugin.config.resolveAccount(testCase.cfg, testCase.accountId);
+      const snapshot = await params.plugin.status!.buildAccountSnapshot!({
+        account,
+        cfg: testCase.cfg,
+        runtime: testCase.runtime,
+        probe: testCase.probe,
+      });
+
+      expect(typeof snapshot.accountId).toBe("string");
+      expect(snapshot.accountId.trim()).not.toBe("");
+      testCase.assertSnapshot?.(snapshot);
+
+      if (params.plugin.status?.buildChannelSummary) {
+        const defaultAccountId =
+          params.plugin.config.defaultAccountId?.(testCase.cfg) ?? testCase.accountId ?? "default";
+        const summary = await params.plugin.status.buildChannelSummary({
+          account,
+          cfg: testCase.cfg,
+          defaultAccountId,
+          snapshot,
+        });
+        expect(summary).toEqual(expect.any(Object));
+        testCase.assertSummary?.(summary);
+      }
+
+      if (testCase.expectedState && params.plugin.status?.resolveAccountState) {
+        const state = params.plugin.status.resolveAccountState({
+          account,
+          cfg: testCase.cfg,
+          configured: testCase.resolveStateInput?.configured ?? true,
+          enabled: testCase.resolveStateInput?.enabled ?? true,
+        });
+        expect(state).toBe(testCase.expectedState);
+      }
+    });
+  }
+}

From 6043e733a653bdb6ec1aadc39aaf73a258b52b16 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Sun, 15 Mar 2026 23:45:14 -0700
Subject: [PATCH 053/133] Tests: add plugin contract registry

---
 src/channels/plugins/contracts/registry.ts | 485 +++++++++++++++++++++
 1 file changed, 485 insertions(+)
 create mode 100644 src/channels/plugins/contracts/registry.ts

diff --git a/src/channels/plugins/contracts/registry.ts b/src/channels/plugins/contracts/registry.ts
new file mode 100644
index 00000000000..f5bb1d845e2
--- /dev/null
+++ b/src/channels/plugins/contracts/registry.ts
@@ -0,0 +1,485 @@
+import { expect, vi } from "vitest";
+import { bluebubblesPlugin } from "../../../../extensions/bluebubbles/src/channel.js";
+import { discordPlugin } from "../../../../extensions/discord/src/channel.js";
+import { setDiscordRuntime } from "../../../../extensions/discord/src/runtime.js";
+import { feishuPlugin } from "../../../../extensions/feishu/src/channel.js";
+import { googlechatPlugin } from "../../../../extensions/googlechat/src/channel.js";
+import { imessagePlugin } from "../../../../extensions/imessage/src/channel.js";
+import { ircPlugin } from "../../../../extensions/irc/src/channel.js";
+import { linePlugin } from "../../../../extensions/line/src/channel.js";
+import { setLineRuntime } from "../../../../extensions/line/src/runtime.js";
+import { matrixPlugin } from "../../../../extensions/matrix/src/channel.js";
+import { mattermostPlugin } from "../../../../extensions/mattermost/src/channel.js";
+import { msteamsPlugin } from "../../../../extensions/msteams/src/channel.js";
+import { nextcloudTalkPlugin } from "../../../../extensions/nextcloud-talk/src/channel.js";
+import { nostrPlugin } from "../../../../extensions/nostr/src/channel.js";
+import { signalPlugin } from "../../../../extensions/signal/src/channel.js";
+import { slackPlugin } from "../../../../extensions/slack/src/channel.js";
+import { synologyChatPlugin } from "../../../../extensions/synology-chat/src/channel.js";
+import { telegramPlugin } from "../../../../extensions/telegram/src/channel.js";
+import { setTelegramRuntime } from "../../../../extensions/telegram/src/runtime.js";
+import { tlonPlugin } from "../../../../extensions/tlon/src/channel.js";
+import { whatsappPlugin } from "../../../../extensions/whatsapp/src/channel.js";
+import { zaloPlugin } from "../../../../extensions/zalo/src/channel.js";
+import { zalouserPlugin } from "../../../../extensions/zalouser/src/channel.js";
+import type { OpenClawConfig } from "../../../config/config.js";
+import {
+  resolveDefaultLineAccountId,
+  resolveLineAccount,
+  listLineAccountIds,
+} from "../../../line/accounts.js";
+import type { ChannelPlugin } from "../types.js";
+
+type PluginContractEntry = {
+  id: string;
+  plugin: Pick<ChannelPlugin, "id" | "meta" | "capabilities" | "config">;
+};
+
+type ActionsContractEntry = {
+  id: string;
+  plugin: Pick<ChannelPlugin, "id" | "actions">;
+  unsupportedAction?: string;
+  cases: Array<{
+    name: string;
+    cfg: OpenClawConfig;
+    expectedActions: string[];
+    expectedCapabilities?: string[];
+    beforeTest?: () => void;
+  }>;
+};
+
+type SetupContractEntry = {
+  id: string;
+  plugin: Pick<ChannelPlugin, "id" | "config" | "setup">;
+  cases: Array<{
+    name: string;
+    cfg: OpenClawConfig;
+    accountId?: string;
+    input: Record<string, unknown>;
+    expectedAccountId?: string;
+    expectedValidation?: string | null;
+    beforeTest?: () => void;
+    assertPatchedConfig?: (cfg: OpenClawConfig) => void;
+    assertResolvedAccount?: (account: unknown, cfg: OpenClawConfig) => void;
+  }>;
+};
+
+type StatusContractEntry = {
+  id: string;
+  plugin: Pick<ChannelPlugin, "id" | "config" | "status">;
+  cases: Array<{
+    name: string;
+    cfg: OpenClawConfig;
+    accountId?: string;
+    runtime?: Record<string, unknown>;
+    probe?: unknown;
+    beforeTest?: () => void;
+    assertSnapshot?: (snapshot: Record<string, unknown>) => void;
+    assertSummary?: (summary: Record<string, unknown>) => void;
+  }>;
+};
+
+const telegramListActionsMock = vi.fn();
+const telegramGetCapabilitiesMock = vi.fn();
+const discordListActionsMock = vi.fn();
+const discordGetCapabilitiesMock = vi.fn();
+
+setTelegramRuntime({
+  channel: {
+    telegram: {
+      messageActions: {
+        listActions: telegramListActionsMock,
+        getCapabilities: telegramGetCapabilitiesMock,
+      },
+    },
+  },
+} as never);
+
+setDiscordRuntime({
+  channel: {
+    discord: {
+      messageActions: {
+        listActions: discordListActionsMock,
+        getCapabilities: discordGetCapabilitiesMock,
+      },
+    },
+  },
+} as never);
+
+setLineRuntime({
+  channel: {
+    line: {
+      listLineAccountIds,
+      resolveDefaultLineAccountId,
+      resolveLineAccount: ({ cfg, accountId }: { cfg: OpenClawConfig; accountId?: string }) =>
+        resolveLineAccount({ cfg, accountId }),
+    },
+  },
+} as never);
+
+export const pluginContractRegistry: PluginContractEntry[] = [
+  { id: "bluebubbles", plugin: bluebubblesPlugin },
+  { id: "discord", plugin: discordPlugin },
+  { id: "feishu", plugin: feishuPlugin },
+  { id: "googlechat", plugin: googlechatPlugin },
+  { id: "imessage", plugin: imessagePlugin },
+  { id: "irc", plugin: ircPlugin },
+  { id: "line", plugin: linePlugin },
+  { id: "matrix", plugin: matrixPlugin },
+  { id: "mattermost", plugin: mattermostPlugin },
+  { id: "msteams", plugin: msteamsPlugin },
+  { id: "nextcloud-talk", plugin: nextcloudTalkPlugin },
+  { id: "nostr", plugin: nostrPlugin },
+  { id: "signal", plugin: signalPlugin },
+  { id: "slack", plugin: slackPlugin },
+  { id: "synology-chat", plugin: synologyChatPlugin },
+  { id: "telegram", plugin: telegramPlugin },
+  { id: "tlon", plugin: tlonPlugin },
+  { id: "whatsapp", plugin: whatsappPlugin },
+  { id: "zalo", plugin: zaloPlugin },
+  { id: "zalouser", plugin: zalouserPlugin },
+];
+
+export const actionContractRegistry: ActionsContractEntry[] = [
+  {
+    id: "slack",
+    plugin: slackPlugin,
+    unsupportedAction: "poll",
+    cases: [
+      {
+        name: "configured account exposes default Slack actions",
+        cfg: {
+          channels: {
+            slack: {
+              botToken: "xoxb-test",
+              appToken: "xapp-test",
+            },
+          },
+        } as OpenClawConfig,
+        expectedActions: [
+          "send",
+          "react",
+          "reactions",
+          "read",
+          "edit",
+          "delete",
+          "download-file",
+          "pin",
+          "unpin",
+          "list-pins",
+          "member-info",
+          "emoji-list",
+        ],
+        expectedCapabilities: ["blocks"],
+      },
+      {
+        name: "interactive replies add the shared interactive capability",
+        cfg: {
+          channels: {
+            slack: {
+              botToken: "xoxb-test",
+              appToken: "xapp-test",
+              capabilities: {
+                interactiveReplies: true,
+              },
+            },
+          },
+        } as OpenClawConfig,
+        expectedActions: [
+          "send",
+          "react",
+          "reactions",
+          "read",
+          "edit",
+          "delete",
+          "download-file",
+          "pin",
+          "unpin",
+          "list-pins",
+          "member-info",
+          "emoji-list",
+        ],
+        expectedCapabilities: ["blocks", "interactive"],
+      },
+      {
+        name: "missing tokens disables the actions surface",
+        cfg: {
+          channels: {
+            slack: {
+              enabled: true,
+            },
+          },
+        } as OpenClawConfig,
+        expectedActions: [],
+        expectedCapabilities: [],
+      },
+    ],
+  },
+  {
+    id: "mattermost",
+    plugin: mattermostPlugin,
+    unsupportedAction: "poll",
+    cases: [
+      {
+        name: "configured account exposes send and react",
+        cfg: {
+          channels: {
+            mattermost: {
+              enabled: true,
+              botToken: "test-token",
+              baseUrl: "https://chat.example.com",
+            },
+          },
+        } as OpenClawConfig,
+        expectedActions: ["send", "react"],
+        expectedCapabilities: ["buttons"],
+      },
+      {
+        name: "reactions can be disabled while send stays available",
+        cfg: {
+          channels: {
+            mattermost: {
+              enabled: true,
+              botToken: "test-token",
+              baseUrl: "https://chat.example.com",
+              actions: { reactions: false },
+            },
+          },
+        } as OpenClawConfig,
+        expectedActions: ["send"],
+        expectedCapabilities: ["buttons"],
+      },
+      {
+        name: "missing bot credentials disables the actions surface",
+        cfg: {
+          channels: {
+            mattermost: {
+              enabled: true,
+            },
+          },
+        } as OpenClawConfig,
+        expectedActions: [],
+        expectedCapabilities: [],
+      },
+    ],
+  },
+  {
+    id: "telegram",
+    plugin: telegramPlugin,
+    cases: [
+      {
+        name: "forwards runtime-backed Telegram actions and capabilities",
+        cfg: {} as OpenClawConfig,
+        expectedActions: ["send", "poll", "react"],
+        expectedCapabilities: ["interactive", "buttons"],
+        beforeTest: () => {
+          telegramListActionsMock.mockReset();
+          telegramGetCapabilitiesMock.mockReset();
+          telegramListActionsMock.mockReturnValue(["send", "poll", "react"]);
+          telegramGetCapabilitiesMock.mockReturnValue(["interactive", "buttons"]);
+        },
+      },
+    ],
+  },
+  {
+    id: "discord",
+    plugin: discordPlugin,
+    cases: [
+      {
+        name: "forwards runtime-backed Discord actions and capabilities",
+        cfg: {} as OpenClawConfig,
+        expectedActions: ["send", "react", "poll"],
+        expectedCapabilities: ["interactive", "components"],
+        beforeTest: () => {
+          discordListActionsMock.mockReset();
+          discordGetCapabilitiesMock.mockReset();
+          discordListActionsMock.mockReturnValue(["send", "react", "poll"]);
+          discordGetCapabilitiesMock.mockReturnValue(["interactive", "components"]);
+        },
+      },
+    ],
+  },
+];
+
+export const setupContractRegistry: SetupContractEntry[] = [
+  {
+    id: "slack",
+    plugin: slackPlugin,
+    cases: [
+      {
+        name: "default account stores tokens and enables the channel",
+        cfg: {} as OpenClawConfig,
+        input: {
+          botToken: "xoxb-test",
+          appToken: "xapp-test",
+        },
+        expectedAccountId: "default",
+        assertPatchedConfig: (cfg) => {
+          expect(cfg.channels?.slack?.enabled).toBe(true);
+          expect(cfg.channels?.slack?.botToken).toBe("xoxb-test");
+          expect(cfg.channels?.slack?.appToken).toBe("xapp-test");
+        },
+      },
+      {
+        name: "non-default env setup is rejected",
+        cfg: {} as OpenClawConfig,
+        accountId: "ops",
+        input: {
+          useEnv: true,
+        },
+        expectedAccountId: "ops",
+        expectedValidation: "Slack env tokens can only be used for the default account.",
+      },
+    ],
+  },
+  {
+    id: "mattermost",
+    plugin: mattermostPlugin,
+    cases: [
+      {
+        name: "default account stores token and normalized base URL",
+        cfg: {} as OpenClawConfig,
+        input: {
+          botToken: "test-token",
+          httpUrl: "https://chat.example.com/",
+        },
+        expectedAccountId: "default",
+        assertPatchedConfig: (cfg) => {
+          expect(cfg.channels?.mattermost?.enabled).toBe(true);
+          expect(cfg.channels?.mattermost?.botToken).toBe("test-token");
+          expect(cfg.channels?.mattermost?.baseUrl).toBe("https://chat.example.com");
+        },
+      },
+      {
+        name: "missing credentials are rejected",
+        cfg: {} as OpenClawConfig,
+        input: {
+          httpUrl: "",
+        },
+        expectedAccountId: "default",
+        expectedValidation: "Mattermost requires --bot-token and --http-url (or --use-env).",
+      },
+    ],
+  },
+  {
+    id: "line",
+    plugin: linePlugin,
+    cases: [
+      {
+        name: "default account stores token and secret",
+        cfg: {} as OpenClawConfig,
+        input: {
+          channelAccessToken: "line-token",
+          channelSecret: "line-secret",
+        },
+        expectedAccountId: "default",
+        assertPatchedConfig: (cfg) => {
+          expect(cfg.channels?.line?.enabled).toBe(true);
+          expect(cfg.channels?.line?.channelAccessToken).toBe("line-token");
+          expect(cfg.channels?.line?.channelSecret).toBe("line-secret");
+        },
+      },
+      {
+        name: "non-default env setup is rejected",
+        cfg: {} as OpenClawConfig,
+        accountId: "ops",
+        input: {
+          useEnv: true,
+        },
+        expectedAccountId: "ops",
+        expectedValidation: "LINE_CHANNEL_ACCESS_TOKEN can only be used for the default account.",
+      },
+    ],
+  },
+];
+
+export const statusContractRegistry: StatusContractEntry[] = [
+  {
+    id: "slack",
+    plugin: slackPlugin,
+    cases: [
+      {
+        name: "configured account produces a configured status snapshot",
+        cfg: {
+          channels: {
+            slack: {
+              botToken: "xoxb-test",
+              appToken: "xapp-test",
+            },
+          },
+        } as OpenClawConfig,
+        runtime: {
+          accountId: "default",
+          connected: true,
+          running: true,
+        },
+        probe: { ok: true },
+        assertSnapshot: (snapshot) => {
+          expect(snapshot.accountId).toBe("default");
+          expect(snapshot.enabled).toBe(true);
+          expect(snapshot.configured).toBe(true);
+        },
+      },
+    ],
+  },
+  {
+    id: "mattermost",
+    plugin: mattermostPlugin,
+    cases: [
+      {
+        name: "configured account preserves connectivity details in the snapshot",
+        cfg: {
+          channels: {
+            mattermost: {
+              enabled: true,
+              botToken: "test-token",
+              baseUrl: "https://chat.example.com",
+            },
+          },
+        } as OpenClawConfig,
+        runtime: {
+          accountId: "default",
+          connected: true,
+          lastConnectedAt: 1234,
+        },
+        probe: { ok: true },
+        assertSnapshot: (snapshot) => {
+          expect(snapshot.accountId).toBe("default");
+          expect(snapshot.enabled).toBe(true);
+          expect(snapshot.configured).toBe(true);
+          expect(snapshot.connected).toBe(true);
+          expect(snapshot.baseUrl).toBe("https://chat.example.com");
+        },
+      },
+    ],
+  },
+  {
+    id: "line",
+    plugin: linePlugin,
+    cases: [
+      {
+        name: "configured account produces a webhook status snapshot",
+        cfg: {
+          channels: {
+            line: {
+              enabled: true,
+              channelAccessToken: "line-token",
+              channelSecret: "line-secret",
+            },
+          },
+        } as OpenClawConfig,
+        runtime: {
+          accountId: "default",
+          running: true,
+        },
+        probe: { ok: true },
+        assertSnapshot: (snapshot) => {
+          expect(snapshot.accountId).toBe("default");
+          expect(snapshot.enabled).toBe(true);
+          expect(snapshot.configured).toBe(true);
+          expect(snapshot.mode).toBe("webhook");
+        },
+      },
+    ],
+  },
+];

From 910d039ea7fce696f84f5345e622698462c4cea8 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Sun, 15 Mar 2026 23:45:26 -0700
Subject: [PATCH 054/133] Tests: add global plugin contract suite

---
 .../plugins/contracts/plugin.contract.test.ts         | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 src/channels/plugins/contracts/plugin.contract.test.ts

diff --git a/src/channels/plugins/contracts/plugin.contract.test.ts b/src/channels/plugins/contracts/plugin.contract.test.ts
new file mode 100644
index 00000000000..534d7284456
--- /dev/null
+++ b/src/channels/plugins/contracts/plugin.contract.test.ts
@@ -0,0 +1,11 @@
+import { describe } from "vitest";
+import { pluginContractRegistry } from "./registry.js";
+import { installChannelPluginContractSuite } from "./suites.js";
+
+for (const entry of pluginContractRegistry) {
+  describe(`${entry.id} plugin contract`, () => {
+    installChannelPluginContractSuite({
+      plugin: entry.plugin,
+    });
+  });
+}

From c5d61b96779a795569fb6266bcb292137218ee76 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Sun, 15 Mar 2026 23:45:33 -0700
Subject: [PATCH 055/133] Tests: add global actions contract suite

---
 .../plugins/contracts/actions.contract.test.ts      | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 src/channels/plugins/contracts/actions.contract.test.ts

diff --git a/src/channels/plugins/contracts/actions.contract.test.ts b/src/channels/plugins/contracts/actions.contract.test.ts
new file mode 100644
index 00000000000..11daa8cd205
--- /dev/null
+++ b/src/channels/plugins/contracts/actions.contract.test.ts
@@ -0,0 +1,13 @@
+import { describe } from "vitest";
+import { actionContractRegistry } from "./registry.js";
+import { installChannelActionsContractSuite } from "./suites.js";
+
+for (const entry of actionContractRegistry) {
+  describe(`${entry.id} actions contract`, () => {
+    installChannelActionsContractSuite({
+      plugin: entry.plugin,
+      cases: entry.cases as never,
+      unsupportedAction: entry.unsupportedAction as never,
+    });
+  });
+}

From acf7e83ac4a801913eba46723b1c2a549c0e11d0 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Sun, 15 Mar 2026 23:45:44 -0700
Subject: [PATCH 056/133] Tests: add global setup contract suite

---
 .../plugins/contracts/setup.contract.test.ts         | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 src/channels/plugins/contracts/setup.contract.test.ts

diff --git a/src/channels/plugins/contracts/setup.contract.test.ts b/src/channels/plugins/contracts/setup.contract.test.ts
new file mode 100644
index 00000000000..acc221d61d6
--- /dev/null
+++ b/src/channels/plugins/contracts/setup.contract.test.ts
@@ -0,0 +1,12 @@
+import { describe } from "vitest";
+import { setupContractRegistry } from "./registry.js";
+import { installChannelSetupContractSuite } from "./suites.js";
+
+for (const entry of setupContractRegistry) {
+  describe(`${entry.id} setup contract`, () => {
+    installChannelSetupContractSuite({
+      plugin: entry.plugin,
+      cases: entry.cases as never,
+    });
+  });
+}

From 9df7e8bec45ed8b6d18cf9c221d4ac20f3068726 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Sun, 15 Mar 2026 23:45:52 -0700
Subject: [PATCH 057/133] Tests: add global status contract suite

---
 .../plugins/contracts/status.contract.test.ts        | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 src/channels/plugins/contracts/status.contract.test.ts

diff --git a/src/channels/plugins/contracts/status.contract.test.ts b/src/channels/plugins/contracts/status.contract.test.ts
new file mode 100644
index 00000000000..9cc364f17d2
--- /dev/null
+++ b/src/channels/plugins/contracts/status.contract.test.ts
@@ -0,0 +1,12 @@
+import { describe } from "vitest";
+import { statusContractRegistry } from "./registry.js";
+import { installChannelStatusContractSuite } from "./suites.js";
+
+for (const entry of statusContractRegistry) {
+  describe(`${entry.id} status contract`, () => {
+    installChannelStatusContractSuite({
+      plugin: entry.plugin,
+      cases: entry.cases as never,
+    });
+  });
+}

From f5ef936615aaa2025270752c9603bbb0ed24925f Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Sun, 15 Mar 2026 23:46:05 -0700
Subject: [PATCH 058/133] Tests: replace local channel contracts

---
 .../discord/src/channel.contract.test.ts      | 49 -----------
 .../mattermost/src/channel.contract.test.ts   | 59 -------------
 extensions/slack/src/channel.contract.test.ts | 85 -------------------
 .../telegram/src/channel.contract.test.ts     | 49 -----------
 src/test-utils/channel-actions-contract.ts    | 53 ------------
 src/test-utils/channel-plugin-contract.ts     | 24 ------
 6 files changed, 319 deletions(-)
 delete mode 100644 extensions/discord/src/channel.contract.test.ts
 delete mode 100644 extensions/mattermost/src/channel.contract.test.ts
 delete mode 100644 extensions/slack/src/channel.contract.test.ts
 delete mode 100644 extensions/telegram/src/channel.contract.test.ts
 delete mode 100644 src/test-utils/channel-actions-contract.ts
 delete mode 100644 src/test-utils/channel-plugin-contract.ts

diff --git a/extensions/discord/src/channel.contract.test.ts b/extensions/discord/src/channel.contract.test.ts
deleted file mode 100644
index 3a651e6e26b..00000000000
--- a/extensions/discord/src/channel.contract.test.ts
+++ /dev/null
@@ -1,49 +0,0 @@
-import type { OpenClawConfig } from "openclaw/plugin-sdk/discord";
-import { afterEach, describe, vi } from "vitest";
-import { installChannelActionsContractSuite } from "../../../src/test-utils/channel-actions-contract.js";
-import { installChannelPluginContractSuite } from "../../../src/test-utils/channel-plugin-contract.js";
-
-const discordListActionsMock = vi.fn();
-const discordGetCapabilitiesMock = vi.fn();
-
-vi.mock("./runtime.js", () => ({
-  getDiscordRuntime: () => ({
-    channel: {
-      discord: {
-        messageActions: {
-          listActions: discordListActionsMock,
-          getCapabilities: discordGetCapabilitiesMock,
-        },
-      },
-    },
-  }),
-}));
-
-const { discordPlugin } = await import("./channel.js");
-
-describe("discordPlugin contract", () => {
-  afterEach(() => {
-    discordListActionsMock.mockReset();
-    discordGetCapabilitiesMock.mockReset();
-  });
-
-  installChannelPluginContractSuite({
-    plugin: discordPlugin,
-  });
-
-  installChannelActionsContractSuite({
-    plugin: discordPlugin,
-    cases: [
-      {
-        name: "forwards runtime-backed Discord actions and capabilities",
-        cfg: {} as OpenClawConfig,
-        expectedActions: ["send", "react", "poll"],
-        expectedCapabilities: ["interactive", "components"],
-        beforeTest: () => {
-          discordListActionsMock.mockReturnValue(["send", "react", "poll"]);
-          discordGetCapabilitiesMock.mockReturnValue(["interactive", "components"]);
-        },
-      },
-    ],
-  });
-});
diff --git a/extensions/mattermost/src/channel.contract.test.ts b/extensions/mattermost/src/channel.contract.test.ts
deleted file mode 100644
index 96f5fe9ed4a..00000000000
--- a/extensions/mattermost/src/channel.contract.test.ts
+++ /dev/null
@@ -1,59 +0,0 @@
-import type { OpenClawConfig } from "openclaw/plugin-sdk/mattermost";
-import { describe } from "vitest";
-import { installChannelActionsContractSuite } from "../../../src/test-utils/channel-actions-contract.js";
-import { installChannelPluginContractSuite } from "../../../src/test-utils/channel-plugin-contract.js";
-import { mattermostPlugin } from "./channel.js";
-
-describe("mattermostPlugin contract", () => {
-  installChannelPluginContractSuite({
-    plugin: mattermostPlugin,
-  });
-
-  installChannelActionsContractSuite({
-    plugin: mattermostPlugin,
-    unsupportedAction: "poll",
-    cases: [
-      {
-        name: "configured account exposes send and react",
-        cfg: {
-          channels: {
-            mattermost: {
-              enabled: true,
-              botToken: "test-token",
-              baseUrl: "https://chat.example.com",
-            },
-          },
-        } as OpenClawConfig,
-        expectedActions: ["send", "react"],
-        expectedCapabilities: ["buttons"],
-      },
-      {
-        name: "reactions can be disabled while send stays available",
-        cfg: {
-          channels: {
-            mattermost: {
-              enabled: true,
-              botToken: "test-token",
-              baseUrl: "https://chat.example.com",
-              actions: { reactions: false },
-            },
-          },
-        } as OpenClawConfig,
-        expectedActions: ["send"],
-        expectedCapabilities: ["buttons"],
-      },
-      {
-        name: "missing bot credentials disables the actions surface",
-        cfg: {
-          channels: {
-            mattermost: {
-              enabled: true,
-            },
-          },
-        } as OpenClawConfig,
-        expectedActions: [],
-        expectedCapabilities: [],
-      },
-    ],
-  });
-});
diff --git a/extensions/slack/src/channel.contract.test.ts b/extensions/slack/src/channel.contract.test.ts
deleted file mode 100644
index 3fd0e23dab5..00000000000
--- a/extensions/slack/src/channel.contract.test.ts
+++ /dev/null
@@ -1,85 +0,0 @@
-import type { OpenClawConfig } from "openclaw/plugin-sdk/slack";
-import { describe } from "vitest";
-import { installChannelActionsContractSuite } from "../../../src/test-utils/channel-actions-contract.js";
-import { installChannelPluginContractSuite } from "../../../src/test-utils/channel-plugin-contract.js";
-import { slackPlugin } from "./channel.js";
-
-describe("slackPlugin contract", () => {
-  installChannelPluginContractSuite({
-    plugin: slackPlugin,
-  });
-
-  installChannelActionsContractSuite({
-    plugin: slackPlugin,
-    unsupportedAction: "poll",
-    cases: [
-      {
-        name: "configured account exposes default Slack actions",
-        cfg: {
-          channels: {
-            slack: {
-              botToken: "xoxb-test",
-              appToken: "xapp-test",
-            },
-          },
-        } as OpenClawConfig,
-        expectedActions: [
-          "send",
-          "react",
-          "reactions",
-          "read",
-          "edit",
-          "delete",
-          "download-file",
-          "pin",
-          "unpin",
-          "list-pins",
-          "member-info",
-          "emoji-list",
-        ],
-        expectedCapabilities: ["blocks"],
-      },
-      {
-        name: "interactive replies add the shared interactive capability",
-        cfg: {
-          channels: {
-            slack: {
-              botToken: "xoxb-test",
-              appToken: "xapp-test",
-              capabilities: {
-                interactiveReplies: true,
-              },
-            },
-          },
-        } as OpenClawConfig,
-        expectedActions: [
-          "send",
-          "react",
-          "reactions",
-          "read",
-          "edit",
-          "delete",
-          "download-file",
-          "pin",
-          "unpin",
-          "list-pins",
-          "member-info",
-          "emoji-list",
-        ],
-        expectedCapabilities: ["blocks", "interactive"],
-      },
-      {
-        name: "missing tokens disables the actions surface",
-        cfg: {
-          channels: {
-            slack: {
-              enabled: true,
-            },
-          },
-        } as OpenClawConfig,
-        expectedActions: [],
-        expectedCapabilities: [],
-      },
-    ],
-  });
-});
diff --git a/extensions/telegram/src/channel.contract.test.ts b/extensions/telegram/src/channel.contract.test.ts
deleted file mode 100644
index 164f862949d..00000000000
--- a/extensions/telegram/src/channel.contract.test.ts
+++ /dev/null
@@ -1,49 +0,0 @@
-import type { OpenClawConfig } from "openclaw/plugin-sdk/telegram";
-import { afterEach, describe, vi } from "vitest";
-import { installChannelActionsContractSuite } from "../../../src/test-utils/channel-actions-contract.js";
-import { installChannelPluginContractSuite } from "../../../src/test-utils/channel-plugin-contract.js";
-
-const telegramListActionsMock = vi.fn();
-const telegramGetCapabilitiesMock = vi.fn();
-
-vi.mock("./runtime.js", () => ({
-  getTelegramRuntime: () => ({
-    channel: {
-      telegram: {
-        messageActions: {
-          listActions: telegramListActionsMock,
-          getCapabilities: telegramGetCapabilitiesMock,
-        },
-      },
-    },
-  }),
-}));
-
-const { telegramPlugin } = await import("./channel.js");
-
-describe("telegramPlugin contract", () => {
-  afterEach(() => {
-    telegramListActionsMock.mockReset();
-    telegramGetCapabilitiesMock.mockReset();
-  });
-
-  installChannelPluginContractSuite({
-    plugin: telegramPlugin,
-  });
-
-  installChannelActionsContractSuite({
-    plugin: telegramPlugin,
-    cases: [
-      {
-        name: "forwards runtime-backed Telegram actions and capabilities",
-        cfg: {} as OpenClawConfig,
-        expectedActions: ["send", "poll", "react"],
-        expectedCapabilities: ["interactive", "buttons"],
-        beforeTest: () => {
-          telegramListActionsMock.mockReturnValue(["send", "poll", "react"]);
-          telegramGetCapabilitiesMock.mockReturnValue(["interactive", "buttons"]);
-        },
-      },
-    ],
-  });
-});
diff --git a/src/test-utils/channel-actions-contract.ts b/src/test-utils/channel-actions-contract.ts
deleted file mode 100644
index 12d7d7046f5..00000000000
--- a/src/test-utils/channel-actions-contract.ts
+++ /dev/null
@@ -1,53 +0,0 @@
-import { expect, it } from "vitest";
-import type { ChannelMessageCapability } from "../channels/plugins/message-capabilities.js";
-import type { ChannelMessageActionName, ChannelPlugin } from "../channels/plugins/types.js";
-import type { OpenClawConfig } from "../config/config.js";
-
-type ChannelActionsContractCase = {
-  name: string;
-  cfg: OpenClawConfig;
-  expectedActions: readonly ChannelMessageActionName[];
-  expectedCapabilities?: readonly ChannelMessageCapability[];
-  beforeTest?: () => void;
-};
-
-export function installChannelActionsContractSuite(params: {
-  plugin: Pick<ChannelPlugin, "id" | "actions">;
-  cases: readonly ChannelActionsContractCase[];
-  unsupportedAction?: ChannelMessageActionName;
-}) {
-  it("exposes the base message actions contract", () => {
-    expect(params.plugin.actions).toBeDefined();
-    expect(typeof params.plugin.actions?.listActions).toBe("function");
-  });
-
-  for (const testCase of params.cases) {
-    it(`actions contract: ${testCase.name}`, () => {
-      testCase.beforeTest?.();
-
-      const actions = params.plugin.actions?.listActions?.({ cfg: testCase.cfg }) ?? [];
-      const capabilities = params.plugin.actions?.getCapabilities?.({ cfg: testCase.cfg }) ?? [];
-
-      expect(actions).toEqual([...new Set(actions)]);
-      expect(capabilities).toEqual([...new Set(capabilities)]);
-      expect(actions.toSorted()).toEqual([...testCase.expectedActions].toSorted());
-      expect(capabilities.toSorted()).toEqual(
-        [...(testCase.expectedCapabilities ?? [])].toSorted(),
-      );
-
-      if (params.plugin.actions?.supportsAction) {
-        for (const action of testCase.expectedActions) {
-          expect(params.plugin.actions.supportsAction({ action })).toBe(true);
-        }
-        if (
-          params.unsupportedAction &&
-          !testCase.expectedActions.includes(params.unsupportedAction)
-        ) {
-          expect(params.plugin.actions.supportsAction({ action: params.unsupportedAction })).toBe(
-            false,
-          );
-        }
-      }
-    });
-  }
-}
diff --git a/src/test-utils/channel-plugin-contract.ts b/src/test-utils/channel-plugin-contract.ts
deleted file mode 100644
index b2912befd0b..00000000000
--- a/src/test-utils/channel-plugin-contract.ts
+++ /dev/null
@@ -1,24 +0,0 @@
-import { expect, it } from "vitest";
-import type { ChannelPlugin } from "../channels/plugins/types.js";
-
-export function installChannelPluginContractSuite(params: {
-  plugin: Pick<ChannelPlugin, "id" | "meta" | "capabilities" | "config">;
-}) {
-  it("satisfies the base channel plugin contract", () => {
-    const { plugin } = params;
-
-    expect(typeof plugin.id).toBe("string");
-    expect(plugin.id.trim()).not.toBe("");
-
-    expect(plugin.meta.id).toBe(plugin.id);
-    expect(plugin.meta.label.trim()).not.toBe("");
-    expect(plugin.meta.selectionLabel.trim()).not.toBe("");
-    expect(plugin.meta.docsPath).toMatch(/^\/channels\//);
-    expect(plugin.meta.blurb.trim()).not.toBe("");
-
-    expect(plugin.capabilities.chatTypes.length).toBeGreaterThan(0);
-
-    expect(typeof plugin.config.listAccountIds).toBe("function");
-    expect(typeof plugin.config.resolveAccount).toBe("function");
-  });
-}

From ae60094fb55659bd93723f7f97a8173a43d24c04 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Sun, 15 Mar 2026 23:47:07 -0700
Subject: [PATCH 059/133] refactor(plugins): move onboarding auth metadata to
 manifests

---
 docs/plugins/manifest.md                      |  40 +++
 docs/tools/plugin.md                          |  20 +-
 extensions/anthropic/openclaw.plugin.json     |  25 ++
 extensions/byteplus/index.ts                  |  30 +-
 extensions/byteplus/openclaw.plugin.json      |  15 +
 extensions/cloudflare-ai-gateway/index.ts     | 196 ++++++++++-
 .../openclaw.plugin.json                      |  16 +
 extensions/copilot-proxy/openclaw.plugin.json |  12 +
 .../github-copilot/openclaw.plugin.json       |  12 +
 extensions/google/openclaw.plugin.json        |  25 ++
 extensions/huggingface/index.ts               |  29 +-
 extensions/huggingface/openclaw.plugin.json   |  16 +
 extensions/kilocode/index.ts                  |  28 +-
 extensions/kilocode/openclaw.plugin.json      |  16 +
 extensions/kimi-coding/index.ts               |  30 +-
 extensions/kimi-coding/openclaw.plugin.json   |  15 +
 extensions/minimax/openclaw.plugin.json       |  50 +++
 extensions/mistral/index.ts                   |  25 +-
 extensions/mistral/openclaw.plugin.json       |  15 +
 extensions/modelstudio/index.ts               |  63 +++-
 extensions/modelstudio/openclaw.plugin.json   |  30 ++
 extensions/moonshot/index.ts                  |  49 ++-
 extensions/moonshot/openclaw.plugin.json      |  28 ++
 extensions/ollama/openclaw.plugin.json        |  12 +
 extensions/openai/openclaw.plugin.json        |  25 ++
 extensions/opencode-go/index.ts               |  32 +-
 extensions/opencode-go/openclaw.plugin.json   |  15 +
 extensions/opencode/index.ts                  |  33 +-
 extensions/opencode/openclaw.plugin.json      |  15 +
 extensions/openrouter/index.ts                |  28 +-
 extensions/openrouter/openclaw.plugin.json    |  15 +
 extensions/qianfan/index.ts                   |  25 +-
 extensions/qianfan/openclaw.plugin.json       |  15 +
 .../qwen-portal-auth/openclaw.plugin.json     |  12 +
 extensions/sglang/openclaw.plugin.json        |  12 +
 extensions/synthetic/index.ts                 |  28 +-
 extensions/synthetic/openclaw.plugin.json     |  15 +
 extensions/together/index.ts                  |  28 +-
 extensions/together/openclaw.plugin.json      |  15 +
 extensions/venice/index.ts                    |  31 +-
 extensions/venice/openclaw.plugin.json        |  15 +
 extensions/vercel-ai-gateway/index.ts         |  28 +-
 .../vercel-ai-gateway/openclaw.plugin.json    |  15 +
 extensions/vllm/openclaw.plugin.json          |  12 +
 extensions/volcengine/index.ts                |  30 +-
 extensions/volcengine/openclaw.plugin.json    |  15 +
 extensions/xai/index.ts                       |  28 +-
 extensions/xai/openclaw.plugin.json           |  15 +
 extensions/xiaomi/index.ts                    |  25 +-
 extensions/xiaomi/openclaw.plugin.json        |  15 +
 extensions/zai/index.ts                       | 194 ++++++++++-
 extensions/zai/openclaw.plugin.json           |  71 ++++
 src/cli/program/register.onboard.test.ts      |  21 +-
 src/cli/program/register.onboard.ts           |  52 ++-
 src/commands/auth-choice-options.static.ts    | 308 ++----------------
 src/commands/auth-choice-options.test.ts      | 209 +++++++++++-
 src/commands/auth-choice-options.ts           | 123 ++++---
 .../auth-choice.apply.anthropic.test.ts       | 105 ------
 src/commands/auth-choice.apply.anthropic.ts   |  64 ----
 .../auth-choice.apply.api-providers.ts        |  27 +-
 src/commands/auth-choice.apply.openai.test.ts | 116 -------
 src/commands/auth-choice.apply.openai.ts      |  80 -----
 src/commands/auth-choice.apply.ts             |  13 +-
 .../auth-choice.preferred-provider.test.ts    |  21 ++
 .../auth-choice.preferred-provider.ts         |  45 +--
 src/commands/auth-choice.test.ts              |  28 +-
 src/commands/onboard-core-auth-flags.ts       |  21 ++
 .../local/auth-choice-inference.ts            |  60 +---
 src/commands/onboard-provider-auth-flags.ts   | 225 -------------
 src/plugin-sdk/core.ts                        |   1 +
 src/plugins/manifest-registry.test.ts         |  16 +
 src/plugins/manifest-registry.ts              |   2 +
 src/plugins/manifest.ts                       |  74 +++++
 src/plugins/provider-api-key-auth.ts          |   7 +-
 src/plugins/provider-auth-choices.test.ts     |  92 ++++++
 src/plugins/provider-auth-choices.ts          | 102 ++++++
 src/secrets/provider-env-vars.ts              |  18 +-
 77 files changed, 2334 insertions(+), 1100 deletions(-)
 delete mode 100644 src/commands/auth-choice.apply.anthropic.test.ts
 delete mode 100644 src/commands/auth-choice.apply.anthropic.ts
 delete mode 100644 src/commands/auth-choice.apply.openai.test.ts
 delete mode 100644 src/commands/auth-choice.apply.openai.ts
 create mode 100644 src/commands/onboard-core-auth-flags.ts
 delete mode 100644 src/commands/onboard-provider-auth-flags.ts
 create mode 100644 src/plugins/provider-auth-choices.test.ts
 create mode 100644 src/plugins/provider-auth-choices.ts

diff --git a/docs/plugins/manifest.md b/docs/plugins/manifest.md
index 01d5e0d3578..5ef77b9ef68 100644
--- a/docs/plugins/manifest.md
+++ b/docs/plugins/manifest.md
@@ -59,12 +59,49 @@ Optional keys:
 - `providerAuthEnvVars` (object): auth env vars keyed by provider id. Use this
   when OpenClaw should resolve provider credentials from env without loading
   plugin runtime first.
+- `providerAuthChoices` (array): cheap onboarding/auth-choice metadata keyed by
+  provider + auth method. Use this when OpenClaw should show a provider in
+  auth-choice pickers, preferred-provider resolution, and CLI help without
+  loading plugin runtime first.
 - `skills` (array): skill directories to load (relative to the plugin root).
 - `name` (string): display name for the plugin.
 - `description` (string): short plugin summary.
 - `uiHints` (object): config field labels/placeholders/sensitive flags for UI rendering.
 - `version` (string): plugin version (informational).
 
+### `providerAuthChoices` shape
+
+Each entry can declare:
+
+- `provider`: provider id
+- `method`: auth method id
+- `choiceId`: stable onboarding/auth-choice id
+- `choiceLabel` / `choiceHint`: picker label + short hint
+- `groupId` / `groupLabel` / `groupHint`: grouped onboarding bucket metadata
+- `optionKey` / `cliFlag` / `cliOption` / `cliDescription`: optional one-flag
+  CLI wiring for simple auth flows such as API keys
+
+Example:
+
+```json
+{
+  "providerAuthChoices": [
+    {
+      "provider": "openrouter",
+      "method": "api-key",
+      "choiceId": "openrouter-api-key",
+      "choiceLabel": "OpenRouter API key",
+      "groupId": "openrouter",
+      "groupLabel": "OpenRouter",
+      "optionKey": "openrouterApiKey",
+      "cliFlag": "--openrouter-api-key",
+      "cliOption": "--openrouter-api-key <key>",
+      "cliDescription": "OpenRouter API key"
+    }
+  ]
+}
+```
+
 ## JSON Schema requirements
 
 - **Every plugin must ship a JSON Schema**, even if it accepts no config.
@@ -90,6 +127,9 @@ Optional keys:
 - `providerAuthEnvVars` is the cheap metadata path for auth probes, env-marker
   validation, and similar provider-auth surfaces that should not boot plugin
   runtime just to inspect env names.
+- `providerAuthChoices` is the cheap metadata path for auth-choice pickers,
+  `--auth-choice` resolution, preferred-provider mapping, and simple onboarding
+  CLI flag registration before provider runtime loads.
 - Exclusive plugin kinds are selected through `plugins.slots.*`.
   - `kind: "memory"` is selected by `plugins.slots.memory`.
   - `kind: "context-engine"` is selected by `plugins.slots.contextEngine`
diff --git a/docs/tools/plugin.md b/docs/tools/plugin.md
index ec4084eeca6..a53a05bf6c0 100644
--- a/docs/tools/plugin.md
+++ b/docs/tools/plugin.md
@@ -218,7 +218,8 @@ Tool authoring guide: [Plugin agent tools](/plugins/agent-tools).
 Provider plugins now have two layers:
 
 - manifest metadata: `providerAuthEnvVars` for cheap env-auth lookup before
-  runtime load
+  runtime load, plus `providerAuthChoices` for cheap onboarding/auth-choice
+  labels and CLI flag metadata before runtime load
 - config-time hooks: `catalog` / legacy `discovery`
 - runtime hooks: `resolveDynamicModel`, `prepareDynamicModel`, `normalizeResolvedModel`, `capabilities`, `prepareExtraParams`, `wrapStreamFn`, `formatApiKey`, `refreshOAuth`, `buildAuthDoctorHint`, `isCacheTtlEligible`, `buildMissingAuthMessage`, `suppressBuiltInModel`, `augmentModelCatalog`, `isBinaryThinking`, `supportsXHighThinking`, `resolveDefaultThinkingLevel`, `isModernModelRef`, `prepareRuntimeAuth`, `resolveUsageAuth`, `fetchUsageSnapshot`
 
@@ -228,8 +229,11 @@ needing a whole custom inference transport.
 
 Use manifest `providerAuthEnvVars` when the provider has env-based credentials
 that generic auth/status/model-picker paths should see without loading plugin
-runtime. Keep provider runtime `envVars` for operator-facing hints such as
-onboarding labels or OAuth client-id/client-secret setup vars.
+runtime. Use manifest `providerAuthChoices` when onboarding/auth-choice CLI
+surfaces should know the provider's choice id, group labels, and simple
+one-flag auth wiring without loading provider runtime. Keep provider runtime
+`envVars` for operator-facing hints such as onboarding labels or OAuth
+client-id/client-secret setup vars.
 
 ### Hook order
 
@@ -1266,6 +1270,16 @@ errors instead.
 
 ### Provider wizard metadata
 
+Provider auth/onboarding metadata can live in two layers:
+
+- manifest `providerAuthChoices`: cheap labels, grouping, `--auth-choice`
+  ids, and simple CLI flag metadata available before runtime load
+- runtime `wizard.setup` / `auth[].wizard`: richer behavior that depends on
+  loaded provider code
+
+Use manifest metadata for static labels/flags. Use runtime wizard metadata when
+setup depends on dynamic auth methods, method fallback, or runtime validation.
+
 `wizard.setup` controls how the provider appears in grouped onboarding:
 
 - `choiceId`: auth-choice value
diff --git a/extensions/anthropic/openclaw.plugin.json b/extensions/anthropic/openclaw.plugin.json
index aec972801f8..65a57bd0381 100644
--- a/extensions/anthropic/openclaw.plugin.json
+++ b/extensions/anthropic/openclaw.plugin.json
@@ -4,6 +4,31 @@
   "providerAuthEnvVars": {
     "anthropic": ["ANTHROPIC_OAUTH_TOKEN", "ANTHROPIC_API_KEY"]
   },
+  "providerAuthChoices": [
+    {
+      "provider": "anthropic",
+      "method": "setup-token",
+      "choiceId": "token",
+      "choiceLabel": "Anthropic token (paste setup-token)",
+      "choiceHint": "Run `claude setup-token` elsewhere, then paste the token here",
+      "groupId": "anthropic",
+      "groupLabel": "Anthropic",
+      "groupHint": "setup-token + API key"
+    },
+    {
+      "provider": "anthropic",
+      "method": "api-key",
+      "choiceId": "apiKey",
+      "choiceLabel": "Anthropic API key",
+      "groupId": "anthropic",
+      "groupLabel": "Anthropic",
+      "groupHint": "setup-token + API key",
+      "optionKey": "anthropicApiKey",
+      "cliFlag": "--anthropic-api-key",
+      "cliOption": "--anthropic-api-key <key>",
+      "cliDescription": "Anthropic API key"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/byteplus/index.ts b/extensions/byteplus/index.ts
index 35050f2c789..d32263014c6 100644
--- a/extensions/byteplus/index.ts
+++ b/extensions/byteplus/index.ts
@@ -3,8 +3,11 @@ import {
   buildBytePlusCodingProvider,
   buildBytePlusProvider,
 } from "../../src/agents/models-config.providers.static.js";
+import { ensureModelAllowlistEntry } from "../../src/commands/model-allowlist.js";
+import { createProviderApiKeyAuthMethod } from "../../src/plugins/provider-api-key-auth.js";
 
 const PROVIDER_ID = "byteplus";
+const BYTEPLUS_DEFAULT_MODEL_REF = "byteplus-plan/ark-code-latest";
 
 const byteplusPlugin = {
   id: PROVIDER_ID,
@@ -17,7 +20,32 @@ const byteplusPlugin = {
       label: "BytePlus",
       docsPath: "/concepts/model-providers#byteplus-international",
       envVars: ["BYTEPLUS_API_KEY"],
-      auth: [],
+      auth: [
+        createProviderApiKeyAuthMethod({
+          providerId: PROVIDER_ID,
+          methodId: "api-key",
+          label: "BytePlus API key",
+          hint: "API key",
+          optionKey: "byteplusApiKey",
+          flagName: "--byteplus-api-key",
+          envVar: "BYTEPLUS_API_KEY",
+          promptMessage: "Enter BytePlus API key",
+          defaultModel: BYTEPLUS_DEFAULT_MODEL_REF,
+          expectedProviders: ["byteplus"],
+          applyConfig: (cfg) =>
+            ensureModelAllowlistEntry({
+              cfg,
+              modelRef: BYTEPLUS_DEFAULT_MODEL_REF,
+            }),
+          wizard: {
+            choiceId: "byteplus-api-key",
+            choiceLabel: "BytePlus API key",
+            groupId: "byteplus",
+            groupLabel: "BytePlus",
+            groupHint: "API key",
+          },
+        }),
+      ],
       catalog: {
         order: "paired",
         run: async (ctx) => {
diff --git a/extensions/byteplus/openclaw.plugin.json b/extensions/byteplus/openclaw.plugin.json
index abef4351a48..f24abe730a3 100644
--- a/extensions/byteplus/openclaw.plugin.json
+++ b/extensions/byteplus/openclaw.plugin.json
@@ -4,6 +4,21 @@
   "providerAuthEnvVars": {
     "byteplus": ["BYTEPLUS_API_KEY"]
   },
+  "providerAuthChoices": [
+    {
+      "provider": "byteplus",
+      "method": "api-key",
+      "choiceId": "byteplus-api-key",
+      "choiceLabel": "BytePlus API key",
+      "groupId": "byteplus",
+      "groupLabel": "BytePlus",
+      "groupHint": "API key",
+      "optionKey": "byteplusApiKey",
+      "cliFlag": "--byteplus-api-key",
+      "cliOption": "--byteplus-api-key <key>",
+      "cliDescription": "BytePlus API key"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/cloudflare-ai-gateway/index.ts b/extensions/cloudflare-ai-gateway/index.ts
index 173c9eaf48b..4544a932faf 100644
--- a/extensions/cloudflare-ai-gateway/index.ts
+++ b/extensions/cloudflare-ai-gateway/index.ts
@@ -1,14 +1,29 @@
 import { emptyPluginConfigSchema, type OpenClawPluginApi } from "openclaw/plugin-sdk/core";
+import { upsertAuthProfile } from "../../src/agents/auth-profiles.js";
 import { ensureAuthProfileStore, listProfilesForProvider } from "../../src/agents/auth-profiles.js";
 import {
   buildCloudflareAiGatewayModelDefinition,
   resolveCloudflareAiGatewayBaseUrl,
 } from "../../src/agents/cloudflare-ai-gateway.js";
 import { resolveNonEnvSecretRefApiKeyMarker } from "../../src/agents/model-auth-markers.js";
+import {
+  normalizeApiKeyInput,
+  validateApiKeyInput,
+} from "../../src/commands/auth-choice.api-key.js";
+import { ensureApiKeyFromOptionEnvOrPrompt } from "../../src/commands/auth-choice.apply-helpers.js";
+import { buildApiKeyCredential } from "../../src/commands/onboard-auth.credentials.js";
+import {
+  applyCloudflareAiGatewayConfig,
+  applyAuthProfileConfig,
+  CLOUDFLARE_AI_GATEWAY_DEFAULT_MODEL_REF,
+} from "../../src/commands/onboard-auth.js";
+import type { SecretInput } from "../../src/config/types.secrets.js";
 import { coerceSecretRef } from "../../src/config/types.secrets.js";
+import { normalizeOptionalSecretInput } from "../../src/utils/normalize-secret-input.js";
 
 const PROVIDER_ID = "cloudflare-ai-gateway";
 const PROVIDER_ENV_VAR = "CLOUDFLARE_AI_GATEWAY_API_KEY";
+const PROFILE_ID = "cloudflare-ai-gateway:default";
 
 function resolveApiKeyFromCredential(
   cred: ReturnType<typeof ensureAuthProfileStore>["profiles"][string] | undefined,
@@ -26,6 +41,71 @@ function resolveApiKeyFromCredential(
   return cred.key?.trim() || undefined;
 }
 
+function resolveMetadataFromCredential(
+  cred: ReturnType<typeof ensureAuthProfileStore>["profiles"][string] | undefined,
+): { accountId?: string; gatewayId?: string } {
+  if (!cred || cred.type !== "api_key") {
+    return {};
+  }
+  return {
+    accountId: cred?.metadata?.accountId?.trim() || undefined,
+    gatewayId: cred?.metadata?.gatewayId?.trim() || undefined,
+  };
+}
+
+function buildCloudflareConfigPatch(params: { accountId: string; gatewayId: string }) {
+  const baseUrl = resolveCloudflareAiGatewayBaseUrl(params);
+  return {
+    models: {
+      providers: {
+        [PROVIDER_ID]: {
+          baseUrl,
+          api: "anthropic-messages" as const,
+          models: [buildCloudflareAiGatewayModelDefinition()],
+        },
+      },
+    },
+    agents: {
+      defaults: {
+        models: {
+          [CLOUDFLARE_AI_GATEWAY_DEFAULT_MODEL_REF]: {
+            alias: "Cloudflare AI Gateway",
+          },
+        },
+      },
+    },
+  };
+}
+
+async function resolveCloudflareGatewayMetadataInteractive(ctx: {
+  accountId?: string;
+  gatewayId?: string;
+  prompter: {
+    text: (params: {
+      message: string;
+      validate?: (value: unknown) => string | undefined;
+    }) => Promise<unknown>;
+  };
+}) {
+  let accountId = ctx.accountId?.trim() ?? "";
+  let gatewayId = ctx.gatewayId?.trim() ?? "";
+  if (!accountId) {
+    const value = await ctx.prompter.text({
+      message: "Enter Cloudflare Account ID",
+      validate: (val) => (String(val ?? "").trim() ? undefined : "Account ID is required"),
+    });
+    accountId = String(value ?? "").trim();
+  }
+  if (!gatewayId) {
+    const value = await ctx.prompter.text({
+      message: "Enter Cloudflare AI Gateway ID",
+      validate: (val) => (String(val ?? "").trim() ? undefined : "Gateway ID is required"),
+    });
+    gatewayId = String(value ?? "").trim();
+  }
+  return { accountId, gatewayId };
+}
+
 const cloudflareAiGatewayPlugin = {
   id: PROVIDER_ID,
   name: "Cloudflare AI Gateway Provider",
@@ -37,7 +117,121 @@ const cloudflareAiGatewayPlugin = {
       label: "Cloudflare AI Gateway",
       docsPath: "/providers/cloudflare-ai-gateway",
       envVars: ["CLOUDFLARE_AI_GATEWAY_API_KEY"],
-      auth: [],
+      auth: [
+        {
+          id: "api-key",
+          label: "Cloudflare AI Gateway",
+          hint: "Account ID + Gateway ID + API key",
+          kind: "api_key",
+          wizard: {
+            choiceId: "cloudflare-ai-gateway-api-key",
+            choiceLabel: "Cloudflare AI Gateway",
+            choiceHint: "Account ID + Gateway ID + API key",
+            groupId: "cloudflare-ai-gateway",
+            groupLabel: "Cloudflare AI Gateway",
+            groupHint: "Account ID + Gateway ID + API key",
+          },
+          run: async (ctx) => {
+            const metadata = await resolveCloudflareGatewayMetadataInteractive({
+              accountId: normalizeOptionalSecretInput(ctx.opts?.cloudflareAiGatewayAccountId),
+              gatewayId: normalizeOptionalSecretInput(ctx.opts?.cloudflareAiGatewayGatewayId),
+              prompter: ctx.prompter,
+            });
+            let capturedSecretInput: SecretInput | undefined;
+            let capturedCredential = false;
+            let capturedMode: "plaintext" | "ref" | undefined;
+            await ensureApiKeyFromOptionEnvOrPrompt({
+              token: normalizeOptionalSecretInput(ctx.opts?.cloudflareAiGatewayApiKey),
+              tokenProvider: "cloudflare-ai-gateway",
+              secretInputMode: ctx.secretInputMode,
+              config: ctx.config,
+              expectedProviders: [PROVIDER_ID],
+              provider: PROVIDER_ID,
+              envLabel: PROVIDER_ENV_VAR,
+              promptMessage: "Enter Cloudflare AI Gateway API key",
+              normalize: normalizeApiKeyInput,
+              validate: validateApiKeyInput,
+              prompter: ctx.prompter,
+              setCredential: async (apiKey, mode) => {
+                capturedSecretInput = apiKey;
+                capturedCredential = true;
+                capturedMode = mode;
+              },
+            });
+            if (!capturedCredential) {
+              throw new Error("Missing Cloudflare AI Gateway API key.");
+            }
+            const credentialInput = capturedSecretInput ?? "";
+            return {
+              profiles: [
+                {
+                  profileId: PROFILE_ID,
+                  credential: buildApiKeyCredential(
+                    PROVIDER_ID,
+                    credentialInput,
+                    {
+                      accountId: metadata.accountId,
+                      gatewayId: metadata.gatewayId,
+                    },
+                    capturedMode ? { secretInputMode: capturedMode } : undefined,
+                  ),
+                },
+              ],
+              configPatch: buildCloudflareConfigPatch(metadata),
+              defaultModel: CLOUDFLARE_AI_GATEWAY_DEFAULT_MODEL_REF,
+            };
+          },
+          runNonInteractive: async (ctx) => {
+            const authStore = ensureAuthProfileStore(ctx.agentDir, {
+              allowKeychainPrompt: false,
+            });
+            const storedMetadata = resolveMetadataFromCredential(authStore.profiles[PROFILE_ID]);
+            const accountId =
+              normalizeOptionalSecretInput(ctx.opts.cloudflareAiGatewayAccountId) ??
+              storedMetadata.accountId;
+            const gatewayId =
+              normalizeOptionalSecretInput(ctx.opts.cloudflareAiGatewayGatewayId) ??
+              storedMetadata.gatewayId;
+            if (!accountId || !gatewayId) {
+              ctx.runtime.error(
+                "Cloudflare AI Gateway setup requires --cloudflare-ai-gateway-account-id and --cloudflare-ai-gateway-gateway-id.",
+              );
+              ctx.runtime.exit(1);
+              return null;
+            }
+            const resolved = await ctx.resolveApiKey({
+              provider: PROVIDER_ID,
+              flagValue: normalizeOptionalSecretInput(ctx.opts.cloudflareAiGatewayApiKey),
+              flagName: "--cloudflare-ai-gateway-api-key",
+              envVar: PROVIDER_ENV_VAR,
+            });
+            if (!resolved) {
+              return null;
+            }
+            if (resolved.source !== "profile") {
+              const credential = ctx.toApiKeyCredential({
+                provider: PROVIDER_ID,
+                resolved,
+                metadata: { accountId, gatewayId },
+              });
+              if (!credential) {
+                return null;
+              }
+              upsertAuthProfile({
+                profileId: PROFILE_ID,
+                credential,
+                agentDir: ctx.agentDir,
+              });
+            }
+            const next = applyAuthProfileConfig(ctx.config, {
+              profileId: PROFILE_ID,
+              provider: PROVIDER_ID,
+              mode: "api_key",
+            });
+            return applyCloudflareAiGatewayConfig(next, { accountId, gatewayId });
+          },
+        },
+      ],
       catalog: {
         order: "late",
         run: async (ctx) => {
diff --git a/extensions/cloudflare-ai-gateway/openclaw.plugin.json b/extensions/cloudflare-ai-gateway/openclaw.plugin.json
index ca7810e1fd2..daa9d363b54 100644
--- a/extensions/cloudflare-ai-gateway/openclaw.plugin.json
+++ b/extensions/cloudflare-ai-gateway/openclaw.plugin.json
@@ -4,6 +4,22 @@
   "providerAuthEnvVars": {
     "cloudflare-ai-gateway": ["CLOUDFLARE_AI_GATEWAY_API_KEY"]
   },
+  "providerAuthChoices": [
+    {
+      "provider": "cloudflare-ai-gateway",
+      "method": "api-key",
+      "choiceId": "cloudflare-ai-gateway-api-key",
+      "choiceLabel": "Cloudflare AI Gateway",
+      "choiceHint": "Account ID + Gateway ID + API key",
+      "groupId": "cloudflare-ai-gateway",
+      "groupLabel": "Cloudflare AI Gateway",
+      "groupHint": "Account ID + Gateway ID + API key",
+      "optionKey": "cloudflareAiGatewayApiKey",
+      "cliFlag": "--cloudflare-ai-gateway-api-key",
+      "cliOption": "--cloudflare-ai-gateway-api-key <key>",
+      "cliDescription": "Cloudflare AI Gateway API key"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/copilot-proxy/openclaw.plugin.json b/extensions/copilot-proxy/openclaw.plugin.json
index 90e2011f014..88b5ee0e7b3 100644
--- a/extensions/copilot-proxy/openclaw.plugin.json
+++ b/extensions/copilot-proxy/openclaw.plugin.json
@@ -1,6 +1,18 @@
 {
   "id": "copilot-proxy",
   "providers": ["copilot-proxy"],
+  "providerAuthChoices": [
+    {
+      "provider": "copilot-proxy",
+      "method": "local",
+      "choiceId": "copilot-proxy",
+      "choiceLabel": "Copilot Proxy",
+      "choiceHint": "Configure base URL + model ids",
+      "groupId": "copilot",
+      "groupLabel": "Copilot",
+      "groupHint": "GitHub + local proxy"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/github-copilot/openclaw.plugin.json b/extensions/github-copilot/openclaw.plugin.json
index a6cb5b7f4b5..ec05c52b48c 100644
--- a/extensions/github-copilot/openclaw.plugin.json
+++ b/extensions/github-copilot/openclaw.plugin.json
@@ -4,6 +4,18 @@
   "providerAuthEnvVars": {
     "github-copilot": ["COPILOT_GITHUB_TOKEN", "GH_TOKEN", "GITHUB_TOKEN"]
   },
+  "providerAuthChoices": [
+    {
+      "provider": "github-copilot",
+      "method": "device",
+      "choiceId": "github-copilot",
+      "choiceLabel": "GitHub Copilot",
+      "choiceHint": "Device login with your GitHub account",
+      "groupId": "copilot",
+      "groupLabel": "Copilot",
+      "groupHint": "GitHub + local proxy"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/google/openclaw.plugin.json b/extensions/google/openclaw.plugin.json
index 0d64bb18c14..b779c292375 100644
--- a/extensions/google/openclaw.plugin.json
+++ b/extensions/google/openclaw.plugin.json
@@ -4,6 +4,31 @@
   "providerAuthEnvVars": {
     "google": ["GEMINI_API_KEY", "GOOGLE_API_KEY"]
   },
+  "providerAuthChoices": [
+    {
+      "provider": "google",
+      "method": "api-key",
+      "choiceId": "gemini-api-key",
+      "choiceLabel": "Google Gemini API key",
+      "groupId": "google",
+      "groupLabel": "Google",
+      "groupHint": "Gemini API key + OAuth",
+      "optionKey": "geminiApiKey",
+      "cliFlag": "--gemini-api-key",
+      "cliOption": "--gemini-api-key <key>",
+      "cliDescription": "Gemini API key"
+    },
+    {
+      "provider": "google-gemini-cli",
+      "method": "oauth",
+      "choiceId": "google-gemini-cli",
+      "choiceLabel": "Gemini CLI OAuth",
+      "choiceHint": "Google OAuth with project-aware token payload",
+      "groupId": "google",
+      "groupLabel": "Google",
+      "groupHint": "Gemini API key + OAuth"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/huggingface/index.ts b/extensions/huggingface/index.ts
index c6407954811..c1cea578349 100644
--- a/extensions/huggingface/index.ts
+++ b/extensions/huggingface/index.ts
@@ -1,5 +1,10 @@
 import { emptyPluginConfigSchema, type OpenClawPluginApi } from "openclaw/plugin-sdk/core";
 import { buildHuggingfaceProvider } from "../../src/agents/models-config.providers.discovery.js";
+import {
+  applyHuggingfaceConfig,
+  HUGGINGFACE_DEFAULT_MODEL_REF,
+} from "../../src/commands/onboard-auth.js";
+import { createProviderApiKeyAuthMethod } from "../../src/plugins/provider-api-key-auth.js";
 
 const PROVIDER_ID = "huggingface";
 
@@ -14,7 +19,29 @@ const huggingfacePlugin = {
       label: "Hugging Face",
       docsPath: "/providers/huggingface",
       envVars: ["HUGGINGFACE_HUB_TOKEN", "HF_TOKEN"],
-      auth: [],
+      auth: [
+        createProviderApiKeyAuthMethod({
+          providerId: PROVIDER_ID,
+          methodId: "api-key",
+          label: "Hugging Face API key",
+          hint: "Inference API (HF token)",
+          optionKey: "huggingfaceApiKey",
+          flagName: "--huggingface-api-key",
+          envVar: "HUGGINGFACE_HUB_TOKEN",
+          promptMessage: "Enter Hugging Face API key",
+          defaultModel: HUGGINGFACE_DEFAULT_MODEL_REF,
+          expectedProviders: ["huggingface"],
+          applyConfig: (cfg) => applyHuggingfaceConfig(cfg),
+          wizard: {
+            choiceId: "huggingface-api-key",
+            choiceLabel: "Hugging Face API key",
+            choiceHint: "Inference API (HF token)",
+            groupId: "huggingface",
+            groupLabel: "Hugging Face",
+            groupHint: "Inference API (HF token)",
+          },
+        }),
+      ],
       catalog: {
         order: "simple",
         run: async (ctx) => {
diff --git a/extensions/huggingface/openclaw.plugin.json b/extensions/huggingface/openclaw.plugin.json
index 67a34124d0a..84d8fd0e6bf 100644
--- a/extensions/huggingface/openclaw.plugin.json
+++ b/extensions/huggingface/openclaw.plugin.json
@@ -4,6 +4,22 @@
   "providerAuthEnvVars": {
     "huggingface": ["HUGGINGFACE_HUB_TOKEN", "HF_TOKEN"]
   },
+  "providerAuthChoices": [
+    {
+      "provider": "huggingface",
+      "method": "api-key",
+      "choiceId": "huggingface-api-key",
+      "choiceLabel": "Hugging Face API key",
+      "choiceHint": "Inference API (HF token)",
+      "groupId": "huggingface",
+      "groupLabel": "Hugging Face",
+      "groupHint": "Inference API (HF token)",
+      "optionKey": "huggingfaceApiKey",
+      "cliFlag": "--huggingface-api-key",
+      "cliOption": "--huggingface-api-key <key>",
+      "cliDescription": "Hugging Face API key (HF token)"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/kilocode/index.ts b/extensions/kilocode/index.ts
index 10fc30f67d4..5fff1fd061b 100644
--- a/extensions/kilocode/index.ts
+++ b/extensions/kilocode/index.ts
@@ -4,6 +4,11 @@ import {
   createKilocodeWrapper,
   isProxyReasoningUnsupported,
 } from "../../src/agents/pi-embedded-runner/proxy-stream-wrappers.js";
+import {
+  applyKilocodeConfig,
+  KILOCODE_DEFAULT_MODEL_REF,
+} from "../../src/commands/onboard-auth.js";
+import { createProviderApiKeyAuthMethod } from "../../src/plugins/provider-api-key-auth.js";
 
 const PROVIDER_ID = "kilocode";
 
@@ -18,7 +23,28 @@ const kilocodePlugin = {
       label: "Kilo Gateway",
       docsPath: "/providers/kilocode",
       envVars: ["KILOCODE_API_KEY"],
-      auth: [],
+      auth: [
+        createProviderApiKeyAuthMethod({
+          providerId: PROVIDER_ID,
+          methodId: "api-key",
+          label: "Kilo Gateway API key",
+          hint: "API key (OpenRouter-compatible)",
+          optionKey: "kilocodeApiKey",
+          flagName: "--kilocode-api-key",
+          envVar: "KILOCODE_API_KEY",
+          promptMessage: "Enter Kilo Gateway API key",
+          defaultModel: KILOCODE_DEFAULT_MODEL_REF,
+          expectedProviders: ["kilocode"],
+          applyConfig: (cfg) => applyKilocodeConfig(cfg),
+          wizard: {
+            choiceId: "kilocode-api-key",
+            choiceLabel: "Kilo Gateway API key",
+            groupId: "kilocode",
+            groupLabel: "Kilo Gateway",
+            groupHint: "API key (OpenRouter-compatible)",
+          },
+        }),
+      ],
       catalog: {
         order: "simple",
         run: async (ctx) => {
diff --git a/extensions/kilocode/openclaw.plugin.json b/extensions/kilocode/openclaw.plugin.json
index 6e3e39aec27..3aa51875bb6 100644
--- a/extensions/kilocode/openclaw.plugin.json
+++ b/extensions/kilocode/openclaw.plugin.json
@@ -4,6 +4,22 @@
   "providerAuthEnvVars": {
     "kilocode": ["KILOCODE_API_KEY"]
   },
+  "providerAuthChoices": [
+    {
+      "provider": "kilocode",
+      "method": "api-key",
+      "choiceId": "kilocode-api-key",
+      "choiceLabel": "Kilo Gateway API key",
+      "choiceHint": "API key (OpenRouter-compatible)",
+      "groupId": "kilocode",
+      "groupLabel": "Kilo Gateway",
+      "groupHint": "API key (OpenRouter-compatible)",
+      "optionKey": "kilocodeApiKey",
+      "cliFlag": "--kilocode-api-key",
+      "cliOption": "--kilocode-api-key <key>",
+      "cliDescription": "Kilo Gateway API key"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/kimi-coding/index.ts b/extensions/kimi-coding/index.ts
index d6e6e1d74a7..853eee98bef 100644
--- a/extensions/kimi-coding/index.ts
+++ b/extensions/kimi-coding/index.ts
@@ -1,5 +1,7 @@
 import { emptyPluginConfigSchema, type OpenClawPluginApi } from "openclaw/plugin-sdk/core";
 import { buildKimiCodingProvider } from "../../src/agents/models-config.providers.static.js";
+import { applyKimiCodeConfig, KIMI_CODING_MODEL_REF } from "../../src/commands/onboard-auth.js";
+import { createProviderApiKeyAuthMethod } from "../../src/plugins/provider-api-key-auth.js";
 import { isRecord } from "../../src/utils.js";
 
 const PROVIDER_ID = "kimi-coding";
@@ -16,7 +18,33 @@ const kimiCodingPlugin = {
       aliases: ["kimi-code"],
       docsPath: "/providers/moonshot",
       envVars: ["KIMI_API_KEY", "KIMICODE_API_KEY"],
-      auth: [],
+      auth: [
+        createProviderApiKeyAuthMethod({
+          providerId: PROVIDER_ID,
+          methodId: "api-key",
+          label: "Kimi Code API key (subscription)",
+          hint: "Kimi K2.5 + Kimi Coding",
+          optionKey: "kimiCodeApiKey",
+          flagName: "--kimi-code-api-key",
+          envVar: "KIMI_API_KEY",
+          promptMessage: "Enter Kimi Coding API key",
+          defaultModel: KIMI_CODING_MODEL_REF,
+          expectedProviders: ["kimi-code", "kimi-coding"],
+          applyConfig: (cfg) => applyKimiCodeConfig(cfg),
+          noteMessage: [
+            "Kimi Coding uses a dedicated endpoint and API key.",
+            "Get your API key at: https://www.kimi.com/code/en",
+          ].join("\n"),
+          noteTitle: "Kimi Coding",
+          wizard: {
+            choiceId: "kimi-code-api-key",
+            choiceLabel: "Kimi Code API key (subscription)",
+            groupId: "moonshot",
+            groupLabel: "Moonshot AI (Kimi K2.5)",
+            groupHint: "Kimi K2.5 + Kimi Coding",
+          },
+        }),
+      ],
       catalog: {
         order: "simple",
         run: async (ctx) => {
diff --git a/extensions/kimi-coding/openclaw.plugin.json b/extensions/kimi-coding/openclaw.plugin.json
index 0664e7ae6df..c86d7211031 100644
--- a/extensions/kimi-coding/openclaw.plugin.json
+++ b/extensions/kimi-coding/openclaw.plugin.json
@@ -4,6 +4,21 @@
   "providerAuthEnvVars": {
     "kimi-coding": ["KIMI_API_KEY", "KIMICODE_API_KEY"]
   },
+  "providerAuthChoices": [
+    {
+      "provider": "kimi-coding",
+      "method": "api-key",
+      "choiceId": "kimi-code-api-key",
+      "choiceLabel": "Kimi Code API key (subscription)",
+      "groupId": "moonshot",
+      "groupLabel": "Moonshot AI (Kimi K2.5)",
+      "groupHint": "Kimi K2.5 + Kimi Coding",
+      "optionKey": "kimiCodeApiKey",
+      "cliFlag": "--kimi-code-api-key",
+      "cliOption": "--kimi-code-api-key <key>",
+      "cliDescription": "Kimi Coding API key"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/minimax/openclaw.plugin.json b/extensions/minimax/openclaw.plugin.json
index 8934580b36b..848ce80699a 100644
--- a/extensions/minimax/openclaw.plugin.json
+++ b/extensions/minimax/openclaw.plugin.json
@@ -5,6 +5,56 @@
     "minimax": ["MINIMAX_API_KEY"],
     "minimax-portal": ["MINIMAX_OAUTH_TOKEN", "MINIMAX_API_KEY"]
   },
+  "providerAuthChoices": [
+    {
+      "provider": "minimax-portal",
+      "method": "oauth",
+      "choiceId": "minimax-global-oauth",
+      "choiceLabel": "MiniMax OAuth (Global)",
+      "choiceHint": "Global endpoint - api.minimax.io",
+      "groupId": "minimax",
+      "groupLabel": "MiniMax",
+      "groupHint": "M2.5 (recommended)"
+    },
+    {
+      "provider": "minimax",
+      "method": "api-global",
+      "choiceId": "minimax-global-api",
+      "choiceLabel": "MiniMax API key (Global)",
+      "choiceHint": "Global endpoint - api.minimax.io",
+      "groupId": "minimax",
+      "groupLabel": "MiniMax",
+      "groupHint": "M2.5 (recommended)",
+      "optionKey": "minimaxApiKey",
+      "cliFlag": "--minimax-api-key",
+      "cliOption": "--minimax-api-key <key>",
+      "cliDescription": "MiniMax API key"
+    },
+    {
+      "provider": "minimax-portal",
+      "method": "oauth-cn",
+      "choiceId": "minimax-cn-oauth",
+      "choiceLabel": "MiniMax OAuth (CN)",
+      "choiceHint": "CN endpoint - api.minimaxi.com",
+      "groupId": "minimax",
+      "groupLabel": "MiniMax",
+      "groupHint": "M2.5 (recommended)"
+    },
+    {
+      "provider": "minimax",
+      "method": "api-cn",
+      "choiceId": "minimax-cn-api",
+      "choiceLabel": "MiniMax API key (CN)",
+      "choiceHint": "CN endpoint - api.minimaxi.com",
+      "groupId": "minimax",
+      "groupLabel": "MiniMax",
+      "groupHint": "M2.5 (recommended)",
+      "optionKey": "minimaxApiKey",
+      "cliFlag": "--minimax-api-key",
+      "cliOption": "--minimax-api-key <key>",
+      "cliDescription": "MiniMax API key"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/mistral/index.ts b/extensions/mistral/index.ts
index 355c957282b..56e24f8560c 100644
--- a/extensions/mistral/index.ts
+++ b/extensions/mistral/index.ts
@@ -1,4 +1,6 @@
 import { emptyPluginConfigSchema, type OpenClawPluginApi } from "openclaw/plugin-sdk/core";
+import { applyMistralConfig, MISTRAL_DEFAULT_MODEL_REF } from "../../src/commands/onboard-auth.js";
+import { createProviderApiKeyAuthMethod } from "../../src/plugins/provider-api-key-auth.js";
 
 const PROVIDER_ID = "mistral";
 
@@ -13,7 +15,28 @@ const mistralPlugin = {
       label: "Mistral",
       docsPath: "/providers/models",
       envVars: ["MISTRAL_API_KEY"],
-      auth: [],
+      auth: [
+        createProviderApiKeyAuthMethod({
+          providerId: PROVIDER_ID,
+          methodId: "api-key",
+          label: "Mistral API key",
+          hint: "API key",
+          optionKey: "mistralApiKey",
+          flagName: "--mistral-api-key",
+          envVar: "MISTRAL_API_KEY",
+          promptMessage: "Enter Mistral API key",
+          defaultModel: MISTRAL_DEFAULT_MODEL_REF,
+          expectedProviders: ["mistral"],
+          applyConfig: (cfg) => applyMistralConfig(cfg),
+          wizard: {
+            choiceId: "mistral-api-key",
+            choiceLabel: "Mistral API key",
+            groupId: "mistral",
+            groupLabel: "Mistral AI",
+            groupHint: "API key",
+          },
+        }),
+      ],
       capabilities: {
         transcriptToolCallIdMode: "strict9",
         transcriptToolCallIdModelHints: [
diff --git a/extensions/mistral/openclaw.plugin.json b/extensions/mistral/openclaw.plugin.json
index 480c09417d0..93f115cf719 100644
--- a/extensions/mistral/openclaw.plugin.json
+++ b/extensions/mistral/openclaw.plugin.json
@@ -4,6 +4,21 @@
   "providerAuthEnvVars": {
     "mistral": ["MISTRAL_API_KEY"]
   },
+  "providerAuthChoices": [
+    {
+      "provider": "mistral",
+      "method": "api-key",
+      "choiceId": "mistral-api-key",
+      "choiceLabel": "Mistral API key",
+      "groupId": "mistral",
+      "groupLabel": "Mistral AI",
+      "groupHint": "API key",
+      "optionKey": "mistralApiKey",
+      "cliFlag": "--mistral-api-key",
+      "cliOption": "--mistral-api-key <key>",
+      "cliDescription": "Mistral API key"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/modelstudio/index.ts b/extensions/modelstudio/index.ts
index 487f14498b1..2e3e7c6b3c8 100644
--- a/extensions/modelstudio/index.ts
+++ b/extensions/modelstudio/index.ts
@@ -1,5 +1,11 @@
 import { emptyPluginConfigSchema, type OpenClawPluginApi } from "openclaw/plugin-sdk/core";
 import { buildModelStudioProvider } from "../../src/agents/models-config.providers.static.js";
+import {
+  applyModelStudioConfig,
+  applyModelStudioConfigCn,
+  MODELSTUDIO_DEFAULT_MODEL_REF,
+} from "../../src/commands/onboard-auth.js";
+import { createProviderApiKeyAuthMethod } from "../../src/plugins/provider-api-key-auth.js";
 
 const PROVIDER_ID = "modelstudio";
 
@@ -14,7 +20,62 @@ const modelStudioPlugin = {
       label: "Model Studio",
       docsPath: "/providers/models",
       envVars: ["MODELSTUDIO_API_KEY"],
-      auth: [],
+      auth: [
+        createProviderApiKeyAuthMethod({
+          providerId: PROVIDER_ID,
+          methodId: "api-key-cn",
+          label: "Coding Plan API Key for China (subscription)",
+          hint: "Endpoint: coding.dashscope.aliyuncs.com",
+          optionKey: "modelstudioApiKeyCn",
+          flagName: "--modelstudio-api-key-cn",
+          envVar: "MODELSTUDIO_API_KEY",
+          promptMessage: "Enter Alibaba Cloud Model Studio Coding Plan API key (China)",
+          defaultModel: MODELSTUDIO_DEFAULT_MODEL_REF,
+          expectedProviders: ["modelstudio"],
+          applyConfig: (cfg) => applyModelStudioConfigCn(cfg),
+          noteMessage: [
+            "Get your API key at: https://bailian.console.aliyun.com/",
+            "Endpoint: coding.dashscope.aliyuncs.com",
+            "Models: qwen3.5-plus, glm-4.7, kimi-k2.5, MiniMax-M2.5, etc.",
+          ].join("\n"),
+          noteTitle: "Alibaba Cloud Model Studio Coding Plan (China)",
+          wizard: {
+            choiceId: "modelstudio-api-key-cn",
+            choiceLabel: "Coding Plan API Key for China (subscription)",
+            choiceHint: "Endpoint: coding.dashscope.aliyuncs.com",
+            groupId: "modelstudio",
+            groupLabel: "Alibaba Cloud Model Studio",
+            groupHint: "Coding Plan API key (CN / Global)",
+          },
+        }),
+        createProviderApiKeyAuthMethod({
+          providerId: PROVIDER_ID,
+          methodId: "api-key",
+          label: "Coding Plan API Key for Global/Intl (subscription)",
+          hint: "Endpoint: coding-intl.dashscope.aliyuncs.com",
+          optionKey: "modelstudioApiKey",
+          flagName: "--modelstudio-api-key",
+          envVar: "MODELSTUDIO_API_KEY",
+          promptMessage: "Enter Alibaba Cloud Model Studio Coding Plan API key (Global/Intl)",
+          defaultModel: MODELSTUDIO_DEFAULT_MODEL_REF,
+          expectedProviders: ["modelstudio"],
+          applyConfig: (cfg) => applyModelStudioConfig(cfg),
+          noteMessage: [
+            "Get your API key at: https://bailian.console.aliyun.com/",
+            "Endpoint: coding-intl.dashscope.aliyuncs.com",
+            "Models: qwen3.5-plus, glm-4.7, kimi-k2.5, MiniMax-M2.5, etc.",
+          ].join("\n"),
+          noteTitle: "Alibaba Cloud Model Studio Coding Plan (Global/Intl)",
+          wizard: {
+            choiceId: "modelstudio-api-key",
+            choiceLabel: "Coding Plan API Key for Global/Intl (subscription)",
+            choiceHint: "Endpoint: coding-intl.dashscope.aliyuncs.com",
+            groupId: "modelstudio",
+            groupLabel: "Alibaba Cloud Model Studio",
+            groupHint: "Coding Plan API key (CN / Global)",
+          },
+        }),
+      ],
       catalog: {
         order: "simple",
         run: async (ctx) => {
diff --git a/extensions/modelstudio/openclaw.plugin.json b/extensions/modelstudio/openclaw.plugin.json
index 5cc87ad1b54..e6c20db50c7 100644
--- a/extensions/modelstudio/openclaw.plugin.json
+++ b/extensions/modelstudio/openclaw.plugin.json
@@ -4,6 +4,36 @@
   "providerAuthEnvVars": {
     "modelstudio": ["MODELSTUDIO_API_KEY"]
   },
+  "providerAuthChoices": [
+    {
+      "provider": "modelstudio",
+      "method": "api-key-cn",
+      "choiceId": "modelstudio-api-key-cn",
+      "choiceLabel": "Coding Plan API Key for China (subscription)",
+      "choiceHint": "Endpoint: coding.dashscope.aliyuncs.com",
+      "groupId": "modelstudio",
+      "groupLabel": "Alibaba Cloud Model Studio",
+      "groupHint": "Coding Plan API key (CN / Global)",
+      "optionKey": "modelstudioApiKeyCn",
+      "cliFlag": "--modelstudio-api-key-cn",
+      "cliOption": "--modelstudio-api-key-cn <key>",
+      "cliDescription": "Alibaba Cloud Model Studio Coding Plan API key (China)"
+    },
+    {
+      "provider": "modelstudio",
+      "method": "api-key",
+      "choiceId": "modelstudio-api-key",
+      "choiceLabel": "Coding Plan API Key for Global/Intl (subscription)",
+      "choiceHint": "Endpoint: coding-intl.dashscope.aliyuncs.com",
+      "groupId": "modelstudio",
+      "groupLabel": "Alibaba Cloud Model Studio",
+      "groupHint": "Coding Plan API key (CN / Global)",
+      "optionKey": "modelstudioApiKey",
+      "cliFlag": "--modelstudio-api-key",
+      "cliOption": "--modelstudio-api-key <key>",
+      "cliDescription": "Alibaba Cloud Model Studio Coding Plan API key (Global/Intl)"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/moonshot/index.ts b/extensions/moonshot/index.ts
index 44f77d7b56b..3b57a5134ba 100644
--- a/extensions/moonshot/index.ts
+++ b/extensions/moonshot/index.ts
@@ -8,7 +8,13 @@ import {
   getScopedCredentialValue,
   setScopedCredentialValue,
 } from "../../src/agents/tools/web-search-plugin-factory.js";
+import {
+  applyMoonshotConfig,
+  applyMoonshotConfigCn,
+} from "../../src/commands/onboard-auth.config-core.js";
+import { MOONSHOT_DEFAULT_MODEL_REF } from "../../src/commands/onboard-auth.models.js";
 import { emptyPluginConfigSchema } from "../../src/plugins/config-schema.js";
+import { createProviderApiKeyAuthMethod } from "../../src/plugins/provider-api-key-auth.js";
 import type { OpenClawPluginApi } from "../../src/plugins/types.js";
 
 const PROVIDER_ID = "moonshot";
@@ -24,7 +30,48 @@ const moonshotPlugin = {
       label: "Moonshot",
       docsPath: "/providers/moonshot",
       envVars: ["MOONSHOT_API_KEY"],
-      auth: [],
+      auth: [
+        createProviderApiKeyAuthMethod({
+          providerId: PROVIDER_ID,
+          methodId: "api-key",
+          label: "Kimi API key (.ai)",
+          hint: "Kimi K2.5 + Kimi Coding",
+          optionKey: "moonshotApiKey",
+          flagName: "--moonshot-api-key",
+          envVar: "MOONSHOT_API_KEY",
+          promptMessage: "Enter Moonshot API key",
+          defaultModel: MOONSHOT_DEFAULT_MODEL_REF,
+          expectedProviders: ["moonshot"],
+          applyConfig: (cfg) => applyMoonshotConfig(cfg),
+          wizard: {
+            choiceId: "moonshot-api-key",
+            choiceLabel: "Kimi API key (.ai)",
+            groupId: "moonshot",
+            groupLabel: "Moonshot AI (Kimi K2.5)",
+            groupHint: "Kimi K2.5 + Kimi Coding",
+          },
+        }),
+        createProviderApiKeyAuthMethod({
+          providerId: PROVIDER_ID,
+          methodId: "api-key-cn",
+          label: "Kimi API key (.cn)",
+          hint: "Kimi K2.5 + Kimi Coding",
+          optionKey: "moonshotApiKey",
+          flagName: "--moonshot-api-key",
+          envVar: "MOONSHOT_API_KEY",
+          promptMessage: "Enter Moonshot API key (.cn)",
+          defaultModel: MOONSHOT_DEFAULT_MODEL_REF,
+          expectedProviders: ["moonshot"],
+          applyConfig: (cfg) => applyMoonshotConfigCn(cfg),
+          wizard: {
+            choiceId: "moonshot-api-key-cn",
+            choiceLabel: "Kimi API key (.cn)",
+            groupId: "moonshot",
+            groupLabel: "Moonshot AI (Kimi K2.5)",
+            groupHint: "Kimi K2.5 + Kimi Coding",
+          },
+        }),
+      ],
       catalog: {
         order: "simple",
         run: async (ctx) => {
diff --git a/extensions/moonshot/openclaw.plugin.json b/extensions/moonshot/openclaw.plugin.json
index 542ae46fead..cad9e255a2b 100644
--- a/extensions/moonshot/openclaw.plugin.json
+++ b/extensions/moonshot/openclaw.plugin.json
@@ -4,6 +4,34 @@
   "providerAuthEnvVars": {
     "moonshot": ["MOONSHOT_API_KEY"]
   },
+  "providerAuthChoices": [
+    {
+      "provider": "moonshot",
+      "method": "api-key",
+      "choiceId": "moonshot-api-key",
+      "choiceLabel": "Kimi API key (.ai)",
+      "groupId": "moonshot",
+      "groupLabel": "Moonshot AI (Kimi K2.5)",
+      "groupHint": "Kimi K2.5 + Kimi Coding",
+      "optionKey": "moonshotApiKey",
+      "cliFlag": "--moonshot-api-key",
+      "cliOption": "--moonshot-api-key <key>",
+      "cliDescription": "Moonshot API key"
+    },
+    {
+      "provider": "moonshot",
+      "method": "api-key-cn",
+      "choiceId": "moonshot-api-key-cn",
+      "choiceLabel": "Kimi API key (.cn)",
+      "groupId": "moonshot",
+      "groupLabel": "Moonshot AI (Kimi K2.5)",
+      "groupHint": "Kimi K2.5 + Kimi Coding",
+      "optionKey": "moonshotApiKey",
+      "cliFlag": "--moonshot-api-key",
+      "cliOption": "--moonshot-api-key <key>",
+      "cliDescription": "Moonshot API key"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/ollama/openclaw.plugin.json b/extensions/ollama/openclaw.plugin.json
index b644e105b84..bace5f2816f 100644
--- a/extensions/ollama/openclaw.plugin.json
+++ b/extensions/ollama/openclaw.plugin.json
@@ -4,6 +4,18 @@
   "providerAuthEnvVars": {
     "ollama": ["OLLAMA_API_KEY"]
   },
+  "providerAuthChoices": [
+    {
+      "provider": "ollama",
+      "method": "local",
+      "choiceId": "ollama",
+      "choiceLabel": "Ollama",
+      "choiceHint": "Cloud and local open models",
+      "groupId": "ollama",
+      "groupLabel": "Ollama",
+      "groupHint": "Cloud and local open models"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/openai/openclaw.plugin.json b/extensions/openai/openclaw.plugin.json
index 4b0ae0efc31..6a492ec3cae 100644
--- a/extensions/openai/openclaw.plugin.json
+++ b/extensions/openai/openclaw.plugin.json
@@ -4,6 +4,31 @@
   "providerAuthEnvVars": {
     "openai": ["OPENAI_API_KEY"]
   },
+  "providerAuthChoices": [
+    {
+      "provider": "openai-codex",
+      "method": "oauth",
+      "choiceId": "openai-codex",
+      "choiceLabel": "OpenAI Codex (ChatGPT OAuth)",
+      "choiceHint": "Browser sign-in",
+      "groupId": "openai",
+      "groupLabel": "OpenAI",
+      "groupHint": "Codex OAuth + API key"
+    },
+    {
+      "provider": "openai",
+      "method": "api-key",
+      "choiceId": "openai-api-key",
+      "choiceLabel": "OpenAI API key",
+      "groupId": "openai",
+      "groupLabel": "OpenAI",
+      "groupHint": "Codex OAuth + API key",
+      "optionKey": "openaiApiKey",
+      "cliFlag": "--openai-api-key",
+      "cliOption": "--openai-api-key <key>",
+      "cliDescription": "OpenAI API key"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/opencode-go/index.ts b/extensions/opencode-go/index.ts
index 87e52eab53e..2027f9ad05d 100644
--- a/extensions/opencode-go/index.ts
+++ b/extensions/opencode-go/index.ts
@@ -1,4 +1,7 @@
 import { emptyPluginConfigSchema, type OpenClawPluginApi } from "openclaw/plugin-sdk/core";
+import { applyOpencodeGoConfig } from "../../src/commands/onboard-auth.config-opencode-go.js";
+import { OPENCODE_GO_DEFAULT_MODEL_REF } from "../../src/commands/opencode-go-model-default.js";
+import { createProviderApiKeyAuthMethod } from "../../src/plugins/provider-api-key-auth.js";
 
 const PROVIDER_ID = "opencode-go";
 
@@ -13,7 +16,34 @@ const opencodeGoPlugin = {
       label: "OpenCode Go",
       docsPath: "/providers/models",
       envVars: ["OPENCODE_API_KEY", "OPENCODE_ZEN_API_KEY"],
-      auth: [],
+      auth: [
+        createProviderApiKeyAuthMethod({
+          providerId: PROVIDER_ID,
+          methodId: "api-key",
+          label: "OpenCode Go catalog",
+          hint: "Shared API key for Zen + Go catalogs",
+          optionKey: "opencodeGoApiKey",
+          flagName: "--opencode-go-api-key",
+          envVar: "OPENCODE_API_KEY",
+          promptMessage: "Enter OpenCode API key",
+          defaultModel: OPENCODE_GO_DEFAULT_MODEL_REF,
+          expectedProviders: ["opencode", "opencode-go"],
+          applyConfig: (cfg) => applyOpencodeGoConfig(cfg),
+          noteMessage: [
+            "OpenCode uses one API key across the Zen and Go catalogs.",
+            "Go focuses on Kimi, GLM, and MiniMax coding models.",
+            "Get your API key at: https://opencode.ai/auth",
+          ].join("\n"),
+          noteTitle: "OpenCode",
+          wizard: {
+            choiceId: "opencode-go",
+            choiceLabel: "OpenCode Go catalog",
+            groupId: "opencode",
+            groupLabel: "OpenCode",
+            groupHint: "Shared API key for Zen + Go catalogs",
+          },
+        }),
+      ],
       capabilities: {
         openAiCompatTurnValidation: false,
         geminiThoughtSignatureSanitization: true,
diff --git a/extensions/opencode-go/openclaw.plugin.json b/extensions/opencode-go/openclaw.plugin.json
index d264f4acdb6..9972dc633ff 100644
--- a/extensions/opencode-go/openclaw.plugin.json
+++ b/extensions/opencode-go/openclaw.plugin.json
@@ -4,6 +4,21 @@
   "providerAuthEnvVars": {
     "opencode-go": ["OPENCODE_API_KEY", "OPENCODE_ZEN_API_KEY"]
   },
+  "providerAuthChoices": [
+    {
+      "provider": "opencode-go",
+      "method": "api-key",
+      "choiceId": "opencode-go",
+      "choiceLabel": "OpenCode Go catalog",
+      "groupId": "opencode",
+      "groupLabel": "OpenCode",
+      "groupHint": "Shared API key for Zen + Go catalogs",
+      "optionKey": "opencodeGoApiKey",
+      "cliFlag": "--opencode-go-api-key",
+      "cliOption": "--opencode-go-api-key <key>",
+      "cliDescription": "OpenCode API key (Go catalog)"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/opencode/index.ts b/extensions/opencode/index.ts
index c800961ab36..008afe4091c 100644
--- a/extensions/opencode/index.ts
+++ b/extensions/opencode/index.ts
@@ -1,4 +1,7 @@
 import { emptyPluginConfigSchema, type OpenClawPluginApi } from "openclaw/plugin-sdk/core";
+import { applyOpencodeZenConfig } from "../../src/commands/onboard-auth.config-opencode.js";
+import { OPENCODE_ZEN_DEFAULT_MODEL } from "../../src/commands/opencode-zen-model-default.js";
+import { createProviderApiKeyAuthMethod } from "../../src/plugins/provider-api-key-auth.js";
 
 const PROVIDER_ID = "opencode";
 const MINIMAX_PREFIX = "minimax-m2.5";
@@ -22,7 +25,35 @@ const opencodePlugin = {
       label: "OpenCode Zen",
       docsPath: "/providers/models",
       envVars: ["OPENCODE_API_KEY", "OPENCODE_ZEN_API_KEY"],
-      auth: [],
+      auth: [
+        createProviderApiKeyAuthMethod({
+          providerId: PROVIDER_ID,
+          methodId: "api-key",
+          label: "OpenCode Zen catalog",
+          hint: "Shared API key for Zen + Go catalogs",
+          optionKey: "opencodeZenApiKey",
+          flagName: "--opencode-zen-api-key",
+          envVar: "OPENCODE_API_KEY",
+          promptMessage: "Enter OpenCode API key",
+          defaultModel: OPENCODE_ZEN_DEFAULT_MODEL,
+          expectedProviders: ["opencode", "opencode-go"],
+          applyConfig: (cfg) => applyOpencodeZenConfig(cfg),
+          noteMessage: [
+            "OpenCode uses one API key across the Zen and Go catalogs.",
+            "Zen provides access to Claude, GPT, Gemini, and more models.",
+            "Get your API key at: https://opencode.ai/auth",
+            "Choose the Zen catalog when you want the curated multi-model proxy.",
+          ].join("\n"),
+          noteTitle: "OpenCode",
+          wizard: {
+            choiceId: "opencode-zen",
+            choiceLabel: "OpenCode Zen catalog",
+            groupId: "opencode",
+            groupLabel: "OpenCode",
+            groupHint: "Shared API key for Zen + Go catalogs",
+          },
+        }),
+      ],
       capabilities: {
         openAiCompatTurnValidation: false,
         geminiThoughtSignatureSanitization: true,
diff --git a/extensions/opencode/openclaw.plugin.json b/extensions/opencode/openclaw.plugin.json
index 68608e6abd1..9352896340b 100644
--- a/extensions/opencode/openclaw.plugin.json
+++ b/extensions/opencode/openclaw.plugin.json
@@ -4,6 +4,21 @@
   "providerAuthEnvVars": {
     "opencode": ["OPENCODE_API_KEY", "OPENCODE_ZEN_API_KEY"]
   },
+  "providerAuthChoices": [
+    {
+      "provider": "opencode",
+      "method": "api-key",
+      "choiceId": "opencode-zen",
+      "choiceLabel": "OpenCode Zen catalog",
+      "groupId": "opencode",
+      "groupLabel": "OpenCode",
+      "groupHint": "Shared API key for Zen + Go catalogs",
+      "optionKey": "opencodeZenApiKey",
+      "cliFlag": "--opencode-zen-api-key",
+      "cliOption": "--opencode-zen-api-key <key>",
+      "cliDescription": "OpenCode API key (Zen catalog)"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/openrouter/index.ts b/extensions/openrouter/index.ts
index 92521cb3984..ec4afaa873c 100644
--- a/extensions/openrouter/index.ts
+++ b/extensions/openrouter/index.ts
@@ -16,6 +16,11 @@ import {
   createOpenRouterWrapper,
   isProxyReasoningUnsupported,
 } from "../../src/agents/pi-embedded-runner/proxy-stream-wrappers.js";
+import {
+  applyOpenrouterConfig,
+  OPENROUTER_DEFAULT_MODEL_REF,
+} from "../../src/commands/onboard-auth.js";
+import { createProviderApiKeyAuthMethod } from "../../src/plugins/provider-api-key-auth.js";
 
 const PROVIDER_ID = "openrouter";
 const OPENROUTER_BASE_URL = "https://openrouter.ai/api/v1";
@@ -85,7 +90,28 @@ const openRouterPlugin = {
       label: "OpenRouter",
       docsPath: "/providers/models",
       envVars: ["OPENROUTER_API_KEY"],
-      auth: [],
+      auth: [
+        createProviderApiKeyAuthMethod({
+          providerId: PROVIDER_ID,
+          methodId: "api-key",
+          label: "OpenRouter API key",
+          hint: "API key",
+          optionKey: "openrouterApiKey",
+          flagName: "--openrouter-api-key",
+          envVar: "OPENROUTER_API_KEY",
+          promptMessage: "Enter OpenRouter API key",
+          defaultModel: OPENROUTER_DEFAULT_MODEL_REF,
+          expectedProviders: ["openrouter"],
+          applyConfig: (cfg) => applyOpenrouterConfig(cfg),
+          wizard: {
+            choiceId: "openrouter-api-key",
+            choiceLabel: "OpenRouter API key",
+            groupId: "openrouter",
+            groupLabel: "OpenRouter",
+            groupHint: "API key",
+          },
+        }),
+      ],
       catalog: {
         order: "simple",
         run: async (ctx) => {
diff --git a/extensions/openrouter/openclaw.plugin.json b/extensions/openrouter/openclaw.plugin.json
index 84069b8129b..8151f24e677 100644
--- a/extensions/openrouter/openclaw.plugin.json
+++ b/extensions/openrouter/openclaw.plugin.json
@@ -4,6 +4,21 @@
   "providerAuthEnvVars": {
     "openrouter": ["OPENROUTER_API_KEY"]
   },
+  "providerAuthChoices": [
+    {
+      "provider": "openrouter",
+      "method": "api-key",
+      "choiceId": "openrouter-api-key",
+      "choiceLabel": "OpenRouter API key",
+      "groupId": "openrouter",
+      "groupLabel": "OpenRouter",
+      "groupHint": "API key",
+      "optionKey": "openrouterApiKey",
+      "cliFlag": "--openrouter-api-key",
+      "cliOption": "--openrouter-api-key <key>",
+      "cliDescription": "OpenRouter API key"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/qianfan/index.ts b/extensions/qianfan/index.ts
index 1da228d3772..88b5fee122d 100644
--- a/extensions/qianfan/index.ts
+++ b/extensions/qianfan/index.ts
@@ -1,5 +1,7 @@
 import { emptyPluginConfigSchema, type OpenClawPluginApi } from "openclaw/plugin-sdk/core";
 import { buildQianfanProvider } from "../../src/agents/models-config.providers.static.js";
+import { applyQianfanConfig, QIANFAN_DEFAULT_MODEL_REF } from "../../src/commands/onboard-auth.js";
+import { createProviderApiKeyAuthMethod } from "../../src/plugins/provider-api-key-auth.js";
 
 const PROVIDER_ID = "qianfan";
 
@@ -14,7 +16,28 @@ const qianfanPlugin = {
       label: "Qianfan",
       docsPath: "/providers/qianfan",
       envVars: ["QIANFAN_API_KEY"],
-      auth: [],
+      auth: [
+        createProviderApiKeyAuthMethod({
+          providerId: PROVIDER_ID,
+          methodId: "api-key",
+          label: "Qianfan API key",
+          hint: "API key",
+          optionKey: "qianfanApiKey",
+          flagName: "--qianfan-api-key",
+          envVar: "QIANFAN_API_KEY",
+          promptMessage: "Enter Qianfan API key",
+          defaultModel: QIANFAN_DEFAULT_MODEL_REF,
+          expectedProviders: ["qianfan"],
+          applyConfig: (cfg) => applyQianfanConfig(cfg),
+          wizard: {
+            choiceId: "qianfan-api-key",
+            choiceLabel: "Qianfan API key",
+            groupId: "qianfan",
+            groupLabel: "Qianfan",
+            groupHint: "API key",
+          },
+        }),
+      ],
       catalog: {
         order: "simple",
         run: async (ctx) => {
diff --git a/extensions/qianfan/openclaw.plugin.json b/extensions/qianfan/openclaw.plugin.json
index 5070b7a65b7..d2ac243e261 100644
--- a/extensions/qianfan/openclaw.plugin.json
+++ b/extensions/qianfan/openclaw.plugin.json
@@ -4,6 +4,21 @@
   "providerAuthEnvVars": {
     "qianfan": ["QIANFAN_API_KEY"]
   },
+  "providerAuthChoices": [
+    {
+      "provider": "qianfan",
+      "method": "api-key",
+      "choiceId": "qianfan-api-key",
+      "choiceLabel": "Qianfan API key",
+      "groupId": "qianfan",
+      "groupLabel": "Qianfan",
+      "groupHint": "API key",
+      "optionKey": "qianfanApiKey",
+      "cliFlag": "--qianfan-api-key",
+      "cliOption": "--qianfan-api-key <key>",
+      "cliDescription": "QIANFAN API key"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/qwen-portal-auth/openclaw.plugin.json b/extensions/qwen-portal-auth/openclaw.plugin.json
index 1f5a5deb0b5..5a6a8d555b7 100644
--- a/extensions/qwen-portal-auth/openclaw.plugin.json
+++ b/extensions/qwen-portal-auth/openclaw.plugin.json
@@ -4,6 +4,18 @@
   "providerAuthEnvVars": {
     "qwen-portal": ["QWEN_OAUTH_TOKEN", "QWEN_PORTAL_API_KEY"]
   },
+  "providerAuthChoices": [
+    {
+      "provider": "qwen-portal",
+      "method": "device",
+      "choiceId": "qwen-portal",
+      "choiceLabel": "Qwen OAuth",
+      "choiceHint": "Device code login",
+      "groupId": "qwen",
+      "groupLabel": "Qwen",
+      "groupHint": "OAuth"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/sglang/openclaw.plugin.json b/extensions/sglang/openclaw.plugin.json
index 8d5840c0fdf..d9f7f92eb52 100644
--- a/extensions/sglang/openclaw.plugin.json
+++ b/extensions/sglang/openclaw.plugin.json
@@ -4,6 +4,18 @@
   "providerAuthEnvVars": {
     "sglang": ["SGLANG_API_KEY"]
   },
+  "providerAuthChoices": [
+    {
+      "provider": "sglang",
+      "method": "custom",
+      "choiceId": "sglang",
+      "choiceLabel": "SGLang",
+      "choiceHint": "Fast self-hosted OpenAI-compatible server",
+      "groupId": "sglang",
+      "groupLabel": "SGLang",
+      "groupHint": "Fast self-hosted server"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/synthetic/index.ts b/extensions/synthetic/index.ts
index c22dcc11f8b..080245606da 100644
--- a/extensions/synthetic/index.ts
+++ b/extensions/synthetic/index.ts
@@ -1,5 +1,10 @@
 import { emptyPluginConfigSchema, type OpenClawPluginApi } from "openclaw/plugin-sdk/core";
 import { buildSyntheticProvider } from "../../src/agents/models-config.providers.static.js";
+import {
+  applySyntheticConfig,
+  SYNTHETIC_DEFAULT_MODEL_REF,
+} from "../../src/commands/onboard-auth.js";
+import { createProviderApiKeyAuthMethod } from "../../src/plugins/provider-api-key-auth.js";
 
 const PROVIDER_ID = "synthetic";
 
@@ -14,7 +19,28 @@ const syntheticPlugin = {
       label: "Synthetic",
       docsPath: "/providers/synthetic",
       envVars: ["SYNTHETIC_API_KEY"],
-      auth: [],
+      auth: [
+        createProviderApiKeyAuthMethod({
+          providerId: PROVIDER_ID,
+          methodId: "api-key",
+          label: "Synthetic API key",
+          hint: "Anthropic-compatible (multi-model)",
+          optionKey: "syntheticApiKey",
+          flagName: "--synthetic-api-key",
+          envVar: "SYNTHETIC_API_KEY",
+          promptMessage: "Enter Synthetic API key",
+          defaultModel: SYNTHETIC_DEFAULT_MODEL_REF,
+          expectedProviders: ["synthetic"],
+          applyConfig: (cfg) => applySyntheticConfig(cfg),
+          wizard: {
+            choiceId: "synthetic-api-key",
+            choiceLabel: "Synthetic API key",
+            groupId: "synthetic",
+            groupLabel: "Synthetic",
+            groupHint: "Anthropic-compatible (multi-model)",
+          },
+        }),
+      ],
       catalog: {
         order: "simple",
         run: async (ctx) => {
diff --git a/extensions/synthetic/openclaw.plugin.json b/extensions/synthetic/openclaw.plugin.json
index 54c12a19e4c..a0c519a72b2 100644
--- a/extensions/synthetic/openclaw.plugin.json
+++ b/extensions/synthetic/openclaw.plugin.json
@@ -4,6 +4,21 @@
   "providerAuthEnvVars": {
     "synthetic": ["SYNTHETIC_API_KEY"]
   },
+  "providerAuthChoices": [
+    {
+      "provider": "synthetic",
+      "method": "api-key",
+      "choiceId": "synthetic-api-key",
+      "choiceLabel": "Synthetic API key",
+      "groupId": "synthetic",
+      "groupLabel": "Synthetic",
+      "groupHint": "Anthropic-compatible (multi-model)",
+      "optionKey": "syntheticApiKey",
+      "cliFlag": "--synthetic-api-key",
+      "cliOption": "--synthetic-api-key <key>",
+      "cliDescription": "Synthetic API key"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/together/index.ts b/extensions/together/index.ts
index 5b1f6ced62f..7408fbea140 100644
--- a/extensions/together/index.ts
+++ b/extensions/together/index.ts
@@ -1,5 +1,10 @@
 import { emptyPluginConfigSchema, type OpenClawPluginApi } from "openclaw/plugin-sdk/core";
 import { buildTogetherProvider } from "../../src/agents/models-config.providers.static.js";
+import {
+  applyTogetherConfig,
+  TOGETHER_DEFAULT_MODEL_REF,
+} from "../../src/commands/onboard-auth.js";
+import { createProviderApiKeyAuthMethod } from "../../src/plugins/provider-api-key-auth.js";
 
 const PROVIDER_ID = "together";
 
@@ -14,7 +19,28 @@ const togetherPlugin = {
       label: "Together",
       docsPath: "/providers/together",
       envVars: ["TOGETHER_API_KEY"],
-      auth: [],
+      auth: [
+        createProviderApiKeyAuthMethod({
+          providerId: PROVIDER_ID,
+          methodId: "api-key",
+          label: "Together AI API key",
+          hint: "API key",
+          optionKey: "togetherApiKey",
+          flagName: "--together-api-key",
+          envVar: "TOGETHER_API_KEY",
+          promptMessage: "Enter Together AI API key",
+          defaultModel: TOGETHER_DEFAULT_MODEL_REF,
+          expectedProviders: ["together"],
+          applyConfig: (cfg) => applyTogetherConfig(cfg),
+          wizard: {
+            choiceId: "together-api-key",
+            choiceLabel: "Together AI API key",
+            groupId: "together",
+            groupLabel: "Together AI",
+            groupHint: "API key",
+          },
+        }),
+      ],
       catalog: {
         order: "simple",
         run: async (ctx) => {
diff --git a/extensions/together/openclaw.plugin.json b/extensions/together/openclaw.plugin.json
index ea3ae237fa2..f185492aa54 100644
--- a/extensions/together/openclaw.plugin.json
+++ b/extensions/together/openclaw.plugin.json
@@ -4,6 +4,21 @@
   "providerAuthEnvVars": {
     "together": ["TOGETHER_API_KEY"]
   },
+  "providerAuthChoices": [
+    {
+      "provider": "together",
+      "method": "api-key",
+      "choiceId": "together-api-key",
+      "choiceLabel": "Together AI API key",
+      "groupId": "together",
+      "groupLabel": "Together AI",
+      "groupHint": "API key",
+      "optionKey": "togetherApiKey",
+      "cliFlag": "--together-api-key",
+      "cliOption": "--together-api-key <key>",
+      "cliDescription": "Together AI API key"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/venice/index.ts b/extensions/venice/index.ts
index 75cd6adbaf1..12714fc2666 100644
--- a/extensions/venice/index.ts
+++ b/extensions/venice/index.ts
@@ -1,5 +1,7 @@
 import { emptyPluginConfigSchema, type OpenClawPluginApi } from "openclaw/plugin-sdk/core";
 import { buildVeniceProvider } from "../../src/agents/models-config.providers.discovery.js";
+import { applyVeniceConfig, VENICE_DEFAULT_MODEL_REF } from "../../src/commands/onboard-auth.js";
+import { createProviderApiKeyAuthMethod } from "../../src/plugins/provider-api-key-auth.js";
 
 const PROVIDER_ID = "venice";
 
@@ -14,7 +16,34 @@ const venicePlugin = {
       label: "Venice",
       docsPath: "/providers/venice",
       envVars: ["VENICE_API_KEY"],
-      auth: [],
+      auth: [
+        createProviderApiKeyAuthMethod({
+          providerId: PROVIDER_ID,
+          methodId: "api-key",
+          label: "Venice AI API key",
+          hint: "Privacy-focused (uncensored models)",
+          optionKey: "veniceApiKey",
+          flagName: "--venice-api-key",
+          envVar: "VENICE_API_KEY",
+          promptMessage: "Enter Venice AI API key",
+          defaultModel: VENICE_DEFAULT_MODEL_REF,
+          expectedProviders: ["venice"],
+          applyConfig: (cfg) => applyVeniceConfig(cfg),
+          noteMessage: [
+            "Venice AI provides privacy-focused inference with uncensored models.",
+            "Get your API key at: https://venice.ai/settings/api",
+            "Supports 'private' (fully private) and 'anonymized' (proxy) modes.",
+          ].join("\n"),
+          noteTitle: "Venice AI",
+          wizard: {
+            choiceId: "venice-api-key",
+            choiceLabel: "Venice AI API key",
+            groupId: "venice",
+            groupLabel: "Venice AI",
+            groupHint: "Privacy-focused (uncensored models)",
+          },
+        }),
+      ],
       catalog: {
         order: "simple",
         run: async (ctx) => {
diff --git a/extensions/venice/openclaw.plugin.json b/extensions/venice/openclaw.plugin.json
index a84a0e7b669..6667907b5e4 100644
--- a/extensions/venice/openclaw.plugin.json
+++ b/extensions/venice/openclaw.plugin.json
@@ -4,6 +4,21 @@
   "providerAuthEnvVars": {
     "venice": ["VENICE_API_KEY"]
   },
+  "providerAuthChoices": [
+    {
+      "provider": "venice",
+      "method": "api-key",
+      "choiceId": "venice-api-key",
+      "choiceLabel": "Venice AI API key",
+      "groupId": "venice",
+      "groupLabel": "Venice AI",
+      "groupHint": "Privacy-focused (uncensored models)",
+      "optionKey": "veniceApiKey",
+      "cliFlag": "--venice-api-key",
+      "cliOption": "--venice-api-key <key>",
+      "cliDescription": "Venice API key"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/vercel-ai-gateway/index.ts b/extensions/vercel-ai-gateway/index.ts
index c3098130f3e..a656cf400a7 100644
--- a/extensions/vercel-ai-gateway/index.ts
+++ b/extensions/vercel-ai-gateway/index.ts
@@ -1,5 +1,10 @@
 import { emptyPluginConfigSchema, type OpenClawPluginApi } from "openclaw/plugin-sdk/core";
 import { buildVercelAiGatewayProvider } from "../../src/agents/models-config.providers.discovery.js";
+import {
+  applyVercelAiGatewayConfig,
+  VERCEL_AI_GATEWAY_DEFAULT_MODEL_REF,
+} from "../../src/commands/onboard-auth.js";
+import { createProviderApiKeyAuthMethod } from "../../src/plugins/provider-api-key-auth.js";
 
 const PROVIDER_ID = "vercel-ai-gateway";
 
@@ -14,7 +19,28 @@ const vercelAiGatewayPlugin = {
       label: "Vercel AI Gateway",
       docsPath: "/providers/vercel-ai-gateway",
       envVars: ["AI_GATEWAY_API_KEY"],
-      auth: [],
+      auth: [
+        createProviderApiKeyAuthMethod({
+          providerId: PROVIDER_ID,
+          methodId: "api-key",
+          label: "Vercel AI Gateway API key",
+          hint: "API key",
+          optionKey: "aiGatewayApiKey",
+          flagName: "--ai-gateway-api-key",
+          envVar: "AI_GATEWAY_API_KEY",
+          promptMessage: "Enter Vercel AI Gateway API key",
+          defaultModel: VERCEL_AI_GATEWAY_DEFAULT_MODEL_REF,
+          expectedProviders: ["vercel-ai-gateway"],
+          applyConfig: (cfg) => applyVercelAiGatewayConfig(cfg),
+          wizard: {
+            choiceId: "ai-gateway-api-key",
+            choiceLabel: "Vercel AI Gateway API key",
+            groupId: "ai-gateway",
+            groupLabel: "Vercel AI Gateway",
+            groupHint: "API key",
+          },
+        }),
+      ],
       catalog: {
         order: "simple",
         run: async (ctx) => {
diff --git a/extensions/vercel-ai-gateway/openclaw.plugin.json b/extensions/vercel-ai-gateway/openclaw.plugin.json
index 47037724c36..e86c3943c9a 100644
--- a/extensions/vercel-ai-gateway/openclaw.plugin.json
+++ b/extensions/vercel-ai-gateway/openclaw.plugin.json
@@ -4,6 +4,21 @@
   "providerAuthEnvVars": {
     "vercel-ai-gateway": ["AI_GATEWAY_API_KEY"]
   },
+  "providerAuthChoices": [
+    {
+      "provider": "vercel-ai-gateway",
+      "method": "api-key",
+      "choiceId": "ai-gateway-api-key",
+      "choiceLabel": "Vercel AI Gateway API key",
+      "groupId": "ai-gateway",
+      "groupLabel": "Vercel AI Gateway",
+      "groupHint": "API key",
+      "optionKey": "aiGatewayApiKey",
+      "cliFlag": "--ai-gateway-api-key",
+      "cliOption": "--ai-gateway-api-key <key>",
+      "cliDescription": "Vercel AI Gateway API key"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/vllm/openclaw.plugin.json b/extensions/vllm/openclaw.plugin.json
index 6ab01cb5e89..bc3ad68c407 100644
--- a/extensions/vllm/openclaw.plugin.json
+++ b/extensions/vllm/openclaw.plugin.json
@@ -4,6 +4,18 @@
   "providerAuthEnvVars": {
     "vllm": ["VLLM_API_KEY"]
   },
+  "providerAuthChoices": [
+    {
+      "provider": "vllm",
+      "method": "custom",
+      "choiceId": "vllm",
+      "choiceLabel": "vLLM",
+      "choiceHint": "Local/self-hosted OpenAI-compatible server",
+      "groupId": "vllm",
+      "groupLabel": "vLLM",
+      "groupHint": "Local/self-hosted OpenAI-compatible"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/volcengine/index.ts b/extensions/volcengine/index.ts
index 7d907b5f53e..2e6063365df 100644
--- a/extensions/volcengine/index.ts
+++ b/extensions/volcengine/index.ts
@@ -3,8 +3,11 @@ import {
   buildDoubaoCodingProvider,
   buildDoubaoProvider,
 } from "../../src/agents/models-config.providers.static.js";
+import { ensureModelAllowlistEntry } from "../../src/commands/model-allowlist.js";
+import { createProviderApiKeyAuthMethod } from "../../src/plugins/provider-api-key-auth.js";
 
 const PROVIDER_ID = "volcengine";
+const VOLCENGINE_DEFAULT_MODEL_REF = "volcengine-plan/ark-code-latest";
 
 const volcenginePlugin = {
   id: PROVIDER_ID,
@@ -17,7 +20,32 @@ const volcenginePlugin = {
       label: "Volcengine",
       docsPath: "/concepts/model-providers#volcano-engine-doubao",
       envVars: ["VOLCANO_ENGINE_API_KEY"],
-      auth: [],
+      auth: [
+        createProviderApiKeyAuthMethod({
+          providerId: PROVIDER_ID,
+          methodId: "api-key",
+          label: "Volcano Engine API key",
+          hint: "API key",
+          optionKey: "volcengineApiKey",
+          flagName: "--volcengine-api-key",
+          envVar: "VOLCANO_ENGINE_API_KEY",
+          promptMessage: "Enter Volcano Engine API key",
+          defaultModel: VOLCENGINE_DEFAULT_MODEL_REF,
+          expectedProviders: ["volcengine"],
+          applyConfig: (cfg) =>
+            ensureModelAllowlistEntry({
+              cfg,
+              modelRef: VOLCENGINE_DEFAULT_MODEL_REF,
+            }),
+          wizard: {
+            choiceId: "volcengine-api-key",
+            choiceLabel: "Volcano Engine API key",
+            groupId: "volcengine",
+            groupLabel: "Volcano Engine",
+            groupHint: "API key",
+          },
+        }),
+      ],
       catalog: {
         order: "paired",
         run: async (ctx) => {
diff --git a/extensions/volcengine/openclaw.plugin.json b/extensions/volcengine/openclaw.plugin.json
index 2b5e54ff013..4fd6d192281 100644
--- a/extensions/volcengine/openclaw.plugin.json
+++ b/extensions/volcengine/openclaw.plugin.json
@@ -4,6 +4,21 @@
   "providerAuthEnvVars": {
     "volcengine": ["VOLCANO_ENGINE_API_KEY"]
   },
+  "providerAuthChoices": [
+    {
+      "provider": "volcengine",
+      "method": "api-key",
+      "choiceId": "volcengine-api-key",
+      "choiceLabel": "Volcano Engine API key",
+      "groupId": "volcengine",
+      "groupLabel": "Volcano Engine",
+      "groupHint": "API key",
+      "optionKey": "volcengineApiKey",
+      "cliFlag": "--volcengine-api-key",
+      "cliOption": "--volcengine-api-key <key>",
+      "cliDescription": "Volcano Engine API key"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/xai/index.ts b/extensions/xai/index.ts
index f2ef8b30605..98731023653 100644
--- a/extensions/xai/index.ts
+++ b/extensions/xai/index.ts
@@ -4,9 +4,12 @@ import {
   getScopedCredentialValue,
   setScopedCredentialValue,
 } from "../../src/agents/tools/web-search-plugin-factory.js";
+import { applyXaiConfig, XAI_DEFAULT_MODEL_REF } from "../../src/commands/onboard-auth.js";
 import { emptyPluginConfigSchema } from "../../src/plugins/config-schema.js";
+import { createProviderApiKeyAuthMethod } from "../../src/plugins/provider-api-key-auth.js";
 import type { OpenClawPluginApi } from "../../src/plugins/types.js";
 
+const PROVIDER_ID = "xai";
 const XAI_MODERN_MODEL_PREFIXES = ["grok-4"] as const;
 
 function matchesModernXaiModel(modelId: string): boolean {
@@ -21,11 +24,32 @@ const xaiPlugin = {
   configSchema: emptyPluginConfigSchema(),
   register(api: OpenClawPluginApi) {
     api.registerProvider({
-      id: "xai",
+      id: PROVIDER_ID,
       label: "xAI",
       docsPath: "/providers/models",
       envVars: ["XAI_API_KEY"],
-      auth: [],
+      auth: [
+        createProviderApiKeyAuthMethod({
+          providerId: PROVIDER_ID,
+          methodId: "api-key",
+          label: "xAI API key",
+          hint: "API key",
+          optionKey: "xaiApiKey",
+          flagName: "--xai-api-key",
+          envVar: "XAI_API_KEY",
+          promptMessage: "Enter xAI API key",
+          defaultModel: XAI_DEFAULT_MODEL_REF,
+          expectedProviders: ["xai"],
+          applyConfig: (cfg) => applyXaiConfig(cfg),
+          wizard: {
+            choiceId: "xai-api-key",
+            choiceLabel: "xAI API key",
+            groupId: "xai",
+            groupLabel: "xAI (Grok)",
+            groupHint: "API key",
+          },
+        }),
+      ],
       isModernModelRef: ({ provider, modelId }) =>
         normalizeProviderId(provider) === "xai" ? matchesModernXaiModel(modelId) : undefined,
     });
diff --git a/extensions/xai/openclaw.plugin.json b/extensions/xai/openclaw.plugin.json
index eca25c99403..8cb2d8f5cfc 100644
--- a/extensions/xai/openclaw.plugin.json
+++ b/extensions/xai/openclaw.plugin.json
@@ -4,6 +4,21 @@
   "providerAuthEnvVars": {
     "xai": ["XAI_API_KEY"]
   },
+  "providerAuthChoices": [
+    {
+      "provider": "xai",
+      "method": "api-key",
+      "choiceId": "xai-api-key",
+      "choiceLabel": "xAI API key",
+      "groupId": "xai",
+      "groupLabel": "xAI (Grok)",
+      "groupHint": "API key",
+      "optionKey": "xaiApiKey",
+      "cliFlag": "--xai-api-key",
+      "cliOption": "--xai-api-key <key>",
+      "cliDescription": "xAI API key"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/xiaomi/index.ts b/extensions/xiaomi/index.ts
index 37d7d799691..4987b18c8fd 100644
--- a/extensions/xiaomi/index.ts
+++ b/extensions/xiaomi/index.ts
@@ -1,6 +1,8 @@
 import { emptyPluginConfigSchema, type OpenClawPluginApi } from "openclaw/plugin-sdk/core";
 import { buildXiaomiProvider } from "../../src/agents/models-config.providers.static.js";
+import { applyXiaomiConfig, XIAOMI_DEFAULT_MODEL_REF } from "../../src/commands/onboard-auth.js";
 import { PROVIDER_LABELS } from "../../src/infra/provider-usage.shared.js";
+import { createProviderApiKeyAuthMethod } from "../../src/plugins/provider-api-key-auth.js";
 
 const PROVIDER_ID = "xiaomi";
 
@@ -15,7 +17,28 @@ const xiaomiPlugin = {
       label: "Xiaomi",
       docsPath: "/providers/xiaomi",
       envVars: ["XIAOMI_API_KEY"],
-      auth: [],
+      auth: [
+        createProviderApiKeyAuthMethod({
+          providerId: PROVIDER_ID,
+          methodId: "api-key",
+          label: "Xiaomi API key",
+          hint: "API key",
+          optionKey: "xiaomiApiKey",
+          flagName: "--xiaomi-api-key",
+          envVar: "XIAOMI_API_KEY",
+          promptMessage: "Enter Xiaomi API key",
+          defaultModel: XIAOMI_DEFAULT_MODEL_REF,
+          expectedProviders: ["xiaomi"],
+          applyConfig: (cfg) => applyXiaomiConfig(cfg),
+          wizard: {
+            choiceId: "xiaomi-api-key",
+            choiceLabel: "Xiaomi API key",
+            groupId: "xiaomi",
+            groupLabel: "Xiaomi",
+            groupHint: "API key",
+          },
+        }),
+      ],
       catalog: {
         order: "simple",
         run: async (ctx) => {
diff --git a/extensions/xiaomi/openclaw.plugin.json b/extensions/xiaomi/openclaw.plugin.json
index 4f0c03c280f..61bec4e1473 100644
--- a/extensions/xiaomi/openclaw.plugin.json
+++ b/extensions/xiaomi/openclaw.plugin.json
@@ -4,6 +4,21 @@
   "providerAuthEnvVars": {
     "xiaomi": ["XIAOMI_API_KEY"]
   },
+  "providerAuthChoices": [
+    {
+      "provider": "xiaomi",
+      "method": "api-key",
+      "choiceId": "xiaomi-api-key",
+      "choiceLabel": "Xiaomi API key",
+      "groupId": "xiaomi",
+      "groupLabel": "Xiaomi",
+      "groupHint": "API key",
+      "optionKey": "xiaomiApiKey",
+      "cliFlag": "--xiaomi-api-key",
+      "cliOption": "--xiaomi-api-key <key>",
+      "cliDescription": "Xiaomi API key"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/extensions/zai/index.ts b/extensions/zai/index.ts
index f4fd60ad5c3..d6a1561167d 100644
--- a/extensions/zai/index.ts
+++ b/extensions/zai/index.ts
@@ -4,18 +4,38 @@ import path from "node:path";
 import {
   emptyPluginConfigSchema,
   type OpenClawPluginApi,
+  type ProviderAuthContext,
+  type ProviderAuthMethod,
+  type ProviderAuthMethodNonInteractiveContext,
   type ProviderResolveDynamicModelContext,
   type ProviderRuntimeModel,
 } from "openclaw/plugin-sdk/core";
+import { upsertAuthProfile } from "../../src/agents/auth-profiles.js";
 import { DEFAULT_CONTEXT_TOKENS } from "../../src/agents/defaults.js";
 import { normalizeModelCompat } from "../../src/agents/model-compat.js";
 import { createZaiToolStreamWrapper } from "../../src/agents/pi-embedded-runner/zai-stream-wrappers.js";
+import {
+  normalizeApiKeyInput,
+  validateApiKeyInput,
+} from "../../src/commands/auth-choice.api-key.js";
+import { ensureApiKeyFromOptionEnvOrPrompt } from "../../src/commands/auth-choice.apply-helpers.js";
+import { buildApiKeyCredential } from "../../src/commands/onboard-auth.credentials.js";
+import {
+  applyAuthProfileConfig,
+  applyZaiConfig,
+  applyZaiProviderConfig,
+  ZAI_DEFAULT_MODEL_REF,
+} from "../../src/commands/onboard-auth.js";
+import { detectZaiEndpoint, type ZaiEndpointId } from "../../src/commands/zai-endpoint-detect.js";
+import type { SecretInput } from "../../src/config/types.secrets.js";
 import { resolveRequiredHomeDir } from "../../src/infra/home-dir.js";
 import { fetchZaiUsage } from "../../src/infra/provider-usage.fetch.js";
+import { normalizeOptionalSecretInput } from "../../src/utils/normalize-secret-input.js";
 
 const PROVIDER_ID = "zai";
 const GLM5_MODEL_ID = "glm-5";
 const GLM5_TEMPLATE_MODEL_ID = "glm-4.7";
+const PROFILE_ID = "zai:default";
 
 function resolveGlm5ForwardCompatModel(
   ctx: ProviderResolveDynamicModelContext,
@@ -73,6 +93,144 @@ function resolveLegacyZaiUsageToken(env: NodeJS.ProcessEnv): string | undefined
   }
 }
 
+function resolveZaiDefaultModel(modelIdOverride?: string): string {
+  return modelIdOverride ? `zai/${modelIdOverride}` : ZAI_DEFAULT_MODEL_REF;
+}
+
+async function runZaiApiKeyAuth(
+  ctx: ProviderAuthContext,
+  endpoint?: ZaiEndpointId,
+): Promise<{
+  profiles: Array<{ profileId: string; credential: ReturnType<typeof buildApiKeyCredential> }>;
+  configPatch: ReturnType<typeof applyZaiProviderConfig>;
+  defaultModel: string;
+  notes?: string[];
+}> {
+  let capturedSecretInput: SecretInput | undefined;
+  let capturedCredential = false;
+  let capturedMode: "plaintext" | "ref" | undefined;
+  const apiKey = await ensureApiKeyFromOptionEnvOrPrompt({
+    token:
+      normalizeOptionalSecretInput(ctx.opts?.zaiApiKey) ??
+      normalizeOptionalSecretInput(ctx.opts?.token),
+    tokenProvider: normalizeOptionalSecretInput(ctx.opts?.zaiApiKey)
+      ? PROVIDER_ID
+      : normalizeOptionalSecretInput(ctx.opts?.tokenProvider),
+    secretInputMode: ctx.secretInputMode,
+    config: ctx.config,
+    expectedProviders: [PROVIDER_ID, "z-ai"],
+    provider: PROVIDER_ID,
+    envLabel: "ZAI_API_KEY",
+    promptMessage: "Enter Z.AI API key",
+    normalize: normalizeApiKeyInput,
+    validate: validateApiKeyInput,
+    prompter: ctx.prompter,
+    setCredential: async (key, mode) => {
+      capturedSecretInput = key;
+      capturedCredential = true;
+      capturedMode = mode;
+    },
+  });
+  if (!capturedCredential) {
+    throw new Error("Missing Z.AI API key.");
+  }
+  const credentialInput = capturedSecretInput ?? "";
+
+  const detected = await detectZaiEndpoint({ apiKey, ...(endpoint ? { endpoint } : {}) });
+  const modelIdOverride = detected?.modelId;
+  const nextEndpoint = detected?.endpoint ?? endpoint;
+  return {
+    profiles: [
+      {
+        profileId: PROFILE_ID,
+        credential: buildApiKeyCredential(
+          PROVIDER_ID,
+          credentialInput,
+          undefined,
+          capturedMode ? { secretInputMode: capturedMode } : undefined,
+        ),
+      },
+    ],
+    configPatch: applyZaiProviderConfig(ctx.config, {
+      ...(nextEndpoint ? { endpoint: nextEndpoint } : {}),
+      ...(modelIdOverride ? { modelId: modelIdOverride } : {}),
+    }),
+    defaultModel: resolveZaiDefaultModel(modelIdOverride),
+    ...(detected?.note ? { notes: [detected.note] } : {}),
+  };
+}
+
+async function runZaiApiKeyAuthNonInteractive(
+  ctx: ProviderAuthMethodNonInteractiveContext,
+  endpoint?: ZaiEndpointId,
+) {
+  const resolved = await ctx.resolveApiKey({
+    provider: PROVIDER_ID,
+    flagValue: normalizeOptionalSecretInput(ctx.opts.zaiApiKey),
+    flagName: "--zai-api-key",
+    envVar: "ZAI_API_KEY",
+  });
+  if (!resolved) {
+    return null;
+  }
+  const detected = await detectZaiEndpoint({
+    apiKey: resolved.key,
+    ...(endpoint ? { endpoint } : {}),
+  });
+  const modelIdOverride = detected?.modelId;
+  const nextEndpoint = detected?.endpoint ?? endpoint;
+
+  if (resolved.source !== "profile") {
+    const credential = ctx.toApiKeyCredential({
+      provider: PROVIDER_ID,
+      resolved,
+    });
+    if (!credential) {
+      return null;
+    }
+    upsertAuthProfile({
+      profileId: PROFILE_ID,
+      credential,
+      agentDir: ctx.agentDir,
+    });
+  }
+
+  const next = applyAuthProfileConfig(ctx.config, {
+    profileId: PROFILE_ID,
+    provider: PROVIDER_ID,
+    mode: "api_key",
+  });
+  return applyZaiConfig(next, {
+    ...(nextEndpoint ? { endpoint: nextEndpoint } : {}),
+    ...(modelIdOverride ? { modelId: modelIdOverride } : {}),
+  });
+}
+
+function buildZaiApiKeyMethod(params: {
+  id: string;
+  choiceId: string;
+  choiceLabel: string;
+  choiceHint?: string;
+  endpoint?: ZaiEndpointId;
+}): ProviderAuthMethod {
+  return {
+    id: params.id,
+    label: params.choiceLabel,
+    hint: params.choiceHint,
+    kind: "api_key",
+    wizard: {
+      choiceId: params.choiceId,
+      choiceLabel: params.choiceLabel,
+      ...(params.choiceHint ? { choiceHint: params.choiceHint } : {}),
+      groupId: "zai",
+      groupLabel: "Z.AI",
+      groupHint: "GLM Coding Plan / Global / CN",
+    },
+    run: async (ctx) => await runZaiApiKeyAuth(ctx, params.endpoint),
+    runNonInteractive: async (ctx) => await runZaiApiKeyAuthNonInteractive(ctx, params.endpoint),
+  };
+}
+
 const zaiPlugin = {
   id: PROVIDER_ID,
   name: "Z.AI Provider",
@@ -85,7 +243,41 @@ const zaiPlugin = {
       aliases: ["z-ai", "z.ai"],
       docsPath: "/providers/models",
       envVars: ["ZAI_API_KEY", "Z_AI_API_KEY"],
-      auth: [],
+      auth: [
+        buildZaiApiKeyMethod({
+          id: "api-key",
+          choiceId: "zai-api-key",
+          choiceLabel: "Z.AI API key",
+        }),
+        buildZaiApiKeyMethod({
+          id: "coding-global",
+          choiceId: "zai-coding-global",
+          choiceLabel: "Coding-Plan-Global",
+          choiceHint: "GLM Coding Plan Global (api.z.ai)",
+          endpoint: "coding-global",
+        }),
+        buildZaiApiKeyMethod({
+          id: "coding-cn",
+          choiceId: "zai-coding-cn",
+          choiceLabel: "Coding-Plan-CN",
+          choiceHint: "GLM Coding Plan CN (open.bigmodel.cn)",
+          endpoint: "coding-cn",
+        }),
+        buildZaiApiKeyMethod({
+          id: "global",
+          choiceId: "zai-global",
+          choiceLabel: "Global",
+          choiceHint: "Z.AI Global (api.z.ai)",
+          endpoint: "global",
+        }),
+        buildZaiApiKeyMethod({
+          id: "cn",
+          choiceId: "zai-cn",
+          choiceLabel: "CN",
+          choiceHint: "Z.AI CN (open.bigmodel.cn)",
+          endpoint: "cn",
+        }),
+      ],
       resolveDynamicModel: (ctx) => resolveGlm5ForwardCompatModel(ctx),
       prepareExtraParams: (ctx) => {
         if (ctx.extraParams?.tool_stream !== undefined) {
diff --git a/extensions/zai/openclaw.plugin.json b/extensions/zai/openclaw.plugin.json
index c5985d748b0..2a7e1c8b40a 100644
--- a/extensions/zai/openclaw.plugin.json
+++ b/extensions/zai/openclaw.plugin.json
@@ -4,6 +4,77 @@
   "providerAuthEnvVars": {
     "zai": ["ZAI_API_KEY", "Z_AI_API_KEY"]
   },
+  "providerAuthChoices": [
+    {
+      "provider": "zai",
+      "method": "api-key",
+      "choiceId": "zai-api-key",
+      "choiceLabel": "Z.AI API key",
+      "groupId": "zai",
+      "groupLabel": "Z.AI",
+      "groupHint": "GLM Coding Plan / Global / CN",
+      "optionKey": "zaiApiKey",
+      "cliFlag": "--zai-api-key",
+      "cliOption": "--zai-api-key <key>",
+      "cliDescription": "Z.AI API key"
+    },
+    {
+      "provider": "zai",
+      "method": "coding-global",
+      "choiceId": "zai-coding-global",
+      "choiceLabel": "Coding-Plan-Global",
+      "choiceHint": "GLM Coding Plan Global (api.z.ai)",
+      "groupId": "zai",
+      "groupLabel": "Z.AI",
+      "groupHint": "GLM Coding Plan / Global / CN",
+      "optionKey": "zaiApiKey",
+      "cliFlag": "--zai-api-key",
+      "cliOption": "--zai-api-key <key>",
+      "cliDescription": "Z.AI API key"
+    },
+    {
+      "provider": "zai",
+      "method": "coding-cn",
+      "choiceId": "zai-coding-cn",
+      "choiceLabel": "Coding-Plan-CN",
+      "choiceHint": "GLM Coding Plan CN (open.bigmodel.cn)",
+      "groupId": "zai",
+      "groupLabel": "Z.AI",
+      "groupHint": "GLM Coding Plan / Global / CN",
+      "optionKey": "zaiApiKey",
+      "cliFlag": "--zai-api-key",
+      "cliOption": "--zai-api-key <key>",
+      "cliDescription": "Z.AI API key"
+    },
+    {
+      "provider": "zai",
+      "method": "global",
+      "choiceId": "zai-global",
+      "choiceLabel": "Global",
+      "choiceHint": "Z.AI Global (api.z.ai)",
+      "groupId": "zai",
+      "groupLabel": "Z.AI",
+      "groupHint": "GLM Coding Plan / Global / CN",
+      "optionKey": "zaiApiKey",
+      "cliFlag": "--zai-api-key",
+      "cliOption": "--zai-api-key <key>",
+      "cliDescription": "Z.AI API key"
+    },
+    {
+      "provider": "zai",
+      "method": "cn",
+      "choiceId": "zai-cn",
+      "choiceLabel": "CN",
+      "choiceHint": "Z.AI CN (open.bigmodel.cn)",
+      "groupId": "zai",
+      "groupLabel": "Z.AI",
+      "groupHint": "GLM Coding Plan / Global / CN",
+      "optionKey": "zaiApiKey",
+      "cliFlag": "--zai-api-key",
+      "cliOption": "--zai-api-key <key>",
+      "cliDescription": "Z.AI API key"
+    }
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
diff --git a/src/cli/program/register.onboard.test.ts b/src/cli/program/register.onboard.test.ts
index def5f28d12c..5b005512bfd 100644
--- a/src/cli/program/register.onboard.test.ts
+++ b/src/cli/program/register.onboard.test.ts
@@ -13,13 +13,28 @@ vi.mock("../../commands/auth-choice-options.static.js", () => ({
   formatStaticAuthChoiceChoicesForCli: () => "token|oauth",
 }));
 
-vi.mock("../../commands/onboard-provider-auth-flags.js", () => ({
-  ONBOARD_PROVIDER_AUTH_FLAGS: [
+vi.mock("../../commands/auth-choice-options.js", () => ({
+  formatAuthChoiceChoicesForCli: () => "token|oauth|openai-api-key",
+}));
+
+vi.mock("../../commands/onboard-core-auth-flags.js", () => ({
+  CORE_ONBOARD_AUTH_FLAGS: [
     {
       cliOption: "--mistral-api-key <key>",
       description: "Mistral API key",
+      optionKey: "mistralApiKey",
     },
-  ] as Array<{ cliOption: string; description: string }>,
+  ] as Array<{ cliOption: string; description: string; optionKey: string }>,
+}));
+
+vi.mock("../../plugins/provider-auth-choices.js", () => ({
+  resolveManifestProviderOnboardAuthFlags: () => [
+    {
+      cliOption: "--openai-api-key <key>",
+      description: "OpenAI API key",
+      optionKey: "openaiApiKey",
+    },
+  ],
 }));
 
 vi.mock("../../commands/onboard.js", () => ({
diff --git a/src/cli/program/register.onboard.ts b/src/cli/program/register.onboard.ts
index 914732e4079..0cd2828553b 100644
--- a/src/cli/program/register.onboard.ts
+++ b/src/cli/program/register.onboard.ts
@@ -1,7 +1,7 @@
 import type { Command } from "commander";
-import { formatStaticAuthChoiceChoicesForCli } from "../../commands/auth-choice-options.static.js";
+import { formatAuthChoiceChoicesForCli } from "../../commands/auth-choice-options.js";
 import type { GatewayDaemonRuntime } from "../../commands/daemon-runtime.js";
-import { ONBOARD_PROVIDER_AUTH_FLAGS } from "../../commands/onboard-provider-auth-flags.js";
+import { CORE_ONBOARD_AUTH_FLAGS } from "../../commands/onboard-core-auth-flags.js";
 import type {
   AuthChoice,
   GatewayAuthChoice,
@@ -12,6 +12,7 @@ import type {
   TailscaleMode,
 } from "../../commands/onboard-types.js";
 import { setupWizardCommand } from "../../commands/onboard.js";
+import { resolveManifestProviderOnboardAuthFlags } from "../../plugins/provider-auth-choices.js";
 import { defaultRuntime } from "../../runtime.js";
 import { formatDocsLink } from "../../terminal/links.js";
 import { theme } from "../../terminal/theme.js";
@@ -41,11 +42,24 @@ function resolveInstallDaemonFlag(
   return undefined;
 }
 
-const AUTH_CHOICE_HELP = formatStaticAuthChoiceChoicesForCli({
+const AUTH_CHOICE_HELP = formatAuthChoiceChoicesForCli({
   includeLegacyAliases: true,
   includeSkip: true,
 });
 
+const ONBOARD_AUTH_FLAGS = [
+  ...CORE_ONBOARD_AUTH_FLAGS,
+  ...resolveManifestProviderOnboardAuthFlags(),
+] as const;
+
+function pickOnboardProviderAuthOptionValues(
+  opts: Record<string, unknown>,
+): Partial<Record<string, string | undefined>> {
+  return Object.fromEntries(
+    ONBOARD_AUTH_FLAGS.map((flag) => [flag.optionKey, opts[flag.optionKey] as string | undefined]),
+  );
+}
+
 export function registerOnboardCommand(program: Command) {
   const command = program
     .command("onboard")
@@ -87,7 +101,7 @@ export function registerOnboardCommand(program: Command) {
     .option("--cloudflare-ai-gateway-account-id <id>", "Cloudflare Account ID")
     .option("--cloudflare-ai-gateway-gateway-id <id>", "Cloudflare AI Gateway ID");
 
-  for (const providerFlag of ONBOARD_PROVIDER_AUTH_FLAGS) {
+  for (const providerFlag of ONBOARD_AUTH_FLAGS) {
     command.option(providerFlag.cliOption, providerFlag.description);
   }
 
@@ -132,6 +146,9 @@ export function registerOnboardCommand(program: Command) {
       });
       const gatewayPort =
         typeof opts.gatewayPort === "string" ? Number.parseInt(opts.gatewayPort, 10) : undefined;
+      const providerAuthOptionValues = pickOnboardProviderAuthOptionValues(
+        opts as Record<string, unknown>,
+      );
       await setupWizardCommand(
         {
           workspace: opts.workspace as string | undefined,
@@ -145,34 +162,9 @@ export function registerOnboardCommand(program: Command) {
           tokenProfileId: opts.tokenProfileId as string | undefined,
           tokenExpiresIn: opts.tokenExpiresIn as string | undefined,
           secretInputMode: opts.secretInputMode as SecretInputMode | undefined,
-          anthropicApiKey: opts.anthropicApiKey as string | undefined,
-          openaiApiKey: opts.openaiApiKey as string | undefined,
-          mistralApiKey: opts.mistralApiKey as string | undefined,
-          openrouterApiKey: opts.openrouterApiKey as string | undefined,
-          kilocodeApiKey: opts.kilocodeApiKey as string | undefined,
-          aiGatewayApiKey: opts.aiGatewayApiKey as string | undefined,
+          ...providerAuthOptionValues,
           cloudflareAiGatewayAccountId: opts.cloudflareAiGatewayAccountId as string | undefined,
           cloudflareAiGatewayGatewayId: opts.cloudflareAiGatewayGatewayId as string | undefined,
-          cloudflareAiGatewayApiKey: opts.cloudflareAiGatewayApiKey as string | undefined,
-          moonshotApiKey: opts.moonshotApiKey as string | undefined,
-          kimiCodeApiKey: opts.kimiCodeApiKey as string | undefined,
-          geminiApiKey: opts.geminiApiKey as string | undefined,
-          zaiApiKey: opts.zaiApiKey as string | undefined,
-          xiaomiApiKey: opts.xiaomiApiKey as string | undefined,
-          qianfanApiKey: opts.qianfanApiKey as string | undefined,
-          modelstudioApiKeyCn: opts.modelstudioApiKeyCn as string | undefined,
-          modelstudioApiKey: opts.modelstudioApiKey as string | undefined,
-          minimaxApiKey: opts.minimaxApiKey as string | undefined,
-          syntheticApiKey: opts.syntheticApiKey as string | undefined,
-          veniceApiKey: opts.veniceApiKey as string | undefined,
-          togetherApiKey: opts.togetherApiKey as string | undefined,
-          huggingfaceApiKey: opts.huggingfaceApiKey as string | undefined,
-          opencodeZenApiKey: opts.opencodeZenApiKey as string | undefined,
-          opencodeGoApiKey: opts.opencodeGoApiKey as string | undefined,
-          xaiApiKey: opts.xaiApiKey as string | undefined,
-          litellmApiKey: opts.litellmApiKey as string | undefined,
-          volcengineApiKey: opts.volcengineApiKey as string | undefined,
-          byteplusApiKey: opts.byteplusApiKey as string | undefined,
           customBaseUrl: opts.customBaseUrl as string | undefined,
           customApiKey: opts.customApiKey as string | undefined,
           customModelId: opts.customModelId as string | undefined,
diff --git a/src/commands/auth-choice-options.static.ts b/src/commands/auth-choice-options.static.ts
index f42c208333f..2dd92e35cdf 100644
--- a/src/commands/auth-choice-options.static.ts
+++ b/src/commands/auth-choice-options.static.ts
@@ -1,5 +1,4 @@
 import { AUTH_CHOICE_LEGACY_ALIASES_FOR_CLI } from "./auth-choice-legacy.js";
-import { ONBOARD_PROVIDER_AUTH_FLAGS } from "./onboard-provider-auth-flags.js";
 import type { AuthChoice, AuthChoiceGroupId } from "./onboard-types.js";
 
 export type { AuthChoiceGroupId };
@@ -8,7 +7,11 @@ export type AuthChoiceOption = {
   value: AuthChoice;
   label: string;
   hint?: string;
+  groupId?: AuthChoiceGroupId;
+  groupLabel?: string;
+  groupHint?: string;
 };
+
 export type AuthChoiceGroup = {
   value: AuthChoiceGroupId;
   label: string;
@@ -16,310 +19,39 @@ export type AuthChoiceGroup = {
   options: AuthChoiceOption[];
 };
 
-export const AUTH_CHOICE_GROUP_DEFS: {
-  value: AuthChoiceGroupId;
-  label: string;
-  hint?: string;
-  choices: AuthChoice[];
-}[] = [
-  {
-    value: "openai",
-    label: "OpenAI",
-    hint: "Codex OAuth + API key",
-    choices: ["openai-codex", "openai-api-key"],
-  },
-  {
-    value: "anthropic",
-    label: "Anthropic",
-    hint: "setup-token + API key",
-    choices: ["token", "apiKey"],
-  },
+export const CORE_AUTH_CHOICE_OPTIONS: ReadonlyArray<AuthChoiceOption> = [
   {
     value: "chutes",
-    label: "Chutes",
-    hint: "OAuth",
-    choices: ["chutes"],
+    label: "Chutes (OAuth)",
+    groupId: "chutes",
+    groupLabel: "Chutes",
+    groupHint: "OAuth",
   },
   {
-    value: "minimax",
-    label: "MiniMax",
-    hint: "M2.5 (recommended)",
-    choices: ["minimax-global-oauth", "minimax-global-api", "minimax-cn-oauth", "minimax-cn-api"],
+    value: "litellm-api-key",
+    label: "LiteLLM API key",
+    hint: "Unified gateway for 100+ LLM providers",
+    groupId: "litellm",
+    groupLabel: "LiteLLM",
+    groupHint: "Unified LLM gateway (100+ providers)",
   },
   {
-    value: "moonshot",
-    label: "Moonshot AI (Kimi K2.5)",
-    hint: "Kimi K2.5 + Kimi Coding",
-    choices: ["moonshot-api-key", "moonshot-api-key-cn", "kimi-code-api-key"],
-  },
-  {
-    value: "google",
-    label: "Google",
-    hint: "Gemini API key + OAuth",
-    choices: ["gemini-api-key", "google-gemini-cli"],
-  },
-  {
-    value: "xai",
-    label: "xAI (Grok)",
-    hint: "API key",
-    choices: ["xai-api-key"],
-  },
-  {
-    value: "mistral",
-    label: "Mistral AI",
-    hint: "API key",
-    choices: ["mistral-api-key"],
-  },
-  {
-    value: "volcengine",
-    label: "Volcano Engine",
-    hint: "API key",
-    choices: ["volcengine-api-key"],
-  },
-  {
-    value: "byteplus",
-    label: "BytePlus",
-    hint: "API key",
-    choices: ["byteplus-api-key"],
-  },
-  {
-    value: "openrouter",
-    label: "OpenRouter",
-    hint: "API key",
-    choices: ["openrouter-api-key"],
-  },
-  {
-    value: "kilocode",
-    label: "Kilo Gateway",
-    hint: "API key (OpenRouter-compatible)",
-    choices: ["kilocode-api-key"],
-  },
-  {
-    value: "qwen",
-    label: "Qwen",
-    hint: "OAuth",
-    choices: ["qwen-portal"],
-  },
-  {
-    value: "zai",
-    label: "Z.AI",
-    hint: "GLM Coding Plan / Global / CN",
-    choices: ["zai-coding-global", "zai-coding-cn", "zai-global", "zai-cn"],
-  },
-  {
-    value: "qianfan",
-    label: "Qianfan",
-    hint: "API key",
-    choices: ["qianfan-api-key"],
-  },
-  {
-    value: "modelstudio",
-    label: "Alibaba Cloud Model Studio",
-    hint: "Coding Plan API key (CN / Global)",
-    choices: ["modelstudio-api-key-cn", "modelstudio-api-key"],
-  },
-  {
-    value: "copilot",
-    label: "Copilot",
-    hint: "GitHub + local proxy",
-    choices: ["github-copilot", "copilot-proxy"],
-  },
-  {
-    value: "ai-gateway",
-    label: "Vercel AI Gateway",
-    hint: "API key",
-    choices: ["ai-gateway-api-key"],
-  },
-  {
-    value: "opencode",
-    label: "OpenCode",
-    hint: "Shared API key for Zen + Go catalogs",
-    choices: ["opencode-zen", "opencode-go"],
-  },
-  {
-    value: "xiaomi",
-    label: "Xiaomi",
-    hint: "API key",
-    choices: ["xiaomi-api-key"],
-  },
-  {
-    value: "synthetic",
-    label: "Synthetic",
-    hint: "Anthropic-compatible (multi-model)",
-    choices: ["synthetic-api-key"],
-  },
-  {
-    value: "together",
-    label: "Together AI",
-    hint: "API key",
-    choices: ["together-api-key"],
-  },
-  {
-    value: "huggingface",
-    label: "Hugging Face",
-    hint: "Inference API (HF token)",
-    choices: ["huggingface-api-key"],
-  },
-  {
-    value: "venice",
-    label: "Venice AI",
-    hint: "Privacy-focused (uncensored models)",
-    choices: ["venice-api-key"],
-  },
-  {
-    value: "litellm",
-    label: "LiteLLM",
-    hint: "Unified LLM gateway (100+ providers)",
-    choices: ["litellm-api-key"],
-  },
-  {
-    value: "cloudflare-ai-gateway",
-    label: "Cloudflare AI Gateway",
-    hint: "Account ID + Gateway ID + API key",
-    choices: ["cloudflare-ai-gateway-api-key"],
-  },
-  {
-    value: "custom",
+    value: "custom-api-key",
     label: "Custom Provider",
     hint: "Any OpenAI or Anthropic compatible endpoint",
-    choices: ["custom-api-key"],
+    groupId: "custom",
+    groupLabel: "Custom Provider",
+    groupHint: "Any OpenAI or Anthropic compatible endpoint",
   },
 ];
 
-const PROVIDER_AUTH_CHOICE_OPTION_HINTS: Partial<Record<AuthChoice, string>> = {
-  "litellm-api-key": "Unified gateway for 100+ LLM providers",
-  "cloudflare-ai-gateway-api-key": "Account ID + Gateway ID + API key",
-  "venice-api-key": "Privacy-focused inference (uncensored models)",
-  "together-api-key": "Access to Llama, DeepSeek, Qwen, and more open models",
-  "huggingface-api-key": "Inference Providers — OpenAI-compatible chat",
-  "opencode-zen": "Shared OpenCode key; curated Zen catalog",
-  "opencode-go": "Shared OpenCode key; Kimi/GLM/MiniMax Go catalog",
-};
-
-const PROVIDER_AUTH_CHOICE_OPTION_LABELS: Partial<Record<AuthChoice, string>> = {
-  "moonshot-api-key": "Kimi API key (.ai)",
-  "moonshot-api-key-cn": "Kimi API key (.cn)",
-  "kimi-code-api-key": "Kimi Code API key (subscription)",
-  "cloudflare-ai-gateway-api-key": "Cloudflare AI Gateway",
-  "opencode-zen": "OpenCode Zen catalog",
-  "opencode-go": "OpenCode Go catalog",
-};
-
-function buildProviderAuthChoiceOptions(): AuthChoiceOption[] {
-  return ONBOARD_PROVIDER_AUTH_FLAGS.map((flag) => ({
-    value: flag.authChoice,
-    label: PROVIDER_AUTH_CHOICE_OPTION_LABELS[flag.authChoice] ?? flag.description,
-    ...(PROVIDER_AUTH_CHOICE_OPTION_HINTS[flag.authChoice]
-      ? { hint: PROVIDER_AUTH_CHOICE_OPTION_HINTS[flag.authChoice] }
-      : {}),
-  }));
-}
-
-export const BASE_AUTH_CHOICE_OPTIONS: ReadonlyArray<AuthChoiceOption> = [
-  {
-    value: "token",
-    label: "Anthropic token (paste setup-token)",
-    hint: "run `claude setup-token` elsewhere, then paste the token here",
-  },
-  {
-    value: "openai-codex",
-    label: "OpenAI Codex (ChatGPT OAuth)",
-  },
-  { value: "chutes", label: "Chutes (OAuth)" },
-  ...buildProviderAuthChoiceOptions(),
-  {
-    value: "moonshot-api-key-cn",
-    label: "Kimi API key (.cn)",
-  },
-  {
-    value: "github-copilot",
-    label: "GitHub Copilot (GitHub device login)",
-    hint: "Uses GitHub device flow",
-  },
-  { value: "gemini-api-key", label: "Google Gemini API key" },
-  {
-    value: "google-gemini-cli",
-    label: "Google Gemini CLI OAuth",
-    hint: "Unofficial flow; review account-risk warning before use",
-  },
-  { value: "zai-api-key", label: "Z.AI API key" },
-  {
-    value: "zai-coding-global",
-    label: "Coding-Plan-Global",
-    hint: "GLM Coding Plan Global (api.z.ai)",
-  },
-  {
-    value: "zai-coding-cn",
-    label: "Coding-Plan-CN",
-    hint: "GLM Coding Plan CN (open.bigmodel.cn)",
-  },
-  {
-    value: "zai-global",
-    label: "Global",
-    hint: "Z.AI Global (api.z.ai)",
-  },
-  {
-    value: "zai-cn",
-    label: "CN",
-    hint: "Z.AI CN (open.bigmodel.cn)",
-  },
-  {
-    value: "xiaomi-api-key",
-    label: "Xiaomi API key",
-  },
-  {
-    value: "minimax-global-oauth",
-    label: "MiniMax Global — OAuth (minimax.io)",
-    hint: "Only supports OAuth for the coding plan",
-  },
-  {
-    value: "minimax-global-api",
-    label: "MiniMax Global — API Key (minimax.io)",
-    hint: "sk-api- or sk-cp- keys supported",
-  },
-  {
-    value: "minimax-cn-oauth",
-    label: "MiniMax CN — OAuth (minimaxi.com)",
-    hint: "Only supports OAuth for the coding plan",
-  },
-  {
-    value: "minimax-cn-api",
-    label: "MiniMax CN — API Key (minimaxi.com)",
-    hint: "sk-api- or sk-cp- keys supported",
-  },
-  { value: "qwen-portal", label: "Qwen OAuth" },
-  {
-    value: "copilot-proxy",
-    label: "Copilot Proxy (local)",
-    hint: "Local proxy for VS Code Copilot models",
-  },
-  { value: "apiKey", label: "Anthropic API key" },
-  {
-    value: "opencode-zen",
-    label: "OpenCode Zen catalog",
-    hint: "Claude, GPT, Gemini via opencode.ai/zen",
-  },
-  { value: "qianfan-api-key", label: "Qianfan API key" },
-  {
-    value: "modelstudio-api-key-cn",
-    label: "Coding Plan API Key for China (subscription)",
-    hint: "Endpoint: coding.dashscope.aliyuncs.com",
-  },
-  {
-    value: "modelstudio-api-key",
-    label: "Coding Plan API Key for Global/Intl (subscription)",
-    hint: "Endpoint: coding-intl.dashscope.aliyuncs.com",
-  },
-  { value: "custom-api-key", label: "Custom Provider" },
-];
-
 export function formatStaticAuthChoiceChoicesForCli(params?: {
   includeSkip?: boolean;
   includeLegacyAliases?: boolean;
 }): string {
   const includeSkip = params?.includeSkip ?? true;
   const includeLegacyAliases = params?.includeLegacyAliases ?? false;
-  const values = BASE_AUTH_CHOICE_OPTIONS.map((opt) => opt.value);
+  const values = CORE_AUTH_CHOICE_OPTIONS.map((opt) => opt.value);
 
   if (includeSkip) {
     values.push("skip");
diff --git a/src/commands/auth-choice-options.test.ts b/src/commands/auth-choice-options.test.ts
index c45297a001e..933d998bc6e 100644
--- a/src/commands/auth-choice-options.test.ts
+++ b/src/commands/auth-choice-options.test.ts
@@ -1,5 +1,6 @@
-import { describe, expect, it, vi } from "vitest";
+import { beforeEach, describe, expect, it, vi } from "vitest";
 import type { AuthProfileStore } from "../agents/auth-profiles.js";
+import type { ProviderAuthChoiceMetadata } from "../plugins/provider-auth-choices.js";
 import type { ProviderWizardOption } from "../plugins/provider-wizard.js";
 import {
   buildAuthChoiceGroups,
@@ -8,9 +9,15 @@ import {
 } from "./auth-choice-options.js";
 import { formatStaticAuthChoiceChoicesForCli } from "./auth-choice-options.static.js";
 
+const resolveManifestProviderAuthChoices = vi.hoisted(() =>
+  vi.fn<() => ProviderAuthChoiceMetadata[]>(() => []),
+);
 const resolveProviderWizardOptions = vi.hoisted(() =>
   vi.fn<() => ProviderWizardOption[]>(() => []),
 );
+vi.mock("../plugins/provider-auth-choices.js", () => ({
+  resolveManifestProviderAuthChoices,
+}));
 vi.mock("../plugins/provider-wizard.js", () => ({
   resolveProviderWizardOptions,
 }));
@@ -25,7 +32,140 @@ function getOptions(includeSkip = false) {
 }
 
 describe("buildAuthChoiceOptions", () => {
+  beforeEach(() => {
+    resolveManifestProviderAuthChoices.mockReturnValue([]);
+    resolveProviderWizardOptions.mockReturnValue([]);
+  });
+
   it("includes core and provider-specific auth choices", () => {
+    resolveManifestProviderAuthChoices.mockReturnValue([
+      {
+        pluginId: "github-copilot",
+        providerId: "github-copilot",
+        methodId: "device",
+        choiceId: "github-copilot",
+        choiceLabel: "GitHub Copilot",
+        groupId: "copilot",
+        groupLabel: "Copilot",
+      },
+      {
+        pluginId: "anthropic",
+        providerId: "anthropic",
+        methodId: "setup-token",
+        choiceId: "token",
+        choiceLabel: "Anthropic token (paste setup-token)",
+        groupId: "anthropic",
+        groupLabel: "Anthropic",
+      },
+      {
+        pluginId: "openai",
+        providerId: "openai",
+        methodId: "api-key",
+        choiceId: "openai-api-key",
+        choiceLabel: "OpenAI API key",
+        groupId: "openai",
+        groupLabel: "OpenAI",
+      },
+      {
+        pluginId: "moonshot",
+        providerId: "moonshot",
+        methodId: "api-key",
+        choiceId: "moonshot-api-key",
+        choiceLabel: "Kimi API key (.ai)",
+        groupId: "moonshot",
+        groupLabel: "Moonshot AI (Kimi K2.5)",
+      },
+      {
+        pluginId: "minimax",
+        providerId: "minimax",
+        methodId: "api-global",
+        choiceId: "minimax-global-api",
+        choiceLabel: "MiniMax API key (Global)",
+        groupId: "minimax",
+        groupLabel: "MiniMax",
+      },
+      {
+        pluginId: "zai",
+        providerId: "zai",
+        methodId: "api-key",
+        choiceId: "zai-api-key",
+        choiceLabel: "Z.AI API key",
+        groupId: "zai",
+        groupLabel: "Z.AI",
+      },
+      {
+        pluginId: "xiaomi",
+        providerId: "xiaomi",
+        methodId: "api-key",
+        choiceId: "xiaomi-api-key",
+        choiceLabel: "Xiaomi API key",
+        groupId: "xiaomi",
+        groupLabel: "Xiaomi",
+      },
+      {
+        pluginId: "together",
+        providerId: "together",
+        methodId: "api-key",
+        choiceId: "together-api-key",
+        choiceLabel: "Together AI API key",
+        groupId: "together",
+        groupLabel: "Together AI",
+      },
+      {
+        pluginId: "qwen-portal-auth",
+        providerId: "qwen-portal",
+        methodId: "device",
+        choiceId: "qwen-portal",
+        choiceLabel: "Qwen OAuth",
+        groupId: "qwen",
+        groupLabel: "Qwen",
+      },
+      {
+        pluginId: "xai",
+        providerId: "xai",
+        methodId: "api-key",
+        choiceId: "xai-api-key",
+        choiceLabel: "xAI API key",
+        groupId: "xai",
+        groupLabel: "xAI (Grok)",
+      },
+      {
+        pluginId: "mistral",
+        providerId: "mistral",
+        methodId: "api-key",
+        choiceId: "mistral-api-key",
+        choiceLabel: "Mistral API key",
+        groupId: "mistral",
+        groupLabel: "Mistral AI",
+      },
+      {
+        pluginId: "volcengine",
+        providerId: "volcengine",
+        methodId: "api-key",
+        choiceId: "volcengine-api-key",
+        choiceLabel: "Volcano Engine API key",
+        groupId: "volcengine",
+        groupLabel: "Volcano Engine",
+      },
+      {
+        pluginId: "byteplus",
+        providerId: "byteplus",
+        methodId: "api-key",
+        choiceId: "byteplus-api-key",
+        choiceLabel: "BytePlus API key",
+        groupId: "byteplus",
+        groupLabel: "BytePlus",
+      },
+      {
+        pluginId: "opencode-go",
+        providerId: "opencode-go",
+        methodId: "api-key",
+        choiceId: "opencode-go",
+        choiceLabel: "OpenCode Go catalog",
+        groupId: "opencode",
+        groupLabel: "OpenCode",
+      },
+    ]);
     resolveProviderWizardOptions.mockReturnValue([
       {
         value: "ollama",
@@ -57,15 +197,8 @@ describe("buildAuthChoiceOptions", () => {
       "zai-api-key",
       "xiaomi-api-key",
       "minimax-global-api",
-      "minimax-cn-api",
-      "minimax-global-oauth",
       "moonshot-api-key",
-      "moonshot-api-key-cn",
-      "kimi-code-api-key",
       "together-api-key",
-      "ai-gateway-api-key",
-      "cloudflare-ai-gateway-api-key",
-      "synthetic-api-key",
       "chutes",
       "qwen-portal",
       "xai-api-key",
@@ -82,15 +215,37 @@ describe("buildAuthChoiceOptions", () => {
   });
 
   it("builds cli help choices from the same catalog", () => {
+    resolveManifestProviderAuthChoices.mockReturnValue([
+      {
+        pluginId: "openai",
+        providerId: "openai",
+        methodId: "api-key",
+        choiceId: "openai-api-key",
+        choiceLabel: "OpenAI API key",
+      },
+    ]);
+    resolveProviderWizardOptions.mockReturnValue([
+      {
+        value: "ollama",
+        label: "Ollama",
+        hint: "Cloud and local open models",
+        groupId: "ollama",
+        groupLabel: "Ollama",
+      },
+    ]);
     const options = getOptions(true);
     const cliChoices = formatAuthChoiceChoicesForCli({
       includeLegacyAliases: false,
       includeSkip: true,
     }).split("|");
 
-    for (const option of options) {
-      expect(cliChoices).toContain(option.value);
-    }
+    expect(cliChoices).toContain("openai-api-key");
+    expect(cliChoices).toContain("chutes");
+    expect(cliChoices).toContain("litellm-api-key");
+    expect(cliChoices).toContain("custom-api-key");
+    expect(cliChoices).toContain("skip");
+    expect(options.some((option) => option.value === "ollama")).toBe(true);
+    expect(cliChoices).not.toContain("ollama");
   });
 
   it("can include legacy aliases in cli help choices", () => {
@@ -106,6 +261,15 @@ describe("buildAuthChoiceOptions", () => {
   });
 
   it("keeps static cli help choices off the plugin-backed catalog", () => {
+    resolveManifestProviderAuthChoices.mockReturnValue([
+      {
+        pluginId: "openai",
+        providerId: "openai",
+        methodId: "api-key",
+        choiceId: "openai-api-key",
+        choiceLabel: "OpenAI API key",
+      },
+    ]);
     resolveProviderWizardOptions.mockReturnValue([
       {
         value: "ollama",
@@ -122,10 +286,12 @@ describe("buildAuthChoiceOptions", () => {
     }).split("|");
 
     expect(cliChoices).not.toContain("ollama");
+    expect(cliChoices).not.toContain("openai-api-key");
     expect(cliChoices).toContain("skip");
   });
 
   it("shows Chutes in grouped provider selection", () => {
+    resolveManifestProviderAuthChoices.mockReturnValue([]);
     const { groups } = buildAuthChoiceGroups({
       store: EMPTY_STORE,
       includeSkip: false,
@@ -137,6 +303,26 @@ describe("buildAuthChoiceOptions", () => {
   });
 
   it("groups OpenCode Zen and Go under one OpenCode entry", () => {
+    resolveManifestProviderAuthChoices.mockReturnValue([
+      {
+        pluginId: "opencode",
+        providerId: "opencode",
+        methodId: "api-key",
+        choiceId: "opencode-zen",
+        choiceLabel: "OpenCode Zen catalog",
+        groupId: "opencode",
+        groupLabel: "OpenCode",
+      },
+      {
+        pluginId: "opencode-go",
+        providerId: "opencode-go",
+        methodId: "api-key",
+        choiceId: "opencode-go",
+        choiceLabel: "OpenCode Go catalog",
+        groupId: "opencode",
+        groupLabel: "OpenCode",
+      },
+    ]);
     const { groups } = buildAuthChoiceGroups({
       store: EMPTY_STORE,
       includeSkip: false,
@@ -149,6 +335,7 @@ describe("buildAuthChoiceOptions", () => {
   });
 
   it("shows Ollama in grouped provider selection", () => {
+    resolveManifestProviderAuthChoices.mockReturnValue([]);
     resolveProviderWizardOptions.mockReturnValue([
       {
         value: "ollama",
diff --git a/src/commands/auth-choice-options.ts b/src/commands/auth-choice-options.ts
index b4df26154aa..03bfa86749a 100644
--- a/src/commands/auth-choice-options.ts
+++ b/src/commands/auth-choice-options.ts
@@ -1,21 +1,51 @@
 import type { AuthProfileStore } from "../agents/auth-profiles.js";
 import type { OpenClawConfig } from "../config/config.js";
+import { resolveManifestProviderAuthChoices } from "../plugins/provider-auth-choices.js";
 import { resolveProviderWizardOptions } from "../plugins/provider-wizard.js";
 import {
-  AUTH_CHOICE_GROUP_DEFS,
-  BASE_AUTH_CHOICE_OPTIONS,
+  CORE_AUTH_CHOICE_OPTIONS,
   type AuthChoiceGroup,
   type AuthChoiceOption,
   formatStaticAuthChoiceChoicesForCli,
 } from "./auth-choice-options.static.js";
 import type { AuthChoice, AuthChoiceGroupId } from "./onboard-types.js";
 
-function resolveDynamicProviderCliChoices(params?: {
+function compareOptionLabels(a: AuthChoiceOption, b: AuthChoiceOption): number {
+  return a.label.localeCompare(b.label);
+}
+
+function compareGroupLabels(a: AuthChoiceGroup, b: AuthChoiceGroup): number {
+  return a.label.localeCompare(b.label);
+}
+
+function resolveManifestProviderChoiceOptions(params?: {
   config?: OpenClawConfig;
   workspaceDir?: string;
   env?: NodeJS.ProcessEnv;
-}): string[] {
-  return [...new Set(resolveProviderWizardOptions(params ?? {}).map((option) => option.value))];
+}): AuthChoiceOption[] {
+  return resolveManifestProviderAuthChoices(params ?? {}).map((choice) => ({
+    value: choice.choiceId as AuthChoice,
+    label: choice.choiceLabel,
+    ...(choice.choiceHint ? { hint: choice.choiceHint } : {}),
+    ...(choice.groupId ? { groupId: choice.groupId as AuthChoiceGroupId } : {}),
+    ...(choice.groupLabel ? { groupLabel: choice.groupLabel } : {}),
+    ...(choice.groupHint ? { groupHint: choice.groupHint } : {}),
+  }));
+}
+
+function resolveRuntimeFallbackProviderChoiceOptions(params?: {
+  config?: OpenClawConfig;
+  workspaceDir?: string;
+  env?: NodeJS.ProcessEnv;
+}): AuthChoiceOption[] {
+  return resolveProviderWizardOptions(params ?? {}).map((option) => ({
+    value: option.value as AuthChoice,
+    label: option.label,
+    ...(option.hint ? { hint: option.hint } : {}),
+    groupId: option.groupId as AuthChoiceGroupId,
+    groupLabel: option.groupLabel,
+    ...(option.groupHint ? { groupHint: option.groupHint } : {}),
+  }));
 }
 
 export function formatAuthChoiceChoicesForCli(params?: {
@@ -27,10 +57,10 @@ export function formatAuthChoiceChoicesForCli(params?: {
 }): string {
   const values = [
     ...formatStaticAuthChoiceChoicesForCli(params).split("|"),
-    ...resolveDynamicProviderCliChoices(params),
+    ...resolveManifestProviderChoiceOptions(params).map((option) => option.value),
   ];
 
-  return values.join("|");
+  return [...new Set(values)].join("|");
 }
 
 export function buildAuthChoiceOptions(params: {
@@ -41,23 +71,30 @@ export function buildAuthChoiceOptions(params: {
   env?: NodeJS.ProcessEnv;
 }): AuthChoiceOption[] {
   void params.store;
-  const optionByValue = new Map<AuthChoice, AuthChoiceOption>(
-    BASE_AUTH_CHOICE_OPTIONS.map((option) => [option.value, option]),
-  );
-
-  for (const option of resolveProviderWizardOptions({
+  const optionByValue = new Map<AuthChoice, AuthChoiceOption>();
+  for (const option of CORE_AUTH_CHOICE_OPTIONS) {
+    optionByValue.set(option.value, option);
+  }
+  for (const option of resolveManifestProviderChoiceOptions({
     config: params.config,
     workspaceDir: params.workspaceDir,
     env: params.env,
   })) {
-    optionByValue.set(option.value as AuthChoice, {
-      value: option.value as AuthChoice,
-      label: option.label,
-      hint: option.hint,
-    });
+    optionByValue.set(option.value, option);
+  }
+  for (const option of resolveRuntimeFallbackProviderChoiceOptions({
+    config: params.config,
+    workspaceDir: params.workspaceDir,
+    env: params.env,
+  })) {
+    if (!optionByValue.has(option.value)) {
+      optionByValue.set(option.value, option);
+    }
   }
 
-  const options: AuthChoiceOption[] = Array.from(optionByValue.values());
+  const options: AuthChoiceOption[] = Array.from(optionByValue.values()).toSorted(
+    compareOptionLabels,
+  );
 
   if (params.includeSkip) {
     options.push({ value: "skip", label: "Skip for now" });
@@ -80,46 +117,30 @@ export function buildAuthChoiceGroups(params: {
     ...params,
     includeSkip: false,
   });
-  const optionByValue = new Map<AuthChoice, AuthChoiceOption>(
-    options.map((opt) => [opt.value, opt]),
-  );
+  const groupsById = new Map<AuthChoiceGroupId, AuthChoiceGroup>();
 
-  const groups: AuthChoiceGroup[] = AUTH_CHOICE_GROUP_DEFS.map((group) => ({
-    ...group,
-    options: group.choices
-      .map((choice) => optionByValue.get(choice))
-      .filter((opt): opt is AuthChoiceOption => Boolean(opt)),
-  }));
-  const staticGroupIds = new Set(groups.map((group) => group.value));
-
-  for (const option of resolveProviderWizardOptions({
-    config: params.config,
-    workspaceDir: params.workspaceDir,
-    env: params.env,
-  })) {
-    const existing = groups.find((group) => group.value === option.groupId);
-    const nextOption = optionByValue.get(option.value as AuthChoice) ?? {
-      value: option.value as AuthChoice,
-      label: option.label,
-      hint: option.hint,
-    };
+  for (const option of options) {
+    if (!option.groupId || !option.groupLabel) {
+      continue;
+    }
+    const existing = groupsById.get(option.groupId);
     if (existing) {
-      if (!existing.options.some((candidate) => candidate.value === nextOption.value)) {
-        existing.options.push(nextOption);
-      }
+      existing.options.push(option);
       continue;
     }
-    if (staticGroupIds.has(option.groupId as AuthChoiceGroupId)) {
-      continue;
-    }
-    groups.push({
-      value: option.groupId as AuthChoiceGroupId,
+    groupsById.set(option.groupId, {
+      value: option.groupId,
       label: option.groupLabel,
-      hint: option.groupHint,
-      options: [nextOption],
+      ...(option.groupHint ? { hint: option.groupHint } : {}),
+      options: [option],
     });
-    staticGroupIds.add(option.groupId as AuthChoiceGroupId);
   }
+  const groups = Array.from(groupsById.values())
+    .map((group) => ({
+      ...group,
+      options: [...group.options].toSorted(compareOptionLabels),
+    }))
+    .toSorted(compareGroupLabels);
 
   const skipOption = params.includeSkip
     ? ({ value: "skip", label: "Skip for now" } satisfies AuthChoiceOption)
diff --git a/src/commands/auth-choice.apply.anthropic.test.ts b/src/commands/auth-choice.apply.anthropic.test.ts
deleted file mode 100644
index 2833477ce96..00000000000
--- a/src/commands/auth-choice.apply.anthropic.test.ts
+++ /dev/null
@@ -1,105 +0,0 @@
-import { afterEach, describe, expect, it, vi } from "vitest";
-import anthropicPlugin from "../../extensions/anthropic/index.js";
-import type { ProviderPlugin } from "../plugins/types.js";
-import { registerSingleProviderPlugin } from "../test-utils/plugin-registration.js";
-import { applyAuthChoiceAnthropic } from "./auth-choice.apply.anthropic.js";
-import { applyAuthChoice } from "./auth-choice.js";
-import { ANTHROPIC_SETUP_TOKEN_PREFIX } from "./auth-token.js";
-import {
-  createAuthTestLifecycle,
-  createExitThrowingRuntime,
-  createWizardPrompter,
-  readAuthProfilesForAgent,
-  setupAuthTestEnv,
-} from "./test-wizard-helpers.js";
-
-const resolvePluginProviders = vi.hoisted(() => vi.fn<() => ProviderPlugin[]>(() => []));
-vi.mock("../plugins/providers.js", () => ({
-  resolvePluginProviders,
-}));
-
-describe("applyAuthChoiceAnthropic", () => {
-  const lifecycle = createAuthTestLifecycle([
-    "OPENCLAW_STATE_DIR",
-    "OPENCLAW_AGENT_DIR",
-    "PI_CODING_AGENT_DIR",
-    "ANTHROPIC_API_KEY",
-    "ANTHROPIC_SETUP_TOKEN",
-  ]);
-
-  async function setupTempState() {
-    const env = await setupAuthTestEnv("openclaw-anthropic-");
-    lifecycle.setStateDir(env.stateDir);
-    return env.agentDir;
-  }
-
-  afterEach(async () => {
-    resolvePluginProviders.mockReset();
-    resolvePluginProviders.mockReturnValue([]);
-    await lifecycle.cleanup();
-  });
-
-  it("writes env-backed Anthropic key as keyRef when secret-input-mode=ref", async () => {
-    const agentDir = await setupTempState();
-    process.env.ANTHROPIC_API_KEY = "sk-ant-api-key";
-
-    const confirm = vi.fn(async () => true);
-    const prompter = createWizardPrompter({ confirm }, { defaultSelect: "ref" });
-    const runtime = createExitThrowingRuntime();
-
-    const result = await applyAuthChoiceAnthropic({
-      authChoice: "apiKey",
-      config: {},
-      prompter,
-      runtime,
-      setDefaultModel: true,
-    });
-
-    expect(result).not.toBeNull();
-    expect(result?.config.auth?.profiles?.["anthropic:default"]).toMatchObject({
-      provider: "anthropic",
-      mode: "api_key",
-    });
-    const parsed = await readAuthProfilesForAgent<{
-      profiles?: Record<string, { key?: string; keyRef?: unknown }>;
-    }>(agentDir);
-    expect(parsed.profiles?.["anthropic:default"]).toMatchObject({
-      keyRef: { source: "env", provider: "default", id: "ANTHROPIC_API_KEY" },
-    });
-    expect(parsed.profiles?.["anthropic:default"]?.key).toBeUndefined();
-  });
-
-  it("routes token onboarding through the anthropic provider plugin", async () => {
-    const agentDir = await setupTempState();
-    process.env.ANTHROPIC_SETUP_TOKEN = `${ANTHROPIC_SETUP_TOKEN_PREFIX}${"x".repeat(100)}`;
-    resolvePluginProviders.mockReturnValue([registerSingleProviderPlugin(anthropicPlugin)]);
-
-    const select = vi.fn().mockResolvedValueOnce("env");
-    const text = vi.fn().mockResolvedValueOnce("ANTHROPIC_SETUP_TOKEN").mockResolvedValueOnce("");
-    const prompter = createWizardPrompter({ select, text }, { defaultSelect: "ref" });
-    const runtime = createExitThrowingRuntime();
-
-    const result = await applyAuthChoice({
-      authChoice: "token",
-      config: {},
-      prompter,
-      runtime,
-      setDefaultModel: true,
-      opts: { secretInputMode: "ref" },
-    });
-
-    expect(result.config.auth?.profiles?.["anthropic:default"]).toMatchObject({
-      provider: "anthropic",
-      mode: "token",
-    });
-    const parsed = await readAuthProfilesForAgent<{
-      profiles?: Record<string, { token?: string; tokenRef?: unknown }>;
-    }>(agentDir);
-    expect(parsed.profiles?.["anthropic:default"]?.token).toBeUndefined();
-    expect(parsed.profiles?.["anthropic:default"]?.tokenRef).toMatchObject({
-      source: "env",
-      provider: "default",
-      id: "ANTHROPIC_SETUP_TOKEN",
-    });
-  });
-});
diff --git a/src/commands/auth-choice.apply.anthropic.ts b/src/commands/auth-choice.apply.anthropic.ts
deleted file mode 100644
index 64e98d3ebaf..00000000000
--- a/src/commands/auth-choice.apply.anthropic.ts
+++ /dev/null
@@ -1,64 +0,0 @@
-import { normalizeApiKeyInput, validateApiKeyInput } from "./auth-choice.api-key.js";
-import {
-  normalizeSecretInputModeInput,
-  ensureApiKeyFromOptionEnvOrPrompt,
-} from "./auth-choice.apply-helpers.js";
-import type { ApplyAuthChoiceParams, ApplyAuthChoiceResult } from "./auth-choice.apply.js";
-import { applyAuthChoicePluginProvider } from "./auth-choice.apply.plugin-provider.js";
-import { applyAgentDefaultModelPrimary } from "./onboard-auth.config-shared.js";
-import { applyAuthProfileConfig, setAnthropicApiKey } from "./onboard-auth.js";
-
-const DEFAULT_ANTHROPIC_MODEL = "anthropic/claude-sonnet-4-6";
-
-export async function applyAuthChoiceAnthropic(
-  params: ApplyAuthChoiceParams,
-): Promise<ApplyAuthChoiceResult | null> {
-  const requestedSecretInputMode = normalizeSecretInputModeInput(params.opts?.secretInputMode);
-  if (
-    params.authChoice === "setup-token" ||
-    params.authChoice === "oauth" ||
-    params.authChoice === "token"
-  ) {
-    return await applyAuthChoicePluginProvider(params, {
-      authChoice: params.authChoice,
-      pluginId: "anthropic",
-      providerId: "anthropic",
-      methodId: "setup-token",
-      label: "Anthropic",
-    });
-  }
-
-  if (params.authChoice === "apiKey") {
-    if (params.opts?.tokenProvider && params.opts.tokenProvider !== "anthropic") {
-      return null;
-    }
-
-    let nextConfig = params.config;
-    await ensureApiKeyFromOptionEnvOrPrompt({
-      token: params.opts?.token,
-      tokenProvider: params.opts?.tokenProvider ?? "anthropic",
-      secretInputMode: requestedSecretInputMode,
-      config: nextConfig,
-      expectedProviders: ["anthropic"],
-      provider: "anthropic",
-      envLabel: "ANTHROPIC_API_KEY",
-      promptMessage: "Enter Anthropic API key",
-      normalize: normalizeApiKeyInput,
-      validate: validateApiKeyInput,
-      prompter: params.prompter,
-      setCredential: async (apiKey, mode) =>
-        setAnthropicApiKey(apiKey, params.agentDir, { secretInputMode: mode }),
-    });
-    nextConfig = applyAuthProfileConfig(nextConfig, {
-      profileId: "anthropic:default",
-      provider: "anthropic",
-      mode: "api_key",
-    });
-    if (params.setDefaultModel) {
-      nextConfig = applyAgentDefaultModelPrimary(nextConfig, DEFAULT_ANTHROPIC_MODEL);
-    }
-    return { config: nextConfig };
-  }
-
-  return null;
-}
diff --git a/src/commands/auth-choice.apply.api-providers.ts b/src/commands/auth-choice.apply.api-providers.ts
index f58a7312f74..eef881c2b13 100644
--- a/src/commands/auth-choice.apply.api-providers.ts
+++ b/src/commands/auth-choice.apply.api-providers.ts
@@ -63,6 +63,23 @@ const ZAI_AUTH_CHOICE_ENDPOINT: Partial<
   "zai-cn": "cn",
 };
 
+export function normalizeApiKeyTokenProviderAuthChoice(params: {
+  authChoice: AuthChoice;
+  tokenProvider?: string;
+}): AuthChoice {
+  if (params.authChoice !== "apiKey" || !params.tokenProvider) {
+    return params.authChoice;
+  }
+  const normalizedTokenProvider = normalizeTokenProviderInput(params.tokenProvider);
+  if (!normalizedTokenProvider) {
+    return params.authChoice;
+  }
+  if (normalizedTokenProvider === "anthropic" || normalizedTokenProvider === "openai") {
+    return params.authChoice;
+  }
+  return API_KEY_TOKEN_PROVIDER_AUTH_CHOICE[normalizedTokenProvider] ?? params.authChoice;
+}
+
 export async function applyAuthChoiceApiProviders(
   params: ApplyAuthChoiceParams,
 ): Promise<ApplyAuthChoiceResult | null> {
@@ -77,14 +94,12 @@ export async function applyAuthChoiceApiProviders(
     (model) => (agentModelOverride = model),
   );
 
-  let authChoice = params.authChoice;
+  const authChoice = normalizeApiKeyTokenProviderAuthChoice({
+    authChoice: params.authChoice,
+    tokenProvider: params.opts?.tokenProvider,
+  });
   const normalizedTokenProvider = normalizeTokenProviderInput(params.opts?.tokenProvider);
   const requestedSecretInputMode = normalizeSecretInputModeInput(params.opts?.secretInputMode);
-  if (authChoice === "apiKey" && params.opts?.tokenProvider) {
-    if (normalizedTokenProvider !== "anthropic" && normalizedTokenProvider !== "openai") {
-      authChoice = API_KEY_TOKEN_PROVIDER_AUTH_CHOICE[normalizedTokenProvider ?? ""] ?? authChoice;
-    }
-  }
 
   if (authChoice === "openrouter-api-key") {
     return applyAuthChoiceOpenRouter(params);
diff --git a/src/commands/auth-choice.apply.openai.test.ts b/src/commands/auth-choice.apply.openai.test.ts
deleted file mode 100644
index 1d14f136f32..00000000000
--- a/src/commands/auth-choice.apply.openai.test.ts
+++ /dev/null
@@ -1,116 +0,0 @@
-import { afterEach, describe, expect, it, vi } from "vitest";
-import { applyAuthChoiceOpenAI } from "./auth-choice.apply.openai.js";
-import {
-  createAuthTestLifecycle,
-  createExitThrowingRuntime,
-  createWizardPrompter,
-  readAuthProfilesForAgent,
-  setupAuthTestEnv,
-} from "./test-wizard-helpers.js";
-
-describe("applyAuthChoiceOpenAI", () => {
-  const lifecycle = createAuthTestLifecycle([
-    "OPENCLAW_STATE_DIR",
-    "OPENCLAW_AGENT_DIR",
-    "PI_CODING_AGENT_DIR",
-    "OPENAI_API_KEY",
-  ]);
-
-  async function setupTempState() {
-    const env = await setupAuthTestEnv("openclaw-openai-");
-    lifecycle.setStateDir(env.stateDir);
-    return env.agentDir;
-  }
-
-  afterEach(async () => {
-    await lifecycle.cleanup();
-  });
-
-  it("writes env-backed OpenAI key as plaintext by default", async () => {
-    const agentDir = await setupTempState();
-    process.env.OPENAI_API_KEY = "sk-openai-env"; // pragma: allowlist secret
-
-    const confirm = vi.fn(async () => true);
-    const text = vi.fn(async () => "unused");
-    const prompter = createWizardPrompter({ confirm, text }, { defaultSelect: "plaintext" });
-    const runtime = createExitThrowingRuntime();
-
-    const result = await applyAuthChoiceOpenAI({
-      authChoice: "openai-api-key",
-      config: {},
-      prompter,
-      runtime,
-      setDefaultModel: true,
-    });
-
-    expect(result).not.toBeNull();
-    expect(result?.config.auth?.profiles?.["openai:default"]).toMatchObject({
-      provider: "openai",
-      mode: "api_key",
-    });
-    const defaultModel = result?.config.agents?.defaults?.model;
-    const primaryModel = typeof defaultModel === "string" ? defaultModel : defaultModel?.primary;
-    expect(primaryModel).toBe("openai/gpt-5.1-codex");
-    expect(text).not.toHaveBeenCalled();
-
-    const parsed = await readAuthProfilesForAgent<{
-      profiles?: Record<string, { key?: string; keyRef?: unknown }>;
-    }>(agentDir);
-    expect(parsed.profiles?.["openai:default"]?.key).toBe("sk-openai-env");
-    expect(parsed.profiles?.["openai:default"]?.keyRef).toBeUndefined();
-  });
-
-  it("writes env-backed OpenAI key as keyRef when secret-input-mode=ref", async () => {
-    const agentDir = await setupTempState();
-    process.env.OPENAI_API_KEY = "sk-openai-env"; // pragma: allowlist secret
-
-    const confirm = vi.fn(async () => true);
-    const text = vi.fn(async () => "unused");
-    const prompter = createWizardPrompter({ confirm, text }, { defaultSelect: "ref" });
-    const runtime = createExitThrowingRuntime();
-
-    const result = await applyAuthChoiceOpenAI({
-      authChoice: "openai-api-key",
-      config: {},
-      prompter,
-      runtime,
-      setDefaultModel: true,
-    });
-
-    expect(result).not.toBeNull();
-    const parsed = await readAuthProfilesForAgent<{
-      profiles?: Record<string, { key?: string; keyRef?: unknown }>;
-    }>(agentDir);
-    expect(parsed.profiles?.["openai:default"]).toMatchObject({
-      keyRef: { source: "env", provider: "default", id: "OPENAI_API_KEY" },
-    });
-    expect(parsed.profiles?.["openai:default"]?.key).toBeUndefined();
-  });
-
-  it("writes explicit token input into openai auth profile", async () => {
-    const agentDir = await setupTempState();
-
-    const prompter = createWizardPrompter({}, { defaultSelect: "" });
-    const runtime = createExitThrowingRuntime();
-
-    const result = await applyAuthChoiceOpenAI({
-      authChoice: "apiKey",
-      config: {},
-      prompter,
-      runtime,
-      setDefaultModel: true,
-      opts: {
-        tokenProvider: "openai",
-        token: "sk-openai-token",
-      },
-    });
-
-    expect(result).not.toBeNull();
-
-    const parsed = await readAuthProfilesForAgent<{
-      profiles?: Record<string, { key?: string; keyRef?: unknown }>;
-    }>(agentDir);
-    expect(parsed.profiles?.["openai:default"]?.key).toBe("sk-openai-token");
-    expect(parsed.profiles?.["openai:default"]?.keyRef).toBeUndefined();
-  });
-});
diff --git a/src/commands/auth-choice.apply.openai.ts b/src/commands/auth-choice.apply.openai.ts
deleted file mode 100644
index e03c9e2505a..00000000000
--- a/src/commands/auth-choice.apply.openai.ts
+++ /dev/null
@@ -1,80 +0,0 @@
-import { normalizeApiKeyInput, validateApiKeyInput } from "./auth-choice.api-key.js";
-import {
-  createAuthChoiceAgentModelNoter,
-  ensureApiKeyFromOptionEnvOrPrompt,
-  normalizeSecretInputModeInput,
-} from "./auth-choice.apply-helpers.js";
-import type { ApplyAuthChoiceParams, ApplyAuthChoiceResult } from "./auth-choice.apply.js";
-import { applyAuthChoicePluginProvider } from "./auth-choice.apply.plugin-provider.js";
-import { applyDefaultModelChoice } from "./auth-choice.default-model.js";
-import { applyAuthProfileConfig, setOpenaiApiKey } from "./onboard-auth.js";
-import {
-  applyOpenAIConfig,
-  applyOpenAIProviderConfig,
-  OPENAI_DEFAULT_MODEL,
-} from "./openai-model-default.js";
-
-export async function applyAuthChoiceOpenAI(
-  params: ApplyAuthChoiceParams,
-): Promise<ApplyAuthChoiceResult | null> {
-  const requestedSecretInputMode = normalizeSecretInputModeInput(params.opts?.secretInputMode);
-  const noteAgentModel = createAuthChoiceAgentModelNoter(params);
-  let authChoice = params.authChoice;
-  if (authChoice === "apiKey" && params.opts?.tokenProvider === "openai") {
-    authChoice = "openai-api-key";
-  }
-
-  if (authChoice === "openai-api-key") {
-    let nextConfig = params.config;
-    let agentModelOverride: string | undefined;
-
-    const applyOpenAiDefaultModelChoice = async (): Promise<ApplyAuthChoiceResult> => {
-      const applied = await applyDefaultModelChoice({
-        config: nextConfig,
-        setDefaultModel: params.setDefaultModel,
-        defaultModel: OPENAI_DEFAULT_MODEL,
-        applyDefaultConfig: applyOpenAIConfig,
-        applyProviderConfig: applyOpenAIProviderConfig,
-        noteDefault: OPENAI_DEFAULT_MODEL,
-        noteAgentModel,
-        prompter: params.prompter,
-      });
-      nextConfig = applied.config;
-      agentModelOverride = applied.agentModelOverride ?? agentModelOverride;
-      return { config: nextConfig, agentModelOverride };
-    };
-
-    await ensureApiKeyFromOptionEnvOrPrompt({
-      token: params.opts?.token,
-      tokenProvider: params.opts?.tokenProvider,
-      secretInputMode: requestedSecretInputMode,
-      config: nextConfig,
-      expectedProviders: ["openai"],
-      provider: "openai",
-      envLabel: "OPENAI_API_KEY",
-      promptMessage: "Enter OpenAI API key",
-      normalize: normalizeApiKeyInput,
-      validate: validateApiKeyInput,
-      prompter: params.prompter,
-      setCredential: async (apiKey, mode) =>
-        setOpenaiApiKey(apiKey, params.agentDir, { secretInputMode: mode }),
-    });
-    nextConfig = applyAuthProfileConfig(nextConfig, {
-      profileId: "openai:default",
-      provider: "openai",
-      mode: "api_key",
-    });
-    return await applyOpenAiDefaultModelChoice();
-  }
-  if (params.authChoice === "openai-codex") {
-    return await applyAuthChoicePluginProvider(params, {
-      authChoice: "openai-codex",
-      pluginId: "openai",
-      providerId: "openai-codex",
-      methodId: "oauth",
-      label: "OpenAI",
-    });
-  }
-
-  return null;
-}
diff --git a/src/commands/auth-choice.apply.ts b/src/commands/auth-choice.apply.ts
index bafa9122e25..f8dab665f23 100644
--- a/src/commands/auth-choice.apply.ts
+++ b/src/commands/auth-choice.apply.ts
@@ -2,11 +2,10 @@ import type { OpenClawConfig } from "../config/config.js";
 import type { RuntimeEnv } from "../runtime.js";
 import type { WizardPrompter } from "../wizard/prompts.js";
 import { normalizeLegacyOnboardAuthChoice } from "./auth-choice-legacy.js";
-import { applyAuthChoiceAnthropic } from "./auth-choice.apply.anthropic.js";
 import { applyAuthChoiceApiProviders } from "./auth-choice.apply.api-providers.js";
+import { normalizeApiKeyTokenProviderAuthChoice } from "./auth-choice.apply.api-providers.js";
 import { applyAuthChoiceMiniMax } from "./auth-choice.apply.minimax.js";
 import { applyAuthChoiceOAuth } from "./auth-choice.apply.oauth.js";
-import { applyAuthChoiceOpenAI } from "./auth-choice.apply.openai.js";
 import { applyAuthChoiceLoadedPluginProvider } from "./auth-choice.apply.plugin-provider.js";
 import type { AuthChoice, OnboardOptions } from "./onboard-types.js";
 
@@ -31,14 +30,16 @@ export async function applyAuthChoice(
 ): Promise<ApplyAuthChoiceResult> {
   const normalizedAuthChoice =
     normalizeLegacyOnboardAuthChoice(params.authChoice) ?? params.authChoice;
+  const normalizedProviderAuthChoice = normalizeApiKeyTokenProviderAuthChoice({
+    authChoice: normalizedAuthChoice,
+    tokenProvider: params.opts?.tokenProvider,
+  });
   const normalizedParams =
-    normalizedAuthChoice === params.authChoice
+    normalizedProviderAuthChoice === params.authChoice
       ? params
-      : { ...params, authChoice: normalizedAuthChoice };
+      : { ...params, authChoice: normalizedProviderAuthChoice };
   const handlers: Array<(p: ApplyAuthChoiceParams) => Promise<ApplyAuthChoiceResult | null>> = [
     applyAuthChoiceLoadedPluginProvider,
-    applyAuthChoiceAnthropic,
-    applyAuthChoiceOpenAI,
     applyAuthChoiceOAuth,
     applyAuthChoiceApiProviders,
     applyAuthChoiceMiniMax,
diff --git a/src/commands/auth-choice.preferred-provider.test.ts b/src/commands/auth-choice.preferred-provider.test.ts
index 6f84763a308..6c9aae5f28e 100644
--- a/src/commands/auth-choice.preferred-provider.test.ts
+++ b/src/commands/auth-choice.preferred-provider.test.ts
@@ -1,8 +1,13 @@
 import { beforeEach, describe, expect, it, vi } from "vitest";
 
+const resolveManifestProviderAuthChoice = vi.hoisted(() => vi.fn());
 const resolveProviderPluginChoice = vi.hoisted(() => vi.fn());
 const resolvePluginProviders = vi.hoisted(() => vi.fn(() => []));
 
+vi.mock("../plugins/provider-auth-choices.js", () => ({
+  resolveManifestProviderAuthChoice,
+}));
+
 vi.mock("../plugins/provider-wizard.js", () => ({
   resolveProviderPluginChoice,
 }));
@@ -16,10 +21,26 @@ import { resolvePreferredProviderForAuthChoice } from "./auth-choice.preferred-p
 describe("resolvePreferredProviderForAuthChoice", () => {
   beforeEach(() => {
     vi.clearAllMocks();
+    resolveManifestProviderAuthChoice.mockReturnValue(undefined);
     resolvePluginProviders.mockReturnValue([]);
     resolveProviderPluginChoice.mockReturnValue(null);
   });
 
+  it("prefers manifest metadata when available", async () => {
+    resolveManifestProviderAuthChoice.mockReturnValue({
+      pluginId: "openai",
+      providerId: "openai",
+      methodId: "api-key",
+      choiceId: "openai-api-key",
+      choiceLabel: "OpenAI API key",
+    });
+
+    await expect(resolvePreferredProviderForAuthChoice({ choice: "openai-api-key" })).resolves.toBe(
+      "openai",
+    );
+    expect(resolvePluginProviders).not.toHaveBeenCalled();
+  });
+
   it("normalizes legacy auth choices before plugin lookup", async () => {
     resolveProviderPluginChoice.mockReturnValue({
       provider: { id: "anthropic", label: "Anthropic", auth: [] },
diff --git a/src/commands/auth-choice.preferred-provider.ts b/src/commands/auth-choice.preferred-provider.ts
index a7faad5d3a4..7cab79d2215 100644
--- a/src/commands/auth-choice.preferred-provider.ts
+++ b/src/commands/auth-choice.preferred-provider.ts
@@ -1,51 +1,12 @@
 import type { OpenClawConfig } from "../config/config.js";
+import { resolveManifestProviderAuthChoice } from "../plugins/provider-auth-choices.js";
 import { normalizeLegacyOnboardAuthChoice } from "./auth-choice-legacy.js";
 import type { AuthChoice } from "./onboard-types.js";
 
 const PREFERRED_PROVIDER_BY_AUTH_CHOICE: Partial<Record<AuthChoice, string>> = {
   chutes: "chutes",
-  token: "anthropic",
-  apiKey: "anthropic",
-  "openai-codex": "openai-codex",
-  "openai-api-key": "openai",
-  "openrouter-api-key": "openrouter",
-  "kilocode-api-key": "kilocode",
-  "ai-gateway-api-key": "vercel-ai-gateway",
-  "cloudflare-ai-gateway-api-key": "cloudflare-ai-gateway",
-  "moonshot-api-key": "moonshot",
-  "moonshot-api-key-cn": "moonshot",
-  "kimi-code-api-key": "kimi-coding",
-  "gemini-api-key": "google",
-  "google-gemini-cli": "google-gemini-cli",
-  "mistral-api-key": "mistral",
-  ollama: "ollama",
-  sglang: "sglang",
-  "zai-api-key": "zai",
-  "zai-coding-global": "zai",
-  "zai-coding-cn": "zai",
-  "zai-global": "zai",
-  "zai-cn": "zai",
-  "xiaomi-api-key": "xiaomi",
-  "synthetic-api-key": "synthetic",
-  "venice-api-key": "venice",
-  "together-api-key": "together",
-  "huggingface-api-key": "huggingface",
-  "github-copilot": "github-copilot",
-  "copilot-proxy": "copilot-proxy",
-  "minimax-global-oauth": "minimax-portal",
-  "minimax-global-api": "minimax",
-  "minimax-cn-oauth": "minimax-portal",
-  "minimax-cn-api": "minimax",
-  "opencode-zen": "opencode",
-  "opencode-go": "opencode-go",
-  "xai-api-key": "xai",
   "litellm-api-key": "litellm",
-  "qwen-portal": "qwen-portal",
-  "volcengine-api-key": "volcengine",
-  "byteplus-api-key": "byteplus",
-  "qianfan-api-key": "qianfan",
   "custom-api-key": "custom",
-  vllm: "vllm",
 };
 
 export async function resolvePreferredProviderForAuthChoice(params: {
@@ -55,6 +16,10 @@ export async function resolvePreferredProviderForAuthChoice(params: {
   env?: NodeJS.ProcessEnv;
 }): Promise<string | undefined> {
   const choice = normalizeLegacyOnboardAuthChoice(params.choice) ?? params.choice;
+  const manifestResolved = resolveManifestProviderAuthChoice(choice, params);
+  if (manifestResolved) {
+    return manifestResolved.providerId;
+  }
   const [{ resolveProviderPluginChoice }, { resolvePluginProviders }] = await Promise.all([
     import("../plugins/provider-wizard.js"),
     import("../plugins/providers.js"),
diff --git a/src/commands/auth-choice.test.ts b/src/commands/auth-choice.test.ts
index 515291feb34..52a6211a87f 100644
--- a/src/commands/auth-choice.test.ts
+++ b/src/commands/auth-choice.test.ts
@@ -1,7 +1,15 @@
 import fs from "node:fs/promises";
 import type { OAuthCredentials } from "@mariozechner/pi-ai";
 import { afterEach, describe, expect, it, vi } from "vitest";
+import anthropicPlugin from "../../extensions/anthropic/index.js";
+import huggingfacePlugin from "../../extensions/huggingface/index.js";
+import kimiCodingPlugin from "../../extensions/kimi-coding/index.js";
+import ollamaPlugin from "../../extensions/ollama/index.js";
+import openAIPlugin from "../../extensions/openai/index.js";
+import togetherPlugin from "../../extensions/together/index.js";
 import { resolveAgentModelPrimaryValue } from "../config/model-input.js";
+import type { ProviderPlugin } from "../plugins/types.js";
+import { createCapturedPluginRegistration } from "../test-utils/plugin-registration.js";
 import type { WizardPrompter } from "../wizard/prompts.js";
 import { applyAuthChoice, resolvePreferredProviderForAuthChoice } from "./auth-choice.js";
 import { GOOGLE_GEMINI_DEFAULT_MODEL } from "./google-gemini-model-default.js";
@@ -34,7 +42,7 @@ vi.mock("./openai-codex-oauth.js", () => ({
   loginOpenAICodexOAuth,
 }));
 
-const resolvePluginProviders = vi.hoisted(() => vi.fn(() => []));
+const resolvePluginProviders = vi.hoisted(() => vi.fn<() => ProviderPlugin[]>(() => []));
 vi.mock("../plugins/providers.js", () => ({
   resolvePluginProviders,
 }));
@@ -55,6 +63,21 @@ type StoredAuthProfile = {
   metadata?: Record<string, string>;
 };
 
+function createDefaultProviderPlugins() {
+  const captured = createCapturedPluginRegistration();
+  for (const plugin of [
+    anthropicPlugin,
+    huggingfacePlugin,
+    kimiCodingPlugin,
+    ollamaPlugin,
+    openAIPlugin,
+    togetherPlugin,
+  ]) {
+    plugin.register(captured.api);
+  }
+  return captured.providers;
+}
+
 describe("applyAuthChoice", () => {
   const lifecycle = createAuthTestLifecycle([
     "OPENCLAW_STATE_DIR",
@@ -127,6 +150,7 @@ describe("applyAuthChoice", () => {
   afterEach(async () => {
     vi.unstubAllGlobals();
     resolvePluginProviders.mockReset();
+    resolvePluginProviders.mockReturnValue(createDefaultProviderPlugins());
     detectZaiEndpoint.mockReset();
     detectZaiEndpoint.mockResolvedValue(null);
     loginOpenAICodexOAuth.mockReset();
@@ -135,6 +159,8 @@ describe("applyAuthChoice", () => {
     activeStateDir = null;
   });
 
+  resolvePluginProviders.mockReturnValue(createDefaultProviderPlugins());
+
   it("does not throw when openai-codex oauth fails", async () => {
     await setupTempState();
 
diff --git a/src/commands/onboard-core-auth-flags.ts b/src/commands/onboard-core-auth-flags.ts
new file mode 100644
index 00000000000..38663dbbccb
--- /dev/null
+++ b/src/commands/onboard-core-auth-flags.ts
@@ -0,0 +1,21 @@
+import type { AuthChoice, OnboardOptions } from "./onboard-types.js";
+
+type OnboardCoreAuthOptionKey = keyof Pick<OnboardOptions, "litellmApiKey">;
+
+export type OnboardCoreAuthFlag = {
+  optionKey: OnboardCoreAuthOptionKey;
+  authChoice: AuthChoice;
+  cliFlag: `--${string}`;
+  cliOption: `--${string} <key>`;
+  description: string;
+};
+
+export const CORE_ONBOARD_AUTH_FLAGS: ReadonlyArray<OnboardCoreAuthFlag> = [
+  {
+    optionKey: "litellmApiKey",
+    authChoice: "litellm-api-key",
+    cliFlag: "--litellm-api-key",
+    cliOption: "--litellm-api-key <key>",
+    description: "LiteLLM API key",
+  },
+];
diff --git a/src/commands/onboard-non-interactive/local/auth-choice-inference.ts b/src/commands/onboard-non-interactive/local/auth-choice-inference.ts
index 212bb9dd890..4f29bcfa2b0 100644
--- a/src/commands/onboard-non-interactive/local/auth-choice-inference.ts
+++ b/src/commands/onboard-non-interactive/local/auth-choice-inference.ts
@@ -1,45 +1,13 @@
-import { ONBOARD_PROVIDER_AUTH_FLAGS } from "../../onboard-provider-auth-flags.js";
+import { resolveManifestProviderOnboardAuthFlags } from "../../../plugins/provider-auth-choices.js";
+import { CORE_ONBOARD_AUTH_FLAGS } from "../../onboard-core-auth-flags.js";
 import type { AuthChoice, OnboardOptions } from "../../onboard-types.js";
 
 type AuthChoiceFlag = {
-  optionKey: keyof AuthChoiceFlagOptions;
+  optionKey: string;
   authChoice: AuthChoice;
   label: string;
 };
 
-type AuthChoiceFlagOptions = Pick<
-  OnboardOptions,
-  | "anthropicApiKey"
-  | "geminiApiKey"
-  | "openaiApiKey"
-  | "mistralApiKey"
-  | "openrouterApiKey"
-  | "kilocodeApiKey"
-  | "aiGatewayApiKey"
-  | "cloudflareAiGatewayApiKey"
-  | "moonshotApiKey"
-  | "kimiCodeApiKey"
-  | "syntheticApiKey"
-  | "veniceApiKey"
-  | "togetherApiKey"
-  | "huggingfaceApiKey"
-  | "zaiApiKey"
-  | "xiaomiApiKey"
-  | "minimaxApiKey"
-  | "opencodeZenApiKey"
-  | "opencodeGoApiKey"
-  | "xaiApiKey"
-  | "litellmApiKey"
-  | "qianfanApiKey"
-  | "modelstudioApiKeyCn"
-  | "modelstudioApiKey"
-  | "volcengineApiKey"
-  | "byteplusApiKey"
-  | "customBaseUrl"
-  | "customModelId"
-  | "customApiKey"
->;
-
 export type AuthChoiceInference = {
   choice?: AuthChoice;
   matches: AuthChoiceFlag[];
@@ -51,13 +19,21 @@ function hasStringValue(value: unknown): boolean {
 
 // Infer auth choice from explicit provider API key flags.
 export function inferAuthChoiceFromFlags(opts: OnboardOptions): AuthChoiceInference {
-  const matches: AuthChoiceFlag[] = ONBOARD_PROVIDER_AUTH_FLAGS.filter(({ optionKey }) =>
-    hasStringValue(opts[optionKey]),
-  ).map((flag) => ({
-    optionKey: flag.optionKey,
-    authChoice: flag.authChoice,
-    label: flag.cliFlag,
-  }));
+  const flags = [
+    ...CORE_ONBOARD_AUTH_FLAGS,
+    ...resolveManifestProviderOnboardAuthFlags(),
+  ] as ReadonlyArray<{
+    optionKey: string;
+    authChoice: string;
+    cliFlag: string;
+  }>;
+  const matches: AuthChoiceFlag[] = flags
+    .filter(({ optionKey }) => hasStringValue(opts[optionKey as keyof OnboardOptions]))
+    .map((flag) => ({
+      optionKey: flag.optionKey,
+      authChoice: flag.authChoice as AuthChoice,
+      label: flag.cliFlag,
+    }));
 
   if (
     hasStringValue(opts.customBaseUrl) ||
diff --git a/src/commands/onboard-provider-auth-flags.ts b/src/commands/onboard-provider-auth-flags.ts
deleted file mode 100644
index 53df8cdc4c8..00000000000
--- a/src/commands/onboard-provider-auth-flags.ts
+++ /dev/null
@@ -1,225 +0,0 @@
-import type { AuthChoice, OnboardOptions } from "./onboard-types.js";
-
-type OnboardProviderAuthOptionKey = keyof Pick<
-  OnboardOptions,
-  | "anthropicApiKey"
-  | "openaiApiKey"
-  | "mistralApiKey"
-  | "openrouterApiKey"
-  | "kilocodeApiKey"
-  | "aiGatewayApiKey"
-  | "cloudflareAiGatewayApiKey"
-  | "moonshotApiKey"
-  | "kimiCodeApiKey"
-  | "geminiApiKey"
-  | "zaiApiKey"
-  | "xiaomiApiKey"
-  | "minimaxApiKey"
-  | "syntheticApiKey"
-  | "veniceApiKey"
-  | "togetherApiKey"
-  | "huggingfaceApiKey"
-  | "opencodeZenApiKey"
-  | "opencodeGoApiKey"
-  | "xaiApiKey"
-  | "litellmApiKey"
-  | "qianfanApiKey"
-  | "modelstudioApiKeyCn"
-  | "modelstudioApiKey"
-  | "volcengineApiKey"
-  | "byteplusApiKey"
->;
-
-export type OnboardProviderAuthFlag = {
-  optionKey: OnboardProviderAuthOptionKey;
-  authChoice: AuthChoice;
-  cliFlag: `--${string}`;
-  cliOption: `--${string} <key>`;
-  description: string;
-};
-
-// Shared source for provider API-key flags used by CLI registration + non-interactive inference.
-export const ONBOARD_PROVIDER_AUTH_FLAGS: ReadonlyArray<OnboardProviderAuthFlag> = [
-  {
-    optionKey: "anthropicApiKey",
-    authChoice: "apiKey",
-    cliFlag: "--anthropic-api-key",
-    cliOption: "--anthropic-api-key <key>",
-    description: "Anthropic API key",
-  },
-  {
-    optionKey: "openaiApiKey",
-    authChoice: "openai-api-key",
-    cliFlag: "--openai-api-key",
-    cliOption: "--openai-api-key <key>",
-    description: "OpenAI API key",
-  },
-  {
-    optionKey: "mistralApiKey",
-    authChoice: "mistral-api-key",
-    cliFlag: "--mistral-api-key",
-    cliOption: "--mistral-api-key <key>",
-    description: "Mistral API key",
-  },
-  {
-    optionKey: "openrouterApiKey",
-    authChoice: "openrouter-api-key",
-    cliFlag: "--openrouter-api-key",
-    cliOption: "--openrouter-api-key <key>",
-    description: "OpenRouter API key",
-  },
-  {
-    optionKey: "kilocodeApiKey",
-    authChoice: "kilocode-api-key",
-    cliFlag: "--kilocode-api-key",
-    cliOption: "--kilocode-api-key <key>",
-    description: "Kilo Gateway API key",
-  },
-  {
-    optionKey: "aiGatewayApiKey",
-    authChoice: "ai-gateway-api-key",
-    cliFlag: "--ai-gateway-api-key",
-    cliOption: "--ai-gateway-api-key <key>",
-    description: "Vercel AI Gateway API key",
-  },
-  {
-    optionKey: "cloudflareAiGatewayApiKey",
-    authChoice: "cloudflare-ai-gateway-api-key",
-    cliFlag: "--cloudflare-ai-gateway-api-key",
-    cliOption: "--cloudflare-ai-gateway-api-key <key>",
-    description: "Cloudflare AI Gateway API key",
-  },
-  {
-    optionKey: "moonshotApiKey",
-    authChoice: "moonshot-api-key",
-    cliFlag: "--moonshot-api-key",
-    cliOption: "--moonshot-api-key <key>",
-    description: "Moonshot API key",
-  },
-  {
-    optionKey: "kimiCodeApiKey",
-    authChoice: "kimi-code-api-key",
-    cliFlag: "--kimi-code-api-key",
-    cliOption: "--kimi-code-api-key <key>",
-    description: "Kimi Coding API key",
-  },
-  {
-    optionKey: "geminiApiKey",
-    authChoice: "gemini-api-key",
-    cliFlag: "--gemini-api-key",
-    cliOption: "--gemini-api-key <key>",
-    description: "Gemini API key",
-  },
-  {
-    optionKey: "zaiApiKey",
-    authChoice: "zai-api-key",
-    cliFlag: "--zai-api-key",
-    cliOption: "--zai-api-key <key>",
-    description: "Z.AI API key",
-  },
-  {
-    optionKey: "xiaomiApiKey",
-    authChoice: "xiaomi-api-key",
-    cliFlag: "--xiaomi-api-key",
-    cliOption: "--xiaomi-api-key <key>",
-    description: "Xiaomi API key",
-  },
-  {
-    optionKey: "minimaxApiKey",
-    authChoice: "minimax-global-api",
-    cliFlag: "--minimax-api-key",
-    cliOption: "--minimax-api-key <key>",
-    description: "MiniMax API key",
-  },
-  {
-    optionKey: "syntheticApiKey",
-    authChoice: "synthetic-api-key",
-    cliFlag: "--synthetic-api-key",
-    cliOption: "--synthetic-api-key <key>",
-    description: "Synthetic API key",
-  },
-  {
-    optionKey: "veniceApiKey",
-    authChoice: "venice-api-key",
-    cliFlag: "--venice-api-key",
-    cliOption: "--venice-api-key <key>",
-    description: "Venice API key",
-  },
-  {
-    optionKey: "togetherApiKey",
-    authChoice: "together-api-key",
-    cliFlag: "--together-api-key",
-    cliOption: "--together-api-key <key>",
-    description: "Together AI API key",
-  },
-  {
-    optionKey: "huggingfaceApiKey",
-    authChoice: "huggingface-api-key",
-    cliFlag: "--huggingface-api-key",
-    cliOption: "--huggingface-api-key <key>",
-    description: "Hugging Face API key (HF token)",
-  },
-  {
-    optionKey: "opencodeZenApiKey",
-    authChoice: "opencode-zen",
-    cliFlag: "--opencode-zen-api-key",
-    cliOption: "--opencode-zen-api-key <key>",
-    description: "OpenCode API key (Zen catalog)",
-  },
-  {
-    optionKey: "opencodeGoApiKey",
-    authChoice: "opencode-go",
-    cliFlag: "--opencode-go-api-key",
-    cliOption: "--opencode-go-api-key <key>",
-    description: "OpenCode API key (Go catalog)",
-  },
-  {
-    optionKey: "xaiApiKey",
-    authChoice: "xai-api-key",
-    cliFlag: "--xai-api-key",
-    cliOption: "--xai-api-key <key>",
-    description: "xAI API key",
-  },
-  {
-    optionKey: "litellmApiKey",
-    authChoice: "litellm-api-key",
-    cliFlag: "--litellm-api-key",
-    cliOption: "--litellm-api-key <key>",
-    description: "LiteLLM API key",
-  },
-  {
-    optionKey: "qianfanApiKey",
-    authChoice: "qianfan-api-key",
-    cliFlag: "--qianfan-api-key",
-    cliOption: "--qianfan-api-key <key>",
-    description: "QIANFAN API key",
-  },
-  {
-    optionKey: "modelstudioApiKeyCn",
-    authChoice: "modelstudio-api-key-cn",
-    cliFlag: "--modelstudio-api-key-cn",
-    cliOption: "--modelstudio-api-key-cn <key>",
-    description: "Alibaba Cloud Model Studio Coding Plan API key (China)",
-  },
-  {
-    optionKey: "modelstudioApiKey",
-    authChoice: "modelstudio-api-key",
-    cliFlag: "--modelstudio-api-key",
-    cliOption: "--modelstudio-api-key <key>",
-    description: "Alibaba Cloud Model Studio Coding Plan API key (Global/Intl)",
-  },
-  {
-    optionKey: "volcengineApiKey",
-    authChoice: "volcengine-api-key",
-    cliFlag: "--volcengine-api-key",
-    cliOption: "--volcengine-api-key <key>",
-    description: "Volcano Engine API key",
-  },
-  {
-    optionKey: "byteplusApiKey",
-    authChoice: "byteplus-api-key",
-    cliFlag: "--byteplus-api-key",
-    cliOption: "--byteplus-api-key <key>",
-    description: "BytePlus API key",
-  },
-];
diff --git a/src/plugin-sdk/core.ts b/src/plugin-sdk/core.ts
index 0ddedea92f8..1dd8ada1f6e 100644
--- a/src/plugin-sdk/core.ts
+++ b/src/plugin-sdk/core.ts
@@ -28,6 +28,7 @@ export type {
   ProviderAuthContext,
   ProviderAuthDoctorHintContext,
   ProviderAuthMethodNonInteractiveContext,
+  ProviderAuthMethod,
   ProviderAuthResult,
 } from "../plugins/types.js";
 export type {
diff --git a/src/plugins/manifest-registry.test.ts b/src/plugins/manifest-registry.test.ts
index 5156ea8a4a3..29edb0da176 100644
--- a/src/plugins/manifest-registry.test.ts
+++ b/src/plugins/manifest-registry.test.ts
@@ -207,6 +207,14 @@ describe("loadPluginManifestRegistry", () => {
       providerAuthEnvVars: {
         openai: ["OPENAI_API_KEY"],
       },
+      providerAuthChoices: [
+        {
+          provider: "openai",
+          method: "api-key",
+          choiceId: "openai-api-key",
+          choiceLabel: "OpenAI API key",
+        },
+      ],
       configSchema: { type: "object" },
     });
 
@@ -219,6 +227,14 @@ describe("loadPluginManifestRegistry", () => {
     expect(registry.plugins[0]?.providerAuthEnvVars).toEqual({
       openai: ["OPENAI_API_KEY"],
     });
+    expect(registry.plugins[0]?.providerAuthChoices).toEqual([
+      {
+        provider: "openai",
+        method: "api-key",
+        choiceId: "openai-api-key",
+        choiceLabel: "OpenAI API key",
+      },
+    ]);
   });
 
   it("reports bundled plugins as the duplicate winner for auto-discovered globals", () => {
diff --git a/src/plugins/manifest-registry.ts b/src/plugins/manifest-registry.ts
index 3a96d3036d5..f9f77f8f041 100644
--- a/src/plugins/manifest-registry.ts
+++ b/src/plugins/manifest-registry.ts
@@ -42,6 +42,7 @@ export type PluginManifestRecord = {
   channels: string[];
   providers: string[];
   providerAuthEnvVars?: Record<string, string[]>;
+  providerAuthChoices?: PluginManifest["providerAuthChoices"];
   skills: string[];
   settingsFiles?: string[];
   hooks: string[];
@@ -154,6 +155,7 @@ function buildRecord(params: {
     channels: params.manifest.channels ?? [],
     providers: params.manifest.providers ?? [],
     providerAuthEnvVars: params.manifest.providerAuthEnvVars,
+    providerAuthChoices: params.manifest.providerAuthChoices,
     skills: params.manifest.skills ?? [],
     settingsFiles: [],
     hooks: [],
diff --git a/src/plugins/manifest.ts b/src/plugins/manifest.ts
index c106996b7f4..d330b982ce1 100644
--- a/src/plugins/manifest.ts
+++ b/src/plugins/manifest.ts
@@ -14,7 +14,13 @@ export type PluginManifest = {
   kind?: PluginKind;
   channels?: string[];
   providers?: string[];
+  /** Cheap provider-auth env lookup without booting plugin runtime. */
   providerAuthEnvVars?: Record<string, string[]>;
+  /**
+   * Cheap onboarding/auth-choice metadata used by config validation, CLI help,
+   * and non-runtime auth-choice routing before provider runtime loads.
+   */
+  providerAuthChoices?: PluginManifestProviderAuthChoice[];
   skills?: string[];
   name?: string;
   description?: string;
@@ -22,6 +28,27 @@ export type PluginManifest = {
   uiHints?: Record<string, PluginConfigUiHint>;
 };
 
+export type PluginManifestProviderAuthChoice = {
+  /** Provider id owned by this manifest entry. */
+  provider: string;
+  /** Provider auth method id that this choice should dispatch to. */
+  method: string;
+  /** Stable auth-choice id used by onboarding and other CLI auth flows. */
+  choiceId: string;
+  /** Optional user-facing choice label/hint for grouped onboarding UI. */
+  choiceLabel?: string;
+  choiceHint?: string;
+  /** Optional grouping metadata for auth-choice pickers. */
+  groupId?: string;
+  groupLabel?: string;
+  groupHint?: string;
+  /** Optional CLI flag metadata for one-flag auth flows such as API keys. */
+  optionKey?: string;
+  cliFlag?: string;
+  cliOption?: string;
+  cliDescription?: string;
+};
+
 export type PluginManifestLoadResult =
   | { ok: true; manifest: PluginManifest; manifestPath: string }
   | { ok: false; error: string; manifestPath: string };
@@ -52,6 +79,51 @@ function normalizeStringListRecord(value: unknown): Record<string, string[]> | u
   return Object.keys(normalized).length > 0 ? normalized : undefined;
 }
 
+function normalizeProviderAuthChoices(
+  value: unknown,
+): PluginManifestProviderAuthChoice[] | undefined {
+  if (!Array.isArray(value)) {
+    return undefined;
+  }
+  const normalized: PluginManifestProviderAuthChoice[] = [];
+  for (const entry of value) {
+    if (!isRecord(entry)) {
+      continue;
+    }
+    const provider = typeof entry.provider === "string" ? entry.provider.trim() : "";
+    const method = typeof entry.method === "string" ? entry.method.trim() : "";
+    const choiceId = typeof entry.choiceId === "string" ? entry.choiceId.trim() : "";
+    if (!provider || !method || !choiceId) {
+      continue;
+    }
+    const choiceLabel = typeof entry.choiceLabel === "string" ? entry.choiceLabel.trim() : "";
+    const choiceHint = typeof entry.choiceHint === "string" ? entry.choiceHint.trim() : "";
+    const groupId = typeof entry.groupId === "string" ? entry.groupId.trim() : "";
+    const groupLabel = typeof entry.groupLabel === "string" ? entry.groupLabel.trim() : "";
+    const groupHint = typeof entry.groupHint === "string" ? entry.groupHint.trim() : "";
+    const optionKey = typeof entry.optionKey === "string" ? entry.optionKey.trim() : "";
+    const cliFlag = typeof entry.cliFlag === "string" ? entry.cliFlag.trim() : "";
+    const cliOption = typeof entry.cliOption === "string" ? entry.cliOption.trim() : "";
+    const cliDescription =
+      typeof entry.cliDescription === "string" ? entry.cliDescription.trim() : "";
+    normalized.push({
+      provider,
+      method,
+      choiceId,
+      ...(choiceLabel ? { choiceLabel } : {}),
+      ...(choiceHint ? { choiceHint } : {}),
+      ...(groupId ? { groupId } : {}),
+      ...(groupLabel ? { groupLabel } : {}),
+      ...(groupHint ? { groupHint } : {}),
+      ...(optionKey ? { optionKey } : {}),
+      ...(cliFlag ? { cliFlag } : {}),
+      ...(cliOption ? { cliOption } : {}),
+      ...(cliDescription ? { cliDescription } : {}),
+    });
+  }
+  return normalized.length > 0 ? normalized : undefined;
+}
+
 export function resolvePluginManifestPath(rootDir: string): string {
   for (const filename of PLUGIN_MANIFEST_FILENAMES) {
     const candidate = path.join(rootDir, filename);
@@ -114,6 +186,7 @@ export function loadPluginManifest(
   const channels = normalizeStringList(raw.channels);
   const providers = normalizeStringList(raw.providers);
   const providerAuthEnvVars = normalizeStringListRecord(raw.providerAuthEnvVars);
+  const providerAuthChoices = normalizeProviderAuthChoices(raw.providerAuthChoices);
   const skills = normalizeStringList(raw.skills);
 
   let uiHints: Record<string, PluginConfigUiHint> | undefined;
@@ -130,6 +203,7 @@ export function loadPluginManifest(
       channels,
       providers,
       providerAuthEnvVars,
+      providerAuthChoices,
       skills,
       name,
       description,
diff --git a/src/plugins/provider-api-key-auth.ts b/src/plugins/provider-api-key-auth.ts
index 0ef8b356ea0..df8e172fcfb 100644
--- a/src/plugins/provider-api-key-auth.ts
+++ b/src/plugins/provider-api-key-auth.ts
@@ -66,6 +66,7 @@ export function createProviderApiKeyAuthMethod(
       const opts = ctx.opts as Record<string, unknown> | undefined;
       const flagValue = resolveStringOption(opts, params.optionKey);
       let capturedSecretInput: SecretInput | undefined;
+      let capturedCredential = false;
       let capturedMode: "plaintext" | "ref" | undefined;
 
       await ensureApiKeyFromOptionEnvOrPrompt({
@@ -89,13 +90,15 @@ export function createProviderApiKeyAuthMethod(
         noteTitle: params.noteTitle,
         setCredential: async (apiKey, mode) => {
           capturedSecretInput = apiKey;
+          capturedCredential = true;
           capturedMode = mode;
         },
       });
 
-      if (!capturedSecretInput) {
+      if (!capturedCredential) {
         throw new Error(`Missing API key input for provider "${params.providerId}".`);
       }
+      const credentialInput = capturedSecretInput ?? "";
 
       return {
         profiles: [
@@ -103,7 +106,7 @@ export function createProviderApiKeyAuthMethod(
             profileId: resolveProfileId(params),
             credential: buildApiKeyCredential(
               params.providerId,
-              capturedSecretInput,
+              credentialInput,
               params.metadata,
               capturedMode ? { secretInputMode: capturedMode } : undefined,
             ),
diff --git a/src/plugins/provider-auth-choices.test.ts b/src/plugins/provider-auth-choices.test.ts
new file mode 100644
index 00000000000..0b9c9ccb5d2
--- /dev/null
+++ b/src/plugins/provider-auth-choices.test.ts
@@ -0,0 +1,92 @@
+import { describe, expect, it, vi } from "vitest";
+
+const loadPluginManifestRegistry = vi.hoisted(() => vi.fn());
+
+vi.mock("./manifest-registry.js", () => ({
+  loadPluginManifestRegistry,
+}));
+
+import {
+  resolveManifestProviderAuthChoice,
+  resolveManifestProviderAuthChoices,
+  resolveManifestProviderOnboardAuthFlags,
+} from "./provider-auth-choices.js";
+
+describe("provider auth choice manifest helpers", () => {
+  it("flattens manifest auth choices", () => {
+    loadPluginManifestRegistry.mockReturnValue({
+      plugins: [
+        {
+          id: "openai",
+          providerAuthChoices: [
+            {
+              provider: "openai",
+              method: "api-key",
+              choiceId: "openai-api-key",
+              choiceLabel: "OpenAI API key",
+              optionKey: "openaiApiKey",
+              cliFlag: "--openai-api-key",
+              cliOption: "--openai-api-key <key>",
+            },
+          ],
+        },
+      ],
+    });
+
+    expect(resolveManifestProviderAuthChoices()).toEqual([
+      {
+        pluginId: "openai",
+        providerId: "openai",
+        methodId: "api-key",
+        choiceId: "openai-api-key",
+        choiceLabel: "OpenAI API key",
+        optionKey: "openaiApiKey",
+        cliFlag: "--openai-api-key",
+        cliOption: "--openai-api-key <key>",
+      },
+    ]);
+    expect(resolveManifestProviderAuthChoice("openai-api-key")?.providerId).toBe("openai");
+  });
+
+  it("deduplicates flag metadata by option key + flag", () => {
+    loadPluginManifestRegistry.mockReturnValue({
+      plugins: [
+        {
+          id: "moonshot",
+          providerAuthChoices: [
+            {
+              provider: "moonshot",
+              method: "api-key",
+              choiceId: "moonshot-api-key",
+              choiceLabel: "Kimi API key (.ai)",
+              optionKey: "moonshotApiKey",
+              cliFlag: "--moonshot-api-key",
+              cliOption: "--moonshot-api-key <key>",
+              cliDescription: "Moonshot API key",
+            },
+            {
+              provider: "moonshot",
+              method: "api-key-cn",
+              choiceId: "moonshot-api-key-cn",
+              choiceLabel: "Kimi API key (.cn)",
+              optionKey: "moonshotApiKey",
+              cliFlag: "--moonshot-api-key",
+              cliOption: "--moonshot-api-key <key>",
+              cliDescription: "Moonshot API key",
+            },
+          ],
+        },
+      ],
+    });
+
+    expect(resolveManifestProviderOnboardAuthFlags()).toEqual([
+      {
+        optionKey: "moonshotApiKey",
+        authChoice: "moonshot-api-key",
+        cliFlag: "--moonshot-api-key",
+        cliOption: "--moonshot-api-key <key>",
+        description: "Moonshot API key",
+      },
+    ]);
+  });
+});
diff --git a/src/plugins/provider-auth-choices.ts b/src/plugins/provider-auth-choices.ts
new file mode 100644
index 00000000000..1d583c618f4
--- /dev/null
+++ b/src/plugins/provider-auth-choices.ts
@@ -0,0 +1,102 @@
+import type { OpenClawConfig } from "../config/config.js";
+import { loadPluginManifestRegistry } from "./manifest-registry.js";
+
+export type ProviderAuthChoiceMetadata = {
+  pluginId: string;
+  providerId: string;
+  methodId: string;
+  choiceId: string;
+  choiceLabel: string;
+  choiceHint?: string;
+  groupId?: string;
+  groupLabel?: string;
+  groupHint?: string;
+  optionKey?: string;
+  cliFlag?: string;
+  cliOption?: string;
+  cliDescription?: string;
+};
+
+export type ProviderOnboardAuthFlag = {
+  optionKey: string;
+  authChoice: string;
+  cliFlag: string;
+  cliOption: string;
+  description: string;
+};
+
+export function resolveManifestProviderAuthChoices(params?: {
+  config?: OpenClawConfig;
+  workspaceDir?: string;
+  env?: NodeJS.ProcessEnv;
+}): ProviderAuthChoiceMetadata[] {
+  const registry = loadPluginManifestRegistry({
+    config: params?.config,
+    workspaceDir: params?.workspaceDir,
+    env: params?.env,
+  });
+
+  return registry.plugins.flatMap((plugin) =>
+    (plugin.providerAuthChoices ?? []).map((choice) => ({
+      pluginId: plugin.id,
+      providerId: choice.provider,
+      methodId: choice.method,
+      choiceId: choice.choiceId,
+      choiceLabel: choice.choiceLabel ?? choice.choiceId,
+      ...(choice.choiceHint ? { choiceHint: choice.choiceHint } : {}),
+      ...(choice.groupId ? { groupId: choice.groupId } : {}),
+      ...(choice.groupLabel ? { groupLabel: choice.groupLabel } : {}),
+      ...(choice.groupHint ? { groupHint: choice.groupHint } : {}),
+      ...(choice.optionKey ? { optionKey: choice.optionKey } : {}),
+      ...(choice.cliFlag ? { cliFlag: choice.cliFlag } : {}),
+      ...(choice.cliOption ? { cliOption: choice.cliOption } : {}),
+      ...(choice.cliDescription ? { cliDescription: choice.cliDescription } : {}),
+    })),
+  );
+}
+
+export function resolveManifestProviderAuthChoice(
+  choiceId: string,
+  params?: {
+    config?: OpenClawConfig;
+    workspaceDir?: string;
+    env?: NodeJS.ProcessEnv;
+  },
+): ProviderAuthChoiceMetadata | undefined {
+  const normalized = choiceId.trim();
+  if (!normalized) {
+    return undefined;
+  }
+  return resolveManifestProviderAuthChoices(params).find(
+    (choice) => choice.choiceId === normalized,
+  );
+}
+
+export function resolveManifestProviderOnboardAuthFlags(params?: {
+  config?: OpenClawConfig;
+  workspaceDir?: string;
+  env?: NodeJS.ProcessEnv;
+}): ProviderOnboardAuthFlag[] {
+  const flags: ProviderOnboardAuthFlag[] = [];
+  const seen = new Set<string>();
+
+  for (const choice of resolveManifestProviderAuthChoices(params)) {
+    if (!choice.optionKey || !choice.cliFlag || !choice.cliOption) {
+      continue;
+    }
+    const dedupeKey = `${choice.optionKey}::${choice.cliFlag}`;
+    if (seen.has(dedupeKey)) {
+      continue;
+    }
+    seen.add(dedupeKey);
+    flags.push({
+      optionKey: choice.optionKey,
+      authChoice: choice.choiceId,
+      cliFlag: choice.cliFlag,
+      cliOption: choice.cliOption,
+      description: choice.cliDescription ?? choice.choiceLabel,
+    });
+  }
+
+  return flags;
+}
diff --git a/src/secrets/provider-env-vars.ts b/src/secrets/provider-env-vars.ts
index af012bb6c5d..269b37d836a 100644
--- a/src/secrets/provider-env-vars.ts
+++ b/src/secrets/provider-env-vars.ts
@@ -9,6 +9,12 @@ const CORE_PROVIDER_AUTH_ENV_VAR_CANDIDATES = {
   litellm: ["LITELLM_API_KEY"],
 } as const;
 
+const CORE_PROVIDER_SETUP_ENV_VAR_OVERRIDES = {
+  anthropic: ["ANTHROPIC_API_KEY", "ANTHROPIC_OAUTH_TOKEN"],
+  chutes: ["CHUTES_API_KEY", "CHUTES_OAUTH_TOKEN"],
+  "minimax-cn": ["MINIMAX_API_KEY"],
+} as const;
+
 /**
  * Provider auth env candidates used by generic auth resolution.
  *
@@ -24,15 +30,15 @@ export const PROVIDER_AUTH_ENV_VAR_CANDIDATES: Record<string, readonly string[]>
 /**
  * Provider env vars used for setup/default secret refs and broad secret
  * scrubbing. This can include non-model providers and may intentionally choose
- * a different preferred first env var than auth resolution. Keep the
- * anthropic override in core so generic onboarding still prefers API keys over
- * OAuth tokens when both are present.
+ * a different preferred first env var than auth resolution.
+ *
+ * Bundled provider auth envs come from plugin manifests. The override map here
+ * is only for true core/non-plugin providers and a few setup-specific ordering
+ * overrides where generic onboarding wants a different preferred env var.
  */
 export const PROVIDER_ENV_VARS: Record<string, readonly string[]> = {
   ...PROVIDER_AUTH_ENV_VAR_CANDIDATES,
-  anthropic: ["ANTHROPIC_API_KEY", "ANTHROPIC_OAUTH_TOKEN"],
-  chutes: ["CHUTES_API_KEY", "CHUTES_OAUTH_TOKEN"],
-  "minimax-cn": ["MINIMAX_API_KEY"],
+  ...CORE_PROVIDER_SETUP_ENV_VAR_OVERRIDES,
 };
 
 const EXTRA_PROVIDER_AUTH_ENV_VARS = ["MINIMAX_CODE_PLAN_KEY"] as const;

From 2054cb9431b6eed97e91b8b03e2ba3f2fd6b71e5 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Sun, 15 Mar 2026 23:47:22 -0700
Subject: [PATCH 060/133] refactor: move remaining channel seams into plugins

---
 extensions/discord/src/channel.ts             |  24 +-
 extensions/imessage/src/channel.ts            |  13 +-
 extensions/signal/src/channel.ts              |  14 +-
 extensions/slack/src/channel.ts               |  24 +-
 extensions/telegram/src/channel.ts            |  14 +-
 extensions/whatsapp/src/channel.ts            |  13 +-
 src/agents/channel-tools.ts                   |   4 +-
 src/agents/pi-tools.policy.ts                 |  10 +-
 src/auto-reply/command-auth.ts                |  63 +++--
 src/auto-reply/commands-registry.data.ts      |  26 +-
 src/auto-reply/reply/agent-runner-utils.ts    |  10 +-
 src/auto-reply/reply/block-streaming.ts       |   7 +-
 src/auto-reply/reply/commands-allowlist.ts    | 222 ++-------------
 .../reply/get-reply-inline-actions.ts         |   4 +-
 src/auto-reply/reply/groups.ts                |   7 +-
 src/auto-reply/reply/mentions.ts              |   5 +-
 src/auto-reply/reply/reply-elevated.ts        |  19 +-
 src/auto-reply/reply/reply-threading.ts       |   9 +-
 src/auto-reply/reply/route-reply.test.ts      |  14 +-
 src/channels/plugins/outbound/discord.ts      |   2 -
 .../plugins/outbound/imessage.test.ts         |   2 +-
 src/channels/plugins/outbound/imessage.ts     |  35 ---
 src/channels/plugins/outbound/signal.test.ts  |   2 +-
 src/channels/plugins/outbound/signal.ts       | 125 ---------
 .../outbound/slack.sendpayload.test.ts        |   2 +-
 src/channels/plugins/outbound/slack.test.ts   |   2 +-
 src/channels/plugins/outbound/slack.ts        | 255 ------------------
 src/channels/plugins/outbound/telegram.ts     |   1 -
 src/channels/plugins/outbound/whatsapp.ts     |   2 -
 src/channels/plugins/plugins-channel.test.ts  |   3 +-
 src/channels/plugins/types.adapters.ts        |  40 ++-
 src/config/sessions/metadata.ts               |   5 +-
 ...gent.direct-delivery-core-channels.test.ts |  14 +-
 src/cron/isolated-agent.test-setup.ts         |   3 +-
 src/infra/exec-approval-forwarder.test.ts     |  12 +-
 ...tbeat-runner.returns-default-unset.test.ts |   2 +-
 src/infra/outbound/deliver.test-helpers.ts    |   8 +-
 src/infra/outbound/deliver.test.ts            |   8 +-
 src/infra/outbound/targets.test.ts            |   3 +-
 src/plugin-sdk/index.ts                       |   1 +
 src/plugin-sdk/telegram.ts                    |   2 +-
 src/test-utils/imessage-test-plugin.ts        |   2 +-
 42 files changed, 246 insertions(+), 787 deletions(-)
 delete mode 100644 src/channels/plugins/outbound/discord.ts
 delete mode 100644 src/channels/plugins/outbound/imessage.ts
 delete mode 100644 src/channels/plugins/outbound/signal.ts
 delete mode 100644 src/channels/plugins/outbound/slack.ts
 delete mode 100644 src/channels/plugins/outbound/telegram.ts
 delete mode 100644 src/channels/plugins/outbound/whatsapp.ts

diff --git a/extensions/discord/src/channel.ts b/extensions/discord/src/channel.ts
index a16574bfb70..3c0da68a06a 100644
--- a/extensions/discord/src/channel.ts
+++ b/extensions/discord/src/channel.ts
@@ -1,6 +1,7 @@
 import { Separator, TextDisplay } from "@buape/carbon";
 import { createScopedChannelConfigBase } from "openclaw/plugin-sdk/compat";
 import {
+  buildAccountScopedAllowlistConfigEditor,
   buildAccountScopedDmSecurityPolicy,
   collectOpenProviderGroupPolicyWarnings,
   collectOpenGroupPolicyConfiguredRouteWarnings,
@@ -262,16 +263,19 @@ export const discordPlugin: ChannelPlugin<ResolvedDiscordAccount> = {
       readDiscordAllowlistConfig(resolveDiscordAccount({ cfg, accountId })),
     resolveNames: async ({ cfg, accountId, entries }) =>
       await resolveDiscordAllowlistNames({ cfg, accountId, entries }),
-    resolveConfigEdit: ({ scope, pathPrefix, writeTarget }) =>
-      scope === "dm"
-        ? {
-            pathPrefix,
-            writeTarget,
-            readPaths: [["allowFrom"], ["dm", "allowFrom"]],
-            writePath: ["allowFrom"],
-            cleanupPaths: [["dm", "allowFrom"]],
-          }
-        : null,
+    applyConfigEdit: buildAccountScopedAllowlistConfigEditor({
+      channelId: "discord",
+      normalize: ({ cfg, accountId, values }) =>
+        discordConfigAccessors.formatAllowFrom!({ cfg, accountId, allowFrom: values }),
+      resolvePaths: (scope) =>
+        scope === "dm"
+          ? {
+              readPaths: [["allowFrom"], ["dm", "allowFrom"]],
+              writePath: ["allowFrom"],
+              cleanupPaths: [["dm", "allowFrom"]],
+            }
+          : null,
+    }),
   },
   security: {
     resolveDmPolicy: ({ cfg, accountId, account }) => {
diff --git a/extensions/imessage/src/channel.ts b/extensions/imessage/src/channel.ts
index aec66694ef8..295f16970ad 100644
--- a/extensions/imessage/src/channel.ts
+++ b/extensions/imessage/src/channel.ts
@@ -1,4 +1,5 @@
 import {
+  buildAccountScopedAllowlistConfigEditor,
   buildAccountScopedDmSecurityPolicy,
   collectAllowlistProviderRestrictSendersWarnings,
 } from "openclaw/plugin-sdk/compat";
@@ -135,11 +136,13 @@ export const imessagePlugin: ChannelPlugin<ResolvedIMessageAccount> = {
         groupPolicy: account.config.groupPolicy,
       };
     },
-    resolveConfigEdit: ({ scope, pathPrefix, writeTarget }) => ({
-      pathPrefix,
-      writeTarget,
-      readPaths: [[scope === "dm" ? "allowFrom" : "groupAllowFrom"]],
-      writePath: [scope === "dm" ? "allowFrom" : "groupAllowFrom"],
+    applyConfigEdit: buildAccountScopedAllowlistConfigEditor({
+      channelId: "imessage",
+      normalize: ({ values }) => formatTrimmedAllowFromEntries(values),
+      resolvePaths: (scope) => ({
+        readPaths: [[scope === "dm" ? "allowFrom" : "groupAllowFrom"]],
+        writePath: [scope === "dm" ? "allowFrom" : "groupAllowFrom"],
+      }),
     }),
   },
   security: {
diff --git a/extensions/signal/src/channel.ts b/extensions/signal/src/channel.ts
index 80291872143..7567d68d4fa 100644
--- a/extensions/signal/src/channel.ts
+++ b/extensions/signal/src/channel.ts
@@ -1,4 +1,5 @@
 import {
+  buildAccountScopedAllowlistConfigEditor,
   buildAccountScopedDmSecurityPolicy,
   createScopedAccountConfigAccessors,
   collectAllowlistProviderRestrictSendersWarnings,
@@ -283,11 +284,14 @@ export const signalPlugin: ChannelPlugin<ResolvedSignalAccount> = {
         groupPolicy: account.config.groupPolicy,
       };
     },
-    resolveConfigEdit: ({ scope, pathPrefix, writeTarget }) => ({
-      pathPrefix,
-      writeTarget,
-      readPaths: [[scope === "dm" ? "allowFrom" : "groupAllowFrom"]],
-      writePath: [scope === "dm" ? "allowFrom" : "groupAllowFrom"],
+    applyConfigEdit: buildAccountScopedAllowlistConfigEditor({
+      channelId: "signal",
+      normalize: ({ cfg, accountId, values }) =>
+        signalConfigAccessors.formatAllowFrom!({ cfg, accountId, allowFrom: values }),
+      resolvePaths: (scope) => ({
+        readPaths: [[scope === "dm" ? "allowFrom" : "groupAllowFrom"]],
+        writePath: [scope === "dm" ? "allowFrom" : "groupAllowFrom"],
+      }),
     }),
   },
   security: {
diff --git a/extensions/slack/src/channel.ts b/extensions/slack/src/channel.ts
index 2a8849b1671..33322732236 100644
--- a/extensions/slack/src/channel.ts
+++ b/extensions/slack/src/channel.ts
@@ -1,5 +1,6 @@
 import { createScopedChannelConfigBase } from "openclaw/plugin-sdk/compat";
 import {
+  buildAccountScopedAllowlistConfigEditor,
   buildAccountScopedDmSecurityPolicy,
   collectOpenProviderGroupPolicyWarnings,
   collectOpenGroupPolicyConfiguredRouteWarnings,
@@ -279,16 +280,19 @@ export const slackPlugin: ChannelPlugin<ResolvedSlackAccount> = {
       readSlackAllowlistConfig(resolveSlackAccount({ cfg, accountId })),
     resolveNames: async ({ cfg, accountId, entries }) =>
       await resolveSlackAllowlistNames({ cfg, accountId, entries }),
-    resolveConfigEdit: ({ scope, pathPrefix, writeTarget }) =>
-      scope === "dm"
-        ? {
-            pathPrefix,
-            writeTarget,
-            readPaths: [["allowFrom"], ["dm", "allowFrom"]],
-            writePath: ["allowFrom"],
-            cleanupPaths: [["dm", "allowFrom"]],
-          }
-        : null,
+    applyConfigEdit: buildAccountScopedAllowlistConfigEditor({
+      channelId: "slack",
+      normalize: ({ cfg, accountId, values }) =>
+        slackConfigAccessors.formatAllowFrom!({ cfg, accountId, allowFrom: values }),
+      resolvePaths: (scope) =>
+        scope === "dm"
+          ? {
+              readPaths: [["allowFrom"], ["dm", "allowFrom"]],
+              writePath: ["allowFrom"],
+              cleanupPaths: [["dm", "allowFrom"]],
+            }
+          : null,
+    }),
   },
   security: {
     resolveDmPolicy: ({ cfg, accountId, account }) => {
diff --git a/extensions/telegram/src/channel.ts b/extensions/telegram/src/channel.ts
index be09a186baf..dda83e3f521 100644
--- a/extensions/telegram/src/channel.ts
+++ b/extensions/telegram/src/channel.ts
@@ -1,5 +1,6 @@
 import { createScopedChannelConfigBase } from "openclaw/plugin-sdk/compat";
 import {
+  buildAccountScopedAllowlistConfigEditor,
   collectAllowlistProviderGroupPolicyWarnings,
   collectOpenGroupPolicyRouteAllowlistWarnings,
   createScopedAccountConfigAccessors,
@@ -358,11 +359,14 @@ export const telegramPlugin: ChannelPlugin<ResolvedTelegramAccount, TelegramProb
     supportsScope: ({ scope }) => scope === "dm" || scope === "group" || scope === "all",
     readConfig: ({ cfg, accountId }) =>
       readTelegramAllowlistConfig(resolveTelegramAccount({ cfg, accountId })),
-    resolveConfigEdit: ({ scope, pathPrefix, writeTarget }) => ({
-      pathPrefix,
-      writeTarget,
-      readPaths: [[scope === "dm" ? "allowFrom" : "groupAllowFrom"]],
-      writePath: [scope === "dm" ? "allowFrom" : "groupAllowFrom"],
+    applyConfigEdit: buildAccountScopedAllowlistConfigEditor({
+      channelId: "telegram",
+      normalize: ({ cfg, accountId, values }) =>
+        telegramConfigAccessors.formatAllowFrom!({ cfg, accountId, allowFrom: values }),
+      resolvePaths: (scope) => ({
+        readPaths: [[scope === "dm" ? "allowFrom" : "groupAllowFrom"]],
+        writePath: [scope === "dm" ? "allowFrom" : "groupAllowFrom"],
+      }),
     }),
   },
   acpBindings: {
diff --git a/extensions/whatsapp/src/channel.ts b/extensions/whatsapp/src/channel.ts
index cf506e6912b..d7f437d3204 100644
--- a/extensions/whatsapp/src/channel.ts
+++ b/extensions/whatsapp/src/channel.ts
@@ -1,3 +1,4 @@
+import { buildAccountScopedAllowlistConfigEditor } from "openclaw/plugin-sdk/compat";
 import {
   buildChannelConfigSchema,
   buildAccountScopedDmSecurityPolicy,
@@ -195,11 +196,13 @@ export const whatsappPlugin: ChannelPlugin<ResolvedWhatsAppAccount> = {
         groupPolicy: account.groupPolicy,
       };
     },
-    resolveConfigEdit: ({ scope, pathPrefix, writeTarget }) => ({
-      pathPrefix,
-      writeTarget,
-      readPaths: [[scope === "dm" ? "allowFrom" : "groupAllowFrom"]],
-      writePath: [scope === "dm" ? "allowFrom" : "groupAllowFrom"],
+    applyConfigEdit: buildAccountScopedAllowlistConfigEditor({
+      channelId: "whatsapp",
+      normalize: ({ values }) => formatWhatsAppConfigAllowFromEntries(values),
+      resolvePaths: (scope) => ({
+        readPaths: [[scope === "dm" ? "allowFrom" : "groupAllowFrom"]],
+        writePath: [scope === "dm" ? "allowFrom" : "groupAllowFrom"],
+      }),
     }),
   },
   security: {
diff --git a/src/agents/channel-tools.ts b/src/agents/channel-tools.ts
index e49a090f509..242cce868c1 100644
--- a/src/agents/channel-tools.ts
+++ b/src/agents/channel-tools.ts
@@ -1,4 +1,3 @@
-import { getChannelDock } from "../channels/dock.js";
 import { getChannelPlugin, listChannelPlugins } from "../channels/plugins/index.js";
 import type {
   ChannelAgentTool,
@@ -73,8 +72,7 @@ export function resolveChannelMessageToolHints(params: {
   if (!channelId) {
     return [];
   }
-  const dock = getChannelDock(channelId);
-  const resolve = dock?.agentPrompt?.messageToolHints;
+  const resolve = getChannelPlugin(channelId)?.agentPrompt?.messageToolHints;
   if (!resolve) {
     return [];
   }
diff --git a/src/agents/pi-tools.policy.ts b/src/agents/pi-tools.policy.ts
index a6f8651f72d..4e7cea7c94e 100644
--- a/src/agents/pi-tools.policy.ts
+++ b/src/agents/pi-tools.policy.ts
@@ -1,4 +1,4 @@
-import { getChannelDock } from "../channels/dock.js";
+import { getChannelPlugin } from "../channels/plugins/index.js";
 import { DEFAULT_SUBAGENT_MAX_SPAWN_DEPTH } from "../config/agent-limits.js";
 import type { OpenClawConfig } from "../config/config.js";
 import { resolveChannelGroupToolsPolicy } from "../config/group-policy.js";
@@ -315,14 +315,14 @@ export function resolveGroupToolPolicy(params: {
   if (!channel) {
     return undefined;
   }
-  let dock;
+  let plugin;
   try {
-    dock = getChannelDock(channel);
+    plugin = getChannelPlugin(channel);
   } catch {
-    dock = undefined;
+    plugin = undefined;
   }
   const toolsConfig =
-    dock?.groups?.resolveToolPolicy?.({
+    plugin?.groups?.resolveToolPolicy?.({
       cfg: params.config,
       groupId,
       groupChannel: params.groupChannel,
diff --git a/src/auto-reply/command-auth.ts b/src/auto-reply/command-auth.ts
index ead6e6e0312..956c132d773 100644
--- a/src/auto-reply/command-auth.ts
+++ b/src/auto-reply/command-auth.ts
@@ -1,6 +1,5 @@
-import type { ChannelDock } from "../channels/dock.js";
-import { getChannelDock, listChannelDocks } from "../channels/dock.js";
-import type { ChannelId } from "../channels/plugins/types.js";
+import { getChannelPlugin, listChannelPlugins } from "../channels/plugins/index.js";
+import type { ChannelId, ChannelPlugin } from "../channels/plugins/types.js";
 import { normalizeAnyChannelId } from "../channels/registry.js";
 import type { OpenClawConfig } from "../config/config.js";
 import { normalizeStringEntries } from "../shared/string-normalization.js";
@@ -52,19 +51,19 @@ function resolveProviderFromContext(ctx: MsgContext, cfg: OpenClawConfig): Chann
       return normalized;
     }
   }
-  const configured = listChannelDocks()
-    .map((dock) => {
-      if (!dock.config?.resolveAllowFrom) {
+  const configured = listChannelPlugins()
+    .map((plugin) => {
+      if (!plugin.config?.resolveAllowFrom) {
         return null;
       }
-      const allowFrom = dock.config.resolveAllowFrom({
+      const allowFrom = plugin.config.resolveAllowFrom({
         cfg,
         accountId: ctx.AccountId,
       });
       if (!Array.isArray(allowFrom) || allowFrom.length === 0) {
         return null;
       }
-      return dock.id;
+      return plugin.id;
     })
     .filter((value): value is ChannelId => Boolean(value));
   if (configured.length === 1) {
@@ -74,29 +73,29 @@ function resolveProviderFromContext(ctx: MsgContext, cfg: OpenClawConfig): Chann
 }
 
 function formatAllowFromList(params: {
-  dock?: ChannelDock;
+  plugin?: ChannelPlugin;
   cfg: OpenClawConfig;
   accountId?: string | null;
   allowFrom: Array<string | number>;
 }): string[] {
-  const { dock, cfg, accountId, allowFrom } = params;
+  const { plugin, cfg, accountId, allowFrom } = params;
   if (!allowFrom || allowFrom.length === 0) {
     return [];
   }
-  if (dock?.config?.formatAllowFrom) {
-    return dock.config.formatAllowFrom({ cfg, accountId, allowFrom });
+  if (plugin?.config?.formatAllowFrom) {
+    return plugin.config.formatAllowFrom({ cfg, accountId, allowFrom });
   }
   return normalizeStringEntries(allowFrom);
 }
 
 function normalizeAllowFromEntry(params: {
-  dock?: ChannelDock;
+  plugin?: ChannelPlugin;
   cfg: OpenClawConfig;
   accountId?: string | null;
   value: string;
 }): string[] {
   const normalized = formatAllowFromList({
-    dock: params.dock,
+    plugin: params.plugin,
     cfg: params.cfg,
     accountId: params.accountId,
     allowFrom: [params.value],
@@ -105,7 +104,7 @@ function normalizeAllowFromEntry(params: {
 }
 
 function resolveOwnerAllowFromList(params: {
-  dock?: ChannelDock;
+  plugin?: ChannelPlugin;
   cfg: OpenClawConfig;
   accountId?: string | null;
   providerId?: ChannelId;
@@ -139,7 +138,7 @@ function resolveOwnerAllowFromList(params: {
     filtered.push(trimmed);
   }
   return formatAllowFromList({
-    dock: params.dock,
+    plugin: params.plugin,
     cfg: params.cfg,
     accountId: params.accountId,
     allowFrom: filtered,
@@ -152,12 +151,12 @@ function resolveOwnerAllowFromList(params: {
  * Returns null if commands.allowFrom is not configured at all (fall back to channel allowFrom).
  */
 function resolveCommandsAllowFromList(params: {
-  dock?: ChannelDock;
+  plugin?: ChannelPlugin;
   cfg: OpenClawConfig;
   accountId?: string | null;
   providerId?: ChannelId;
 }): string[] | null {
-  const { dock, cfg, accountId, providerId } = params;
+  const { plugin, cfg, accountId, providerId } = params;
   const commandsAllowFrom = cfg.commands?.allowFrom;
   if (!commandsAllowFrom || typeof commandsAllowFrom !== "object") {
     return null; // Not configured, fall back to channel allowFrom
@@ -174,7 +173,7 @@ function resolveCommandsAllowFromList(params: {
   }
 
   return formatAllowFromList({
-    dock,
+    plugin,
     cfg,
     accountId,
     allowFrom: rawList,
@@ -211,7 +210,7 @@ function shouldUseFromAsSenderFallback(params: {
 }
 
 function resolveSenderCandidates(params: {
-  dock?: ChannelDock;
+  plugin?: ChannelPlugin;
   providerId?: ChannelId;
   cfg: OpenClawConfig;
   accountId?: string | null;
@@ -220,7 +219,7 @@ function resolveSenderCandidates(params: {
   from?: string | null;
   chatType?: string | null;
 }): string[] {
-  const { dock, cfg, accountId } = params;
+  const { plugin, cfg, accountId } = params;
   const candidates: string[] = [];
   const pushCandidate = (value?: string | null) => {
     const trimmed = (value ?? "").trim();
@@ -245,7 +244,7 @@ function resolveSenderCandidates(params: {
 
   const normalized: string[] = [];
   for (const sender of candidates) {
-    const entries = normalizeAllowFromEntry({ dock, cfg, accountId, value: sender });
+    const entries = normalizeAllowFromEntry({ plugin, cfg, accountId, value: sender });
     for (const entry of entries) {
       if (!normalized.includes(entry)) {
         normalized.push(entry);
@@ -262,36 +261,36 @@ export function resolveCommandAuthorization(params: {
 }): CommandAuthorization {
   const { ctx, cfg, commandAuthorized } = params;
   const providerId = resolveProviderFromContext(ctx, cfg);
-  const dock = providerId ? getChannelDock(providerId) : undefined;
+  const plugin = providerId ? getChannelPlugin(providerId) : undefined;
   const from = (ctx.From ?? "").trim();
   const to = (ctx.To ?? "").trim();
 
   // Check if commands.allowFrom is configured (separate command authorization)
   const commandsAllowFromList = resolveCommandsAllowFromList({
-    dock,
+    plugin,
     cfg,
     accountId: ctx.AccountId,
     providerId,
   });
 
-  const allowFromRaw = dock?.config?.resolveAllowFrom
-    ? dock.config.resolveAllowFrom({ cfg, accountId: ctx.AccountId })
+  const allowFromRaw = plugin?.config?.resolveAllowFrom
+    ? plugin.config.resolveAllowFrom({ cfg, accountId: ctx.AccountId })
     : [];
   const allowFromList = formatAllowFromList({
-    dock,
+    plugin,
     cfg,
     accountId: ctx.AccountId,
     allowFrom: Array.isArray(allowFromRaw) ? allowFromRaw : [],
   });
   const configOwnerAllowFromList = resolveOwnerAllowFromList({
-    dock,
+    plugin,
     cfg,
     accountId: ctx.AccountId,
     providerId,
     allowFrom: cfg.commands?.ownerAllowFrom,
   });
   const contextOwnerAllowFromList = resolveOwnerAllowFromList({
-    dock,
+    plugin,
     cfg,
     accountId: ctx.AccountId,
     providerId,
@@ -303,7 +302,7 @@ export function resolveCommandAuthorization(params: {
   const ownerCandidatesForCommands = allowAll ? [] : allowFromList.filter((entry) => entry !== "*");
   if (!allowAll && ownerCandidatesForCommands.length === 0 && to) {
     const normalizedTo = normalizeAllowFromEntry({
-      dock,
+      plugin,
       cfg,
       accountId: ctx.AccountId,
       value: to,
@@ -328,7 +327,7 @@ export function resolveCommandAuthorization(params: {
   );
 
   const senderCandidates = resolveSenderCandidates({
-    dock,
+    plugin,
     providerId,
     cfg,
     accountId: ctx.AccountId,
@@ -345,7 +344,7 @@ export function resolveCommandAuthorization(params: {
     : undefined;
   const senderId = matchedSender ?? senderCandidates[0];
 
-  const enforceOwner = Boolean(dock?.commands?.enforceOwnerForCommands);
+  const enforceOwner = Boolean(plugin?.commands?.enforceOwnerForCommands);
   const senderIsOwnerByIdentity = Boolean(matchedSender);
   const senderIsOwnerByScope =
     isInternalMessageChannel(ctx.Provider) &&
diff --git a/src/auto-reply/commands-registry.data.ts b/src/auto-reply/commands-registry.data.ts
index 80f8d4bd73f..58064473543 100644
--- a/src/auto-reply/commands-registry.data.ts
+++ b/src/auto-reply/commands-registry.data.ts
@@ -1,4 +1,4 @@
-import { listChannelDocks } from "../channels/dock.js";
+import { listChannelPlugins } from "../channels/plugins/index.js";
 import { getActivePluginRegistry } from "../plugins/runtime.js";
 import { COMMAND_ARG_FORMATTERS } from "./commands-args.js";
 import type {
@@ -46,14 +46,14 @@ function defineChatCommand(command: DefineChatCommandInput): ChatCommandDefiniti
   };
 }
 
-type ChannelDock = ReturnType<typeof listChannelDocks>[number];
+type ChannelPlugin = ReturnType<typeof listChannelPlugins>[number];
 
-function defineDockCommand(dock: ChannelDock): ChatCommandDefinition {
+function defineDockCommand(plugin: ChannelPlugin): ChatCommandDefinition {
   return defineChatCommand({
-    key: `dock:${dock.id}`,
-    nativeName: `dock_${dock.id}`,
-    description: `Switch to ${dock.id} for replies.`,
-    textAliases: [`/dock-${dock.id}`, `/dock_${dock.id}`],
+    key: `dock:${plugin.id}`,
+    nativeName: `dock_${plugin.id}`,
+    description: `Switch to ${plugin.id} for replies.`,
+    textAliases: [`/dock-${plugin.id}`, `/dock_${plugin.id}`],
     category: "docks",
   });
 }
@@ -758,9 +758,9 @@ function buildChatCommands(): ChatCommandDefinition[] {
         },
       ],
     }),
-    ...listChannelDocks()
-      .filter((dock) => dock.capabilities.nativeCommands)
-      .map((dock) => defineDockCommand(dock)),
+    ...listChannelPlugins()
+      .filter((plugin) => plugin.capabilities.nativeCommands)
+      .map((plugin) => defineDockCommand(plugin)),
   ];
 
   registerAlias(commands, "whoami", "/id");
@@ -792,9 +792,9 @@ export function getNativeCommandSurfaces(): Set<string> {
     return cachedNativeCommandSurfaces;
   }
   cachedNativeCommandSurfaces = new Set(
-    listChannelDocks()
-      .filter((dock) => dock.capabilities.nativeCommands)
-      .map((dock) => dock.id),
+    listChannelPlugins()
+      .filter((plugin) => plugin.capabilities.nativeCommands)
+      .map((plugin) => plugin.id),
   );
   cachedNativeRegistry = registry;
   return cachedNativeCommandSurfaces;
diff --git a/src/auto-reply/reply/agent-runner-utils.ts b/src/auto-reply/reply/agent-runner-utils.ts
index c6e71a9bab0..abf6322a287 100644
--- a/src/auto-reply/reply/agent-runner-utils.ts
+++ b/src/auto-reply/reply/agent-runner-utils.ts
@@ -1,6 +1,6 @@
 import { resolveRunModelFallbacksOverride } from "../../agents/agent-scope.js";
 import type { NormalizedUsage } from "../../agents/usage.js";
-import { getChannelDock } from "../../channels/dock.js";
+import { getChannelPlugin } from "../../channels/plugins/index.js";
 import type { ChannelId, ChannelThreadingToolContext } from "../../channels/plugins/types.js";
 import { normalizeAnyChannelId, normalizeChannelId } from "../../channels/registry.js";
 import type { OpenClawConfig } from "../../config/config.js";
@@ -44,8 +44,8 @@ export function buildThreadingToolContext(params: {
   }
   const provider = normalizeChannelId(rawProvider) ?? normalizeAnyChannelId(rawProvider);
   // Fallback for unrecognized/plugin channels (e.g., BlueBubbles before plugin registry init)
-  const dock = provider ? getChannelDock(provider) : undefined;
-  if (!dock?.threading?.buildToolContext) {
+  const threading = provider ? getChannelPlugin(provider)?.threading : undefined;
+  if (!threading?.buildToolContext) {
     return {
       currentChannelId: originTo?.trim() || undefined,
       currentChannelProvider: provider ?? (rawProvider as ChannelId),
@@ -54,7 +54,7 @@ export function buildThreadingToolContext(params: {
     };
   }
   const context =
-    dock.threading.buildToolContext({
+    threading.buildToolContext({
       cfg: config,
       accountId: sessionCtx.AccountId,
       context: {
@@ -72,7 +72,7 @@ export function buildThreadingToolContext(params: {
     }) ?? {};
   return {
     ...context,
-    currentChannelProvider: provider!, // guaranteed non-null since dock exists
+    currentChannelProvider: provider!, // guaranteed non-null since threading exists
     currentMessageId: context.currentMessageId ?? currentMessageId,
   };
 }
diff --git a/src/auto-reply/reply/block-streaming.ts b/src/auto-reply/reply/block-streaming.ts
index b24ee8cac1a..9149f7c8562 100644
--- a/src/auto-reply/reply/block-streaming.ts
+++ b/src/auto-reply/reply/block-streaming.ts
@@ -1,5 +1,4 @@
-import { getChannelDock } from "../../channels/dock.js";
-import { normalizeChannelId } from "../../channels/plugins/index.js";
+import { getChannelPlugin, normalizeChannelId } from "../../channels/plugins/index.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import type { BlockStreamingCoalesceConfig } from "../../config/types.js";
 import { resolveAccountEntry } from "../../routing/account-lookup.js";
@@ -34,7 +33,7 @@ function resolveProviderChunkContext(
   const providerKey = normalizeChunkProvider(provider);
   const providerId = providerKey ? normalizeChannelId(providerKey) : null;
   const providerChunkLimit = providerId
-    ? getChannelDock(providerId)?.outbound?.textChunkLimit
+    ? getChannelPlugin(providerId)?.outbound?.textChunkLimit
     : undefined;
   const textLimit = resolveTextChunkLimit(cfg, providerKey, accountId, {
     fallbackLimit: providerChunkLimit,
@@ -209,7 +208,7 @@ export function resolveBlockStreamingCoalescing(
   // when chunkMode="newline", matching the delivery-time splitting behavior.
   const chunkMode = opts?.chunkMode ?? resolveChunkMode(cfg, providerKey, accountId);
   const providerDefaults = providerId
-    ? getChannelDock(providerId)?.streaming?.blockStreamingCoalesceDefaults
+    ? getChannelPlugin(providerId)?.streaming?.blockStreamingCoalesceDefaults
     : undefined;
   const providerCfg = resolveProviderBlockStreamingCoalesce({
     cfg,
diff --git a/src/auto-reply/reply/commands-allowlist.ts b/src/auto-reply/reply/commands-allowlist.ts
index f371fcd0b62..7360fa20252 100644
--- a/src/auto-reply/reply/commands-allowlist.ts
+++ b/src/auto-reply/reply/commands-allowlist.ts
@@ -1,5 +1,4 @@
 import { getChannelPlugin } from "../../channels/plugins/index.js";
-import { listPairingChannels } from "../../channels/plugins/pairing.js";
 import type { ChannelId } from "../../channels/plugins/types.js";
 import { normalizeChannelId } from "../../channels/registry.js";
 import type { OpenClawConfig } from "../../config/config.js";
@@ -8,7 +7,6 @@ import {
   validateConfigObjectWithPlugins,
   writeConfigFile,
 } from "../../config/config.js";
-import { isBlockedObjectKey } from "../../infra/prototype-keys.js";
 import {
   addChannelAllowFromStoreEntry,
   readChannelAllowFromStore,
@@ -198,104 +196,6 @@ async function updatePairingStoreAllowlist(params: {
   }
 }
 
-function resolveAccountTarget(
-  parsed: Record<string, unknown>,
-  channelId: ChannelId,
-  accountId?: string | null,
-) {
-  const channels = (parsed.channels ??= {}) as Record<string, unknown>;
-  const channel = (channels[channelId] ??= {}) as Record<string, unknown>;
-  const normalizedAccountId = normalizeAccountId(accountId);
-  if (isBlockedObjectKey(normalizedAccountId)) {
-    return {
-      target: channel,
-      pathPrefix: `channels.${channelId}`,
-      accountId: DEFAULT_ACCOUNT_ID,
-      writeTarget: { kind: "channel", scope: { channelId } } as const,
-    };
-  }
-  const hasAccounts = Boolean(channel.accounts && typeof channel.accounts === "object");
-  const useAccount = normalizedAccountId !== DEFAULT_ACCOUNT_ID || hasAccounts;
-  if (!useAccount) {
-    return {
-      target: channel,
-      pathPrefix: `channels.${channelId}`,
-      accountId: normalizedAccountId,
-      writeTarget: { kind: "channel", scope: { channelId } } as const,
-    };
-  }
-  const accounts = (channel.accounts ??= {}) as Record<string, unknown>;
-  const existingAccount = Object.hasOwn(accounts, normalizedAccountId)
-    ? accounts[normalizedAccountId]
-    : undefined;
-  if (!existingAccount || typeof existingAccount !== "object") {
-    accounts[normalizedAccountId] = {};
-  }
-  const account = accounts[normalizedAccountId] as Record<string, unknown>;
-  return {
-    target: account,
-    pathPrefix: `channels.${channelId}.accounts.${normalizedAccountId}`,
-    accountId: normalizedAccountId,
-    writeTarget: {
-      kind: "account",
-      scope: { channelId, accountId: normalizedAccountId },
-    } as const,
-  };
-}
-
-function getNestedValue(root: Record<string, unknown>, path: string[]): unknown {
-  let current: unknown = root;
-  for (const key of path) {
-    if (!current || typeof current !== "object") {
-      return undefined;
-    }
-    current = (current as Record<string, unknown>)[key];
-  }
-  return current;
-}
-
-function ensureNestedObject(
-  root: Record<string, unknown>,
-  path: string[],
-): Record<string, unknown> {
-  let current = root;
-  for (const key of path) {
-    const existing = current[key];
-    if (!existing || typeof existing !== "object") {
-      current[key] = {};
-    }
-    current = current[key] as Record<string, unknown>;
-  }
-  return current;
-}
-
-function setNestedValue(root: Record<string, unknown>, path: string[], value: unknown) {
-  if (path.length === 0) {
-    return;
-  }
-  if (path.length === 1) {
-    root[path[0]] = value;
-    return;
-  }
-  const parent = ensureNestedObject(root, path.slice(0, -1));
-  parent[path[path.length - 1]] = value;
-}
-
-function deleteNestedValue(root: Record<string, unknown>, path: string[]) {
-  if (path.length === 0) {
-    return;
-  }
-  if (path.length === 1) {
-    delete root[path[0]];
-    return;
-  }
-  const parent = getNestedValue(root, path.slice(0, -1));
-  if (!parent || typeof parent !== "object") {
-    return;
-  }
-  delete (parent as Record<string, unknown>)[path[path.length - 1]];
-}
-
 function mapResolvedAllowlistNames(entries: ResolvedAllowlistName[]): Map<string, string> {
   const map = new Map<string, string>();
   for (const entry of entries) {
@@ -375,7 +275,7 @@ export const handleAllowlistCommand: CommandHandler = async (params, allowTextCo
   const plugin = getChannelPlugin(channelId);
 
   if (parsed.action === "list") {
-    const supportsStore = listPairingChannels().includes(channelId);
+    const supportsStore = Boolean(plugin?.pairing);
     if (!plugin?.allowlist?.readConfig && !supportsStore) {
       return {
         shouldContinue: false,
@@ -493,7 +393,7 @@ export const handleAllowlistCommand: CommandHandler = async (params, allowTextCo
   }
 
   const shouldUpdateConfig = parsed.target !== "store";
-  const shouldTouchStore = parsed.target !== "config" && listPairingChannels().includes(channelId);
+  const shouldTouchStore = parsed.target !== "config" && Boolean(plugin?.pairing);
 
   if (shouldUpdateConfig) {
     if (parsed.scope === "all") {
@@ -502,19 +402,7 @@ export const handleAllowlistCommand: CommandHandler = async (params, allowTextCo
         reply: { text: "⚠️ /allowlist add|remove requires scope dm or group." },
       };
     }
-    const {
-      target,
-      pathPrefix,
-      accountId: normalizedAccountId,
-      writeTarget,
-    } = resolveAccountTarget(structuredClone({ channels: {} }), channelId, accountId);
-    void target;
-    const editSpec = plugin?.allowlist?.resolveConfigEdit?.({
-      scope: parsed.scope,
-      pathPrefix,
-      writeTarget,
-    });
-    if (!editSpec) {
+    if (!plugin?.allowlist?.applyConfigEdit) {
       return {
         shouldContinue: false,
         reply: {
@@ -531,14 +419,35 @@ export const handleAllowlistCommand: CommandHandler = async (params, allowTextCo
       };
     }
     const parsedConfig = structuredClone(snapshot.parsed as Record<string, unknown>);
-    const resolvedTarget = resolveAccountTarget(parsedConfig, channelId, accountId);
+    const editResult = await plugin.allowlist.applyConfigEdit({
+      cfg: params.cfg,
+      parsedConfig,
+      accountId,
+      scope: parsed.scope,
+      action: parsed.action,
+      entry: parsed.entry,
+    });
+    if (!editResult) {
+      return {
+        shouldContinue: false,
+        reply: {
+          text: `⚠️ ${channelId} does not support ${parsed.scope} allowlist edits via /allowlist.`,
+        },
+      };
+    }
+    if (editResult.kind === "invalid-entry") {
+      return {
+        shouldContinue: false,
+        reply: { text: "⚠️ Invalid allowlist entry." },
+      };
+    }
     const deniedText = resolveConfigWriteDeniedText({
       cfg: params.cfg,
       channel: params.command.channel,
       channelId,
       accountId: params.ctx.AccountId,
       gatewayClientScopes: params.ctx.GatewayClientScopes,
-      target: editSpec.writeTarget,
+      target: editResult.writeTarget,
     });
     if (deniedText) {
       return {
@@ -548,82 +457,7 @@ export const handleAllowlistCommand: CommandHandler = async (params, allowTextCo
         },
       };
     }
-
-    const existing: string[] = [];
-    for (const path of editSpec.readPaths) {
-      const existingRaw = getNestedValue(resolvedTarget.target, path);
-      if (!Array.isArray(existingRaw)) {
-        continue;
-      }
-      for (const entry of existingRaw) {
-        const value = String(entry).trim();
-        if (!value || existing.includes(value)) {
-          continue;
-        }
-        existing.push(value);
-      }
-    }
-
-    const normalizedEntry = normalizeAllowFrom({
-      cfg: params.cfg,
-      channelId,
-      accountId: normalizedAccountId,
-      values: [parsed.entry],
-    });
-    if (normalizedEntry.length === 0) {
-      return {
-        shouldContinue: false,
-        reply: { text: "⚠️ Invalid allowlist entry." },
-      };
-    }
-
-    const existingNormalized = normalizeAllowFrom({
-      cfg: params.cfg,
-      channelId,
-      accountId: normalizedAccountId,
-      values: existing,
-    });
-
-    const shouldMatch = (value: string) => normalizedEntry.includes(value);
-
-    let configChanged = false;
-    let next = existing;
-    const configHasEntry = existingNormalized.some((value) => shouldMatch(value));
-    if (parsed.action === "add") {
-      if (!configHasEntry) {
-        next = [...existing, parsed.entry.trim()];
-        configChanged = true;
-      }
-    }
-
-    if (parsed.action === "remove") {
-      const keep: string[] = [];
-      for (const entry of existing) {
-        const normalized = normalizeAllowFrom({
-          cfg: params.cfg,
-          channelId,
-          accountId: normalizedAccountId,
-          values: [entry],
-        });
-        if (normalized.some((value) => shouldMatch(value))) {
-          configChanged = true;
-          continue;
-        }
-        keep.push(entry);
-      }
-      next = keep;
-    }
-
-    if (configChanged) {
-      if (next.length === 0) {
-        deleteNestedValue(resolvedTarget.target, editSpec.writePath);
-      } else {
-        setNestedValue(resolvedTarget.target, editSpec.writePath, next);
-      }
-      for (const path of editSpec.cleanupPaths ?? []) {
-        deleteNestedValue(resolvedTarget.target, path);
-      }
-    }
+    const configChanged = editResult.changed;
 
     if (configChanged) {
       const validated = validateConfigObjectWithPlugins(parsedConfig);
@@ -655,7 +489,7 @@ export const handleAllowlistCommand: CommandHandler = async (params, allowTextCo
     const scopeLabel = parsed.scope === "dm" ? "DM" : "group";
     const locations: string[] = [];
     if (configChanged) {
-      locations.push(`${resolvedTarget.pathPrefix}.${editSpec.writePath.join(".")}`);
+      locations.push(editResult.pathLabel);
     }
     if (shouldTouchStore) {
       locations.push("pairing store");
diff --git a/src/auto-reply/reply/get-reply-inline-actions.ts b/src/auto-reply/reply/get-reply-inline-actions.ts
index b4f921672f8..73983cfdc49 100644
--- a/src/auto-reply/reply/get-reply-inline-actions.ts
+++ b/src/auto-reply/reply/get-reply-inline-actions.ts
@@ -3,7 +3,7 @@ import { createOpenClawTools } from "../../agents/openclaw-tools.js";
 import type { BlockReplyChunking } from "../../agents/pi-embedded-block-chunker.js";
 import type { SkillCommandSpec } from "../../agents/skills.js";
 import { applyOwnerOnlyToolPolicy } from "../../agents/tool-policy.js";
-import { getChannelDock } from "../../channels/dock.js";
+import { getChannelPlugin } from "../../channels/plugins/index.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import type { SessionEntry } from "../../config/sessions.js";
 import { logVerbose } from "../../globals.js";
@@ -402,7 +402,7 @@ export async function handleInlineActions(params: {
 
   const isEmptyConfig = Object.keys(cfg).length === 0;
   const skipWhenConfigEmpty = command.channelId
-    ? Boolean(getChannelDock(command.channelId)?.commands?.skipWhenConfigEmpty)
+    ? Boolean(getChannelPlugin(command.channelId)?.commands?.skipWhenConfigEmpty)
     : false;
   if (
     skipWhenConfigEmpty &&
diff --git a/src/auto-reply/reply/groups.ts b/src/auto-reply/reply/groups.ts
index dcf398d5a4b..acdbbe67faf 100644
--- a/src/auto-reply/reply/groups.ts
+++ b/src/auto-reply/reply/groups.ts
@@ -1,4 +1,3 @@
-import { getChannelDock } from "../../channels/dock.js";
 import {
   getChannelPlugin,
   normalizeChannelId as normalizePluginChannelId,
@@ -39,7 +38,7 @@ function resolveDockChannelId(raw?: string | null): ChannelId | null {
     return null;
   }
   try {
-    if (getChannelDock(normalized as ChannelId)) {
+    if (getChannelPlugin(normalized as ChannelId)) {
       return normalized as ChannelId;
     }
   } catch {
@@ -68,7 +67,7 @@ export function resolveGroupRequireMention(params: {
   const groupSpace = ctx.GroupSpace?.trim();
   let requireMention: boolean | undefined;
   try {
-    requireMention = getChannelDock(channel)?.groups?.resolveRequireMention?.({
+    requireMention = getChannelPlugin(channel)?.groups?.resolveRequireMention?.({
       cfg,
       groupId,
       groupChannel,
@@ -158,7 +157,7 @@ export function buildGroupIntro(params: {
     params.sessionCtx.GroupChannel?.trim() ?? params.sessionCtx.GroupSubject?.trim();
   const groupSpace = params.sessionCtx.GroupSpace?.trim();
   const providerIdsLine = providerId
-    ? getChannelDock(providerId)?.groups?.resolveGroupIntroHint?.({
+    ? getChannelPlugin(providerId)?.groups?.resolveGroupIntroHint?.({
         cfg: params.cfg,
         groupId,
         groupChannel,
diff --git a/src/auto-reply/reply/mentions.ts b/src/auto-reply/reply/mentions.ts
index 714e599e38a..5b60cf6688f 100644
--- a/src/auto-reply/reply/mentions.ts
+++ b/src/auto-reply/reply/mentions.ts
@@ -1,6 +1,5 @@
 import { resolveAgentConfig } from "../../agents/agent-scope.js";
-import { getChannelDock } from "../../channels/dock.js";
-import { normalizeChannelId } from "../../channels/plugins/index.js";
+import { getChannelPlugin, normalizeChannelId } from "../../channels/plugins/index.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import { createSubsystemLogger } from "../../logging/subsystem.js";
 import { compileConfigRegexes, type ConfigRegexRejectReason } from "../../security/config-regex.js";
@@ -199,7 +198,7 @@ export function stripMentions(
 ): string {
   let result = text;
   const providerId = ctx.Provider ? normalizeChannelId(ctx.Provider) : null;
-  const providerMentions = providerId ? getChannelDock(providerId)?.mentions : undefined;
+  const providerMentions = providerId ? getChannelPlugin(providerId)?.mentions : undefined;
   const configRegexes = compileMentionPatternsCached({
     patterns: normalizeMentionPatterns(resolveMentionPatterns(cfg, agentId)),
     flags: "gi",
diff --git a/src/auto-reply/reply/reply-elevated.ts b/src/auto-reply/reply/reply-elevated.ts
index 17da0058dd6..9a6e5093bda 100644
--- a/src/auto-reply/reply/reply-elevated.ts
+++ b/src/auto-reply/reply/reply-elevated.ts
@@ -1,6 +1,5 @@
 import { resolveAgentConfig } from "../../agents/agent-scope.js";
-import { getChannelDock } from "../../channels/dock.js";
-import { normalizeChannelId } from "../../channels/plugins/index.js";
+import { getChannelPlugin, normalizeChannelId } from "../../channels/plugins/index.js";
 import type { AgentElevatedAllowFromConfig, OpenClawConfig } from "../../config/config.js";
 import { normalizeStringEntries } from "../../shared/string-normalization.js";
 import type { MsgContext } from "../templating.js";
@@ -34,8 +33,9 @@ function resolveAllowFromFormatter(params: {
   accountId?: string;
 }): AllowFromFormatter {
   const normalizedProvider = normalizeChannelId(params.provider);
-  const dock = normalizedProvider ? getChannelDock(normalizedProvider) : undefined;
-  const formatAllowFrom = dock?.config?.formatAllowFrom;
+  const formatAllowFrom = normalizedProvider
+    ? getChannelPlugin(normalizedProvider)?.config?.formatAllowFrom
+    : undefined;
   if (!formatAllowFrom) {
     return (values) => normalizeStringEntries(values);
   }
@@ -192,11 +192,12 @@ export function resolveElevatedPermissions(params: {
   }
 
   const normalizedProvider = normalizeChannelId(params.provider);
-  const dock = normalizedProvider ? getChannelDock(normalizedProvider) : undefined;
-  const fallbackAllowFrom = dock?.elevated?.allowFromFallback?.({
-    cfg: params.cfg,
-    accountId: params.ctx.AccountId,
-  });
+  const fallbackAllowFrom = normalizedProvider
+    ? getChannelPlugin(normalizedProvider)?.elevated?.allowFromFallback?.({
+        cfg: params.cfg,
+        accountId: params.ctx.AccountId,
+      })
+    : undefined;
   const formatAllowFrom = resolveAllowFromFormatter({
     cfg: params.cfg,
     provider: params.provider,
diff --git a/src/auto-reply/reply/reply-threading.ts b/src/auto-reply/reply/reply-threading.ts
index 5db377bbd00..66871f226b7 100644
--- a/src/auto-reply/reply/reply-threading.ts
+++ b/src/auto-reply/reply/reply-threading.ts
@@ -1,5 +1,4 @@
-import { getChannelDock } from "../../channels/dock.js";
-import { normalizeChannelId } from "../../channels/plugins/index.js";
+import { getChannelPlugin, normalizeChannelId } from "../../channels/plugins/index.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import type { ReplyToMode } from "../../config/types.js";
 import type { OriginatingChannelType } from "../templating.js";
@@ -15,7 +14,7 @@ export function resolveReplyToMode(
   if (!provider) {
     return "all";
   }
-  const resolved = getChannelDock(provider)?.threading?.resolveReplyToMode?.({
+  const resolved = getChannelPlugin(provider)?.threading?.resolveReplyToMode?.({
     cfg,
     accountId,
     chatType,
@@ -59,9 +58,9 @@ export function createReplyToModeFilterForChannel(
   const isWebchat = normalized === "webchat";
   // Default: allow explicit reply tags/directives even when replyToMode is "off".
   // Unknown channels fail closed; internal webchat stays allowed.
-  const dock = provider ? getChannelDock(provider) : undefined;
+  const threading = provider ? getChannelPlugin(provider)?.threading : undefined;
   const allowExplicitReplyTagsWhenOff = provider
-    ? (dock?.threading?.allowExplicitReplyTagsWhenOff ?? dock?.threading?.allowTagsWhenOff ?? true)
+    ? (threading?.allowExplicitReplyTagsWhenOff ?? threading?.allowTagsWhenOff ?? true)
     : isWebchat;
   return createReplyToModeFilter(mode, {
     allowExplicitReplyTagsWhenOff,
diff --git a/src/auto-reply/reply/route-reply.test.ts b/src/auto-reply/reply/route-reply.test.ts
index c0023ae1c37..b7b6cd31e9f 100644
--- a/src/auto-reply/reply/route-reply.test.ts
+++ b/src/auto-reply/reply/route-reply.test.ts
@@ -1,12 +1,14 @@
 import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
 import { mattermostPlugin } from "../../../extensions/mattermost/src/channel.js";
 import { slackPlugin } from "../../../extensions/slack/src/channel.js";
-import { discordOutbound } from "../../channels/plugins/outbound/discord.js";
-import { imessageOutbound } from "../../channels/plugins/outbound/imessage.js";
-import { signalOutbound } from "../../channels/plugins/outbound/signal.js";
-import { slackOutbound } from "../../channels/plugins/outbound/slack.js";
-import { telegramOutbound } from "../../channels/plugins/outbound/telegram.js";
-import { whatsappOutbound } from "../../channels/plugins/outbound/whatsapp.js";
+import {
+  discordOutbound,
+  imessageOutbound,
+  signalOutbound,
+  slackOutbound,
+  telegramOutbound,
+  whatsappOutbound,
+} from "../../../test/channel-outbounds.js";
 import type { ChannelOutboundAdapter, ChannelPlugin } from "../../channels/plugins/types.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import type { PluginRegistry } from "../../plugins/registry.js";
diff --git a/src/channels/plugins/outbound/discord.ts b/src/channels/plugins/outbound/discord.ts
deleted file mode 100644
index 5b2126b8fcc..00000000000
--- a/src/channels/plugins/outbound/discord.ts
+++ /dev/null
@@ -1,2 +0,0 @@
-// Shim: re-exports from extension
-export * from "../../../../extensions/discord/src/outbound-adapter.js";
diff --git a/src/channels/plugins/outbound/imessage.test.ts b/src/channels/plugins/outbound/imessage.test.ts
index b42b5a954c8..04c68a94f82 100644
--- a/src/channels/plugins/outbound/imessage.test.ts
+++ b/src/channels/plugins/outbound/imessage.test.ts
@@ -1,6 +1,6 @@
 import { describe, expect, it, vi } from "vitest";
+import { imessageOutbound } from "../../../../test/channel-outbounds.js";
 import type { OpenClawConfig } from "../../../config/config.js";
-import { imessageOutbound } from "./imessage.js";
 
 describe("imessageOutbound", () => {
   const cfg: OpenClawConfig = {
diff --git a/src/channels/plugins/outbound/imessage.ts b/src/channels/plugins/outbound/imessage.ts
deleted file mode 100644
index b916c1e37df..00000000000
--- a/src/channels/plugins/outbound/imessage.ts
+++ /dev/null
@@ -1,35 +0,0 @@
-import { sendMessageIMessage } from "../../../../extensions/imessage/src/send.js";
-import {
-  resolveOutboundSendDep,
-  type OutboundSendDeps,
-} from "../../../infra/outbound/send-deps.js";
-import {
-  createScopedChannelMediaMaxBytesResolver,
-  createDirectTextMediaOutbound,
-} from "./direct-text-media.js";
-
-function resolveIMessageSender(deps: OutboundSendDeps | undefined) {
-  return (
-    resolveOutboundSendDep<typeof sendMessageIMessage>(deps, "imessage") ?? sendMessageIMessage
-  );
-}
-
-export const imessageOutbound = createDirectTextMediaOutbound({
-  channel: "imessage",
-  resolveSender: resolveIMessageSender,
-  resolveMaxBytes: createScopedChannelMediaMaxBytesResolver("imessage"),
-  buildTextOptions: ({ cfg, maxBytes, accountId, replyToId }) => ({
-    config: cfg,
-    maxBytes,
-    accountId: accountId ?? undefined,
-    replyToId: replyToId ?? undefined,
-  }),
-  buildMediaOptions: ({ cfg, mediaUrl, maxBytes, accountId, replyToId, mediaLocalRoots }) => ({
-    config: cfg,
-    mediaUrl,
-    maxBytes,
-    accountId: accountId ?? undefined,
-    replyToId: replyToId ?? undefined,
-    mediaLocalRoots,
-  }),
-});
diff --git a/src/channels/plugins/outbound/signal.test.ts b/src/channels/plugins/outbound/signal.test.ts
index 9848c558965..5d28e4aefaf 100644
--- a/src/channels/plugins/outbound/signal.test.ts
+++ b/src/channels/plugins/outbound/signal.test.ts
@@ -1,6 +1,6 @@
 import { describe, expect, it, vi } from "vitest";
+import { signalOutbound } from "../../../../test/channel-outbounds.js";
 import type { OpenClawConfig } from "../../../config/config.js";
-import { signalOutbound } from "./signal.js";
 
 describe("signalOutbound", () => {
   const cfg: OpenClawConfig = {
diff --git a/src/channels/plugins/outbound/signal.ts b/src/channels/plugins/outbound/signal.ts
deleted file mode 100644
index 9de4e6f0fa7..00000000000
--- a/src/channels/plugins/outbound/signal.ts
+++ /dev/null
@@ -1,125 +0,0 @@
-import { markdownToSignalTextChunks } from "../../../../extensions/signal/src/format.js";
-import { sendMessageSignal } from "../../../../extensions/signal/src/send.js";
-import { resolveTextChunkLimit } from "../../../auto-reply/chunk.js";
-import { resolveMarkdownTableMode } from "../../../config/markdown-tables.js";
-import {
-  resolveOutboundSendDep,
-  type OutboundSendDeps,
-} from "../../../infra/outbound/send-deps.js";
-import type { ChannelOutboundAdapter } from "../types.js";
-import { createScopedChannelMediaMaxBytesResolver } from "./direct-text-media.js";
-
-function resolveSignalSender(deps: OutboundSendDeps | undefined) {
-  return resolveOutboundSendDep<typeof sendMessageSignal>(deps, "signal") ?? sendMessageSignal;
-}
-
-const resolveSignalMaxBytes = createScopedChannelMediaMaxBytesResolver("signal");
-type SignalSendOpts = NonNullable<Parameters<typeof sendMessageSignal>[2]>;
-
-function inferSignalTableMode(params: { cfg: SignalSendOpts["cfg"]; accountId?: string | null }) {
-  return resolveMarkdownTableMode({
-    cfg: params.cfg,
-    channel: "signal",
-    accountId: params.accountId ?? undefined,
-  });
-}
-
-export const signalOutbound: ChannelOutboundAdapter = {
-  deliveryMode: "direct",
-  chunker: (text, _limit) => text.split(/\n{2,}/).flatMap((chunk) => (chunk ? [chunk] : [])),
-  chunkerMode: "text",
-  textChunkLimit: 4000,
-  sendFormattedText: async ({ cfg, to, text, accountId, deps, abortSignal }) => {
-    const send = resolveSignalSender(deps);
-    const maxBytes = resolveSignalMaxBytes({
-      cfg,
-      accountId: accountId ?? undefined,
-    });
-    const limit = resolveTextChunkLimit(cfg, "signal", accountId ?? undefined, {
-      fallbackLimit: 4000,
-    });
-    const tableMode = inferSignalTableMode({ cfg, accountId });
-    let chunks =
-      limit === undefined
-        ? markdownToSignalTextChunks(text, Number.POSITIVE_INFINITY, { tableMode })
-        : markdownToSignalTextChunks(text, limit, { tableMode });
-    if (chunks.length === 0 && text) {
-      chunks = [{ text, styles: [] }];
-    }
-    const results = [];
-    for (const chunk of chunks) {
-      abortSignal?.throwIfAborted();
-      const result = await send(to, chunk.text, {
-        cfg,
-        maxBytes,
-        accountId: accountId ?? undefined,
-        textMode: "plain",
-        textStyles: chunk.styles,
-      });
-      results.push({ channel: "signal" as const, ...result });
-    }
-    return results;
-  },
-  sendFormattedMedia: async ({
-    cfg,
-    to,
-    text,
-    mediaUrl,
-    mediaLocalRoots,
-    accountId,
-    deps,
-    abortSignal,
-  }) => {
-    abortSignal?.throwIfAborted();
-    const send = resolveSignalSender(deps);
-    const maxBytes = resolveSignalMaxBytes({
-      cfg,
-      accountId: accountId ?? undefined,
-    });
-    const tableMode = inferSignalTableMode({ cfg, accountId });
-    const formatted = markdownToSignalTextChunks(text, Number.POSITIVE_INFINITY, {
-      tableMode,
-    })[0] ?? {
-      text,
-      styles: [],
-    };
-    const result = await send(to, formatted.text, {
-      cfg,
-      mediaUrl,
-      maxBytes,
-      accountId: accountId ?? undefined,
-      textMode: "plain",
-      textStyles: formatted.styles,
-      mediaLocalRoots,
-    });
-    return { channel: "signal", ...result };
-  },
-  sendText: async ({ cfg, to, text, accountId, deps }) => {
-    const send = resolveSignalSender(deps);
-    const maxBytes = resolveSignalMaxBytes({
-      cfg,
-      accountId: accountId ?? undefined,
-    });
-    const result = await send(to, text, {
-      cfg,
-      maxBytes,
-      accountId: accountId ?? undefined,
-    });
-    return { channel: "signal", ...result };
-  },
-  sendMedia: async ({ cfg, to, text, mediaUrl, mediaLocalRoots, accountId, deps }) => {
-    const send = resolveSignalSender(deps);
-    const maxBytes = resolveSignalMaxBytes({
-      cfg,
-      accountId: accountId ?? undefined,
-    });
-    const result = await send(to, text, {
-      cfg,
-      mediaUrl,
-      maxBytes,
-      accountId: accountId ?? undefined,
-      mediaLocalRoots,
-    });
-    return { channel: "signal", ...result };
-  },
-};
diff --git a/src/channels/plugins/outbound/slack.sendpayload.test.ts b/src/channels/plugins/outbound/slack.sendpayload.test.ts
index 0bb551d0395..e1175023858 100644
--- a/src/channels/plugins/outbound/slack.sendpayload.test.ts
+++ b/src/channels/plugins/outbound/slack.sendpayload.test.ts
@@ -1,10 +1,10 @@
 import { describe, expect, it, vi } from "vitest";
+import { slackOutbound } from "../../../../test/channel-outbounds.js";
 import type { ReplyPayload } from "../../../auto-reply/types.js";
 import {
   installSendPayloadContractSuite,
   primeSendMock,
 } from "../../../test-utils/send-payload-contract.js";
-import { slackOutbound } from "./slack.js";
 
 function createHarness(params: {
   payload: ReplyPayload;
diff --git a/src/channels/plugins/outbound/slack.test.ts b/src/channels/plugins/outbound/slack.test.ts
index 9b5c1843ce2..90c6f5e55ad 100644
--- a/src/channels/plugins/outbound/slack.test.ts
+++ b/src/channels/plugins/outbound/slack.test.ts
@@ -10,8 +10,8 @@ vi.mock("../../../plugins/hook-runner-global.js", () => ({
 }));
 
 import { sendMessageSlack } from "../../../../extensions/slack/src/send.js";
+import { slackOutbound } from "../../../../test/channel-outbounds.js";
 import { getGlobalHookRunner } from "../../../plugins/hook-runner-global.js";
-import { slackOutbound } from "./slack.js";
 
 type SlackSendTextCtx = {
   to: string;
diff --git a/src/channels/plugins/outbound/slack.ts b/src/channels/plugins/outbound/slack.ts
deleted file mode 100644
index 13729acb2ee..00000000000
--- a/src/channels/plugins/outbound/slack.ts
+++ /dev/null
@@ -1,255 +0,0 @@
-import { parseSlackBlocksInput } from "../../../../extensions/slack/src/blocks-input.js";
-import {
-  buildSlackInteractiveBlocks,
-  type SlackBlock,
-} from "../../../../extensions/slack/src/blocks-render.js";
-import { sendMessageSlack, type SlackSendIdentity } from "../../../../extensions/slack/src/send.js";
-import type { OutboundIdentity } from "../../../infra/outbound/identity.js";
-import { resolveOutboundSendDep } from "../../../infra/outbound/send-deps.js";
-import {
-  resolveInteractiveTextFallback,
-  type InteractiveReply,
-} from "../../../interactive/payload.js";
-import { getGlobalHookRunner } from "../../../plugins/hook-runner-global.js";
-import type { ChannelOutboundAdapter } from "../types.js";
-import {
-  resolvePayloadMediaUrls,
-  sendPayloadMediaSequence,
-  sendTextMediaPayload,
-} from "./direct-text-media.js";
-
-const SLACK_MAX_BLOCKS = 50;
-
-function resolveRenderedInteractiveBlocks(
-  interactive?: InteractiveReply,
-): SlackBlock[] | undefined {
-  if (!interactive) {
-    return undefined;
-  }
-  const blocks = buildSlackInteractiveBlocks(interactive);
-  return blocks.length > 0 ? blocks : undefined;
-}
-
-function resolveSlackSendIdentity(identity?: OutboundIdentity): SlackSendIdentity | undefined {
-  if (!identity) {
-    return undefined;
-  }
-  const username = identity.name?.trim() || undefined;
-  const iconUrl = identity.avatarUrl?.trim() || undefined;
-  const rawEmoji = identity.emoji?.trim();
-  const iconEmoji = !iconUrl && rawEmoji && /^:[^:\s]+:$/.test(rawEmoji) ? rawEmoji : undefined;
-  if (!username && !iconUrl && !iconEmoji) {
-    return undefined;
-  }
-  return { username, iconUrl, iconEmoji };
-}
-
-async function applySlackMessageSendingHooks(params: {
-  to: string;
-  text: string;
-  threadTs?: string;
-  accountId?: string;
-  mediaUrl?: string;
-}): Promise<{ cancelled: boolean; text: string }> {
-  const hookRunner = getGlobalHookRunner();
-  if (!hookRunner?.hasHooks("message_sending")) {
-    return { cancelled: false, text: params.text };
-  }
-  const hookResult = await hookRunner.runMessageSending(
-    {
-      to: params.to,
-      content: params.text,
-      metadata: {
-        threadTs: params.threadTs,
-        channelId: params.to,
-        ...(params.mediaUrl ? { mediaUrl: params.mediaUrl } : {}),
-      },
-    },
-    { channelId: "slack", accountId: params.accountId ?? undefined },
-  );
-  if (hookResult?.cancel) {
-    return { cancelled: true, text: params.text };
-  }
-  return { cancelled: false, text: hookResult?.content ?? params.text };
-}
-
-async function sendSlackOutboundMessage(params: {
-  cfg: NonNullable<Parameters<typeof sendMessageSlack>[2]>["cfg"];
-  to: string;
-  text: string;
-  mediaUrl?: string;
-  mediaLocalRoots?: readonly string[];
-  blocks?: NonNullable<Parameters<typeof sendMessageSlack>[2]>["blocks"];
-  accountId?: string | null;
-  deps?: { [channelId: string]: unknown } | null;
-  replyToId?: string | null;
-  threadId?: string | number | null;
-  identity?: OutboundIdentity;
-}) {
-  const send =
-    resolveOutboundSendDep<typeof sendMessageSlack>(params.deps, "slack") ?? sendMessageSlack;
-  // Use threadId fallback so routed tool notifications stay in the Slack thread.
-  const threadTs =
-    params.replyToId ?? (params.threadId != null ? String(params.threadId) : undefined);
-  const hookResult = await applySlackMessageSendingHooks({
-    to: params.to,
-    text: params.text,
-    threadTs,
-    mediaUrl: params.mediaUrl,
-    accountId: params.accountId ?? undefined,
-  });
-  if (hookResult.cancelled) {
-    return {
-      channel: "slack" as const,
-      messageId: "cancelled-by-hook",
-      channelId: params.to,
-      meta: { cancelled: true },
-    };
-  }
-
-  const slackIdentity = resolveSlackSendIdentity(params.identity);
-  const result = await send(params.to, hookResult.text, {
-    cfg: params.cfg,
-    threadTs,
-    accountId: params.accountId ?? undefined,
-    ...(params.mediaUrl
-      ? { mediaUrl: params.mediaUrl, mediaLocalRoots: params.mediaLocalRoots }
-      : {}),
-    ...(params.blocks ? { blocks: params.blocks } : {}),
-    ...(slackIdentity ? { identity: slackIdentity } : {}),
-  });
-  return { channel: "slack" as const, ...result };
-}
-
-function resolveSlackBlocks(payload: {
-  channelData?: Record<string, unknown>;
-  interactive?: InteractiveReply;
-}) {
-  const slackData = payload.channelData?.slack;
-  const renderedInteractive = resolveRenderedInteractiveBlocks(payload.interactive);
-  if (!slackData || typeof slackData !== "object" || Array.isArray(slackData)) {
-    return renderedInteractive;
-  }
-  let existingBlocks: SlackBlock[] | undefined;
-  existingBlocks = parseSlackBlocksInput((slackData as { blocks?: unknown }).blocks) as
-    | SlackBlock[]
-    | undefined;
-  const mergedBlocks = [...(existingBlocks ?? []), ...(renderedInteractive ?? [])];
-  if (mergedBlocks.length === 0) {
-    return undefined;
-  }
-  if (mergedBlocks.length > SLACK_MAX_BLOCKS) {
-    throw new Error(
-      `Slack blocks cannot exceed ${SLACK_MAX_BLOCKS} items after interactive render`,
-    );
-  }
-  return mergedBlocks;
-}
-
-export const slackOutbound: ChannelOutboundAdapter = {
-  deliveryMode: "direct",
-  chunker: null,
-  textChunkLimit: 4000,
-  sendPayload: async (ctx) => {
-    const payload = {
-      ...ctx.payload,
-      text:
-        resolveInteractiveTextFallback({
-          text: ctx.payload.text,
-          interactive: ctx.payload.interactive,
-        }) ?? "",
-    };
-    const blocks = resolveSlackBlocks(payload);
-    if (!blocks) {
-      return await sendTextMediaPayload({
-        channel: "slack",
-        ctx: {
-          ...ctx,
-          payload,
-        },
-        adapter: slackOutbound,
-      });
-    }
-    const mediaUrls = resolvePayloadMediaUrls(payload);
-    if (mediaUrls.length === 0) {
-      return await sendSlackOutboundMessage({
-        cfg: ctx.cfg,
-        to: ctx.to,
-        text: payload.text ?? "",
-        mediaLocalRoots: ctx.mediaLocalRoots,
-        blocks,
-        accountId: ctx.accountId,
-        deps: ctx.deps,
-        replyToId: ctx.replyToId,
-        threadId: ctx.threadId,
-        identity: ctx.identity,
-      });
-    }
-    await sendPayloadMediaSequence({
-      text: "",
-      mediaUrls,
-      send: async ({ text, mediaUrl }) =>
-        await sendSlackOutboundMessage({
-          cfg: ctx.cfg,
-          to: ctx.to,
-          text,
-          mediaUrl,
-          mediaLocalRoots: ctx.mediaLocalRoots,
-          accountId: ctx.accountId,
-          deps: ctx.deps,
-          replyToId: ctx.replyToId,
-          threadId: ctx.threadId,
-          identity: ctx.identity,
-        }),
-    });
-    return await sendSlackOutboundMessage({
-      cfg: ctx.cfg,
-      to: ctx.to,
-      text: payload.text ?? "",
-      mediaLocalRoots: ctx.mediaLocalRoots,
-      blocks,
-      accountId: ctx.accountId,
-      deps: ctx.deps,
-      replyToId: ctx.replyToId,
-      threadId: ctx.threadId,
-      identity: ctx.identity,
-    });
-  },
-  sendText: async ({ cfg, to, text, accountId, deps, replyToId, threadId, identity }) => {
-    return await sendSlackOutboundMessage({
-      cfg,
-      to,
-      text,
-      accountId,
-      deps,
-      replyToId,
-      threadId,
-      identity,
-    });
-  },
-  sendMedia: async ({
-    cfg,
-    to,
-    text,
-    mediaUrl,
-    mediaLocalRoots,
-    accountId,
-    deps,
-    replyToId,
-    threadId,
-    identity,
-  }) => {
-    return await sendSlackOutboundMessage({
-      cfg,
-      to,
-      text,
-      mediaUrl,
-      mediaLocalRoots,
-      accountId,
-      deps,
-      replyToId,
-      threadId,
-      identity,
-    });
-  },
-};
diff --git a/src/channels/plugins/outbound/telegram.ts b/src/channels/plugins/outbound/telegram.ts
deleted file mode 100644
index 685ddb6ef31..00000000000
--- a/src/channels/plugins/outbound/telegram.ts
+++ /dev/null
@@ -1 +0,0 @@
-export * from "../../../../extensions/telegram/src/outbound-adapter.js";
diff --git a/src/channels/plugins/outbound/whatsapp.ts b/src/channels/plugins/outbound/whatsapp.ts
deleted file mode 100644
index 112ff4ccf91..00000000000
--- a/src/channels/plugins/outbound/whatsapp.ts
+++ /dev/null
@@ -1,2 +0,0 @@
-// Shim: re-exports from extensions/whatsapp/src/outbound-adapter.ts
-export * from "../../../../extensions/whatsapp/src/outbound-adapter.js";
diff --git a/src/channels/plugins/plugins-channel.test.ts b/src/channels/plugins/plugins-channel.test.ts
index 01a9d29169a..bfd2c4ff556 100644
--- a/src/channels/plugins/plugins-channel.test.ts
+++ b/src/channels/plugins/plugins-channel.test.ts
@@ -1,10 +1,9 @@
 import { describe, expect, it, vi } from "vitest";
 import { normalizeSignalAccountInput } from "../../../extensions/signal/src/setup-surface.js";
+import { telegramOutbound, whatsappOutbound } from "../../../test/channel-outbounds.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import { normalizeIMessageMessagingTarget } from "./normalize/imessage.js";
 import { looksLikeSignalTargetId, normalizeSignalMessagingTarget } from "./normalize/signal.js";
-import { telegramOutbound } from "./outbound/telegram.js";
-import { whatsappOutbound } from "./outbound/whatsapp.js";
 
 function expectWhatsAppTargetResolutionError(result: unknown) {
   expect(result).toEqual({
diff --git a/src/channels/plugins/types.adapters.ts b/src/channels/plugins/types.adapters.ts
index c66fa0d463e..9f9e279bdc1 100644
--- a/src/channels/plugins/types.adapters.ts
+++ b/src/channels/plugins/types.adapters.ts
@@ -481,6 +481,35 @@ export type ChannelExecApprovalAdapter = {
 };
 
 export type ChannelAllowlistAdapter = {
+  applyConfigEdit?: (params: {
+    cfg: OpenClawConfig;
+    parsedConfig: Record<string, unknown>;
+    accountId?: string | null;
+    scope: "dm" | "group";
+    action: "add" | "remove";
+    entry: string;
+  }) =>
+    | {
+        kind: "ok";
+        changed: boolean;
+        pathLabel: string;
+        writeTarget: ConfigWriteTarget;
+      }
+    | {
+        kind: "invalid-entry";
+      }
+    | Promise<
+        | {
+            kind: "ok";
+            changed: boolean;
+            pathLabel: string;
+            writeTarget: ConfigWriteTarget;
+          }
+        | {
+            kind: "invalid-entry";
+          }
+      >
+    | null;
   readConfig?: (params: { cfg: OpenClawConfig; accountId?: string | null }) =>
     | {
         dmAllowFrom?: Array<string | number>;
@@ -504,17 +533,6 @@ export type ChannelAllowlistAdapter = {
   }) =>
     | Array<{ input: string; resolved: boolean; name?: string | null }>
     | Promise<Array<{ input: string; resolved: boolean; name?: string | null }>>;
-  resolveConfigEdit?: (params: {
-    scope: "dm" | "group";
-    pathPrefix: string;
-    writeTarget: ConfigWriteTarget;
-  }) => {
-    pathPrefix: string;
-    writeTarget: ConfigWriteTarget;
-    readPaths: string[][];
-    writePath: string[];
-    cleanupPaths?: string[][];
-  } | null;
   supportsScope?: (params: { scope: "dm" | "group" | "all" }) => boolean;
 };
 
diff --git a/src/config/sessions/metadata.ts b/src/config/sessions/metadata.ts
index c438fd60f2b..b93cfcb5372 100644
--- a/src/config/sessions/metadata.ts
+++ b/src/config/sessions/metadata.ts
@@ -1,8 +1,7 @@
 import type { MsgContext } from "../../auto-reply/templating.js";
 import { normalizeChatType } from "../../channels/chat-type.js";
 import { resolveConversationLabel } from "../../channels/conversation-label.js";
-import { getChannelDock } from "../../channels/dock.js";
-import { normalizeChannelId } from "../../channels/plugins/index.js";
+import { getChannelPlugin, normalizeChannelId } from "../../channels/plugins/index.js";
 import { normalizeMessageChannel } from "../../utils/message-channel.js";
 import { buildGroupDisplayName, resolveGroupSessionKey } from "./group.js";
 import type { GroupKeyResolution, SessionEntry, SessionOrigin } from "./types.js";
@@ -111,7 +110,7 @@ export function deriveGroupSessionPatch(params: {
   const normalizedChannel = normalizeChannelId(channel);
   const isChannelProvider = Boolean(
     normalizedChannel &&
-    getChannelDock(normalizedChannel)?.capabilities.chatTypes.includes("channel"),
+    getChannelPlugin(normalizedChannel)?.capabilities.chatTypes.includes("channel"),
   );
   const nextGroupChannel =
     explicitChannel ??
diff --git a/src/cron/isolated-agent.direct-delivery-core-channels.test.ts b/src/cron/isolated-agent.direct-delivery-core-channels.test.ts
index 1950e361068..c477ded7f7d 100644
--- a/src/cron/isolated-agent.direct-delivery-core-channels.test.ts
+++ b/src/cron/isolated-agent.direct-delivery-core-channels.test.ts
@@ -1,12 +1,14 @@
 import "./isolated-agent.mocks.js";
 import { beforeEach, describe, expect, it } from "vitest";
+import {
+  discordOutbound,
+  imessageOutbound,
+  signalOutbound,
+  slackOutbound,
+  telegramOutbound,
+  whatsappOutbound,
+} from "../../test/channel-outbounds.js";
 import { runSubagentAnnounceFlow } from "../agents/subagent-announce.js";
-import { discordOutbound } from "../channels/plugins/outbound/discord.js";
-import { imessageOutbound } from "../channels/plugins/outbound/imessage.js";
-import { signalOutbound } from "../channels/plugins/outbound/signal.js";
-import { slackOutbound } from "../channels/plugins/outbound/slack.js";
-import { telegramOutbound } from "../channels/plugins/outbound/telegram.js";
-import { whatsappOutbound } from "../channels/plugins/outbound/whatsapp.js";
 import type { CliDeps } from "../cli/deps.js";
 import { setActivePluginRegistry } from "../plugins/runtime.js";
 import { createOutboundTestPlugin, createTestRegistry } from "../test-utils/channel-plugins.js";
diff --git a/src/cron/isolated-agent.test-setup.ts b/src/cron/isolated-agent.test-setup.ts
index e6357531ad3..bdeb71fbaf4 100644
--- a/src/cron/isolated-agent.test-setup.ts
+++ b/src/cron/isolated-agent.test-setup.ts
@@ -1,9 +1,8 @@
 import { vi } from "vitest";
+import { signalOutbound, telegramOutbound } from "../../test/channel-outbounds.js";
 import { loadModelCatalog } from "../agents/model-catalog.js";
 import { runEmbeddedPiAgent } from "../agents/pi-embedded.js";
 import { runSubagentAnnounceFlow } from "../agents/subagent-announce.js";
-import { signalOutbound } from "../channels/plugins/outbound/signal.js";
-import { telegramOutbound } from "../channels/plugins/outbound/telegram.js";
 import { callGateway } from "../gateway/call.js";
 import { setActivePluginRegistry } from "../plugins/runtime.js";
 import { createOutboundTestPlugin, createTestRegistry } from "../test-utils/channel-plugins.js";
diff --git a/src/infra/exec-approval-forwarder.test.ts b/src/infra/exec-approval-forwarder.test.ts
index d29856c3088..2dfc1c97dbd 100644
--- a/src/infra/exec-approval-forwarder.test.ts
+++ b/src/infra/exec-approval-forwarder.test.ts
@@ -1,8 +1,9 @@
 import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
-import { telegramOutbound } from "../channels/plugins/outbound/telegram.js";
+import { discordPlugin } from "../../extensions/discord/src/channel.js";
+import { telegramPlugin } from "../../extensions/telegram/src/channel.js";
 import type { OpenClawConfig } from "../config/config.js";
 import { setActivePluginRegistry } from "../plugins/runtime.js";
-import { createOutboundTestPlugin, createTestRegistry } from "../test-utils/channel-plugins.js";
+import { createTestRegistry } from "../test-utils/channel-plugins.js";
 import { createExecApprovalForwarder } from "./exec-approval-forwarder.js";
 
 const baseRequest = {
@@ -25,7 +26,12 @@ const emptyRegistry = createTestRegistry([]);
 const defaultRegistry = createTestRegistry([
   {
     pluginId: "telegram",
-    plugin: createOutboundTestPlugin({ id: "telegram", outbound: telegramOutbound }),
+    plugin: telegramPlugin,
+    source: "test",
+  },
+  {
+    pluginId: "discord",
+    plugin: discordPlugin,
     source: "test",
   },
 ]);
diff --git a/src/infra/heartbeat-runner.returns-default-unset.test.ts b/src/infra/heartbeat-runner.returns-default-unset.test.ts
index a39914016f1..8bca1ca1de7 100644
--- a/src/infra/heartbeat-runner.returns-default-unset.test.ts
+++ b/src/infra/heartbeat-runner.returns-default-unset.test.ts
@@ -3,9 +3,9 @@ import os from "node:os";
 import path from "node:path";
 import { afterAll, beforeAll, beforeEach, describe, expect, it, vi } from "vitest";
 import { parseTelegramTarget } from "../../extensions/telegram/src/targets.js";
+import { whatsappOutbound } from "../../test/channel-outbounds.js";
 import { HEARTBEAT_PROMPT } from "../auto-reply/heartbeat.js";
 import * as replyModule from "../auto-reply/reply.js";
-import { whatsappOutbound } from "../channels/plugins/outbound/whatsapp.js";
 import type { OpenClawConfig } from "../config/config.js";
 import {
   resolveAgentIdFromSessionKey,
diff --git a/src/infra/outbound/deliver.test-helpers.ts b/src/infra/outbound/deliver.test-helpers.ts
index bc70c456dc5..77054dff7f3 100644
--- a/src/infra/outbound/deliver.test-helpers.ts
+++ b/src/infra/outbound/deliver.test-helpers.ts
@@ -1,7 +1,9 @@
 import { vi } from "vitest";
-import { signalOutbound } from "../../channels/plugins/outbound/signal.js";
-import { telegramOutbound } from "../../channels/plugins/outbound/telegram.js";
-import { whatsappOutbound } from "../../channels/plugins/outbound/whatsapp.js";
+import {
+  signalOutbound,
+  telegramOutbound,
+  whatsappOutbound,
+} from "../../../test/channel-outbounds.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import { setActivePluginRegistry } from "../../plugins/runtime.js";
 import { createOutboundTestPlugin, createTestRegistry } from "../../test-utils/channel-plugins.js";
diff --git a/src/infra/outbound/deliver.test.ts b/src/infra/outbound/deliver.test.ts
index 075752df083..5323dd83e27 100644
--- a/src/infra/outbound/deliver.test.ts
+++ b/src/infra/outbound/deliver.test.ts
@@ -1,9 +1,11 @@
 import path from "node:path";
 import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
 import { markdownToSignalTextChunks } from "../../../extensions/signal/src/format.js";
-import { signalOutbound } from "../../channels/plugins/outbound/signal.js";
-import { telegramOutbound } from "../../channels/plugins/outbound/telegram.js";
-import { whatsappOutbound } from "../../channels/plugins/outbound/whatsapp.js";
+import {
+  signalOutbound,
+  telegramOutbound,
+  whatsappOutbound,
+} from "../../../test/channel-outbounds.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import { STATE_DIR } from "../../config/paths.js";
 import { setActivePluginRegistry } from "../../plugins/runtime.js";
diff --git a/src/infra/outbound/targets.test.ts b/src/infra/outbound/targets.test.ts
index 4d9645dc130..76bb9a2b3b5 100644
--- a/src/infra/outbound/targets.test.ts
+++ b/src/infra/outbound/targets.test.ts
@@ -1,7 +1,6 @@
 import { beforeEach, describe, expect, it } from "vitest";
 import { parseTelegramTarget } from "../../../extensions/telegram/src/targets.js";
-import { telegramOutbound } from "../../channels/plugins/outbound/telegram.js";
-import { whatsappOutbound } from "../../channels/plugins/outbound/whatsapp.js";
+import { telegramOutbound, whatsappOutbound } from "../../../test/channel-outbounds.js";
 import type { ChannelOutboundAdapter } from "../../channels/plugins/types.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import type { SessionEntry } from "../../config/sessions/types.js";
diff --git a/src/plugin-sdk/index.ts b/src/plugin-sdk/index.ts
index 6e70c8b7c19..5f1ccd91bbe 100644
--- a/src/plugin-sdk/index.ts
+++ b/src/plugin-sdk/index.ts
@@ -241,6 +241,7 @@ export { buildChannelSendResult } from "./channel-send-result.js";
 export type { ChannelSendRawResult } from "./channel-send-result.js";
 export { createPluginRuntimeStore } from "./runtime-store.js";
 export { createScopedChannelConfigBase } from "./channel-config-helpers.js";
+export { buildAccountScopedAllowlistConfigEditor } from "./allowlist-config-edit.js";
 export {
   AllowFromEntrySchema,
   AllowFromListSchema,
diff --git a/src/plugin-sdk/telegram.ts b/src/plugin-sdk/telegram.ts
index 7504994f70a..3e6d1df1257 100644
--- a/src/plugin-sdk/telegram.ts
+++ b/src/plugin-sdk/telegram.ts
@@ -54,7 +54,7 @@ export {
   parseTelegramThreadId,
 } from "../../extensions/telegram/src/outbound-params.js";
 export { collectTelegramStatusIssues } from "../channels/plugins/status-issues/telegram.js";
-export { sendTelegramPayloadMessages } from "../channels/plugins/outbound/telegram.js";
+export { sendTelegramPayloadMessages } from "../../extensions/telegram/src/outbound-adapter.js";
 
 export {
   resolveAllowlistProviderRuntimeGroupPolicy,
diff --git a/src/test-utils/imessage-test-plugin.ts b/src/test-utils/imessage-test-plugin.ts
index 962a1f7c33e..201ad3f9897 100644
--- a/src/test-utils/imessage-test-plugin.ts
+++ b/src/test-utils/imessage-test-plugin.ts
@@ -1,5 +1,5 @@
 import { normalizeIMessageHandle } from "../../extensions/imessage/src/targets.js";
-import { imessageOutbound } from "../channels/plugins/outbound/imessage.js";
+import { imessageOutbound } from "../../test/channel-outbounds.js";
 import type { ChannelOutboundAdapter, ChannelPlugin } from "../channels/plugins/types.js";
 import { collectStatusIssuesFromLastError } from "../plugin-sdk/status-helpers.js";
 

From 7cdd8a84a67b50cfdbcdb49489184a2c5dfe8337 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Sun, 15 Mar 2026 23:47:43 -0700
Subject: [PATCH 061/133] refactor: add plugin-owned outbound adapters

---
 extensions/imessage/src/outbound-adapter.ts |  35 +++
 extensions/signal/src/outbound-adapter.ts   | 125 ++++++++++
 extensions/slack/src/outbound-adapter.ts    | 250 ++++++++++++++++++++
 src/plugin-sdk/allowlist-config-edit.ts     | 210 ++++++++++++++++
 test/channel-outbounds.ts                   |   6 +
 5 files changed, 626 insertions(+)
 create mode 100644 extensions/imessage/src/outbound-adapter.ts
 create mode 100644 extensions/signal/src/outbound-adapter.ts
 create mode 100644 extensions/slack/src/outbound-adapter.ts
 create mode 100644 src/plugin-sdk/allowlist-config-edit.ts
 create mode 100644 test/channel-outbounds.ts

diff --git a/extensions/imessage/src/outbound-adapter.ts b/extensions/imessage/src/outbound-adapter.ts
new file mode 100644
index 00000000000..ae5e7c2836a
--- /dev/null
+++ b/extensions/imessage/src/outbound-adapter.ts
@@ -0,0 +1,35 @@
+import {
+  createScopedChannelMediaMaxBytesResolver,
+  createDirectTextMediaOutbound,
+} from "../../../src/channels/plugins/outbound/direct-text-media.js";
+import {
+  resolveOutboundSendDep,
+  type OutboundSendDeps,
+} from "../../../src/infra/outbound/send-deps.js";
+import { sendMessageIMessage } from "./send.js";
+
+function resolveIMessageSender(deps: OutboundSendDeps | undefined) {
+  return (
+    resolveOutboundSendDep<typeof sendMessageIMessage>(deps, "imessage") ?? sendMessageIMessage
+  );
+}
+
+export const imessageOutbound = createDirectTextMediaOutbound({
+  channel: "imessage",
+  resolveSender: resolveIMessageSender,
+  resolveMaxBytes: createScopedChannelMediaMaxBytesResolver("imessage"),
+  buildTextOptions: ({ cfg, maxBytes, accountId, replyToId }) => ({
+    config: cfg,
+    maxBytes,
+    accountId: accountId ?? undefined,
+    replyToId: replyToId ?? undefined,
+  }),
+  buildMediaOptions: ({ cfg, mediaUrl, maxBytes, accountId, replyToId, mediaLocalRoots }) => ({
+    config: cfg,
+    mediaUrl,
+    maxBytes,
+    accountId: accountId ?? undefined,
+    replyToId: replyToId ?? undefined,
+    mediaLocalRoots,
+  }),
+});
diff --git a/extensions/signal/src/outbound-adapter.ts b/extensions/signal/src/outbound-adapter.ts
new file mode 100644
index 00000000000..b0d77c12bd0
--- /dev/null
+++ b/extensions/signal/src/outbound-adapter.ts
@@ -0,0 +1,125 @@
+import { resolveTextChunkLimit } from "../../../src/auto-reply/chunk.js";
+import { createScopedChannelMediaMaxBytesResolver } from "../../../src/channels/plugins/outbound/direct-text-media.js";
+import type { ChannelOutboundAdapter } from "../../../src/channels/plugins/types.js";
+import { resolveMarkdownTableMode } from "../../../src/config/markdown-tables.js";
+import {
+  resolveOutboundSendDep,
+  type OutboundSendDeps,
+} from "../../../src/infra/outbound/send-deps.js";
+import { markdownToSignalTextChunks } from "./format.js";
+import { sendMessageSignal } from "./send.js";
+
+function resolveSignalSender(deps: OutboundSendDeps | undefined) {
+  return resolveOutboundSendDep<typeof sendMessageSignal>(deps, "signal") ?? sendMessageSignal;
+}
+
+const resolveSignalMaxBytes = createScopedChannelMediaMaxBytesResolver("signal");
+type SignalSendOpts = NonNullable<Parameters<typeof sendMessageSignal>[2]>;
+
+function inferSignalTableMode(params: { cfg: SignalSendOpts["cfg"]; accountId?: string | null }) {
+  return resolveMarkdownTableMode({
+    cfg: params.cfg,
+    channel: "signal",
+    accountId: params.accountId ?? undefined,
+  });
+}
+
+export const signalOutbound: ChannelOutboundAdapter = {
+  deliveryMode: "direct",
+  chunker: (text, _limit) => text.split(/\n{2,}/).flatMap((chunk) => (chunk ? [chunk] : [])),
+  chunkerMode: "text",
+  textChunkLimit: 4000,
+  sendFormattedText: async ({ cfg, to, text, accountId, deps, abortSignal }) => {
+    const send = resolveSignalSender(deps);
+    const maxBytes = resolveSignalMaxBytes({
+      cfg,
+      accountId: accountId ?? undefined,
+    });
+    const limit = resolveTextChunkLimit(cfg, "signal", accountId ?? undefined, {
+      fallbackLimit: 4000,
+    });
+    const tableMode = inferSignalTableMode({ cfg, accountId });
+    let chunks =
+      limit === undefined
+        ? markdownToSignalTextChunks(text, Number.POSITIVE_INFINITY, { tableMode })
+        : markdownToSignalTextChunks(text, limit, { tableMode });
+    if (chunks.length === 0 && text) {
+      chunks = [{ text, styles: [] }];
+    }
+    const results = [];
+    for (const chunk of chunks) {
+      abortSignal?.throwIfAborted();
+      const result = await send(to, chunk.text, {
+        cfg,
+        maxBytes,
+        accountId: accountId ?? undefined,
+        textMode: "plain",
+        textStyles: chunk.styles,
+      });
+      results.push({ channel: "signal" as const, ...result });
+    }
+    return results;
+  },
+  sendFormattedMedia: async ({
+    cfg,
+    to,
+    text,
+    mediaUrl,
+    mediaLocalRoots,
+    accountId,
+    deps,
+    abortSignal,
+  }) => {
+    abortSignal?.throwIfAborted();
+    const send = resolveSignalSender(deps);
+    const maxBytes = resolveSignalMaxBytes({
+      cfg,
+      accountId: accountId ?? undefined,
+    });
+    const tableMode = inferSignalTableMode({ cfg, accountId });
+    const formatted = markdownToSignalTextChunks(text, Number.POSITIVE_INFINITY, {
+      tableMode,
+    })[0] ?? {
+      text,
+      styles: [],
+    };
+    const result = await send(to, formatted.text, {
+      cfg,
+      mediaUrl,
+      maxBytes,
+      accountId: accountId ?? undefined,
+      textMode: "plain",
+      textStyles: formatted.styles,
+      mediaLocalRoots,
+    });
+    return { channel: "signal", ...result };
+  },
+  sendText: async ({ cfg, to, text, accountId, deps }) => {
+    const send = resolveSignalSender(deps);
+    const maxBytes = resolveSignalMaxBytes({
+      cfg,
+      accountId: accountId ?? undefined,
+    });
+    const result = await send(to, text, {
+      cfg,
+      maxBytes,
+      accountId: accountId ?? undefined,
+    });
+    return { channel: "signal", ...result };
+  },
+  sendMedia: async ({ cfg, to, text, mediaUrl, mediaLocalRoots, accountId, deps }) => {
+    const send = resolveSignalSender(deps);
+    const maxBytes = resolveSignalMaxBytes({
+      cfg,
+      accountId: accountId ?? undefined,
+    });
+    const result = await send(to, text, {
+      cfg,
+      mediaUrl,
+      maxBytes,
+      accountId: accountId ?? undefined,
+      mediaLocalRoots,
+    });
+    return { channel: "signal", ...result };
+  },
+};
diff --git a/extensions/slack/src/outbound-adapter.ts b/extensions/slack/src/outbound-adapter.ts
new file mode 100644
index 00000000000..1c851c8f69e
--- /dev/null
+++ b/extensions/slack/src/outbound-adapter.ts
@@ -0,0 +1,250 @@
+import {
+  resolvePayloadMediaUrls,
+  sendPayloadMediaSequence,
+  sendTextMediaPayload,
+} from "../../../src/channels/plugins/outbound/direct-text-media.js";
+import type { ChannelOutboundAdapter } from "../../../src/channels/plugins/types.js";
+import type { OutboundIdentity } from "../../../src/infra/outbound/identity.js";
+import { resolveOutboundSendDep } from "../../../src/infra/outbound/send-deps.js";
+import {
+  resolveInteractiveTextFallback,
+  type InteractiveReply,
+} from "../../../src/interactive/payload.js";
+import { getGlobalHookRunner } from "../../../src/plugins/hook-runner-global.js";
+import { parseSlackBlocksInput } from "./blocks-input.js";
+import { buildSlackInteractiveBlocks, type SlackBlock } from "./blocks-render.js";
+import { sendMessageSlack, type SlackSendIdentity } from "./send.js";
+
+const SLACK_MAX_BLOCKS = 50;
+
+function resolveRenderedInteractiveBlocks(
+  interactive?: InteractiveReply,
+): SlackBlock[] | undefined {
+  if (!interactive) {
+    return undefined;
+  }
+  const blocks = buildSlackInteractiveBlocks(interactive);
+  return blocks.length > 0 ? blocks : undefined;
+}
+
+function resolveSlackSendIdentity(identity?: OutboundIdentity): SlackSendIdentity | undefined {
+  if (!identity) {
+    return undefined;
+  }
+  const username = identity.name?.trim() || undefined;
+  const iconUrl = identity.avatarUrl?.trim() || undefined;
+  const rawEmoji = identity.emoji?.trim();
+  const iconEmoji = !iconUrl && rawEmoji && /^:[^:\s]+:$/.test(rawEmoji) ? rawEmoji : undefined;
+  if (!username && !iconUrl && !iconEmoji) {
+    return undefined;
+  }
+  return { username, iconUrl, iconEmoji };
+}
+
+async function applySlackMessageSendingHooks(params: {
+  to: string;
+  text: string;
+  threadTs?: string;
+  accountId?: string;
+  mediaUrl?: string;
+}): Promise<{ cancelled: boolean; text: string }> {
+  const hookRunner = getGlobalHookRunner();
+  if (!hookRunner?.hasHooks("message_sending")) {
+    return { cancelled: false, text: params.text };
+  }
+  const hookResult = await hookRunner.runMessageSending(
+    {
+      to: params.to,
+      content: params.text,
+      metadata: {
+        threadTs: params.threadTs,
+        channelId: params.to,
+        ...(params.mediaUrl ? { mediaUrl: params.mediaUrl } : {}),
+      },
+    },
+    { channelId: "slack", accountId: params.accountId ?? undefined },
+  );
+  if (hookResult?.cancel) {
+    return { cancelled: true, text: params.text };
+  }
+  return { cancelled: false, text: hookResult?.content ?? params.text };
+}
+
+async function sendSlackOutboundMessage(params: {
+  cfg: NonNullable<Parameters<typeof sendMessageSlack>[2]>["cfg"];
+  to: string;
+  text: string;
+  mediaUrl?: string;
+  mediaLocalRoots?: readonly string[];
+  blocks?: NonNullable<Parameters<typeof sendMessageSlack>[2]>["blocks"];
+  accountId?: string | null;
+  deps?: { [channelId: string]: unknown } | null;
+  replyToId?: string | null;
+  threadId?: string | number | null;
+  identity?: OutboundIdentity;
+}) {
+  const send =
+    resolveOutboundSendDep<typeof sendMessageSlack>(params.deps, "slack") ?? sendMessageSlack;
+  const threadTs =
+    params.replyToId ?? (params.threadId != null ? String(params.threadId) : undefined);
+  const hookResult = await applySlackMessageSendingHooks({
+    to: params.to,
+    text: params.text,
+    threadTs,
+    mediaUrl: params.mediaUrl,
+    accountId: params.accountId ?? undefined,
+  });
+  if (hookResult.cancelled) {
+    return {
+      channel: "slack" as const,
+      messageId: "cancelled-by-hook",
+      channelId: params.to,
+      meta: { cancelled: true },
+    };
+  }
+
+  const slackIdentity = resolveSlackSendIdentity(params.identity);
+  const result = await send(params.to, hookResult.text, {
+    cfg: params.cfg,
+    threadTs,
+    accountId: params.accountId ?? undefined,
+    ...(params.mediaUrl
+      ? { mediaUrl: params.mediaUrl, mediaLocalRoots: params.mediaLocalRoots }
+      : {}),
+    ...(params.blocks ? { blocks: params.blocks } : {}),
+    ...(slackIdentity ? { identity: slackIdentity } : {}),
+  });
+  return { channel: "slack" as const, ...result };
+}
+
+function resolveSlackBlocks(payload: {
+  channelData?: Record<string, unknown>;
+  interactive?: InteractiveReply;
+}) {
+  const slackData = payload.channelData?.slack;
+  const renderedInteractive = resolveRenderedInteractiveBlocks(payload.interactive);
+  if (!slackData || typeof slackData !== "object" || Array.isArray(slackData)) {
+    return renderedInteractive;
+  }
+  const existingBlocks = parseSlackBlocksInput((slackData as { blocks?: unknown }).blocks) as
+    | SlackBlock[]
+    | undefined;
+  const mergedBlocks = [...(existingBlocks ?? []), ...(renderedInteractive ?? [])];
+  if (mergedBlocks.length === 0) {
+    return undefined;
+  }
+  if (mergedBlocks.length > SLACK_MAX_BLOCKS) {
+    throw new Error(
+      `Slack blocks cannot exceed ${SLACK_MAX_BLOCKS} items after interactive render`,
+    );
+  }
+  return mergedBlocks;
+}
+
+export const slackOutbound: ChannelOutboundAdapter = {
+  deliveryMode: "direct",
+  chunker: null,
+  textChunkLimit: 4000,
+  sendPayload: async (ctx) => {
+    const payload = {
+      ...ctx.payload,
+      text:
+        resolveInteractiveTextFallback({
+          text: ctx.payload.text,
+          interactive: ctx.payload.interactive,
+        }) ?? "",
+    };
+    const blocks = resolveSlackBlocks(payload);
+    if (!blocks) {
+      return await sendTextMediaPayload({
+        channel: "slack",
+        ctx: {
+          ...ctx,
+          payload,
+        },
+        adapter: slackOutbound,
+      });
+    }
+    const mediaUrls = resolvePayloadMediaUrls(payload);
+    if (mediaUrls.length === 0) {
+      return await sendSlackOutboundMessage({
+        cfg: ctx.cfg,
+        to: ctx.to,
+        text: payload.text ?? "",
+        mediaLocalRoots: ctx.mediaLocalRoots,
+        blocks,
+        accountId: ctx.accountId,
+        deps: ctx.deps,
+        replyToId: ctx.replyToId,
+        threadId: ctx.threadId,
+        identity: ctx.identity,
+      });
+    }
+    await sendPayloadMediaSequence({
+      text: "",
+      mediaUrls,
+      send: async ({ text, mediaUrl }) =>
+        await sendSlackOutboundMessage({
+          cfg: ctx.cfg,
+          to: ctx.to,
+          text,
+          mediaUrl,
+          mediaLocalRoots: ctx.mediaLocalRoots,
+          accountId: ctx.accountId,
+          deps: ctx.deps,
+          replyToId: ctx.replyToId,
+          threadId: ctx.threadId,
+          identity: ctx.identity,
+        }),
+    });
+    return await sendSlackOutboundMessage({
+      cfg: ctx.cfg,
+      to: ctx.to,
+      text: payload.text ?? "",
+      mediaLocalRoots: ctx.mediaLocalRoots,
+      blocks,
+      accountId: ctx.accountId,
+      deps: ctx.deps,
+      replyToId: ctx.replyToId,
+      threadId: ctx.threadId,
+      identity: ctx.identity,
+    });
+  },
+  sendText: async ({ cfg, to, text, accountId, deps, replyToId, threadId, identity }) => {
+    return await sendSlackOutboundMessage({
+      cfg,
+      to,
+      text,
+      accountId,
+      deps,
+      replyToId,
+      threadId,
+      identity,
+    });
+  },
+  sendMedia: async ({
+    cfg,
+    to,
+    text,
+    mediaUrl,
+    mediaLocalRoots,
+    accountId,
+    deps,
+    replyToId,
+    threadId,
+    identity,
+  }) => {
+    return await sendSlackOutboundMessage({
+      cfg,
+      to,
+      text,
+      mediaUrl,
+      mediaLocalRoots,
+      accountId,
+      deps,
+      replyToId,
+      threadId,
+      identity,
+    });
+  },
+};
diff --git a/src/plugin-sdk/allowlist-config-edit.ts b/src/plugin-sdk/allowlist-config-edit.ts
new file mode 100644
index 00000000000..4c9f10ec278
--- /dev/null
+++ b/src/plugin-sdk/allowlist-config-edit.ts
@@ -0,0 +1,210 @@
+import type { ConfigWriteTarget } from "../channels/plugins/config-writes.js";
+import type { ChannelAllowlistAdapter } from "../channels/plugins/types.adapters.js";
+import type { ChannelId } from "../channels/plugins/types.js";
+import type { OpenClawConfig } from "../config/config.js";
+import { isBlockedObjectKey } from "../infra/prototype-keys.js";
+import { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../routing/session-key.js";
+
+type AllowlistConfigPaths = {
+  readPaths: string[][];
+  writePath: string[];
+  cleanupPaths?: string[][];
+};
+
+function resolveAccountScopedWriteTarget(
+  parsed: Record<string, unknown>,
+  channelId: ChannelId,
+  accountId?: string | null,
+) {
+  const channels = (parsed.channels ??= {}) as Record<string, unknown>;
+  const channel = (channels[channelId] ??= {}) as Record<string, unknown>;
+  const normalizedAccountId = normalizeAccountId(accountId);
+  if (isBlockedObjectKey(normalizedAccountId)) {
+    return {
+      target: channel,
+      pathPrefix: `channels.${channelId}`,
+      writeTarget: { kind: "channel", scope: { channelId } } as const satisfies ConfigWriteTarget,
+    };
+  }
+  const hasAccounts = Boolean(channel.accounts && typeof channel.accounts === "object");
+  const useAccount = normalizedAccountId !== DEFAULT_ACCOUNT_ID || hasAccounts;
+  if (!useAccount) {
+    return {
+      target: channel,
+      pathPrefix: `channels.${channelId}`,
+      writeTarget: { kind: "channel", scope: { channelId } } as const satisfies ConfigWriteTarget,
+    };
+  }
+  const accounts = (channel.accounts ??= {}) as Record<string, unknown>;
+  const existingAccount = Object.hasOwn(accounts, normalizedAccountId)
+    ? accounts[normalizedAccountId]
+    : undefined;
+  if (!existingAccount || typeof existingAccount !== "object") {
+    accounts[normalizedAccountId] = {};
+  }
+  const account = accounts[normalizedAccountId] as Record<string, unknown>;
+  return {
+    target: account,
+    pathPrefix: `channels.${channelId}.accounts.${normalizedAccountId}`,
+    writeTarget: {
+      kind: "account",
+      scope: { channelId, accountId: normalizedAccountId },
+    } as const satisfies ConfigWriteTarget,
+  };
+}
+
+function getNestedValue(root: Record<string, unknown>, path: string[]): unknown {
+  let current: unknown = root;
+  for (const key of path) {
+    if (!current || typeof current !== "object") {
+      return undefined;
+    }
+    current = (current as Record<string, unknown>)[key];
+  }
+  return current;
+}
+
+function ensureNestedObject(
+  root: Record<string, unknown>,
+  path: string[],
+): Record<string, unknown> {
+  let current = root;
+  for (const key of path) {
+    const existing = current[key];
+    if (!existing || typeof existing !== "object") {
+      current[key] = {};
+    }
+    current = current[key] as Record<string, unknown>;
+  }
+  return current;
+}
+
+function setNestedValue(root: Record<string, unknown>, path: string[], value: unknown) {
+  if (path.length === 0) {
+    return;
+  }
+  if (path.length === 1) {
+    root[path[0]] = value;
+    return;
+  }
+  const parent = ensureNestedObject(root, path.slice(0, -1));
+  parent[path[path.length - 1]] = value;
+}
+
+function deleteNestedValue(root: Record<string, unknown>, path: string[]) {
+  if (path.length === 0) {
+    return;
+  }
+  if (path.length === 1) {
+    delete root[path[0]];
+    return;
+  }
+  const parent = getNestedValue(root, path.slice(0, -1));
+  if (!parent || typeof parent !== "object") {
+    return;
+  }
+  delete (parent as Record<string, unknown>)[path[path.length - 1]];
+}
+
+function applyAccountScopedAllowlistConfigEdit(params: {
+  parsedConfig: Record<string, unknown>;
+  channelId: ChannelId;
+  accountId?: string | null;
+  action: "add" | "remove";
+  entry: string;
+  normalize: (values: Array<string | number>) => string[];
+  paths: AllowlistConfigPaths;
+}): NonNullable<Awaited<ReturnType<NonNullable<ChannelAllowlistAdapter["applyConfigEdit"]>>>> {
+  const resolvedTarget = resolveAccountScopedWriteTarget(
+    params.parsedConfig,
+    params.channelId,
+    params.accountId,
+  );
+  const existing: string[] = [];
+  for (const path of params.paths.readPaths) {
+    const existingRaw = getNestedValue(resolvedTarget.target, path);
+    if (!Array.isArray(existingRaw)) {
+      continue;
+    }
+    for (const entry of existingRaw) {
+      const value = String(entry).trim();
+      if (!value || existing.includes(value)) {
+        continue;
+      }
+      existing.push(value);
+    }
+  }
+
+  const normalizedEntry = params.normalize([params.entry]);
+  if (normalizedEntry.length === 0) {
+    return { kind: "invalid-entry" };
+  }
+
+  const existingNormalized = params.normalize(existing);
+  const shouldMatch = (value: string) => normalizedEntry.includes(value);
+
+  let changed = false;
+  let next = existing;
+  const configHasEntry = existingNormalized.some((value) => shouldMatch(value));
+  if (params.action === "add") {
+    if (!configHasEntry) {
+      next = [...existing, params.entry.trim()];
+      changed = true;
+    }
+  } else {
+    const keep: string[] = [];
+    for (const entry of existing) {
+      const normalized = params.normalize([entry]);
+      if (normalized.some((value) => shouldMatch(value))) {
+        changed = true;
+        continue;
+      }
+      keep.push(entry);
+    }
+    next = keep;
+  }
+
+  if (changed) {
+    if (next.length === 0) {
+      deleteNestedValue(resolvedTarget.target, params.paths.writePath);
+    } else {
+      setNestedValue(resolvedTarget.target, params.paths.writePath, next);
+    }
+    for (const path of params.paths.cleanupPaths ?? []) {
+      deleteNestedValue(resolvedTarget.target, path);
+    }
+  }
+
+  return {
+    kind: "ok",
+    changed,
+    pathLabel: `${resolvedTarget.pathPrefix}.${params.paths.writePath.join(".")}`,
+    writeTarget: resolvedTarget.writeTarget,
+  };
+}
+
+export function buildAccountScopedAllowlistConfigEditor(params: {
+  channelId: ChannelId;
+  normalize: (params: {
+    cfg: OpenClawConfig;
+    accountId?: string | null;
+    values: Array<string | number>;
+  }) => string[];
+  resolvePaths: (scope: "dm" | "group") => AllowlistConfigPaths | null;
+}): NonNullable<ChannelAllowlistAdapter["applyConfigEdit"]> {
+  return ({ cfg, parsedConfig, accountId, scope, action, entry }) => {
+    const paths = params.resolvePaths(scope);
+    if (!paths) {
+      return null;
+    }
+    return applyAccountScopedAllowlistConfigEdit({
+      parsedConfig,
+      channelId: params.channelId,
+      accountId,
+      action,
+      entry,
+      normalize: (values) => params.normalize({ cfg, accountId, values }),
+      paths,
+    });
+  };
+}
diff --git a/test/channel-outbounds.ts b/test/channel-outbounds.ts
new file mode 100644
index 00000000000..a6da5a1c333
--- /dev/null
+++ b/test/channel-outbounds.ts
@@ -0,0 +1,6 @@
+export { discordOutbound } from "../extensions/discord/src/outbound-adapter.js";
+export { imessageOutbound } from "../extensions/imessage/src/outbound-adapter.js";
+export { signalOutbound } from "../extensions/signal/src/outbound-adapter.js";
+export { slackOutbound } from "../extensions/slack/src/outbound-adapter.js";
+export { telegramOutbound } from "../extensions/telegram/src/outbound-adapter.js";
+export { whatsappOutbound } from "../extensions/whatsapp/src/outbound-adapter.js";

From 5ece9afa8b57b51dea3a7aac45d4e788507bcad1 Mon Sep 17 00:00:00 2001
From: ObitaBot <obitabot@obitabot-mini.tail7d3115.ts.net>
Date: Mon, 16 Mar 2026 13:43:26 +0800
Subject: [PATCH 062/133] fix: scope localStorage settings key by basePath to
 prevent cross-deployment conflicts

- Add settingsKeyForGateway() function similar to tokenSessionKeyForGateway()
- Use scoped key format: openclaw.control.settings.v1:https://example.com/gateway-a
- Add migration from legacy static key on load
- Fixes #47481
---
 ui/src/ui/storage.ts | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/ui/src/ui/storage.ts b/ui/src/ui/storage.ts
index 0b23b3436a4..fcd9c4469c8 100644
--- a/ui/src/ui/storage.ts
+++ b/ui/src/ui/storage.ts
@@ -1,8 +1,12 @@
-const KEY = "openclaw.control.settings.v1";
+const SETTINGS_KEY_PREFIX = "openclaw.control.settings.v1:";
 const LEGACY_TOKEN_SESSION_KEY = "openclaw.control.token.v1";
 const TOKEN_SESSION_KEY_PREFIX = "openclaw.control.token.v1:";
 const MAX_SCOPED_SESSION_ENTRIES = 10;
 
+function settingsKeyForGateway(gatewayUrl: string): string {
+  return `${SETTINGS_KEY_PREFIX}${normalizeGatewayTokenScope(gatewayUrl)}`;
+}
+
 type ScopedSessionSelection = {
   sessionKey: string;
   lastActiveSessionKey: string;
@@ -188,7 +192,9 @@ export function loadSettings(): UiSettings {
   };
 
   try {
-    const raw = storage?.getItem(KEY);
+    // First check for legacy key (no scope), then check for scoped key
+    const scopedKey = settingsKeyForGateway(defaults.gatewayUrl);
+    const raw = storage?.getItem(scopedKey) ?? storage?.getItem(SETTINGS_KEY_PREFIX + "default") ?? storage?.getItem("openclaw.control.settings.v1");
     if (!raw) {
       return defaults;
     }
@@ -256,9 +262,11 @@ function persistSettings(next: UiSettings) {
   persistSessionToken(next.gatewayUrl, next.token);
   const storage = getSafeLocalStorage();
   const scope = normalizeGatewayTokenScope(next.gatewayUrl);
+  const scopedKey = settingsKeyForGateway(next.gatewayUrl);
   let existingSessionsByGateway: Record<string, ScopedSessionSelection> = {};
   try {
-    const raw = storage?.getItem(KEY);
+    // Try to migrate from legacy key or other scopes
+    const raw = storage?.getItem(scopedKey) ?? storage?.getItem(SETTINGS_KEY_PREFIX + "default") ?? storage?.getItem("openclaw.control.settings.v1");
     if (raw) {
       const parsed = JSON.parse(raw) as PersistedUiSettings;
       if (parsed.sessionsByGateway && typeof parsed.sessionsByGateway === "object") {
@@ -294,5 +302,5 @@ function persistSettings(next: UiSettings) {
     sessionsByGateway,
     ...(next.locale ? { locale: next.locale } : {}),
   };
-  storage?.setItem(KEY, JSON.stringify(persisted));
+  storage?.setItem(scopedKey, JSON.stringify(persisted));
 }

From d410debd01f72b0a46f6ac6fb4fc93e954009358 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Sun, 15 Mar 2026 23:50:04 -0700
Subject: [PATCH 063/133] Tests: add provider contract suites

---
 src/plugins/contracts/suites.ts | 75 +++++++++++++++++++++++++++++++++
 1 file changed, 75 insertions(+)
 create mode 100644 src/plugins/contracts/suites.ts

diff --git a/src/plugins/contracts/suites.ts b/src/plugins/contracts/suites.ts
new file mode 100644
index 00000000000..22898242855
--- /dev/null
+++ b/src/plugins/contracts/suites.ts
@@ -0,0 +1,75 @@
+import { expect, it } from "vitest";
+import type { OpenClawConfig } from "../../config/config.js";
+import type { ProviderPlugin, WebSearchProviderPlugin } from "../types.js";
+
+export function installProviderPluginContractSuite(params: { provider: ProviderPlugin }) {
+  it("satisfies the base provider plugin contract", () => {
+    const { provider } = params;
+
+    expect(provider.id).toMatch(/^[a-z0-9][a-z0-9-]*$/);
+    expect(provider.label.trim()).not.toBe("");
+
+    if (provider.docsPath) {
+      expect(provider.docsPath.startsWith("/")).toBe(true);
+    }
+    if (provider.aliases) {
+      expect(provider.aliases).toEqual([...new Set(provider.aliases)]);
+    }
+    if (provider.envVars) {
+      expect(provider.envVars).toEqual([...new Set(provider.envVars)]);
+      expect(provider.envVars.every((entry) => entry.trim().length > 0)).toBe(true);
+    }
+
+    expect(Array.isArray(provider.auth)).toBe(true);
+    const authIds = provider.auth.map((method) => method.id);
+    expect(authIds).toEqual([...new Set(authIds)]);
+    for (const method of provider.auth) {
+      expect(method.id.trim()).not.toBe("");
+      expect(method.label.trim()).not.toBe("");
+      expect(method.hint.trim()).not.toBe("");
+      expect(typeof method.run).toBe("function");
+    }
+  });
+}
+
+export function installWebSearchProviderContractSuite(params: {
+  provider: WebSearchProviderPlugin;
+  credentialValue: unknown;
+}) {
+  it("satisfies the base web search provider contract", () => {
+    const { provider } = params;
+
+    expect(provider.id).toMatch(/^[a-z0-9][a-z0-9-]*$/);
+    expect(provider.label.trim()).not.toBe("");
+    expect(provider.hint.trim()).not.toBe("");
+    expect(provider.placeholder.trim()).not.toBe("");
+    expect(provider.signupUrl.startsWith("https://")).toBe(true);
+    if (provider.docsUrl) {
+      expect(provider.docsUrl.startsWith("http")).toBe(true);
+    }
+
+    expect(provider.envVars).toEqual([...new Set(provider.envVars)]);
+    expect(provider.envVars.every((entry) => entry.trim().length > 0)).toBe(true);
+
+    const searchConfigTarget: Record<string, unknown> = {};
+    provider.setCredentialValue(searchConfigTarget, params.credentialValue);
+    expect(provider.getCredentialValue(searchConfigTarget)).toEqual(params.credentialValue);
+
+    const config = {
+      tools: {
+        web: {
+          search: {
+            provider: provider.id,
+            ...searchConfigTarget,
+          },
+        },
+      },
+    } as OpenClawConfig;
+    const tool = provider.createTool({ config, searchConfig: searchConfigTarget });
+
+    expect(tool).not.toBeNull();
+    expect(tool?.description.trim()).not.toBe("");
+    expect(tool?.parameters).toEqual(expect.any(Object));
+    expect(typeof tool?.execute).toBe("function");
+  });
+}

From a8878be0fdfa78edc86b596edaf44b49c4346852 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Sun, 15 Mar 2026 23:50:12 -0700
Subject: [PATCH 064/133] Tests: add provider contract registry

---
 src/plugins/contracts/registry.ts | 126 ++++++++++++++++++++++++++++++
 1 file changed, 126 insertions(+)
 create mode 100644 src/plugins/contracts/registry.ts

diff --git a/src/plugins/contracts/registry.ts b/src/plugins/contracts/registry.ts
new file mode 100644
index 00000000000..fce86382798
--- /dev/null
+++ b/src/plugins/contracts/registry.ts
@@ -0,0 +1,126 @@
+import anthropicPlugin from "../../../extensions/anthropic/index.js";
+import bravePlugin from "../../../extensions/brave/index.js";
+import byteplusPlugin from "../../../extensions/byteplus/index.js";
+import cloudflareAiGatewayPlugin from "../../../extensions/cloudflare-ai-gateway/index.js";
+import copilotProxyPlugin from "../../../extensions/copilot-proxy/index.js";
+import firecrawlPlugin from "../../../extensions/firecrawl/index.js";
+import githubCopilotPlugin from "../../../extensions/github-copilot/index.js";
+import googlePlugin from "../../../extensions/google/index.js";
+import huggingFacePlugin from "../../../extensions/huggingface/index.js";
+import kilocodePlugin from "../../../extensions/kilocode/index.js";
+import kimiCodingPlugin from "../../../extensions/kimi-coding/index.js";
+import minimaxPlugin from "../../../extensions/minimax/index.js";
+import mistralPlugin from "../../../extensions/mistral/index.js";
+import modelStudioPlugin from "../../../extensions/modelstudio/index.js";
+import moonshotPlugin from "../../../extensions/moonshot/index.js";
+import nvidiaPlugin from "../../../extensions/nvidia/index.js";
+import ollamaPlugin from "../../../extensions/ollama/index.js";
+import openAIPlugin from "../../../extensions/openai/index.js";
+import opencodeGoPlugin from "../../../extensions/opencode-go/index.js";
+import opencodePlugin from "../../../extensions/opencode/index.js";
+import openRouterPlugin from "../../../extensions/openrouter/index.js";
+import perplexityPlugin from "../../../extensions/perplexity/index.js";
+import qianfanPlugin from "../../../extensions/qianfan/index.js";
+import qwenPortalPlugin from "../../../extensions/qwen-portal-auth/index.js";
+import sglangPlugin from "../../../extensions/sglang/index.js";
+import syntheticPlugin from "../../../extensions/synthetic/index.js";
+import togetherPlugin from "../../../extensions/together/index.js";
+import venicePlugin from "../../../extensions/venice/index.js";
+import vercelAiGatewayPlugin from "../../../extensions/vercel-ai-gateway/index.js";
+import vllmPlugin from "../../../extensions/vllm/index.js";
+import volcenginePlugin from "../../../extensions/volcengine/index.js";
+import xaiPlugin from "../../../extensions/xai/index.js";
+import xiaomiPlugin from "../../../extensions/xiaomi/index.js";
+import zaiPlugin from "../../../extensions/zai/index.js";
+import { createCapturedPluginRegistration } from "../../test-utils/plugin-registration.js";
+import type { OpenClawPluginApi } from "../types.js";
+import type { ProviderPlugin, WebSearchProviderPlugin } from "../types.js";
+
+type RegistrablePlugin = {
+  id: string;
+  register: (api: ReturnType<typeof createCapturedPluginRegistration>["api"]) => void;
+};
+
+type ProviderContractEntry = {
+  pluginId: string;
+  provider: ProviderPlugin;
+};
+
+type WebSearchProviderContractEntry = {
+  pluginId: string;
+  provider: WebSearchProviderPlugin;
+  credentialValue: unknown;
+};
+
+const bundledProviderPlugins: RegistrablePlugin[] = [
+  anthropicPlugin,
+  byteplusPlugin,
+  cloudflareAiGatewayPlugin,
+  copilotProxyPlugin,
+  githubCopilotPlugin,
+  googlePlugin,
+  huggingFacePlugin,
+  kilocodePlugin,
+  kimiCodingPlugin,
+  minimaxPlugin,
+  mistralPlugin,
+  modelStudioPlugin,
+  moonshotPlugin,
+  nvidiaPlugin,
+  ollamaPlugin,
+  opencodeGoPlugin,
+  opencodePlugin,
+  openAIPlugin,
+  openRouterPlugin,
+  qianfanPlugin,
+  qwenPortalPlugin,
+  sglangPlugin,
+  syntheticPlugin,
+  togetherPlugin,
+  venicePlugin,
+  vercelAiGatewayPlugin,
+  vllmPlugin,
+  volcenginePlugin,
+  xaiPlugin,
+  xiaomiPlugin,
+  zaiPlugin,
+];
+
+const bundledWebSearchPlugins: Array<RegistrablePlugin & { credentialValue: unknown }> = [
+  { ...bravePlugin, credentialValue: "BSA-test" },
+  { ...firecrawlPlugin, credentialValue: "fc-test" },
+  { ...googlePlugin, credentialValue: "AIza-test" },
+  { ...moonshotPlugin, credentialValue: "sk-test" },
+  { ...perplexityPlugin, credentialValue: "pplx-test" },
+  { ...xaiPlugin, credentialValue: "xai-test" },
+];
+
+function captureRegistrations(plugin: RegistrablePlugin) {
+  const captured = createCapturedPluginRegistration();
+  const api = {
+    ...captured.api,
+    registerTool() {},
+  } satisfies Partial<OpenClawPluginApi>;
+  plugin.register(api as OpenClawPluginApi);
+  return captured;
+}
+
+export const providerContractRegistry: ProviderContractEntry[] = bundledProviderPlugins.flatMap(
+  (plugin) => {
+    const captured = captureRegistrations(plugin);
+    return captured.providers.map((provider) => ({
+      pluginId: plugin.id,
+      provider,
+    }));
+  },
+);
+
+export const webSearchProviderContractRegistry: WebSearchProviderContractEntry[] =
+  bundledWebSearchPlugins.flatMap((plugin) => {
+    const captured = captureRegistrations(plugin);
+    return captured.webSearchProviders.map((provider) => ({
+      pluginId: plugin.id,
+      provider,
+      credentialValue: plugin.credentialValue,
+    }));
+  });

From 0f502726e18a2826c77e1d7b1ac8a65d44d8ddf3 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Sun, 15 Mar 2026 23:50:20 -0700
Subject: [PATCH 065/133] Tests: add global provider contract suite

---
 src/plugins/contracts/provider.contract.test.ts | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 src/plugins/contracts/provider.contract.test.ts

diff --git a/src/plugins/contracts/provider.contract.test.ts b/src/plugins/contracts/provider.contract.test.ts
new file mode 100644
index 00000000000..9ff8f7458d3
--- /dev/null
+++ b/src/plugins/contracts/provider.contract.test.ts
@@ -0,0 +1,11 @@
+import { describe } from "vitest";
+import { providerContractRegistry } from "./registry.js";
+import { installProviderPluginContractSuite } from "./suites.js";
+
+for (const entry of providerContractRegistry) {
+  describe(`${entry.pluginId}:${entry.provider.id} provider contract`, () => {
+    installProviderPluginContractSuite({
+      provider: entry.provider,
+    });
+  });
+}

From 9b73673313880d49ed926759fe6e5051fa9dd10d Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Sun, 15 Mar 2026 23:50:29 -0700
Subject: [PATCH 066/133] Tests: add global web search contract suite

---
 .../contracts/web-search-provider.contract.test.ts   | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 src/plugins/contracts/web-search-provider.contract.test.ts

diff --git a/src/plugins/contracts/web-search-provider.contract.test.ts b/src/plugins/contracts/web-search-provider.contract.test.ts
new file mode 100644
index 00000000000..c07eebaf6b5
--- /dev/null
+++ b/src/plugins/contracts/web-search-provider.contract.test.ts
@@ -0,0 +1,12 @@
+import { describe } from "vitest";
+import { webSearchProviderContractRegistry } from "./registry.js";
+import { installWebSearchProviderContractSuite } from "./suites.js";
+
+for (const entry of webSearchProviderContractRegistry) {
+  describe(`${entry.pluginId}:${entry.provider.id} web search contract`, () => {
+    installWebSearchProviderContractSuite({
+      provider: entry.provider,
+      credentialValue: entry.credentialValue,
+    });
+  });
+}

From a8367bb0ec1c1ed0f44219e3c7435a85ccccebef Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Mar 2026 06:50:55 +0000
Subject: [PATCH 067/133] fix: stabilize ci gate

---
 ...ent.delivery-target-thread-session.test.ts | 11 +++++++
 src/cron/isolated-agent.test-setup.ts         | 16 +++++++++-
 src/infra/bonjour.ts                          | 30 +++++--------------
 src/infra/outbound/channel-adapters.test.ts   | 11 ++++++-
 src/infra/outbound/outbound-policy.test.ts    | 11 ++++++-
 src/infra/outbound/outbound.test.ts           |  9 ++++++
 6 files changed, 62 insertions(+), 26 deletions(-)

diff --git a/src/cron/isolated-agent.delivery-target-thread-session.test.ts b/src/cron/isolated-agent.delivery-target-thread-session.test.ts
index a034d7ab924..51f9c645a03 100644
--- a/src/cron/isolated-agent.delivery-target-thread-session.test.ts
+++ b/src/cron/isolated-agent.delivery-target-thread-session.test.ts
@@ -1,4 +1,5 @@
 import { describe, expect, it, vi } from "vitest";
+import { parseTelegramTarget } from "../../extensions/telegram/src/targets.js";
 import type { OpenClawConfig } from "../config/config.js";
 
 // Mock session store so we can control what entries exist.
@@ -19,6 +20,16 @@ vi.mock("../channels/plugins/index.js", () => ({
   getChannelPlugin: vi.fn(() => ({
     meta: { label: "Telegram" },
     config: {},
+    messaging: {
+      parseExplicitTarget: ({ raw }: { raw: string }) => {
+        const target = parseTelegramTarget(raw);
+        return {
+          to: target.chatId,
+          threadId: target.messageThreadId,
+          chatType: target.chatType === "unknown" ? undefined : target.chatType,
+        };
+      },
+    },
     outbound: {
       resolveTarget: ({ to }: { to?: string }) =>
         to ? { ok: true, to } : { ok: false, error: new Error("missing") },
diff --git a/src/cron/isolated-agent.test-setup.ts b/src/cron/isolated-agent.test-setup.ts
index bdeb71fbaf4..17093bda0a5 100644
--- a/src/cron/isolated-agent.test-setup.ts
+++ b/src/cron/isolated-agent.test-setup.ts
@@ -1,5 +1,6 @@
 import { vi } from "vitest";
 import { signalOutbound, telegramOutbound } from "../../test/channel-outbounds.js";
+import { parseTelegramTarget } from "../../extensions/telegram/src/targets.js";
 import { loadModelCatalog } from "../agents/model-catalog.js";
 import { runEmbeddedPiAgent } from "../agents/pi-embedded.js";
 import { runSubagentAnnounceFlow } from "../agents/subagent-announce.js";
@@ -19,7 +20,20 @@ export function setupIsolatedAgentTurnMocks(params?: { fast?: boolean }): void {
     createTestRegistry([
       {
         pluginId: "telegram",
-        plugin: createOutboundTestPlugin({ id: "telegram", outbound: telegramOutbound }),
+        plugin: createOutboundTestPlugin({
+          id: "telegram",
+          outbound: telegramOutbound,
+          messaging: {
+            parseExplicitTarget: ({ raw }) => {
+              const target = parseTelegramTarget(raw);
+              return {
+                to: target.chatId,
+                threadId: target.messageThreadId,
+                chatType: target.chatType === "unknown" ? undefined : target.chatType,
+              };
+            },
+          },
+        }),
         source: "test",
       },
       {
diff --git a/src/infra/bonjour.ts b/src/infra/bonjour.ts
index 9e7790e2065..2b500986f33 100644
--- a/src/infra/bonjour.ts
+++ b/src/infra/bonjour.ts
@@ -48,35 +48,18 @@ function prettifyInstanceName(name: string) {
   return normalized.replace(/\s+\(OpenClaw\)\s*$/i, "").trim() || normalized;
 }
 
-type BonjourService = {
-  advertise: () => Promise<void>;
-  destroy: () => Promise<void>;
-  getFQDN: () => string;
-  getHostname: () => string;
-  getPort: () => number;
-  on: (event: string, listener: (...args: unknown[]) => void) => unknown;
-  serviceState: string;
-};
+type BonjourService = import("@homebridge/ciao").CiaoService;
+type BonjourResponder = import("@homebridge/ciao").Responder;
+type BonjourServiceState = BonjourService["serviceState"];
 
 type BonjourCycle = {
-  responder: {
-    createService: (options: {
-      name: string;
-      type: string;
-      protocol: unknown;
-      port: number;
-      domain: string;
-      hostname: string;
-      txt: Record<string, string>;
-    }) => unknown;
-    shutdown: () => Promise<void>;
-  };
+  responder: BonjourResponder;
   services: Array<{ label: string; svc: BonjourService }>;
   cleanupUnhandledRejection?: () => void;
 };
 
 type ServiceStateTracker = {
-  state: string;
+  state: BonjourServiceState | "unknown";
   sinceMs: number;
 };
 
@@ -271,7 +254,8 @@ export async function startGatewayBonjourAdvertiser(
   const updateStateTrackers = (services: Array<{ label: string; svc: BonjourService }>) => {
     const now = Date.now();
     for (const { label, svc } of services) {
-      const nextState = typeof svc.serviceState === "string" ? svc.serviceState : "unknown";
+      const nextState: BonjourServiceState | "unknown" =
+        typeof svc.serviceState === "string" ? svc.serviceState : "unknown";
       const current = stateTracker.get(label);
       if (!current || current.state !== nextState) {
         stateTracker.set(label, { state: nextState, sinceMs: now });
diff --git a/src/infra/outbound/channel-adapters.test.ts b/src/infra/outbound/channel-adapters.test.ts
index d8a01aadb2b..ca39b403226 100644
--- a/src/infra/outbound/channel-adapters.test.ts
+++ b/src/infra/outbound/channel-adapters.test.ts
@@ -1,9 +1,18 @@
 import { Separator, TextDisplay } from "@buape/carbon";
-import { describe, expect, it } from "vitest";
+import { beforeEach, describe, expect, it } from "vitest";
+import { discordPlugin } from "../../../extensions/discord/src/channel.js";
 import { DiscordUiContainer } from "../../../extensions/discord/src/ui.js";
+import { setActivePluginRegistry } from "../../plugins/runtime.js";
+import { createTestRegistry } from "../../test-utils/channel-plugins.js";
 import { getChannelMessageAdapter } from "./channel-adapters.js";
 
 describe("getChannelMessageAdapter", () => {
+  beforeEach(() => {
+    setActivePluginRegistry(
+      createTestRegistry([{ pluginId: "discord", plugin: discordPlugin, source: "test" }]),
+    );
+  });
+
   it("returns the default adapter for non-discord channels", () => {
     expect(getChannelMessageAdapter("telegram")).toEqual({
       supportsComponentsV2: false,
diff --git a/src/infra/outbound/outbound-policy.test.ts b/src/infra/outbound/outbound-policy.test.ts
index fd19649c345..43e71afb923 100644
--- a/src/infra/outbound/outbound-policy.test.ts
+++ b/src/infra/outbound/outbound-policy.test.ts
@@ -1,5 +1,8 @@
-import { describe, expect, it } from "vitest";
+import { beforeEach, describe, expect, it } from "vitest";
+import { discordPlugin } from "../../../extensions/discord/src/channel.js";
 import type { OpenClawConfig } from "../../config/config.js";
+import { setActivePluginRegistry } from "../../plugins/runtime.js";
+import { createTestRegistry } from "../../test-utils/channel-plugins.js";
 import {
   applyCrossContextDecoration,
   buildCrossContextDecoration,
@@ -23,6 +26,12 @@ const discordConfig = {
 } as OpenClawConfig;
 
 describe("outbound policy helpers", () => {
+  beforeEach(() => {
+    setActivePluginRegistry(
+      createTestRegistry([{ pluginId: "discord", plugin: discordPlugin, source: "test" }]),
+    );
+  });
+
   it("allows cross-provider sends when enabled", () => {
     const cfg = {
       ...slackConfig,
diff --git a/src/infra/outbound/outbound.test.ts b/src/infra/outbound/outbound.test.ts
index 9e58d5c6c05..5c2303d7154 100644
--- a/src/infra/outbound/outbound.test.ts
+++ b/src/infra/outbound/outbound.test.ts
@@ -2,8 +2,11 @@ import fs from "node:fs";
 import os from "node:os";
 import path from "node:path";
 import { afterAll, afterEach, beforeAll, beforeEach, describe, expect, it, vi } from "vitest";
+import { discordPlugin } from "../../../extensions/discord/src/channel.js";
 import type { ReplyPayload } from "../../auto-reply/types.js";
 import type { OpenClawConfig } from "../../config/config.js";
+import { setActivePluginRegistry } from "../../plugins/runtime.js";
+import { createTestRegistry } from "../../test-utils/channel-plugins.js";
 import { typedCases } from "../../test-utils/typed-cases.js";
 import {
   ackDelivery,
@@ -39,6 +42,12 @@ import {
 } from "./payloads.js";
 import { runResolveOutboundTargetCoreTests } from "./targets.shared-test.js";
 
+beforeEach(() => {
+  setActivePluginRegistry(
+    createTestRegistry([{ pluginId: "discord", plugin: discordPlugin, source: "test" }]),
+  );
+});
+
 describe("delivery-queue", () => {
   let tmpDir: string;
   let fixtureRoot = "";

From d7ab1a6c7cc6a479db379d086016f6f0cfc3a4f9 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Sun, 15 Mar 2026 23:54:37 -0700
Subject: [PATCH 068/133] Tests: add provider registry contract suite

---
 .../contracts/registry.contract.test.ts       | 43 +++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 src/plugins/contracts/registry.contract.test.ts

diff --git a/src/plugins/contracts/registry.contract.test.ts b/src/plugins/contracts/registry.contract.test.ts
new file mode 100644
index 00000000000..a87261fe58c
--- /dev/null
+++ b/src/plugins/contracts/registry.contract.test.ts
@@ -0,0 +1,43 @@
+import { describe, expect, it } from "vitest";
+import { providerContractRegistry, webSearchProviderContractRegistry } from "./registry.js";
+
+function findProviderIdsForPlugin(pluginId: string) {
+  return providerContractRegistry
+    .filter((entry) => entry.pluginId === pluginId)
+    .map((entry) => entry.provider.id)
+    .toSorted((left, right) => left.localeCompare(right));
+}
+
+function findWebSearchIdsForPlugin(pluginId: string) {
+  return webSearchProviderContractRegistry
+    .filter((entry) => entry.pluginId === pluginId)
+    .map((entry) => entry.provider.id)
+    .toSorted((left, right) => left.localeCompare(right));
+}
+
+describe("plugin contract registry", () => {
+  it("does not duplicate bundled provider ids", () => {
+    const ids = providerContractRegistry.map((entry) => entry.provider.id);
+    expect(ids).toEqual([...new Set(ids)]);
+  });
+
+  it("does not duplicate bundled web search provider ids", () => {
+    const ids = webSearchProviderContractRegistry.map((entry) => entry.provider.id);
+    expect(ids).toEqual([...new Set(ids)]);
+  });
+
+  it("keeps multi-provider plugin ownership explicit", () => {
+    expect(findProviderIdsForPlugin("google")).toEqual(["google", "google-gemini-cli"]);
+    expect(findProviderIdsForPlugin("minimax")).toEqual(["minimax", "minimax-portal"]);
+    expect(findProviderIdsForPlugin("openai")).toEqual(["openai", "openai-codex"]);
+  });
+
+  it("keeps bundled web search ownership explicit", () => {
+    expect(findWebSearchIdsForPlugin("brave")).toEqual(["brave"]);
+    expect(findWebSearchIdsForPlugin("firecrawl")).toEqual(["firecrawl"]);
+    expect(findWebSearchIdsForPlugin("google")).toEqual(["gemini"]);
+    expect(findWebSearchIdsForPlugin("moonshot")).toEqual(["kimi"]);
+    expect(findWebSearchIdsForPlugin("perplexity")).toEqual(["perplexity"]);
+    expect(findWebSearchIdsForPlugin("xai")).toEqual(["grok"]);
+  });
+});

From 10cd276641aaf0d37ed90c6cd5ea6a7b87e72d96 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Sun, 15 Mar 2026 23:54:51 -0700
Subject: [PATCH 069/133] Tests: relax provider auth hint contract

---
 src/plugins/contracts/suites.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/plugins/contracts/suites.ts b/src/plugins/contracts/suites.ts
index 22898242855..9bc0d8ff8f6 100644
--- a/src/plugins/contracts/suites.ts
+++ b/src/plugins/contracts/suites.ts
@@ -26,7 +26,9 @@ export function installProviderPluginContractSuite(params: { provider: ProviderP
     for (const method of provider.auth) {
       expect(method.id.trim()).not.toBe("");
       expect(method.label.trim()).not.toBe("");
-      expect(method.hint.trim()).not.toBe("");
+      if (method.hint !== undefined) {
+        expect(method.hint.trim()).not.toBe("");
+      }
       expect(typeof method.run).toBe("function");
     }
   });

From 476d948732d0269206fadf78d3463ce7df30e078 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Sun, 15 Mar 2026 23:56:08 -0700
Subject: [PATCH 070/133] !refactor(browser): remove Chrome extension path and
 add MCP doctor migration (#47893)

* Browser: replace extension path with Chrome MCP

* Browser: clarify relay stub and doctor checks

* Docs: mark browser MCP migration as breaking

* Browser: reject unsupported profile drivers

* Browser: accept clawd alias on profile create

* Doctor: narrow legacy browser driver migration
---
 CHANGELOG.md                                  |    4 +
 assets/chrome-extension/README.md             |   23 -
 assets/chrome-extension/background-utils.js   |   64 -
 assets/chrome-extension/background.js         | 1025 --------------
 assets/chrome-extension/manifest.json         |   25 -
 assets/chrome-extension/options-validation.js |   57 -
 assets/chrome-extension/options.html          |  200 ---
 assets/chrome-extension/options.js            |   74 -
 docs/.generated/config-baseline.json          |   16 +-
 docs/.generated/config-baseline.jsonl         |    3 +-
 docs/cli/browser.md                           |   25 +-
 docs/cli/docs.md                              |    2 +-
 docs/docs.json                                |    2 -
 docs/gateway/configuration-reference.md       |    4 +-
 docs/gateway/doctor.md                        |   30 +
 docs/gateway/security/index.md                |    5 +-
 docs/gateway/troubleshooting.md               |    5 +-
 docs/help/faq.md                              |   34 +-
 docs/help/troubleshooting.md                  |    5 +-
 docs/install/docker.md                        |    1 +
 docs/tools/browser-linux-troubleshooting.md   |   11 +-
 docs/tools/browser-login.md                   |    1 -
 ...wsl2-windows-remote-cdp-troubleshooting.md |   67 +-
 docs/tools/browser.md                         |  108 +-
 docs/tools/chrome-extension.md                |  203 ---
 docs/tools/index.md                           |    3 +-
 scripts/test-parallel.mjs                     |    1 -
 src/agents/tools/browser-tool.actions.ts      |   20 +-
 src/agents/tools/browser-tool.test.ts         |   30 +-
 src/agents/tools/browser-tool.ts              |    6 +-
 src/browser/browser-utils.test.ts             |   30 +-
 src/browser/cdp.helpers.ts                    |    4 +-
 .../chrome-extension-background-utils.test.ts |  133 --
 src/browser/chrome-extension-manifest.test.ts |   29 -
 ...hrome-extension-options-validation.test.ts |  113 --
 src/browser/chrome-mcp.ts                     |    2 +-
 src/browser/chrome.executables.ts             |   90 ++
 src/browser/client.ts                         |    6 +-
 src/browser/config.test.ts                    |   11 -
 src/browser/config.ts                         |   13 +-
 .../extension-relay-auth.secretref.test.ts    |  117 --
 src/browser/extension-relay-auth.test.ts      |  131 --
 src/browser/extension-relay-auth.ts           |  113 --
 src/browser/extension-relay.bind-host.test.ts |   49 -
 src/browser/extension-relay.test.ts           | 1224 -----------------
 src/browser/extension-relay.ts                | 1068 --------------
 src/browser/profile-capabilities.ts           |   40 +-
 src/browser/profiles-service.test.ts          |   31 -
 src/browser/profiles-service.ts               |   25 +-
 ...ge-for-targetid.extension-fallback.test.ts |   26 +-
 src/browser/pw-session.page-cdp.test.ts       |   63 +-
 src/browser/pw-session.page-cdp.ts            |   48 -
 src/browser/pw-session.ts                     |   21 +-
 .../routes/agent.snapshot.plan.test.ts        |   10 +-
 src/browser/routes/basic.ts                   |   21 +-
 src/browser/server-context.availability.ts    |   39 +-
 ...-tab-available.prefers-last-target.test.ts |  178 ---
 src/browser/server-context.reset.test.ts      |   22 -
 src/browser/server-context.reset.ts           |    5 -
 src/browser/server-context.selection.ts       |   23 +-
 src/browser/server-lifecycle.test.ts          |   92 +-
 src/browser/server-lifecycle.ts               |   28 +-
 .../server.control-server.test-harness.ts     |    2 +-
 ...s-open-profile-unknown-returns-404.test.ts |   29 +-
 src/cli/browser-cli-extension.test.ts         |  190 ---
 src/cli/browser-cli-extension.ts              |  140 --
 src/cli/browser-cli-manage.ts                 |   22 +-
 src/cli/browser-cli.ts                        |    2 -
 src/commands/doctor-browser.test.ts           |   96 ++
 src/commands/doctor-browser.ts                |  108 ++
 src/commands/doctor-config-flow.test.ts       |   54 +
 src/commands/doctor-legacy-config.ts          |   62 +
 src/commands/doctor.fast-path-mocks.ts        |    4 +
 src/commands/doctor.ts                        |    2 +
 src/config/schema.help.quality.test.ts        |    2 +-
 src/config/schema.help.ts                     |    4 +-
 src/config/schema.labels.ts                   |    1 -
 src/config/types.browser.ts                   |    8 +-
 src/config/zod-schema.ts                      |    8 +-
 src/node-host/invoke-browser.test.ts          |    6 +-
 80 files changed, 644 insertions(+), 5955 deletions(-)
 delete mode 100644 assets/chrome-extension/README.md
 delete mode 100644 assets/chrome-extension/background-utils.js
 delete mode 100644 assets/chrome-extension/background.js
 delete mode 100644 assets/chrome-extension/manifest.json
 delete mode 100644 assets/chrome-extension/options-validation.js
 delete mode 100644 assets/chrome-extension/options.html
 delete mode 100644 assets/chrome-extension/options.js
 delete mode 100644 docs/tools/chrome-extension.md
 delete mode 100644 src/browser/chrome-extension-background-utils.test.ts
 delete mode 100644 src/browser/chrome-extension-manifest.test.ts
 delete mode 100644 src/browser/chrome-extension-options-validation.test.ts
 delete mode 100644 src/browser/extension-relay-auth.secretref.test.ts
 delete mode 100644 src/browser/extension-relay-auth.test.ts
 delete mode 100644 src/browser/extension-relay-auth.ts
 delete mode 100644 src/browser/extension-relay.bind-host.test.ts
 delete mode 100644 src/browser/extension-relay.test.ts
 delete mode 100644 src/browser/extension-relay.ts
 delete mode 100644 src/browser/server-context.ensure-tab-available.prefers-last-target.test.ts
 delete mode 100644 src/cli/browser-cli-extension.test.ts
 delete mode 100644 src/cli/browser-cli-extension.ts
 create mode 100644 src/commands/doctor-browser.test.ts
 create mode 100644 src/commands/doctor-browser.ts

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a21ff47279b..384fcffc330 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -27,6 +27,10 @@ Docs: https://docs.openclaw.ai
 - Feishu/cards: add structured interactive approval and quick-action launcher cards, preserve callback user and conversation context through routing, and keep legacy card-action fallback behavior so common actions can run without typing raw commands. (#47873)
 - Feishu/ACP: add current-conversation ACP and subagent session binding for supported DMs and topic conversations, including completion delivery back to the originating Feishu conversation. (#46819)
 
+### Breaking
+
+- Browser/Chrome MCP: remove the legacy Chrome extension relay path, bundled extension assets, `driver: "extension"`, and `browser.relayBindHost`. Run `openclaw doctor --fix` to migrate host-local browser config to `existing-session` / `user`; Docker, headless, sandbox, and remote browser flows still use raw CDP. Thanks @vincentkoc.
+
 ### Fixes
 
 - Group mention gating: reject invalid and unsafe nested-repetition `mentionPatterns`, reuse the shared safe config-regex compiler across mention stripping and detection, and cache strip-time regex compilation so noisy groups avoid repeated recompiles.
diff --git a/assets/chrome-extension/README.md b/assets/chrome-extension/README.md
deleted file mode 100644
index 4ee072c1f2b..00000000000
--- a/assets/chrome-extension/README.md
+++ /dev/null
@@ -1,23 +0,0 @@
-# OpenClaw Chrome Extension (Browser Relay)
-
-Purpose: attach OpenClaw to an existing Chrome tab so the Gateway can automate it (via the local CDP relay server).
-
-## Dev / load unpacked
-
-1. Build/run OpenClaw Gateway with browser control enabled.
-2. Ensure the relay server is reachable at `http://127.0.0.1:18792/` (default).
-3. Install the extension to a stable path:
-
-   ```bash
-   openclaw browser extension install
-   openclaw browser extension path
-   ```
-
-4. Chrome → `chrome://extensions` → enable “Developer mode”.
-5. “Load unpacked” → select the path printed above.
-6. Pin the extension. Click the icon on a tab to attach/detach.
-
-## Options
-
-- `Relay port`: defaults to `18792`.
-- `Gateway token`: required. Set this to `gateway.auth.token` (or `OPENCLAW_GATEWAY_TOKEN`).
diff --git a/assets/chrome-extension/background-utils.js b/assets/chrome-extension/background-utils.js
deleted file mode 100644
index 82d43359c0a..00000000000
--- a/assets/chrome-extension/background-utils.js
+++ /dev/null
@@ -1,64 +0,0 @@
-export function reconnectDelayMs(
-  attempt,
-  opts = { baseMs: 1000, maxMs: 30000, jitterMs: 1000, random: Math.random },
-) {
-  const baseMs = Number.isFinite(opts.baseMs) ? opts.baseMs : 1000;
-  const maxMs = Number.isFinite(opts.maxMs) ? opts.maxMs : 30000;
-  const jitterMs = Number.isFinite(opts.jitterMs) ? opts.jitterMs : 1000;
-  const random = typeof opts.random === "function" ? opts.random : Math.random;
-  const safeAttempt = Math.max(0, Number.isFinite(attempt) ? attempt : 0);
-  const backoff = Math.min(baseMs * 2 ** safeAttempt, maxMs);
-  return backoff + Math.max(0, jitterMs) * random();
-}
-
-export async function deriveRelayToken(gatewayToken, port) {
-  const enc = new TextEncoder();
-  const key = await crypto.subtle.importKey(
-    "raw",
-    enc.encode(gatewayToken),
-    { name: "HMAC", hash: "SHA-256" },
-    false,
-    ["sign"],
-  );
-  const sig = await crypto.subtle.sign(
-    "HMAC",
-    key,
-    enc.encode(`openclaw-extension-relay-v1:${port}`),
-  );
-  return [...new Uint8Array(sig)].map((b) => b.toString(16).padStart(2, "0")).join("");
-}
-
-export async function buildRelayWsUrl(port, gatewayToken) {
-  const token = String(gatewayToken || "").trim();
-  if (!token) {
-    throw new Error(
-      "Missing gatewayToken in extension settings (chrome.storage.local.gatewayToken)",
-    );
-  }
-  const relayToken = await deriveRelayToken(token, port);
-  return `ws://127.0.0.1:${port}/extension?token=${encodeURIComponent(relayToken)}`;
-}
-
-export function isRetryableReconnectError(err) {
-  const message = err instanceof Error ? err.message : String(err || "");
-  if (message.includes("Missing gatewayToken")) {
-    return false;
-  }
-  return true;
-}
-
-export function isMissingTabError(err) {
-  const message = (err instanceof Error ? err.message : String(err || "")).toLowerCase();
-  return (
-    message.includes("no tab with id") ||
-    message.includes("no tab with given id") ||
-    message.includes("tab not found")
-  );
-}
-
-export function isLastRemainingTab(allTabs, tabIdToClose) {
-  if (!Array.isArray(allTabs)) {
-    return true;
-  }
-  return allTabs.filter((tab) => tab && tab.id !== tabIdToClose).length === 0;
-}
diff --git a/assets/chrome-extension/background.js b/assets/chrome-extension/background.js
deleted file mode 100644
index 9031a156489..00000000000
--- a/assets/chrome-extension/background.js
+++ /dev/null
@@ -1,1025 +0,0 @@
-import {
-  buildRelayWsUrl,
-  isLastRemainingTab,
-  isMissingTabError,
-  isRetryableReconnectError,
-  reconnectDelayMs,
-} from './background-utils.js'
-
-const DEFAULT_PORT = 18792
-
-const BADGE = {
-  on: { text: 'ON', color: '#FF5A36' },
-  off: { text: '', color: '#000000' },
-  connecting: { text: '…', color: '#F59E0B' },
-  error: { text: '!', color: '#B91C1C' },
-}
-
-/** @type {WebSocket|null} */
-let relayWs = null
-/** @type {Promise<void>|null} */
-let relayConnectPromise = null
-let relayGatewayToken = ''
-/** @type {string|null} */
-let relayConnectRequestId = null
-
-let nextSession = 1
-
-/** @type {Map<number, {state:'connecting'|'connected', sessionId?:string, targetId?:string, attachOrder?:number}>} */
-const tabs = new Map()
-/** @type {Map<string, number>} */
-const tabBySession = new Map()
-/** @type {Map<string, number>} */
-const childSessionToTab = new Map()
-
-/** @type {Map<number, {resolve:(v:any)=>void, reject:(e:Error)=>void}>} */
-const pending = new Map()
-
-// Per-tab operation locks prevent double-attach races.
-/** @type {Set<number>} */
-const tabOperationLocks = new Set()
-
-// Tabs currently in a detach/re-attach cycle after navigation.
-/** @type {Set<number>} */
-const reattachPending = new Set()
-
-// Reconnect state for exponential backoff.
-let reconnectAttempt = 0
-let reconnectTimer = null
-
-const TAB_VALIDATION_ATTEMPTS = 2
-const TAB_VALIDATION_RETRY_DELAY_MS = 1000
-
-function nowStack() {
-  try {
-    return new Error().stack || ''
-  } catch {
-    return ''
-  }
-}
-
-function sleep(ms) {
-  return new Promise((resolve) => setTimeout(resolve, ms))
-}
-
-async function validateAttachedTab(tabId) {
-  try {
-    await chrome.tabs.get(tabId)
-  } catch {
-    return false
-  }
-
-  for (let attempt = 0; attempt < TAB_VALIDATION_ATTEMPTS; attempt++) {
-    try {
-      await chrome.debugger.sendCommand({ tabId }, 'Runtime.evaluate', {
-        expression: '1',
-        returnByValue: true,
-      })
-      return true
-    } catch (err) {
-      if (isMissingTabError(err)) {
-        return false
-      }
-      if (attempt < TAB_VALIDATION_ATTEMPTS - 1) {
-        await sleep(TAB_VALIDATION_RETRY_DELAY_MS)
-      }
-    }
-  }
-
-  return false
-}
-
-async function getRelayPort() {
-  const stored = await chrome.storage.local.get(['relayPort'])
-  const raw = stored.relayPort
-  const n = Number.parseInt(String(raw || ''), 10)
-  if (!Number.isFinite(n) || n <= 0 || n > 65535) return DEFAULT_PORT
-  return n
-}
-
-async function getGatewayToken() {
-  const stored = await chrome.storage.local.get(['gatewayToken'])
-  const token = String(stored.gatewayToken || '').trim()
-  return token || ''
-}
-
-function setBadge(tabId, kind) {
-  const cfg = BADGE[kind]
-  void chrome.action.setBadgeText({ tabId, text: cfg.text })
-  void chrome.action.setBadgeBackgroundColor({ tabId, color: cfg.color })
-  void chrome.action.setBadgeTextColor({ tabId, color: '#FFFFFF' }).catch(() => {})
-}
-
-// Persist attached tab state to survive MV3 service worker restarts.
-async function persistState() {
-  try {
-    const tabEntries = []
-    for (const [tabId, tab] of tabs.entries()) {
-      if (tab.state === 'connected' && tab.sessionId && tab.targetId) {
-        tabEntries.push({ tabId, sessionId: tab.sessionId, targetId: tab.targetId, attachOrder: tab.attachOrder })
-      }
-    }
-    await chrome.storage.session.set({
-      persistedTabs: tabEntries,
-      nextSession,
-    })
-  } catch {
-    // chrome.storage.session may not be available in all contexts.
-  }
-}
-
-// Rehydrate tab state on service worker startup. Fast path — just restores
-// maps and badges. Relay reconnect happens separately in background.
-async function rehydrateState() {
-  try {
-    const stored = await chrome.storage.session.get(['persistedTabs', 'nextSession'])
-    if (stored.nextSession) {
-      nextSession = Math.max(nextSession, stored.nextSession)
-    }
-    const entries = stored.persistedTabs || []
-    // Phase 1: optimistically restore state and badges.
-    for (const entry of entries) {
-      tabs.set(entry.tabId, {
-        state: 'connected',
-        sessionId: entry.sessionId,
-        targetId: entry.targetId,
-        attachOrder: entry.attachOrder,
-      })
-      tabBySession.set(entry.sessionId, entry.tabId)
-      setBadge(entry.tabId, 'on')
-    }
-    // Retry once so transient busy/navigation states do not permanently drop
-    // a still-attached tab after a service worker restart.
-    for (const entry of entries) {
-      const valid = await validateAttachedTab(entry.tabId)
-      if (!valid) {
-        tabs.delete(entry.tabId)
-        tabBySession.delete(entry.sessionId)
-        setBadge(entry.tabId, 'off')
-      }
-    }
-  } catch {
-    // Ignore rehydration errors.
-  }
-}
-
-async function ensureRelayConnection() {
-  if (relayWs && relayWs.readyState === WebSocket.OPEN) return
-  if (relayConnectPromise) return await relayConnectPromise
-
-  relayConnectPromise = (async () => {
-    const port = await getRelayPort()
-    const gatewayToken = await getGatewayToken()
-    const httpBase = `http://127.0.0.1:${port}`
-    const wsUrl = await buildRelayWsUrl(port, gatewayToken)
-
-    // Fast preflight: is the relay server up?
-    try {
-      await fetch(`${httpBase}/`, { method: 'HEAD', signal: AbortSignal.timeout(2000) })
-    } catch (err) {
-      throw new Error(`Relay server not reachable at ${httpBase} (${String(err)})`)
-    }
-
-    const ws = new WebSocket(wsUrl)
-    relayWs = ws
-    relayGatewayToken = gatewayToken
-    // Bind message handler before open so an immediate first frame (for example
-    // gateway connect.challenge) cannot be missed.
-    ws.onmessage = (event) => {
-      if (ws !== relayWs) return
-      void whenReady(() => onRelayMessage(String(event.data || '')))
-    }
-
-    await new Promise((resolve, reject) => {
-      const t = setTimeout(() => reject(new Error('WebSocket connect timeout')), 5000)
-      ws.onopen = () => {
-        clearTimeout(t)
-        resolve()
-      }
-      ws.onerror = () => {
-        clearTimeout(t)
-        reject(new Error('WebSocket connect failed'))
-      }
-      ws.onclose = (ev) => {
-        clearTimeout(t)
-        reject(new Error(`WebSocket closed (${ev.code} ${ev.reason || 'no reason'})`))
-      }
-    })
-
-    // Bind permanent handlers. Guard against stale socket: if this WS was
-    // replaced before its close fires, the handler is a no-op.
-    ws.onclose = () => {
-      if (ws !== relayWs) return
-      onRelayClosed('closed')
-    }
-    ws.onerror = () => {
-      if (ws !== relayWs) return
-      onRelayClosed('error')
-    }
-  })()
-
-  try {
-    await relayConnectPromise
-    reconnectAttempt = 0
-  } finally {
-    relayConnectPromise = null
-  }
-}
-
-// Relay closed — update badges, reject pending requests, auto-reconnect.
-// Debugger sessions are kept alive so they survive transient WS drops.
-function onRelayClosed(reason) {
-  relayWs = null
-  relayGatewayToken = ''
-  relayConnectRequestId = null
-
-  for (const [id, p] of pending.entries()) {
-    pending.delete(id)
-    p.reject(new Error(`Relay disconnected (${reason})`))
-  }
-
-  reattachPending.clear()
-
-  for (const [tabId, tab] of tabs.entries()) {
-    if (tab.state === 'connected') {
-      setBadge(tabId, 'connecting')
-      void chrome.action.setTitle({
-        tabId,
-        title: 'OpenClaw Browser Relay: relay reconnecting…',
-      })
-    }
-  }
-
-  scheduleReconnect()
-}
-
-function scheduleReconnect() {
-  if (reconnectTimer) {
-    clearTimeout(reconnectTimer)
-    reconnectTimer = null
-  }
-
-  const delay = reconnectDelayMs(reconnectAttempt)
-  reconnectAttempt++
-
-  console.log(`Scheduling reconnect attempt ${reconnectAttempt} in ${Math.round(delay)}ms`)
-
-  reconnectTimer = setTimeout(async () => {
-    reconnectTimer = null
-    try {
-      await ensureRelayConnection()
-      reconnectAttempt = 0
-      console.log('Reconnected successfully')
-      await reannounceAttachedTabs()
-    } catch (err) {
-      const message = err instanceof Error ? err.message : String(err)
-      console.warn(`Reconnect attempt ${reconnectAttempt} failed: ${message}`)
-      if (!isRetryableReconnectError(err)) {
-        return
-      }
-      scheduleReconnect()
-    }
-  }, delay)
-}
-
-function cancelReconnect() {
-  if (reconnectTimer) {
-    clearTimeout(reconnectTimer)
-    reconnectTimer = null
-  }
-  reconnectAttempt = 0
-}
-
-// Re-announce all attached tabs to the relay after reconnect.
-async function reannounceAttachedTabs() {
-  for (const [tabId, tab] of tabs.entries()) {
-    if (tab.state !== 'connected' || !tab.sessionId || !tab.targetId) continue
-
-    // Retry once here as well; reconnect races can briefly make an otherwise
-    // healthy tab look unavailable.
-    const valid = await validateAttachedTab(tabId)
-    if (!valid) {
-      tabs.delete(tabId)
-      if (tab.sessionId) tabBySession.delete(tab.sessionId)
-      setBadge(tabId, 'off')
-      void chrome.action.setTitle({
-        tabId,
-        title: 'OpenClaw Browser Relay (click to attach/detach)',
-      })
-      continue
-    }
-
-    // Send fresh attach event to relay.
-    // Split into two try-catch blocks so debugger failures and relay send
-    // failures are handled independently. Previously, a relay send failure
-    // would fall into the outer catch and set the badge to 'on' even though
-    // the relay had no record of the tab — causing every subsequent browser
-    // tool call to fail with "no tab connected" until the next reconnect cycle.
-    let targetInfo
-    try {
-      const info = /** @type {any} */ (
-        await chrome.debugger.sendCommand({ tabId }, 'Target.getTargetInfo')
-      )
-      targetInfo = info?.targetInfo
-    } catch {
-      // Target.getTargetInfo failed. Preserve at least targetId from
-      // cached tab state so relay receives a stable identifier.
-      targetInfo = tab.targetId ? { targetId: tab.targetId } : undefined
-    }
-
-    try {
-      sendToRelay({
-        method: 'forwardCDPEvent',
-        params: {
-          method: 'Target.attachedToTarget',
-          params: {
-            sessionId: tab.sessionId,
-            targetInfo: { ...targetInfo, attached: true },
-            waitingForDebugger: false,
-          },
-        },
-      })
-
-      setBadge(tabId, 'on')
-      void chrome.action.setTitle({
-        tabId,
-        title: 'OpenClaw Browser Relay: attached (click to detach)',
-      })
-    } catch {
-      // Relay send failed (e.g. WS closed in the gap between ensureRelayConnection
-      // resolving and this loop executing). The tab is still valid — leave badge
-      // as 'connecting' so the reconnect/keepalive cycle will retry rather than
-      // showing a false-positive 'on' that hides the broken state from the user.
-      setBadge(tabId, 'connecting')
-      void chrome.action.setTitle({
-        tabId,
-        title: 'OpenClaw Browser Relay: relay reconnecting…',
-      })
-    }
-  }
-
-  await persistState()
-}
-
-function sendToRelay(payload) {
-  const ws = relayWs
-  if (!ws || ws.readyState !== WebSocket.OPEN) {
-    throw new Error('Relay not connected')
-  }
-  ws.send(JSON.stringify(payload))
-}
-
-function ensureGatewayHandshakeStarted(payload) {
-  if (relayConnectRequestId) return
-  const nonce = typeof payload?.nonce === 'string' ? payload.nonce.trim() : ''
-  relayConnectRequestId = `ext-connect-${Date.now()}-${Math.random().toString(16).slice(2, 8)}`
-  sendToRelay({
-    type: 'req',
-    id: relayConnectRequestId,
-    method: 'connect',
-    params: {
-      minProtocol: 3,
-      maxProtocol: 3,
-      client: {
-        id: 'chrome-relay-extension',
-        version: '1.0.0',
-        platform: 'chrome-extension',
-        mode: 'webchat',
-      },
-      role: 'operator',
-      scopes: ['operator.read', 'operator.write'],
-      caps: [],
-      commands: [],
-      nonce: nonce || undefined,
-      auth: relayGatewayToken ? { token: relayGatewayToken } : undefined,
-    },
-  })
-}
-
-async function maybeOpenHelpOnce() {
-  try {
-    const stored = await chrome.storage.local.get(['helpOnErrorShown'])
-    if (stored.helpOnErrorShown === true) return
-    await chrome.storage.local.set({ helpOnErrorShown: true })
-    await chrome.runtime.openOptionsPage()
-  } catch {
-    // ignore
-  }
-}
-
-function requestFromRelay(command) {
-  const id = command.id
-  return new Promise((resolve, reject) => {
-    const timer = setTimeout(() => {
-      pending.delete(id)
-      reject(new Error('Relay request timeout (30s)'))
-    }, 30000)
-    pending.set(id, {
-      resolve: (v) => { clearTimeout(timer); resolve(v) },
-      reject: (e) => { clearTimeout(timer); reject(e) },
-    })
-    try {
-      sendToRelay(command)
-    } catch (err) {
-      clearTimeout(timer)
-      pending.delete(id)
-      reject(err instanceof Error ? err : new Error(String(err)))
-    }
-  })
-}
-
-async function onRelayMessage(text) {
-  /** @type {any} */
-  let msg
-  try {
-    msg = JSON.parse(text)
-  } catch {
-    return
-  }
-
-  if (msg && msg.type === 'event' && msg.event === 'connect.challenge') {
-    try {
-      ensureGatewayHandshakeStarted(msg.payload)
-    } catch (err) {
-      console.warn('gateway connect handshake start failed', err instanceof Error ? err.message : String(err))
-      relayConnectRequestId = null
-      const ws = relayWs
-      if (ws && ws.readyState === WebSocket.OPEN) {
-        ws.close(1008, 'gateway connect failed')
-      }
-    }
-    return
-  }
-
-  if (msg && msg.type === 'res' && relayConnectRequestId && msg.id === relayConnectRequestId) {
-    relayConnectRequestId = null
-    if (!msg.ok) {
-      const detail = msg?.error?.message || msg?.error || 'gateway connect failed'
-      console.warn('gateway connect handshake rejected', String(detail))
-      const ws = relayWs
-      if (ws && ws.readyState === WebSocket.OPEN) {
-        ws.close(1008, 'gateway connect failed')
-      }
-    }
-    return
-  }
-
-  if (msg && msg.method === 'ping') {
-    try {
-      sendToRelay({ method: 'pong' })
-    } catch {
-      // ignore
-    }
-    return
-  }
-
-  if (msg && typeof msg.id === 'number' && (msg.result !== undefined || msg.error !== undefined)) {
-    const p = pending.get(msg.id)
-    if (!p) return
-    pending.delete(msg.id)
-    if (msg.error) p.reject(new Error(String(msg.error)))
-    else p.resolve(msg.result)
-    return
-  }
-
-  if (msg && typeof msg.id === 'number' && msg.method === 'forwardCDPCommand') {
-    try {
-      const result = await handleForwardCdpCommand(msg)
-      sendToRelay({ id: msg.id, result })
-    } catch (err) {
-      sendToRelay({ id: msg.id, error: err instanceof Error ? err.message : String(err) })
-    }
-  }
-}
-
-function getTabBySessionId(sessionId) {
-  const direct = tabBySession.get(sessionId)
-  if (direct) return { tabId: direct, kind: 'main' }
-  const child = childSessionToTab.get(sessionId)
-  if (child) return { tabId: child, kind: 'child' }
-  return null
-}
-
-function getTabByTargetId(targetId) {
-  for (const [tabId, tab] of tabs.entries()) {
-    if (tab.targetId === targetId) return tabId
-  }
-  return null
-}
-
-async function attachTab(tabId, opts = {}) {
-  const debuggee = { tabId }
-  await chrome.debugger.attach(debuggee, '1.3')
-  await chrome.debugger.sendCommand(debuggee, 'Page.enable').catch(() => {})
-
-  const info = /** @type {any} */ (await chrome.debugger.sendCommand(debuggee, 'Target.getTargetInfo'))
-  const targetInfo = info?.targetInfo
-  const targetId = String(targetInfo?.targetId || '').trim()
-  if (!targetId) {
-    throw new Error('Target.getTargetInfo returned no targetId')
-  }
-
-  const sid = nextSession++
-  const sessionId = `cb-tab-${sid}`
-  const attachOrder = sid
-
-  tabs.set(tabId, { state: 'connected', sessionId, targetId, attachOrder })
-  tabBySession.set(sessionId, tabId)
-  void chrome.action.setTitle({
-    tabId,
-    title: 'OpenClaw Browser Relay: attached (click to detach)',
-  })
-
-  if (!opts.skipAttachedEvent) {
-    sendToRelay({
-      method: 'forwardCDPEvent',
-      params: {
-        method: 'Target.attachedToTarget',
-        params: {
-          sessionId,
-          targetInfo: { ...targetInfo, attached: true },
-          waitingForDebugger: false,
-        },
-      },
-    })
-  }
-
-  setBadge(tabId, 'on')
-  await persistState()
-
-  return { sessionId, targetId }
-}
-
-async function detachTab(tabId, reason) {
-  const tab = tabs.get(tabId)
-
-  // Send detach events for child sessions first.
-  for (const [childSessionId, parentTabId] of childSessionToTab.entries()) {
-    if (parentTabId === tabId) {
-      try {
-        sendToRelay({
-          method: 'forwardCDPEvent',
-          params: {
-            method: 'Target.detachedFromTarget',
-            params: { sessionId: childSessionId, reason: 'parent_detached' },
-          },
-        })
-      } catch {
-        // Relay may be down.
-      }
-      childSessionToTab.delete(childSessionId)
-    }
-  }
-
-  // Send detach event for main session.
-  if (tab?.sessionId && tab?.targetId) {
-    try {
-      sendToRelay({
-        method: 'forwardCDPEvent',
-        params: {
-          method: 'Target.detachedFromTarget',
-          params: { sessionId: tab.sessionId, targetId: tab.targetId, reason },
-        },
-      })
-    } catch {
-      // Relay may be down.
-    }
-  }
-
-  if (tab?.sessionId) tabBySession.delete(tab.sessionId)
-  tabs.delete(tabId)
-
-  try {
-    await chrome.debugger.detach({ tabId })
-  } catch {
-    // May already be detached.
-  }
-
-  setBadge(tabId, 'off')
-  void chrome.action.setTitle({
-    tabId,
-    title: 'OpenClaw Browser Relay (click to attach/detach)',
-  })
-
-  await persistState()
-}
-
-async function connectOrToggleForActiveTab() {
-  const [active] = await chrome.tabs.query({ active: true, currentWindow: true })
-  const tabId = active?.id
-  if (!tabId) return
-
-  // Prevent concurrent operations on the same tab.
-  if (tabOperationLocks.has(tabId)) return
-  tabOperationLocks.add(tabId)
-
-  try {
-    if (reattachPending.has(tabId)) {
-      reattachPending.delete(tabId)
-      setBadge(tabId, 'off')
-      void chrome.action.setTitle({
-        tabId,
-        title: 'OpenClaw Browser Relay (click to attach/detach)',
-      })
-      return
-    }
-
-    const existing = tabs.get(tabId)
-    if (existing?.state === 'connected') {
-      await detachTab(tabId, 'toggle')
-      return
-    }
-
-    // User is manually connecting — cancel any pending reconnect.
-    cancelReconnect()
-
-    tabs.set(tabId, { state: 'connecting' })
-    setBadge(tabId, 'connecting')
-    void chrome.action.setTitle({
-      tabId,
-      title: 'OpenClaw Browser Relay: connecting to local relay…',
-    })
-
-    try {
-      await ensureRelayConnection()
-      await attachTab(tabId)
-    } catch (err) {
-      tabs.delete(tabId)
-      setBadge(tabId, 'error')
-      void chrome.action.setTitle({
-        tabId,
-        title: 'OpenClaw Browser Relay: relay not running (open options for setup)',
-      })
-      void maybeOpenHelpOnce()
-      const message = err instanceof Error ? err.message : String(err)
-      console.warn('attach failed', message, nowStack())
-    }
-  } finally {
-    tabOperationLocks.delete(tabId)
-  }
-}
-
-async function handleForwardCdpCommand(msg) {
-  const method = String(msg?.params?.method || '').trim()
-  const params = msg?.params?.params || undefined
-  const sessionId = typeof msg?.params?.sessionId === 'string' ? msg.params.sessionId : undefined
-
-  const bySession = sessionId ? getTabBySessionId(sessionId) : null
-  const targetId = typeof params?.targetId === 'string' ? params.targetId : undefined
-  const tabId =
-    bySession?.tabId ||
-    (targetId ? getTabByTargetId(targetId) : null) ||
-    (() => {
-      for (const [id, tab] of tabs.entries()) {
-        if (tab.state === 'connected') return id
-      }
-      return null
-    })()
-
-  if (!tabId) throw new Error(`No attached tab for method ${method}`)
-
-  /** @type {chrome.debugger.DebuggerSession} */
-  const debuggee = { tabId }
-
-  if (method === 'Runtime.enable') {
-    try {
-      await chrome.debugger.sendCommand(debuggee, 'Runtime.disable')
-      await new Promise((r) => setTimeout(r, 50))
-    } catch {
-      // ignore
-    }
-    return await chrome.debugger.sendCommand(debuggee, 'Runtime.enable', params)
-  }
-
-  if (method === 'Target.createTarget') {
-    const url = typeof params?.url === 'string' ? params.url : 'about:blank'
-    const tab = await chrome.tabs.create({ url, active: false })
-    if (!tab.id) throw new Error('Failed to create tab')
-    await new Promise((r) => setTimeout(r, 100))
-    const attached = await attachTab(tab.id)
-    return { targetId: attached.targetId }
-  }
-
-  if (method === 'Target.closeTarget') {
-    const target = typeof params?.targetId === 'string' ? params.targetId : ''
-    const toClose = target ? getTabByTargetId(target) : tabId
-    if (!toClose) return { success: false }
-    try {
-      const allTabs = await chrome.tabs.query({})
-      if (isLastRemainingTab(allTabs, toClose)) {
-        console.warn('Refusing to close the last tab: this would kill the browser process')
-        return { success: false, error: 'Cannot close the last tab' }
-      }
-      await chrome.tabs.remove(toClose)
-    } catch {
-      return { success: false }
-    }
-    return { success: true }
-  }
-
-  if (method === 'Target.activateTarget') {
-    const target = typeof params?.targetId === 'string' ? params.targetId : ''
-    const toActivate = target ? getTabByTargetId(target) : tabId
-    if (!toActivate) return {}
-    const tab = await chrome.tabs.get(toActivate).catch(() => null)
-    if (!tab) return {}
-    if (tab.windowId) {
-      await chrome.windows.update(tab.windowId, { focused: true }).catch(() => {})
-    }
-    await chrome.tabs.update(toActivate, { active: true }).catch(() => {})
-    return {}
-  }
-
-  const tabState = tabs.get(tabId)
-  const mainSessionId = tabState?.sessionId
-  const debuggerSession =
-    sessionId && mainSessionId && sessionId !== mainSessionId
-      ? { ...debuggee, sessionId }
-      : debuggee
-
-  return await chrome.debugger.sendCommand(debuggerSession, method, params)
-}
-
-function onDebuggerEvent(source, method, params) {
-  const tabId = source.tabId
-  if (!tabId) return
-  const tab = tabs.get(tabId)
-  if (!tab?.sessionId) return
-
-  if (method === 'Target.attachedToTarget' && params?.sessionId) {
-    childSessionToTab.set(String(params.sessionId), tabId)
-  }
-
-  if (method === 'Target.detachedFromTarget' && params?.sessionId) {
-    childSessionToTab.delete(String(params.sessionId))
-  }
-
-  try {
-    sendToRelay({
-      method: 'forwardCDPEvent',
-      params: {
-        sessionId: source.sessionId || tab.sessionId,
-        method,
-        params,
-      },
-    })
-  } catch {
-    // Relay may be down.
-  }
-}
-
-async function onDebuggerDetach(source, reason) {
-  const tabId = source.tabId
-  if (!tabId) return
-  if (!tabs.has(tabId)) return
-
-  // User explicitly cancelled or DevTools replaced the connection — respect their intent
-  if (reason === 'canceled_by_user' || reason === 'replaced_with_devtools') {
-    void detachTab(tabId, reason)
-    return
-  }
-
-  // Check if tab still exists — distinguishes navigation from tab close
-  let tabInfo
-  try {
-    tabInfo = await chrome.tabs.get(tabId)
-  } catch {
-    // Tab is gone (closed) — normal cleanup
-    void detachTab(tabId, reason)
-    return
-  }
-
-  if (tabInfo.url?.startsWith('chrome://') || tabInfo.url?.startsWith('chrome-extension://')) {
-    void detachTab(tabId, reason)
-    return
-  }
-
-  if (reattachPending.has(tabId)) return
-
-  const oldTab = tabs.get(tabId)
-  const oldSessionId = oldTab?.sessionId
-  const oldTargetId = oldTab?.targetId
-
-  if (oldSessionId) tabBySession.delete(oldSessionId)
-  tabs.delete(tabId)
-  for (const [childSessionId, parentTabId] of childSessionToTab.entries()) {
-    if (parentTabId === tabId) childSessionToTab.delete(childSessionId)
-  }
-
-  if (oldSessionId && oldTargetId) {
-    try {
-      sendToRelay({
-        method: 'forwardCDPEvent',
-        params: {
-          method: 'Target.detachedFromTarget',
-          params: { sessionId: oldSessionId, targetId: oldTargetId, reason: 'navigation-reattach' },
-        },
-      })
-    } catch {
-      // Relay may be down.
-    }
-  }
-
-  reattachPending.add(tabId)
-  setBadge(tabId, 'connecting')
-  void chrome.action.setTitle({
-    tabId,
-    title: 'OpenClaw Browser Relay: re-attaching after navigation…',
-  })
-
-  // Extend re-attach window from 2.5 s to ~7.7 s (5 attempts).
-  // SPAs and pages with heavy JS can take >2.5 s before the Chrome debugger
-  // is attachable, causing all three original attempts to fail and leaving
-  // the badge permanently off after every navigation.
-  const delays = [200, 500, 1000, 2000, 4000]
-  for (let attempt = 0; attempt < delays.length; attempt++) {
-    await new Promise((r) => setTimeout(r, delays[attempt]))
-
-    if (!reattachPending.has(tabId)) return
-
-    try {
-      await chrome.tabs.get(tabId)
-    } catch {
-      reattachPending.delete(tabId)
-      setBadge(tabId, 'off')
-      return
-    }
-
-    const relayUp = relayWs && relayWs.readyState === WebSocket.OPEN
-
-    try {
-      // When relay is down, still attach the debugger but skip sending the
-      // relay event. reannounceAttachedTabs() will notify the relay once it
-      // reconnects, so the tab stays tracked across transient relay drops.
-      await attachTab(tabId, { skipAttachedEvent: !relayUp })
-      reattachPending.delete(tabId)
-      if (!relayUp) {
-        setBadge(tabId, 'connecting')
-        void chrome.action.setTitle({
-          tabId,
-          title: 'OpenClaw Browser Relay: attached, waiting for relay reconnect…',
-        })
-      }
-      return
-    } catch {
-      // continue retries
-    }
-  }
-
-  reattachPending.delete(tabId)
-  setBadge(tabId, 'off')
-  void chrome.action.setTitle({
-    tabId,
-    title: 'OpenClaw Browser Relay: re-attach failed (click to retry)',
-  })
-}
-
-// Tab lifecycle listeners — clean up stale entries.
-chrome.tabs.onRemoved.addListener((tabId) => void whenReady(() => {
-  reattachPending.delete(tabId)
-  if (!tabs.has(tabId)) return
-  const tab = tabs.get(tabId)
-  if (tab?.sessionId) tabBySession.delete(tab.sessionId)
-  tabs.delete(tabId)
-  for (const [childSessionId, parentTabId] of childSessionToTab.entries()) {
-    if (parentTabId === tabId) childSessionToTab.delete(childSessionId)
-  }
-  if (tab?.sessionId && tab?.targetId) {
-    try {
-      sendToRelay({
-        method: 'forwardCDPEvent',
-        params: {
-          method: 'Target.detachedFromTarget',
-          params: { sessionId: tab.sessionId, targetId: tab.targetId, reason: 'tab_closed' },
-        },
-      })
-    } catch {
-      // Relay may be down.
-    }
-  }
-  void persistState()
-}))
-
-chrome.tabs.onReplaced.addListener((addedTabId, removedTabId) => void whenReady(() => {
-  const tab = tabs.get(removedTabId)
-  if (!tab) return
-  tabs.delete(removedTabId)
-  tabs.set(addedTabId, tab)
-  if (tab.sessionId) {
-    tabBySession.set(tab.sessionId, addedTabId)
-  }
-  for (const [childSessionId, parentTabId] of childSessionToTab.entries()) {
-    if (parentTabId === removedTabId) {
-      childSessionToTab.set(childSessionId, addedTabId)
-    }
-  }
-  setBadge(addedTabId, 'on')
-  void persistState()
-}))
-
-// Register debugger listeners at module scope so detach/event handling works
-// even when the relay WebSocket is down.
-chrome.debugger.onEvent.addListener((...args) => void whenReady(() => onDebuggerEvent(...args)))
-chrome.debugger.onDetach.addListener((...args) => void whenReady(() => onDebuggerDetach(...args)))
-
-chrome.action.onClicked.addListener(() => void whenReady(() => connectOrToggleForActiveTab()))
-
-// Refresh badge after navigation completes — service worker may have restarted
-// during navigation, losing ephemeral badge state.
-chrome.webNavigation.onCompleted.addListener(({ tabId, frameId }) => void whenReady(() => {
-  if (frameId !== 0) return
-  const tab = tabs.get(tabId)
-  if (tab?.state === 'connected') {
-    setBadge(tabId, relayWs && relayWs.readyState === WebSocket.OPEN ? 'on' : 'connecting')
-  }
-}))
-
-// Refresh badge when user switches to an attached tab.
-chrome.tabs.onActivated.addListener(({ tabId }) => void whenReady(() => {
-  const tab = tabs.get(tabId)
-  if (tab?.state === 'connected') {
-    setBadge(tabId, relayWs && relayWs.readyState === WebSocket.OPEN ? 'on' : 'connecting')
-  }
-}))
-
-chrome.runtime.onInstalled.addListener(() => {
-  void chrome.runtime.openOptionsPage()
-})
-
-// MV3 keepalive via chrome.alarms — more reliable than setInterval across
-// service worker restarts. Checks relay health and refreshes badges.
-chrome.alarms.create('relay-keepalive', { periodInMinutes: 0.5 })
-
-chrome.alarms.onAlarm.addListener(async (alarm) => {
-  if (alarm.name !== 'relay-keepalive') return
-  await initPromise
-
-  if (tabs.size === 0) return
-
-  // Refresh badges (ephemeral in MV3).
-  for (const [tabId, tab] of tabs.entries()) {
-    if (tab.state === 'connected') {
-      setBadge(tabId, relayWs && relayWs.readyState === WebSocket.OPEN ? 'on' : 'connecting')
-    }
-  }
-
-  // If relay is down and no reconnect is in progress, trigger one.
-  if (!relayWs || relayWs.readyState !== WebSocket.OPEN) {
-    if (!relayConnectPromise && !reconnectTimer) {
-      console.log('Keepalive: WebSocket unhealthy, triggering reconnect')
-      await ensureRelayConnection().catch(() => {
-        // ensureRelayConnection may throw without triggering onRelayClosed
-        // (e.g. preflight fetch fails before WS is created), so ensure
-        // reconnect is always scheduled on failure.
-        if (!reconnectTimer) {
-          scheduleReconnect()
-        }
-      })
-    }
-  }
-})
-
-// Rehydrate state on service worker startup. Split: rehydration is the gate
-// (fast), relay reconnect runs in background (slow, non-blocking).
-const initPromise = rehydrateState()
-
-initPromise.then(() => {
-  if (tabs.size > 0) {
-    ensureRelayConnection().then(() => {
-      reconnectAttempt = 0
-      return reannounceAttachedTabs()
-    }).catch(() => {
-      scheduleReconnect()
-    })
-  }
-})
-
-// Shared gate: all state-dependent handlers await this before accessing maps.
-async function whenReady(fn) {
-  await initPromise
-  return fn()
-}
-
-// Relay check handler for the options page. The service worker has
-// host_permissions and bypasses CORS preflight, so the options page
-// delegates token-validation requests here.
-chrome.runtime.onMessage.addListener((msg, _sender, sendResponse) => {
-  if (msg?.type !== 'relayCheck') return false
-  const { url, token } = msg
-  const headers = token ? { 'x-openclaw-relay-token': token } : {}
-  fetch(url, { method: 'GET', headers, signal: AbortSignal.timeout(2000) })
-    .then(async (res) => {
-      const contentType = String(res.headers.get('content-type') || '')
-      let json = null
-      if (contentType.includes('application/json')) {
-        try {
-          json = await res.json()
-        } catch {
-          json = null
-        }
-      }
-      sendResponse({ status: res.status, ok: res.ok, contentType, json })
-    })
-    .catch((err) => sendResponse({ status: 0, ok: false, error: String(err) }))
-  return true
-})
diff --git a/assets/chrome-extension/manifest.json b/assets/chrome-extension/manifest.json
deleted file mode 100644
index 62038276cd7..00000000000
--- a/assets/chrome-extension/manifest.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
-  "manifest_version": 3,
-  "name": "OpenClaw Browser Relay",
-  "version": "0.1.0",
-  "description": "Attach OpenClaw to your existing Chrome tab via a local CDP relay server.",
-  "icons": {
-    "16": "icons/icon16.png",
-    "32": "icons/icon32.png",
-    "48": "icons/icon48.png",
-    "128": "icons/icon128.png"
-  },
-  "permissions": ["debugger", "tabs", "activeTab", "storage", "alarms", "webNavigation"],
-  "host_permissions": ["http://127.0.0.1/*", "http://localhost/*"],
-  "background": { "service_worker": "background.js", "type": "module" },
-  "action": {
-    "default_title": "OpenClaw Browser Relay (click to attach/detach)",
-    "default_icon": {
-      "16": "icons/icon16.png",
-      "32": "icons/icon32.png",
-      "48": "icons/icon48.png",
-      "128": "icons/icon128.png"
-    }
-  },
-  "options_ui": { "page": "options.html", "open_in_tab": true }
-}
diff --git a/assets/chrome-extension/options-validation.js b/assets/chrome-extension/options-validation.js
deleted file mode 100644
index 53e2cd55014..00000000000
--- a/assets/chrome-extension/options-validation.js
+++ /dev/null
@@ -1,57 +0,0 @@
-const PORT_GUIDANCE = 'Use gateway port + 3 (for gateway 18789, relay is 18792).'
-
-function hasCdpVersionShape(data) {
-  return !!data && typeof data === 'object' && 'Browser' in data && 'Protocol-Version' in data
-}
-
-export function classifyRelayCheckResponse(res, port) {
-  if (!res) {
-    return { action: 'throw', error: 'No response from service worker' }
-  }
-
-  if (res.status === 401) {
-    return { action: 'status', kind: 'error', message: 'Gateway token rejected. Check token and save again.' }
-  }
-
-  if (res.error) {
-    return { action: 'throw', error: res.error }
-  }
-
-  if (!res.ok) {
-    return { action: 'throw', error: `HTTP ${res.status}` }
-  }
-
-  const contentType = String(res.contentType || '')
-  if (!contentType.includes('application/json')) {
-    return {
-      action: 'status',
-      kind: 'error',
-      message: `Wrong port: this is likely the gateway, not the relay. ${PORT_GUIDANCE}`,
-    }
-  }
-
-  if (!hasCdpVersionShape(res.json)) {
-    return {
-      action: 'status',
-      kind: 'error',
-      message: `Wrong port: expected relay /json/version response. ${PORT_GUIDANCE}`,
-    }
-  }
-
-  return { action: 'status', kind: 'ok', message: `Relay reachable and authenticated at http://127.0.0.1:${port}/` }
-}
-
-export function classifyRelayCheckException(err, port) {
-  const message = String(err || '').toLowerCase()
-  if (message.includes('json') || message.includes('syntax')) {
-    return {
-      kind: 'error',
-      message: `Wrong port: this is not a relay endpoint. ${PORT_GUIDANCE}`,
-    }
-  }
-
-  return {
-    kind: 'error',
-    message: `Relay not reachable/authenticated at http://127.0.0.1:${port}/. Start OpenClaw browser relay and verify token.`,
-  }
-}
diff --git a/assets/chrome-extension/options.html b/assets/chrome-extension/options.html
deleted file mode 100644
index 17fc6a79eed..00000000000
--- a/assets/chrome-extension/options.html
+++ /dev/null
@@ -1,200 +0,0 @@
-<!doctype html>
-<html lang="en">
-  <head>
-    <meta charset="utf-8" />
-    <meta name="viewport" content="width=device-width, initial-scale=1" />
-    <title>OpenClaw Browser Relay</title>
-    <style>
-      :root {
-        color-scheme: light dark;
-        --accent: #ff5a36;
-        --panel: color-mix(in oklab, canvas 92%, canvasText 8%);
-        --border: color-mix(in oklab, canvasText 18%, transparent);
-        --muted: color-mix(in oklab, canvasText 70%, transparent);
-        --shadow: 0 10px 30px color-mix(in oklab, canvasText 18%, transparent);
-        font-family: ui-rounded, system-ui, -apple-system, BlinkMacSystemFont, "SF Pro Rounded",
-          "SF Pro Display", "Segoe UI", sans-serif;
-        line-height: 1.4;
-      }
-      body {
-        margin: 0;
-        min-height: 100vh;
-        background:
-          radial-gradient(1000px 500px at 10% 0%, color-mix(in oklab, var(--accent) 30%, transparent), transparent 70%),
-          radial-gradient(900px 450px at 90% 0%, color-mix(in oklab, var(--accent) 18%, transparent), transparent 75%),
-          canvas;
-        color: canvasText;
-      }
-      .wrap {
-        max-width: 820px;
-        margin: 36px auto;
-        padding: 0 24px 48px 24px;
-      }
-      header {
-        display: flex;
-        align-items: center;
-        gap: 12px;
-        margin-bottom: 18px;
-      }
-      .logo {
-        width: 44px;
-        height: 44px;
-        border-radius: 14px;
-        background: color-mix(in oklab, var(--accent) 18%, transparent);
-        border: 1px solid color-mix(in oklab, var(--accent) 35%, transparent);
-        box-shadow: var(--shadow);
-        display: grid;
-        place-items: center;
-      }
-      .logo img {
-        width: 28px;
-        height: 28px;
-        image-rendering: pixelated;
-      }
-      h1 {
-        font-size: 20px;
-        margin: 0;
-        letter-spacing: -0.01em;
-      }
-      .subtitle {
-        margin: 2px 0 0 0;
-        color: var(--muted);
-        font-size: 13px;
-      }
-      .grid {
-        display: grid;
-        grid-template-columns: 1fr;
-        gap: 14px;
-      }
-      .card {
-        background: var(--panel);
-        border: 1px solid var(--border);
-        border-radius: 16px;
-        padding: 16px;
-        box-shadow: var(--shadow);
-      }
-      .card h2 {
-        margin: 0 0 10px 0;
-        font-size: 14px;
-        letter-spacing: 0.01em;
-      }
-      .card p {
-        margin: 8px 0 0 0;
-        color: var(--muted);
-        font-size: 13px;
-      }
-      .row {
-        display: flex;
-        align-items: center;
-        gap: 8px;
-        flex-wrap: wrap;
-      }
-      label {
-        display: block;
-        font-size: 12px;
-        color: var(--muted);
-        margin-bottom: 6px;
-      }
-      input {
-        width: 160px;
-        padding: 10px 12px;
-        border-radius: 12px;
-        border: 1px solid var(--border);
-        background: color-mix(in oklab, canvas 92%, canvasText 8%);
-        color: canvasText;
-        outline: none;
-      }
-      input:focus {
-        border-color: color-mix(in oklab, var(--accent) 70%, transparent);
-        box-shadow: 0 0 0 4px color-mix(in oklab, var(--accent) 20%, transparent);
-      }
-      button {
-        padding: 10px 14px;
-        border-radius: 12px;
-        border: 1px solid color-mix(in oklab, var(--accent) 55%, transparent);
-        background: linear-gradient(
-          180deg,
-          color-mix(in oklab, var(--accent) 80%, white 20%),
-          var(--accent)
-        );
-        color: white;
-        font-weight: 650;
-        letter-spacing: 0.01em;
-        cursor: pointer;
-      }
-      button:active {
-        transform: translateY(1px);
-      }
-      .hint {
-        margin-top: 10px;
-        font-size: 12px;
-        color: var(--muted);
-      }
-      code {
-        font-family: ui-monospace, Menlo, Monaco, Consolas, "SF Mono", monospace;
-        font-size: 12px;
-      }
-      a {
-        color: color-mix(in oklab, var(--accent) 85%, canvasText 15%);
-      }
-      .status {
-        margin-top: 10px;
-        font-size: 12px;
-        color: color-mix(in oklab, var(--accent) 70%, canvasText 30%);
-        min-height: 16px;
-      }
-      .status[data-kind='ok'] {
-        color: color-mix(in oklab, #16a34a 75%, canvasText 25%);
-      }
-      .status[data-kind='error'] {
-        color: color-mix(in oklab, #ef4444 75%, canvasText 25%);
-      }
-    </style>
-  </head>
-  <body>
-    <div class="wrap">
-      <header>
-        <div class="logo" aria-hidden="true">
-          <img src="icons/icon128.png" alt="" />
-        </div>
-        <div>
-          <h1>OpenClaw Browser Relay</h1>
-          <p class="subtitle">Click the toolbar button on a tab to attach / detach.</p>
-        </div>
-      </header>
-
-      <div class="grid">
-        <div class="card">
-          <h2>Getting started</h2>
-          <p>
-            If you see a red <code>!</code> badge on the extension icon, the relay server is not reachable.
-            Start OpenClaw’s browser relay on this machine (Gateway or node host), then click the toolbar button again.
-          </p>
-          <p>
-            Full guide (install, remote Gateway, security): <a href="https://docs.openclaw.ai/tools/chrome-extension" target="_blank" rel="noreferrer">docs.openclaw.ai/tools/chrome-extension</a>
-          </p>
-        </div>
-
-        <div class="card">
-          <h2>Relay connection</h2>
-          <label for="port">Port</label>
-          <div class="row">
-            <input id="port" inputmode="numeric" pattern="[0-9]*" />
-          </div>
-          <label for="token" style="margin-top: 10px">Gateway token</label>
-          <div class="row">
-            <input id="token" type="password" autocomplete="off" style="width: min(520px, 100%)" />
-            <button id="save" type="button">Save</button>
-          </div>
-          <div class="hint">
-            Default port: <code>18792</code>. Extension connects to: <code id="relay-url">http://127.0.0.1:&lt;port&gt;/</code>.
-            Gateway token must match <code>gateway.auth.token</code> (or <code>OPENCLAW_GATEWAY_TOKEN</code>).
-          </div>
-          <div class="status" id="status"></div>
-        </div>
-      </div>
-
-      <script type="module" src="options.js"></script>
-    </div>
-  </body>
-</html>
diff --git a/assets/chrome-extension/options.js b/assets/chrome-extension/options.js
deleted file mode 100644
index aa6fcc4901f..00000000000
--- a/assets/chrome-extension/options.js
+++ /dev/null
@@ -1,74 +0,0 @@
-import { deriveRelayToken } from './background-utils.js'
-import { classifyRelayCheckException, classifyRelayCheckResponse } from './options-validation.js'
-
-const DEFAULT_PORT = 18792
-
-function clampPort(value) {
-  const n = Number.parseInt(String(value || ''), 10)
-  if (!Number.isFinite(n)) return DEFAULT_PORT
-  if (n <= 0 || n > 65535) return DEFAULT_PORT
-  return n
-}
-
-function updateRelayUrl(port) {
-  const el = document.getElementById('relay-url')
-  if (!el) return
-  el.textContent = `http://127.0.0.1:${port}/`
-}
-
-function setStatus(kind, message) {
-  const status = document.getElementById('status')
-  if (!status) return
-  status.dataset.kind = kind || ''
-  status.textContent = message || ''
-}
-
-async function checkRelayReachable(port, token) {
-  const url = `http://127.0.0.1:${port}/json/version`
-  const trimmedToken = String(token || '').trim()
-  if (!trimmedToken) {
-    setStatus('error', 'Gateway token required. Save your gateway token to connect.')
-    return
-  }
-  try {
-    const relayToken = await deriveRelayToken(trimmedToken, port)
-    // Delegate the fetch to the background service worker to bypass
-    // CORS preflight on the custom x-openclaw-relay-token header.
-    const res = await chrome.runtime.sendMessage({
-      type: 'relayCheck',
-      url,
-      token: relayToken,
-    })
-    const result = classifyRelayCheckResponse(res, port)
-    if (result.action === 'throw') throw new Error(result.error)
-    setStatus(result.kind, result.message)
-  } catch (err) {
-    const result = classifyRelayCheckException(err, port)
-    setStatus(result.kind, result.message)
-  }
-}
-
-async function load() {
-  const stored = await chrome.storage.local.get(['relayPort', 'gatewayToken'])
-  const port = clampPort(stored.relayPort)
-  const token = String(stored.gatewayToken || '').trim()
-  document.getElementById('port').value = String(port)
-  document.getElementById('token').value = token
-  updateRelayUrl(port)
-  await checkRelayReachable(port, token)
-}
-
-async function save() {
-  const portInput = document.getElementById('port')
-  const tokenInput = document.getElementById('token')
-  const port = clampPort(portInput.value)
-  const token = String(tokenInput.value || '').trim()
-  await chrome.storage.local.set({ relayPort: port, gatewayToken: token })
-  portInput.value = String(port)
-  tokenInput.value = token
-  updateRelayUrl(port)
-  await checkRelayReachable(port, token)
-}
-
-document.getElementById('save').addEventListener('click', () => void save())
-void load()
diff --git a/docs/.generated/config-baseline.json b/docs/.generated/config-baseline.json
index 8a30b9c6fde..d162ba7a92e 100644
--- a/docs/.generated/config-baseline.json
+++ b/docs/.generated/config-baseline.json
@@ -8035,21 +8035,7 @@
         "storage"
       ],
       "label": "Browser Profile Driver",
-      "help": "Per-profile browser driver mode: \"openclaw\" (or legacy \"clawd\") or \"extension\" depending on connection/runtime strategy. Use the driver that matches your browser control stack to avoid protocol mismatches.",
-      "hasChildren": false
-    },
-    {
-      "path": "browser.relayBindHost",
-      "kind": "core",
-      "type": "string",
-      "required": false,
-      "deprecated": false,
-      "sensitive": false,
-      "tags": [
-        "advanced"
-      ],
-      "label": "Browser Relay Bind Address",
-      "help": "Bind IP address for the Chrome extension relay listener. Leave unset for loopback-only access, or set an explicit non-loopback IP such as 0.0.0.0 only when the relay must be reachable across network namespaces (for example WSL2) and the surrounding network is already trusted.",
+      "help": "Per-profile browser driver mode. Use \"openclaw\" (or legacy \"clawd\") for CDP-based profiles, or use \"existing-session\" for host-local Chrome MCP attachment.",
       "hasChildren": false
     },
     {
diff --git a/docs/.generated/config-baseline.jsonl b/docs/.generated/config-baseline.jsonl
index f8a5068394e..80b18c4cc4b 100644
--- a/docs/.generated/config-baseline.jsonl
+++ b/docs/.generated/config-baseline.jsonl
@@ -707,8 +707,7 @@
 {"recordType":"path","path":"browser.profiles.*.cdpPort","kind":"core","type":"integer","required":false,"deprecated":false,"sensitive":false,"tags":["storage"],"label":"Browser Profile CDP Port","help":"Per-profile local CDP port used when connecting to browser instances by port instead of URL. Use unique ports per profile to avoid connection collisions.","hasChildren":false}
 {"recordType":"path","path":"browser.profiles.*.cdpUrl","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["storage"],"label":"Browser Profile CDP URL","help":"Per-profile CDP websocket URL used for explicit remote browser routing by profile name. Use this when profile connections terminate on remote hosts or tunnels.","hasChildren":false}
 {"recordType":"path","path":"browser.profiles.*.color","kind":"core","type":"string","required":true,"deprecated":false,"sensitive":false,"tags":["storage"],"label":"Browser Profile Accent Color","help":"Per-profile accent color for visual differentiation in dashboards and browser-related UI hints. Use distinct colors for high-signal operator recognition of active profiles.","hasChildren":false}
-{"recordType":"path","path":"browser.profiles.*.driver","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["storage"],"label":"Browser Profile Driver","help":"Per-profile browser driver mode: \"openclaw\" (or legacy \"clawd\") or \"extension\" depending on connection/runtime strategy. Use the driver that matches your browser control stack to avoid protocol mismatches.","hasChildren":false}
-{"recordType":"path","path":"browser.relayBindHost","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Browser Relay Bind Address","help":"Bind IP address for the Chrome extension relay listener. Leave unset for loopback-only access, or set an explicit non-loopback IP such as 0.0.0.0 only when the relay must be reachable across network namespaces (for example WSL2) and the surrounding network is already trusted.","hasChildren":false}
+{"recordType":"path","path":"browser.profiles.*.driver","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["storage"],"label":"Browser Profile Driver","help":"Per-profile browser driver mode. Use \"openclaw\" (or legacy \"clawd\") for CDP-based profiles, or use \"existing-session\" for host-local Chrome MCP attachment.","hasChildren":false}
 {"recordType":"path","path":"browser.remoteCdpHandshakeTimeoutMs","kind":"core","type":"integer","required":false,"deprecated":false,"sensitive":false,"tags":["performance"],"label":"Remote CDP Handshake Timeout (ms)","help":"Timeout in milliseconds for post-connect CDP handshake readiness checks against remote browser targets. Raise this for slow-start remote browsers and lower to fail fast in automation loops.","hasChildren":false}
 {"recordType":"path","path":"browser.remoteCdpTimeoutMs","kind":"core","type":"integer","required":false,"deprecated":false,"sensitive":false,"tags":["performance"],"label":"Remote CDP Timeout (ms)","help":"Timeout in milliseconds for connecting to a remote CDP endpoint before failing the browser attach attempt. Increase for high-latency tunnels, or lower for faster failure detection.","hasChildren":false}
 {"recordType":"path","path":"browser.snapshotDefaults","kind":"core","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Browser Snapshot Defaults","help":"Default snapshot capture configuration used when callers do not provide explicit snapshot options. Tune this for consistent capture behavior across channels and automation paths.","hasChildren":true}
diff --git a/docs/cli/browser.md b/docs/cli/browser.md
index f9ddc151717..42af08f84f3 100644
--- a/docs/cli/browser.md
+++ b/docs/cli/browser.md
@@ -1,9 +1,9 @@
 ---
-summary: "CLI reference for `openclaw browser` (profiles, tabs, actions, extension relay)"
+summary: "CLI reference for `openclaw browser` (profiles, tabs, actions, Chrome MCP, and CDP)"
 read_when:
   - You use `openclaw browser` and want examples for common tasks
   - You want to control a browser running on another machine via a node host
-  - You want to use the Chrome extension relay (attach/detach via toolbar button)
+  - You want to attach to your local signed-in Chrome via Chrome MCP
 title: "browser"
 ---
 
@@ -14,7 +14,6 @@ Manage OpenClaw’s browser control server and run browser actions (tabs, snapsh
 Related:
 
 - Browser tool + API: [Browser tool](/tools/browser)
-- Chrome extension relay: [Chrome extension](/tools/chrome-extension)
 
 ## Common flags
 
@@ -37,13 +36,14 @@ openclaw browser --browser-profile openclaw snapshot
 
 Profiles are named browser routing configs. In practice:
 
-- `openclaw`: launches/attaches to a dedicated OpenClaw-managed Chrome instance (isolated user data dir).
+- `openclaw`: launches or attaches to a dedicated OpenClaw-managed Chrome instance (isolated user data dir).
 - `user`: controls your existing signed-in Chrome session via Chrome DevTools MCP.
-- `chrome-relay`: controls your existing Chrome tab(s) via the Chrome extension relay.
+- custom CDP profiles: point at a local or remote CDP endpoint.
 
 ```bash
 openclaw browser profiles
 openclaw browser create-profile --name work --color "#FF5A36"
+openclaw browser create-profile --name chrome-live --driver existing-session
 openclaw browser delete-profile --name work
 ```
 
@@ -84,20 +84,17 @@ openclaw browser click <ref>
 openclaw browser type <ref> "hello"
 ```
 
-## Chrome extension relay (attach via toolbar button)
+## Existing Chrome via MCP
 
-This mode lets the agent control an existing Chrome tab that you attach manually (it does not auto-attach).
-
-Install the unpacked extension to a stable path:
+Use the built-in `user` profile, or create your own `existing-session` profile:
 
 ```bash
-openclaw browser extension install
-openclaw browser extension path
+openclaw browser --browser-profile user tabs
+openclaw browser create-profile --name chrome-live --driver existing-session
+openclaw browser --browser-profile chrome-live tabs
 ```
 
-Then Chrome → `chrome://extensions` → enable “Developer mode” → “Load unpacked” → select the printed folder.
-
-Full guide: [Chrome extension](/tools/chrome-extension)
+This path is host-only. For Docker, headless servers, Browserless, or other remote setups, use a CDP profile instead.
 
 ## Remote browser control (node host proxy)
 
diff --git a/docs/cli/docs.md b/docs/cli/docs.md
index 6b79aabe6f1..744c50e1432 100644
--- a/docs/cli/docs.md
+++ b/docs/cli/docs.md
@@ -10,6 +10,6 @@ title: "docs"
 Search the live docs index.
 
 ```bash
-openclaw docs browser extension
+openclaw docs browser existing-session
 openclaw docs sandbox allowHostControl
 ```
diff --git a/docs/docs.json b/docs/docs.json
index 229699ec37e..80409046397 100644
--- a/docs/docs.json
+++ b/docs/docs.json
@@ -1018,7 +1018,6 @@
                 "pages": [
                   "tools/browser",
                   "tools/browser-login",
-                  "tools/chrome-extension",
                   "tools/browser-linux-troubleshooting"
                 ]
               },
@@ -1613,7 +1612,6 @@
                 "pages": [
                   "zh-CN/tools/browser",
                   "zh-CN/tools/browser-login",
-                  "zh-CN/tools/chrome-extension",
                   "zh-CN/tools/browser-linux-troubleshooting"
                 ]
               },
diff --git a/docs/gateway/configuration-reference.md b/docs/gateway/configuration-reference.md
index 0653fd3834f..a46f342a360 100644
--- a/docs/gateway/configuration-reference.md
+++ b/docs/gateway/configuration-reference.md
@@ -2442,13 +2442,13 @@ See [Plugins](/tools/plugin).
     profiles: {
       openclaw: { cdpPort: 18800, color: "#FF4500" },
       work: { cdpPort: 18801, color: "#0066CC" },
+      user: { driver: "existing-session", attachOnly: true, color: "#00AA00" },
       remote: { cdpUrl: "http://10.0.0.42:9222", color: "#00AA00" },
     },
     color: "#FF4500",
     // headless: false,
     // noSandbox: false,
     // extraArgs: [],
-    // relayBindHost: "0.0.0.0", // only when the extension relay must be reachable across namespaces (for example WSL2)
     // executablePath: "/Applications/Brave Browser.app/Contents/MacOS/Brave Browser",
     // attachOnly: false,
   },
@@ -2462,11 +2462,11 @@ See [Plugins](/tools/plugin).
 - `ssrfPolicy.allowPrivateNetwork` remains supported as a legacy alias.
 - In strict mode, use `ssrfPolicy.hostnameAllowlist` and `ssrfPolicy.allowedHostnames` for explicit exceptions.
 - Remote profiles are attach-only (start/stop/reset disabled).
+- `existing-session` profiles are host-only and use Chrome MCP instead of CDP.
 - Auto-detect order: default browser if Chromium-based → Chrome → Brave → Edge → Chromium → Chrome Canary.
 - Control service: loopback only (port derived from `gateway.port`, default `18791`).
 - `extraArgs` appends extra launch flags to local Chromium startup (for example
   `--disable-gpu`, window sizing, or debug flags).
-- `relayBindHost` changes where the Chrome extension relay listens. Leave unset for loopback-only access; set an explicit non-loopback bind address such as `0.0.0.0` only when the relay must cross a namespace boundary (for example WSL2) and the host network is already trusted.
 
 ---
 
diff --git a/docs/gateway/doctor.md b/docs/gateway/doctor.md
index 95027906750..6c0711c7aea 100644
--- a/docs/gateway/doctor.md
+++ b/docs/gateway/doctor.md
@@ -63,6 +63,7 @@ cat ~/.openclaw/openclaw.json
 - Health check + restart prompt.
 - Skills status summary (eligible/missing/blocked).
 - Config normalization for legacy values.
+- Browser migration checks for legacy Chrome extension configs and Chrome MCP readiness.
 - OpenCode provider override warnings (`models.providers.opencode` / `models.providers.opencode-go`).
 - Legacy on-disk state migration (sessions/agent dir/WhatsApp auth).
 - Legacy cron store migration (`jobId`, `schedule.cron`, top-level delivery/payload fields, payload `provider`, simple `notify: true` webhook fallback jobs).
@@ -128,6 +129,8 @@ Current migrations:
 - `agent.model`/`allowedModels`/`modelAliases`/`modelFallbacks`/`imageModelFallbacks`
   → `agents.defaults.models` + `agents.defaults.model.primary/fallbacks` + `agents.defaults.imageModel.primary/fallbacks`
 - `browser.ssrfPolicy.allowPrivateNetwork` → `browser.ssrfPolicy.dangerouslyAllowPrivateNetwork`
+- `browser.profiles.*.driver: "extension"` → `"existing-session"`
+- remove `browser.relayBindHost` (legacy extension relay setting)
 
 Doctor warnings also include account-default guidance for multi-account channels:
 
@@ -141,6 +144,33 @@ manually, it overrides the built-in OpenCode catalog from `@mariozechner/pi-ai`.
 That can force models onto the wrong API or zero out costs. Doctor warns so you
 can remove the override and restore per-model API routing + costs.
 
+### 2c) Browser migration and Chrome MCP readiness
+
+If your browser config still points at the removed Chrome extension path, doctor
+normalizes it to the current host-local Chrome MCP attach model:
+
+- `browser.profiles.*.driver: "extension"` becomes `"existing-session"`
+- `browser.relayBindHost` is removed
+
+Doctor also audits the host-local Chrome MCP path when you use `defaultProfile:
+"user"` or a configured `existing-session` profile:
+
+- checks whether Google Chrome is installed on the same host
+- checks the detected Chrome version and warns when it is below Chrome 144
+- reminds you to enable remote debugging in Chrome at
+  `chrome://inspect/#remote-debugging`
+
+Doctor cannot enable the Chrome-side setting for you. Host-local Chrome MCP
+still requires:
+
+- Google Chrome 144+ on the gateway/node host
+- Chrome running locally
+- remote debugging enabled in Chrome
+- approving the first attach consent prompt in Chrome
+
+This check does **not** apply to Docker, sandbox, remote-browser, or other
+headless flows. Those continue to use raw CDP.
+
 ### 3) Legacy state migrations (disk layout)
 
 Doctor can migrate older on-disk layouts into the current structure:
diff --git a/docs/gateway/security/index.md b/docs/gateway/security/index.md
index 595e50f2628..68be08fbed5 100644
--- a/docs/gateway/security/index.md
+++ b/docs/gateway/security/index.md
@@ -990,10 +990,9 @@ access those accounts and data. Treat browser profiles as **sensitive state**:
 - Treat browser downloads as untrusted input; prefer an isolated downloads directory.
 - Disable browser sync/password managers in the agent profile if possible (reduces blast radius).
 - For remote gateways, assume “browser control” is equivalent to “operator access” to whatever that profile can reach.
-- Keep the Gateway and node hosts tailnet-only; avoid exposing relay/control ports to LAN or public Internet.
-- The Chrome extension relay’s CDP endpoint is auth-gated; only OpenClaw clients can connect.
+- Keep the Gateway and node hosts tailnet-only; avoid exposing browser control ports to LAN or public Internet.
 - Disable browser proxy routing when you don’t need it (`gateway.nodes.browser.mode="off"`).
-- Chrome extension relay mode is **not** “safer”; it can take over your existing Chrome tabs. Assume it can act as you in whatever that tab/profile can reach.
+- Chrome MCP existing-session mode is **not** “safer”; it can act as you in whatever that host Chrome profile can reach.
 
 ### Browser SSRF policy (trusted-network default)
 
diff --git a/docs/gateway/troubleshooting.md b/docs/gateway/troubleshooting.md
index 41c697a67f1..aa75b9cf2b5 100644
--- a/docs/gateway/troubleshooting.md
+++ b/docs/gateway/troubleshooting.md
@@ -289,19 +289,18 @@ Look for:
 
 - Valid browser executable path.
 - CDP profile reachability.
-- Extension relay tab attachment (if an extension relay profile is configured).
+- Local Chrome availability for `existing-session` / `user` profiles.
 
 Common signatures:
 
 - `Failed to start Chrome CDP on port` → browser process failed to launch.
 - `browser.executablePath not found` → configured path is invalid.
-- `Chrome extension relay is running, but no tab is connected` → extension relay not attached.
+- `No Chrome tabs found for profile="user"` → the Chrome MCP attach profile has no open local Chrome tabs.
 - `Browser attachOnly is enabled ... not reachable` → attach-only profile has no reachable target.
 
 Related:
 
 - [/tools/browser-linux-troubleshooting](/tools/browser-linux-troubleshooting)
-- [/tools/chrome-extension](/tools/chrome-extension)
 - [/tools/browser](/tools/browser)
 
 ## If you upgraded and something suddenly broke
diff --git a/docs/help/faq.md b/docs/help/faq.md
index 8fdf39ab5c1..b32b1aac8c5 100644
--- a/docs/help/faq.md
+++ b/docs/help/faq.md
@@ -80,7 +80,7 @@ Quick answers plus deeper troubleshooting for real-world setups (local dev, VPS,
   - [Can OpenClaw run tasks on a schedule or continuously in the background?](#can-openclaw-run-tasks-on-a-schedule-or-continuously-in-the-background)
   - [Can I run Apple macOS-only skills from Linux?](#can-i-run-apple-macos-only-skills-from-linux)
   - [Do you have a Notion or HeyGen integration?](#do-you-have-a-notion-or-heygen-integration)
-  - [How do I install the Chrome extension for browser takeover?](#how-do-i-install-the-chrome-extension-for-browser-takeover)
+  - [How do I use my existing signed-in Chrome with OpenClaw?](#how-do-i-use-my-existing-signed-in-chrome-with-openclaw)
 - [Sandboxing and memory](#sandboxing-and-memory)
   - [Is there a dedicated sandboxing doc?](#is-there-a-dedicated-sandboxing-doc)
   - [How do I bind a host folder into the sandbox?](#how-do-i-bind-a-host-folder-into-the-sandbox)
@@ -1214,22 +1214,23 @@ clawhub update --all
 
 ClawHub installs into `./skills` under your current directory (or falls back to your configured OpenClaw workspace); OpenClaw treats that as `<workspace>/skills` on the next session. For shared skills across agents, place them in `~/.openclaw/skills/<name>/SKILL.md`. Some skills expect binaries installed via Homebrew; on Linux that means Linuxbrew (see the Homebrew Linux FAQ entry above). See [Skills](/tools/skills) and [ClawHub](/tools/clawhub).
 
-### How do I install the Chrome extension for browser takeover
+### How do I use my existing signed-in Chrome with OpenClaw
 
-Use the built-in installer, then load the unpacked extension in Chrome:
+Use the built-in `user` browser profile, which attaches through Chrome DevTools MCP:
 
 ```bash
-openclaw browser extension install
-openclaw browser extension path
+openclaw browser --browser-profile user tabs
+openclaw browser --browser-profile user snapshot
 ```
 
-Then Chrome → `chrome://extensions` → enable "Developer mode" → "Load unpacked" → pick that folder.
+If you want a custom name, create an explicit MCP profile:
 
-Full guide (including remote Gateway + security notes): [Chrome extension](/tools/chrome-extension)
+```bash
+openclaw browser create-profile --name chrome-live --driver existing-session
+openclaw browser --browser-profile chrome-live tabs
+```
 
-If the Gateway runs on the same machine as Chrome (default setup), you usually **do not** need anything extra.
-If the Gateway runs elsewhere, run a node host on the browser machine so the Gateway can proxy browser actions.
-You still need to click the extension button on the tab you want to control (it doesn't auto-attach).
+This path is host-local. If the Gateway runs elsewhere, either run a node host on the browser machine or use remote CDP instead.
 
 ## Sandboxing and memory
 
@@ -1665,13 +1666,12 @@ setup is an always-on host plus your laptop as a node.
 - **No inbound SSH required.** Nodes connect out to the Gateway WebSocket and use device pairing.
 - **Safer execution controls.** `system.run` is gated by node allowlists/approvals on that laptop.
 - **More device tools.** Nodes expose `canvas`, `camera`, and `screen` in addition to `system.run`.
-- **Local browser automation.** Keep the Gateway on a VPS, but run Chrome locally and relay control
-  with the Chrome extension + a node host on the laptop.
+- **Local browser automation.** Keep the Gateway on a VPS, but run Chrome locally through a node host on the laptop, or attach to local Chrome on the host via Chrome MCP.
 
 SSH is fine for ad-hoc shell access, but nodes are simpler for ongoing agent workflows and
 device automation.
 
-Docs: [Nodes](/nodes), [Nodes CLI](/cli/nodes), [Chrome extension](/tools/chrome-extension).
+Docs: [Nodes](/nodes), [Nodes CLI](/cli/nodes), [Browser](/tools/browser).
 
 ### Should I install on a second laptop or just add a node
 
@@ -2039,18 +2039,18 @@ Yes. Use **Multi-Agent Routing** to run multiple isolated agents and route inbou
 channel/account/peer. Slack is supported as a channel and can be bound to specific agents.
 
 Browser access is powerful but not "do anything a human can" - anti-bot, CAPTCHAs, and MFA can
-still block automation. For the most reliable browser control, use the Chrome extension relay
-on the machine that runs the browser (and keep the Gateway anywhere).
+still block automation. For the most reliable browser control, use local Chrome MCP on the host,
+or use CDP on the machine that actually runs the browser.
 
 Best-practice setup:
 
 - Always-on Gateway host (VPS/Mac mini).
 - One agent per role (bindings).
 - Slack channel(s) bound to those agents.
-- Local browser via extension relay (or a node) when needed.
+- Local browser via Chrome MCP or a node when needed.
 
 Docs: [Multi-Agent Routing](/concepts/multi-agent), [Slack](/channels/slack),
-[Browser](/tools/browser), [Chrome extension](/tools/chrome-extension), [Nodes](/nodes).
+[Browser](/tools/browser), [Nodes](/nodes).
 
 ## Models: defaults, selection, aliases, switching
 
diff --git a/docs/help/troubleshooting.md b/docs/help/troubleshooting.md
index a3988c4ea58..1660100ba8c 100644
--- a/docs/help/troubleshooting.md
+++ b/docs/help/troubleshooting.md
@@ -278,13 +278,13 @@ flowchart TD
     Good output looks like:
 
     - Browser status shows `running: true` and a chosen browser/profile.
-    - `openclaw` profile starts or `chrome` relay has an attached tab.
+    - `openclaw` starts, or `user` can see local Chrome tabs.
 
     Common log signatures:
 
     - `Failed to start Chrome CDP on port` → local browser launch failed.
     - `browser.executablePath not found` → configured binary path is wrong.
-    - `Chrome extension relay is running, but no tab is connected` → extension not attached.
+    - `No Chrome tabs found for profile="user"` → the Chrome MCP attach profile has no open local Chrome tabs.
     - `Browser attachOnly is enabled ... not reachable` → attach-only profile has no live CDP target.
 
     Deep pages:
@@ -292,7 +292,6 @@ flowchart TD
     - [/gateway/troubleshooting#browser-tool-fails](/gateway/troubleshooting#browser-tool-fails)
     - [/tools/browser-linux-troubleshooting](/tools/browser-linux-troubleshooting)
     - [/tools/browser-wsl2-windows-remote-cdp-troubleshooting](/tools/browser-wsl2-windows-remote-cdp-troubleshooting)
-    - [/tools/chrome-extension](/tools/chrome-extension)
 
   </Accordion>
 </AccordionGroup>
diff --git a/docs/install/docker.md b/docs/install/docker.md
index a3827075202..a9f6b578bd0 100644
--- a/docs/install/docker.md
+++ b/docs/install/docker.md
@@ -713,6 +713,7 @@ an optional noVNC observer (headful via Xvfb).
 
 Notes:
 
+- Docker and other headless/container browser flows stay on raw CDP. Chrome MCP `existing-session` is for host-local Chrome, not container takeover.
 - Headful (Xvfb) reduces bot blocking vs headless.
 - Headless can still be used by setting `agents.defaults.sandbox.browser.headless=true`.
 - No full desktop environment (GNOME) is needed; Xvfb provides the display.
diff --git a/docs/tools/browser-linux-troubleshooting.md b/docs/tools/browser-linux-troubleshooting.md
index 6f9940c1c67..2a5196c3739 100644
--- a/docs/tools/browser-linux-troubleshooting.md
+++ b/docs/tools/browser-linux-troubleshooting.md
@@ -121,19 +121,18 @@ curl -s http://127.0.0.1:18791/tabs
 | `browser.attachOnly`     | Don't launch browser, only attach to existing                        | `false`                                                     |
 | `browser.cdpPort`        | Chrome DevTools Protocol port                                        | `18800`                                                     |
 
-### Problem: "Chrome extension relay is running, but no tab is connected"
+### Problem: "No Chrome tabs found for profile=\"user\""
 
-You're using an extension relay profile. It expects the OpenClaw
-browser extension to be attached to a live tab.
+You're using an `existing-session` / Chrome MCP profile. OpenClaw can see local Chrome,
+but there are no open tabs available to attach to.
 
 Fix options:
 
 1. **Use the managed browser:** `openclaw browser start --browser-profile openclaw`
    (or set `browser.defaultProfile: "openclaw"`).
-2. **Use the extension relay:** install the extension, open a tab, and click the
-   OpenClaw extension icon to attach it.
+2. **Use Chrome MCP:** make sure local Chrome is running with at least one open tab, then retry with `--browser-profile user`.
 
 Notes:
 
-- The `chrome-relay` profile uses your **system default Chromium browser** when possible.
+- `user` is host-only. For Linux servers, containers, or remote hosts, prefer CDP profiles.
 - Local `openclaw` profiles auto-assign `cdpPort`/`cdpUrl`; only set those for remote CDP.
diff --git a/docs/tools/browser-login.md b/docs/tools/browser-login.md
index d570b3b2e87..52135a80673 100644
--- a/docs/tools/browser-login.md
+++ b/docs/tools/browser-login.md
@@ -24,7 +24,6 @@ For agent browser tool calls:
 
 - Default choice: the agent should use its isolated `openclaw` browser.
 - Use `profile="user"` only when existing logged-in sessions matter and the user is at the computer to click/approve any attach prompt.
-- Use `profile="chrome-relay"` only for the Chrome extension / toolbar-button attach flow.
 - If you have multiple user-browser profiles, specify the profile explicitly instead of guessing.
 
 Two easy ways to access it:
diff --git a/docs/tools/browser-wsl2-windows-remote-cdp-troubleshooting.md b/docs/tools/browser-wsl2-windows-remote-cdp-troubleshooting.md
index 2e7844860aa..6824cee6788 100644
--- a/docs/tools/browser-wsl2-windows-remote-cdp-troubleshooting.md
+++ b/docs/tools/browser-wsl2-windows-remote-cdp-troubleshooting.md
@@ -1,9 +1,9 @@
 ---
-summary: "Troubleshoot WSL2 Gateway + Windows Chrome remote CDP and extension-relay setups in layers"
+summary: "Troubleshoot WSL2 Gateway + Windows Chrome remote CDP in layers"
 read_when:
   - Running OpenClaw Gateway in WSL2 while Chrome lives on Windows
   - Seeing overlapping browser/control-ui errors across WSL2 and Windows
-  - Deciding between raw remote CDP and the Chrome extension relay in split-host setups
+  - Deciding between host-local Chrome MCP and raw remote CDP in split-host setups
 title: "WSL2 + Windows + remote Chrome CDP troubleshooting"
 ---
 
@@ -21,27 +21,27 @@ It also covers the layered failure pattern from [issue #39369](https://github.co
 
 You have two valid patterns:
 
-### Option 1: Raw remote CDP
+### Option 1: Raw remote CDP from WSL2 to Windows
 
 Use a remote browser profile that points from WSL2 to a Windows Chrome CDP endpoint.
 
 Choose this when:
 
-- you only need browser control
-- you are comfortable exposing Chrome remote debugging to WSL2
-- you do not need the Chrome extension relay
+- the Gateway stays inside WSL2
+- Chrome runs on Windows
+- you need browser control to cross the WSL2/Windows boundary
 
-### Option 2: Chrome extension relay
+### Option 2: Host-local Chrome MCP
 
-Use the built-in `chrome-relay` profile plus the OpenClaw Chrome extension.
+Use `existing-session` / `user` only when the Gateway itself runs on the same host as Chrome.
 
 Choose this when:
 
-- you want to attach to an existing Windows Chrome tab with the toolbar button
-- you want extension-based control instead of raw `--remote-debugging-port`
-- the relay itself must be reachable across the WSL2/Windows boundary
+- OpenClaw and Chrome are on the same machine
+- you want the local signed-in browser state
+- you do not need cross-host browser transport
 
-If you use the extension relay across namespaces, `browser.relayBindHost` is the important setting introduced in [Browser](/tools/browser) and [Chrome extension](/tools/chrome-extension).
+For WSL2 Gateway + Windows Chrome, prefer raw remote CDP. Chrome MCP is host-local, not a WSL2-to-Windows bridge.
 
 ## Working architecture
 
@@ -62,7 +62,6 @@ Several failures can overlap:
 - `gateway.controlUi.allowedOrigins` does not match the page origin
 - token or pairing is missing
 - the browser profile points at the wrong address
-- the extension relay is still loopback-only when you actually need cross-namespace access
 
 Because of that, fixing one layer can still leave a different error visible.
 
@@ -145,31 +144,7 @@ Notes:
 - keep `attachOnly: true` for externally managed browsers
 - test the same URL with `curl` before expecting OpenClaw to succeed
 
-### Layer 4: If you use the Chrome extension relay instead
-
-If the browser machine and the Gateway are separated by a namespace boundary, the relay may need a non-loopback bind address.
-
-Example:
-
-```json5
-{
-  browser: {
-    enabled: true,
-    defaultProfile: "chrome-relay",
-    relayBindHost: "0.0.0.0",
-  },
-}
-```
-
-Use this only when needed:
-
-- default behavior is safer because the relay stays loopback-only
-- `0.0.0.0` expands exposure surface
-- keep Gateway auth, node pairing, and the surrounding network private
-
-If you do not need the extension relay, prefer the raw remote CDP profile above.
-
-### Layer 5: Verify the Control UI layer separately
+### Layer 4: Verify the Control UI layer separately
 
 Open the UI from Windows:
 
@@ -185,7 +160,7 @@ Helpful page:
 
 - [Control UI](/web/control-ui)
 
-### Layer 6: Verify end-to-end browser control
+### Layer 5: Verify end-to-end browser control
 
 From WSL2:
 
@@ -194,12 +169,6 @@ openclaw browser open https://example.com --browser-profile remote
 openclaw browser tabs --browser-profile remote
 ```
 
-For the extension relay:
-
-```bash
-openclaw browser tabs --browser-profile chrome-relay
-```
-
 Good result:
 
 - the tab opens in Windows Chrome
@@ -220,8 +189,8 @@ Treat each message as a layer-specific clue:
   - WSL2 cannot reach the configured `cdpUrl`
 - `gateway timeout after 1500ms`
   - often still CDP reachability or a slow/unreachable remote endpoint
-- `Chrome extension relay is running, but no tab is connected`
-  - extension relay profile selected, but no attached tab exists yet
+- `No Chrome tabs found for profile="user"`
+  - local Chrome MCP profile selected where no host-local tabs are available
 
 ## Fast triage checklist
 
@@ -229,11 +198,11 @@ Treat each message as a layer-specific clue:
 2. WSL2: does `curl http://WINDOWS_HOST_OR_IP:9222/json/version` work?
 3. OpenClaw config: does `browser.profiles.<name>.cdpUrl` use that exact WSL2-reachable address?
 4. Control UI: are you opening `http://127.0.0.1:18789/` instead of a LAN IP?
-5. Extension relay only: do you actually need `browser.relayBindHost`, and if so is it set explicitly?
+5. Are you trying to use `existing-session` across WSL2 and Windows instead of raw remote CDP?
 
 ## Practical takeaway
 
-The setup is usually viable. The hard part is that browser transport, Control UI origin security, token/pairing, and extension-relay topology can each fail independently while looking similar from the user side.
+The setup is usually viable. The hard part is that browser transport, Control UI origin security, and token/pairing can each fail independently while looking similar from the user side.
 
 When in doubt:
 
diff --git a/docs/tools/browser.md b/docs/tools/browser.md
index c760c23998c..19ee23a25ca 100644
--- a/docs/tools/browser.md
+++ b/docs/tools/browser.md
@@ -18,8 +18,7 @@ Beginner view:
 - Think of it as a **separate, agent-only browser**.
 - The `openclaw` profile does **not** touch your personal browser profile.
 - The agent can **open tabs, read pages, click, and type** in a safe lane.
-- The built-in `user` profile attaches to your real signed-in Chrome session;
-  `chrome-relay` is the explicit extension-relay profile.
+- The built-in `user` profile attaches to your real signed-in Chrome session via Chrome MCP.
 
 ## What you get
 
@@ -43,21 +42,17 @@ openclaw browser --browser-profile openclaw snapshot
 If you get “Browser disabled”, enable it in config (see below) and restart the
 Gateway.
 
-## Profiles: `openclaw` vs `user` vs `chrome-relay`
+## Profiles: `openclaw` vs `user`
 
 - `openclaw`: managed, isolated browser (no extension required).
 - `user`: built-in Chrome MCP attach profile for your **real signed-in Chrome**
   session.
-- `chrome-relay`: extension relay to your **system browser** (requires the
-  OpenClaw extension to be attached to a tab).
 
 For agent browser tool calls:
 
 - Default: use the isolated `openclaw` browser.
 - Prefer `profile="user"` when existing logged-in sessions matter and the user
   is at the computer to click/approve any attach prompt.
-- Use `profile="chrome-relay"` only when the user explicitly wants the Chrome
-  extension / toolbar-button attach flow.
 - `profile` is the explicit override when you want a specific browser mode.
 
 Set `browser.defaultProfile: "openclaw"` if you want managed mode by default.
@@ -93,11 +88,6 @@ Browser settings live in `~/.openclaw/openclaw.json`.
         attachOnly: true,
         color: "#00AA00",
       },
-      "chrome-relay": {
-        driver: "extension",
-        cdpUrl: "http://127.0.0.1:18792",
-        color: "#00AA00",
-      },
       remote: { cdpUrl: "http://10.0.0.42:9222", color: "#00AA00" },
     },
   },
@@ -107,10 +97,10 @@ Browser settings live in `~/.openclaw/openclaw.json`.
 Notes:
 
 - The browser control service binds to loopback on a port derived from `gateway.port`
-  (default: `18791`, which is gateway + 2). The relay uses the next port (`18792`).
+  (default: `18791`, which is gateway + 2).
 - If you override the Gateway port (`gateway.port` or `OPENCLAW_GATEWAY_PORT`),
   the derived browser ports shift to stay in the same “family”.
-- `cdpUrl` defaults to the relay port when unset.
+- `cdpUrl` defaults to the managed local CDP port when unset.
 - `remoteCdpTimeoutMs` applies to remote (non-loopback) CDP reachability checks.
 - `remoteCdpHandshakeTimeoutMs` applies to remote CDP WebSocket reachability checks.
 - Browser navigation/open-tab is SSRF-guarded before navigation and best-effort re-checked on final `http(s)` URL after navigation.
@@ -119,7 +109,7 @@ Notes:
 - `browser.ssrfPolicy.allowPrivateNetwork` remains supported as a legacy alias for compatibility.
 - `attachOnly: true` means “never launch a local browser; only attach if it is already running.”
 - `color` + per-profile `color` tint the browser UI so you can see which profile is active.
-- Default profile is `openclaw` (OpenClaw-managed standalone browser). Use `defaultProfile: "user"` to opt into the signed-in user browser, or `defaultProfile: "chrome-relay"` for the extension relay.
+- Default profile is `openclaw` (OpenClaw-managed standalone browser). Use `defaultProfile: "user"` to opt into the signed-in user browser.
 - Auto-detect order: system default browser if Chromium-based; otherwise Chrome → Brave → Edge → Chromium → Chrome Canary.
 - Local `openclaw` profiles auto-assign `cdpPort`/`cdpUrl` — set those only for remote CDP.
 - `driver: "existing-session"` uses Chrome DevTools MCP instead of raw CDP. Do
@@ -287,77 +277,18 @@ OpenClaw supports multiple named profiles (routing configs). Profiles can be:
 
 - **openclaw-managed**: a dedicated Chromium-based browser instance with its own user data directory + CDP port
 - **remote**: an explicit CDP URL (Chromium-based browser running elsewhere)
-- **extension relay**: your existing Chrome tab(s) via the local relay + Chrome extension
 - **existing session**: your existing Chrome profile via Chrome DevTools MCP auto-connect
 
 Defaults:
 
 - The `openclaw` profile is auto-created if missing.
-- The `chrome-relay` profile is built-in for the Chrome extension relay (points at `http://127.0.0.1:18792` by default).
-- Existing-session profiles are opt-in; create them with `--driver existing-session`.
+- The `user` profile is built-in for Chrome MCP existing-session attach.
+- Existing-session profiles are opt-in beyond `user`; create them with `--driver existing-session`.
 - Local CDP ports allocate from **18800–18899** by default.
 - Deleting a profile moves its local data directory to Trash.
 
 All control endpoints accept `?profile=<name>`; the CLI uses `--browser-profile`.
 
-## Chrome extension relay (use your existing Chrome)
-
-OpenClaw can also drive **your existing Chrome tabs** (no separate “openclaw” Chrome instance) via a local CDP relay + a Chrome extension.
-
-Full guide: [Chrome extension](/tools/chrome-extension)
-
-Flow:
-
-- The Gateway runs locally (same machine) or a node host runs on the browser machine.
-- A local **relay server** listens at a loopback `cdpUrl` (default: `http://127.0.0.1:18792`).
-- You click the **OpenClaw Browser Relay** extension icon on a tab to attach (it does not auto-attach).
-- The agent controls that tab via the normal `browser` tool, by selecting the right profile.
-
-If the Gateway runs elsewhere, run a node host on the browser machine so the Gateway can proxy browser actions.
-
-### Sandboxed sessions
-
-If the agent session is sandboxed, the `browser` tool may default to `target="sandbox"` (sandbox browser).
-Chrome extension relay takeover requires host browser control, so either:
-
-- run the session unsandboxed, or
-- set `agents.defaults.sandbox.browser.allowHostControl: true` and use `target="host"` when calling the tool.
-
-### Setup
-
-1. Load the extension (dev/unpacked):
-
-```bash
-openclaw browser extension install
-```
-
-- Chrome → `chrome://extensions` → enable “Developer mode”
-- “Load unpacked” → select the directory printed by `openclaw browser extension path`
-- Pin the extension, then click it on the tab you want to control (badge shows `ON`).
-
-2. Use it:
-
-- CLI: `openclaw browser --browser-profile chrome-relay tabs`
-- Agent tool: `browser` with `profile="chrome-relay"`
-
-Optional: if you want a different name or relay port, create your own profile:
-
-```bash
-openclaw browser create-profile \
-  --name my-chrome \
-  --driver extension \
-  --cdp-url http://127.0.0.1:18792 \
-  --color "#00AA00"
-```
-
-Notes:
-
-- This mode relies on Playwright-on-CDP for most operations (screenshots/snapshots/actions).
-- Detach by clicking the extension icon again.
-- Agent use: prefer `profile="user"` for logged-in sites. Use `profile="chrome-relay"`
-  only when you specifically want the extension flow. The user must be present
-  to click the extension and attach the tab.
-
 ## Chrome existing-session via MCP
 
 OpenClaw can also attach to a running Chrome profile through the official
@@ -404,13 +335,14 @@ What to check if attach does not work:
 - Chrome is version `144+`
 - remote debugging is enabled at `chrome://inspect/#remote-debugging`
 - Chrome showed and you accepted the attach consent prompt
+- `openclaw doctor` migrates old extension-based browser config and checks that
+  Chrome is installed locally with a compatible version, but it cannot enable
+  Chrome-side remote debugging for you
 
 Agent use:
 
 - Use `profile="user"` when you need the user’s logged-in browser state.
 - If you use a custom existing-session profile, pass that explicit profile name.
-- Prefer `profile="user"` over `profile="chrome-relay"` unless the user
-  explicitly wants the extension / attach-tab flow.
 - Only choose this mode when the user is at the computer to approve the attach
   prompt.
 - the Gateway or node host can spawn `npx chrome-devtools-mcp@latest --autoConnect`
@@ -427,21 +359,10 @@ Notes:
   captures from snapshots, but not CSS `--element` selectors.
 - Existing-session `wait --url` supports exact, substring, and glob patterns
   like other browser drivers. `wait --load networkidle` is not supported yet.
-- Some features still require the extension relay or managed browser path, such
-  as PDF export and download interception.
-- Leave the relay loopback-only by default. If the relay must be reachable from a different network namespace (for example Gateway in WSL2, Chrome on Windows), set `browser.relayBindHost` to an explicit bind address such as `0.0.0.0` while keeping the surrounding network private and authenticated.
-
-WSL2 / cross-namespace example:
-
-```json5
-{
-  browser: {
-    enabled: true,
-    relayBindHost: "0.0.0.0",
-    defaultProfile: "chrome-relay",
-  },
-}
-```
+- Some features still require the managed browser path, such as PDF export and
+  download interception.
+- Existing-session is host-local. If Chrome lives on a different machine or a
+  different network namespace, use remote CDP or a node host instead.
 
 ## Isolation guarantees
 
@@ -496,7 +417,6 @@ If gateway auth is configured, browser HTTP routes require auth too:
 Some features (navigate/act/AI snapshot/role snapshot, element screenshots, PDF) require
 Playwright. If Playwright isn’t installed, those endpoints return a clear 501
 error. ARIA snapshots and basic screenshots still work for openclaw-managed Chrome.
-For the Chrome extension relay driver, ARIA snapshots and screenshots require Playwright.
 
 If you see `Playwright is not available in this gateway build`, install the full
 Playwright package (not `playwright-core`) and restart the gateway, or reinstall
diff --git a/docs/tools/chrome-extension.md b/docs/tools/chrome-extension.md
deleted file mode 100644
index 831897b9bde..00000000000
--- a/docs/tools/chrome-extension.md
+++ /dev/null
@@ -1,203 +0,0 @@
----
-summary: "Chrome extension: let OpenClaw drive your existing Chrome tab"
-read_when:
-  - You want the agent to drive an existing Chrome tab (toolbar button)
-  - You need remote Gateway + local browser automation via Tailscale
-  - You want to understand the security implications of browser takeover
-title: "Chrome Extension"
----
-
-# Chrome extension (browser relay)
-
-The OpenClaw Chrome extension lets the agent control your **existing Chrome tabs** (your normal Chrome window) instead of launching a separate openclaw-managed Chrome profile.
-
-Attach/detach happens via a **single Chrome toolbar button**.
-
-If you want Chrome’s official DevTools MCP attach flow instead of the OpenClaw
-extension relay, use an `existing-session` browser profile instead. See
-[Browser](/tools/browser#chrome-existing-session-via-mcp). For Chrome’s own
-setup docs, see [Chrome for Developers: Use Chrome DevTools MCP with your
-browser session](https://developer.chrome.com/blog/chrome-devtools-mcp-debug-your-browser-session)
-and the [Chrome DevTools MCP README](https://github.com/ChromeDevTools/chrome-devtools-mcp).
-
-## What it is (concept)
-
-There are three parts:
-
-- **Browser control service** (Gateway or node): the API the agent/tool calls (via the Gateway)
-- **Local relay server** (loopback CDP): bridges between the control server and the extension (`http://127.0.0.1:18792` by default)
-- **Chrome MV3 extension**: attaches to the active tab using `chrome.debugger` and pipes CDP messages to the relay
-
-OpenClaw then controls the attached tab through the normal `browser` tool surface (selecting the right profile).
-
-## Install / load (unpacked)
-
-1. Install the extension to a stable local path:
-
-```bash
-openclaw browser extension install
-```
-
-2. Print the installed extension directory path:
-
-```bash
-openclaw browser extension path
-```
-
-3. Chrome → `chrome://extensions`
-
-- Enable “Developer mode”
-- “Load unpacked” → select the directory printed above
-
-4. Pin the extension.
-
-## Updates (no build step)
-
-The extension ships inside the OpenClaw release (npm package) as static files. There is no separate “build” step.
-
-After upgrading OpenClaw:
-
-- Re-run `openclaw browser extension install` to refresh the installed files under your OpenClaw state directory.
-- Chrome → `chrome://extensions` → click “Reload” on the extension.
-
-## Use it (set gateway token once)
-
-To use the extension relay, create a browser profile for it:
-
-Before first attach, open extension Options and set:
-
-- `Port` (default `18792`)
-- `Gateway token` (must match `gateway.auth.token` / `OPENCLAW_GATEWAY_TOKEN`)
-
-Then create a profile:
-
-```bash
-openclaw browser create-profile \
-  --name my-chrome \
-  --driver extension \
-  --cdp-url http://127.0.0.1:18792 \
-  --color "#00AA00"
-```
-
-Use it:
-
-- CLI: `openclaw browser --browser-profile my-chrome tabs`
-- Agent tool: `browser` with `profile="my-chrome"`
-
-### Custom Gateway ports
-
-If you're using a custom gateway port, the extension relay port is automatically derived:
-
-**Extension Relay Port = Gateway Port + 3**
-
-Example: if `gateway.port: 19001`, then:
-
-- Extension relay port: `19004` (gateway + 3)
-
-Configure the extension to use the derived relay port in the extension Options page.
-
-## Attach / detach (toolbar button)
-
-- Open the tab you want OpenClaw to control.
-- Click the extension icon.
-  - Badge shows `ON` when attached.
-- Click again to detach.
-
-## Which tab does it control?
-
-- It does **not** automatically control “whatever tab you’re looking at”.
-- It controls **only the tab(s) you explicitly attached** by clicking the toolbar button.
-- To switch: open the other tab and click the extension icon there.
-
-## Badge + common errors
-
-- `ON`: attached; OpenClaw can drive that tab.
-- `…`: connecting to the local relay.
-- `!`: relay not reachable/authenticated (most common: relay server not running, or gateway token missing/wrong).
-
-If you see `!`:
-
-- Make sure the Gateway is running locally (default setup), or run a node host on this machine if the Gateway runs elsewhere.
-- Open the extension Options page; it validates relay reachability + gateway-token auth.
-
-## Remote Gateway (use a node host)
-
-### Local Gateway (same machine as Chrome) — usually **no extra steps**
-
-If the Gateway runs on the same machine as Chrome, it starts the browser control service on loopback
-and auto-starts the relay server. The extension talks to the local relay; the CLI/tool calls go to the Gateway.
-
-### Remote Gateway (Gateway runs elsewhere) — **run a node host**
-
-If your Gateway runs on another machine, start a node host on the machine that runs Chrome.
-The Gateway will proxy browser actions to that node; the extension + relay stay local to the browser machine.
-
-If multiple nodes are connected, pin one with `gateway.nodes.browser.node` or set `gateway.nodes.browser.mode`.
-
-## Sandboxing (tool containers)
-
-If your agent session is sandboxed (`agents.defaults.sandbox.mode != "off"`), the `browser` tool can be restricted:
-
-- By default, sandboxed sessions often target the **sandbox browser** (`target="sandbox"`), not your host Chrome.
-- Chrome extension relay takeover requires controlling the **host** browser control server.
-
-Options:
-
-- Easiest: use the extension from a **non-sandboxed** session/agent.
-- Or allow host browser control for sandboxed sessions:
-
-```json5
-{
-  agents: {
-    defaults: {
-      sandbox: {
-        browser: {
-          allowHostControl: true,
-        },
-      },
-    },
-  },
-}
-```
-
-Then ensure the tool isn’t denied by tool policy, and (if needed) call `browser` with `target="host"`.
-
-Debugging: `openclaw sandbox explain`
-
-## Remote access tips
-
-- Keep the Gateway and node host on the same tailnet; avoid exposing relay ports to LAN or public Internet.
-- Pair nodes intentionally; disable browser proxy routing if you don’t want remote control (`gateway.nodes.browser.mode="off"`).
-- Leave the relay on loopback unless you have a real cross-namespace need. For WSL2 or similar split-host setups, set `browser.relayBindHost` to an explicit bind address such as `0.0.0.0`, then keep access constrained with Gateway auth, node pairing, and a private network.
-
-## How “extension path” works
-
-`openclaw browser extension path` prints the **installed** on-disk directory containing the extension files.
-
-The CLI intentionally does **not** print a `node_modules` path. Always run `openclaw browser extension install` first to copy the extension to a stable location under your OpenClaw state directory.
-
-If you move or delete that install directory, Chrome will mark the extension as broken until you reload it from a valid path.
-
-## Security implications (read this)
-
-This is powerful and risky. Treat it like giving the model “hands on your browser”.
-
-- The extension uses Chrome’s debugger API (`chrome.debugger`). When attached, the model can:
-  - click/type/navigate in that tab
-  - read page content
-  - access whatever the tab’s logged-in session can access
-- **This is not isolated** like the dedicated openclaw-managed profile.
-  - If you attach to your daily-driver profile/tab, you’re granting access to that account state.
-
-Recommendations:
-
-- Prefer a dedicated Chrome profile (separate from your personal browsing) for extension relay usage.
-- Keep the Gateway and any node hosts tailnet-only; rely on Gateway auth + node pairing.
-- Avoid exposing relay ports over LAN (`0.0.0.0`) and avoid Funnel (public).
-- The relay blocks non-extension origins and requires gateway-token auth for both `/cdp` and `/extension`.
-
-Related:
-
-- Browser tool overview: [Browser](/tools/browser)
-- Security audit: [Security](/gateway/security)
-- Tailscale setup: [Tailscale](/gateway/tailscale)
diff --git a/docs/tools/index.md b/docs/tools/index.md
index dbca6cd26bf..deb42b0d76a 100644
--- a/docs/tools/index.md
+++ b/docs/tools/index.md
@@ -318,8 +318,7 @@ Common parameters:
 - All actions accept optional `profile` parameter for multi-instance support.
 - Omit `profile` for the safe default: isolated OpenClaw-managed browser (`openclaw`).
 - Use `profile="user"` for the real local host browser when existing logins/cookies matter and the user is present to click/approve any attach prompt.
-- Use `profile="chrome-relay"` only for the Chrome extension / toolbar-button attach flow.
-- `profile="user"` and `profile="chrome-relay"` are host-only; do not combine them with sandbox/node targets.
+- `profile="user"` is host-only; do not combine it with sandbox/node targets.
 - When `profile` is omitted, uses `browser.defaultProfile` (defaults to `openclaw`).
 - Profile names: lowercase alphanumeric + hyphens only (max 64 chars).
 - Port range: 18800-18899 (~100 profiles max).
diff --git a/scripts/test-parallel.mjs b/scripts/test-parallel.mjs
index c818344f886..76a0be3b466 100644
--- a/scripts/test-parallel.mjs
+++ b/scripts/test-parallel.mjs
@@ -60,7 +60,6 @@ const unitIsolatedFilesRaw = [
   // Skills discovery/snapshot suites are filesystem-heavy and high-variance in vmForks lanes.
   "src/agents/skills.test.ts",
   "src/agents/skills.buildworkspaceskillsnapshot.test.ts",
-  "src/browser/extension-relay.test.ts",
   "extensions/acpx/src/runtime.test.ts",
   // Shell-heavy script harness can contend under vmForks startup bursts.
   "test/scripts/ios-team-id.test.ts",
diff --git a/src/agents/tools/browser-tool.actions.ts b/src/agents/tools/browser-tool.actions.ts
index 0d0f5e26abb..dc78557eab2 100644
--- a/src/agents/tools/browser-tool.actions.ts
+++ b/src/agents/tools/browser-tool.actions.ts
@@ -1,7 +1,9 @@
 import type { AgentToolResult } from "@mariozechner/pi-agent-core";
 import { browserAct, browserConsoleMessages } from "../../browser/client-actions.js";
 import { browserSnapshot, browserTabs } from "../../browser/client.js";
+import { resolveBrowserConfig, resolveProfile } from "../../browser/config.js";
 import { DEFAULT_AI_SNAPSHOT_MAX_CHARS } from "../../browser/constants.js";
+import { getBrowserProfileCapabilities } from "../../browser/profile-capabilities.js";
 import { loadConfig } from "../../config/config.js";
 import { wrapExternalContent } from "../../security/external-content.js";
 import { imageResultFromFile, jsonResult } from "./common.js";
@@ -74,7 +76,17 @@ function formatConsoleToolResult(result: {
 }
 
 function isChromeStaleTargetError(profile: string | undefined, err: unknown): boolean {
-  if (profile !== "chrome-relay" && profile !== "chrome" && profile !== "user") {
+  if (!profile) {
+    return false;
+  }
+  if (profile === "user") {
+    const msg = String(err);
+    return msg.includes("404:") && msg.includes("tab not found");
+  }
+  const cfg = loadConfig();
+  const resolved = resolveBrowserConfig(cfg.browser, cfg);
+  const browserProfile = resolveProfile(resolved, profile);
+  if (!browserProfile || !getBrowserProfileCapabilities(browserProfile).usesChromeMcp) {
     return false;
   }
   const msg = String(err);
@@ -334,12 +346,8 @@ export async function executeActAction(params: {
         }
       }
       if (!tabs.length) {
-        // Extension relay profiles need the toolbar icon click; Chrome MCP just needs Chrome running.
-        const isRelayProfile = profile === "chrome-relay" || profile === "chrome";
         throw new Error(
-          isRelayProfile
-            ? "No Chrome tabs are attached via the OpenClaw Browser Relay extension. Click the toolbar icon on the tab you want to control (badge ON), then retry."
-            : `No Chrome tabs found for profile="${profile}". Make sure Chrome (v146+) is running and has open tabs, then retry.`,
+          `No Chrome tabs found for profile="${profile}". Make sure Chrome (v144+) is running and has open tabs, then retry.`,
           { cause: err },
         );
       }
diff --git a/src/agents/tools/browser-tool.test.ts b/src/agents/tools/browser-tool.test.ts
index b938d177624..622fa7ed8b3 100644
--- a/src/agents/tools/browser-tool.test.ts
+++ b/src/agents/tools/browser-tool.test.ts
@@ -64,12 +64,7 @@ const browserConfigMocks = vi.hoisted(() => ({
     if (!profile) {
       return null;
     }
-    const driver =
-      profile.driver === "extension"
-        ? "extension"
-        : profile.driver === "existing-session"
-          ? "existing-session"
-          : "openclaw";
+    const driver = profile.driver === "existing-session" ? "existing-session" : "openclaw";
     if (driver === "existing-session") {
       return {
         name,
@@ -287,29 +282,6 @@ describe("browser tool snapshot maxChars", () => {
     expect(opts?.mode).toBeUndefined();
   });
 
-  it("defaults to host when using an explicit extension relay profile (even in sandboxed sessions)", async () => {
-    setResolvedBrowserProfiles({
-      relay: {
-        driver: "extension",
-        cdpUrl: "http://127.0.0.1:18792",
-        color: "#0066CC",
-      },
-    });
-    const tool = createBrowserTool({ sandboxBridgeUrl: "http://127.0.0.1:9999" });
-    await tool.execute?.("call-1", {
-      action: "snapshot",
-      profile: "relay",
-      snapshotFormat: "ai",
-    });
-
-    expect(browserClientMocks.browserSnapshot).toHaveBeenCalledWith(
-      undefined,
-      expect.objectContaining({
-        profile: "relay",
-      }),
-    );
-  });
-
   it("defaults to host when using profile=user (even in sandboxed sessions)", async () => {
     setResolvedBrowserProfiles({
       user: { driver: "existing-session", attachOnly: true, color: "#00AA00" },
diff --git a/src/agents/tools/browser-tool.ts b/src/agents/tools/browser-tool.ts
index 54ddab2cb1f..c0111ab9977 100644
--- a/src/agents/tools/browser-tool.ts
+++ b/src/agents/tools/browser-tool.ts
@@ -290,7 +290,7 @@ function shouldPreferHostForProfile(profileName: string | undefined) {
     return false;
   }
   const capabilities = getBrowserProfileCapabilities(profile);
-  return capabilities.requiresRelay || capabilities.usesChromeMcp;
+  return capabilities.usesChromeMcp;
 }
 
 export function createBrowserTool(opts?: {
@@ -307,7 +307,7 @@ export function createBrowserTool(opts?: {
     description: [
       "Control the browser via OpenClaw's browser control server (status/start/stop/profiles/tabs/open/snapshot/screenshot/actions).",
       "Browser choice: omit profile by default for the isolated OpenClaw-managed browser (`openclaw`).",
-      'For the logged-in user browser on the local host, use profile="user". Chrome (v146+) must be running. Use only when existing logins/cookies matter and the user is present.',
+      'For the logged-in user browser on the local host, use profile="user". Chrome (v144+) must be running. Use only when existing logins/cookies matter and the user is present.',
       'When a node-hosted browser proxy is available, the tool may auto-route to it. Pin a node with node=<id|name> or target="node".',
       "When using refs from snapshot (e.g. e12), keep the same tab: prefer passing targetId from the snapshot response into subsequent actions (act/click/type/etc).",
       'For stable, self-resolving refs across calls, use snapshot with refs="aria" (Playwright aria-ref ids). Default refs="role" are role+name-based.',
@@ -326,7 +326,7 @@ export function createBrowserTool(opts?: {
       if (requestedNode && target && target !== "node") {
         throw new Error('node is only supported with target="node".');
       }
-      // User-browser profiles (existing-session, extension relay) are host-only.
+      // User-browser profiles (existing-session) are host-only.
       const isUserBrowserProfile = shouldPreferHostForProfile(profile);
       if (isUserBrowserProfile) {
         if (requestedNode || target === "node") {
diff --git a/src/browser/browser-utils.test.ts b/src/browser/browser-utils.test.ts
index accd36ba7ac..5bd45952321 100644
--- a/src/browser/browser-utils.test.ts
+++ b/src/browser/browser-utils.test.ts
@@ -7,15 +7,10 @@ import {
 import { __test } from "./client-fetch.js";
 import { resolveBrowserConfig, resolveProfile } from "./config.js";
 import { shouldRejectBrowserMutation } from "./csrf.js";
-import {
-  ensureChromeExtensionRelayServer,
-  stopChromeExtensionRelayServer,
-} from "./extension-relay.js";
 import { toBoolean } from "./routes/utils.js";
 import type { BrowserServerState } from "./server-context.js";
 import { listKnownProfileNames } from "./server-context.js";
 import { resolveTargetIdFromTabs } from "./target-id.js";
-import { getFreePort } from "./test-port.js";
 
 describe("toBoolean", () => {
   it("parses yes/no and 1/0", () => {
@@ -195,29 +190,8 @@ describe("cdp.helpers", () => {
     expect(headers.Authorization).toBe("Bearer token");
   });
 
-  it("does not add relay header for unknown loopback ports", () => {
-    const headers = getHeadersWithAuth("http://127.0.0.1:19444/json/version");
-    expect(headers["x-openclaw-relay-token"]).toBeUndefined();
-  });
-
-  it("adds relay header for known relay ports", async () => {
-    const port = await getFreePort();
-    const cdpUrl = `http://127.0.0.1:${port}`;
-    const prev = process.env.OPENCLAW_GATEWAY_TOKEN;
-    process.env.OPENCLAW_GATEWAY_TOKEN = "test-gateway-token";
-    try {
-      await ensureChromeExtensionRelayServer({ cdpUrl });
-      const headers = getHeadersWithAuth(`${cdpUrl}/json/version`);
-      expect(headers["x-openclaw-relay-token"]).toBeTruthy();
-      expect(headers["x-openclaw-relay-token"]).not.toBe("test-gateway-token");
-    } finally {
-      await stopChromeExtensionRelayServer({ cdpUrl }).catch(() => {});
-      if (prev === undefined) {
-        delete process.env.OPENCLAW_GATEWAY_TOKEN;
-      } else {
-        process.env.OPENCLAW_GATEWAY_TOKEN = prev;
-      }
-    }
+  it("does not add custom headers when none are required", () => {
+    expect(getHeadersWithAuth("http://127.0.0.1:19444/json/version")).toEqual({});
   });
 });
 
diff --git a/src/browser/cdp.helpers.ts b/src/browser/cdp.helpers.ts
index 399f0582d88..3bc02362b55 100644
--- a/src/browser/cdp.helpers.ts
+++ b/src/browser/cdp.helpers.ts
@@ -6,7 +6,6 @@ import { redactSensitiveText } from "../logging/redact.js";
 import { getDirectAgentForCdp, withNoProxyForCdpUrl } from "./cdp-proxy-bypass.js";
 import { CDP_HTTP_REQUEST_TIMEOUT_MS, CDP_WS_HANDSHAKE_TIMEOUT_MS } from "./cdp-timeouts.js";
 import { resolveBrowserRateLimitMessage } from "./client-fetch.js";
-import { getChromeExtensionRelayAuthHeaders } from "./extension-relay.js";
 
 export { isLoopbackHost };
 
@@ -76,8 +75,7 @@ export type CdpSendFn = (
 ) => Promise<unknown>;
 
 export function getHeadersWithAuth(url: string, headers: Record<string, string> = {}) {
-  const relayHeaders = getChromeExtensionRelayAuthHeaders(url);
-  const mergedHeaders = { ...relayHeaders, ...headers };
+  const mergedHeaders = { ...headers };
   try {
     const parsed = new URL(url);
     const hasAuthHeader = Object.keys(mergedHeaders).some(
diff --git a/src/browser/chrome-extension-background-utils.test.ts b/src/browser/chrome-extension-background-utils.test.ts
deleted file mode 100644
index b22b602116c..00000000000
--- a/src/browser/chrome-extension-background-utils.test.ts
+++ /dev/null
@@ -1,133 +0,0 @@
-import { createRequire } from "node:module";
-import { describe, expect, it } from "vitest";
-
-type BackgroundUtilsModule = {
-  buildRelayWsUrl: (port: number, gatewayToken: string) => Promise<string>;
-  deriveRelayToken: (gatewayToken: string, port: number) => Promise<string>;
-  isLastRemainingTab: (
-    allTabs: Array<{ id?: number | undefined } | null | undefined>,
-    tabIdToClose: number,
-  ) => boolean;
-  isMissingTabError: (err: unknown) => boolean;
-  isRetryableReconnectError: (err: unknown) => boolean;
-  reconnectDelayMs: (
-    attempt: number,
-    opts?: { baseMs?: number; maxMs?: number; jitterMs?: number; random?: () => number },
-  ) => number;
-};
-
-const require = createRequire(import.meta.url);
-const BACKGROUND_UTILS_MODULE = "../../assets/chrome-extension/background-utils.js";
-
-async function loadBackgroundUtils(): Promise<BackgroundUtilsModule> {
-  try {
-    return require(BACKGROUND_UTILS_MODULE) as BackgroundUtilsModule;
-  } catch (error) {
-    const message = error instanceof Error ? error.message : String(error);
-    if (!message.includes("Unexpected token 'export'")) {
-      throw error;
-    }
-    return (await import(BACKGROUND_UTILS_MODULE)) as BackgroundUtilsModule;
-  }
-}
-
-const {
-  buildRelayWsUrl,
-  deriveRelayToken,
-  isLastRemainingTab,
-  isMissingTabError,
-  isRetryableReconnectError,
-  reconnectDelayMs,
-} = await loadBackgroundUtils();
-
-describe("chrome extension background utils", () => {
-  it("derives relay token as HMAC-SHA256 of gateway token and port", async () => {
-    const relayToken = await deriveRelayToken("test-gateway-token", 18792);
-    expect(relayToken).toMatch(/^[0-9a-f]{64}$/);
-    const relayToken2 = await deriveRelayToken("test-gateway-token", 18792);
-    expect(relayToken).toBe(relayToken2);
-    const differentPort = await deriveRelayToken("test-gateway-token", 9999);
-    expect(relayToken).not.toBe(differentPort);
-  });
-
-  it("builds websocket url with derived relay token", async () => {
-    const url = await buildRelayWsUrl(18792, "test-token");
-    expect(url).toMatch(/^ws:\/\/127\.0\.0\.1:18792\/extension\?token=[0-9a-f]{64}$/);
-  });
-
-  it("throws when gateway token is missing", async () => {
-    await expect(buildRelayWsUrl(18792, "")).rejects.toThrow(/Missing gatewayToken/);
-    await expect(buildRelayWsUrl(18792, "   ")).rejects.toThrow(/Missing gatewayToken/);
-  });
-
-  it("uses exponential backoff from attempt index", () => {
-    expect(reconnectDelayMs(0, { baseMs: 1000, maxMs: 30000, jitterMs: 0, random: () => 0 })).toBe(
-      1000,
-    );
-    expect(reconnectDelayMs(1, { baseMs: 1000, maxMs: 30000, jitterMs: 0, random: () => 0 })).toBe(
-      2000,
-    );
-    expect(reconnectDelayMs(4, { baseMs: 1000, maxMs: 30000, jitterMs: 0, random: () => 0 })).toBe(
-      16000,
-    );
-  });
-
-  it("caps reconnect delay at max", () => {
-    const delay = reconnectDelayMs(20, {
-      baseMs: 1000,
-      maxMs: 30000,
-      jitterMs: 0,
-      random: () => 0,
-    });
-    expect(delay).toBe(30000);
-  });
-
-  it("adds jitter using injected random source", () => {
-    const delay = reconnectDelayMs(3, {
-      baseMs: 1000,
-      maxMs: 30000,
-      jitterMs: 1000,
-      random: () => 0.25,
-    });
-    expect(delay).toBe(8250);
-  });
-
-  it("sanitizes invalid attempts and options", () => {
-    expect(reconnectDelayMs(-2, { baseMs: 1000, maxMs: 30000, jitterMs: 0, random: () => 0 })).toBe(
-      1000,
-    );
-    expect(
-      reconnectDelayMs(Number.NaN, {
-        baseMs: Number.NaN,
-        maxMs: Number.NaN,
-        jitterMs: Number.NaN,
-        random: () => 0,
-      }),
-    ).toBe(1000);
-  });
-
-  it("marks missing token errors as non-retryable", () => {
-    expect(
-      isRetryableReconnectError(
-        new Error("Missing gatewayToken in extension settings (chrome.storage.local.gatewayToken)"),
-      ),
-    ).toBe(false);
-  });
-
-  it("keeps transient network errors retryable", () => {
-    expect(isRetryableReconnectError(new Error("WebSocket connect timeout"))).toBe(true);
-    expect(isRetryableReconnectError(new Error("Relay server not reachable"))).toBe(true);
-  });
-
-  it("recognizes missing-tab debugger errors", () => {
-    expect(isMissingTabError(new Error("No tab with given id"))).toBe(true);
-    expect(isMissingTabError(new Error("tab not found"))).toBe(true);
-    expect(isMissingTabError(new Error("Cannot access a chrome:// URL"))).toBe(false);
-  });
-
-  it("blocks closing the final remaining tab only", () => {
-    expect(isLastRemainingTab([{ id: 7 }], 7)).toBe(true);
-    expect(isLastRemainingTab([{ id: 7 }, { id: 8 }], 7)).toBe(false);
-    expect(isLastRemainingTab([{ id: 7 }, { id: 8 }], 8)).toBe(false);
-  });
-});
diff --git a/src/browser/chrome-extension-manifest.test.ts b/src/browser/chrome-extension-manifest.test.ts
deleted file mode 100644
index 4d4a0321724..00000000000
--- a/src/browser/chrome-extension-manifest.test.ts
+++ /dev/null
@@ -1,29 +0,0 @@
-import { readFileSync } from "node:fs";
-import { resolve } from "node:path";
-import { describe, expect, it } from "vitest";
-
-type ExtensionManifest = {
-  background?: { service_worker?: string; type?: string };
-  permissions?: string[];
-};
-
-function readManifest(): ExtensionManifest {
-  const path = resolve(process.cwd(), "assets/chrome-extension/manifest.json");
-  return JSON.parse(readFileSync(path, "utf8")) as ExtensionManifest;
-}
-
-describe("chrome extension manifest", () => {
-  it("keeps background worker configured as module", () => {
-    const manifest = readManifest();
-    expect(manifest.background?.service_worker).toBe("background.js");
-    expect(manifest.background?.type).toBe("module");
-  });
-
-  it("includes resilience permissions", () => {
-    const permissions = readManifest().permissions ?? [];
-    expect(permissions).toContain("alarms");
-    expect(permissions).toContain("webNavigation");
-    expect(permissions).toContain("storage");
-    expect(permissions).toContain("debugger");
-  });
-});
diff --git a/src/browser/chrome-extension-options-validation.test.ts b/src/browser/chrome-extension-options-validation.test.ts
deleted file mode 100644
index 23aa6d1ce06..00000000000
--- a/src/browser/chrome-extension-options-validation.test.ts
+++ /dev/null
@@ -1,113 +0,0 @@
-import { createRequire } from "node:module";
-import { describe, expect, it } from "vitest";
-
-type RelayCheckResponse = {
-  status?: number;
-  ok?: boolean;
-  error?: string;
-  contentType?: string;
-  json?: unknown;
-};
-
-type RelayCheckStatus =
-  | { action: "throw"; error: string }
-  | { action: "status"; kind: "ok" | "error"; message: string };
-
-type RelayCheckExceptionStatus = { kind: "error"; message: string };
-
-type OptionsValidationModule = {
-  classifyRelayCheckResponse: (
-    res: RelayCheckResponse | null | undefined,
-    port: number,
-  ) => RelayCheckStatus;
-  classifyRelayCheckException: (err: unknown, port: number) => RelayCheckExceptionStatus;
-};
-
-const require = createRequire(import.meta.url);
-const OPTIONS_VALIDATION_MODULE = "../../assets/chrome-extension/options-validation.js";
-
-async function loadOptionsValidation(): Promise<OptionsValidationModule> {
-  try {
-    return require(OPTIONS_VALIDATION_MODULE) as OptionsValidationModule;
-  } catch (error) {
-    const message = error instanceof Error ? error.message : String(error);
-    if (!message.includes("Unexpected token 'export'")) {
-      throw error;
-    }
-    return (await import(OPTIONS_VALIDATION_MODULE)) as OptionsValidationModule;
-  }
-}
-
-const { classifyRelayCheckException, classifyRelayCheckResponse } = await loadOptionsValidation();
-
-describe("chrome extension options validation", () => {
-  it("maps 401 response to token rejected error", () => {
-    const result = classifyRelayCheckResponse({ status: 401, ok: false }, 18792);
-    expect(result).toEqual({
-      action: "status",
-      kind: "error",
-      message: "Gateway token rejected. Check token and save again.",
-    });
-  });
-
-  it("maps non-json 200 response to wrong-port error", () => {
-    const result = classifyRelayCheckResponse(
-      { status: 200, ok: true, contentType: "text/html; charset=utf-8", json: null },
-      18792,
-    );
-    expect(result).toEqual({
-      action: "status",
-      kind: "error",
-      message:
-        "Wrong port: this is likely the gateway, not the relay. Use gateway port + 3 (for gateway 18789, relay is 18792).",
-    });
-  });
-
-  it("maps json response without CDP keys to wrong-port error", () => {
-    const result = classifyRelayCheckResponse(
-      { status: 200, ok: true, contentType: "application/json", json: { ok: true } },
-      18792,
-    );
-    expect(result).toEqual({
-      action: "status",
-      kind: "error",
-      message:
-        "Wrong port: expected relay /json/version response. Use gateway port + 3 (for gateway 18789, relay is 18792).",
-    });
-  });
-
-  it("maps valid relay json response to success", () => {
-    const result = classifyRelayCheckResponse(
-      {
-        status: 200,
-        ok: true,
-        contentType: "application/json",
-        json: { Browser: "Chrome/136", "Protocol-Version": "1.3" },
-      },
-      19004,
-    );
-    expect(result).toEqual({
-      action: "status",
-      kind: "ok",
-      message: "Relay reachable and authenticated at http://127.0.0.1:19004/",
-    });
-  });
-
-  it("maps syntax/json exceptions to wrong-endpoint error", () => {
-    const result = classifyRelayCheckException(new Error("SyntaxError: Unexpected token <"), 18792);
-    expect(result).toEqual({
-      kind: "error",
-      message:
-        "Wrong port: this is not a relay endpoint. Use gateway port + 3 (for gateway 18789, relay is 18792).",
-    });
-  });
-
-  it("maps generic exceptions to relay unreachable error", () => {
-    const result = classifyRelayCheckException(new Error("TypeError: Failed to fetch"), 18792);
-    expect(result).toEqual({
-      kind: "error",
-      message:
-        "Relay not reachable/authenticated at http://127.0.0.1:18792/. Start OpenClaw browser relay and verify token.",
-    });
-  });
-});
diff --git a/src/browser/chrome-mcp.ts b/src/browser/chrome-mcp.ts
index c649fe53633..a673feb2c27 100644
--- a/src/browser/chrome-mcp.ts
+++ b/src/browser/chrome-mcp.ts
@@ -193,7 +193,7 @@ async function createRealSession(profileName: string): Promise<ChromeMcpSession>
       await client.close().catch(() => {});
       throw new BrowserProfileUnavailableError(
         `Chrome MCP existing-session attach failed for profile "${profileName}". ` +
-          `Make sure Chrome (v146+) is running. ` +
+          `Make sure Chrome (v144+) is running. ` +
           `Details: ${String(err)}`,
       );
     }
diff --git a/src/browser/chrome.executables.ts b/src/browser/chrome.executables.ts
index 729127c9df9..6ef7bc0b155 100644
--- a/src/browser/chrome.executables.ts
+++ b/src/browser/chrome.executables.ts
@@ -9,6 +9,8 @@ export type BrowserExecutable = {
   path: string;
 };
 
+const CHROME_VERSION_RE = /(\d+)(?:\.\d+){0,3}/;
+
 const CHROMIUM_BUNDLE_IDS = new Set([
   "com.google.Chrome",
   "com.google.Chrome.beta",
@@ -453,6 +455,22 @@ function findFirstExecutable(candidates: Array<BrowserExecutable>): BrowserExecu
   return null;
 }
 
+function findFirstChromeExecutable(candidates: string[]): BrowserExecutable | null {
+  for (const candidate of candidates) {
+    if (exists(candidate)) {
+      return {
+        kind:
+          candidate.toLowerCase().includes("sxs") || candidate.toLowerCase().includes("canary")
+            ? "canary"
+            : "chrome",
+        path: candidate,
+      };
+    }
+  }
+
+  return null;
+}
+
 export function findChromeExecutableMac(): BrowserExecutable | null {
   const candidates: Array<BrowserExecutable> = [
     {
@@ -506,6 +524,18 @@ export function findChromeExecutableMac(): BrowserExecutable | null {
   return findFirstExecutable(candidates);
 }
 
+export function findGoogleChromeExecutableMac(): BrowserExecutable | null {
+  return findFirstChromeExecutable([
+    "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
+    path.join(os.homedir(), "Applications/Google Chrome.app/Contents/MacOS/Google Chrome"),
+    "/Applications/Google Chrome Canary.app/Contents/MacOS/Google Chrome Canary",
+    path.join(
+      os.homedir(),
+      "Applications/Google Chrome Canary.app/Contents/MacOS/Google Chrome Canary",
+    ),
+  ]);
+}
+
 export function findChromeExecutableLinux(): BrowserExecutable | null {
   const candidates: Array<BrowserExecutable> = [
     { kind: "chrome", path: "/usr/bin/google-chrome" },
@@ -525,6 +555,16 @@ export function findChromeExecutableLinux(): BrowserExecutable | null {
   return findFirstExecutable(candidates);
 }
 
+export function findGoogleChromeExecutableLinux(): BrowserExecutable | null {
+  return findFirstChromeExecutable([
+    "/usr/bin/google-chrome",
+    "/usr/bin/google-chrome-stable",
+    "/usr/bin/google-chrome-beta",
+    "/usr/bin/google-chrome-unstable",
+    "/snap/bin/google-chrome",
+  ]);
+}
+
 export function findChromeExecutableWindows(): BrowserExecutable | null {
   const localAppData = process.env.LOCALAPPDATA ?? "";
   const programFiles = process.env.ProgramFiles ?? "C:\\Program Files";
@@ -596,6 +636,56 @@ export function findChromeExecutableWindows(): BrowserExecutable | null {
   return findFirstExecutable(candidates);
 }
 
+export function findGoogleChromeExecutableWindows(): BrowserExecutable | null {
+  const localAppData = process.env.LOCALAPPDATA ?? "";
+  const programFiles = process.env.ProgramFiles ?? "C:\\Program Files";
+  const programFilesX86 = process.env["ProgramFiles(x86)"] ?? "C:\\Program Files (x86)";
+  const joinWin = path.win32.join;
+  const candidates: string[] = [];
+
+  if (localAppData) {
+    candidates.push(joinWin(localAppData, "Google", "Chrome", "Application", "chrome.exe"));
+    candidates.push(joinWin(localAppData, "Google", "Chrome SxS", "Application", "chrome.exe"));
+  }
+
+  candidates.push(joinWin(programFiles, "Google", "Chrome", "Application", "chrome.exe"));
+  candidates.push(joinWin(programFilesX86, "Google", "Chrome", "Application", "chrome.exe"));
+
+  return findFirstChromeExecutable(candidates);
+}
+
+export function resolveGoogleChromeExecutableForPlatform(
+  platform: NodeJS.Platform,
+): BrowserExecutable | null {
+  if (platform === "darwin") {
+    return findGoogleChromeExecutableMac();
+  }
+  if (platform === "linux") {
+    return findGoogleChromeExecutableLinux();
+  }
+  if (platform === "win32") {
+    return findGoogleChromeExecutableWindows();
+  }
+  return null;
+}
+
+export function readBrowserVersion(executablePath: string): string | null {
+  const output = execText(executablePath, ["--version"], 2000);
+  if (!output) {
+    return null;
+  }
+  return output.replace(/\s+/g, " ").trim();
+}
+
+export function parseBrowserMajorVersion(rawVersion: string | null | undefined): number | null {
+  const match = String(rawVersion ?? "").match(CHROME_VERSION_RE);
+  if (!match?.[1]) {
+    return null;
+  }
+  const major = Number.parseInt(match[1], 10);
+  return Number.isFinite(major) ? major : null;
+}
+
 export function resolveBrowserExecutableForPlatform(
   resolved: ResolvedBrowserConfig,
   platform: NodeJS.Platform,
diff --git a/src/browser/client.ts b/src/browser/client.ts
index 8e30762bfb1..7791b4405be 100644
--- a/src/browser/client.ts
+++ b/src/browser/client.ts
@@ -5,7 +5,7 @@ export type BrowserTransport = "cdp" | "chrome-mcp";
 export type BrowserStatus = {
   enabled: boolean;
   profile?: string;
-  driver?: "openclaw" | "extension" | "existing-session";
+  driver?: "openclaw" | "existing-session";
   transport?: BrowserTransport;
   running: boolean;
   cdpReady?: boolean;
@@ -31,7 +31,7 @@ export type ProfileStatus = {
   cdpPort: number | null;
   cdpUrl: string | null;
   color: string;
-  driver: "openclaw" | "extension" | "existing-session";
+  driver: "openclaw" | "existing-session";
   running: boolean;
   tabCount: number;
   isDefault: boolean;
@@ -172,7 +172,7 @@ export async function browserCreateProfile(
     name: string;
     color?: string;
     cdpUrl?: string;
-    driver?: "openclaw" | "extension" | "existing-session";
+    driver?: "openclaw" | "existing-session";
   },
 ): Promise<BrowserCreateProfileResult> {
   return await fetchBrowserJson<BrowserCreateProfileResult>(
diff --git a/src/browser/config.test.ts b/src/browser/config.test.ts
index 947cf10c0fa..7f80c4389a1 100644
--- a/src/browser/config.test.ts
+++ b/src/browser/config.test.ts
@@ -188,13 +188,6 @@ describe("browser config", () => {
     expect(profile?.cdpIsLoopback).toBe(true);
   });
 
-  it("trims relayBindHost when configured", () => {
-    const resolved = resolveBrowserConfig({
-      relayBindHost: " 0.0.0.0 ",
-    });
-    expect(resolved.relayBindHost).toBe("0.0.0.0");
-  });
-
   it("rejects unsupported protocols", () => {
     expect(() => resolveBrowserConfig({ cdpUrl: "ftp://127.0.0.1:18791" })).toThrow(
       "must be http(s) or ws(s)",
@@ -289,7 +282,6 @@ describe("browser config", () => {
     const resolved = resolveBrowserConfig({
       profiles: {
         "chrome-live": { driver: "existing-session", attachOnly: true, color: "#00AA00" },
-        relay: { driver: "extension", cdpUrl: "http://127.0.0.1:18792", color: "#0066CC" },
         work: { cdpPort: 18801, color: "#0066CC" },
       },
     });
@@ -300,9 +292,6 @@ describe("browser config", () => {
     const managed = resolveProfile(resolved, "openclaw")!;
     expect(getBrowserProfileCapabilities(managed).usesChromeMcp).toBe(false);
 
-    const extension = resolveProfile(resolved, "relay")!;
-    expect(getBrowserProfileCapabilities(extension).usesChromeMcp).toBe(false);
-
     const work = resolveProfile(resolved, "work")!;
     expect(getBrowserProfileCapabilities(work).usesChromeMcp).toBe(false);
   });
diff --git a/src/browser/config.ts b/src/browser/config.ts
index e535b926a96..64fffce865c 100644
--- a/src/browser/config.ts
+++ b/src/browser/config.ts
@@ -36,7 +36,6 @@ export type ResolvedBrowserConfig = {
   profiles: Record<string, BrowserProfileConfig>;
   ssrfPolicy?: SsrFPolicy;
   extraArgs: string[];
-  relayBindHost?: string;
 };
 
 export type ResolvedBrowserProfile = {
@@ -46,7 +45,7 @@ export type ResolvedBrowserProfile = {
   cdpHost: string;
   cdpIsLoopback: boolean;
   color: string;
-  driver: "openclaw" | "extension" | "existing-session";
+  driver: "openclaw" | "existing-session";
   attachOnly: boolean;
 };
 
@@ -279,8 +278,6 @@ export function resolveBrowserConfig(
     ? cfg.extraArgs.filter((a): a is string => typeof a === "string" && a.trim().length > 0)
     : [];
   const ssrfPolicy = resolveBrowserSsrFPolicy(cfg);
-  const relayBindHost = cfg?.relayBindHost?.trim() || undefined;
-
   return {
     enabled,
     evaluateEnabled,
@@ -301,7 +298,6 @@ export function resolveBrowserConfig(
     profiles,
     ssrfPolicy,
     extraArgs,
-    relayBindHost,
   };
 }
 
@@ -322,12 +318,7 @@ export function resolveProfile(
   let cdpHost = resolved.cdpHost;
   let cdpPort = profile.cdpPort ?? 0;
   let cdpUrl = "";
-  const driver =
-    profile.driver === "extension"
-      ? "extension"
-      : profile.driver === "existing-session"
-        ? "existing-session"
-        : "openclaw";
+  const driver = profile.driver === "existing-session" ? "existing-session" : "openclaw";
 
   if (driver === "existing-session") {
     // existing-session uses Chrome MCP auto-connect; no CDP port/URL needed
diff --git a/src/browser/extension-relay-auth.secretref.test.ts b/src/browser/extension-relay-auth.secretref.test.ts
deleted file mode 100644
index 7976064f35e..00000000000
--- a/src/browser/extension-relay-auth.secretref.test.ts
+++ /dev/null
@@ -1,117 +0,0 @@
-import fs from "node:fs/promises";
-import os from "node:os";
-import path from "node:path";
-import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
-
-const loadConfigMock = vi.hoisted(() => vi.fn());
-
-vi.mock("../config/config.js", () => ({
-  loadConfig: loadConfigMock,
-}));
-
-const { resolveRelayAcceptedTokensForPort } = await import("./extension-relay-auth.js");
-
-describe("extension-relay-auth SecretRef handling", () => {
-  const ENV_KEYS = ["OPENCLAW_GATEWAY_TOKEN", "CLAWDBOT_GATEWAY_TOKEN", "CUSTOM_GATEWAY_TOKEN"];
-  const envSnapshot = new Map<string, string | undefined>();
-
-  beforeEach(() => {
-    for (const key of ENV_KEYS) {
-      envSnapshot.set(key, process.env[key]);
-      delete process.env[key];
-    }
-    loadConfigMock.mockReset();
-  });
-
-  afterEach(() => {
-    for (const key of ENV_KEYS) {
-      const previous = envSnapshot.get(key);
-      if (previous === undefined) {
-        delete process.env[key];
-      } else {
-        process.env[key] = previous;
-      }
-    }
-  });
-
-  it("resolves env-template gateway.auth.token from its referenced env var", async () => {
-    loadConfigMock.mockReturnValue({
-      gateway: { auth: { token: "${CUSTOM_GATEWAY_TOKEN}" } },
-      secrets: { providers: { default: { source: "env" } } },
-    });
-    process.env.CUSTOM_GATEWAY_TOKEN = "resolved-gateway-token";
-
-    const tokens = await resolveRelayAcceptedTokensForPort(18790);
-
-    expect(tokens).toContain("resolved-gateway-token");
-    expect(tokens[0]).not.toBe("resolved-gateway-token");
-  });
-
-  it("fails closed when env-template gateway.auth.token is unresolved", async () => {
-    loadConfigMock.mockReturnValue({
-      gateway: { auth: { token: "${CUSTOM_GATEWAY_TOKEN}" } },
-      secrets: { providers: { default: { source: "env" } } },
-    });
-
-    await expect(resolveRelayAcceptedTokensForPort(18790)).rejects.toThrow(
-      "gateway.auth.token SecretRef is unavailable",
-    );
-  });
-
-  it("resolves file-backed gateway.auth.token SecretRef", async () => {
-    const tempDir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-relay-file-secret-"));
-    const secretFile = path.join(tempDir, "relay-secrets.json");
-    await fs.writeFile(secretFile, JSON.stringify({ relayToken: "resolved-file-relay-token" }));
-    await fs.chmod(secretFile, 0o600);
-
-    loadConfigMock.mockReturnValue({
-      secrets: {
-        providers: {
-          fileProvider: { source: "file", path: secretFile, mode: "json" },
-        },
-      },
-      gateway: {
-        auth: {
-          token: { source: "file", provider: "fileProvider", id: "/relayToken" },
-        },
-      },
-    });
-
-    try {
-      const tokens = await resolveRelayAcceptedTokensForPort(18790);
-      expect(tokens.length).toBeGreaterThan(0);
-      expect(tokens).toContain("resolved-file-relay-token");
-    } finally {
-      await fs.rm(tempDir, { recursive: true, force: true });
-    }
-  });
-
-  it("resolves exec-backed gateway.auth.token SecretRef", async () => {
-    const execProgram = [
-      "process.stdout.write(",
-      "JSON.stringify({ protocolVersion: 1, values: { RELAY_TOKEN: 'resolved-exec-relay-token' } })",
-      ");",
-    ].join("");
-    loadConfigMock.mockReturnValue({
-      secrets: {
-        providers: {
-          execProvider: {
-            source: "exec",
-            command: process.execPath,
-            args: ["-e", execProgram],
-            allowInsecurePath: true,
-          },
-        },
-      },
-      gateway: {
-        auth: {
-          token: { source: "exec", provider: "execProvider", id: "RELAY_TOKEN" },
-        },
-      },
-    });
-
-    const tokens = await resolveRelayAcceptedTokensForPort(18790);
-    expect(tokens.length).toBeGreaterThan(0);
-    expect(tokens).toContain("resolved-exec-relay-token");
-  });
-});
diff --git a/src/browser/extension-relay-auth.test.ts b/src/browser/extension-relay-auth.test.ts
deleted file mode 100644
index c052e31a209..00000000000
--- a/src/browser/extension-relay-auth.test.ts
+++ /dev/null
@@ -1,131 +0,0 @@
-import { createServer, type IncomingMessage, type ServerResponse } from "node:http";
-import type { AddressInfo } from "node:net";
-import { afterEach, beforeEach, describe, expect, it } from "vitest";
-import {
-  probeAuthenticatedOpenClawRelay,
-  resolveRelayAcceptedTokensForPort,
-  resolveRelayAuthTokenForPort,
-} from "./extension-relay-auth.js";
-import { getFreePort } from "./test-port.js";
-
-async function withRelayServer(
-  handler: (req: IncomingMessage, res: ServerResponse) => void,
-  run: (params: { port: number }) => Promise<void>,
-) {
-  const port = await getFreePort();
-  const server = createServer(handler);
-  await new Promise<void>((resolve, reject) => {
-    server.listen(port, "127.0.0.1", () => resolve());
-    server.once("error", reject);
-  });
-  try {
-    const actualPort = (server.address() as AddressInfo).port;
-    await run({ port: actualPort });
-  } finally {
-    await new Promise<void>((resolve) => server.close(() => resolve()));
-  }
-}
-
-function handleNonVersionRequest(req: IncomingMessage, res: ServerResponse): boolean {
-  if (req.url?.startsWith("/json/version")) {
-    return false;
-  }
-  res.writeHead(404);
-  res.end("not found");
-  return true;
-}
-
-async function probeRelay(baseUrl: string, relayAuthToken: string): Promise<boolean> {
-  return await probeAuthenticatedOpenClawRelay({
-    baseUrl,
-    relayAuthHeader: "x-openclaw-relay-token",
-    relayAuthToken,
-  });
-}
-
-describe("extension-relay-auth", () => {
-  const TEST_GATEWAY_TOKEN = "test-gateway-token";
-  let prevGatewayToken: string | undefined;
-
-  beforeEach(() => {
-    prevGatewayToken = process.env.OPENCLAW_GATEWAY_TOKEN;
-    process.env.OPENCLAW_GATEWAY_TOKEN = TEST_GATEWAY_TOKEN;
-  });
-
-  afterEach(() => {
-    if (prevGatewayToken === undefined) {
-      delete process.env.OPENCLAW_GATEWAY_TOKEN;
-    } else {
-      process.env.OPENCLAW_GATEWAY_TOKEN = prevGatewayToken;
-    }
-  });
-
-  it("derives deterministic relay tokens per port", async () => {
-    const tokenA1 = await resolveRelayAuthTokenForPort(18790);
-    const tokenA2 = await resolveRelayAuthTokenForPort(18790);
-    const tokenB = await resolveRelayAuthTokenForPort(18791);
-    expect(tokenA1).toBe(tokenA2);
-    expect(tokenA1).not.toBe(tokenB);
-    expect(tokenA1).not.toBe(TEST_GATEWAY_TOKEN);
-  });
-
-  it("accepts both relay-scoped and raw gateway tokens for compatibility", async () => {
-    const tokens = await resolveRelayAcceptedTokensForPort(18790);
-    expect(tokens).toContain(TEST_GATEWAY_TOKEN);
-    expect(tokens[0]).not.toBe(TEST_GATEWAY_TOKEN);
-    expect(tokens[0]).toBe(await resolveRelayAuthTokenForPort(18790));
-  });
-
-  it("accepts authenticated openclaw relay probe responses", async () => {
-    let seenToken: string | undefined;
-    await withRelayServer(
-      (req, res) => {
-        if (handleNonVersionRequest(req, res)) {
-          return;
-        }
-        const header = req.headers["x-openclaw-relay-token"];
-        seenToken = Array.isArray(header) ? header[0] : header;
-        res.writeHead(200, { "Content-Type": "application/json" });
-        res.end(JSON.stringify({ Browser: "OpenClaw/extension-relay" }));
-      },
-      async ({ port }) => {
-        const token = await resolveRelayAuthTokenForPort(port);
-        const ok = await probeRelay(`http://127.0.0.1:${port}`, token);
-        expect(ok).toBe(true);
-        expect(seenToken).toBe(token);
-      },
-    );
-  });
-
-  it("rejects unauthenticated probe responses", async () => {
-    await withRelayServer(
-      (req, res) => {
-        if (handleNonVersionRequest(req, res)) {
-          return;
-        }
-        res.writeHead(401);
-        res.end("Unauthorized");
-      },
-      async ({ port }) => {
-        const ok = await probeRelay(`http://127.0.0.1:${port}`, "irrelevant");
-        expect(ok).toBe(false);
-      },
-    );
-  });
-
-  it("rejects probe responses with wrong browser identity", async () => {
-    await withRelayServer(
-      (req, res) => {
-        if (handleNonVersionRequest(req, res)) {
-          return;
-        }
-        res.writeHead(200, { "Content-Type": "application/json" });
-        res.end(JSON.stringify({ Browser: "FakeRelay" }));
-      },
-      async ({ port }) => {
-        const ok = await probeRelay(`http://127.0.0.1:${port}`, "irrelevant");
-        expect(ok).toBe(false);
-      },
-    );
-  });
-});
diff --git a/src/browser/extension-relay-auth.ts b/src/browser/extension-relay-auth.ts
deleted file mode 100644
index 7143a6c716e..00000000000
--- a/src/browser/extension-relay-auth.ts
+++ /dev/null
@@ -1,113 +0,0 @@
-import { createHmac } from "node:crypto";
-import { loadConfig } from "../config/config.js";
-import { normalizeSecretInputString, resolveSecretInputRef } from "../config/types.secrets.js";
-import { secretRefKey } from "../secrets/ref-contract.js";
-import { resolveSecretRefValues } from "../secrets/resolve.js";
-
-const RELAY_TOKEN_CONTEXT = "openclaw-extension-relay-v1";
-const DEFAULT_RELAY_PROBE_TIMEOUT_MS = 500;
-const OPENCLAW_RELAY_BROWSER = "OpenClaw/extension-relay";
-
-class SecretRefUnavailableError extends Error {
-  readonly isSecretRefUnavailable = true;
-}
-
-function trimToUndefined(value: unknown): string | undefined {
-  if (typeof value !== "string") {
-    return undefined;
-  }
-  const trimmed = value.trim();
-  return trimmed.length > 0 ? trimmed : undefined;
-}
-
-async function resolveGatewayAuthToken(): Promise<string | null> {
-  const envToken =
-    process.env.OPENCLAW_GATEWAY_TOKEN?.trim() || process.env.CLAWDBOT_GATEWAY_TOKEN?.trim();
-  if (envToken) {
-    return envToken;
-  }
-  try {
-    const cfg = loadConfig();
-    const tokenRef = resolveSecretInputRef({
-      value: cfg.gateway?.auth?.token,
-      defaults: cfg.secrets?.defaults,
-    }).ref;
-    if (tokenRef) {
-      const refLabel = `${tokenRef.source}:${tokenRef.provider}:${tokenRef.id}`;
-      try {
-        const resolved = await resolveSecretRefValues([tokenRef], {
-          config: cfg,
-          env: process.env,
-        });
-        const resolvedToken = trimToUndefined(resolved.get(secretRefKey(tokenRef)));
-        if (resolvedToken) {
-          return resolvedToken;
-        }
-      } catch {
-        // handled below
-      }
-      throw new SecretRefUnavailableError(
-        `extension relay requires a resolved gateway token, but gateway.auth.token SecretRef is unavailable (${refLabel}). Set OPENCLAW_GATEWAY_TOKEN or resolve your secret provider.`,
-      );
-    }
-    const configToken = normalizeSecretInputString(cfg.gateway?.auth?.token);
-    if (configToken) {
-      return configToken;
-    }
-  } catch (err) {
-    if (err instanceof SecretRefUnavailableError) {
-      throw err;
-    }
-    // ignore config read failures; caller can fallback to per-process random token
-  }
-  return null;
-}
-
-function deriveRelayAuthToken(gatewayToken: string, port: number): string {
-  return createHmac("sha256", gatewayToken).update(`${RELAY_TOKEN_CONTEXT}:${port}`).digest("hex");
-}
-
-export async function resolveRelayAcceptedTokensForPort(port: number): Promise<string[]> {
-  const gatewayToken = await resolveGatewayAuthToken();
-  if (!gatewayToken) {
-    throw new Error(
-      "extension relay requires gateway auth token (set gateway.auth.token or OPENCLAW_GATEWAY_TOKEN)",
-    );
-  }
-  const relayToken = deriveRelayAuthToken(gatewayToken, port);
-  if (relayToken === gatewayToken) {
-    return [relayToken];
-  }
-  return [relayToken, gatewayToken];
-}
-
-export async function resolveRelayAuthTokenForPort(port: number): Promise<string> {
-  return (await resolveRelayAcceptedTokensForPort(port))[0];
-}
-
-export async function probeAuthenticatedOpenClawRelay(params: {
-  baseUrl: string;
-  relayAuthHeader: string;
-  relayAuthToken: string;
-  timeoutMs?: number;
-}): Promise<boolean> {
-  const ctrl = new AbortController();
-  const timer = setTimeout(() => ctrl.abort(), params.timeoutMs ?? DEFAULT_RELAY_PROBE_TIMEOUT_MS);
-  try {
-    const versionUrl = new URL("/json/version", `${params.baseUrl}/`).toString();
-    const res = await fetch(versionUrl, {
-      signal: ctrl.signal,
-      headers: { [params.relayAuthHeader]: params.relayAuthToken },
-    });
-    if (!res.ok) {
-      return false;
-    }
-    const body = (await res.json()) as { Browser?: unknown };
-    const browserName = typeof body?.Browser === "string" ? body.Browser.trim() : "";
-    return browserName === OPENCLAW_RELAY_BROWSER;
-  } catch {
-    return false;
-  } finally {
-    clearTimeout(timer);
-  }
-}
diff --git a/src/browser/extension-relay.bind-host.test.ts b/src/browser/extension-relay.bind-host.test.ts
deleted file mode 100644
index a029a2f1a95..00000000000
--- a/src/browser/extension-relay.bind-host.test.ts
+++ /dev/null
@@ -1,49 +0,0 @@
-import { afterEach, beforeEach, describe, expect, it } from "vitest";
-import { captureEnv } from "../test-utils/env.js";
-import {
-  ensureChromeExtensionRelayServer,
-  stopChromeExtensionRelayServer,
-} from "./extension-relay.js";
-import { getFreePort } from "./test-port.js";
-
-describe("chrome extension relay bindHost coordination", () => {
-  let cdpUrl = "";
-  let envSnapshot: ReturnType<typeof captureEnv>;
-
-  beforeEach(() => {
-    envSnapshot = captureEnv(["OPENCLAW_GATEWAY_TOKEN"]);
-    process.env.OPENCLAW_GATEWAY_TOKEN = "test-gateway-token";
-  });
-
-  afterEach(async () => {
-    if (cdpUrl) {
-      await stopChromeExtensionRelayServer({ cdpUrl }).catch(() => {});
-      cdpUrl = "";
-    }
-    envSnapshot.restore();
-  });
-
-  it("rebinds the relay when concurrent callers request different bind hosts", async () => {
-    const port = await getFreePort();
-    cdpUrl = `http://127.0.0.1:${port}`;
-
-    const [first, second] = await Promise.all([
-      ensureChromeExtensionRelayServer({ cdpUrl }),
-      ensureChromeExtensionRelayServer({ cdpUrl, bindHost: "0.0.0.0" }),
-    ]);
-
-    const settled = await ensureChromeExtensionRelayServer({
-      cdpUrl,
-      bindHost: "0.0.0.0",
-    });
-
-    expect(first.port).toBe(port);
-    expect(second.port).toBe(port);
-    expect(second).not.toBe(first);
-    expect(second.bindHost).toBe("0.0.0.0");
-    expect(settled).toBe(second);
-
-    const res = await fetch(`http://127.0.0.1:${port}/`);
-    expect(res.status).toBe(200);
-  });
-});
diff --git a/src/browser/extension-relay.test.ts b/src/browser/extension-relay.test.ts
deleted file mode 100644
index f6e14ee8803..00000000000
--- a/src/browser/extension-relay.test.ts
+++ /dev/null
@@ -1,1224 +0,0 @@
-import { createServer } from "node:http";
-import { afterAll, afterEach, beforeEach, describe, expect, it } from "vitest";
-import WebSocket from "ws";
-import { captureEnv } from "../test-utils/env.js";
-import {
-  ensureChromeExtensionRelayServer,
-  getChromeExtensionRelayAuthHeaders,
-  stopChromeExtensionRelayServer,
-} from "./extension-relay.js";
-import { getFreePort } from "./test-port.js";
-
-const RELAY_MESSAGE_TIMEOUT_MS = 1_200;
-const RELAY_LIST_MATCH_TIMEOUT_MS = 1_000;
-const RELAY_TEST_TIMEOUT_MS = 10_000;
-
-function waitForOpen(ws: WebSocket) {
-  return new Promise<void>((resolve, reject) => {
-    ws.once("open", () => resolve());
-    ws.once("error", reject);
-  });
-}
-
-function waitForError(ws: WebSocket) {
-  return new Promise<Error>((resolve, reject) => {
-    ws.once("error", (err) => resolve(err instanceof Error ? err : new Error(String(err))));
-    ws.once("open", () => reject(new Error("expected websocket error")));
-  });
-}
-
-function waitForClose(ws: WebSocket, timeoutMs = RELAY_MESSAGE_TIMEOUT_MS) {
-  return new Promise<void>((resolve, reject) => {
-    const timer = setTimeout(() => {
-      reject(new Error("timeout"));
-    }, timeoutMs);
-    ws.once("close", () => {
-      clearTimeout(timer);
-      resolve();
-    });
-    ws.once("error", (err) => {
-      clearTimeout(timer);
-      reject(err instanceof Error ? err : new Error(String(err)));
-    });
-  });
-}
-
-function relayAuthHeaders(url: string) {
-  return getChromeExtensionRelayAuthHeaders(url);
-}
-
-function createMessageQueue(ws: WebSocket) {
-  const queue: string[] = [];
-  let waiter: ((value: string) => void) | null = null;
-  let waiterReject: ((err: Error) => void) | null = null;
-  let waiterTimer: NodeJS.Timeout | null = null;
-
-  const flushWaiter = (value: string) => {
-    if (!waiter) {
-      return false;
-    }
-    const resolve = waiter;
-    waiter = null;
-    const reject = waiterReject;
-    waiterReject = null;
-    if (waiterTimer) {
-      clearTimeout(waiterTimer);
-    }
-    waiterTimer = null;
-    if (reject) {
-      // no-op (kept for symmetry)
-    }
-    resolve(value);
-    return true;
-  };
-
-  ws.on("message", (data) => {
-    const text =
-      typeof data === "string"
-        ? data
-        : Buffer.isBuffer(data)
-          ? data.toString("utf8")
-          : Array.isArray(data)
-            ? Buffer.concat(data).toString("utf8")
-            : Buffer.from(data).toString("utf8");
-    if (flushWaiter(text)) {
-      return;
-    }
-    queue.push(text);
-  });
-
-  ws.on("error", (err) => {
-    if (!waiterReject) {
-      return;
-    }
-    const reject = waiterReject;
-    waiterReject = null;
-    waiter = null;
-    if (waiterTimer) {
-      clearTimeout(waiterTimer);
-    }
-    waiterTimer = null;
-    reject(err instanceof Error ? err : new Error(String(err)));
-  });
-
-  const next = (timeoutMs = RELAY_MESSAGE_TIMEOUT_MS) =>
-    new Promise<string>((resolve, reject) => {
-      const existing = queue.shift();
-      if (existing !== undefined) {
-        return resolve(existing);
-      }
-      waiter = resolve;
-      waiterReject = reject;
-      waiterTimer = setTimeout(() => {
-        waiter = null;
-        waiterReject = null;
-        waiterTimer = null;
-        reject(new Error("timeout"));
-      }, timeoutMs);
-    });
-
-  return { next };
-}
-
-async function waitForListMatch<T>(
-  fetchList: () => Promise<T>,
-  predicate: (value: T) => boolean,
-  timeoutMs = RELAY_LIST_MATCH_TIMEOUT_MS,
-  intervalMs = 20,
-): Promise<T> {
-  const deadline = Date.now() + timeoutMs;
-  let latest: T | null = null;
-  while (Date.now() <= deadline) {
-    latest = await fetchList();
-    if (predicate(latest)) {
-      return latest;
-    }
-    await new Promise((resolve) => setTimeout(resolve, intervalMs));
-  }
-  throw new Error("timeout waiting for list match");
-}
-
-describe("chrome extension relay server", () => {
-  const TEST_GATEWAY_TOKEN = "test-gateway-token";
-  let cdpUrl = "";
-  let sharedCdpUrl = "";
-  let envSnapshot: ReturnType<typeof captureEnv>;
-
-  beforeEach(() => {
-    envSnapshot = captureEnv([
-      "OPENCLAW_GATEWAY_TOKEN",
-      "OPENCLAW_EXTENSION_RELAY_RECONNECT_GRACE_MS",
-      "OPENCLAW_EXTENSION_RELAY_COMMAND_RECONNECT_WAIT_MS",
-    ]);
-    process.env.OPENCLAW_GATEWAY_TOKEN = TEST_GATEWAY_TOKEN;
-    delete process.env.OPENCLAW_EXTENSION_RELAY_RECONNECT_GRACE_MS;
-    delete process.env.OPENCLAW_EXTENSION_RELAY_COMMAND_RECONNECT_WAIT_MS;
-  });
-
-  afterEach(async () => {
-    if (cdpUrl) {
-      await stopChromeExtensionRelayServer({ cdpUrl }).catch(() => {});
-      cdpUrl = "";
-    }
-    envSnapshot.restore();
-  });
-
-  afterAll(async () => {
-    if (!sharedCdpUrl) {
-      return;
-    }
-    await stopChromeExtensionRelayServer({ cdpUrl: sharedCdpUrl }).catch(() => {});
-    sharedCdpUrl = "";
-  });
-
-  async function ensureSharedRelayServer() {
-    if (sharedCdpUrl) {
-      return sharedCdpUrl;
-    }
-    const port = await getFreePort();
-    sharedCdpUrl = `http://127.0.0.1:${port}`;
-    await ensureChromeExtensionRelayServer({ cdpUrl: sharedCdpUrl });
-    return sharedCdpUrl;
-  }
-
-  async function startRelayWithExtension() {
-    const port = await getFreePort();
-    cdpUrl = `http://127.0.0.1:${port}`;
-    await ensureChromeExtensionRelayServer({ cdpUrl });
-    const ext = new WebSocket(`ws://127.0.0.1:${port}/extension`, {
-      headers: relayAuthHeaders(`ws://127.0.0.1:${port}/extension`),
-    });
-    await waitForOpen(ext);
-    return { port, ext };
-  }
-
-  it("advertises CDP WS only when extension is connected", async () => {
-    const port = await getFreePort();
-    cdpUrl = `http://127.0.0.1:${port}`;
-    await ensureChromeExtensionRelayServer({ cdpUrl });
-
-    const v1 = (await fetch(`${cdpUrl}/json/version`, {
-      headers: relayAuthHeaders(cdpUrl),
-    }).then((r) => r.json())) as {
-      webSocketDebuggerUrl?: string;
-    };
-    expect(v1.webSocketDebuggerUrl).toBeUndefined();
-
-    const ext = new WebSocket(`ws://127.0.0.1:${port}/extension`, {
-      headers: relayAuthHeaders(`ws://127.0.0.1:${port}/extension`),
-    });
-    await waitForOpen(ext);
-
-    const v2 = (await fetch(`${cdpUrl}/json/version`, {
-      headers: relayAuthHeaders(cdpUrl),
-    }).then((r) => r.json())) as {
-      webSocketDebuggerUrl?: string;
-    };
-    expect(String(v2.webSocketDebuggerUrl ?? "")).toContain(`/cdp`);
-
-    ext.close();
-  });
-
-  it("uses relay-scoped token only for known relay ports", async () => {
-    const port = await getFreePort();
-    const unknown = getChromeExtensionRelayAuthHeaders(`http://127.0.0.1:${port}`);
-    expect(unknown).toEqual({});
-
-    const sharedUrl = await ensureSharedRelayServer();
-
-    const headers = getChromeExtensionRelayAuthHeaders(sharedUrl);
-    expect(Object.keys(headers)).toContain("x-openclaw-relay-token");
-    expect(headers["x-openclaw-relay-token"]).not.toBe(TEST_GATEWAY_TOKEN);
-  });
-
-  it("rejects CDP access without relay auth token", async () => {
-    const sharedUrl = await ensureSharedRelayServer();
-    const sharedPort = new URL(sharedUrl).port;
-
-    const res = await fetch(`${sharedUrl}/json/version`);
-    expect(res.status).toBe(401);
-
-    const cdp = new WebSocket(`ws://127.0.0.1:${sharedPort}/cdp`);
-    const err = await waitForError(cdp);
-    expect(err.message).toContain("401");
-  });
-
-  it("returns 400 for malformed percent-encoding in target action routes", async () => {
-    const sharedUrl = await ensureSharedRelayServer();
-
-    const res = await fetch(`${sharedUrl}/json/activate/%E0%A4%A`, {
-      headers: relayAuthHeaders(sharedUrl),
-    });
-    expect(res.status).toBe(400);
-    expect(await res.text()).toContain("invalid targetId encoding");
-  });
-
-  it("deduplicates concurrent relay starts for the same requested port", async () => {
-    const sharedUrl = await ensureSharedRelayServer();
-    const port = Number(new URL(sharedUrl).port);
-    const [first, second] = await Promise.all([
-      ensureChromeExtensionRelayServer({ cdpUrl: sharedUrl }),
-      ensureChromeExtensionRelayServer({ cdpUrl: sharedUrl }),
-    ]);
-    expect(first).toBe(second);
-    expect(first.port).toBe(port);
-  });
-
-  it("allows CORS preflight from chrome-extension origins", async () => {
-    const sharedUrl = await ensureSharedRelayServer();
-
-    const origin = "chrome-extension://abcdefghijklmnop";
-    const res = await fetch(`${sharedUrl}/json/version`, {
-      method: "OPTIONS",
-      headers: {
-        Origin: origin,
-        "Access-Control-Request-Method": "GET",
-        "Access-Control-Request-Headers": "x-openclaw-relay-token",
-      },
-    });
-
-    expect(res.status).toBe(204);
-    expect(res.headers.get("access-control-allow-origin")).toBe(origin);
-    expect(res.headers.get("access-control-allow-headers") ?? "").toContain(
-      "x-openclaw-relay-token",
-    );
-  });
-
-  it("rejects CORS preflight from non-extension origins", async () => {
-    const sharedUrl = await ensureSharedRelayServer();
-
-    const res = await fetch(`${sharedUrl}/json/version`, {
-      method: "OPTIONS",
-      headers: {
-        Origin: "https://example.com",
-        "Access-Control-Request-Method": "GET",
-      },
-    });
-
-    expect(res.status).toBe(403);
-  });
-
-  it("returns CORS headers on JSON responses for extension origins", async () => {
-    const sharedUrl = await ensureSharedRelayServer();
-
-    const origin = "chrome-extension://abcdefghijklmnop";
-    const res = await fetch(`${sharedUrl}/json/version`, {
-      headers: {
-        Origin: origin,
-        ...relayAuthHeaders(sharedUrl),
-      },
-    });
-
-    expect(res.status).toBe(200);
-    expect(res.headers.get("access-control-allow-origin")).toBe(origin);
-  });
-
-  it("rejects extension websocket access without relay auth token", async () => {
-    const sharedUrl = await ensureSharedRelayServer();
-    const sharedPort = new URL(sharedUrl).port;
-
-    const ext = new WebSocket(`ws://127.0.0.1:${sharedPort}/extension`);
-    const err = await waitForError(ext);
-    expect(err.message).toContain("401");
-  });
-
-  it("rejects a second live extension connection with 409", async () => {
-    const port = await getFreePort();
-    cdpUrl = `http://127.0.0.1:${port}`;
-    await ensureChromeExtensionRelayServer({ cdpUrl });
-
-    const ext1 = new WebSocket(`ws://127.0.0.1:${port}/extension`, {
-      headers: relayAuthHeaders(`ws://127.0.0.1:${port}/extension`),
-    });
-    await waitForOpen(ext1);
-
-    const ext2 = new WebSocket(`ws://127.0.0.1:${port}/extension`, {
-      headers: relayAuthHeaders(`ws://127.0.0.1:${port}/extension`),
-    });
-    const err = await waitForError(ext2);
-    expect(err.message).toContain("409");
-
-    ext1.close();
-  });
-
-  it("allows immediate reconnect when prior extension socket is closing", async () => {
-    const port = await getFreePort();
-    cdpUrl = `http://127.0.0.1:${port}`;
-    await ensureChromeExtensionRelayServer({ cdpUrl });
-
-    const ext1 = new WebSocket(`ws://127.0.0.1:${port}/extension`, {
-      headers: relayAuthHeaders(`ws://127.0.0.1:${port}/extension`),
-    });
-    await waitForOpen(ext1);
-    const ext1Closed = new Promise<void>((resolve) => ext1.once("close", () => resolve()));
-
-    ext1.close();
-    const ext2 = new WebSocket(`ws://127.0.0.1:${port}/extension`, {
-      headers: relayAuthHeaders(`ws://127.0.0.1:${port}/extension`),
-    });
-    await waitForOpen(ext2);
-    await ext1Closed;
-
-    const status = (await fetch(`${cdpUrl}/extension/status`).then((r) => r.json())) as {
-      connected?: boolean;
-    };
-    expect(status.connected).toBe(true);
-
-    ext2.close();
-  });
-
-  it("keeps CDP clients alive across a brief extension reconnect", async () => {
-    const { port, ext: ext1 } = await startRelayWithExtension();
-    const cdp = new WebSocket(`ws://127.0.0.1:${port}/cdp`, {
-      headers: relayAuthHeaders(`ws://127.0.0.1:${port}/cdp`),
-    });
-    await waitForOpen(cdp);
-
-    let cdpClosed = false;
-    cdp.once("close", () => {
-      cdpClosed = true;
-    });
-
-    const ext1Closed = waitForClose(ext1, 2_000);
-    ext1.close();
-    await ext1Closed;
-    const ext2 = new WebSocket(`ws://127.0.0.1:${port}/extension`, {
-      headers: relayAuthHeaders(`ws://127.0.0.1:${port}/extension`),
-    });
-    await waitForOpen(ext2);
-    expect(cdpClosed).toBe(false);
-
-    cdp.close();
-    ext2.close();
-  });
-
-  it("keeps /json/version websocket endpoint during short extension disconnects", async () => {
-    const { port, ext } = await startRelayWithExtension();
-    ext.send(
-      JSON.stringify({
-        method: "forwardCDPEvent",
-        params: {
-          method: "Target.attachedToTarget",
-          params: {
-            sessionId: "cb-tab-disconnect",
-            targetInfo: {
-              targetId: "t-disconnect",
-              type: "page",
-              title: "Disconnect test",
-              url: "https://example.com",
-            },
-            waitingForDebugger: false,
-          },
-        },
-      }),
-    );
-
-    await waitForListMatch(
-      async () =>
-        (await fetch(`${cdpUrl}/json/list`, {
-          headers: relayAuthHeaders(cdpUrl),
-        }).then((r) => r.json())) as Array<{ id?: string }>,
-      (list) => list.some((entry) => entry.id === "t-disconnect"),
-    );
-
-    const extClosed = waitForClose(ext, 2_000);
-    ext.close();
-    await extClosed;
-
-    const version = (await fetch(`${cdpUrl}/json/version`, {
-      headers: relayAuthHeaders(cdpUrl),
-    }).then((r) => r.json())) as {
-      webSocketDebuggerUrl?: string;
-    };
-    expect(String(version.webSocketDebuggerUrl ?? "")).toContain("/cdp");
-
-    const cdp = new WebSocket(`ws://127.0.0.1:${port}/cdp`, {
-      headers: relayAuthHeaders(`ws://127.0.0.1:${port}/cdp`),
-    });
-    await waitForOpen(cdp);
-    cdp.close();
-  });
-
-  it("accepts re-announce attach events with minimal targetInfo", async () => {
-    const { ext } = await startRelayWithExtension();
-    ext.send(
-      JSON.stringify({
-        method: "forwardCDPEvent",
-        params: {
-          method: "Target.attachedToTarget",
-          params: {
-            sessionId: "cb-tab-minimal",
-            targetInfo: {
-              targetId: "t-minimal",
-            },
-            waitingForDebugger: false,
-          },
-        },
-      }),
-    );
-
-    await waitForListMatch(
-      async () =>
-        (await fetch(`${cdpUrl}/json/list`, {
-          headers: relayAuthHeaders(cdpUrl),
-        }).then((r) => r.json())) as Array<{ id?: string }>,
-      (entries) => entries.some((entry) => entry.id === "t-minimal"),
-    );
-  });
-
-  it("waits briefly for extension reconnect before failing CDP commands", async () => {
-    const { port, ext: ext1 } = await startRelayWithExtension();
-    const cdp = new WebSocket(`ws://127.0.0.1:${port}/cdp`, {
-      headers: relayAuthHeaders(`ws://127.0.0.1:${port}/cdp`),
-    });
-    await waitForOpen(cdp);
-    const cdpQueue = createMessageQueue(cdp);
-
-    const ext1Closed = waitForClose(ext1, 2_000);
-    ext1.close();
-    await ext1Closed;
-
-    cdp.send(JSON.stringify({ id: 41, method: "Runtime.enable" }));
-    await new Promise((r) => setTimeout(r, 30));
-
-    const ext2 = new WebSocket(`ws://127.0.0.1:${port}/extension`, {
-      headers: relayAuthHeaders(`ws://127.0.0.1:${port}/extension`),
-    });
-    const ext2Queue = createMessageQueue(ext2);
-    await waitForOpen(ext2);
-
-    while (true) {
-      const msg = JSON.parse(await ext2Queue.next(4_000)) as {
-        id?: number;
-        method?: string;
-      };
-      if (msg.method === "ping") {
-        ext2.send(JSON.stringify({ method: "pong" }));
-        continue;
-      }
-      if (msg.method === "forwardCDPCommand" && typeof msg.id === "number") {
-        ext2.send(JSON.stringify({ id: msg.id, result: { ok: true } }));
-        break;
-      }
-    }
-
-    const response = JSON.parse(await cdpQueue.next(6_000)) as {
-      id?: number;
-      result?: { ok?: boolean };
-      error?: { message?: string };
-    };
-    expect(response.id).toBe(41);
-    expect(response.error).toBeUndefined();
-    expect(response.result?.ok).toBe(true);
-
-    cdp.close();
-    ext2.close();
-  });
-
-  it("closes CDP clients after reconnect grace when extension stays disconnected", async () => {
-    process.env.OPENCLAW_EXTENSION_RELAY_RECONNECT_GRACE_MS = "150";
-
-    const { port, ext } = await startRelayWithExtension();
-    const cdp = new WebSocket(`ws://127.0.0.1:${port}/cdp`, {
-      headers: relayAuthHeaders(`ws://127.0.0.1:${port}/cdp`),
-    });
-    await waitForOpen(cdp);
-
-    ext.close();
-    await waitForClose(cdp, 2_000);
-  });
-
-  it("stops advertising websocket endpoint after reconnect grace expires", async () => {
-    process.env.OPENCLAW_EXTENSION_RELAY_RECONNECT_GRACE_MS = "120";
-
-    const { ext } = await startRelayWithExtension();
-    ext.send(
-      JSON.stringify({
-        method: "forwardCDPEvent",
-        params: {
-          method: "Target.attachedToTarget",
-          params: {
-            sessionId: "cb-tab-grace-expire",
-            targetInfo: {
-              targetId: "t-grace-expire",
-              type: "page",
-              title: "Grace expire",
-              url: "https://example.com",
-            },
-            waitingForDebugger: false,
-          },
-        },
-      }),
-    );
-
-    await waitForListMatch(
-      async () =>
-        (await fetch(`${cdpUrl}/json/list`, {
-          headers: relayAuthHeaders(cdpUrl),
-        }).then((r) => r.json())) as Array<{ id?: string }>,
-      (list) => list.some((entry) => entry.id === "t-grace-expire"),
-    );
-
-    ext.close();
-    await expect
-      .poll(
-        async () => {
-          const version = (await fetch(`${cdpUrl}/json/version`, {
-            headers: relayAuthHeaders(cdpUrl),
-          }).then((r) => r.json())) as { webSocketDebuggerUrl?: string };
-          return version.webSocketDebuggerUrl === undefined;
-        },
-        { timeout: 800, interval: 20 },
-      )
-      .toBe(true);
-  });
-
-  it("accepts extension websocket access with relay token query param", async () => {
-    const sharedUrl = await ensureSharedRelayServer();
-    const sharedPort = new URL(sharedUrl).port;
-
-    const token = relayAuthHeaders(`ws://127.0.0.1:${sharedPort}/extension`)[
-      "x-openclaw-relay-token"
-    ];
-    expect(token).toBeTruthy();
-    const ext = new WebSocket(
-      `ws://127.0.0.1:${sharedPort}/extension?token=${encodeURIComponent(String(token))}`,
-    );
-    await waitForOpen(ext);
-    ext.close();
-  });
-
-  it("accepts /json endpoints with relay token query param", async () => {
-    const sharedUrl = await ensureSharedRelayServer();
-
-    const token = relayAuthHeaders(sharedUrl)["x-openclaw-relay-token"];
-    expect(token).toBeTruthy();
-    const versionRes = await fetch(
-      `${sharedUrl}/json/version?token=${encodeURIComponent(String(token))}`,
-    );
-    expect(versionRes.status).toBe(200);
-  });
-
-  it("accepts raw gateway token for relay auth compatibility", async () => {
-    const sharedUrl = await ensureSharedRelayServer();
-    const sharedPort = new URL(sharedUrl).port;
-
-    const versionRes = await fetch(`${sharedUrl}/json/version`, {
-      headers: { "x-openclaw-relay-token": TEST_GATEWAY_TOKEN },
-    });
-    expect(versionRes.status).toBe(200);
-
-    const ext = new WebSocket(
-      `ws://127.0.0.1:${sharedPort}/extension?token=${encodeURIComponent(TEST_GATEWAY_TOKEN)}`,
-    );
-    await waitForOpen(ext);
-    ext.close();
-  });
-
-  it(
-    "tracks attached page targets and exposes them via CDP + /json/list",
-    async () => {
-      const { port, ext } = await startRelayWithExtension();
-
-      // Simulate a tab attach coming from the extension.
-      ext.send(
-        JSON.stringify({
-          method: "forwardCDPEvent",
-          params: {
-            method: "Target.attachedToTarget",
-            params: {
-              sessionId: "cb-tab-1",
-              targetInfo: {
-                targetId: "t1",
-                type: "page",
-                title: "Example",
-                url: "https://example.com",
-              },
-              waitingForDebugger: false,
-            },
-          },
-        }),
-      );
-
-      const list = (await fetch(`${cdpUrl}/json/list`, {
-        headers: relayAuthHeaders(cdpUrl),
-      }).then((r) => r.json())) as Array<{
-        id?: string;
-        url?: string;
-        title?: string;
-      }>;
-      expect(list.some((t) => t.id === "t1" && t.url === "https://example.com")).toBe(true);
-
-      // Simulate navigation updating tab metadata.
-      ext.send(
-        JSON.stringify({
-          method: "forwardCDPEvent",
-          params: {
-            method: "Target.targetInfoChanged",
-            params: {
-              targetInfo: {
-                targetId: "t1",
-                type: "page",
-                title: "DER STANDARD",
-                url: "https://www.derstandard.at/",
-              },
-            },
-          },
-        }),
-      );
-
-      await waitForListMatch(
-        async () =>
-          (await fetch(`${cdpUrl}/json/list`, {
-            headers: relayAuthHeaders(cdpUrl),
-          }).then((r) => r.json())) as Array<{
-            id?: string;
-            url?: string;
-            title?: string;
-          }>,
-        (list) =>
-          list.some(
-            (t) =>
-              t.id === "t1" &&
-              t.url === "https://www.derstandard.at/" &&
-              t.title === "DER STANDARD",
-          ),
-      );
-
-      const cdp = new WebSocket(`ws://127.0.0.1:${port}/cdp`, {
-        headers: relayAuthHeaders(`ws://127.0.0.1:${port}/cdp`),
-      });
-      await waitForOpen(cdp);
-      const q = createMessageQueue(cdp);
-
-      cdp.send(JSON.stringify({ id: 1, method: "Target.getTargets" }));
-      const res1 = JSON.parse(await q.next()) as { id: number; result?: unknown };
-      expect(res1.id).toBe(1);
-      const targetInfos = (
-        res1.result as { targetInfos?: Array<{ targetId?: string }> } | undefined
-      )?.targetInfos;
-      expect((targetInfos ?? []).some((target) => target.targetId === "t1")).toBe(true);
-
-      cdp.send(
-        JSON.stringify({
-          id: 2,
-          method: "Target.attachToTarget",
-          params: { targetId: "t1" },
-        }),
-      );
-      const received: Array<{
-        id?: number;
-        method?: string;
-        result?: unknown;
-        params?: unknown;
-      }> = [];
-      received.push(JSON.parse(await q.next()) as never);
-      received.push(JSON.parse(await q.next()) as never);
-
-      const res2 = received.find((m) => m.id === 2);
-      expect(res2?.id).toBe(2);
-      expect((res2?.result as { sessionId?: string } | undefined)?.sessionId).toBe("cb-tab-1");
-
-      const evt = received.find((m) => m.method === "Target.attachedToTarget");
-      expect(evt?.method).toBe("Target.attachedToTarget");
-      expect(
-        (evt?.params as { targetInfo?: { targetId?: string } } | undefined)?.targetInfo?.targetId,
-      ).toBe("t1");
-
-      cdp.close();
-      ext.close();
-    },
-    RELAY_TEST_TIMEOUT_MS,
-  );
-
-  it("removes cached targets from /json/list when targetDestroyed arrives", async () => {
-    const { ext } = await startRelayWithExtension();
-
-    ext.send(
-      JSON.stringify({
-        method: "forwardCDPEvent",
-        params: {
-          method: "Target.attachedToTarget",
-          params: {
-            sessionId: "cb-tab-1",
-            targetInfo: {
-              targetId: "t1",
-              type: "page",
-              title: "Example",
-              url: "https://example.com",
-            },
-            waitingForDebugger: false,
-          },
-        },
-      }),
-    );
-
-    await waitForListMatch(
-      async () =>
-        (await fetch(`${cdpUrl}/json/list`, {
-          headers: relayAuthHeaders(cdpUrl),
-        }).then((r) => r.json())) as Array<{ id?: string }>,
-      (list) => list.some((target) => target.id === "t1"),
-    );
-
-    ext.send(
-      JSON.stringify({
-        method: "forwardCDPEvent",
-        params: {
-          method: "Target.targetDestroyed",
-          params: { targetId: "t1" },
-        },
-      }),
-    );
-
-    await waitForListMatch(
-      async () =>
-        (await fetch(`${cdpUrl}/json/list`, {
-          headers: relayAuthHeaders(cdpUrl),
-        }).then((r) => r.json())) as Array<{ id?: string }>,
-      (list) => list.every((target) => target.id !== "t1"),
-    );
-    ext.close();
-  });
-
-  it("prunes stale cached targets after target-not-found command errors", async () => {
-    const { port, ext } = await startRelayWithExtension();
-    const extQueue = createMessageQueue(ext);
-
-    ext.send(
-      JSON.stringify({
-        method: "forwardCDPEvent",
-        params: {
-          method: "Target.attachedToTarget",
-          params: {
-            sessionId: "cb-tab-1",
-            targetInfo: {
-              targetId: "t1",
-              type: "page",
-              title: "Example",
-              url: "https://example.com",
-            },
-            waitingForDebugger: false,
-          },
-        },
-      }),
-    );
-
-    await waitForListMatch(
-      async () =>
-        (await fetch(`${cdpUrl}/json/list`, {
-          headers: relayAuthHeaders(cdpUrl),
-        }).then((r) => r.json())) as Array<{ id?: string }>,
-      (list) => list.some((target) => target.id === "t1"),
-    );
-
-    const cdp = new WebSocket(`ws://127.0.0.1:${port}/cdp`, {
-      headers: relayAuthHeaders(`ws://127.0.0.1:${port}/cdp`),
-    });
-    await waitForOpen(cdp);
-    const cdpQueue = createMessageQueue(cdp);
-
-    cdp.send(
-      JSON.stringify({
-        id: 77,
-        method: "Runtime.evaluate",
-        sessionId: "cb-tab-1",
-        params: { expression: "1+1" },
-      }),
-    );
-
-    let forwardedId: number | null = null;
-    for (let attempt = 0; attempt < 6; attempt++) {
-      const msg = JSON.parse(await extQueue.next()) as { method?: string; id?: number };
-      if (msg.method === "forwardCDPCommand" && typeof msg.id === "number") {
-        forwardedId = msg.id;
-        break;
-      }
-    }
-    expect(forwardedId).not.toBeNull();
-
-    ext.send(
-      JSON.stringify({
-        id: forwardedId,
-        error: "No target with given id",
-      }),
-    );
-
-    let response: { id?: number; error?: { message?: string } } | null = null;
-    for (let attempt = 0; attempt < 6; attempt++) {
-      const msg = JSON.parse(await cdpQueue.next()) as {
-        id?: number;
-        error?: { message?: string };
-      };
-      if (msg.id === 77) {
-        response = msg;
-        break;
-      }
-    }
-    expect(response?.id).toBe(77);
-    expect(response?.error?.message ?? "").toContain("No target with given id");
-
-    await waitForListMatch(
-      async () =>
-        (await fetch(`${cdpUrl}/json/list`, {
-          headers: relayAuthHeaders(cdpUrl),
-        }).then((r) => r.json())) as Array<{ id?: string }>,
-      (list) => list.every((target) => target.id !== "t1"),
-    );
-
-    cdp.close();
-    ext.close();
-  });
-
-  it("rebroadcasts attach when a session id is reused for a new target", async () => {
-    const { port, ext } = await startRelayWithExtension();
-
-    const cdp = new WebSocket(`ws://127.0.0.1:${port}/cdp`, {
-      headers: relayAuthHeaders(`ws://127.0.0.1:${port}/cdp`),
-    });
-    await waitForOpen(cdp);
-    const q = createMessageQueue(cdp);
-
-    ext.send(
-      JSON.stringify({
-        method: "forwardCDPEvent",
-        params: {
-          method: "Target.attachedToTarget",
-          params: {
-            sessionId: "shared-session",
-            targetInfo: {
-              targetId: "t1",
-              type: "page",
-              title: "First",
-              url: "https://example.com",
-            },
-            waitingForDebugger: false,
-          },
-        },
-      }),
-    );
-
-    const first = JSON.parse(await q.next()) as { method?: string; params?: unknown };
-    expect(first.method).toBe("Target.attachedToTarget");
-    expect(
-      (first.params as { targetInfo?: { targetId?: string } } | undefined)?.targetInfo?.targetId,
-    ).toBe("t1");
-
-    ext.send(
-      JSON.stringify({
-        method: "forwardCDPEvent",
-        params: {
-          method: "Target.attachedToTarget",
-          params: {
-            sessionId: "shared-session",
-            targetInfo: {
-              targetId: "t2",
-              type: "page",
-              title: "Second",
-              url: "https://example.org",
-            },
-            waitingForDebugger: false,
-          },
-        },
-      }),
-    );
-
-    const received: Array<{ method?: string; params?: unknown }> = [];
-    received.push(JSON.parse(await q.next()) as never);
-    received.push(JSON.parse(await q.next()) as never);
-
-    const detached = received.find((m) => m.method === "Target.detachedFromTarget");
-    const attached = received.find((m) => m.method === "Target.attachedToTarget");
-    expect((detached?.params as { targetId?: string } | undefined)?.targetId).toBe("t1");
-    expect(
-      (attached?.params as { targetInfo?: { targetId?: string } } | undefined)?.targetInfo
-        ?.targetId,
-    ).toBe("t2");
-
-    cdp.close();
-    ext.close();
-  });
-
-  it("reuses an already-bound relay port when another process owns it", async () => {
-    const port = await getFreePort();
-    let probeToken: string | undefined;
-    const fakeRelay = createServer((req, res) => {
-      if (req.url?.startsWith("/json/version")) {
-        const header = req.headers["x-openclaw-relay-token"];
-        probeToken = Array.isArray(header) ? header[0] : header;
-        if (!probeToken) {
-          res.writeHead(401);
-          res.end("Unauthorized");
-          return;
-        }
-        res.writeHead(200, { "Content-Type": "application/json" });
-        res.end(JSON.stringify({ Browser: "OpenClaw/extension-relay" }));
-        return;
-      }
-      if (req.url?.startsWith("/extension/status")) {
-        res.writeHead(200, { "Content-Type": "application/json" });
-        res.end(JSON.stringify({ connected: false }));
-        return;
-      }
-      res.writeHead(200, { "Content-Type": "text/plain; charset=utf-8" });
-      res.end("OK");
-    });
-    await new Promise<void>((resolve, reject) => {
-      fakeRelay.listen(port, "127.0.0.1", () => resolve());
-      fakeRelay.once("error", reject);
-    });
-
-    try {
-      cdpUrl = `http://127.0.0.1:${port}`;
-      const relay = await ensureChromeExtensionRelayServer({ cdpUrl });
-      expect(relay.port).toBe(port);
-      const status = (await fetch(`${cdpUrl}/extension/status`).then((r) => r.json())) as {
-        connected?: boolean;
-      };
-      expect(status.connected).toBe(false);
-      expect(probeToken).toBeTruthy();
-      expect(probeToken).not.toBe("test-gateway-token");
-    } finally {
-      await new Promise<void>((resolve) => fakeRelay.close(() => resolve()));
-    }
-  });
-
-  it(
-    "restores tabs after extension reconnects and re-announces",
-    async () => {
-      process.env.OPENCLAW_EXTENSION_RELAY_RECONNECT_GRACE_MS = "200";
-
-      const { port, ext: ext1 } = await startRelayWithExtension();
-
-      ext1.send(
-        JSON.stringify({
-          method: "forwardCDPEvent",
-          params: {
-            method: "Target.attachedToTarget",
-            params: {
-              sessionId: "cb-tab-10",
-              targetInfo: {
-                targetId: "t10",
-                type: "page",
-                title: "My Page",
-                url: "https://example.com",
-              },
-              waitingForDebugger: false,
-            },
-          },
-        }),
-      );
-
-      await waitForListMatch(
-        async () =>
-          (await fetch(`${cdpUrl}/json/list`, {
-            headers: relayAuthHeaders(cdpUrl),
-          }).then((r) => r.json())) as Array<{ id?: string }>,
-        (list) => list.some((t) => t.id === "t10"),
-      );
-
-      // Disconnect extension and wait for grace period cleanup.
-      const ext1Closed = waitForClose(ext1, 2_000);
-      ext1.close();
-      await ext1Closed;
-      await waitForListMatch(
-        async () =>
-          (await fetch(`${cdpUrl}/json/list`, {
-            headers: relayAuthHeaders(cdpUrl),
-          }).then((r) => r.json())) as Array<{ id?: string }>,
-        (list) => list.length === 0,
-      );
-
-      // Reconnect and re-announce the same tab (simulates reannounceAttachedTabs).
-      const ext2 = new WebSocket(`ws://127.0.0.1:${port}/extension`, {
-        headers: relayAuthHeaders(`ws://127.0.0.1:${port}/extension`),
-      });
-      await waitForOpen(ext2);
-
-      ext2.send(
-        JSON.stringify({
-          method: "forwardCDPEvent",
-          params: {
-            method: "Target.attachedToTarget",
-            params: {
-              sessionId: "cb-tab-10",
-              targetInfo: {
-                targetId: "t10",
-                type: "page",
-                title: "My Page",
-                url: "https://example.com",
-              },
-              waitingForDebugger: false,
-            },
-          },
-        }),
-      );
-
-      const list2 = await waitForListMatch(
-        async () =>
-          (await fetch(`${cdpUrl}/json/list`, {
-            headers: relayAuthHeaders(cdpUrl),
-          }).then((r) => r.json())) as Array<{ id?: string; title?: string }>,
-        (list) => list.some((t) => t.id === "t10"),
-      );
-      expect(list2.some((t) => t.id === "t10" && t.title === "My Page")).toBe(true);
-
-      ext2.close();
-    },
-    RELAY_TEST_TIMEOUT_MS,
-  );
-
-  it(
-    "preserves tab across a fast extension reconnect within grace period",
-    async () => {
-      process.env.OPENCLAW_EXTENSION_RELAY_RECONNECT_GRACE_MS = "2000";
-
-      const { port, ext: ext1 } = await startRelayWithExtension();
-
-      ext1.send(
-        JSON.stringify({
-          method: "forwardCDPEvent",
-          params: {
-            method: "Target.attachedToTarget",
-            params: {
-              sessionId: "cb-tab-20",
-              targetInfo: {
-                targetId: "t20",
-                type: "page",
-                title: "Persistent",
-                url: "https://example.org",
-              },
-              waitingForDebugger: false,
-            },
-          },
-        }),
-      );
-
-      await waitForListMatch(
-        async () =>
-          (await fetch(`${cdpUrl}/json/list`, {
-            headers: relayAuthHeaders(cdpUrl),
-          }).then((r) => r.json())) as Array<{ id?: string }>,
-        (list) => list.some((t) => t.id === "t20"),
-      );
-
-      // Disconnect briefly (within grace period).
-      const ext1Closed = waitForClose(ext1, 2_000);
-      ext1.close();
-      await ext1Closed;
-
-      // Tab should still be listed during grace period.
-      const listDuringGrace = (await fetch(`${cdpUrl}/json/list`, {
-        headers: relayAuthHeaders(cdpUrl),
-      }).then((r) => r.json())) as Array<{ id?: string }>;
-      expect(listDuringGrace.some((t) => t.id === "t20")).toBe(true);
-
-      // Reconnect within grace and re-announce with updated info.
-      const ext2 = new WebSocket(`ws://127.0.0.1:${port}/extension`, {
-        headers: relayAuthHeaders(`ws://127.0.0.1:${port}/extension`),
-      });
-      await waitForOpen(ext2);
-
-      ext2.send(
-        JSON.stringify({
-          method: "forwardCDPEvent",
-          params: {
-            method: "Target.attachedToTarget",
-            params: {
-              sessionId: "cb-tab-20",
-              targetInfo: {
-                targetId: "t20",
-                type: "page",
-                title: "Persistent Updated",
-                url: "https://example.org/new",
-              },
-              waitingForDebugger: false,
-            },
-          },
-        }),
-      );
-
-      const list2 = await waitForListMatch(
-        async () =>
-          (await fetch(`${cdpUrl}/json/list`, {
-            headers: relayAuthHeaders(cdpUrl),
-          }).then((r) => r.json())) as Array<{ id?: string; title?: string; url?: string }>,
-        (list) => list.some((t) => t.id === "t20" && t.title === "Persistent Updated"),
-      );
-      expect(list2.some((t) => t.id === "t20" && t.url === "https://example.org/new")).toBe(true);
-
-      ext2.close();
-    },
-    RELAY_TEST_TIMEOUT_MS,
-  );
-
-  it("does not swallow EADDRINUSE when occupied port is not an openclaw relay", async () => {
-    const port = await getFreePort();
-    const blocker = createServer((_, res) => {
-      res.writeHead(200, { "Content-Type": "text/plain; charset=utf-8" });
-      res.end("not-relay");
-    });
-    await new Promise<void>((resolve, reject) => {
-      blocker.listen(port, "127.0.0.1", () => resolve());
-      blocker.once("error", reject);
-    });
-    const blockedUrl = `http://127.0.0.1:${port}`;
-    await expect(ensureChromeExtensionRelayServer({ cdpUrl: blockedUrl })).rejects.toThrow(
-      /EADDRINUSE/i,
-    );
-    await new Promise<void>((resolve) => blocker.close(() => resolve()));
-  });
-
-  it(
-    "respects bindHost override to bind on a non-loopback address",
-    async () => {
-      const port = await getFreePort();
-      cdpUrl = `http://127.0.0.1:${port}`;
-      const relay = await ensureChromeExtensionRelayServer({
-        cdpUrl,
-        bindHost: "0.0.0.0",
-      });
-      expect(relay.port).toBe(port);
-      // Verify the server actually bound to 0.0.0.0, not the cdpUrl host.
-      expect(relay.bindHost).toBe("0.0.0.0");
-
-      const res = await fetch(`http://127.0.0.1:${port}/`);
-      expect(res.status).toBe(200);
-    },
-    RELAY_TEST_TIMEOUT_MS,
-  );
-
-  it(
-    "defaults bindHost to cdpUrl host when not specified",
-    async () => {
-      const port = await getFreePort();
-      cdpUrl = `http://127.0.0.1:${port}`;
-      const relay = await ensureChromeExtensionRelayServer({ cdpUrl });
-      expect(relay.host).toBe("127.0.0.1");
-      expect(relay.bindHost).toBe("127.0.0.1");
-
-      const res = await fetch(`http://127.0.0.1:${port}/`);
-      expect(res.status).toBe(200);
-    },
-    RELAY_TEST_TIMEOUT_MS,
-  );
-
-  it(
-    "restarts the relay when bindHost changes for the same port",
-    async () => {
-      const port = await getFreePort();
-      cdpUrl = `http://127.0.0.1:${port}`;
-
-      const initial = await ensureChromeExtensionRelayServer({ cdpUrl });
-      expect(initial.bindHost).toBe("127.0.0.1");
-
-      const rebound = await ensureChromeExtensionRelayServer({
-        cdpUrl,
-        bindHost: "0.0.0.0",
-      });
-      expect(rebound.bindHost).toBe("0.0.0.0");
-      expect(rebound.port).toBe(port);
-    },
-    RELAY_TEST_TIMEOUT_MS,
-  );
-});
diff --git a/src/browser/extension-relay.ts b/src/browser/extension-relay.ts
deleted file mode 100644
index 5a87670605e..00000000000
--- a/src/browser/extension-relay.ts
+++ /dev/null
@@ -1,1068 +0,0 @@
-import type { IncomingMessage } from "node:http";
-import { createServer } from "node:http";
-import type { AddressInfo } from "node:net";
-import type { Duplex } from "node:stream";
-import WebSocket, { WebSocketServer } from "ws";
-import { isLoopbackAddress, isLoopbackHost } from "../gateway/net.js";
-import { rawDataToString } from "../infra/ws.js";
-import {
-  probeAuthenticatedOpenClawRelay,
-  resolveRelayAcceptedTokensForPort,
-  resolveRelayAuthTokenForPort,
-} from "./extension-relay-auth.js";
-
-type CdpCommand = {
-  id: number;
-  method: string;
-  params?: unknown;
-  sessionId?: string;
-};
-
-type CdpResponse = {
-  id: number;
-  result?: unknown;
-  error?: { message: string };
-  sessionId?: string;
-};
-
-type CdpEvent = {
-  method: string;
-  params?: unknown;
-  sessionId?: string;
-};
-
-type ExtensionForwardCommandMessage = {
-  id: number;
-  method: "forwardCDPCommand";
-  params: { method: string; params?: unknown; sessionId?: string };
-};
-
-type ExtensionResponseMessage = {
-  id: number;
-  result?: unknown;
-  error?: string;
-};
-
-type ExtensionForwardEventMessage = {
-  method: "forwardCDPEvent";
-  params: { method: string; params?: unknown; sessionId?: string };
-};
-
-type ExtensionPingMessage = { method: "ping" };
-type ExtensionPongMessage = { method: "pong" };
-
-type ExtensionMessage =
-  | ExtensionResponseMessage
-  | ExtensionForwardEventMessage
-  | ExtensionPongMessage;
-
-type TargetInfo = {
-  targetId: string;
-  type?: string;
-  title?: string;
-  url?: string;
-  attached?: boolean;
-};
-
-type AttachedToTargetEvent = {
-  sessionId: string;
-  targetInfo: TargetInfo;
-  waitingForDebugger?: boolean;
-};
-
-type DetachedFromTargetEvent = {
-  sessionId: string;
-  targetId?: string;
-};
-
-type ConnectedTarget = {
-  sessionId: string;
-  targetId: string;
-  targetInfo: TargetInfo;
-};
-
-const RELAY_AUTH_HEADER = "x-openclaw-relay-token";
-const DEFAULT_EXTENSION_RECONNECT_GRACE_MS = 20_000;
-const DEFAULT_EXTENSION_COMMAND_RECONNECT_WAIT_MS = 3_000;
-
-function headerValue(value: string | string[] | undefined): string | undefined {
-  if (!value) {
-    return undefined;
-  }
-  if (Array.isArray(value)) {
-    return value[0];
-  }
-  return value;
-}
-
-function getHeader(req: IncomingMessage, name: string): string | undefined {
-  return headerValue(req.headers[name.toLowerCase()]);
-}
-
-function getRelayAuthTokenFromRequest(req: IncomingMessage, url?: URL): string | undefined {
-  const headerToken = getHeader(req, RELAY_AUTH_HEADER)?.trim();
-  if (headerToken) {
-    return headerToken;
-  }
-  const queryToken = url?.searchParams.get("token")?.trim();
-  if (queryToken) {
-    return queryToken;
-  }
-  return undefined;
-}
-
-export type ChromeExtensionRelayServer = {
-  host: string;
-  bindHost: string;
-  port: number;
-  baseUrl: string;
-  cdpWsUrl: string;
-  extensionConnected: () => boolean;
-  stop: () => Promise<void>;
-};
-
-type RelayRuntime = {
-  server: ChromeExtensionRelayServer;
-  relayAuthToken: string;
-};
-
-function parseUrlPort(parsed: URL): number | null {
-  const port =
-    parsed.port?.trim() !== "" ? Number(parsed.port) : parsed.protocol === "https:" ? 443 : 80;
-  if (!Number.isFinite(port) || port <= 0 || port > 65535) {
-    return null;
-  }
-  return port;
-}
-
-function parseBaseUrl(raw: string): {
-  host: string;
-  port: number;
-  baseUrl: string;
-} {
-  const parsed = new URL(raw.trim().replace(/\/$/, ""));
-  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
-    throw new Error(`extension relay cdpUrl must be http(s), got ${parsed.protocol}`);
-  }
-  const host = parsed.hostname;
-  const port = parseUrlPort(parsed);
-  if (!port) {
-    throw new Error(`extension relay cdpUrl has invalid port: ${parsed.port || "(empty)"}`);
-  }
-  return { host, port, baseUrl: parsed.toString().replace(/\/$/, "") };
-}
-
-function text(res: Duplex, status: number, bodyText: string) {
-  const body = Buffer.from(bodyText);
-  res.write(
-    `HTTP/1.1 ${status} ${status === 200 ? "OK" : "ERR"}\r\n` +
-      "Content-Type: text/plain; charset=utf-8\r\n" +
-      `Content-Length: ${body.length}\r\n` +
-      "Connection: close\r\n" +
-      "\r\n",
-  );
-  res.write(body);
-  res.end();
-}
-
-function rejectUpgrade(socket: Duplex, status: number, bodyText: string) {
-  text(socket, status, bodyText);
-  try {
-    socket.destroy();
-  } catch {
-    // ignore
-  }
-}
-
-function envMsOrDefault(name: string, fallback: number): number {
-  const raw = process.env[name];
-  if (!raw || raw.trim() === "") {
-    return fallback;
-  }
-  const parsed = Number.parseInt(raw, 10);
-  if (!Number.isFinite(parsed) || parsed <= 0) {
-    return fallback;
-  }
-  return parsed;
-}
-
-const relayRuntimeByPort = new Map<number, RelayRuntime>();
-const relayInitByPort = new Map<number, Promise<ChromeExtensionRelayServer>>();
-
-function isAddrInUseError(err: unknown): boolean {
-  return (
-    typeof err === "object" &&
-    err !== null &&
-    "code" in err &&
-    (err as { code?: unknown }).code === "EADDRINUSE"
-  );
-}
-
-function relayAuthTokenForUrl(url: string): string | null {
-  try {
-    const parsed = new URL(url);
-    if (!isLoopbackHost(parsed.hostname)) {
-      return null;
-    }
-    const port = parseUrlPort(parsed);
-    if (!port) {
-      return null;
-    }
-    return relayRuntimeByPort.get(port)?.relayAuthToken ?? null;
-  } catch {
-    return null;
-  }
-}
-
-export function getChromeExtensionRelayAuthHeaders(url: string): Record<string, string> {
-  const token = relayAuthTokenForUrl(url);
-  if (!token) {
-    return {};
-  }
-  return { [RELAY_AUTH_HEADER]: token };
-}
-
-export async function ensureChromeExtensionRelayServer(opts: {
-  cdpUrl: string;
-  bindHost?: string;
-}): Promise<ChromeExtensionRelayServer> {
-  const info = parseBaseUrl(opts.cdpUrl);
-  if (!isLoopbackHost(info.host)) {
-    throw new Error(`extension relay requires loopback cdpUrl host (got ${info.host})`);
-  }
-  const bindHost = opts.bindHost ?? info.host;
-
-  const existing = relayRuntimeByPort.get(info.port);
-  if (existing) {
-    if (existing.server.bindHost !== bindHost) {
-      await existing.server.stop();
-    } else {
-      return existing.server;
-    }
-  }
-
-  const inFlight = relayInitByPort.get(info.port);
-  if (inFlight) {
-    const server = await inFlight;
-    if (server.bindHost === bindHost) {
-      return server;
-    }
-    await server.stop();
-  }
-
-  const extensionReconnectGraceMs = envMsOrDefault(
-    "OPENCLAW_EXTENSION_RELAY_RECONNECT_GRACE_MS",
-    DEFAULT_EXTENSION_RECONNECT_GRACE_MS,
-  );
-  const extensionCommandReconnectWaitMs = envMsOrDefault(
-    "OPENCLAW_EXTENSION_RELAY_COMMAND_RECONNECT_WAIT_MS",
-    DEFAULT_EXTENSION_COMMAND_RECONNECT_WAIT_MS,
-  );
-
-  const initPromise = (async (): Promise<ChromeExtensionRelayServer> => {
-    const relayAuthToken = await resolveRelayAuthTokenForPort(info.port);
-    const relayAuthTokens = new Set(await resolveRelayAcceptedTokensForPort(info.port));
-
-    let extensionWs: WebSocket | null = null;
-    const cdpClients = new Set<WebSocket>();
-    const connectedTargets = new Map<string, ConnectedTarget>();
-    const extensionConnected = () => extensionWs?.readyState === WebSocket.OPEN;
-    const hasConnectedTargets = () => connectedTargets.size > 0;
-    let extensionDisconnectCleanupTimer: NodeJS.Timeout | null = null;
-    const extensionReconnectWaiters = new Set<(connected: boolean) => void>();
-
-    const flushExtensionReconnectWaiters = (connected: boolean) => {
-      if (extensionReconnectWaiters.size === 0) {
-        return;
-      }
-      const waiters = Array.from(extensionReconnectWaiters);
-      extensionReconnectWaiters.clear();
-      for (const waiter of waiters) {
-        waiter(connected);
-      }
-    };
-
-    const clearExtensionDisconnectCleanupTimer = () => {
-      if (!extensionDisconnectCleanupTimer) {
-        return;
-      }
-      clearTimeout(extensionDisconnectCleanupTimer);
-      extensionDisconnectCleanupTimer = null;
-    };
-
-    const closeCdpClientsAfterExtensionDisconnect = () => {
-      connectedTargets.clear();
-      for (const client of cdpClients) {
-        try {
-          client.close(1011, "extension disconnected");
-        } catch {
-          // ignore
-        }
-      }
-      cdpClients.clear();
-      flushExtensionReconnectWaiters(false);
-    };
-
-    const scheduleExtensionDisconnectCleanup = () => {
-      clearExtensionDisconnectCleanupTimer();
-      extensionDisconnectCleanupTimer = setTimeout(() => {
-        extensionDisconnectCleanupTimer = null;
-        if (extensionConnected()) {
-          return;
-        }
-        closeCdpClientsAfterExtensionDisconnect();
-      }, extensionReconnectGraceMs);
-    };
-
-    const waitForExtensionReconnect = async (timeoutMs: number): Promise<boolean> => {
-      if (extensionConnected()) {
-        return true;
-      }
-      return await new Promise<boolean>((resolve) => {
-        let settled = false;
-        const waiter = (connected: boolean) => {
-          if (settled) {
-            return;
-          }
-          settled = true;
-          clearTimeout(timer);
-          extensionReconnectWaiters.delete(waiter);
-          resolve(connected);
-        };
-        const timer = setTimeout(() => {
-          waiter(false);
-        }, timeoutMs);
-        extensionReconnectWaiters.add(waiter);
-      });
-    };
-
-    const pendingExtension = new Map<
-      number,
-      {
-        resolve: (v: unknown) => void;
-        reject: (e: Error) => void;
-        timer: NodeJS.Timeout;
-      }
-    >();
-    let nextExtensionId = 1;
-
-    const sendToExtension = async (payload: ExtensionForwardCommandMessage): Promise<unknown> => {
-      const ws = extensionWs;
-      if (!ws || ws.readyState !== WebSocket.OPEN) {
-        throw new Error("Chrome extension not connected");
-      }
-      ws.send(JSON.stringify(payload));
-      return await new Promise<unknown>((resolve, reject) => {
-        const timer = setTimeout(() => {
-          pendingExtension.delete(payload.id);
-          reject(new Error(`extension request timeout: ${payload.params.method}`));
-        }, 30_000);
-        pendingExtension.set(payload.id, { resolve, reject, timer });
-      });
-    };
-
-    const broadcastToCdpClients = (evt: CdpEvent) => {
-      const msg = JSON.stringify(evt);
-      for (const ws of cdpClients) {
-        if (ws.readyState !== WebSocket.OPEN) {
-          continue;
-        }
-        ws.send(msg);
-      }
-    };
-
-    const sendResponseToCdp = (ws: WebSocket, res: CdpResponse) => {
-      if (ws.readyState !== WebSocket.OPEN) {
-        return;
-      }
-      ws.send(JSON.stringify(res));
-    };
-
-    const dropConnectedTargetSession = (sessionId: string): ConnectedTarget | undefined => {
-      const existing = connectedTargets.get(sessionId);
-      if (!existing) {
-        return undefined;
-      }
-      connectedTargets.delete(sessionId);
-      return existing;
-    };
-
-    const dropConnectedTargetsByTargetId = (targetId: string): ConnectedTarget[] => {
-      const removed: ConnectedTarget[] = [];
-      for (const [sessionId, target] of connectedTargets) {
-        if (target.targetId !== targetId) {
-          continue;
-        }
-        connectedTargets.delete(sessionId);
-        removed.push(target);
-      }
-      return removed;
-    };
-
-    const broadcastDetachedTarget = (target: ConnectedTarget, targetId?: string) => {
-      broadcastToCdpClients({
-        method: "Target.detachedFromTarget",
-        params: {
-          sessionId: target.sessionId,
-          targetId: targetId ?? target.targetId,
-        },
-        sessionId: target.sessionId,
-      });
-    };
-
-    const isMissingTargetError = (err: unknown) => {
-      const message = (err instanceof Error ? err.message : String(err)).toLowerCase();
-      return (
-        message.includes("target not found") ||
-        message.includes("no target with given id") ||
-        message.includes("session not found") ||
-        message.includes("cannot find session")
-      );
-    };
-
-    const pruneStaleTargetsFromCommandFailure = (cmd: CdpCommand, err: unknown) => {
-      if (!isMissingTargetError(err)) {
-        return;
-      }
-      if (cmd.sessionId) {
-        const removed = dropConnectedTargetSession(cmd.sessionId);
-        if (removed) {
-          broadcastDetachedTarget(removed);
-          return;
-        }
-      }
-      const params = (cmd.params ?? {}) as { targetId?: unknown };
-      const targetId = typeof params.targetId === "string" ? params.targetId : undefined;
-      if (!targetId) {
-        return;
-      }
-      const removedTargets = dropConnectedTargetsByTargetId(targetId);
-      for (const removed of removedTargets) {
-        broadcastDetachedTarget(removed, targetId);
-      }
-    };
-
-    const ensureTargetEventsForClient = (ws: WebSocket, mode: "autoAttach" | "discover") => {
-      for (const target of connectedTargets.values()) {
-        if (mode === "autoAttach") {
-          ws.send(
-            JSON.stringify({
-              method: "Target.attachedToTarget",
-              params: {
-                sessionId: target.sessionId,
-                targetInfo: { ...target.targetInfo, attached: true },
-                waitingForDebugger: false,
-              },
-            } satisfies CdpEvent),
-          );
-        } else {
-          ws.send(
-            JSON.stringify({
-              method: "Target.targetCreated",
-              params: { targetInfo: { ...target.targetInfo, attached: true } },
-            } satisfies CdpEvent),
-          );
-        }
-      }
-    };
-
-    const routeCdpCommand = async (cmd: CdpCommand): Promise<unknown> => {
-      switch (cmd.method) {
-        case "Browser.getVersion":
-          return {
-            protocolVersion: "1.3",
-            product: "Chrome/OpenClaw-Extension-Relay",
-            revision: "0",
-            userAgent: "OpenClaw-Extension-Relay",
-            jsVersion: "V8",
-          };
-        case "Browser.setDownloadBehavior":
-          return {};
-        case "Target.setAutoAttach":
-        case "Target.setDiscoverTargets":
-          return {};
-        case "Target.getTargets":
-          return {
-            targetInfos: Array.from(connectedTargets.values()).map((t) => ({
-              ...t.targetInfo,
-              attached: true,
-            })),
-          };
-        case "Target.getTargetInfo": {
-          const params = (cmd.params ?? {}) as { targetId?: string };
-          const targetId = typeof params.targetId === "string" ? params.targetId : undefined;
-          if (targetId) {
-            for (const t of connectedTargets.values()) {
-              if (t.targetId === targetId) {
-                return { targetInfo: t.targetInfo };
-              }
-            }
-          }
-          if (cmd.sessionId && connectedTargets.has(cmd.sessionId)) {
-            const t = connectedTargets.get(cmd.sessionId);
-            if (t) {
-              return { targetInfo: t.targetInfo };
-            }
-          }
-          const first = Array.from(connectedTargets.values())[0];
-          return { targetInfo: first?.targetInfo };
-        }
-        case "Target.attachToTarget": {
-          const params = (cmd.params ?? {}) as { targetId?: string };
-          const targetId = typeof params.targetId === "string" ? params.targetId : undefined;
-          if (!targetId) {
-            throw new Error("targetId required");
-          }
-          for (const t of connectedTargets.values()) {
-            if (t.targetId === targetId) {
-              return { sessionId: t.sessionId };
-            }
-          }
-          throw new Error("target not found");
-        }
-        default: {
-          const id = nextExtensionId++;
-          return await sendToExtension({
-            id,
-            method: "forwardCDPCommand",
-            params: {
-              method: cmd.method,
-              sessionId: cmd.sessionId,
-              params: cmd.params,
-            },
-          });
-        }
-      }
-    };
-
-    const server = createServer((req, res) => {
-      const url = new URL(req.url ?? "/", info.baseUrl);
-      const path = url.pathname;
-      const origin = getHeader(req, "origin");
-      const isChromeExtensionOrigin =
-        typeof origin === "string" && origin.startsWith("chrome-extension://");
-
-      if (isChromeExtensionOrigin && origin) {
-        // Let extension pages call relay HTTP endpoints cross-origin.
-        res.setHeader("Access-Control-Allow-Origin", origin);
-        res.setHeader("Vary", "Origin");
-      }
-
-      // Handle CORS preflight requests from the browser extension.
-      if (req.method === "OPTIONS") {
-        if (origin && !isChromeExtensionOrigin) {
-          res.writeHead(403);
-          res.end("Forbidden");
-          return;
-        }
-        const requestedHeaders = (getHeader(req, "access-control-request-headers") ?? "")
-          .split(",")
-          .map((header) => header.trim().toLowerCase())
-          .filter((header) => header.length > 0);
-        const allowedHeaders = new Set(["content-type", RELAY_AUTH_HEADER, ...requestedHeaders]);
-        res.writeHead(204, {
-          "Access-Control-Allow-Origin": origin ?? "*",
-          "Access-Control-Allow-Methods": "GET, PUT, POST, OPTIONS",
-          "Access-Control-Allow-Headers": Array.from(allowedHeaders).join(", "),
-          "Access-Control-Max-Age": "86400",
-          Vary: "Origin, Access-Control-Request-Headers",
-        });
-        res.end();
-        return;
-      }
-
-      if (path.startsWith("/json")) {
-        const token = getRelayAuthTokenFromRequest(req, url);
-        if (!token || !relayAuthTokens.has(token)) {
-          res.writeHead(401);
-          res.end("Unauthorized");
-          return;
-        }
-      }
-
-      if (req.method === "HEAD" && path === "/") {
-        res.writeHead(200);
-        res.end();
-        return;
-      }
-
-      if (path === "/") {
-        res.writeHead(200, { "Content-Type": "text/plain; charset=utf-8" });
-        res.end("OK");
-        return;
-      }
-
-      if (path === "/extension/status") {
-        res.writeHead(200, { "Content-Type": "application/json" });
-        res.end(JSON.stringify({ connected: extensionConnected() }));
-        return;
-      }
-
-      const hostHeader = req.headers.host?.trim() || `${info.host}:${info.port}`;
-      const wsHost = `ws://${hostHeader}`;
-      const cdpWsUrl = `${wsHost}/cdp`;
-
-      if (
-        (path === "/json/version" || path === "/json/version/") &&
-        (req.method === "GET" || req.method === "PUT")
-      ) {
-        const payload: Record<string, unknown> = {
-          Browser: "OpenClaw/extension-relay",
-          "Protocol-Version": "1.3",
-        };
-        // Keep reporting CDP WS while attached targets are cached, so callers can
-        // reconnect through brief MV3 worker disconnects.
-        if (extensionConnected() || hasConnectedTargets()) {
-          payload.webSocketDebuggerUrl = cdpWsUrl;
-        }
-        res.writeHead(200, { "Content-Type": "application/json" });
-        res.end(JSON.stringify(payload));
-        return;
-      }
-
-      const listPaths = new Set(["/json", "/json/", "/json/list", "/json/list/"]);
-      if (listPaths.has(path) && (req.method === "GET" || req.method === "PUT")) {
-        const list = Array.from(connectedTargets.values()).map((t) => ({
-          id: t.targetId,
-          type: t.targetInfo.type ?? "page",
-          title: t.targetInfo.title ?? "",
-          description: t.targetInfo.title ?? "",
-          url: t.targetInfo.url ?? "",
-          webSocketDebuggerUrl: cdpWsUrl,
-          devtoolsFrontendUrl: `/devtools/inspector.html?ws=${cdpWsUrl.replace("ws://", "")}`,
-        }));
-        res.writeHead(200, { "Content-Type": "application/json" });
-        res.end(JSON.stringify(list));
-        return;
-      }
-
-      const handleTargetActionRoute = (
-        match: RegExpMatchArray | null,
-        cdpMethod: "Target.activateTarget" | "Target.closeTarget",
-      ): boolean => {
-        if (!match || (req.method !== "GET" && req.method !== "PUT")) {
-          return false;
-        }
-        let targetId = "";
-        try {
-          targetId = decodeURIComponent(match[1] ?? "").trim();
-        } catch {
-          res.writeHead(400);
-          res.end("invalid targetId encoding");
-          return true;
-        }
-        if (!targetId) {
-          res.writeHead(400);
-          res.end("targetId required");
-          return true;
-        }
-        void (async () => {
-          try {
-            await sendToExtension({
-              id: nextExtensionId++,
-              method: "forwardCDPCommand",
-              params: { method: cdpMethod, params: { targetId } },
-            });
-          } catch {
-            // ignore
-          }
-        })();
-        res.writeHead(200);
-        res.end("OK");
-        return true;
-      };
-
-      if (
-        handleTargetActionRoute(path.match(/^\/json\/activate\/(.+)$/), "Target.activateTarget")
-      ) {
-        return;
-      }
-      if (handleTargetActionRoute(path.match(/^\/json\/close\/(.+)$/), "Target.closeTarget")) {
-        return;
-      }
-
-      res.writeHead(404);
-      res.end("not found");
-    });
-
-    const wssExtension = new WebSocketServer({ noServer: true });
-    const wssCdp = new WebSocketServer({ noServer: true });
-
-    server.on("upgrade", (req, socket, head) => {
-      const url = new URL(req.url ?? "/", info.baseUrl);
-      const pathname = url.pathname;
-      const remote = req.socket.remoteAddress;
-
-      // When bindHost is explicitly non-loopback (e.g. 0.0.0.0 for WSL2),
-      // allow non-loopback connections; otherwise enforce loopback-only.
-      if (!isLoopbackAddress(remote) && isLoopbackHost(bindHost)) {
-        rejectUpgrade(socket, 403, "Forbidden");
-        return;
-      }
-
-      const origin = headerValue(req.headers.origin);
-      if (origin && !origin.startsWith("chrome-extension://")) {
-        rejectUpgrade(socket, 403, "Forbidden: invalid origin");
-        return;
-      }
-
-      if (pathname === "/extension") {
-        const token = getRelayAuthTokenFromRequest(req, url);
-        if (!token || !relayAuthTokens.has(token)) {
-          rejectUpgrade(socket, 401, "Unauthorized");
-          return;
-        }
-        // MV3 worker reconnect races can leave a stale non-OPEN socket reference.
-        if (extensionWs && extensionWs.readyState !== WebSocket.OPEN) {
-          try {
-            extensionWs.terminate();
-          } catch {
-            // ignore
-          }
-          extensionWs = null;
-        }
-        if (extensionConnected()) {
-          rejectUpgrade(socket, 409, "Extension already connected");
-          return;
-        }
-        wssExtension.handleUpgrade(req, socket, head, (ws) => {
-          wssExtension.emit("connection", ws, req);
-        });
-        return;
-      }
-
-      if (pathname === "/cdp") {
-        const token = getRelayAuthTokenFromRequest(req, url);
-        if (!token || !relayAuthTokens.has(token)) {
-          rejectUpgrade(socket, 401, "Unauthorized");
-          return;
-        }
-        // Allow CDP clients to connect even during brief extension worker drops.
-        // Individual commands already wait briefly for extension reconnect.
-        wssCdp.handleUpgrade(req, socket, head, (ws) => {
-          wssCdp.emit("connection", ws, req);
-        });
-        return;
-      }
-
-      rejectUpgrade(socket, 404, "Not Found");
-    });
-
-    wssExtension.on("connection", (ws) => {
-      extensionWs = ws;
-      clearExtensionDisconnectCleanupTimer();
-      flushExtensionReconnectWaiters(true);
-
-      const ping = setInterval(() => {
-        if (ws.readyState !== WebSocket.OPEN) {
-          return;
-        }
-        ws.send(JSON.stringify({ method: "ping" } satisfies ExtensionPingMessage));
-      }, 5000);
-
-      ws.on("message", (data) => {
-        if (extensionWs !== ws) {
-          return;
-        }
-        let parsed: ExtensionMessage | null = null;
-        try {
-          parsed = JSON.parse(rawDataToString(data)) as ExtensionMessage;
-        } catch {
-          return;
-        }
-
-        if (
-          parsed &&
-          typeof parsed === "object" &&
-          "id" in parsed &&
-          typeof parsed.id === "number"
-        ) {
-          const pending = pendingExtension.get(parsed.id);
-          if (!pending) {
-            return;
-          }
-          pendingExtension.delete(parsed.id);
-          clearTimeout(pending.timer);
-          if ("error" in parsed && typeof parsed.error === "string" && parsed.error.trim()) {
-            pending.reject(new Error(parsed.error));
-          } else {
-            pending.resolve(parsed.result);
-          }
-          return;
-        }
-
-        if (parsed && typeof parsed === "object" && "method" in parsed) {
-          if ((parsed as ExtensionPongMessage).method === "pong") {
-            return;
-          }
-          if ((parsed as ExtensionForwardEventMessage).method !== "forwardCDPEvent") {
-            return;
-          }
-          const evt = parsed as ExtensionForwardEventMessage;
-          const method = evt.params?.method;
-          const params = evt.params?.params;
-          const sessionId = evt.params?.sessionId;
-          if (!method || typeof method !== "string") {
-            return;
-          }
-
-          if (method === "Target.attachedToTarget") {
-            const attached = (params ?? {}) as AttachedToTargetEvent;
-            const targetType = attached?.targetInfo?.type ?? "page";
-            if (targetType !== "page") {
-              return;
-            }
-            if (attached?.sessionId && attached?.targetInfo?.targetId) {
-              const prev = connectedTargets.get(attached.sessionId);
-              const nextTargetId = attached.targetInfo.targetId;
-              const prevTargetId = prev?.targetId;
-              const changedTarget = Boolean(prev && prevTargetId && prevTargetId !== nextTargetId);
-              connectedTargets.set(attached.sessionId, {
-                sessionId: attached.sessionId,
-                targetId: nextTargetId,
-                targetInfo: attached.targetInfo,
-              });
-              if (changedTarget && prevTargetId) {
-                broadcastToCdpClients({
-                  method: "Target.detachedFromTarget",
-                  params: { sessionId: attached.sessionId, targetId: prevTargetId },
-                  sessionId: attached.sessionId,
-                });
-              }
-              if (!prev || changedTarget) {
-                broadcastToCdpClients({ method, params, sessionId });
-              }
-              return;
-            }
-          }
-
-          if (method === "Target.detachedFromTarget") {
-            const detached = (params ?? {}) as DetachedFromTargetEvent;
-            if (detached?.sessionId) {
-              dropConnectedTargetSession(detached.sessionId);
-            } else if (detached?.targetId) {
-              dropConnectedTargetsByTargetId(detached.targetId);
-            }
-            broadcastToCdpClients({ method, params, sessionId });
-            return;
-          }
-
-          if (method === "Target.targetDestroyed" || method === "Target.targetCrashed") {
-            const targetEvent = (params ?? {}) as { targetId?: string };
-            if (targetEvent.targetId) {
-              dropConnectedTargetsByTargetId(targetEvent.targetId);
-            }
-            broadcastToCdpClients({ method, params, sessionId });
-            return;
-          }
-
-          // Keep cached tab metadata fresh for /json/list.
-          // After navigation, Chrome updates URL/title via Target.targetInfoChanged.
-          if (method === "Target.targetInfoChanged") {
-            const changed = (params ?? {}) as { targetInfo?: { targetId?: string; type?: string } };
-            const targetInfo = changed?.targetInfo;
-            const targetId = targetInfo?.targetId;
-            if (targetId && (targetInfo?.type ?? "page") === "page") {
-              for (const [sid, target] of connectedTargets) {
-                if (target.targetId !== targetId) {
-                  continue;
-                }
-                connectedTargets.set(sid, {
-                  ...target,
-                  targetInfo: { ...target.targetInfo, ...(targetInfo as object) },
-                });
-              }
-            }
-          }
-
-          broadcastToCdpClients({ method, params, sessionId });
-        }
-      });
-
-      ws.on("close", () => {
-        clearInterval(ping);
-        if (extensionWs !== ws) {
-          return;
-        }
-        extensionWs = null;
-        for (const [, pending] of pendingExtension) {
-          clearTimeout(pending.timer);
-          pending.reject(new Error("extension disconnected"));
-        }
-        pendingExtension.clear();
-        scheduleExtensionDisconnectCleanup();
-      });
-    });
-
-    wssCdp.on("connection", (ws) => {
-      cdpClients.add(ws);
-
-      ws.on("message", async (data) => {
-        let cmd: CdpCommand | null = null;
-        try {
-          cmd = JSON.parse(rawDataToString(data)) as CdpCommand;
-        } catch {
-          return;
-        }
-        if (!cmd || typeof cmd !== "object") {
-          return;
-        }
-        if (typeof cmd.id !== "number" || typeof cmd.method !== "string") {
-          return;
-        }
-
-        if (!extensionConnected()) {
-          const reconnected = await waitForExtensionReconnect(extensionCommandReconnectWaitMs);
-          if (!reconnected || !extensionConnected()) {
-            sendResponseToCdp(ws, {
-              id: cmd.id,
-              sessionId: cmd.sessionId,
-              error: { message: "Extension not connected" },
-            });
-            return;
-          }
-        }
-
-        try {
-          const result = await routeCdpCommand(cmd);
-
-          if (cmd.method === "Target.setAutoAttach" && !cmd.sessionId) {
-            ensureTargetEventsForClient(ws, "autoAttach");
-          }
-          if (cmd.method === "Target.setDiscoverTargets") {
-            const discover = (cmd.params ?? {}) as { discover?: boolean };
-            if (discover.discover === true) {
-              ensureTargetEventsForClient(ws, "discover");
-            }
-          }
-          if (cmd.method === "Target.attachToTarget") {
-            const params = (cmd.params ?? {}) as { targetId?: string };
-            const targetId = typeof params.targetId === "string" ? params.targetId : undefined;
-            if (targetId) {
-              const target = Array.from(connectedTargets.values()).find(
-                (t) => t.targetId === targetId,
-              );
-              if (target) {
-                ws.send(
-                  JSON.stringify({
-                    method: "Target.attachedToTarget",
-                    params: {
-                      sessionId: target.sessionId,
-                      targetInfo: { ...target.targetInfo, attached: true },
-                      waitingForDebugger: false,
-                    },
-                  } satisfies CdpEvent),
-                );
-              }
-            }
-          }
-
-          sendResponseToCdp(ws, { id: cmd.id, sessionId: cmd.sessionId, result });
-        } catch (err) {
-          pruneStaleTargetsFromCommandFailure(cmd, err);
-          sendResponseToCdp(ws, {
-            id: cmd.id,
-            sessionId: cmd.sessionId,
-            error: { message: err instanceof Error ? err.message : String(err) },
-          });
-        }
-      });
-
-      ws.on("close", () => {
-        cdpClients.delete(ws);
-      });
-    });
-
-    try {
-      await new Promise<void>((resolve, reject) => {
-        server.listen(info.port, bindHost, () => resolve());
-        server.once("error", reject);
-      });
-    } catch (err) {
-      if (
-        isAddrInUseError(err) &&
-        (await probeAuthenticatedOpenClawRelay({
-          baseUrl: info.baseUrl,
-          relayAuthHeader: RELAY_AUTH_HEADER,
-          relayAuthToken,
-        }))
-      ) {
-        const existingRelay: ChromeExtensionRelayServer = {
-          host: info.host,
-          bindHost,
-          port: info.port,
-          baseUrl: info.baseUrl,
-          cdpWsUrl: `ws://${info.host}:${info.port}/cdp`,
-          extensionConnected: () => false,
-          stop: async () => {
-            relayRuntimeByPort.delete(info.port);
-          },
-        };
-        relayRuntimeByPort.set(info.port, { server: existingRelay, relayAuthToken });
-        return existingRelay;
-      }
-      throw err;
-    }
-
-    const addr = server.address() as AddressInfo | null;
-    const port = addr?.port ?? info.port;
-    const actualBindHost = addr?.address || bindHost;
-    const host = info.host;
-    const baseUrl = `${new URL(info.baseUrl).protocol}//${host}:${port}`;
-
-    const relay: ChromeExtensionRelayServer = {
-      host,
-      bindHost: actualBindHost,
-      port,
-      baseUrl,
-      cdpWsUrl: `ws://${host}:${port}/cdp`,
-      extensionConnected,
-      stop: async () => {
-        relayRuntimeByPort.delete(port);
-        clearExtensionDisconnectCleanupTimer();
-        flushExtensionReconnectWaiters(false);
-        for (const [, pending] of pendingExtension) {
-          clearTimeout(pending.timer);
-          pending.reject(new Error("server stopping"));
-        }
-        pendingExtension.clear();
-        try {
-          extensionWs?.close(1001, "server stopping");
-        } catch {
-          // ignore
-        }
-        for (const ws of cdpClients) {
-          try {
-            ws.close(1001, "server stopping");
-          } catch {
-            // ignore
-          }
-        }
-        await new Promise<void>((resolve) => {
-          server.close(() => resolve());
-        });
-        wssExtension.close();
-        wssCdp.close();
-      },
-    };
-
-    relayRuntimeByPort.set(port, { server: relay, relayAuthToken });
-    return relay;
-  })();
-  relayInitByPort.set(info.port, initPromise);
-  try {
-    return await initPromise;
-  } finally {
-    relayInitByPort.delete(info.port);
-  }
-}
-
-export async function stopChromeExtensionRelayServer(opts: { cdpUrl: string }): Promise<boolean> {
-  const info = parseBaseUrl(opts.cdpUrl);
-  const existing = relayRuntimeByPort.get(info.port);
-  if (!existing) {
-    return false;
-  }
-  await existing.server.stop();
-  return true;
-}
diff --git a/src/browser/profile-capabilities.ts b/src/browser/profile-capabilities.ts
index b736a77d943..994894239d1 100644
--- a/src/browser/profile-capabilities.ts
+++ b/src/browser/profile-capabilities.ts
@@ -1,18 +1,12 @@
 import type { ResolvedBrowserProfile } from "./config.js";
 
-export type BrowserProfileMode =
-  | "local-managed"
-  | "local-extension-relay"
-  | "local-existing-session"
-  | "remote-cdp";
+export type BrowserProfileMode = "local-managed" | "local-existing-session" | "remote-cdp";
 
 export type BrowserProfileCapabilities = {
   mode: BrowserProfileMode;
   isRemote: boolean;
   /** Profile uses the Chrome DevTools MCP server (existing-session driver). */
   usesChromeMcp: boolean;
-  requiresRelay: boolean;
-  requiresAttachedTab: boolean;
   usesPersistentPlaywright: boolean;
   supportsPerTabWs: boolean;
   supportsJsonTabEndpoints: boolean;
@@ -23,28 +17,11 @@ export type BrowserProfileCapabilities = {
 export function getBrowserProfileCapabilities(
   profile: ResolvedBrowserProfile,
 ): BrowserProfileCapabilities {
-  if (profile.driver === "extension") {
-    return {
-      mode: "local-extension-relay",
-      isRemote: false,
-      usesChromeMcp: false,
-      requiresRelay: true,
-      requiresAttachedTab: true,
-      usesPersistentPlaywright: false,
-      supportsPerTabWs: false,
-      supportsJsonTabEndpoints: true,
-      supportsReset: true,
-      supportsManagedTabLimit: false,
-    };
-  }
-
   if (profile.driver === "existing-session") {
     return {
       mode: "local-existing-session",
       isRemote: false,
       usesChromeMcp: true,
-      requiresRelay: false,
-      requiresAttachedTab: false,
       usesPersistentPlaywright: false,
       supportsPerTabWs: false,
       supportsJsonTabEndpoints: false,
@@ -58,8 +35,6 @@ export function getBrowserProfileCapabilities(
       mode: "remote-cdp",
       isRemote: true,
       usesChromeMcp: false,
-      requiresRelay: false,
-      requiresAttachedTab: false,
       usesPersistentPlaywright: true,
       supportsPerTabWs: false,
       supportsJsonTabEndpoints: false,
@@ -72,8 +47,6 @@ export function getBrowserProfileCapabilities(
     mode: "local-managed",
     isRemote: false,
     usesChromeMcp: false,
-    requiresRelay: false,
-    requiresAttachedTab: false,
     usesPersistentPlaywright: false,
     supportsPerTabWs: true,
     supportsJsonTabEndpoints: true,
@@ -96,9 +69,6 @@ export function resolveDefaultSnapshotFormat(params: {
   }
 
   const capabilities = getBrowserProfileCapabilities(params.profile);
-  if (capabilities.mode === "local-extension-relay") {
-    return "aria";
-  }
   if (capabilities.mode === "local-existing-session") {
     return "ai";
   }
@@ -112,16 +82,12 @@ export function shouldUsePlaywrightForScreenshot(params: {
   ref?: string;
   element?: string;
 }): boolean {
-  const capabilities = getBrowserProfileCapabilities(params.profile);
-  return (
-    capabilities.requiresRelay || !params.wsUrl || Boolean(params.ref) || Boolean(params.element)
-  );
+  return !params.wsUrl || Boolean(params.ref) || Boolean(params.element);
 }
 
 export function shouldUsePlaywrightForAriaSnapshot(params: {
   profile: ResolvedBrowserProfile;
   wsUrl?: string;
 }): boolean {
-  const capabilities = getBrowserProfileCapabilities(params.profile);
-  return capabilities.requiresRelay || !params.wsUrl;
+  return !params.wsUrl;
 }
diff --git a/src/browser/profiles-service.test.ts b/src/browser/profiles-service.test.ts
index 13bbdf27c49..b726ad3fbdb 100644
--- a/src/browser/profiles-service.test.ts
+++ b/src/browser/profiles-service.test.ts
@@ -136,37 +136,6 @@ describe("BrowserProfilesService", () => {
     );
   });
 
-  it("rejects driver=extension with non-loopback cdpUrl", async () => {
-    const resolved = resolveBrowserConfig({});
-    const { ctx } = createCtx(resolved);
-    vi.mocked(loadConfig).mockReturnValue({ browser: { profiles: {} } });
-
-    const service = createBrowserProfilesService(ctx);
-
-    await expect(
-      service.createProfile({
-        name: "chrome-remote",
-        driver: "extension",
-        cdpUrl: "http://10.0.0.42:9222",
-      }),
-    ).rejects.toThrow(/loopback cdpUrl host/i);
-  });
-
-  it("rejects driver=extension without an explicit cdpUrl", async () => {
-    const resolved = resolveBrowserConfig({});
-    const { ctx } = createCtx(resolved);
-    vi.mocked(loadConfig).mockReturnValue({ browser: { profiles: {} } });
-
-    const service = createBrowserProfilesService(ctx);
-
-    await expect(
-      service.createProfile({
-        name: "chrome-extension",
-        driver: "extension",
-      }),
-    ).rejects.toThrow(/requires an explicit loopback cdpUrl/i);
-  });
-
   it("creates existing-session profiles as attach-only local entries", async () => {
     const resolved = resolveBrowserConfig({});
     const { ctx, state } = createCtx(resolved);
diff --git a/src/browser/profiles-service.ts b/src/browser/profiles-service.ts
index 86321006e98..af747015e45 100644
--- a/src/browser/profiles-service.ts
+++ b/src/browser/profiles-service.ts
@@ -3,7 +3,6 @@ import path from "node:path";
 import type { BrowserProfileConfig, OpenClawConfig } from "../config/config.js";
 import { loadConfig, writeConfigFile } from "../config/config.js";
 import { deriveDefaultBrowserCdpPortRange } from "../config/port-defaults.js";
-import { isLoopbackHost } from "../gateway/net.js";
 import { resolveOpenClawUserDataDir } from "./chrome.js";
 import { parseHttpUrl, resolveProfile } from "./config.js";
 import {
@@ -27,7 +26,7 @@ export type CreateProfileParams = {
   name: string;
   color?: string;
   cdpUrl?: string;
-  driver?: "openclaw" | "extension" | "existing-session";
+  driver?: "openclaw" | "existing-session";
 };
 
 export type CreateProfileResult = {
@@ -80,12 +79,7 @@ export function createBrowserProfilesService(ctx: BrowserRouteContext) {
   const createProfile = async (params: CreateProfileParams): Promise<CreateProfileResult> => {
     const name = params.name.trim();
     const rawCdpUrl = params.cdpUrl?.trim() || undefined;
-    const driver =
-      params.driver === "extension"
-        ? "extension"
-        : params.driver === "existing-session"
-          ? "existing-session"
-          : undefined;
+    const driver = params.driver === "existing-session" ? "existing-session" : undefined;
 
     if (!isValidProfileName(name)) {
       throw new BrowserValidationError(
@@ -117,18 +111,6 @@ export function createBrowserProfilesService(ctx: BrowserRouteContext) {
       } catch (err) {
         throw new BrowserValidationError(String(err));
       }
-      if (driver === "extension") {
-        if (!isLoopbackHost(parsed.parsed.hostname)) {
-          throw new BrowserValidationError(
-            `driver=extension requires a loopback cdpUrl host, got: ${parsed.parsed.hostname}`,
-          );
-        }
-        if (parsed.parsed.protocol !== "http:" && parsed.parsed.protocol !== "https:") {
-          throw new BrowserValidationError(
-            `driver=extension requires an http(s) cdpUrl, got: ${parsed.parsed.protocol.replace(":", "")}`,
-          );
-        }
-      }
       if (driver === "existing-session") {
         throw new BrowserValidationError(
           "driver=existing-session does not accept cdpUrl; it attaches via the Chrome MCP auto-connect flow",
@@ -140,9 +122,6 @@ export function createBrowserProfilesService(ctx: BrowserRouteContext) {
         color: profileColor,
       };
     } else {
-      if (driver === "extension") {
-        throw new BrowserValidationError("driver=extension requires an explicit loopback cdpUrl");
-      }
       if (driver === "existing-session") {
         // existing-session uses Chrome MCP auto-connect; no CDP port needed
         profileConfig = {
diff --git a/src/browser/pw-session.get-page-for-targetid.extension-fallback.test.ts b/src/browser/pw-session.get-page-for-targetid.extension-fallback.test.ts
index 8f64b2bf575..2b3bdb32bd8 100644
--- a/src/browser/pw-session.get-page-for-targetid.extension-fallback.test.ts
+++ b/src/browser/pw-session.get-page-for-targetid.extension-fallback.test.ts
@@ -52,7 +52,7 @@ function createExtensionFallbackBrowserHarness(options?: {
 }
 
 describe("pw-session getPageForTargetId", () => {
-  it("falls back to the only page when CDP session attachment is blocked (extension relays)", async () => {
+  it("falls back to the only page when Playwright cannot resolve target ids", async () => {
     const { browserClose, pages } = createExtensionFallbackBrowserHarness();
     const [page] = pages;
 
@@ -94,26 +94,20 @@ describe("pw-session getPageForTargetId", () => {
     }
   });
 
-  it("resolves extension-relay pages from /json/list without probing page CDP sessions first", async () => {
+  it("resolves pages from /json/list when page CDP probing fails", async () => {
     const { newCDPSession, pages } = createExtensionFallbackBrowserHarness({
       urls: ["https://alpha.example", "https://beta.example"],
       newCDPSessionError: "Target.attachToBrowserTarget: Not allowed",
     });
     const [, pageB] = pages;
 
-    const fetchSpy = vi.spyOn(globalThis, "fetch");
-    fetchSpy
-      .mockResolvedValueOnce({
-        ok: true,
-        json: async () => ({ Browser: "OpenClaw/extension-relay" }),
-      } as Response)
-      .mockResolvedValueOnce({
-        ok: true,
-        json: async () => [
-          { id: "TARGET_A", url: "https://alpha.example" },
-          { id: "TARGET_B", url: "https://beta.example" },
-        ],
-      } as Response);
+    const fetchSpy = vi.spyOn(globalThis, "fetch").mockResolvedValue({
+      ok: true,
+      json: async () => [
+        { id: "TARGET_A", url: "https://alpha.example" },
+        { id: "TARGET_B", url: "https://beta.example" },
+      ],
+    } as Response);
 
     try {
       const resolved = await getPageForTargetId({
@@ -121,7 +115,7 @@ describe("pw-session getPageForTargetId", () => {
         targetId: "TARGET_B",
       });
       expect(resolved).toBe(pageB);
-      expect(newCDPSession).not.toHaveBeenCalled();
+      expect(newCDPSession).toHaveBeenCalled();
     } finally {
       fetchSpy.mockRestore();
     }
diff --git a/src/browser/pw-session.page-cdp.test.ts b/src/browser/pw-session.page-cdp.test.ts
index 1347cca20a1..c00f8af5a02 100644
--- a/src/browser/pw-session.page-cdp.test.ts
+++ b/src/browser/pw-session.page-cdp.test.ts
@@ -1,61 +1,12 @@
 import { beforeEach, describe, expect, it, vi } from "vitest";
-
-const cdpHelperMocks = vi.hoisted(() => ({
-  fetchJson: vi.fn(),
-  withCdpSocket: vi.fn(),
-}));
-
-const chromeMocks = vi.hoisted(() => ({
-  getChromeWebSocketUrl: vi.fn(async () => "ws://127.0.0.1:18792/cdp"),
-}));
-
-vi.mock("./cdp.helpers.js", async () => {
-  const actual = await vi.importActual<typeof import("./cdp.helpers.js")>("./cdp.helpers.js");
-  return {
-    ...actual,
-    fetchJson: cdpHelperMocks.fetchJson,
-    withCdpSocket: cdpHelperMocks.withCdpSocket,
-  };
-});
-
-vi.mock("./chrome.js", () => chromeMocks);
-
-import { isExtensionRelayCdpEndpoint, withPageScopedCdpClient } from "./pw-session.page-cdp.js";
+import { withPageScopedCdpClient } from "./pw-session.page-cdp.js";
 
 describe("pw-session page-scoped CDP client", () => {
   beforeEach(() => {
     vi.clearAllMocks();
   });
 
-  it("uses raw relay /cdp commands for extension endpoints when targetId is known", async () => {
-    cdpHelperMocks.fetchJson.mockResolvedValue({ Browser: "OpenClaw/extension-relay" });
-    const send = vi.fn(async () => ({ ok: true }));
-    cdpHelperMocks.withCdpSocket.mockImplementation(async (_wsUrl, fn) => await fn(send));
-    const newCDPSession = vi.fn();
-    const page = {
-      context: () => ({
-        newCDPSession,
-      }),
-    };
-
-    await withPageScopedCdpClient({
-      cdpUrl: "http://127.0.0.1:18792",
-      page: page as never,
-      targetId: "tab-1",
-      fn: async (pageSend) => {
-        await pageSend("Page.bringToFront", { foo: "bar" });
-      },
-    });
-
-    expect(send).toHaveBeenCalledWith("Page.bringToFront", {
-      foo: "bar",
-      targetId: "tab-1",
-    });
-    expect(newCDPSession).not.toHaveBeenCalled();
-  });
-
-  it("falls back to Playwright page sessions for non-relay endpoints", async () => {
-    cdpHelperMocks.fetchJson.mockResolvedValue({ Browser: "Chrome/145.0" });
+  it("uses Playwright page sessions", async () => {
     const sessionSend = vi.fn(async () => ({ ok: true }));
     const sessionDetach = vi.fn(async () => {});
     const newCDPSession = vi.fn(async () => ({
@@ -80,15 +31,5 @@ describe("pw-session page-scoped CDP client", () => {
     expect(newCDPSession).toHaveBeenCalledWith(page);
     expect(sessionSend).toHaveBeenCalledWith("Emulation.setLocaleOverride", { locale: "en-US" });
     expect(sessionDetach).toHaveBeenCalledTimes(1);
-    expect(cdpHelperMocks.withCdpSocket).not.toHaveBeenCalled();
-  });
-
-  it("caches extension-relay endpoint detection by cdpUrl", async () => {
-    cdpHelperMocks.fetchJson.mockResolvedValue({ Browser: "OpenClaw/extension-relay" });
-
-    await expect(isExtensionRelayCdpEndpoint("http://127.0.0.1:19992")).resolves.toBe(true);
-    await expect(isExtensionRelayCdpEndpoint("http://127.0.0.1:19992/")).resolves.toBe(true);
-
-    expect(cdpHelperMocks.fetchJson).toHaveBeenCalledTimes(1);
   });
 });
diff --git a/src/browser/pw-session.page-cdp.ts b/src/browser/pw-session.page-cdp.ts
index 8c2109293cd..ccfc2ee7f34 100644
--- a/src/browser/pw-session.page-cdp.ts
+++ b/src/browser/pw-session.page-cdp.ts
@@ -1,44 +1,7 @@
 import type { CDPSession, Page } from "playwright-core";
-import {
-  appendCdpPath,
-  fetchJson,
-  normalizeCdpHttpBaseForJsonEndpoints,
-  withCdpSocket,
-} from "./cdp.helpers.js";
-import { getChromeWebSocketUrl } from "./chrome.js";
-
-const OPENCLAW_EXTENSION_RELAY_BROWSER = "OpenClaw/extension-relay";
 
 type PageCdpSend = (method: string, params?: Record<string, unknown>) => Promise<unknown>;
 
-const extensionRelayByCdpUrl = new Map<string, boolean>();
-
-function normalizeCdpUrl(raw: string) {
-  return raw.replace(/\/$/, "");
-}
-
-export async function isExtensionRelayCdpEndpoint(cdpUrl: string): Promise<boolean> {
-  const normalized = normalizeCdpUrl(cdpUrl);
-  const cached = extensionRelayByCdpUrl.get(normalized);
-  if (cached !== undefined) {
-    return cached;
-  }
-
-  try {
-    const cdpHttpBase = normalizeCdpHttpBaseForJsonEndpoints(normalized);
-    const version = await fetchJson<{ Browser?: string }>(
-      appendCdpPath(cdpHttpBase, "/json/version"),
-      2000,
-    );
-    const isRelay = String(version?.Browser ?? "").trim() === OPENCLAW_EXTENSION_RELAY_BROWSER;
-    extensionRelayByCdpUrl.set(normalized, isRelay);
-    return isRelay;
-  } catch {
-    extensionRelayByCdpUrl.set(normalized, false);
-    return false;
-  }
-}
-
 async function withPlaywrightPageCdpSession<T>(
   page: Page,
   fn: (session: CDPSession) => Promise<T>,
@@ -57,17 +20,6 @@ export async function withPageScopedCdpClient<T>(opts: {
   targetId?: string;
   fn: (send: PageCdpSend) => Promise<T>;
 }): Promise<T> {
-  const targetId = opts.targetId?.trim();
-  if (targetId && (await isExtensionRelayCdpEndpoint(opts.cdpUrl))) {
-    const wsUrl = await getChromeWebSocketUrl(opts.cdpUrl, 2000);
-    if (!wsUrl) {
-      throw new Error("CDP websocket unavailable");
-    }
-    return await withCdpSocket(wsUrl, async (send) => {
-      return await opts.fn((method, params) => send(method, { ...params, targetId }));
-    });
-  }
-
   return await withPlaywrightPageCdpSession(opts.page, async (session) => {
     return await opts.fn((method, params) =>
       (
diff --git a/src/browser/pw-session.ts b/src/browser/pw-session.ts
index 2e63d190dea..97677557543 100644
--- a/src/browser/pw-session.ts
+++ b/src/browser/pw-session.ts
@@ -26,7 +26,7 @@ import {
   assertBrowserNavigationResultAllowed,
   withBrowserNavigationPolicy,
 } from "./navigation-guard.js";
-import { isExtensionRelayCdpEndpoint, withPageScopedCdpClient } from "./pw-session.page-cdp.js";
+import { withPageScopedCdpClient } from "./pw-session.page-cdp.js";
 
 export type BrowserConsoleMessage = {
   type: string;
@@ -454,21 +454,6 @@ async function findPageByTargetId(
   cdpUrl?: string,
 ): Promise<Page | null> {
   const pages = await getAllPages(browser);
-  const isExtensionRelay = cdpUrl
-    ? await isExtensionRelayCdpEndpoint(cdpUrl).catch(() => false)
-    : false;
-  if (cdpUrl && isExtensionRelay) {
-    try {
-      const matched = await findPageByTargetIdViaTargetList(pages, targetId, cdpUrl);
-      if (matched) {
-        return matched;
-      }
-    } catch {
-      // Ignore fetch errors and fall through to best-effort single-page fallback.
-    }
-    return pages.length === 1 ? (pages[0] ?? null) : null;
-  }
-
   let resolvedViaCdp = false;
   for (const page of pages) {
     let tid: string | null = null;
@@ -522,9 +507,7 @@ export async function getPageForTargetId(opts: {
   }
   const found = await findPageByTargetId(browser, opts.targetId, opts.cdpUrl);
   if (!found) {
-    // Extension relays can block CDP attachment APIs (e.g. Target.attachToBrowserTarget),
-    // which prevents us from resolving a page's targetId via newCDPSession(). If Playwright
-    // only exposes a single Page, use it as a best-effort fallback.
+    // If Playwright only exposes a single Page, use it as a best-effort fallback.
     if (pages.length === 1) {
       return first;
     }
diff --git a/src/browser/routes/agent.snapshot.plan.test.ts b/src/browser/routes/agent.snapshot.plan.test.ts
index 384e24a1c71..1fa8c54b81e 100644
--- a/src/browser/routes/agent.snapshot.plan.test.ts
+++ b/src/browser/routes/agent.snapshot.plan.test.ts
@@ -3,15 +3,15 @@ import { resolveBrowserConfig, resolveProfile } from "../config.js";
 import { resolveSnapshotPlan } from "./agent.snapshot.plan.js";
 
 describe("resolveSnapshotPlan", () => {
-  it("defaults extension relay snapshots to aria when format is omitted", () => {
+  it("defaults existing-session snapshots to ai when format is omitted", () => {
     const resolved = resolveBrowserConfig({
       profiles: {
-        relay: { driver: "extension", cdpUrl: "http://127.0.0.1:18792", color: "#0066CC" },
+        user: { driver: "existing-session", attachOnly: true, color: "#00AA00" },
       },
     });
-    const profile = resolveProfile(resolved, "relay");
+    const profile = resolveProfile(resolved, "user");
     expect(profile).toBeTruthy();
-    expect(profile?.driver).toBe("extension");
+    expect(profile?.driver).toBe("existing-session");
 
     const plan = resolveSnapshotPlan({
       profile: profile as NonNullable<typeof profile>,
@@ -19,7 +19,7 @@ describe("resolveSnapshotPlan", () => {
       hasPlaywright: true,
     });
 
-    expect(plan.format).toBe("aria");
+    expect(plan.format).toBe("ai");
   });
 
   it("keeps ai snapshots for managed browsers when Playwright is available", () => {
diff --git a/src/browser/routes/basic.ts b/src/browser/routes/basic.ts
index f6123ac4cf0..c4f5db47a59 100644
--- a/src/browser/routes/basic.ts
+++ b/src/browser/routes/basic.ts
@@ -176,15 +176,18 @@ export function registerBrowserBasicRoutes(app: BrowserRouteRegistrar, ctx: Brow
     const name = toStringOrEmpty((req.body as { name?: unknown })?.name);
     const color = toStringOrEmpty((req.body as { color?: unknown })?.color);
     const cdpUrl = toStringOrEmpty((req.body as { cdpUrl?: unknown })?.cdpUrl);
-    const driver = toStringOrEmpty((req.body as { driver?: unknown })?.driver) as
-      | "openclaw"
-      | "extension"
-      | "existing-session"
-      | "";
+    const driver = toStringOrEmpty((req.body as { driver?: unknown })?.driver);
 
     if (!name) {
       return jsonError(res, 400, "name is required");
     }
+    if (driver && driver !== "openclaw" && driver !== "clawd" && driver !== "existing-session") {
+      return jsonError(
+        res,
+        400,
+        `unsupported profile driver "${driver}"; use "openclaw", "clawd", or "existing-session"`,
+      );
+    }
 
     await withProfilesServiceMutation({
       res,
@@ -195,10 +198,10 @@ export function registerBrowserBasicRoutes(app: BrowserRouteRegistrar, ctx: Brow
           color: color || undefined,
           cdpUrl: cdpUrl || undefined,
           driver:
-            driver === "extension"
-              ? "extension"
-              : driver === "existing-session"
-                ? "existing-session"
+            driver === "existing-session"
+              ? "existing-session"
+              : driver === "openclaw" || driver === "clawd"
+                ? "openclaw"
                 : undefined,
         }),
     });
diff --git a/src/browser/server-context.availability.ts b/src/browser/server-context.availability.ts
index a0281d53d9f..d7d33fd0fde 100644
--- a/src/browser/server-context.availability.ts
+++ b/src/browser/server-context.availability.ts
@@ -15,11 +15,7 @@ import {
   stopOpenClawChrome,
 } from "./chrome.js";
 import type { ResolvedBrowserProfile } from "./config.js";
-import { BrowserConfigurationError, BrowserProfileUnavailableError } from "./errors.js";
-import {
-  ensureChromeExtensionRelayServer,
-  stopChromeExtensionRelayServer,
-} from "./extension-relay.js";
+import { BrowserProfileUnavailableError } from "./errors.js";
 import { getBrowserProfileCapabilities } from "./profile-capabilities.js";
 import {
   CDP_READY_AFTER_LAUNCH_MAX_TIMEOUT_MS,
@@ -124,9 +120,6 @@ export function createProfileAvailability({
       await stopOpenClawChrome(profileState.running).catch(() => {});
       setProfileRunning(null);
     }
-    if (previousProfile.driver === "extension") {
-      await stopChromeExtensionRelayServer({ cdpUrl: previousProfile.cdpUrl }).catch(() => false);
-    }
     if (getBrowserProfileCapabilities(previousProfile).usesChromeMcp) {
       await closeChromeMcpSession(previousProfile.name).catch(() => false);
     }
@@ -166,33 +159,9 @@ export function createProfileAvailability({
     const current = state();
     const remoteCdp = capabilities.isRemote;
     const attachOnly = profile.attachOnly;
-    const isExtension = capabilities.requiresRelay;
     const profileState = getProfileState();
     const httpReachable = await isHttpReachable();
 
-    if (isExtension && remoteCdp) {
-      throw new BrowserConfigurationError(
-        `Profile "${profile.name}" uses driver=extension but cdpUrl is not loopback (${profile.cdpUrl}).`,
-      );
-    }
-
-    if (isExtension) {
-      if (!httpReachable) {
-        await ensureChromeExtensionRelayServer({
-          cdpUrl: profile.cdpUrl,
-          bindHost: current.resolved.relayBindHost,
-        });
-        if (!(await isHttpReachable(PROFILE_ATTACH_RETRY_TIMEOUT_MS))) {
-          throw new BrowserProfileUnavailableError(
-            `Chrome extension relay for profile "${profile.name}" is not reachable at ${profile.cdpUrl}.`,
-          );
-        }
-      }
-      // Browser startup should only ensure relay availability.
-      // Tab attachment is checked when a tab is actually required.
-      return;
-    }
-
     if (!httpReachable) {
       if ((attachOnly || remoteCdp) && opts.onEnsureAttachTarget) {
         await opts.onEnsureAttachTarget(profile);
@@ -267,12 +236,6 @@ export function createProfileAvailability({
       const stopped = await closeChromeMcpSession(profile.name);
       return { stopped };
     }
-    if (capabilities.requiresRelay) {
-      const stopped = await stopChromeExtensionRelayServer({
-        cdpUrl: profile.cdpUrl,
-      });
-      return { stopped };
-    }
     const profileState = getProfileState();
     if (!profileState.running) {
       return { stopped: false };
diff --git a/src/browser/server-context.ensure-tab-available.prefers-last-target.test.ts b/src/browser/server-context.ensure-tab-available.prefers-last-target.test.ts
deleted file mode 100644
index d3760bd460d..00000000000
--- a/src/browser/server-context.ensure-tab-available.prefers-last-target.test.ts
+++ /dev/null
@@ -1,178 +0,0 @@
-import { describe, expect, it, vi } from "vitest";
-import { withFetchPreconnect } from "../test-utils/fetch-mock.js";
-import type { BrowserServerState } from "./server-context.js";
-import "./server-context.chrome-test-harness.js";
-import { createBrowserRouteContext } from "./server-context.js";
-
-function makeBrowserState(): BrowserServerState {
-  return {
-    // oxlint-disable-next-line typescript/no-explicit-any
-    server: null as any,
-    port: 0,
-    resolved: {
-      enabled: true,
-      controlPort: 18791,
-      cdpPortRangeStart: 18800,
-      cdpPortRangeEnd: 18899,
-      cdpProtocol: "http",
-      cdpHost: "127.0.0.1",
-      cdpIsLoopback: true,
-      evaluateEnabled: false,
-      remoteCdpTimeoutMs: 1500,
-      remoteCdpHandshakeTimeoutMs: 3000,
-      extraArgs: [],
-      color: "#FF4500",
-      headless: true,
-      noSandbox: false,
-      attachOnly: false,
-      defaultProfile: "chrome-relay",
-      profiles: {
-        "chrome-relay": {
-          driver: "extension",
-          cdpUrl: "http://127.0.0.1:18792",
-          cdpPort: 18792,
-          color: "#00AA00",
-        },
-        openclaw: { cdpPort: 18800, color: "#FF4500" },
-      },
-    },
-    profiles: new Map(),
-  };
-}
-
-function stubChromeJsonList(responses: unknown[]) {
-  const fetchMock = vi.fn();
-  const queue = [...responses];
-
-  fetchMock.mockImplementation(async (url: unknown) => {
-    const u = String(url);
-    if (!u.includes("/json/list")) {
-      throw new Error(`unexpected fetch: ${u}`);
-    }
-    const next = queue.shift();
-    if (!next) {
-      throw new Error("no more responses");
-    }
-    return {
-      ok: true,
-      json: async () => next,
-    } as unknown as Response;
-  });
-
-  global.fetch = withFetchPreconnect(fetchMock);
-  return fetchMock;
-}
-
-describe("browser server-context ensureTabAvailable", () => {
-  it("sticks to the last selected target when targetId is omitted", async () => {
-    // 1st call (snapshot): stable ordering A then B (twice)
-    // 2nd call (act): reversed ordering B then A (twice)
-    const responses = [
-      [
-        { id: "A", type: "page", url: "https://a.example", webSocketDebuggerUrl: "ws://x/a" },
-        { id: "B", type: "page", url: "https://b.example", webSocketDebuggerUrl: "ws://x/b" },
-      ],
-      [
-        { id: "A", type: "page", url: "https://a.example", webSocketDebuggerUrl: "ws://x/a" },
-        { id: "B", type: "page", url: "https://b.example", webSocketDebuggerUrl: "ws://x/b" },
-      ],
-      [
-        { id: "B", type: "page", url: "https://b.example", webSocketDebuggerUrl: "ws://x/b" },
-        { id: "A", type: "page", url: "https://a.example", webSocketDebuggerUrl: "ws://x/a" },
-      ],
-      [
-        { id: "B", type: "page", url: "https://b.example", webSocketDebuggerUrl: "ws://x/b" },
-        { id: "A", type: "page", url: "https://a.example", webSocketDebuggerUrl: "ws://x/a" },
-      ],
-    ];
-    stubChromeJsonList(responses);
-    const state = makeBrowserState();
-
-    const ctx = createBrowserRouteContext({
-      getState: () => state,
-    });
-
-    const chromeRelay = ctx.forProfile("chrome-relay");
-    const first = await chromeRelay.ensureTabAvailable();
-    expect(first.targetId).toBe("A");
-    const second = await chromeRelay.ensureTabAvailable();
-    expect(second.targetId).toBe("A");
-  });
-
-  it("rejects invalid targetId even when only one extension tab remains", async () => {
-    const responses = [
-      [{ id: "A", type: "page", url: "https://a.example", webSocketDebuggerUrl: "ws://x/a" }],
-      [{ id: "A", type: "page", url: "https://a.example", webSocketDebuggerUrl: "ws://x/a" }],
-    ];
-    stubChromeJsonList(responses);
-    const state = makeBrowserState();
-
-    const ctx = createBrowserRouteContext({ getState: () => state });
-    const chromeRelay = ctx.forProfile("chrome-relay");
-    await expect(chromeRelay.ensureTabAvailable("NOT_A_TAB")).rejects.toThrow(/tab not found/i);
-  });
-
-  it("returns a descriptive message when no extension tabs are attached", async () => {
-    const responses = [[]];
-    stubChromeJsonList(responses);
-    const state = makeBrowserState();
-
-    const ctx = createBrowserRouteContext({ getState: () => state });
-    const chromeRelay = ctx.forProfile("chrome-relay");
-    await expect(chromeRelay.ensureTabAvailable()).rejects.toThrow(/no attached Chrome tabs/i);
-  });
-
-  it("waits briefly for extension tabs to reappear when a previous target exists", async () => {
-    vi.useFakeTimers();
-    try {
-      const responses = [
-        // First call: select tab A and store lastTargetId.
-        [{ id: "A", type: "page", url: "https://a.example", webSocketDebuggerUrl: "ws://x/a" }],
-        [{ id: "A", type: "page", url: "https://a.example", webSocketDebuggerUrl: "ws://x/a" }],
-        // Second call: transient drop, then the extension re-announces attached tab A.
-        [],
-        [{ id: "A", type: "page", url: "https://a.example", webSocketDebuggerUrl: "ws://x/a" }],
-        [{ id: "A", type: "page", url: "https://a.example", webSocketDebuggerUrl: "ws://x/a" }],
-      ];
-      stubChromeJsonList(responses);
-      const state = makeBrowserState();
-
-      const ctx = createBrowserRouteContext({ getState: () => state });
-      const chromeRelay = ctx.forProfile("chrome-relay");
-      const first = await chromeRelay.ensureTabAvailable();
-      expect(first.targetId).toBe("A");
-
-      const secondPromise = chromeRelay.ensureTabAvailable();
-      await vi.advanceTimersByTimeAsync(250);
-      const second = await secondPromise;
-      expect(second.targetId).toBe("A");
-    } finally {
-      vi.useRealTimers();
-    }
-  });
-
-  it("still fails after the extension-tab grace window expires", async () => {
-    vi.useFakeTimers();
-    try {
-      const responses = [
-        [{ id: "A", type: "page", url: "https://a.example", webSocketDebuggerUrl: "ws://x/a" }],
-        [{ id: "A", type: "page", url: "https://a.example", webSocketDebuggerUrl: "ws://x/a" }],
-        ...Array.from({ length: 20 }, () => []),
-      ];
-      stubChromeJsonList(responses);
-      const state = makeBrowserState();
-
-      const ctx = createBrowserRouteContext({ getState: () => state });
-      const chromeRelay = ctx.forProfile("chrome-relay");
-      await chromeRelay.ensureTabAvailable();
-
-      const pending = expect(chromeRelay.ensureTabAvailable()).rejects.toThrow(
-        /no attached Chrome tabs/i,
-      );
-      await vi.advanceTimersByTimeAsync(3_500);
-      await pending;
-    } finally {
-      vi.useRealTimers();
-    }
-  });
-});
diff --git a/src/browser/server-context.reset.test.ts b/src/browser/server-context.reset.test.ts
index 7e74ffd3881..9fcbc1c2a7b 100644
--- a/src/browser/server-context.reset.test.ts
+++ b/src/browser/server-context.reset.test.ts
@@ -4,10 +4,6 @@ import path from "node:path";
 import { afterEach, describe, expect, it, vi } from "vitest";
 import { createProfileResetOps } from "./server-context.reset.js";
 
-const relayMocks = vi.hoisted(() => ({
-  stopChromeExtensionRelayServer: vi.fn(async () => true),
-}));
-
 const trashMocks = vi.hoisted(() => ({
   movePathToTrash: vi.fn(async (from: string) => `${from}.trashed`),
 }));
@@ -16,7 +12,6 @@ const pwAiMocks = vi.hoisted(() => ({
   closePlaywrightBrowserConnection: vi.fn(async () => {}),
 }));
 
-vi.mock("./extension-relay.js", () => relayMocks);
 vi.mock("./trash.js", () => trashMocks);
 vi.mock("./pw-ai.js", () => pwAiMocks);
 
@@ -54,23 +49,6 @@ function createStatelessResetOps(profile: Parameters<typeof createProfileResetOp
 }
 
 describe("createProfileResetOps", () => {
-  it("stops extension relay for extension profiles", async () => {
-    const ops = createStatelessResetOps({
-      ...localOpenClawProfile(),
-      name: "chrome",
-      driver: "extension",
-    });
-
-    await expect(ops.resetProfile()).resolves.toEqual({
-      moved: false,
-      from: "http://127.0.0.1:18800",
-    });
-    expect(relayMocks.stopChromeExtensionRelayServer).toHaveBeenCalledWith({
-      cdpUrl: "http://127.0.0.1:18800",
-    });
-    expect(trashMocks.movePathToTrash).not.toHaveBeenCalled();
-  });
-
   it("rejects remote non-extension profiles", async () => {
     const ops = createStatelessResetOps({
       ...localOpenClawProfile(),
diff --git a/src/browser/server-context.reset.ts b/src/browser/server-context.reset.ts
index 09bc31cbf38..ea478f56f31 100644
--- a/src/browser/server-context.reset.ts
+++ b/src/browser/server-context.reset.ts
@@ -1,7 +1,6 @@
 import fs from "node:fs";
 import type { ResolvedBrowserProfile } from "./config.js";
 import { BrowserResetUnsupportedError } from "./errors.js";
-import { stopChromeExtensionRelayServer } from "./extension-relay.js";
 import { getBrowserProfileCapabilities } from "./profile-capabilities.js";
 import type { ProfileRuntimeState } from "./server-context.types.js";
 import { movePathToTrash } from "./trash.js";
@@ -36,10 +35,6 @@ export function createProfileResetOps({
 }: ResetDeps): ResetOps {
   const capabilities = getBrowserProfileCapabilities(profile);
   const resetProfile = async () => {
-    if (capabilities.requiresRelay) {
-      await stopChromeExtensionRelayServer({ cdpUrl: profile.cdpUrl }).catch(() => {});
-      return { moved: false, from: profile.cdpUrl };
-    }
     if (!capabilities.supportsReset) {
       throw new BrowserResetUnsupportedError(
         `reset-profile is only supported for local profiles (profile "${profile.name}" is remote).`,
diff --git a/src/browser/server-context.selection.ts b/src/browser/server-context.selection.ts
index f0ce3e25e06..1a744e06b09 100644
--- a/src/browser/server-context.selection.ts
+++ b/src/browser/server-context.selection.ts
@@ -36,28 +36,9 @@ export function createProfileSelectionOps({
   const ensureTabAvailable = async (targetId?: string): Promise<BrowserTab> => {
     await ensureBrowserAvailable();
     const profileState = getProfileState();
-    let tabs1 = await listTabs();
+    const tabs1 = await listTabs();
     if (tabs1.length === 0) {
-      if (capabilities.requiresAttachedTab) {
-        // Chrome extension relay can briefly drop its WebSocket connection (MV3 service worker
-        // lifecycle, relay restart). If we previously had a target selected, wait briefly for
-        // the extension to reconnect and re-announce its attached tabs before failing.
-        if (profileState.lastTargetId?.trim()) {
-          const deadlineAt = Date.now() + 3_000;
-          while (tabs1.length === 0 && Date.now() < deadlineAt) {
-            await new Promise((resolve) => setTimeout(resolve, 200));
-            tabs1 = await listTabs();
-          }
-        }
-        if (tabs1.length === 0) {
-          throw new BrowserTabNotFoundError(
-            `tab not found (no attached Chrome tabs for profile "${profile.name}"). ` +
-              "Click the OpenClaw Browser Relay toolbar icon on the tab you want to control (badge ON).",
-          );
-        }
-      } else {
-        await openTab("about:blank");
-      }
+      await openTab("about:blank");
     }
 
     const tabs = await listTabs();
diff --git a/src/browser/server-lifecycle.test.ts b/src/browser/server-lifecycle.test.ts
index 5ef331f1784..c64e054f96a 100644
--- a/src/browser/server-lifecycle.test.ts
+++ b/src/browser/server-lifecycle.test.ts
@@ -1,13 +1,7 @@
 import { beforeEach, describe, expect, it, vi } from "vitest";
 
-const { resolveProfileMock, ensureChromeExtensionRelayServerMock } = vi.hoisted(() => ({
-  resolveProfileMock: vi.fn(),
-  ensureChromeExtensionRelayServerMock: vi.fn(),
-}));
-
-const { stopOpenClawChromeMock, stopChromeExtensionRelayServerMock } = vi.hoisted(() => ({
+const { stopOpenClawChromeMock } = vi.hoisted(() => ({
   stopOpenClawChromeMock: vi.fn(async () => {}),
-  stopChromeExtensionRelayServerMock: vi.fn(async () => true),
 }));
 
 const { createBrowserRouteContextMock, listKnownProfileNamesMock } = vi.hoisted(() => ({
@@ -19,15 +13,6 @@ vi.mock("./chrome.js", () => ({
   stopOpenClawChrome: stopOpenClawChromeMock,
 }));
 
-vi.mock("./config.js", () => ({
-  resolveProfile: resolveProfileMock,
-}));
-
-vi.mock("./extension-relay.js", () => ({
-  ensureChromeExtensionRelayServer: ensureChromeExtensionRelayServerMock,
-  stopChromeExtensionRelayServer: stopChromeExtensionRelayServerMock,
-}));
-
 vi.mock("./server-context.js", () => ({
   createBrowserRouteContext: createBrowserRouteContextMock,
   listKnownProfileNames: listKnownProfileNamesMock,
@@ -36,49 +21,13 @@ vi.mock("./server-context.js", () => ({
 import { ensureExtensionRelayForProfiles, stopKnownBrowserProfiles } from "./server-lifecycle.js";
 
 describe("ensureExtensionRelayForProfiles", () => {
-  beforeEach(() => {
-    resolveProfileMock.mockClear();
-    ensureChromeExtensionRelayServerMock.mockClear();
-  });
-
-  it("starts relay only for extension profiles", async () => {
-    resolveProfileMock.mockImplementation((_resolved: unknown, name: string) => {
-      if (name === "chrome-relay") {
-        return { driver: "extension", cdpUrl: "http://127.0.0.1:18888" };
-      }
-      return { driver: "openclaw", cdpUrl: "http://127.0.0.1:18889" };
-    });
-    ensureChromeExtensionRelayServerMock.mockResolvedValue(undefined);
-
-    await ensureExtensionRelayForProfiles({
-      resolved: {
-        profiles: {
-          "chrome-relay": {},
-          openclaw: {},
-        },
-      } as never,
-      onWarn: vi.fn(),
-    });
-
-    expect(ensureChromeExtensionRelayServerMock).toHaveBeenCalledTimes(1);
-    expect(ensureChromeExtensionRelayServerMock).toHaveBeenCalledWith({
-      cdpUrl: "http://127.0.0.1:18888",
-    });
-  });
-
-  it("reports relay startup errors", async () => {
-    resolveProfileMock.mockReturnValue({ driver: "extension", cdpUrl: "http://127.0.0.1:18888" });
-    ensureChromeExtensionRelayServerMock.mockRejectedValue(new Error("boom"));
-    const onWarn = vi.fn();
-
-    await ensureExtensionRelayForProfiles({
-      resolved: { profiles: { "chrome-relay": {} } } as never,
-      onWarn,
-    });
-
-    expect(onWarn).toHaveBeenCalledWith(
-      'Chrome extension relay init failed for profile "chrome-relay": Error: boom',
-    );
+  it("is a no-op after removing the Chrome extension relay path", async () => {
+    await expect(
+      ensureExtensionRelayForProfiles({
+        resolved: { profiles: {} } as never,
+        onWarn: vi.fn(),
+      }),
+    ).resolves.toBeUndefined();
   });
 });
 
@@ -87,14 +36,13 @@ describe("stopKnownBrowserProfiles", () => {
     createBrowserRouteContextMock.mockClear();
     listKnownProfileNamesMock.mockClear();
     stopOpenClawChromeMock.mockClear();
-    stopChromeExtensionRelayServerMock.mockClear();
   });
 
   it("stops all known profiles and ignores per-profile failures", async () => {
-    listKnownProfileNamesMock.mockReturnValue(["openclaw", "chrome-relay"]);
+    listKnownProfileNamesMock.mockReturnValue(["openclaw", "user"]);
     const stopMap: Record<string, ReturnType<typeof vi.fn>> = {
       openclaw: vi.fn(async () => {}),
-      "chrome-relay": vi.fn(async () => {
+      user: vi.fn(async () => {
         throw new Error("profile stop failed");
       }),
     };
@@ -112,12 +60,12 @@ describe("stopKnownBrowserProfiles", () => {
     });
 
     expect(stopMap.openclaw).toHaveBeenCalledTimes(1);
-    expect(stopMap["chrome-relay"]).toHaveBeenCalledTimes(1);
+    expect(stopMap.user).toHaveBeenCalledTimes(1);
     expect(onWarn).not.toHaveBeenCalled();
   });
 
   it("stops tracked runtime browsers even when the profile no longer resolves", async () => {
-    listKnownProfileNamesMock.mockReturnValue(["deleted-local", "deleted-extension"]);
+    listKnownProfileNamesMock.mockReturnValue(["deleted-local"]);
     createBrowserRouteContextMock.mockReturnValue({
       forProfile: vi.fn(() => {
         throw new Error("profile not found");
@@ -134,18 +82,7 @@ describe("stopKnownBrowserProfiles", () => {
       },
     };
     const launchedBrowser = localRuntime.running;
-    const extensionRuntime = {
-      profile: {
-        name: "deleted-extension",
-        driver: "extension",
-        cdpUrl: "http://127.0.0.1:19999",
-      },
-      running: null,
-    };
-    const profiles = new Map<string, unknown>([
-      ["deleted-local", localRuntime],
-      ["deleted-extension", extensionRuntime],
-    ]);
+    const profiles = new Map<string, unknown>([["deleted-local", localRuntime]]);
     const state = {
       resolved: { profiles: {} },
       profiles,
@@ -158,9 +95,6 @@ describe("stopKnownBrowserProfiles", () => {
 
     expect(stopOpenClawChromeMock).toHaveBeenCalledWith(launchedBrowser);
     expect(localRuntime.running).toBeNull();
-    expect(stopChromeExtensionRelayServerMock).toHaveBeenCalledWith({
-      cdpUrl: "http://127.0.0.1:19999",
-    });
   });
 
   it("warns when profile enumeration fails", async () => {
diff --git a/src/browser/server-lifecycle.ts b/src/browser/server-lifecycle.ts
index 7053d924b6d..1dd322f2bc9 100644
--- a/src/browser/server-lifecycle.ts
+++ b/src/browser/server-lifecycle.ts
@@ -1,32 +1,18 @@
 import { stopOpenClawChrome } from "./chrome.js";
 import type { ResolvedBrowserConfig } from "./config.js";
-import { resolveProfile } from "./config.js";
-import {
-  ensureChromeExtensionRelayServer,
-  stopChromeExtensionRelayServer,
-} from "./extension-relay.js";
 import {
   type BrowserServerState,
   createBrowserRouteContext,
   listKnownProfileNames,
 } from "./server-context.js";
 
-export async function ensureExtensionRelayForProfiles(params: {
+export async function ensureExtensionRelayForProfiles(_params: {
   resolved: ResolvedBrowserConfig;
   onWarn: (message: string) => void;
 }) {
-  for (const name of Object.keys(params.resolved.profiles)) {
-    const profile = resolveProfile(params.resolved, name);
-    if (!profile || profile.driver !== "extension") {
-      continue;
-    }
-    await ensureChromeExtensionRelayServer({
-      cdpUrl: profile.cdpUrl,
-      bindHost: params.resolved.relayBindHost,
-    }).catch((err) => {
-      params.onWarn(`Chrome extension relay init failed for profile "${name}": ${String(err)}`);
-    });
-  }
+  // Intentional no-op: the Chrome extension relay path has been removed.
+  // runtime-lifecycle still calls this helper, so keep the stub until the next
+  // breaking cleanup rather than changing the call graph in a patch release.
 }
 
 export async function stopKnownBrowserProfiles(params: {
@@ -50,12 +36,6 @@ export async function stopKnownBrowserProfiles(params: {
           runtime.running = null;
           continue;
         }
-        if (runtime?.profile.driver === "extension") {
-          await stopChromeExtensionRelayServer({ cdpUrl: runtime.profile.cdpUrl }).catch(
-            () => false,
-          );
-          continue;
-        }
         await ctx.forProfile(name).stopRunningBrowser();
       } catch {
         // ignore
diff --git a/src/browser/server.control-server.test-harness.ts b/src/browser/server.control-server.test-harness.ts
index 118c83dbb73..57b8d191655 100644
--- a/src/browser/server.control-server.test-harness.ts
+++ b/src/browser/server.control-server.test-harness.ts
@@ -18,7 +18,7 @@ type HarnessState = {
       cdpPort?: number;
       cdpUrl?: string;
       color: string;
-      driver?: "openclaw" | "extension" | "existing-session";
+      driver?: "openclaw" | "existing-session";
       attachOnly?: boolean;
     }
   >;
diff --git a/src/browser/server.post-tabs-open-profile-unknown-returns-404.test.ts b/src/browser/server.post-tabs-open-profile-unknown-returns-404.test.ts
index 8d84ef3c7a8..5ad1d5f7bd2 100644
--- a/src/browser/server.post-tabs-open-profile-unknown-returns-404.test.ts
+++ b/src/browser/server.post-tabs-open-profile-unknown-returns-404.test.ts
@@ -116,18 +116,29 @@ describe("profile CRUD endpoints", () => {
     const createBadRemoteBody = (await createBadRemote.json()) as { error: string };
     expect(createBadRemoteBody.error).toContain("cdpUrl");
 
-    const createBadExtension = await realFetch(`${base}/profiles/create`, {
+    const createClawd = await realFetch(`${base}/profiles/create`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({
-        name: "badextension",
-        driver: "extension",
-        cdpUrl: "http://10.0.0.42:9222",
-      }),
+      body: JSON.stringify({ name: "legacyclawd", driver: "clawd" }),
     });
-    expect(createBadExtension.status).toBe(400);
-    const createBadExtensionBody = (await createBadExtension.json()) as { error: string };
-    expect(createBadExtensionBody.error).toContain("loopback cdpUrl host");
+    expect(createClawd.status).toBe(200);
+    const createClawdBody = (await createClawd.json()) as {
+      profile?: string;
+      transport?: string;
+      cdpPort?: number | null;
+    };
+    expect(createClawdBody.profile).toBe("legacyclawd");
+    expect(createClawdBody.transport).toBe("cdp");
+    expect(createClawdBody.cdpPort).toBeTypeOf("number");
+
+    const createLegacyDriver = await realFetch(`${base}/profiles/create`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ name: "legacy", driver: "extension" }),
+    });
+    expect(createLegacyDriver.status).toBe(400);
+    const createLegacyDriverBody = (await createLegacyDriver.json()) as { error: string };
+    expect(createLegacyDriverBody.error).toContain('unsupported profile driver "extension"');
 
     const deleteMissing = await realFetch(`${base}/profiles/nonexistent`, {
       method: "DELETE",
diff --git a/src/cli/browser-cli-extension.test.ts b/src/cli/browser-cli-extension.test.ts
deleted file mode 100644
index 1c8c74d8c6e..00000000000
--- a/src/cli/browser-cli-extension.test.ts
+++ /dev/null
@@ -1,190 +0,0 @@
-import path from "node:path";
-import { Command } from "commander";
-import { beforeAll, beforeEach, describe, expect, it, vi } from "vitest";
-import { withEnvAsync } from "../test-utils/env.js";
-
-const copyToClipboard = vi.fn();
-const runtime = {
-  log: vi.fn(),
-  error: vi.fn(),
-  exit: vi.fn(),
-};
-
-type FakeFsEntry = { kind: "file"; content: string } | { kind: "dir" };
-
-const state = vi.hoisted(() => ({
-  entries: new Map<string, FakeFsEntry>(),
-  counter: 0,
-}));
-
-const abs = (p: string) => path.resolve(p);
-
-function setFile(p: string, content = "") {
-  const resolved = abs(p);
-  state.entries.set(resolved, { kind: "file", content });
-  setDir(path.dirname(resolved));
-}
-
-function setDir(p: string) {
-  const resolved = abs(p);
-  if (!state.entries.has(resolved)) {
-    state.entries.set(resolved, { kind: "dir" });
-  }
-}
-
-function copyTree(src: string, dest: string) {
-  const srcAbs = abs(src);
-  const destAbs = abs(dest);
-  const srcPrefix = `${srcAbs}${path.sep}`;
-  for (const [key, entry] of state.entries.entries()) {
-    if (key === srcAbs || key.startsWith(srcPrefix)) {
-      const rel = key === srcAbs ? "" : key.slice(srcPrefix.length);
-      const next = rel ? path.join(destAbs, rel) : destAbs;
-      state.entries.set(next, entry);
-    }
-  }
-}
-
-vi.mock("node:fs", async (importOriginal) => {
-  const actual = await importOriginal<typeof import("node:fs")>();
-  const pathMod = await import("node:path");
-  const absInMock = (p: string) => pathMod.resolve(p);
-
-  const wrapped = {
-    ...actual,
-    existsSync: (p: string) => state.entries.has(absInMock(p)),
-    mkdirSync: (p: string, _opts?: unknown) => {
-      setDir(p);
-    },
-    writeFileSync: (p: string, content: string) => {
-      setFile(p, content);
-    },
-    renameSync: (from: string, to: string) => {
-      const fromAbs = absInMock(from);
-      const toAbs = absInMock(to);
-      const entry = state.entries.get(fromAbs);
-      if (!entry) {
-        throw new Error(`ENOENT: no such file or directory, rename '${from}' -> '${to}'`);
-      }
-      state.entries.delete(fromAbs);
-      state.entries.set(toAbs, entry);
-    },
-    rmSync: (p: string) => {
-      const root = absInMock(p);
-      const prefix = `${root}${pathMod.sep}`;
-      const keys = Array.from(state.entries.keys());
-      for (const key of keys) {
-        if (key === root || key.startsWith(prefix)) {
-          state.entries.delete(key);
-        }
-      }
-    },
-    mkdtempSync: (prefix: string) => {
-      const dir = `${prefix}${state.counter++}`;
-      setDir(dir);
-      return dir;
-    },
-    promises: {
-      ...actual.promises,
-      cp: async (src: string, dest: string, _opts?: unknown) => {
-        copyTree(src, dest);
-      },
-    },
-  };
-
-  return { ...wrapped, default: wrapped };
-});
-
-vi.mock("../infra/clipboard.js", () => ({
-  copyToClipboard,
-}));
-
-vi.mock("../runtime.js", () => ({
-  defaultRuntime: runtime,
-}));
-
-let resolveBundledExtensionRootDir: typeof import("./browser-cli-extension.js").resolveBundledExtensionRootDir;
-let installChromeExtension: typeof import("./browser-cli-extension.js").installChromeExtension;
-let registerBrowserExtensionCommands: typeof import("./browser-cli-extension.js").registerBrowserExtensionCommands;
-
-beforeAll(async () => {
-  ({ resolveBundledExtensionRootDir, installChromeExtension, registerBrowserExtensionCommands } =
-    await import("./browser-cli-extension.js"));
-});
-
-beforeEach(() => {
-  state.entries.clear();
-  state.counter = 0;
-  copyToClipboard.mockClear();
-  copyToClipboard.mockResolvedValue(false);
-  runtime.log.mockClear();
-  runtime.error.mockClear();
-  runtime.exit.mockClear();
-});
-
-function writeManifest(dir: string) {
-  setDir(dir);
-  setFile(path.join(dir, "manifest.json"), JSON.stringify({ manifest_version: 3 }));
-}
-
-describe("bundled extension resolver (fs-mocked)", () => {
-  it("walks up to find the assets directory", () => {
-    const root = abs("/tmp/openclaw-ext-root");
-    const here = path.join(root, "dist", "cli");
-    const assets = path.join(root, "assets", "chrome-extension");
-
-    writeManifest(assets);
-    setDir(here);
-
-    expect(resolveBundledExtensionRootDir(here)).toBe(assets);
-  });
-
-  it("prefers the nearest assets directory", () => {
-    const root = abs("/tmp/openclaw-ext-root-nearest");
-    const here = path.join(root, "dist", "cli");
-    const distAssets = path.join(root, "dist", "assets", "chrome-extension");
-    const rootAssets = path.join(root, "assets", "chrome-extension");
-
-    writeManifest(distAssets);
-    writeManifest(rootAssets);
-    setDir(here);
-
-    expect(resolveBundledExtensionRootDir(here)).toBe(distAssets);
-  });
-});
-
-describe("browser extension install (fs-mocked)", () => {
-  it("installs into the state dir (never node_modules)", async () => {
-    const tmp = abs("/tmp/openclaw-ext-install");
-    const sourceDir = path.join(tmp, "source-ext");
-    writeManifest(sourceDir);
-    setFile(path.join(sourceDir, "test.txt"), "ok");
-
-    const result = await installChromeExtension({ stateDir: tmp, sourceDir });
-
-    expect(result.path).toBe(path.join(tmp, "browser", "chrome-extension"));
-    expect(state.entries.has(abs(path.join(result.path, "manifest.json")))).toBe(true);
-    expect(state.entries.has(abs(path.join(result.path, "test.txt")))).toBe(true);
-    expect(result.path.includes("node_modules")).toBe(false);
-  });
-
-  it("copies extension path to clipboard", async () => {
-    const tmp = abs("/tmp/openclaw-ext-path");
-    await withEnvAsync({ OPENCLAW_STATE_DIR: tmp }, async () => {
-      copyToClipboard.mockResolvedValue(true);
-
-      const dir = path.join(tmp, "browser", "chrome-extension");
-      writeManifest(dir);
-
-      const program = new Command();
-      const browser = program.command("browser").option("--json", "JSON output", false);
-      registerBrowserExtensionCommands(
-        browser,
-        (cmd) => cmd.parent?.opts?.() as { json?: boolean },
-      );
-
-      await program.parseAsync(["browser", "extension", "path"], { from: "user" });
-      expect(copyToClipboard).toHaveBeenCalledWith(dir);
-    });
-  });
-});
diff --git a/src/cli/browser-cli-extension.ts b/src/cli/browser-cli-extension.ts
deleted file mode 100644
index a04059dfda6..00000000000
--- a/src/cli/browser-cli-extension.ts
+++ /dev/null
@@ -1,140 +0,0 @@
-import fs from "node:fs";
-import path from "node:path";
-import { fileURLToPath } from "node:url";
-import type { Command } from "commander";
-import { movePathToTrash } from "../browser/trash.js";
-import { resolveStateDir } from "../config/paths.js";
-import { danger, info } from "../globals.js";
-import { copyToClipboard } from "../infra/clipboard.js";
-import { defaultRuntime } from "../runtime.js";
-import { formatDocsLink } from "../terminal/links.js";
-import { theme } from "../terminal/theme.js";
-import { shortenHomePath } from "../utils.js";
-import { formatCliCommand } from "./command-format.js";
-
-export function resolveBundledExtensionRootDir(
-  here = path.dirname(fileURLToPath(import.meta.url)),
-) {
-  let current = here;
-  while (true) {
-    const candidate = path.join(current, "assets", "chrome-extension");
-    if (hasManifest(candidate)) {
-      return candidate;
-    }
-    const parent = path.dirname(current);
-    if (parent === current) {
-      break;
-    }
-    current = parent;
-  }
-
-  return path.resolve(here, "../../assets/chrome-extension");
-}
-
-function installedExtensionRootDir() {
-  return path.join(resolveStateDir(), "browser", "chrome-extension");
-}
-
-function hasManifest(dir: string) {
-  return fs.existsSync(path.join(dir, "manifest.json"));
-}
-
-export async function installChromeExtension(opts?: {
-  stateDir?: string;
-  sourceDir?: string;
-}): Promise<{ path: string }> {
-  const src = opts?.sourceDir ?? resolveBundledExtensionRootDir();
-  if (!hasManifest(src)) {
-    throw new Error("Bundled Chrome extension is missing. Reinstall OpenClaw and try again.");
-  }
-
-  const stateDir = opts?.stateDir ?? resolveStateDir();
-  const dest = path.join(stateDir, "browser", "chrome-extension");
-  fs.mkdirSync(path.dirname(dest), { recursive: true });
-
-  if (fs.existsSync(dest)) {
-    await movePathToTrash(dest).catch(() => {
-      const backup = `${dest}.old-${Date.now()}`;
-      fs.renameSync(dest, backup);
-    });
-  }
-
-  await fs.promises.cp(src, dest, { recursive: true });
-  if (!hasManifest(dest)) {
-    throw new Error("Chrome extension install failed (manifest.json missing). Try again.");
-  }
-
-  return { path: dest };
-}
-
-export function registerBrowserExtensionCommands(
-  browser: Command,
-  parentOpts: (cmd: Command) => { json?: boolean },
-) {
-  const ext = browser.command("extension").description("Chrome extension helpers");
-
-  ext
-    .command("install")
-    .description("Install the Chrome extension to a stable local path")
-    .action(async (_opts, cmd) => {
-      const parent = parentOpts(cmd);
-      let installed: { path: string };
-      try {
-        installed = await installChromeExtension();
-      } catch (err) {
-        defaultRuntime.error(danger(String(err)));
-        defaultRuntime.exit(1);
-        return;
-      }
-
-      if (parent?.json) {
-        defaultRuntime.log(JSON.stringify({ ok: true, path: installed.path }, null, 2));
-        return;
-      }
-      const displayPath = shortenHomePath(installed.path);
-      defaultRuntime.log(displayPath);
-      const copied = await copyToClipboard(installed.path).catch(() => false);
-      defaultRuntime.error(
-        info(
-          [
-            copied ? "Copied to clipboard." : "Copy to clipboard unavailable.",
-            "Next:",
-            `- Chrome → chrome://extensions → enable “Developer mode”`,
-            `- “Load unpacked” → select: ${displayPath}`,
-            `- Pin “OpenClaw Browser Relay”, then click it on the tab (badge shows ON)`,
-            "",
-            `${theme.muted("Docs:")} ${formatDocsLink("/tools/chrome-extension", "docs.openclaw.ai/tools/chrome-extension")}`,
-          ].join("\n"),
-        ),
-      );
-    });
-
-  ext
-    .command("path")
-    .description("Print the path to the installed Chrome extension (load unpacked)")
-    .action(async (_opts, cmd) => {
-      const parent = parentOpts(cmd);
-      const dir = installedExtensionRootDir();
-      if (!hasManifest(dir)) {
-        defaultRuntime.error(
-          danger(
-            [
-              `Chrome extension is not installed. Run: "${formatCliCommand("openclaw browser extension install")}"`,
-              `Docs: ${formatDocsLink("/tools/chrome-extension", "docs.openclaw.ai/tools/chrome-extension")}`,
-            ].join("\n"),
-          ),
-        );
-        defaultRuntime.exit(1);
-      }
-      if (parent?.json) {
-        defaultRuntime.log(JSON.stringify({ path: dir }, null, 2));
-        return;
-      }
-      const displayPath = shortenHomePath(dir);
-      defaultRuntime.log(displayPath);
-      const copied = await copyToClipboard(dir).catch(() => false);
-      if (copied) {
-        defaultRuntime.error(info("Copied to clipboard."));
-      }
-    });
-}
diff --git a/src/cli/browser-cli-manage.ts b/src/cli/browser-cli-manage.ts
index ddf207b28f0..e13b7af003a 100644
--- a/src/cli/browser-cli-manage.ts
+++ b/src/cli/browser-cli-manage.ts
@@ -105,14 +105,14 @@ function logBrowserTabs(tabs: BrowserTab[], json?: boolean) {
 
 function usesChromeMcpTransport(params: {
   transport?: BrowserTransport;
-  driver?: "openclaw" | "extension" | "existing-session";
+  driver?: "openclaw" | "existing-session";
 }): boolean {
   return params.transport === "chrome-mcp" || params.driver === "existing-session";
 }
 
 function formatBrowserConnectionSummary(params: {
   transport?: BrowserTransport;
-  driver?: "openclaw" | "extension" | "existing-session";
+  driver?: "openclaw" | "existing-session";
   isRemote?: boolean;
   cdpPort?: number | null;
   cdpUrl?: string | null;
@@ -455,10 +455,7 @@ export function registerBrowserManageCommands(
     .requiredOption("--name <name>", "Profile name (lowercase, numbers, hyphens)")
     .option("--color <hex>", "Profile color (hex format, e.g. #0066CC)")
     .option("--cdp-url <url>", "CDP URL for remote Chrome (http/https)")
-    .option(
-      "--driver <driver>",
-      "Profile driver (openclaw|extension|existing-session). Default: openclaw",
-    )
+    .option("--driver <driver>", "Profile driver (openclaw|existing-session). Default: openclaw")
     .action(
       async (opts: { name: string; color?: string; cdpUrl?: string; driver?: string }, cmd) => {
         const parent = parentOpts(cmd);
@@ -472,12 +469,7 @@ export function registerBrowserManageCommands(
                 name: opts.name,
                 color: opts.color,
                 cdpUrl: opts.cdpUrl,
-                driver:
-                  opts.driver === "extension"
-                    ? "extension"
-                    : opts.driver === "existing-session"
-                      ? "existing-session"
-                      : undefined,
+                driver: opts.driver === "existing-session" ? "existing-session" : undefined,
               },
             },
             { timeoutMs: 10_000 },
@@ -489,11 +481,7 @@ export function registerBrowserManageCommands(
           defaultRuntime.log(
             info(
               `🦞 Created profile "${result.profile}"\n${loc}\n  color: ${result.color}${
-                opts.driver === "extension"
-                  ? "\n  driver: extension"
-                  : opts.driver === "existing-session"
-                    ? "\n  driver: existing-session"
-                    : ""
+                opts.driver === "existing-session" ? "\n  driver: existing-session" : ""
               }`,
             ),
           );
diff --git a/src/cli/browser-cli.ts b/src/cli/browser-cli.ts
index 085d06cad80..fd4c9a4a8b3 100644
--- a/src/cli/browser-cli.ts
+++ b/src/cli/browser-cli.ts
@@ -7,7 +7,6 @@ import { registerBrowserActionInputCommands } from "./browser-cli-actions-input.
 import { registerBrowserActionObserveCommands } from "./browser-cli-actions-observe.js";
 import { registerBrowserDebugCommands } from "./browser-cli-debug.js";
 import { browserActionExamples, browserCoreExamples } from "./browser-cli-examples.js";
-import { registerBrowserExtensionCommands } from "./browser-cli-extension.js";
 import { registerBrowserInspectCommands } from "./browser-cli-inspect.js";
 import { registerBrowserManageCommands } from "./browser-cli-manage.js";
 import type { BrowserParentOpts } from "./browser-cli-shared.js";
@@ -46,7 +45,6 @@ export function registerBrowserCli(program: Command) {
   const parentOpts = (cmd: Command) => cmd.parent?.opts?.() as BrowserParentOpts;
 
   registerBrowserManageCommands(browser, parentOpts);
-  registerBrowserExtensionCommands(browser, parentOpts);
   registerBrowserInspectCommands(browser, parentOpts);
   registerBrowserActionInputCommands(browser, parentOpts);
   registerBrowserActionObserveCommands(browser, parentOpts);
diff --git a/src/commands/doctor-browser.test.ts b/src/commands/doctor-browser.test.ts
new file mode 100644
index 00000000000..da59fe5ed9a
--- /dev/null
+++ b/src/commands/doctor-browser.test.ts
@@ -0,0 +1,96 @@
+import { describe, expect, it, vi } from "vitest";
+import { noteChromeMcpBrowserReadiness } from "./doctor-browser.js";
+
+describe("doctor browser readiness", () => {
+  it("does nothing when Chrome MCP is not configured", async () => {
+    const noteFn = vi.fn();
+    await noteChromeMcpBrowserReadiness(
+      {
+        browser: {
+          profiles: {
+            openclaw: { color: "#FF4500" },
+          },
+        },
+      },
+      {
+        noteFn,
+      },
+    );
+    expect(noteFn).not.toHaveBeenCalled();
+  });
+
+  it("warns when Chrome MCP is configured but Chrome is missing", async () => {
+    const noteFn = vi.fn();
+    await noteChromeMcpBrowserReadiness(
+      {
+        browser: {
+          defaultProfile: "user",
+        },
+      },
+      {
+        noteFn,
+        platform: "darwin",
+        resolveChromeExecutable: () => null,
+      },
+    );
+
+    expect(noteFn).toHaveBeenCalledTimes(1);
+    expect(String(noteFn.mock.calls[0]?.[0])).toContain("Google Chrome was not found");
+    expect(String(noteFn.mock.calls[0]?.[0])).toContain("chrome://inspect/#remote-debugging");
+  });
+
+  it("warns when detected Chrome is too old for Chrome MCP", async () => {
+    const noteFn = vi.fn();
+    await noteChromeMcpBrowserReadiness(
+      {
+        browser: {
+          profiles: {
+            chromeLive: {
+              driver: "existing-session",
+              color: "#00AA00",
+            },
+          },
+        },
+      },
+      {
+        noteFn,
+        platform: "linux",
+        resolveChromeExecutable: () => ({ path: "/usr/bin/google-chrome" }),
+        readVersion: () => "Google Chrome 143.0.7499.4",
+      },
+    );
+
+    expect(noteFn).toHaveBeenCalledTimes(1);
+    expect(String(noteFn.mock.calls[0]?.[0])).toContain("too old");
+    expect(String(noteFn.mock.calls[0]?.[0])).toContain("Chrome 144+");
+  });
+
+  it("reports the detected Chrome version for existing-session profiles", async () => {
+    const noteFn = vi.fn();
+    await noteChromeMcpBrowserReadiness(
+      {
+        browser: {
+          profiles: {
+            chromeLive: {
+              driver: "existing-session",
+              color: "#00AA00",
+            },
+          },
+        },
+      },
+      {
+        noteFn,
+        platform: "win32",
+        resolveChromeExecutable: () => ({
+          path: "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
+        }),
+        readVersion: () => "Google Chrome 144.0.7534.0",
+      },
+    );
+
+    expect(noteFn).toHaveBeenCalledTimes(1);
+    expect(String(noteFn.mock.calls[0]?.[0])).toContain(
+      "Detected Chrome Google Chrome 144.0.7534.0",
+    );
+  });
+});
diff --git a/src/commands/doctor-browser.ts b/src/commands/doctor-browser.ts
new file mode 100644
index 00000000000..482e370b052
--- /dev/null
+++ b/src/commands/doctor-browser.ts
@@ -0,0 +1,108 @@
+import {
+  parseBrowserMajorVersion,
+  readBrowserVersion,
+  resolveGoogleChromeExecutableForPlatform,
+} from "../browser/chrome.executables.js";
+import type { OpenClawConfig } from "../config/config.js";
+import { note } from "../terminal/note.js";
+
+const CHROME_MCP_MIN_MAJOR = 144;
+
+function asRecord(value: unknown): Record<string, unknown> | null {
+  return value && typeof value === "object" && !Array.isArray(value)
+    ? (value as Record<string, unknown>)
+    : null;
+}
+
+function collectChromeMcpProfileNames(cfg: OpenClawConfig): string[] {
+  const browser = asRecord(cfg.browser);
+  if (!browser) {
+    return [];
+  }
+
+  const names = new Set<string>();
+  const defaultProfile =
+    typeof browser.defaultProfile === "string" ? browser.defaultProfile.trim() : "";
+  if (defaultProfile === "user") {
+    names.add("user");
+  }
+
+  const profiles = asRecord(browser.profiles);
+  if (!profiles) {
+    return [...names];
+  }
+
+  for (const [profileName, rawProfile] of Object.entries(profiles)) {
+    const profile = asRecord(rawProfile);
+    const driver = typeof profile?.driver === "string" ? profile.driver.trim() : "";
+    if (driver === "existing-session") {
+      names.add(profileName);
+    }
+  }
+
+  return [...names].toSorted((a, b) => a.localeCompare(b));
+}
+
+export async function noteChromeMcpBrowserReadiness(
+  cfg: OpenClawConfig,
+  deps?: {
+    platform?: NodeJS.Platform;
+    noteFn?: typeof note;
+    resolveChromeExecutable?: (platform: NodeJS.Platform) => { path: string } | null;
+    readVersion?: (executablePath: string) => string | null;
+  },
+) {
+  const profiles = collectChromeMcpProfileNames(cfg);
+  if (profiles.length === 0) {
+    return;
+  }
+
+  const noteFn = deps?.noteFn ?? note;
+  const platform = deps?.platform ?? process.platform;
+  const resolveChromeExecutable =
+    deps?.resolveChromeExecutable ?? resolveGoogleChromeExecutableForPlatform;
+  const readVersion = deps?.readVersion ?? readBrowserVersion;
+  const chrome = resolveChromeExecutable(platform);
+  const profileLabel = profiles.join(", ");
+
+  if (!chrome) {
+    noteFn(
+      [
+        `- Chrome MCP existing-session is configured for profile(s): ${profileLabel}.`,
+        "- Google Chrome was not found on this host. OpenClaw does not bundle Chrome.",
+        `- Install Google Chrome ${CHROME_MCP_MIN_MAJOR}+ on the same host as the Gateway or node.`,
+        "- In Chrome, enable remote debugging at chrome://inspect/#remote-debugging.",
+        "- Keep Chrome running and accept the attach consent prompt the first time OpenClaw connects.",
+        "- Docker, headless, and sandbox browser flows stay on raw CDP; this check only applies to host-local Chrome MCP attach.",
+      ].join("\n"),
+      "Browser",
+    );
+    return;
+  }
+
+  const versionRaw = readVersion(chrome.path);
+  const major = parseBrowserMajorVersion(versionRaw);
+  const lines = [
+    `- Chrome MCP existing-session is configured for profile(s): ${profileLabel}.`,
+    `- Chrome path: ${chrome.path}`,
+  ];
+
+  if (!versionRaw || major === null) {
+    lines.push(
+      `- Could not determine the installed Chrome version. Chrome MCP requires Google Chrome ${CHROME_MCP_MIN_MAJOR}+ on this host.`,
+    );
+  } else if (major < CHROME_MCP_MIN_MAJOR) {
+    lines.push(
+      `- Detected Chrome ${versionRaw}, which is too old for Chrome MCP existing-session attach. Upgrade to Chrome ${CHROME_MCP_MIN_MAJOR}+.`,
+    );
+  } else {
+    lines.push(`- Detected Chrome ${versionRaw}.`);
+  }
+
+  lines.push("- In Chrome, enable remote debugging at chrome://inspect/#remote-debugging.");
+  lines.push(
+    "- Keep Chrome running and accept the attach consent prompt the first time OpenClaw connects.",
+  );
+
+  noteFn(lines.join("\n"), "Browser");
+}
diff --git a/src/commands/doctor-config-flow.test.ts b/src/commands/doctor-config-flow.test.ts
index 265c90197e2..a1b204b5990 100644
--- a/src/commands/doctor-config-flow.test.ts
+++ b/src/commands/doctor-config-flow.test.ts
@@ -179,6 +179,60 @@ describe("doctor config flow", () => {
     });
   });
 
+  it("migrates legacy browser extension profiles to existing-session on repair", async () => {
+    const result = await runDoctorConfigWithInput({
+      repair: true,
+      config: {
+        browser: {
+          relayBindHost: "0.0.0.0",
+          profiles: {
+            chromeLive: {
+              driver: "extension",
+              color: "#00AA00",
+            },
+          },
+        },
+      },
+      run: loadAndMaybeMigrateDoctorConfig,
+    });
+
+    const browser = (result.cfg as { browser?: Record<string, unknown> }).browser ?? {};
+    expect(browser.relayBindHost).toBeUndefined();
+    expect(
+      ((browser.profiles as Record<string, { driver?: string }>)?.chromeLive ?? {}).driver,
+    ).toBe("existing-session");
+  });
+
+  it("notes legacy browser extension migration changes", async () => {
+    const noteSpy = vi.spyOn(noteModule, "note").mockImplementation(() => {});
+    try {
+      await runDoctorConfigWithInput({
+        config: {
+          browser: {
+            relayBindHost: "127.0.0.1",
+            profiles: {
+              chromeLive: {
+                driver: "extension",
+                color: "#00AA00",
+              },
+            },
+          },
+        },
+        run: loadAndMaybeMigrateDoctorConfig,
+      });
+
+      const messages = noteSpy.mock.calls
+        .filter((call) => call[1] === "Doctor changes")
+        .map((call) => String(call[0]));
+      expect(
+        messages.some((line) => line.includes('browser.profiles.chromeLive.driver "extension"')),
+      ).toBe(true);
+      expect(messages.some((line) => line.includes("browser.relayBindHost"))).toBe(true);
+    } finally {
+      noteSpy.mockRestore();
+    }
+  });
+
   it("preserves discord streaming intent while stripping unsupported keys on repair", async () => {
     const result = await runDoctorConfigWithInput({
       repair: true,
diff --git a/src/commands/doctor-legacy-config.ts b/src/commands/doctor-legacy-config.ts
index 50c9f38eb40..2d6bfa83a11 100644
--- a/src/commands/doctor-legacy-config.ts
+++ b/src/commands/doctor-legacy-config.ts
@@ -291,6 +291,67 @@ export function normalizeCompatibilityConfigValues(cfg: OpenClawConfig): {
     }
   };
 
+  const normalizeLegacyBrowserProfiles = () => {
+    const rawBrowser = next.browser;
+    if (!isRecord(rawBrowser)) {
+      return;
+    }
+
+    const browser = structuredClone(rawBrowser);
+    let browserChanged = false;
+
+    if ("relayBindHost" in browser) {
+      delete browser.relayBindHost;
+      browserChanged = true;
+      changes.push(
+        "Removed browser.relayBindHost (legacy Chrome extension relay setting; host-local Chrome now uses Chrome MCP existing-session attach).",
+      );
+    }
+
+    const rawProfiles = browser.profiles;
+    if (!isRecord(rawProfiles)) {
+      if (!browserChanged) {
+        return;
+      }
+      next = { ...next, browser };
+      return;
+    }
+
+    const profiles = { ...rawProfiles };
+    let profilesChanged = false;
+    for (const [profileName, rawProfile] of Object.entries(rawProfiles)) {
+      if (!isRecord(rawProfile)) {
+        continue;
+      }
+      const rawDriver = typeof rawProfile.driver === "string" ? rawProfile.driver.trim() : "";
+      if (rawDriver !== "extension") {
+        continue;
+      }
+      profiles[profileName] = {
+        ...rawProfile,
+        driver: "existing-session",
+      };
+      profilesChanged = true;
+      changes.push(
+        `Moved browser.profiles.${profileName}.driver "extension" → "existing-session" (Chrome MCP attach).`,
+      );
+    }
+
+    if (profilesChanged) {
+      browser.profiles = profiles;
+      browserChanged = true;
+    }
+
+    if (!browserChanged) {
+      return;
+    }
+
+    next = {
+      ...next,
+      browser,
+    };
+  };
+
   const seedMissingDefaultAccountsFromSingleAccountBase = () => {
     const channels = next.channels as Record<string, unknown> | undefined;
     if (!channels) {
@@ -365,6 +426,7 @@ export function normalizeCompatibilityConfigValues(cfg: OpenClawConfig): {
   normalizeProvider("slack");
   normalizeProvider("discord");
   seedMissingDefaultAccountsFromSingleAccountBase();
+  normalizeLegacyBrowserProfiles();
 
   const normalizeBrowserSsrFPolicyAlias = () => {
     const rawBrowser = next.browser;
diff --git a/src/commands/doctor.fast-path-mocks.ts b/src/commands/doctor.fast-path-mocks.ts
index f05e3d929a7..f9d25da73d8 100644
--- a/src/commands/doctor.fast-path-mocks.ts
+++ b/src/commands/doctor.fast-path-mocks.ts
@@ -8,6 +8,10 @@ vi.mock("./doctor-bootstrap-size.js", () => ({
   noteBootstrapFileSize: vi.fn().mockResolvedValue(undefined),
 }));
 
+vi.mock("./doctor-browser.js", () => ({
+  noteChromeMcpBrowserReadiness: vi.fn().mockResolvedValue(undefined),
+}));
+
 vi.mock("./doctor-gateway-daemon-flow.js", () => ({
   maybeRepairGatewayDaemon: vi.fn().mockResolvedValue(undefined),
 }));
diff --git a/src/commands/doctor.ts b/src/commands/doctor.ts
index bdde2781ff9..3e4cbebe5d0 100644
--- a/src/commands/doctor.ts
+++ b/src/commands/doctor.ts
@@ -29,6 +29,7 @@ import {
   noteAuthProfileHealth,
 } from "./doctor-auth.js";
 import { noteBootstrapFileSize } from "./doctor-bootstrap-size.js";
+import { noteChromeMcpBrowserReadiness } from "./doctor-browser.js";
 import { doctorShellCompletion } from "./doctor-completion.js";
 import { loadAndMaybeMigrateDoctorConfig } from "./doctor-config-flow.js";
 import { maybeRepairLegacyCronStore } from "./doctor-cron.js";
@@ -236,6 +237,7 @@ export async function doctorCommand(
   await noteMacLaunchctlGatewayEnvOverrides(cfg);
 
   await noteSecurityWarnings(cfg);
+  await noteChromeMcpBrowserReadiness(cfg);
   await noteOpenAIOAuthTlsPrerequisites({
     cfg,
     deep: options.deep === true,
diff --git a/src/config/schema.help.quality.test.ts b/src/config/schema.help.quality.test.ts
index 7de4e592b23..2680013a717 100644
--- a/src/config/schema.help.quality.test.ts
+++ b/src/config/schema.help.quality.test.ts
@@ -422,7 +422,7 @@ const ENUM_EXPECTATIONS: Record<string, string[]> = {
   "gateway.bind": ['"auto"', '"lan"', '"loopback"', '"custom"', '"tailnet"'],
   "gateway.auth.mode": ['"none"', '"token"', '"password"', '"trusted-proxy"'],
   "gateway.tailscale.mode": ['"off"', '"serve"', '"funnel"'],
-  "browser.profiles.*.driver": ['"openclaw"', '"clawd"', '"extension"'],
+  "browser.profiles.*.driver": ['"openclaw"', '"clawd"', '"existing-session"'],
   "discovery.mdns.mode": ['"off"', '"minimal"', '"full"'],
   "wizard.lastRunMode": ['"local"', '"remote"'],
   "diagnostics.otel.protocol": ['"http/protobuf"', '"grpc"'],
diff --git a/src/config/schema.help.ts b/src/config/schema.help.ts
index 8a71c0e9035..46cce98d193 100644
--- a/src/config/schema.help.ts
+++ b/src/config/schema.help.ts
@@ -254,8 +254,6 @@ export const FIELD_HELP: Record<string, string> = {
     "Starting local CDP port used for auto-allocated browser profile ports. Increase this when host-level port defaults conflict with other local services.",
   "browser.defaultProfile":
     "Default browser profile name selected when callers do not explicitly choose a profile. Use a stable low-privilege profile as the default to reduce accidental cross-context state use.",
-  "browser.relayBindHost":
-    "Bind IP address for the Chrome extension relay listener. Leave unset for loopback-only access, or set an explicit non-loopback IP such as 0.0.0.0 only when the relay must be reachable across network namespaces (for example WSL2) and the surrounding network is already trusted.",
   "browser.profiles":
     "Named browser profile connection map used for explicit routing to CDP ports or URLs with optional metadata. Keep profile names consistent and avoid overlapping endpoint definitions.",
   "browser.profiles.*.cdpPort":
@@ -263,7 +261,7 @@ export const FIELD_HELP: Record<string, string> = {
   "browser.profiles.*.cdpUrl":
     "Per-profile CDP websocket URL used for explicit remote browser routing by profile name. Use this when profile connections terminate on remote hosts or tunnels.",
   "browser.profiles.*.driver":
-    'Per-profile browser driver mode: "openclaw" (or legacy "clawd") or "extension" depending on connection/runtime strategy. Use the driver that matches your browser control stack to avoid protocol mismatches.',
+    'Per-profile browser driver mode. Use "openclaw" (or legacy "clawd") for CDP-based profiles, or use "existing-session" for host-local Chrome MCP attachment.',
   "browser.profiles.*.attachOnly":
     "Per-profile attach-only override that skips local browser launch and only attaches to an existing CDP endpoint. Useful when one profile is externally managed but others are locally launched.",
   "browser.profiles.*.color":
diff --git a/src/config/schema.labels.ts b/src/config/schema.labels.ts
index c8fb887924b..6843b8f410f 100644
--- a/src/config/schema.labels.ts
+++ b/src/config/schema.labels.ts
@@ -120,7 +120,6 @@ export const FIELD_LABELS: Record<string, string> = {
   "browser.attachOnly": "Browser Attach-only Mode",
   "browser.cdpPortRangeStart": "Browser CDP Port Range Start",
   "browser.defaultProfile": "Browser Default Profile",
-  "browser.relayBindHost": "Browser Relay Bind Address",
   "browser.profiles": "Browser Profiles",
   "browser.profiles.*.cdpPort": "Browser Profile CDP Port",
   "browser.profiles.*.cdpUrl": "Browser Profile CDP URL",
diff --git a/src/config/types.browser.ts b/src/config/types.browser.ts
index 5f8e28a0ebe..b50795fd9d0 100644
--- a/src/config/types.browser.ts
+++ b/src/config/types.browser.ts
@@ -4,7 +4,7 @@ export type BrowserProfileConfig = {
   /** CDP URL for this profile (use for remote Chrome). */
   cdpUrl?: string;
   /** Profile driver (default: openclaw). */
-  driver?: "openclaw" | "clawd" | "extension" | "existing-session";
+  driver?: "openclaw" | "clawd" | "existing-session";
   /** If true, never launch a browser for this profile; only attach. Falls back to browser.attachOnly. */
   attachOnly?: boolean;
   /** Profile color (hex). Auto-assigned at creation. */
@@ -66,10 +66,4 @@ export type BrowserConfig = {
    * Example: ["--window-size=1920,1080", "--disable-infobars"]
    */
   extraArgs?: string[];
-  /**
-   * Bind address for the Chrome extension relay server.
-   * Default: "127.0.0.1". Set to "0.0.0.0" for WSL2 or other environments where
-   * the relay must be reachable from a different network namespace.
-   */
-  relayBindHost?: string;
 };
diff --git a/src/config/zod-schema.ts b/src/config/zod-schema.ts
index 7c9b510080f..345c86b3097 100644
--- a/src/config/zod-schema.ts
+++ b/src/config/zod-schema.ts
@@ -360,12 +360,7 @@ export const OpenClawSchema = z
                 cdpPort: z.number().int().min(1).max(65535).optional(),
                 cdpUrl: z.string().optional(),
                 driver: z
-                  .union([
-                    z.literal("openclaw"),
-                    z.literal("clawd"),
-                    z.literal("extension"),
-                    z.literal("existing-session"),
-                  ])
+                  .union([z.literal("openclaw"), z.literal("clawd"), z.literal("existing-session")])
                   .optional(),
                 attachOnly: z.boolean().optional(),
                 color: HexColorSchema,
@@ -380,7 +375,6 @@ export const OpenClawSchema = z
           )
           .optional(),
         extraArgs: z.array(z.string()).optional(),
-        relayBindHost: z.union([z.string().ipv4(), z.string().ipv6()]).optional(),
       })
       .strict()
       .optional(),
diff --git a/src/node-host/invoke-browser.test.ts b/src/node-host/invoke-browser.test.ts
index c1dd0d1df76..7f8c51a2b39 100644
--- a/src/node-host/invoke-browser.test.ts
+++ b/src/node-host/invoke-browser.test.ts
@@ -70,12 +70,12 @@ describe("runBrowserProxyCommand", () => {
         JSON.stringify({
           method: "GET",
           path: "/snapshot",
-          profile: "chrome-relay",
+          profile: "openclaw",
           timeoutMs: 5,
         }),
       ),
     ).rejects.toThrow(
-      /browser proxy timed out for GET \/snapshot after 5ms; ws-backed browser action; profile=chrome-relay; status\(running=true, cdpHttp=true, cdpReady=false, cdpUrl=http:\/\/127\.0\.0\.1:18792\)/,
+      /browser proxy timed out for GET \/snapshot after 5ms; ws-backed browser action; profile=openclaw; status\(running=true, cdpHttp=true, cdpReady=false, cdpUrl=http:\/\/127\.0\.0\.1:18792\)/,
     );
   });
 
@@ -150,7 +150,7 @@ describe("runBrowserProxyCommand", () => {
         JSON.stringify({
           method: "POST",
           path: "/act",
-          profile: "chrome-relay",
+          profile: "openclaw",
           timeoutMs: 50,
         }),
       ),

From 3c6a49b27ea0c77f50b0183dea4aef4679feb911 Mon Sep 17 00:00:00 2001
From: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
Date: Mon, 16 Mar 2026 02:02:48 -0500
Subject: [PATCH 071/133] feishu: harden media support and align capability
 docs (#47968)

* feishu: harden media support and action surface

* feishu: format media action changes

* feishu: fix review follow-ups

* fix: scope Feishu target aliases to Feishu (#47968) (thanks @Takhoffman)
---
 CHANGELOG.md                                  |   2 +
 docs/channels/feishu.md                       |  28 +-
 extensions/feishu/src/bot.test.ts             |  45 ++
 extensions/feishu/src/bot.ts                  |   8 +-
 extensions/feishu/src/channel.runtime.ts      |   4 +-
 extensions/feishu/src/channel.test.ts         | 474 +++++++++++++++--
 extensions/feishu/src/channel.ts              | 481 +++++++++++++++---
 extensions/feishu/src/chat-schema.ts          |   7 +-
 extensions/feishu/src/chat.test.ts            |  34 +-
 extensions/feishu/src/chat.ts                 |  68 ++-
 extensions/feishu/src/directory.test.ts       | 106 +++-
 extensions/feishu/src/directory.ts            |  76 +--
 extensions/feishu/src/media.test.ts           |  75 +++
 extensions/feishu/src/media.ts                | 137 ++++-
 extensions/feishu/src/pins.ts                 | 108 ++++
 .../feishu/src/send.reply-fallback.test.ts    |  69 +++
 extensions/feishu/src/send.test.ts            |  97 +++-
 extensions/feishu/src/send.ts                 | 105 ++--
 src/agents/tools/message-tool.ts              |  13 +
 .../message-action-normalization.test.ts      |  41 ++
 .../outbound/message-action-normalization.ts  |  14 +-
 ...sage-action-runner.plugin-dispatch.test.ts |  99 ++++
 .../outbound/message-action-spec.test.ts      |  13 +
 src/infra/outbound/message-action-spec.ts     |  41 +-
 24 files changed, 1900 insertions(+), 245 deletions(-)
 create mode 100644 extensions/feishu/src/pins.ts

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 384fcffc330..a80bae4ced0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -38,6 +38,8 @@ Docs: https://docs.openclaw.ai
 - Control UI: scope persisted session selection per gateway, prevent stale session bleed across tokenized gateway opens, and cap stored gateway session history. (#47453) Thanks @sallyom.
 - Slack/interactive replies: preserve `channelData.slack.blocks` through live DM delivery and preview-finalized edits so Block Kit button and select directives render instead of falling back to raw text. (#45890) Thanks @vincentkoc.
 - Feishu/topic threads: fetch full thread context, including prior bot replies, when starting a topic-thread session so follow-up turns in Feishu topics keep the right conversation state. (#45254) Thanks @Coobiw.
+- Feishu/media: keep native image, file, audio, and video/media handling aligned across outbound sends, inbound downloads, thread replies, directory/action aliases, and capability docs so unsupported areas are explicit instead of implied.
+- Feishu/actions: expand the runtime action surface with message read/edit, explicit thread replies, pinning, and operator-facing chat/member inspection so Feishu can operate more of the workspace directly.
 - Configure/startup: move outbound send-deps resolution into a lightweight helper so `openclaw configure` no longer stalls after the banner while eagerly loading channel plugins. (#46301) thanks @scoootscooob.
 - Control UI/dashboard: preserve structured gateway shutdown reasons across restart disconnects so config-triggered restarts no longer fall back to `disconnected (1006): no reason`. (#46532) Thanks @vincentkoc.
 - Android/chat: theme the thinking dropdown and TLS trust dialogs explicitly so popup surfaces match the active app theme instead of falling back to mismatched Material defaults.
diff --git a/docs/channels/feishu.md b/docs/channels/feishu.md
index 3768906d940..41882e78264 100644
--- a/docs/channels/feishu.md
+++ b/docs/channels/feishu.md
@@ -711,7 +711,7 @@ Key options:
 - ✅ Images
 - ✅ Files
 - ✅ Audio
-- ✅ Video
+- ✅ Video/media
 - ✅ Stickers
 
 ### Send
@@ -720,4 +720,28 @@ Key options:
 - ✅ Images
 - ✅ Files
 - ✅ Audio
-- ⚠️ Rich text (partial support)
+- ✅ Video/media
+- ✅ Interactive cards
+- ⚠️ Rich text (post-style formatting and cards, not arbitrary Feishu authoring features)
+
+### Threads and replies
+
+- ✅ Inline replies
+- ✅ Topic-thread replies where Feishu exposes `reply_in_thread`
+- ✅ Media replies stay thread-aware when replying to a thread/topic message
+
+## Runtime action surface
+
+Feishu currently exposes these runtime actions:
+
+- `send`
+- `read`
+- `edit`
+- `thread-reply`
+- `pin`
+- `list-pins`
+- `unpin`
+- `member-info`
+- `channel-info`
+- `channel-list`
+- `react` and `reactions` when reactions are enabled in config
diff --git a/extensions/feishu/src/bot.test.ts b/extensions/feishu/src/bot.test.ts
index 3e14bcdadd5..df787b0106a 100644
--- a/extensions/feishu/src/bot.test.ts
+++ b/extensions/feishu/src/bot.test.ts
@@ -1163,6 +1163,51 @@ describe("handleFeishuMessage command authorization", () => {
     );
   });
 
+  it("falls back to the message payload filename when download metadata omits it", async () => {
+    mockShouldComputeCommandAuthorized.mockReturnValue(false);
+    mockDownloadMessageResourceFeishu.mockResolvedValueOnce({
+      buffer: Buffer.from("video"),
+      contentType: "video/mp4",
+    });
+
+    const cfg: ClawdbotConfig = {
+      channels: {
+        feishu: {
+          dmPolicy: "open",
+        },
+      },
+    } as ClawdbotConfig;
+
+    const event: FeishuMessageEvent = {
+      sender: {
+        sender_id: {
+          open_id: "ou-sender",
+        },
+      },
+      message: {
+        message_id: "msg-media-payload-name",
+        chat_id: "oc-dm",
+        chat_type: "p2p",
+        message_type: "media",
+        content: JSON.stringify({
+          file_key: "file_media_payload",
+          image_key: "img_media_thumb",
+          file_name: "payload-name.mp4",
+        }),
+      },
+    };
+
+    await dispatchMessage({ cfg, event });
+
+    expect(mockSaveMediaBuffer).toHaveBeenCalledWith(
+      expect.any(Buffer),
+      "video/mp4",
+      "inbound",
+      expect.any(Number),
+      "payload-name.mp4",
+    );
+  });
+
   it("downloads embedded media tags from post messages as files", async () => {
     mockShouldComputeCommandAuthorized.mockReturnValue(false);
 
diff --git a/extensions/feishu/src/bot.ts b/extensions/feishu/src/bot.ts
index fc84801b124..728bb9a8ffc 100644
--- a/extensions/feishu/src/bot.ts
+++ b/extensions/feishu/src/bot.ts
@@ -551,17 +551,17 @@ function parseMediaKeys(
     const fileKey = normalizeFeishuExternalKey(parsed.file_key);
     switch (messageType) {
       case "image":
-        return { imageKey };
+        return { imageKey, fileName: parsed.file_name };
       case "file":
         return { fileKey, fileName: parsed.file_name };
       case "audio":
-        return { fileKey };
+        return { fileKey, fileName: parsed.file_name };
       case "video":
       case "media":
         // Video/media has both file_key (video) and image_key (thumbnail)
-        return { fileKey, imageKey };
+        return { fileKey, imageKey, fileName: parsed.file_name };
       case "sticker":
-        return { fileKey };
+        return { fileKey, fileName: parsed.file_name };
       default:
         return {};
     }
diff --git a/extensions/feishu/src/channel.runtime.ts b/extensions/feishu/src/channel.runtime.ts
index 61f637a94de..0e4d9fc7583 100644
--- a/extensions/feishu/src/channel.runtime.ts
+++ b/extensions/feishu/src/channel.runtime.ts
@@ -1,5 +1,7 @@
 export { listFeishuDirectoryGroupsLive, listFeishuDirectoryPeersLive } from "./directory.js";
 export { feishuOutbound } from "./outbound.js";
+export { createPinFeishu, listPinsFeishu, removePinFeishu } from "./pins.js";
 export { probeFeishu } from "./probe.js";
 export { addReactionFeishu, listReactionsFeishu, removeReactionFeishu } from "./reactions.js";
-export { sendCardFeishu, sendMessageFeishu } from "./send.js";
+export { getChatInfo, getChatMembers, getFeishuMemberInfo } from "./chat.js";
+export { editMessageFeishu, getMessageFeishu, sendCardFeishu, sendMessageFeishu } from "./send.js";
diff --git a/extensions/feishu/src/channel.test.ts b/extensions/feishu/src/channel.test.ts
index e7db645be0b..826ca1c26fb 100644
--- a/extensions/feishu/src/channel.test.ts
+++ b/extensions/feishu/src/channel.test.ts
@@ -1,17 +1,49 @@
 import type { OpenClawConfig } from "openclaw/plugin-sdk/feishu";
-import { describe, expect, it, vi } from "vitest";
+import { beforeEach, describe, expect, it, vi } from "vitest";
 
 const probeFeishuMock = vi.hoisted(() => vi.fn());
+const createFeishuClientMock = vi.hoisted(() => vi.fn());
+const addReactionFeishuMock = vi.hoisted(() => vi.fn());
 const listReactionsFeishuMock = vi.hoisted(() => vi.fn());
+const removeReactionFeishuMock = vi.hoisted(() => vi.fn());
+const sendCardFeishuMock = vi.hoisted(() => vi.fn());
+const sendMessageFeishuMock = vi.hoisted(() => vi.fn());
+const getMessageFeishuMock = vi.hoisted(() => vi.fn());
+const editMessageFeishuMock = vi.hoisted(() => vi.fn());
+const createPinFeishuMock = vi.hoisted(() => vi.fn());
+const listPinsFeishuMock = vi.hoisted(() => vi.fn());
+const removePinFeishuMock = vi.hoisted(() => vi.fn());
+const getChatInfoMock = vi.hoisted(() => vi.fn());
+const getChatMembersMock = vi.hoisted(() => vi.fn());
+const getFeishuMemberInfoMock = vi.hoisted(() => vi.fn());
+const listFeishuDirectoryPeersLiveMock = vi.hoisted(() => vi.fn());
+const listFeishuDirectoryGroupsLiveMock = vi.hoisted(() => vi.fn());
 
 vi.mock("./probe.js", () => ({
   probeFeishu: probeFeishuMock,
 }));
 
-vi.mock("./reactions.js", () => ({
-  addReactionFeishu: vi.fn(),
+vi.mock("./client.js", () => ({
+  createFeishuClient: createFeishuClientMock,
+}));
+
+vi.mock("./channel.runtime.js", () => ({
+  addReactionFeishu: addReactionFeishuMock,
+  createPinFeishu: createPinFeishuMock,
+  editMessageFeishu: editMessageFeishuMock,
+  getChatInfo: getChatInfoMock,
+  getChatMembers: getChatMembersMock,
+  getFeishuMemberInfo: getFeishuMemberInfoMock,
+  getMessageFeishu: getMessageFeishuMock,
+  listFeishuDirectoryGroupsLive: listFeishuDirectoryGroupsLiveMock,
+  listFeishuDirectoryPeersLive: listFeishuDirectoryPeersLiveMock,
+  listPinsFeishu: listPinsFeishuMock,
   listReactionsFeishu: listReactionsFeishuMock,
-  removeReactionFeishu: vi.fn(),
+  probeFeishu: probeFeishuMock,
+  removePinFeishu: removePinFeishuMock,
+  removeReactionFeishu: removeReactionFeishuMock,
+  sendCardFeishu: sendCardFeishuMock,
+  sendMessageFeishu: sendMessageFeishuMock,
 }));
 
 import { feishuPlugin } from "./channel.js";
@@ -68,6 +100,28 @@ describe("feishuPlugin actions", () => {
     },
   } as OpenClawConfig;
 
+  beforeEach(() => {
+    vi.clearAllMocks();
+    createFeishuClientMock.mockReturnValue({ tag: "client" });
+  });
+
+  it("advertises the expanded Feishu action surface", () => {
+    expect(feishuPlugin.actions?.listActions?.({ cfg })).toEqual([
+      "send",
+      "read",
+      "edit",
+      "thread-reply",
+      "pin",
+      "list-pins",
+      "unpin",
+      "member-info",
+      "channel-info",
+      "channel-list",
+      "react",
+      "reactions",
+    ]);
+  });
+
   it("does not advertise reactions when disabled via actions config", () => {
     const disabledCfg = {
       channels: {
@@ -82,41 +136,355 @@ describe("feishuPlugin actions", () => {
       },
     } as OpenClawConfig;
 
-    expect(feishuPlugin.actions?.listActions?.({ cfg: disabledCfg })).toEqual([]);
+    expect(feishuPlugin.actions?.listActions?.({ cfg: disabledCfg })).toEqual([
+      "send",
+      "read",
+      "edit",
+      "thread-reply",
+      "pin",
+      "list-pins",
+      "unpin",
+      "member-info",
+      "channel-info",
+      "channel-list",
+    ]);
   });
 
-  it("advertises reactions when any enabled configured account allows them", () => {
-    const cfg = {
-      channels: {
-        feishu: {
-          enabled: true,
-          defaultAccount: "main",
-          actions: {
-            reactions: false,
-          },
-          accounts: {
-            main: {
-              appId: "cli_main",
-              appSecret: "secret_main",
-              enabled: true,
-              actions: {
-                reactions: false,
-              },
-            },
-            secondary: {
-              appId: "cli_secondary",
-              appSecret: "secret_secondary",
-              enabled: true,
-              actions: {
-                reactions: true,
-              },
-            },
-          },
-        },
-      },
-    } as OpenClawConfig;
+  it("sends text messages", async () => {
+    sendMessageFeishuMock.mockResolvedValueOnce({ messageId: "om_sent", chatId: "oc_group_1" });
 
-    expect(feishuPlugin.actions?.listActions?.({ cfg })).toEqual(["react", "reactions"]);
+    const result = await feishuPlugin.actions?.handleAction?.({
+      action: "send",
+      params: { to: "chat:oc_group_1", message: "hello" },
+      cfg,
+      accountId: undefined,
+      toolContext: {},
+    } as never);
+
+    expect(sendMessageFeishuMock).toHaveBeenCalledWith({
+      cfg,
+      to: "chat:oc_group_1",
+      text: "hello",
+      accountId: undefined,
+      replyToMessageId: undefined,
+      replyInThread: false,
+    });
+    expect(result?.details).toMatchObject({ ok: true, messageId: "om_sent", chatId: "oc_group_1" });
+  });
+
+  it("sends card messages", async () => {
+    sendCardFeishuMock.mockResolvedValueOnce({ messageId: "om_card", chatId: "oc_group_1" });
+
+    const result = await feishuPlugin.actions?.handleAction?.({
+      action: "send",
+      params: { to: "chat:oc_group_1", card: { schema: "2.0" } },
+      cfg,
+      accountId: undefined,
+      toolContext: {},
+    } as never);
+
+    expect(sendCardFeishuMock).toHaveBeenCalledWith({
+      cfg,
+      to: "chat:oc_group_1",
+      card: { schema: "2.0" },
+      accountId: undefined,
+      replyToMessageId: undefined,
+      replyInThread: false,
+    });
+    expect(result?.details).toMatchObject({ ok: true, messageId: "om_card", chatId: "oc_group_1" });
+  });
+
+  it("reads messages", async () => {
+    getMessageFeishuMock.mockResolvedValueOnce({
+      messageId: "om_1",
+      content: "hello",
+      contentType: "text",
+    });
+
+    const result = await feishuPlugin.actions?.handleAction?.({
+      action: "read",
+      params: { messageId: "om_1" },
+      cfg,
+      accountId: undefined,
+    } as never);
+
+    expect(getMessageFeishuMock).toHaveBeenCalledWith({
+      cfg,
+      messageId: "om_1",
+      accountId: undefined,
+    });
+    expect(result?.details).toMatchObject({
+      ok: true,
+      message: expect.objectContaining({ messageId: "om_1", content: "hello" }),
+    });
+  });
+
+  it("returns an error result when message reads fail", async () => {
+    getMessageFeishuMock.mockResolvedValueOnce(null);
+
+    const result = await feishuPlugin.actions?.handleAction?.({
+      action: "read",
+      params: { messageId: "om_missing" },
+      cfg,
+      accountId: undefined,
+    } as never);
+
+    expect((result as { isError?: boolean } | undefined)?.isError).toBe(true);
+    expect(result?.details).toEqual({
+      error: "Feishu read failed or message not found: om_missing",
+    });
+  });
+
+  it("edits messages", async () => {
+    editMessageFeishuMock.mockResolvedValueOnce({ messageId: "om_2", contentType: "post" });
+
+    const result = await feishuPlugin.actions?.handleAction?.({
+      action: "edit",
+      params: { messageId: "om_2", text: "updated" },
+      cfg,
+      accountId: undefined,
+    } as never);
+
+    expect(editMessageFeishuMock).toHaveBeenCalledWith({
+      cfg,
+      messageId: "om_2",
+      text: "updated",
+      card: undefined,
+      accountId: undefined,
+    });
+    expect(result?.details).toMatchObject({ ok: true, messageId: "om_2", contentType: "post" });
+  });
+
+  it("sends explicit thread replies with reply_in_thread semantics", async () => {
+    sendMessageFeishuMock.mockResolvedValueOnce({ messageId: "om_reply", chatId: "oc_group_1" });
+
+    const result = await feishuPlugin.actions?.handleAction?.({
+      action: "thread-reply",
+      params: { to: "chat:oc_group_1", messageId: "om_parent", text: "reply body" },
+      cfg,
+      accountId: undefined,
+      toolContext: {},
+    } as never);
+
+    expect(sendMessageFeishuMock).toHaveBeenCalledWith({
+      cfg,
+      to: "chat:oc_group_1",
+      text: "reply body",
+      accountId: undefined,
+      replyToMessageId: "om_parent",
+      replyInThread: true,
+    });
+    expect(result?.details).toMatchObject({
+      ok: true,
+      action: "thread-reply",
+      messageId: "om_reply",
+    });
+  });
+
+  it("creates pins", async () => {
+    createPinFeishuMock.mockResolvedValueOnce({ messageId: "om_pin", chatId: "oc_group_1" });
+
+    const result = await feishuPlugin.actions?.handleAction?.({
+      action: "pin",
+      params: { messageId: "om_pin" },
+      cfg,
+      accountId: undefined,
+    } as never);
+
+    expect(createPinFeishuMock).toHaveBeenCalledWith({
+      cfg,
+      messageId: "om_pin",
+      accountId: undefined,
+    });
+    expect(result?.details).toMatchObject({
+      ok: true,
+      pin: expect.objectContaining({ messageId: "om_pin" }),
+    });
+  });
+
+  it("lists pins", async () => {
+    listPinsFeishuMock.mockResolvedValueOnce({
+      chatId: "oc_group_1",
+      pins: [{ messageId: "om_pin" }],
+      hasMore: false,
+      pageToken: undefined,
+    });
+
+    const result = await feishuPlugin.actions?.handleAction?.({
+      action: "list-pins",
+      params: { chatId: "oc_group_1" },
+      cfg,
+      accountId: undefined,
+      toolContext: {},
+    } as never);
+
+    expect(listPinsFeishuMock).toHaveBeenCalledWith({
+      cfg,
+      chatId: "oc_group_1",
+      startTime: undefined,
+      endTime: undefined,
+      pageSize: undefined,
+      pageToken: undefined,
+      accountId: undefined,
+    });
+    expect(result?.details).toMatchObject({
+      ok: true,
+      pins: [expect.objectContaining({ messageId: "om_pin" })],
+    });
+  });
+
+  it("removes pins", async () => {
+    const result = await feishuPlugin.actions?.handleAction?.({
+      action: "unpin",
+      params: { messageId: "om_pin" },
+      cfg,
+      accountId: undefined,
+    } as never);
+
+    expect(removePinFeishuMock).toHaveBeenCalledWith({
+      cfg,
+      messageId: "om_pin",
+      accountId: undefined,
+    });
+    expect(result?.details).toMatchObject({ ok: true, messageId: "om_pin" });
+  });
+
+  it("fetches channel info", async () => {
+    getChatInfoMock.mockResolvedValueOnce({ chat_id: "oc_group_1", name: "Eng" });
+
+    const result = await feishuPlugin.actions?.handleAction?.({
+      action: "channel-info",
+      params: { chatId: "oc_group_1" },
+      cfg,
+      accountId: undefined,
+      toolContext: {},
+    } as never);
+
+    expect(createFeishuClientMock).toHaveBeenCalled();
+    expect(getChatInfoMock).toHaveBeenCalledWith({ tag: "client" }, "oc_group_1");
+    expect(result?.details).toMatchObject({
+      ok: true,
+      channel: expect.objectContaining({ chat_id: "oc_group_1", name: "Eng" }),
+    });
+  });
+
+  it("fetches member lists from a chat", async () => {
+    getChatMembersMock.mockResolvedValueOnce({
+      chat_id: "oc_group_1",
+      members: [{ member_id: "ou_1", name: "Alice" }],
+      has_more: false,
+    });
+
+    const result = await feishuPlugin.actions?.handleAction?.({
+      action: "member-info",
+      params: { chatId: "oc_group_1" },
+      cfg,
+      accountId: undefined,
+      toolContext: {},
+    } as never);
+
+    expect(getChatMembersMock).toHaveBeenCalledWith(
+      { tag: "client" },
+      "oc_group_1",
+      undefined,
+      undefined,
+      "open_id",
+    );
+    expect(result?.details).toMatchObject({
+      ok: true,
+      members: [expect.objectContaining({ member_id: "ou_1", name: "Alice" })],
+    });
+  });
+
+  it("fetches individual member info", async () => {
+    getFeishuMemberInfoMock.mockResolvedValueOnce({ member_id: "ou_1", name: "Alice" });
+
+    const result = await feishuPlugin.actions?.handleAction?.({
+      action: "member-info",
+      params: { memberId: "ou_1" },
+      cfg,
+      accountId: undefined,
+      toolContext: {},
+    } as never);
+
+    expect(getFeishuMemberInfoMock).toHaveBeenCalledWith({ tag: "client" }, "ou_1", "open_id");
+    expect(result?.details).toMatchObject({
+      ok: true,
+      member: expect.objectContaining({ member_id: "ou_1", name: "Alice" }),
+    });
+  });
+
+  it("infers user_id lookups from the userId alias", async () => {
+    getFeishuMemberInfoMock.mockResolvedValueOnce({ member_id: "u_1", name: "Alice" });
+
+    await feishuPlugin.actions?.handleAction?.({
+      action: "member-info",
+      params: { userId: "u_1" },
+      cfg,
+      accountId: undefined,
+      toolContext: {},
+    } as never);
+
+    expect(getFeishuMemberInfoMock).toHaveBeenCalledWith({ tag: "client" }, "u_1", "user_id");
+  });
+
+  it("honors explicit open_id over alias heuristics", async () => {
+    getFeishuMemberInfoMock.mockResolvedValueOnce({ member_id: "u_1", name: "Alice" });
+
+    await feishuPlugin.actions?.handleAction?.({
+      action: "member-info",
+      params: { userId: "u_1", memberIdType: "open_id" },
+      cfg,
+      accountId: undefined,
+      toolContext: {},
+    } as never);
+
+    expect(getFeishuMemberInfoMock).toHaveBeenCalledWith({ tag: "client" }, "u_1", "open_id");
+  });
+
+  it("lists directory-backed peers and groups", async () => {
+    listFeishuDirectoryGroupsLiveMock.mockResolvedValueOnce([{ kind: "group", id: "oc_group_1" }]);
+    listFeishuDirectoryPeersLiveMock.mockResolvedValueOnce([{ kind: "user", id: "ou_1" }]);
+
+    const result = await feishuPlugin.actions?.handleAction?.({
+      action: "channel-list",
+      params: { query: "eng", limit: 5 },
+      cfg,
+      accountId: undefined,
+    } as never);
+
+    expect(listFeishuDirectoryGroupsLiveMock).toHaveBeenCalledWith({
+      cfg,
+      query: "eng",
+      limit: 5,
+      fallbackToStatic: false,
+      accountId: undefined,
+    });
+    expect(listFeishuDirectoryPeersLiveMock).toHaveBeenCalledWith({
+      cfg,
+      query: "eng",
+      limit: 5,
+      fallbackToStatic: false,
+      accountId: undefined,
+    });
+    expect(result?.details).toMatchObject({
+      ok: true,
+      groups: [expect.objectContaining({ id: "oc_group_1" })],
+      peers: [expect.objectContaining({ id: "ou_1" })],
+    });
+  });
+
+  it("fails channel-list when live discovery fails", async () => {
+    listFeishuDirectoryGroupsLiveMock.mockRejectedValueOnce(new Error("token expired"));
+
+    await expect(
+      feishuPlugin.actions?.handleAction?.({
+        action: "channel-list",
+        params: { query: "eng", limit: 5, scope: "groups" },
+        cfg,
+        accountId: undefined,
+      } as never),
+    ).rejects.toThrow("token expired");
   });
 
   it("requires clearAll=true before removing all bot reactions", async () => {
@@ -132,17 +500,6 @@ describe("feishuPlugin actions", () => {
     );
   });
 
-  it("throws for unsupported Feishu send actions without card payload", async () => {
-    await expect(
-      feishuPlugin.actions?.handleAction?.({
-        action: "send",
-        params: { to: "chat:oc_group_1", message: "hello" },
-        cfg,
-        accountId: undefined,
-      } as never),
-    ).rejects.toThrow('Unsupported Feishu action: "send"');
-  });
-
   it("allows explicit clearAll=true when removing all bot reactions", async () => {
     listReactionsFeishuMock.mockResolvedValueOnce([
       { reactionId: "r1", operatorType: "app" },
@@ -161,6 +518,29 @@ describe("feishuPlugin actions", () => {
       messageId: "om_msg1",
       accountId: undefined,
     });
+    expect(removeReactionFeishuMock).toHaveBeenCalledTimes(2);
     expect(result?.details).toMatchObject({ ok: true, removed: 2 });
   });
+
+  it("fails for missing params on supported actions", async () => {
+    await expect(
+      feishuPlugin.actions?.handleAction?.({
+        action: "thread-reply",
+        params: { to: "chat:oc_group_1", message: "reply body" },
+        cfg,
+        accountId: undefined,
+      } as never),
+    ).rejects.toThrow("Feishu thread-reply requires messageId.");
+  });
+
+  it("fails for unsupported action names", async () => {
+    await expect(
+      feishuPlugin.actions?.handleAction?.({
+        action: "search",
+        params: {},
+        cfg,
+        accountId: undefined,
+      } as never),
+    ).rejects.toThrow('Unsupported Feishu action: "search"');
+  });
 });
diff --git a/extensions/feishu/src/channel.ts b/extensions/feishu/src/channel.ts
index 450b1fbe88f..5d47c55e16b 100644
--- a/extensions/feishu/src/channel.ts
+++ b/extensions/feishu/src/channel.ts
@@ -21,6 +21,7 @@ import {
   listEnabledFeishuAccounts,
   resolveDefaultFeishuAccountId,
 } from "./accounts.js";
+import { createFeishuClient } from "./client.js";
 import { FeishuConfigSchema } from "./config-schema.js";
 import { parseFeishuConversationId } from "./conversation-id.js";
 import { listFeishuDirectoryPeers, listFeishuDirectoryGroups } from "./directory.static.js";
@@ -167,6 +168,118 @@ function matchFeishuAcpConversation(params: {
   };
 }
 
+function jsonActionResult(details: Record<string, unknown>) {
+  return {
+    content: [{ type: "text" as const, text: JSON.stringify(details) }],
+    details,
+  };
+}
+
+function readFirstString(
+  params: Record<string, unknown>,
+  keys: string[],
+  fallback?: string | null,
+): string | undefined {
+  for (const key of keys) {
+    const value = params[key];
+    if (typeof value === "string" && value.trim()) {
+      return value.trim();
+    }
+  }
+  if (typeof fallback === "string" && fallback.trim()) {
+    return fallback.trim();
+  }
+  return undefined;
+}
+
+function readOptionalNumber(params: Record<string, unknown>, keys: string[]): number | undefined {
+  for (const key of keys) {
+    const value = params[key];
+    if (typeof value === "number" && Number.isFinite(value)) {
+      return value;
+    }
+    if (typeof value === "string" && value.trim()) {
+      const parsed = Number(value);
+      if (Number.isFinite(parsed)) {
+        return parsed;
+      }
+    }
+  }
+  return undefined;
+}
+
+function resolveFeishuActionTarget(ctx: {
+  params: Record<string, unknown>;
+  toolContext?: { currentChannelId?: string } | null;
+}): string | undefined {
+  return readFirstString(ctx.params, ["to", "target"], ctx.toolContext?.currentChannelId);
+}
+
+function resolveFeishuChatId(ctx: {
+  params: Record<string, unknown>;
+  toolContext?: { currentChannelId?: string } | null;
+}): string | undefined {
+  const raw = readFirstString(
+    ctx.params,
+    ["chatId", "chat_id", "channelId", "channel_id", "to", "target"],
+    ctx.toolContext?.currentChannelId,
+  );
+  if (!raw) {
+    return undefined;
+  }
+  if (/^(user|dm|open_id):/i.test(raw)) {
+    return undefined;
+  }
+  if (/^(chat|group|channel):/i.test(raw)) {
+    return normalizeFeishuTarget(raw) ?? undefined;
+  }
+  return raw;
+}
+
+function resolveFeishuMessageId(params: Record<string, unknown>): string | undefined {
+  return readFirstString(params, ["messageId", "message_id", "replyTo", "reply_to"]);
+}
+
+function resolveFeishuMemberId(params: Record<string, unknown>): string | undefined {
+  return readFirstString(params, [
+    "memberId",
+    "member_id",
+    "userId",
+    "user_id",
+    "openId",
+    "open_id",
+    "unionId",
+    "union_id",
+  ]);
+}
+
+function resolveFeishuMemberIdType(
+  params: Record<string, unknown>,
+): "open_id" | "user_id" | "union_id" {
+  const raw = readFirstString(params, [
+    "memberIdType",
+    "member_id_type",
+    "userIdType",
+    "user_id_type",
+  ]);
+  if (raw === "open_id" || raw === "user_id" || raw === "union_id") {
+    return raw;
+  }
+  if (
+    readFirstString(params, ["userId", "user_id"]) &&
+    !readFirstString(params, ["openId", "open_id", "unionId", "union_id"])
+  ) {
+    return "user_id";
+  }
+  if (
+    readFirstString(params, ["unionId", "union_id"]) &&
+    !readFirstString(params, ["openId", "open_id"])
+  ) {
+    return "union_id";
+  }
+  return "open_id";
+}
+
 export const feishuPlugin: ChannelPlugin<ResolvedFeishuAccount> = {
   id: "feishu",
   meta: {
@@ -196,7 +309,8 @@ export const feishuPlugin: ChannelPlugin<ResolvedFeishuAccount> = {
   agentPrompt: {
     messageToolHints: () => [
       "- Feishu targeting: omit `target` to reply to the current conversation (auto-inferred). Explicit targets: `user:open_id` or `chat:chat_id`.",
-      "- Feishu supports interactive cards for rich messages.",
+      "- Feishu supports interactive cards plus native image, file, audio, and video/media delivery.",
+      "- Feishu supports `send`, `read`, `edit`, `thread-reply`, pins, and channel/member lookup, plus reactions when enabled.",
     ],
   },
   groups: {
@@ -284,7 +398,18 @@ export const feishuPlugin: ChannelPlugin<ResolvedFeishuAccount> = {
       if (listEnabledFeishuAccounts(cfg).length === 0) {
         return [];
       }
-      const actions = new Set<ChannelMessageActionName>();
+      const actions = new Set<ChannelMessageActionName>([
+        "send",
+        "read",
+        "edit",
+        "thread-reply",
+        "pin",
+        "list-pins",
+        "unpin",
+        "member-info",
+        "channel-info",
+        "channel-list",
+      ]);
       if (areAnyFeishuReactionActionsEnabled(cfg)) {
         actions.add("react");
         actions.add("reactions");
@@ -305,49 +430,303 @@ export const feishuPlugin: ChannelPlugin<ResolvedFeishuAccount> = {
       ) {
         throw new Error("Feishu reactions are disabled via actions.reactions.");
       }
-      if (ctx.action === "send" && ctx.params.card) {
-        const card = ctx.params.card as Record<string, unknown>;
-        const to =
-          typeof ctx.params.to === "string"
-            ? ctx.params.to.trim()
-            : typeof ctx.params.target === "string"
-              ? ctx.params.target.trim()
-              : "";
+      if (ctx.action === "send" || ctx.action === "thread-reply") {
+        const to = resolveFeishuActionTarget(ctx);
         if (!to) {
-          return {
-            isError: true,
-            content: [{ type: "text" as const, text: "Feishu card send requires a target (to)." }],
-            details: { error: "Feishu card send requires a target (to)." },
-          };
+          throw new Error(`Feishu ${ctx.action} requires a target (to).`);
         }
         const replyToMessageId =
-          typeof ctx.params.replyTo === "string"
-            ? ctx.params.replyTo.trim() || undefined
+          ctx.action === "thread-reply" ? resolveFeishuMessageId(ctx.params) : undefined;
+        if (ctx.action === "thread-reply" && !replyToMessageId) {
+          throw new Error("Feishu thread-reply requires messageId.");
+        }
+        const card =
+          ctx.params.card && typeof ctx.params.card === "object"
+            ? (ctx.params.card as Record<string, unknown>)
             : undefined;
-        const { sendCardFeishu } = await loadFeishuChannelRuntime();
-        const result = await sendCardFeishu({
+        const text = readFirstString(ctx.params, ["text", "message"]);
+        if (!card && !text) {
+          throw new Error(`Feishu ${ctx.action} requires text/message or card.`);
+        }
+        const runtime = await loadFeishuChannelRuntime();
+        const result = card
+          ? await runtime.sendCardFeishu({
+              cfg: ctx.cfg,
+              to,
+              card,
+              accountId: ctx.accountId ?? undefined,
+              replyToMessageId,
+              replyInThread: ctx.action === "thread-reply",
+            })
+          : await runtime.sendMessageFeishu({
+              cfg: ctx.cfg,
+              to,
+              text: text!,
+              accountId: ctx.accountId ?? undefined,
+              replyToMessageId,
+              replyInThread: ctx.action === "thread-reply",
+            });
+        return jsonActionResult({
+          ok: true,
+          channel: "feishu",
+          action: ctx.action,
+          ...result,
+        });
+      }
+
+      if (ctx.action === "read") {
+        const messageId = resolveFeishuMessageId(ctx.params);
+        if (!messageId) {
+          throw new Error("Feishu read requires messageId.");
+        }
+        const { getMessageFeishu } = await loadFeishuChannelRuntime();
+        const message = await getMessageFeishu({
           cfg: ctx.cfg,
-          to,
+          messageId,
+          accountId: ctx.accountId ?? undefined,
+        });
+        if (!message) {
+          return {
+            isError: true,
+            content: [
+              {
+                type: "text" as const,
+                text: JSON.stringify({
+                  error: `Feishu read failed or message not found: ${messageId}`,
+                }),
+              },
+            ],
+            details: { error: `Feishu read failed or message not found: ${messageId}` },
+          };
+        }
+        return jsonActionResult({ ok: true, channel: "feishu", action: "read", message });
+      }
+
+      if (ctx.action === "edit") {
+        const messageId = resolveFeishuMessageId(ctx.params);
+        if (!messageId) {
+          throw new Error("Feishu edit requires messageId.");
+        }
+        const text = readFirstString(ctx.params, ["text", "message"]);
+        const card =
+          ctx.params.card && typeof ctx.params.card === "object"
+            ? (ctx.params.card as Record<string, unknown>)
+            : undefined;
+        const { editMessageFeishu } = await loadFeishuChannelRuntime();
+        const result = await editMessageFeishu({
+          cfg: ctx.cfg,
+          messageId,
+          text,
           card,
           accountId: ctx.accountId ?? undefined,
-          replyToMessageId,
         });
-        return {
-          content: [
-            {
-              type: "text" as const,
-              text: JSON.stringify({ ok: true, channel: "feishu", ...result }),
-            },
-          ],
-          details: { ok: true, channel: "feishu", ...result },
-        };
+        return jsonActionResult({
+          ok: true,
+          channel: "feishu",
+          action: "edit",
+          ...result,
+        });
+      }
+
+      if (ctx.action === "pin") {
+        const messageId = resolveFeishuMessageId(ctx.params);
+        if (!messageId) {
+          throw new Error("Feishu pin requires messageId.");
+        }
+        const { createPinFeishu } = await loadFeishuChannelRuntime();
+        const pin = await createPinFeishu({
+          cfg: ctx.cfg,
+          messageId,
+          accountId: ctx.accountId ?? undefined,
+        });
+        return jsonActionResult({ ok: true, channel: "feishu", action: "pin", pin });
+      }
+
+      if (ctx.action === "unpin") {
+        const messageId = resolveFeishuMessageId(ctx.params);
+        if (!messageId) {
+          throw new Error("Feishu unpin requires messageId.");
+        }
+        const { removePinFeishu } = await loadFeishuChannelRuntime();
+        await removePinFeishu({
+          cfg: ctx.cfg,
+          messageId,
+          accountId: ctx.accountId ?? undefined,
+        });
+        return jsonActionResult({
+          ok: true,
+          channel: "feishu",
+          action: "unpin",
+          messageId,
+        });
+      }
+
+      if (ctx.action === "list-pins") {
+        const chatId = resolveFeishuChatId(ctx);
+        if (!chatId) {
+          throw new Error("Feishu list-pins requires chatId or channelId.");
+        }
+        const { listPinsFeishu } = await loadFeishuChannelRuntime();
+        const result = await listPinsFeishu({
+          cfg: ctx.cfg,
+          chatId,
+          startTime: readFirstString(ctx.params, ["startTime", "start_time"]),
+          endTime: readFirstString(ctx.params, ["endTime", "end_time"]),
+          pageSize: readOptionalNumber(ctx.params, ["pageSize", "page_size"]),
+          pageToken: readFirstString(ctx.params, ["pageToken", "page_token"]),
+          accountId: ctx.accountId ?? undefined,
+        });
+        return jsonActionResult({
+          ok: true,
+          channel: "feishu",
+          action: "list-pins",
+          ...result,
+        });
+      }
+
+      if (ctx.action === "channel-info") {
+        const chatId = resolveFeishuChatId(ctx);
+        if (!chatId) {
+          throw new Error("Feishu channel-info requires chatId or channelId.");
+        }
+        const runtime = await loadFeishuChannelRuntime();
+        const client = createFeishuClient(account);
+        const channel = await runtime.getChatInfo(client, chatId);
+        const includeMembers = ctx.params.includeMembers === true || ctx.params.members === true;
+        if (!includeMembers) {
+          return jsonActionResult({
+            ok: true,
+            provider: "feishu",
+            action: "channel-info",
+            channel,
+          });
+        }
+        const members = await runtime.getChatMembers(
+          client,
+          chatId,
+          readOptionalNumber(ctx.params, ["pageSize", "page_size"]),
+          readFirstString(ctx.params, ["pageToken", "page_token"]),
+          resolveFeishuMemberIdType(ctx.params),
+        );
+        return jsonActionResult({
+          ok: true,
+          provider: "feishu",
+          action: "channel-info",
+          channel,
+          members,
+        });
+      }
+
+      if (ctx.action === "member-info") {
+        const runtime = await loadFeishuChannelRuntime();
+        const client = createFeishuClient(account);
+        const memberId = resolveFeishuMemberId(ctx.params);
+        if (memberId) {
+          const member = await runtime.getFeishuMemberInfo(
+            client,
+            memberId,
+            resolveFeishuMemberIdType(ctx.params),
+          );
+          return jsonActionResult({
+            ok: true,
+            channel: "feishu",
+            action: "member-info",
+            member,
+          });
+        }
+        const chatId = resolveFeishuChatId(ctx);
+        if (!chatId) {
+          throw new Error("Feishu member-info requires memberId or chatId/channelId.");
+        }
+        const members = await runtime.getChatMembers(
+          client,
+          chatId,
+          readOptionalNumber(ctx.params, ["pageSize", "page_size"]),
+          readFirstString(ctx.params, ["pageToken", "page_token"]),
+          resolveFeishuMemberIdType(ctx.params),
+        );
+        return jsonActionResult({
+          ok: true,
+          channel: "feishu",
+          action: "member-info",
+          ...members,
+        });
+      }
+
+      if (ctx.action === "channel-list") {
+        const runtime = await loadFeishuChannelRuntime();
+        const query = readFirstString(ctx.params, ["query"]);
+        const limit = readOptionalNumber(ctx.params, ["limit"]);
+        const scope = readFirstString(ctx.params, ["scope", "kind"]) ?? "all";
+        if (
+          scope === "groups" ||
+          scope === "group" ||
+          scope === "channels" ||
+          scope === "channel"
+        ) {
+          const groups = await runtime.listFeishuDirectoryGroupsLive({
+            cfg: ctx.cfg,
+            query,
+            limit,
+            fallbackToStatic: false,
+            accountId: ctx.accountId ?? undefined,
+          });
+          return jsonActionResult({
+            ok: true,
+            channel: "feishu",
+            action: "channel-list",
+            groups,
+          });
+        }
+        if (
+          scope === "peers" ||
+          scope === "peer" ||
+          scope === "members" ||
+          scope === "member" ||
+          scope === "users" ||
+          scope === "user"
+        ) {
+          const peers = await runtime.listFeishuDirectoryPeersLive({
+            cfg: ctx.cfg,
+            query,
+            limit,
+            fallbackToStatic: false,
+            accountId: ctx.accountId ?? undefined,
+          });
+          return jsonActionResult({
+            ok: true,
+            channel: "feishu",
+            action: "channel-list",
+            peers,
+          });
+        }
+        const [groups, peers] = await Promise.all([
+          runtime.listFeishuDirectoryGroupsLive({
+            cfg: ctx.cfg,
+            query,
+            limit,
+            fallbackToStatic: false,
+            accountId: ctx.accountId ?? undefined,
+          }),
+          runtime.listFeishuDirectoryPeersLive({
+            cfg: ctx.cfg,
+            query,
+            limit,
+            fallbackToStatic: false,
+            accountId: ctx.accountId ?? undefined,
+          }),
+        ]);
+        return jsonActionResult({
+          ok: true,
+          channel: "feishu",
+          action: "channel-list",
+          groups,
+          peers,
+        });
       }
 
       if (ctx.action === "react") {
-        const messageId =
-          (typeof ctx.params.messageId === "string" && ctx.params.messageId.trim()) ||
-          (typeof ctx.params.message_id === "string" && ctx.params.message_id.trim()) ||
-          undefined;
+        const messageId = resolveFeishuMessageId(ctx.params);
         if (!messageId) {
           throw new Error("Feishu reaction requires messageId.");
         }
@@ -367,12 +746,7 @@ export const feishuPlugin: ChannelPlugin<ResolvedFeishuAccount> = {
           });
           const ownReaction = matches.find((entry) => entry.operatorType === "app");
           if (!ownReaction) {
-            return {
-              content: [
-                { type: "text" as const, text: JSON.stringify({ ok: true, removed: null }) },
-              ],
-              details: { ok: true, removed: null },
-            };
+            return jsonActionResult({ ok: true, removed: null });
           }
           await removeReactionFeishu({
             cfg: ctx.cfg,
@@ -380,12 +754,7 @@ export const feishuPlugin: ChannelPlugin<ResolvedFeishuAccount> = {
             reactionId: ownReaction.reactionId,
             accountId: ctx.accountId ?? undefined,
           });
-          return {
-            content: [
-              { type: "text" as const, text: JSON.stringify({ ok: true, removed: emoji }) },
-            ],
-            details: { ok: true, removed: emoji },
-          };
+          return jsonActionResult({ ok: true, removed: emoji });
         }
         if (!emoji) {
           if (!clearAll) {
@@ -409,10 +778,7 @@ export const feishuPlugin: ChannelPlugin<ResolvedFeishuAccount> = {
             });
             removed += 1;
           }
-          return {
-            content: [{ type: "text" as const, text: JSON.stringify({ ok: true, removed }) }],
-            details: { ok: true, removed },
-          };
+          return jsonActionResult({ ok: true, removed });
         }
         const { addReactionFeishu } = await loadFeishuChannelRuntime();
         await addReactionFeishu({
@@ -421,17 +787,11 @@ export const feishuPlugin: ChannelPlugin<ResolvedFeishuAccount> = {
           emojiType: emoji,
           accountId: ctx.accountId ?? undefined,
         });
-        return {
-          content: [{ type: "text" as const, text: JSON.stringify({ ok: true, added: emoji }) }],
-          details: { ok: true, added: emoji },
-        };
+        return jsonActionResult({ ok: true, added: emoji });
       }
 
       if (ctx.action === "reactions") {
-        const messageId =
-          (typeof ctx.params.messageId === "string" && ctx.params.messageId.trim()) ||
-          (typeof ctx.params.message_id === "string" && ctx.params.message_id.trim()) ||
-          undefined;
+        const messageId = resolveFeishuMessageId(ctx.params);
         if (!messageId) {
           throw new Error("Feishu reactions lookup requires messageId.");
         }
@@ -441,10 +801,7 @@ export const feishuPlugin: ChannelPlugin<ResolvedFeishuAccount> = {
           messageId,
           accountId: ctx.accountId ?? undefined,
         });
-        return {
-          content: [{ type: "text" as const, text: JSON.stringify({ ok: true, reactions }) }],
-          details: { ok: true, reactions },
-        };
+        return jsonActionResult({ ok: true, reactions });
       }
 
       throw new Error(`Unsupported Feishu action: "${String(ctx.action)}"`);
diff --git a/extensions/feishu/src/chat-schema.ts b/extensions/feishu/src/chat-schema.ts
index 5f7bdd6a5c7..5460f11dcc9 100644
--- a/extensions/feishu/src/chat-schema.ts
+++ b/extensions/feishu/src/chat-schema.ts
@@ -1,15 +1,16 @@
 import { Type, type Static } from "@sinclair/typebox";
 
-const CHAT_ACTION_VALUES = ["members", "info"] as const;
+const CHAT_ACTION_VALUES = ["members", "info", "member_info"] as const;
 const MEMBER_ID_TYPE_VALUES = ["open_id", "user_id", "union_id"] as const;
 
 export const FeishuChatSchema = Type.Object({
   action: Type.Unsafe<(typeof CHAT_ACTION_VALUES)[number]>({
     type: "string",
     enum: [...CHAT_ACTION_VALUES],
-    description: "Action to run: members | info",
+    description: "Action to run: members | info | member_info",
   }),
-  chat_id: Type.String({ description: "Chat ID (from URL or event payload)" }),
+  chat_id: Type.Optional(Type.String({ description: "Chat ID (from URL or event payload)" })),
+  member_id: Type.Optional(Type.String({ description: "Member ID for member_info lookups" })),
   page_size: Type.Optional(Type.Number({ description: "Page size (1-100, default 50)" })),
   page_token: Type.Optional(Type.String({ description: "Pagination token" })),
   member_id_type: Type.Optional(
diff --git a/extensions/feishu/src/chat.test.ts b/extensions/feishu/src/chat.test.ts
index 9ebf579f962..d06442b12f8 100644
--- a/extensions/feishu/src/chat.test.ts
+++ b/extensions/feishu/src/chat.test.ts
@@ -2,15 +2,15 @@ import { beforeEach, describe, expect, it, vi } from "vitest";
 import { registerFeishuChatTools } from "./chat.js";
 
 const createFeishuClientMock = vi.hoisted(() => vi.fn());
+const chatGetMock = vi.hoisted(() => vi.fn());
+const chatMembersGetMock = vi.hoisted(() => vi.fn());
+const contactUserGetMock = vi.hoisted(() => vi.fn());
 
 vi.mock("./client.js", () => ({
   createFeishuClient: createFeishuClientMock,
 }));
 
 describe("registerFeishuChatTools", () => {
-  const chatGetMock = vi.hoisted(() => vi.fn());
-  const chatMembersGetMock = vi.hoisted(() => vi.fn());
-
   beforeEach(() => {
     vi.clearAllMocks();
     createFeishuClientMock.mockReturnValue({
@@ -18,6 +18,9 @@ describe("registerFeishuChatTools", () => {
         chat: { get: chatGetMock },
         chatMembers: { get: chatMembersGetMock },
       },
+      contact: {
+        user: { get: contactUserGetMock },
+      },
     });
   });
 
@@ -66,6 +69,31 @@ describe("registerFeishuChatTools", () => {
         members: [expect.objectContaining({ member_id: "ou_1", name: "member1" })],
       }),
     );
+
+    contactUserGetMock.mockResolvedValueOnce({
+      code: 0,
+      data: {
+        user: {
+          open_id: "ou_1",
+          name: "member1",
+          email: "member1@example.com",
+          department_ids: ["od_1"],
+        },
+      },
+    });
+    const memberInfoResult = await tool.execute("tc_3", {
+      action: "member_info",
+      member_id: "ou_1",
+    });
+    expect(memberInfoResult.details).toEqual(
+      expect.objectContaining({
+        member_id: "ou_1",
+        open_id: "ou_1",
+        name: "member1",
+        email: "member1@example.com",
+        department_ids: ["od_1"],
+      }),
+    );
   });
 
   it("skips registration when chat tool is disabled", () => {
diff --git a/extensions/feishu/src/chat.ts b/extensions/feishu/src/chat.ts
index df168d579ee..9c62e5648b2 100644
--- a/extensions/feishu/src/chat.ts
+++ b/extensions/feishu/src/chat.ts
@@ -12,7 +12,7 @@ function json(data: unknown) {
   };
 }
 
-async function getChatInfo(client: Lark.Client, chatId: string) {
+export async function getChatInfo(client: Lark.Client, chatId: string) {
   const res = await client.im.chat.get({ path: { chat_id: chatId } });
   if (res.code !== 0) {
     throw new Error(res.msg);
@@ -36,7 +36,7 @@ async function getChatInfo(client: Lark.Client, chatId: string) {
   };
 }
 
-async function getChatMembers(
+export async function getChatMembers(
   client: Lark.Client,
   chatId: string,
   pageSize?: number,
@@ -71,6 +71,55 @@ async function getChatMembers(
   };
 }
 
+export async function getFeishuMemberInfo(
+  client: Lark.Client,
+  memberId: string,
+  memberIdType: "open_id" | "user_id" | "union_id" = "open_id",
+) {
+  const res = await client.contact.user.get({
+    path: { user_id: memberId },
+    params: {
+      user_id_type: memberIdType,
+      department_id_type: "open_department_id",
+    },
+  });
+
+  if (res.code !== 0) {
+    throw new Error(res.msg);
+  }
+
+  const user = res.data?.user;
+  return {
+    member_id: memberId,
+    member_id_type: memberIdType,
+    open_id: user?.open_id,
+    user_id: user?.user_id,
+    union_id: user?.union_id,
+    name: user?.name,
+    en_name: user?.en_name,
+    nickname: user?.nickname,
+    email: user?.email,
+    enterprise_email: user?.enterprise_email,
+    mobile: user?.mobile,
+    mobile_visible: user?.mobile_visible,
+    status: user?.status,
+    avatar: user?.avatar,
+    department_ids: user?.department_ids,
+    department_path: user?.department_path,
+    leader_user_id: user?.leader_user_id,
+    city: user?.city,
+    country: user?.country,
+    work_station: user?.work_station,
+    join_time: user?.join_time,
+    is_tenant_manager: user?.is_tenant_manager,
+    employee_no: user?.employee_no,
+    employee_type: user?.employee_type,
+    description: user?.description,
+    job_title: user?.job_title,
+    geo: user?.geo,
+  };
+}
+
 export function registerFeishuChatTools(api: OpenClawPluginApi) {
   if (!api.config) {
     api.logger.debug?.("feishu_chat: No config available, skipping chat tools");
@@ -96,7 +145,7 @@ export function registerFeishuChatTools(api: OpenClawPluginApi) {
     {
       name: "feishu_chat",
       label: "Feishu Chat",
-      description: "Feishu chat operations. Actions: members, info",
+      description: "Feishu chat operations. Actions: members, info, member_info",
       parameters: FeishuChatSchema,
       async execute(_toolCallId, params) {
         const p = params as FeishuChatParams;
@@ -104,6 +153,9 @@ export function registerFeishuChatTools(api: OpenClawPluginApi) {
           const client = getClient();
           switch (p.action) {
             case "members":
+              if (!p.chat_id) {
+                return json({ error: "chat_id is required for action members" });
+              }
               return json(
                 await getChatMembers(
                   client,
@@ -114,7 +166,17 @@ export function registerFeishuChatTools(api: OpenClawPluginApi) {
                 ),
               );
             case "info":
+              if (!p.chat_id) {
+                return json({ error: "chat_id is required for action info" });
+              }
               return json(await getChatInfo(client, p.chat_id));
+            case "member_info":
+              if (!p.member_id) {
+                return json({ error: "member_id is required for action member_info" });
+              }
+              return json(
+                await getFeishuMemberInfo(client, p.member_id, p.member_id_type ?? "open_id"),
+              );
             default:
               return json({ error: `Unknown action: ${String(p.action)}` });
           }
diff --git a/extensions/feishu/src/directory.test.ts b/extensions/feishu/src/directory.test.ts
index c06b2fb6c80..805f2f006e9 100644
--- a/extensions/feishu/src/directory.test.ts
+++ b/extensions/feishu/src/directory.test.ts
@@ -1,27 +1,45 @@
 import type { ClawdbotConfig } from "openclaw/plugin-sdk/feishu";
 import { describe, expect, it, vi } from "vitest";
 
+const resolveFeishuAccountMock = vi.hoisted(() => vi.fn());
+const createFeishuClientMock = vi.hoisted(() => vi.fn());
+
 vi.mock("./accounts.js", () => ({
-  resolveFeishuAccount: vi.fn(() => ({
-    configured: false,
-    config: {
-      allowFrom: ["user:alice", "user:bob"],
-      dms: {
-        "user:carla": {},
-      },
-      groups: {
-        "chat-1": {},
-      },
-      groupAllowFrom: ["chat-2"],
-    },
-  })),
+  resolveFeishuAccount: resolveFeishuAccountMock,
 }));
 
-import { listFeishuDirectoryGroups, listFeishuDirectoryPeers } from "./directory.js";
+vi.mock("./client.js", () => ({
+  createFeishuClient: createFeishuClientMock,
+}));
+
+import {
+  listFeishuDirectoryGroups,
+  listFeishuDirectoryGroupsLive,
+  listFeishuDirectoryPeers,
+  listFeishuDirectoryPeersLive,
+} from "./directory.js";
 
 describe("feishu directory (config-backed)", () => {
   const cfg = {} as ClawdbotConfig;
 
+  function makeStaticAccount() {
+    return {
+      configured: false,
+      config: {
+        allowFrom: ["user:alice", "user:bob"],
+        dms: {
+          "user:carla": {},
+        },
+        groups: {
+          "chat-1": {},
+        },
+        groupAllowFrom: ["chat-2"],
+      },
+    };
+  }
+
+  resolveFeishuAccountMock.mockImplementation(() => makeStaticAccount());
+
   it("merges allowFrom + dms into peer entries", async () => {
     const peers = await listFeishuDirectoryPeers({ cfg, query: "a" });
     expect(peers).toEqual([
@@ -37,4 +55,64 @@ describe("feishu directory (config-backed)", () => {
       { kind: "group", id: "chat-2" },
     ]);
   });
+
+  it("falls back to static peers on live lookup failure by default", async () => {
+    resolveFeishuAccountMock.mockReturnValueOnce({
+      ...makeStaticAccount(),
+      configured: true,
+    });
+    createFeishuClientMock.mockReturnValueOnce({
+      contact: {
+        user: {
+          list: vi.fn(async () => {
+            throw new Error("token expired");
+          }),
+        },
+      },
+    });
+
+    const peers = await listFeishuDirectoryPeersLive({ cfg, query: "a" });
+    expect(peers).toEqual([
+      { kind: "user", id: "alice" },
+      { kind: "user", id: "carla" },
+    ]);
+  });
+
+  it("surfaces live peer lookup failures when fallback is disabled", async () => {
+    resolveFeishuAccountMock.mockReturnValueOnce({
+      ...makeStaticAccount(),
+      configured: true,
+    });
+    createFeishuClientMock.mockReturnValueOnce({
+      contact: {
+        user: {
+          list: vi.fn(async () => {
+            throw new Error("token expired");
+          }),
+        },
+      },
+    });
+
+    await expect(listFeishuDirectoryPeersLive({ cfg, fallbackToStatic: false })).rejects.toThrow(
+      "token expired",
+    );
+  });
+
+  it("surfaces live group lookup failures when fallback is disabled", async () => {
+    resolveFeishuAccountMock.mockReturnValueOnce({
+      ...makeStaticAccount(),
+      configured: true,
+    });
+    createFeishuClientMock.mockReturnValueOnce({
+      im: {
+        chat: {
+          list: vi.fn(async () => ({ code: 999, msg: "forbidden" })),
+        },
+      },
+    });
+
+    await expect(listFeishuDirectoryGroupsLive({ cfg, fallbackToStatic: false })).rejects.toThrow(
+      "forbidden",
+    );
+  });
 });
diff --git a/extensions/feishu/src/directory.ts b/extensions/feishu/src/directory.ts
index c6366990204..af6ed8859cf 100644
--- a/extensions/feishu/src/directory.ts
+++ b/extensions/feishu/src/directory.ts
@@ -15,6 +15,7 @@ export async function listFeishuDirectoryPeersLive(params: {
   query?: string;
   limit?: number;
   accountId?: string;
+  fallbackToStatic?: boolean;
 }): Promise<FeishuDirectoryPeer[]> {
   const account = resolveFeishuAccount({ cfg: params.cfg, accountId: params.accountId });
   if (!account.configured) {
@@ -32,27 +33,32 @@ export async function listFeishuDirectoryPeersLive(params: {
       },
     });
 
-    if (response.code === 0 && response.data?.items) {
-      for (const user of response.data.items) {
-        if (user.open_id) {
-          const q = params.query?.trim().toLowerCase() || "";
-          const name = user.name || "";
-          if (!q || user.open_id.toLowerCase().includes(q) || name.toLowerCase().includes(q)) {
-            peers.push({
-              kind: "user",
-              id: user.open_id,
-              name: name || undefined,
-            });
-          }
-        }
-        if (peers.length >= limit) {
-          break;
+    if (response.code !== 0) {
+      throw new Error(response.msg || `code ${response.code}`);
+    }
+
+    for (const user of response.data?.items ?? []) {
+      if (user.open_id) {
+        const q = params.query?.trim().toLowerCase() || "";
+        const name = user.name || "";
+        if (!q || user.open_id.toLowerCase().includes(q) || name.toLowerCase().includes(q)) {
+          peers.push({
+            kind: "user",
+            id: user.open_id,
+            name: name || undefined,
+          });
         }
       }
+      if (peers.length >= limit) {
+        break;
+      }
     }
 
     return peers;
-  } catch {
+  } catch (err) {
+    if (params.fallbackToStatic === false) {
+      throw err instanceof Error ? err : new Error("Feishu live peer lookup failed");
+    }
     return listFeishuDirectoryPeers(params);
   }
 }
@@ -62,6 +68,7 @@ export async function listFeishuDirectoryGroupsLive(params: {
   query?: string;
   limit?: number;
   accountId?: string;
+  fallbackToStatic?: boolean;
 }): Promise<FeishuDirectoryGroup[]> {
   const account = resolveFeishuAccount({ cfg: params.cfg, accountId: params.accountId });
   if (!account.configured) {
@@ -79,27 +86,32 @@ export async function listFeishuDirectoryGroupsLive(params: {
       },
     });
 
-    if (response.code === 0 && response.data?.items) {
-      for (const chat of response.data.items) {
-        if (chat.chat_id) {
-          const q = params.query?.trim().toLowerCase() || "";
-          const name = chat.name || "";
-          if (!q || chat.chat_id.toLowerCase().includes(q) || name.toLowerCase().includes(q)) {
-            groups.push({
-              kind: "group",
-              id: chat.chat_id,
-              name: name || undefined,
-            });
-          }
-        }
-        if (groups.length >= limit) {
-          break;
+    if (response.code !== 0) {
+      throw new Error(response.msg || `code ${response.code}`);
+    }
+
+    for (const chat of response.data?.items ?? []) {
+      if (chat.chat_id) {
+        const q = params.query?.trim().toLowerCase() || "";
+        const name = chat.name || "";
+        if (!q || chat.chat_id.toLowerCase().includes(q) || name.toLowerCase().includes(q)) {
+          groups.push({
+            kind: "group",
+            id: chat.chat_id,
+            name: name || undefined,
+          });
         }
       }
+      if (groups.length >= limit) {
+        break;
+      }
     }
 
     return groups;
-  } catch {
+  } catch (err) {
+    if (params.fallbackToStatic === false) {
+      throw err instanceof Error ? err : new Error("Feishu live group lookup failed");
+    }
     return listFeishuDirectoryGroups(params);
   }
 }
diff --git a/extensions/feishu/src/media.test.ts b/extensions/feishu/src/media.test.ts
index 80555c294ae..67ea2c1b77f 100644
--- a/extensions/feishu/src/media.test.ts
+++ b/extensions/feishu/src/media.test.ts
@@ -195,6 +195,58 @@ describe("sendMediaFeishu msg_type routing", () => {
     );
   });
 
+  it("uses msg_type=media for remote mp4 content even when the filename is generic", async () => {
+    loadWebMediaMock.mockResolvedValueOnce({
+      buffer: Buffer.from("remote-video"),
+      fileName: "download",
+      kind: "video",
+      contentType: "video/mp4",
+    });
+
+    await sendMediaFeishu({
+      cfg: {} as any,
+      to: "user:ou_target",
+      mediaUrl: "https://example.com/video",
+    });
+
+    expect(fileCreateMock).toHaveBeenCalledWith(
+      expect.objectContaining({
+        data: expect.objectContaining({ file_type: "mp4" }),
+      }),
+    );
+    expect(messageCreateMock).toHaveBeenCalledWith(
+      expect.objectContaining({
+        data: expect.objectContaining({ msg_type: "media" }),
+      }),
+    );
+  });
+
+  it("falls back to generic file for unsupported audio formats", async () => {
+    loadWebMediaMock.mockResolvedValueOnce({
+      buffer: Buffer.from("remote-mp3"),
+      fileName: "song.mp3",
+      kind: "audio",
+      contentType: "audio/mpeg",
+    });
+
+    await sendMediaFeishu({
+      cfg: {} as any,
+      to: "user:ou_target",
+      mediaUrl: "https://example.com/song.mp3",
+    });
+
+    expect(fileCreateMock).toHaveBeenCalledWith(
+      expect.objectContaining({
+        data: expect.objectContaining({ file_type: "stream" }),
+      }),
+    );
+    expect(messageCreateMock).toHaveBeenCalledWith(
+      expect.objectContaining({
+        data: expect.objectContaining({ msg_type: "file" }),
+      }),
+    );
+  });
+
   it("configures the media client timeout for image uploads", async () => {
     await sendMediaFeishu({
       cfg: {} as any,
@@ -520,4 +572,27 @@ describe("downloadMessageResourceFeishu", () => {
     expectMediaTimeoutClientConfigured();
     expect(result.buffer).toBeInstanceOf(Buffer);
   });
+
+  it("extracts content-type and filename metadata from download headers", async () => {
+    messageResourceGetMock.mockResolvedValueOnce({
+      data: Buffer.from("fake-video-data"),
+      headers: {
+        "content-type": "video/mp4",
+        "content-disposition": `attachment; filename="clip.mp4"`,
+      },
+    });
+
+    const result = await downloadMessageResourceFeishu({
+      cfg: {} as any,
+      messageId: "om_video_msg",
+      fileKey: "file_key_video",
+      type: "file",
+    });
+
+    expect(result).toMatchObject({
+      buffer: Buffer.from("fake-video-data"),
+      contentType: "video/mp4",
+      fileName: "clip.mp4",
+    });
+  });
 });
diff --git a/extensions/feishu/src/media.ts b/extensions/feishu/src/media.ts
index 45596fe45ed..b7888b7069e 100644
--- a/extensions/feishu/src/media.ts
+++ b/extensions/feishu/src/media.ts
@@ -2,6 +2,7 @@ import fs from "fs";
 import path from "path";
 import { Readable } from "stream";
 import { withTempDownloadPath, type ClawdbotConfig } from "openclaw/plugin-sdk/feishu";
+import { mediaKindFromMime } from "../../../src/media/constants.js";
 import { resolveFeishuAccount } from "./accounts.js";
 import { createFeishuClient } from "./client.js";
 import { normalizeFeishuExternalKey } from "./external-keys.js";
@@ -61,6 +62,75 @@ function extractFeishuUploadKey(
   return key;
 }
 
+function readHeaderValue(
+  headers: Record<string, unknown> | undefined,
+  name: string,
+): string | undefined {
+  if (!headers) {
+    return undefined;
+  }
+  const target = name.toLowerCase();
+  for (const [key, value] of Object.entries(headers)) {
+    if (key.toLowerCase() !== target) {
+      continue;
+    }
+    if (typeof value === "string" && value.trim()) {
+      return value.trim();
+    }
+    if (Array.isArray(value)) {
+      const first = value.find((entry) => typeof entry === "string" && entry.trim());
+      if (typeof first === "string") {
+        return first.trim();
+      }
+    }
+  }
+  return undefined;
+}
+
+function decodeDispositionFileName(value: string): string | undefined {
+  const utf8Match = value.match(/filename\*=UTF-8''([^;]+)/i);
+  if (utf8Match?.[1]) {
+    try {
+      return decodeURIComponent(utf8Match[1].trim().replace(/^"(.*)"$/, "$1"));
+    } catch {
+      return utf8Match[1].trim().replace(/^"(.*)"$/, "$1");
+    }
+  }
+
+  const plainMatch = value.match(/filename="?([^";]+)"?/i);
+  return plainMatch?.[1]?.trim();
+}
+
+function extractFeishuDownloadMetadata(response: unknown): {
+  contentType?: string;
+  fileName?: string;
+} {
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any -- SDK response type
+  const responseAny = response as any;
+  const headers =
+    (responseAny.headers as Record<string, unknown> | undefined) ??
+    (responseAny.header as Record<string, unknown> | undefined);
+
+  const contentType =
+    readHeaderValue(headers, "content-type") ??
+    (typeof responseAny.contentType === "string" ? responseAny.contentType : undefined) ??
+    (typeof responseAny.mime_type === "string" ? responseAny.mime_type : undefined) ??
+    (typeof responseAny.data?.contentType === "string"
+      ? responseAny.data.contentType
+      : undefined) ??
+    (typeof responseAny.data?.mime_type === "string" ? responseAny.data.mime_type : undefined);
+
+  const disposition = readHeaderValue(headers, "content-disposition");
+  const fileName =
+    (disposition ? decodeDispositionFileName(disposition) : undefined) ??
+    (typeof responseAny.file_name === "string" ? responseAny.file_name : undefined) ??
+    (typeof responseAny.fileName === "string" ? responseAny.fileName : undefined) ??
+    (typeof responseAny.data?.file_name === "string" ? responseAny.data.file_name : undefined) ??
+    (typeof responseAny.data?.fileName === "string" ? responseAny.data.fileName : undefined);
+
+  return { contentType, fileName };
+}
+
 async function readFeishuResponseBuffer(params: {
   response: unknown;
   tmpDirPrefix: string;
@@ -144,7 +214,8 @@ export async function downloadImageFeishu(params: {
     tmpDirPrefix: "openclaw-feishu-img-",
     errorPrefix: "Feishu image download failed",
   });
-  return { buffer };
+  const meta = extractFeishuDownloadMetadata(response);
+  return { buffer, contentType: meta.contentType };
 }
 
 /**
@@ -175,7 +246,7 @@ export async function downloadMessageResourceFeishu(params: {
     tmpDirPrefix: "openclaw-feishu-resource-",
     errorPrefix: "Feishu message resource download failed",
   });
-  return { buffer };
+  return { buffer, ...extractFeishuDownloadMetadata(response) };
 }
 
 export type UploadImageResult = {
@@ -401,6 +472,53 @@ export function detectFileType(
   }
 }
 
+function resolveFeishuOutboundMediaKind(params: { fileName: string; contentType?: string }): {
+  fileType?: "opus" | "mp4" | "pdf" | "doc" | "xls" | "ppt" | "stream";
+  msgType: "image" | "file" | "audio" | "media";
+} {
+  const { fileName, contentType } = params;
+  const ext = path.extname(fileName).toLowerCase();
+  const mimeKind = mediaKindFromMime(contentType);
+
+  const isImageExt = [".jpg", ".jpeg", ".png", ".gif", ".webp", ".bmp", ".ico", ".tiff"].includes(
+    ext,
+  );
+  if (isImageExt || mimeKind === "image") {
+    return { msgType: "image" };
+  }
+
+  if (
+    ext === ".opus" ||
+    ext === ".ogg" ||
+    contentType === "audio/ogg" ||
+    contentType === "audio/opus"
+  ) {
+    return { fileType: "opus", msgType: "audio" };
+  }
+
+  if (
+    [".mp4", ".mov", ".avi"].includes(ext) ||
+    contentType === "video/mp4" ||
+    contentType === "video/quicktime" ||
+    contentType === "video/x-msvideo"
+  ) {
+    return { fileType: "mp4", msgType: "media" };
+  }
+
+  const fileType = detectFileType(fileName);
+  return {
+    fileType,
+    msgType:
+      fileType === "stream"
+        ? "file"
+        : fileType === "opus"
+          ? "audio"
+          : fileType === "mp4"
+            ? "media"
+            : "file",
+  };
+}
+
 /**
  * Upload and send media (image or file) from URL, local path, or buffer.
  * When mediaUrl is a local path, mediaLocalRoots (from core outbound context)
@@ -437,6 +555,7 @@ export async function sendMediaFeishu(params: {
 
   let buffer: Buffer;
   let name: string;
+  let contentType: string | undefined;
 
   if (mediaBuffer) {
     buffer = mediaBuffer;
@@ -449,33 +568,29 @@ export async function sendMediaFeishu(params: {
     });
     buffer = loaded.buffer;
     name = fileName ?? loaded.fileName ?? "file";
+    contentType = loaded.contentType;
   } else {
     throw new Error("Either mediaUrl or mediaBuffer must be provided");
   }
 
-  // Determine if it's an image based on extension
-  const ext = path.extname(name).toLowerCase();
-  const isImage = [".jpg", ".jpeg", ".png", ".gif", ".webp", ".bmp", ".ico", ".tiff"].includes(ext);
+  const routing = resolveFeishuOutboundMediaKind({ fileName: name, contentType });
 
-  if (isImage) {
+  if (routing.msgType === "image") {
     const { imageKey } = await uploadImageFeishu({ cfg, image: buffer, accountId });
     return sendImageFeishu({ cfg, to, imageKey, replyToMessageId, replyInThread, accountId });
   } else {
-    const fileType = detectFileType(name);
     const { fileKey } = await uploadFileFeishu({
       cfg,
       file: buffer,
       fileName: name,
-      fileType,
+      fileType: routing.fileType ?? "stream",
       accountId,
     });
-    // Feishu API: opus -> "audio", mp4/video -> "media" (playable), others -> "file"
-    const msgType = fileType === "opus" ? "audio" : fileType === "mp4" ? "media" : "file";
     return sendFileFeishu({
       cfg,
       to,
       fileKey,
-      msgType,
+      msgType: routing.msgType,
       replyToMessageId,
       replyInThread,
       accountId,
diff --git a/extensions/feishu/src/pins.ts b/extensions/feishu/src/pins.ts
new file mode 100644
index 00000000000..0205acf3aa3
--- /dev/null
+++ b/extensions/feishu/src/pins.ts
@@ -0,0 +1,108 @@
+import type { ClawdbotConfig } from "openclaw/plugin-sdk/feishu";
+import { resolveFeishuAccount } from "./accounts.js";
+import { createFeishuClient } from "./client.js";
+
+export type FeishuPin = {
+  messageId: string;
+  chatId?: string;
+  operatorId?: string;
+  operatorIdType?: string;
+  createTime?: string;
+};
+
+function assertFeishuPinApiSuccess(response: { code?: number; msg?: string }, action: string) {
+  if (response.code !== 0) {
+    throw new Error(`Feishu ${action} failed: ${response.msg || `code ${response.code}`}`);
+  }
+}
+
+function normalizePin(pin: {
+  message_id: string;
+  chat_id?: string;
+  operator_id?: string;
+  operator_id_type?: string;
+  create_time?: string;
+}): FeishuPin {
+  return {
+    messageId: pin.message_id,
+    chatId: pin.chat_id,
+    operatorId: pin.operator_id,
+    operatorIdType: pin.operator_id_type,
+    createTime: pin.create_time,
+  };
+}
+
+export async function createPinFeishu(params: {
+  cfg: ClawdbotConfig;
+  messageId: string;
+  accountId?: string;
+}): Promise<FeishuPin | null> {
+  const account = resolveFeishuAccount({ cfg: params.cfg, accountId: params.accountId });
+  if (!account.configured) {
+    throw new Error(`Feishu account "${account.accountId}" not configured`);
+  }
+
+  const client = createFeishuClient(account);
+  const response = await client.im.pin.create({
+    data: {
+      message_id: params.messageId,
+    },
+  });
+  assertFeishuPinApiSuccess(response, "pin create");
+  return response.data?.pin ? normalizePin(response.data.pin) : null;
+}
+
+export async function removePinFeishu(params: {
+  cfg: ClawdbotConfig;
+  messageId: string;
+  accountId?: string;
+}): Promise<void> {
+  const account = resolveFeishuAccount({ cfg: params.cfg, accountId: params.accountId });
+  if (!account.configured) {
+    throw new Error(`Feishu account "${account.accountId}" not configured`);
+  }
+
+  const client = createFeishuClient(account);
+  const response = await client.im.pin.delete({
+    path: {
+      message_id: params.messageId,
+    },
+  });
+  assertFeishuPinApiSuccess(response, "pin delete");
+}
+
+export async function listPinsFeishu(params: {
+  cfg: ClawdbotConfig;
+  chatId: string;
+  startTime?: string;
+  endTime?: string;
+  pageSize?: number;
+  pageToken?: string;
+  accountId?: string;
+}): Promise<{ chatId: string; pins: FeishuPin[]; hasMore: boolean; pageToken?: string }> {
+  const account = resolveFeishuAccount({ cfg: params.cfg, accountId: params.accountId });
+  if (!account.configured) {
+    throw new Error(`Feishu account "${account.accountId}" not configured`);
+  }
+
+  const client = createFeishuClient(account);
+  const response = await client.im.pin.list({
+    params: {
+      chat_id: params.chatId,
+      ...(params.startTime ? { start_time: params.startTime } : {}),
+      ...(params.endTime ? { end_time: params.endTime } : {}),
+      ...(typeof params.pageSize === "number"
+        ? { page_size: Math.max(1, Math.min(100, Math.floor(params.pageSize))) }
+        : {}),
+      ...(params.pageToken ? { page_token: params.pageToken } : {}),
+    },
+  });
+  assertFeishuPinApiSuccess(response, "pin list");
+
+  return {
+    chatId: params.chatId,
+    pins: (response.data?.items ?? []).map(normalizePin),
+    hasMore: response.data?.has_more === true,
+    pageToken: response.data?.page_token,
+  };
+}
diff --git a/extensions/feishu/src/send.reply-fallback.test.ts b/extensions/feishu/src/send.reply-fallback.test.ts
index 610ded167fd..d4a2f023ac1 100644
--- a/extensions/feishu/src/send.reply-fallback.test.ts
+++ b/extensions/feishu/src/send.reply-fallback.test.ts
@@ -171,6 +171,75 @@ describe("Feishu reply fallback for withdrawn/deleted targets", () => {
     expect(createMock).not.toHaveBeenCalled();
   });
 
+  it("fails thread replies instead of falling back to a top-level send", async () => {
+    replyMock.mockResolvedValue({
+      code: 230011,
+      msg: "The message was withdrawn.",
+    });
+
+    await expect(
+      sendMessageFeishu({
+        cfg: {} as never,
+        to: "chat:oc_group_1",
+        text: "hello",
+        replyToMessageId: "om_parent",
+        replyInThread: true,
+      }),
+    ).rejects.toThrow(
+      "Feishu thread reply failed: reply target is unavailable and cannot safely fall back to a top-level send.",
+    );
+
+    expect(createMock).not.toHaveBeenCalled();
+    expect(replyMock).toHaveBeenCalledWith({
+      path: { message_id: "om_parent" },
+      data: expect.objectContaining({
+        reply_in_thread: true,
+      }),
+    });
+  });
+
+  it("fails thrown withdrawn thread replies instead of falling back to create", async () => {
+    const sdkError = Object.assign(new Error("request failed"), { code: 230011 });
+    replyMock.mockRejectedValue(sdkError);
+
+    await expect(
+      sendMessageFeishu({
+        cfg: {} as never,
+        to: "chat:oc_group_1",
+        text: "hello",
+        replyToMessageId: "om_parent",
+        replyInThread: true,
+      }),
+    ).rejects.toThrow(
+      "Feishu thread reply failed: reply target is unavailable and cannot safely fall back to a top-level send.",
+    );
+
+    expect(createMock).not.toHaveBeenCalled();
+  });
+
+  it("still falls back for non-thread replies to withdrawn targets", async () => {
+    replyMock.mockResolvedValue({
+      code: 230011,
+      msg: "The message was withdrawn.",
+    });
+    createMock.mockResolvedValue({
+      code: 0,
+      data: { message_id: "om_non_thread_fallback" },
+    });
+
+    await expectFallbackResult(
+      () =>
+        sendMessageFeishu({
+          cfg: {} as never,
+          to: "user:ou_target",
+          text: "hello",
+          replyToMessageId: "om_parent",
+          replyInThread: false,
+        }),
+      "om_non_thread_fallback",
+    );
+  });
+
   it("re-throws non-withdrawn thrown errors for card messages", async () => {
     const sdkError = Object.assign(new Error("permission denied"), { code: 99991401 });
     replyMock.mockRejectedValue(sdkError);
diff --git a/extensions/feishu/src/send.test.ts b/extensions/feishu/src/send.test.ts
index 21ef7e53a1a..ecad7a6332e 100644
--- a/extensions/feishu/src/send.test.ts
+++ b/extensions/feishu/src/send.test.ts
@@ -2,18 +2,25 @@ import type { ClawdbotConfig } from "openclaw/plugin-sdk/feishu";
 import { beforeEach, describe, expect, it, vi } from "vitest";
 import {
   buildStructuredCard,
+  editMessageFeishu,
   getMessageFeishu,
   listFeishuThreadMessages,
   resolveFeishuCardTemplate,
 } from "./send.js";
 
-const { mockClientGet, mockClientList, mockCreateFeishuClient, mockResolveFeishuAccount } =
-  vi.hoisted(() => ({
-    mockClientGet: vi.fn(),
-    mockClientList: vi.fn(),
-    mockCreateFeishuClient: vi.fn(),
-    mockResolveFeishuAccount: vi.fn(),
-  }));
+const {
+  mockClientGet,
+  mockClientList,
+  mockClientPatch,
+  mockCreateFeishuClient,
+  mockResolveFeishuAccount,
+} = vi.hoisted(() => ({
+  mockClientGet: vi.fn(),
+  mockClientList: vi.fn(),
+  mockClientPatch: vi.fn(),
+  mockCreateFeishuClient: vi.fn(),
+  mockResolveFeishuAccount: vi.fn(),
+}));
 
 vi.mock("./client.js", () => ({
   createFeishuClient: mockCreateFeishuClient,
@@ -23,6 +30,17 @@ vi.mock("./accounts.js", () => ({
   resolveFeishuAccount: mockResolveFeishuAccount,
 }));
 
+vi.mock("./runtime.js", () => ({
+  getFeishuRuntime: () => ({
+    channel: {
+      text: {
+        resolveMarkdownTableMode: () => "preserve",
+        convertMarkdownTables: (text: string) => text,
+      },
+    },
+  }),
+}));
+
 describe("getMessageFeishu", () => {
   beforeEach(() => {
     vi.clearAllMocks();
@@ -35,6 +53,7 @@ describe("getMessageFeishu", () => {
         message: {
           get: mockClientGet,
           list: mockClientList,
+          patch: mockClientPatch,
         },
       },
     });
@@ -239,6 +258,70 @@ describe("getMessageFeishu", () => {
   });
 });
 
+describe("editMessageFeishu", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    mockResolveFeishuAccount.mockReturnValue({
+      accountId: "default",
+      configured: true,
+    });
+    mockCreateFeishuClient.mockReturnValue({
+      im: {
+        message: {
+          patch: mockClientPatch,
+        },
+      },
+    });
+  });
+
+  it("patches post content for text edits", async () => {
+    mockClientPatch.mockResolvedValueOnce({ code: 0 });
+
+    const result = await editMessageFeishu({
+      cfg: {} as ClawdbotConfig,
+      messageId: "om_edit",
+      text: "updated body",
+    });
+
+    expect(mockClientPatch).toHaveBeenCalledWith({
+      path: { message_id: "om_edit" },
+      data: {
+        content: JSON.stringify({
+          zh_cn: {
+            content: [
+              [
+                {
+                  tag: "md",
+                  text: "updated body",
+                },
+              ],
+            ],
+          },
+        }),
+      },
+    });
+    expect(result).toEqual({ messageId: "om_edit", contentType: "post" });
+  });
+
+  it("patches interactive content for card edits", async () => {
+    mockClientPatch.mockResolvedValueOnce({ code: 0 });
+
+    const result = await editMessageFeishu({
+      cfg: {} as ClawdbotConfig,
+      messageId: "om_card",
+      card: { schema: "2.0" },
+    });
+
+    expect(mockClientPatch).toHaveBeenCalledWith({
+      path: { message_id: "om_card" },
+      data: {
+        content: JSON.stringify({ schema: "2.0" }),
+      },
+    });
+    expect(result).toEqual({ messageId: "om_card", contentType: "interactive" });
+  });
+});
+
 describe("resolveFeishuCardTemplate", () => {
   it("accepts supported Feishu templates", () => {
     expect(resolveFeishuCardTemplate(" purple ")).toBe("purple");
diff --git a/extensions/feishu/src/send.ts b/extensions/feishu/src/send.ts
index 57c0fbc0600..09015ee593b 100644
--- a/extensions/feishu/src/send.ts
+++ b/extensions/feishu/src/send.ts
@@ -139,6 +139,12 @@ async function sendReplyOrFallbackDirect(
     return sendFallbackDirect(client, params.directParams, params.directErrorPrefix);
   }
 
+  const threadReplyFallbackError = params.replyInThread
+    ? new Error(
+        "Feishu thread reply failed: reply target is unavailable and cannot safely fall back to a top-level send.",
+      )
+    : null;
+
   let response: { code?: number; msg?: string; data?: { message_id?: string } };
   try {
     response = await client.im.message.reply({
@@ -153,9 +159,15 @@ async function sendReplyOrFallbackDirect(
     if (!isWithdrawnReplyError(err)) {
       throw err;
     }
+    if (threadReplyFallbackError) {
+      throw threadReplyFallbackError;
+    }
     return sendFallbackDirect(client, params.directParams, params.directErrorPrefix);
   }
   if (shouldFallbackFromReplyTarget(response)) {
+    if (threadReplyFallbackError) {
+      throw threadReplyFallbackError;
+    }
     return sendFallbackDirect(client, params.directParams, params.directErrorPrefix);
   }
   assertFeishuMessageApiSuccess(response, params.replyErrorPrefix);
@@ -406,7 +418,7 @@ export type SendFeishuMessageParams = {
   accountId?: string;
 };
 
-function buildFeishuPostMessagePayload(params: { messageText: string }): {
+export function buildFeishuPostMessagePayload(params: { messageText: string }): {
   content: string;
   msgType: string;
 } {
@@ -486,6 +498,59 @@ export async function sendCardFeishu(params: SendFeishuCardParams): Promise<Feis
   });
 }
 
+export async function editMessageFeishu(params: {
+  cfg: ClawdbotConfig;
+  messageId: string;
+  text?: string;
+  card?: Record<string, unknown>;
+  accountId?: string;
+}): Promise<{ messageId: string; contentType: "post" | "interactive" }> {
+  const { cfg, messageId, text, card, accountId } = params;
+  const account = resolveFeishuAccount({ cfg, accountId });
+  if (!account.configured) {
+    throw new Error(`Feishu account "${account.accountId}" not configured`);
+  }
+
+  const hasText = typeof text === "string" && text.trim().length > 0;
+  const hasCard = Boolean(card);
+  if (hasText === hasCard) {
+    throw new Error("Feishu edit requires exactly one of text or card.");
+  }
+
+  const client = createFeishuClient(account);
+
+  if (card) {
+    const content = JSON.stringify(card);
+    const response = await client.im.message.patch({
+      path: { message_id: messageId },
+      data: { content },
+    });
+
+    if (response.code !== 0) {
+      throw new Error(`Feishu message edit failed: ${response.msg || `code ${response.code}`}`);
+    }
+
+    return { messageId, contentType: "interactive" };
+  }
+
+  const tableMode = getFeishuRuntime().channel.text.resolveMarkdownTableMode({
+    cfg,
+    channel: "feishu",
+  });
+  const messageText = getFeishuRuntime().channel.text.convertMarkdownTables(text!, tableMode);
+  const payload = buildFeishuPostMessagePayload({ messageText });
+  const response = await client.im.message.patch({
+    path: { message_id: messageId },
+    data: { content: payload.content },
+  });
+
+  if (response.code !== 0) {
+    throw new Error(`Feishu message edit failed: ${response.msg || `code ${response.code}`}`);
+  }
+
+  return { messageId, contentType: "post" };
+}
+
 export async function updateCardFeishu(params: {
   cfg: ClawdbotConfig;
   messageId: string;
@@ -627,41 +692,3 @@ export async function sendMarkdownCardFeishu(params: {
   const card = buildMarkdownCard(cardText);
   return sendCardFeishu({ cfg, to, card, replyToMessageId, replyInThread, accountId });
 }
-
-/**
- * Edit an existing text message.
- * Note: Feishu only allows editing messages within 24 hours.
- */
-export async function editMessageFeishu(params: {
-  cfg: ClawdbotConfig;
-  messageId: string;
-  text: string;
-  accountId?: string;
-}): Promise<void> {
-  const { cfg, messageId, text, accountId } = params;
-  const account = resolveFeishuAccount({ cfg, accountId });
-  if (!account.configured) {
-    throw new Error(`Feishu account "${account.accountId}" not configured`);
-  }
-
-  const client = createFeishuClient(account);
-  const tableMode = getFeishuRuntime().channel.text.resolveMarkdownTableMode({
-    cfg,
-    channel: "feishu",
-  });
-  const messageText = getFeishuRuntime().channel.text.convertMarkdownTables(text ?? "", tableMode);
-
-  const { content, msgType } = buildFeishuPostMessagePayload({ messageText });
-
-  const response = await client.im.message.update({
-    path: { message_id: messageId },
-    data: {
-      msg_type: msgType,
-      content,
-    },
-  });
-
-  if (response.code !== 0) {
-    throw new Error(`Feishu message edit failed: ${response.msg || `code ${response.code}`}`);
-  }
-}
diff --git a/src/agents/tools/message-tool.ts b/src/agents/tools/message-tool.ts
index e0711ecf8ae..0e6c846e75d 100644
--- a/src/agents/tools/message-tool.ts
+++ b/src/agents/tools/message-tool.ts
@@ -319,6 +319,8 @@ function buildReactionSchema() {
 function buildFetchSchema() {
   return {
     limit: Type.Optional(Type.Number()),
+    pageSize: Type.Optional(Type.Number()),
+    pageToken: Type.Optional(Type.String()),
     before: Type.Optional(Type.String()),
     after: Type.Optional(Type.String()),
     around: Type.Optional(Type.String()),
@@ -386,16 +388,27 @@ function buildChannelTargetSchema() {
     channelId: Type.Optional(
       Type.String({ description: "Channel id filter (search/thread list/event create)." }),
     ),
+    chatId: Type.Optional(
+      Type.String({ description: "Chat id for chat-scoped metadata actions." }),
+    ),
     channelIds: Type.Optional(
       Type.Array(Type.String({ description: "Channel id filter (repeatable)." })),
     ),
+    memberId: Type.Optional(Type.String()),
+    memberIdType: Type.Optional(Type.String()),
     guildId: Type.Optional(Type.String()),
     userId: Type.Optional(Type.String()),
+    openId: Type.Optional(Type.String()),
+    unionId: Type.Optional(Type.String()),
     authorId: Type.Optional(Type.String()),
     authorIds: Type.Optional(Type.Array(Type.String())),
     roleId: Type.Optional(Type.String()),
     roleIds: Type.Optional(Type.Array(Type.String())),
     participant: Type.Optional(Type.String()),
+    includeMembers: Type.Optional(Type.Boolean()),
+    members: Type.Optional(Type.Boolean()),
+    scope: Type.Optional(Type.String()),
+    kind: Type.Optional(Type.String()),
   };
 }
 
diff --git a/src/infra/outbound/message-action-normalization.test.ts b/src/infra/outbound/message-action-normalization.test.ts
index 87fa7a8503c..2ee5f35b3dd 100644
--- a/src/infra/outbound/message-action-normalization.test.ts
+++ b/src/infra/outbound/message-action-normalization.test.ts
@@ -115,6 +115,47 @@ describe("normalizeMessageActionInput", () => {
     expect("to" in normalized).toBe(false);
   });
 
+  it("keeps Feishu message and chat aliases without forcing canonical targets", () => {
+    const pin = normalizeMessageActionInput({
+      action: "pin",
+      args: {
+        channel: "feishu",
+        messageId: "om_123",
+      },
+    });
+    const listPins = normalizeMessageActionInput({
+      action: "list-pins",
+      args: {
+        channel: "feishu",
+        chatId: "oc_123",
+      },
+    });
+
+    expect(pin.messageId).toBe("om_123");
+    expect("target" in pin).toBe(false);
+    expect("to" in pin).toBe(false);
+    expect(listPins.chatId).toBe("oc_123");
+    expect("target" in listPins).toBe(false);
+    expect("to" in listPins).toBe(false);
+  });
+
+  it("still backfills target for non-Feishu read actions with messageId-only input", () => {
+    const normalized = normalizeMessageActionInput({
+      action: "read",
+      args: {
+        channel: "slack",
+        messageId: "123.456",
+      },
+      toolContext: {
+        currentChannelId: "C12345678",
+        currentChannelProvider: "slack",
+      },
+    });
+
+    expect(normalized.target).toBe("C12345678");
+    expect(normalized.messageId).toBe("123.456");
+  });
+
   it("maps legacy channelId inputs through canonical target for channel-id actions", () => {
     const normalized = normalizeMessageActionInput({
       action: "channel-info",
diff --git a/src/infra/outbound/message-action-normalization.ts b/src/infra/outbound/message-action-normalization.ts
index a4b4f4829bd..ff40ca45e6a 100644
--- a/src/infra/outbound/message-action-normalization.ts
+++ b/src/infra/outbound/message-action-normalization.ts
@@ -16,6 +16,10 @@ export function normalizeMessageActionInput(params: {
 }): Record<string, unknown> {
   const normalizedArgs = { ...params.args };
   const { action, toolContext } = params;
+  const explicitChannel =
+    typeof normalizedArgs.channel === "string" ? normalizedArgs.channel.trim() : "";
+  const inferredChannel =
+    explicitChannel || normalizeMessageChannel(toolContext?.currentChannelProvider) || "";
 
   const explicitTarget =
     typeof normalizedArgs.target === "string" ? normalizedArgs.target.trim() : "";
@@ -34,7 +38,7 @@ export function normalizeMessageActionInput(params: {
     !explicitTarget &&
     !hasLegacyTarget &&
     actionRequiresTarget(action) &&
-    !actionHasTarget(action, normalizedArgs)
+    !actionHasTarget(action, normalizedArgs, { channel: inferredChannel })
   ) {
     const inferredTarget = toolContext?.currentChannelId?.trim();
     if (inferredTarget) {
@@ -54,17 +58,17 @@ export function normalizeMessageActionInput(params: {
     }
   }
 
-  const explicitChannel =
-    typeof normalizedArgs.channel === "string" ? normalizedArgs.channel.trim() : "";
   if (!explicitChannel) {
-    const inferredChannel = normalizeMessageChannel(toolContext?.currentChannelProvider);
     if (inferredChannel && isDeliverableMessageChannel(inferredChannel)) {
       normalizedArgs.channel = inferredChannel;
     }
   }
 
   applyTargetToParams({ action, args: normalizedArgs });
-  if (actionRequiresTarget(action) && !actionHasTarget(action, normalizedArgs)) {
+  if (
+    actionRequiresTarget(action) &&
+    !actionHasTarget(action, normalizedArgs, { channel: inferredChannel })
+  ) {
     throw new Error(`Action ${action} requires a target.`);
   }
 
diff --git a/src/infra/outbound/message-action-runner.plugin-dispatch.test.ts b/src/infra/outbound/message-action-runner.plugin-dispatch.test.ts
index 00c4bafef11..952bf16f51c 100644
--- a/src/infra/outbound/message-action-runner.plugin-dispatch.test.ts
+++ b/src/infra/outbound/message-action-runner.plugin-dispatch.test.ts
@@ -15,6 +15,105 @@ function createAlwaysConfiguredPluginConfig(account: Record<string, unknown> = {
 }
 
 describe("runMessageAction plugin dispatch", () => {
+  describe("alias-based plugin action dispatch", () => {
+    const handleAction = vi.fn(async ({ params }: { params: Record<string, unknown> }) =>
+      jsonResult({
+        ok: true,
+        params,
+      }),
+    );
+
+    const feishuLikePlugin: ChannelPlugin = {
+      id: "feishu",
+      meta: {
+        id: "feishu",
+        label: "Feishu",
+        selectionLabel: "Feishu",
+        docsPath: "/channels/feishu",
+        blurb: "Feishu action dispatch test plugin.",
+      },
+      capabilities: { chatTypes: ["direct", "channel"] },
+      config: createAlwaysConfiguredPluginConfig(),
+      actions: {
+        listActions: () => ["pin", "list-pins", "member-info"],
+        supportsAction: ({ action }) =>
+          action === "pin" || action === "list-pins" || action === "member-info",
+        handleAction,
+      },
+    };
+
+    beforeEach(() => {
+      setActivePluginRegistry(
+        createTestRegistry([
+          {
+            pluginId: "feishu",
+            source: "test",
+            plugin: feishuLikePlugin,
+          },
+        ]),
+      );
+      handleAction.mockClear();
+    });
+
+    afterEach(() => {
+      setActivePluginRegistry(createTestRegistry([]));
+      vi.clearAllMocks();
+    });
+
+    it("dispatches messageId/chatId-based Feishu actions through the shared runner", async () => {
+      await runMessageAction({
+        cfg: {
+          channels: {
+            feishu: {
+              enabled: true,
+            },
+          },
+        } as OpenClawConfig,
+        action: "pin",
+        params: {
+          channel: "feishu",
+          messageId: "om_123",
+        },
+        dryRun: false,
+      });
+
+      await runMessageAction({
+        cfg: {
+          channels: {
+            feishu: {
+              enabled: true,
+            },
+          },
+        } as OpenClawConfig,
+        action: "list-pins",
+        params: {
+          channel: "feishu",
+          chatId: "oc_123",
+        },
+        dryRun: false,
+      });
+
+      expect(handleAction).toHaveBeenNthCalledWith(
+        1,
+        expect.objectContaining({
+          action: "pin",
+          params: expect.objectContaining({
+            messageId: "om_123",
+          }),
+        }),
+      );
+      expect(handleAction).toHaveBeenNthCalledWith(
+        2,
+        expect.objectContaining({
+          action: "list-pins",
+          params: expect.objectContaining({
+            chatId: "oc_123",
+          }),
+        }),
+      );
+    });
+  });
+
   describe("media caption behavior", () => {
     afterEach(() => {
       setActivePluginRegistry(createTestRegistry([]));
diff --git a/src/infra/outbound/message-action-spec.test.ts b/src/infra/outbound/message-action-spec.test.ts
index 138f61e08a0..cc8a127799f 100644
--- a/src/infra/outbound/message-action-spec.test.ts
+++ b/src/infra/outbound/message-action-spec.test.ts
@@ -20,12 +20,25 @@ describe("actionHasTarget", () => {
   });
 
   it("detects alias targets for message and chat actions", () => {
+    expect(actionHasTarget("read", { messageId: "msg_123" }, { channel: "feishu" })).toBe(true);
     expect(actionHasTarget("edit", { messageId: "  msg_123  " })).toBe(true);
+    expect(actionHasTarget("pin", { messageId: "msg_123" }, { channel: "feishu" })).toBe(true);
+    expect(actionHasTarget("unpin", { messageId: "msg_123" }, { channel: "feishu" })).toBe(true);
+    expect(actionHasTarget("list-pins", { chatId: "oc_123" }, { channel: "feishu" })).toBe(true);
+    expect(actionHasTarget("channel-info", { chatId: "oc_123" }, { channel: "feishu" })).toBe(true);
     expect(actionHasTarget("react", { chatGuid: "chat-guid" })).toBe(true);
     expect(actionHasTarget("react", { chatIdentifier: "chat-id" })).toBe(true);
     expect(actionHasTarget("react", { chatId: 42 })).toBe(true);
   });
 
+  it("scopes Feishu-only aliases to Feishu", () => {
+    expect(actionHasTarget("read", { messageId: "msg_123" })).toBe(false);
+    expect(actionHasTarget("pin", { messageId: "msg_123" }, { channel: "slack" })).toBe(false);
+    expect(actionHasTarget("channel-info", { chatId: "oc_123" }, { channel: "discord" })).toBe(
+      false,
+    );
+  });
+
   it("rejects blank and non-finite alias targets", () => {
     expect(actionHasTarget("edit", { messageId: "   " })).toBe(false);
     expect(actionHasTarget("react", { chatGuid: "" })).toBe(false);
diff --git a/src/infra/outbound/message-action-spec.ts b/src/infra/outbound/message-action-spec.ts
index f4f715d869d..a71bc35b6fb 100644
--- a/src/infra/outbound/message-action-spec.ts
+++ b/src/infra/outbound/message-action-spec.ts
@@ -60,15 +60,25 @@ export const MESSAGE_ACTION_TARGET_MODE: Record<ChannelMessageActionName, Messag
     "download-file": "none",
   };
 
-const ACTION_TARGET_ALIASES: Partial<Record<ChannelMessageActionName, string[]>> = {
-  unsend: ["messageId"],
-  edit: ["messageId"],
-  react: ["chatGuid", "chatIdentifier", "chatId"],
-  renameGroup: ["chatGuid", "chatIdentifier", "chatId"],
-  setGroupIcon: ["chatGuid", "chatIdentifier", "chatId"],
-  addParticipant: ["chatGuid", "chatIdentifier", "chatId"],
-  removeParticipant: ["chatGuid", "chatIdentifier", "chatId"],
-  leaveGroup: ["chatGuid", "chatIdentifier", "chatId"],
+type ActionTargetAliasSpec = {
+  aliases: string[];
+  channels?: string[];
+};
+
+const ACTION_TARGET_ALIASES: Partial<Record<ChannelMessageActionName, ActionTargetAliasSpec>> = {
+  read: { aliases: ["messageId"], channels: ["feishu"] },
+  unsend: { aliases: ["messageId"] },
+  edit: { aliases: ["messageId"] },
+  pin: { aliases: ["messageId"], channels: ["feishu"] },
+  unpin: { aliases: ["messageId"], channels: ["feishu"] },
+  "list-pins": { aliases: ["chatId"], channels: ["feishu"] },
+  "channel-info": { aliases: ["chatId"], channels: ["feishu"] },
+  react: { aliases: ["chatGuid", "chatIdentifier", "chatId"] },
+  renameGroup: { aliases: ["chatGuid", "chatIdentifier", "chatId"] },
+  setGroupIcon: { aliases: ["chatGuid", "chatIdentifier", "chatId"] },
+  addParticipant: { aliases: ["chatGuid", "chatIdentifier", "chatId"] },
+  removeParticipant: { aliases: ["chatGuid", "chatIdentifier", "chatId"] },
+  leaveGroup: { aliases: ["chatGuid", "chatIdentifier", "chatId"] },
 };
 
 export function actionRequiresTarget(action: ChannelMessageActionName): boolean {
@@ -78,6 +88,7 @@ export function actionRequiresTarget(action: ChannelMessageActionName): boolean
 export function actionHasTarget(
   action: ChannelMessageActionName,
   params: Record<string, unknown>,
+  options?: { channel?: string },
 ): boolean {
   const to = typeof params.to === "string" ? params.to.trim() : "";
   if (to) {
@@ -87,11 +98,17 @@ export function actionHasTarget(
   if (channelId) {
     return true;
   }
-  const aliases = ACTION_TARGET_ALIASES[action];
-  if (!aliases) {
+  const spec = ACTION_TARGET_ALIASES[action];
+  if (!spec) {
     return false;
   }
-  return aliases.some((alias) => {
+  if (
+    spec.channels &&
+    (!options?.channel || !spec.channels.includes(options.channel.trim().toLowerCase()))
+  ) {
+    return false;
+  }
+  return spec.aliases.some((alias) => {
     const value = params[alias];
     if (typeof value === "string") {
       return value.trim().length > 0;

From edab939f4d5036fd436a47a674d82f69acc7710c Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Mar 2026 07:02:44 +0000
Subject: [PATCH 072/133] fix: make docs i18n use gpt-5.4 overrides

---
 scripts/docs-i18n/pi_rpc_client.go   |  4 +--
 scripts/docs-i18n/process.go         | 12 ++++----
 scripts/docs-i18n/translator.go      | 28 ++++++++++++++---
 scripts/docs-i18n/translator_test.go | 26 +++++++++++++++-
 scripts/docs-i18n/util.go            | 46 +++++++++++++++++++++++++---
 scripts/docs-i18n/util_test.go       | 41 +++++++++++++++++++++++++
 6 files changed, 140 insertions(+), 17 deletions(-)
 create mode 100644 scripts/docs-i18n/util_test.go

diff --git a/scripts/docs-i18n/pi_rpc_client.go b/scripts/docs-i18n/pi_rpc_client.go
index d995c6a171f..7535b04799b 100644
--- a/scripts/docs-i18n/pi_rpc_client.go
+++ b/scripts/docs-i18n/pi_rpc_client.go
@@ -73,8 +73,8 @@ func startDocsPiClient(ctx context.Context, options docsPiClientOptions) (*docsP
 	args := append([]string{}, command.Args...)
 	args = append(args,
 		"--mode", "rpc",
-		"--provider", "anthropic",
-		"--model", modelVersion,
+		"--provider", docsPiProvider(),
+		"--model", docsPiModel(),
 		"--thinking", options.Thinking,
 		"--no-session",
 	)
diff --git a/scripts/docs-i18n/process.go b/scripts/docs-i18n/process.go
index c792d3c11bc..cbcd1d4abc2 100644
--- a/scripts/docs-i18n/process.go
+++ b/scripts/docs-i18n/process.go
@@ -64,8 +64,8 @@ func processFile(ctx context.Context, translator *PiTranslator, tm *TranslationM
 			TextHash:   seg.TextHash,
 			Text:       seg.Text,
 			Translated: translated,
-			Provider:   providerName,
-			Model:      modelVersion,
+			Provider:   docsPiProvider(),
+			Model:      docsPiModel(),
 			SrcLang:    srcLang,
 			TgtLang:    tgtLang,
 			UpdatedAt:  time.Now().UTC().Format(time.RFC3339),
@@ -121,8 +121,8 @@ func encodeFrontMatter(frontData map[string]any, relPath string, source []byte)
 	frontData["x-i18n"] = map[string]any{
 		"source_path":  relPath,
 		"source_hash":  hashBytes(source),
-		"provider":     providerName,
-		"model":        modelVersion,
+		"provider":     docsPiProvider(),
+		"model":        docsPiModel(),
 		"workflow":     workflowVersion,
 		"generated_at": time.Now().UTC().Format(time.RFC3339),
 	}
@@ -191,8 +191,8 @@ func translateSnippet(ctx context.Context, translator *PiTranslator, tm *Transla
 		TextHash:   textHash,
 		Text:       textValue,
 		Translated: translated,
-		Provider:   providerName,
-		Model:      modelVersion,
+		Provider:   docsPiProvider(),
+		Model:      docsPiModel(),
 		SrcLang:    srcLang,
 		TgtLang:    tgtLang,
 		UpdatedAt:  time.Now().UTC().Format(time.RFC3339),
diff --git a/scripts/docs-i18n/translator.go b/scripts/docs-i18n/translator.go
index 122a30ec5d5..59a41959af1 100644
--- a/scripts/docs-i18n/translator.go
+++ b/scripts/docs-i18n/translator.go
@@ -4,14 +4,16 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"os"
 	"strings"
 	"time"
 )
 
 const (
-	translateMaxAttempts = 3
-	translateBaseDelay   = 15 * time.Second
-	translatePromptTimeout = 2 * time.Minute
+	translateMaxAttempts     = 3
+	translateBaseDelay       = 15 * time.Second
+	defaultPromptTimeout     = 2 * time.Minute
+	envDocsI18nPromptTimeout = "OPENCLAW_DOCS_I18N_PROMPT_TIMEOUT"
 )
 
 var errEmptyTranslation = errors.New("empty translation")
@@ -112,10 +114,16 @@ func isRetryableTranslateError(err error) bool {
 	if err == nil {
 		return false
 	}
+	if errors.Is(err, context.DeadlineExceeded) || errors.Is(err, context.Canceled) {
+		return false
+	}
 	if errors.Is(err, errEmptyTranslation) {
 		return true
 	}
 	message := strings.ToLower(err.Error())
+	if strings.Contains(message, "authentication failed") {
+		return false
+	}
 	return strings.Contains(message, "placeholder missing") || strings.Contains(message, "rate limit") || strings.Contains(message, "429")
 }
 
@@ -142,7 +150,7 @@ type promptRunner interface {
 }
 
 func runPrompt(ctx context.Context, client promptRunner, message string) (string, error) {
-	promptCtx, cancel := context.WithTimeout(ctx, translatePromptTimeout)
+	promptCtx, cancel := context.WithTimeout(ctx, docsI18nPromptTimeout())
 	defer cancel()
 
 	result, err := client.Prompt(promptCtx, message)
@@ -171,3 +179,15 @@ func normalizeThinking(value string) string {
 		return "high"
 	}
 }
+
+func docsI18nPromptTimeout() time.Duration {
+	value := strings.TrimSpace(os.Getenv(envDocsI18nPromptTimeout))
+	if value == "" {
+		return defaultPromptTimeout
+	}
+	parsed, err := time.ParseDuration(value)
+	if err != nil || parsed <= 0 {
+		return defaultPromptTimeout
+	}
+	return parsed
+}
diff --git a/scripts/docs-i18n/translator_test.go b/scripts/docs-i18n/translator_test.go
index 3872d6dff07..759f3aa276a 100644
--- a/scripts/docs-i18n/translator_test.go
+++ b/scripts/docs-i18n/translator_test.go
@@ -50,11 +50,35 @@ func TestRunPromptAddsTimeout(t *testing.T) {
 	}
 
 	remaining := time.Until(deadline)
-	if remaining <= time.Minute || remaining > translatePromptTimeout {
+	if remaining <= time.Minute || remaining > docsI18nPromptTimeout() {
 		t.Fatalf("unexpected timeout window %s", remaining)
 	}
 }
 
+func TestDocsI18nPromptTimeoutUsesEnvOverride(t *testing.T) {
+	t.Setenv(envDocsI18nPromptTimeout, "5m")
+
+	if got := docsI18nPromptTimeout(); got != 5*time.Minute {
+		t.Fatalf("expected 5m timeout, got %s", got)
+	}
+}
+
+func TestIsRetryableTranslateErrorRejectsDeadlineExceeded(t *testing.T) {
+	t.Parallel()
+
+	if isRetryableTranslateError(context.DeadlineExceeded) {
+		t.Fatal("deadline exceeded should not retry")
+	}
+}
+
+func TestIsRetryableTranslateErrorRejectsAuthenticationFailures(t *testing.T) {
+	t.Parallel()
+
+	if isRetryableTranslateError(errors.New(`Authentication failed for "openai"`)) {
+		t.Fatal("auth failures should not retry")
+	}
+}
+
 func TestRunPromptIncludesStderr(t *testing.T) {
 	t.Parallel()
 
diff --git a/scripts/docs-i18n/util.go b/scripts/docs-i18n/util.go
index 3be70ee3076..e7a8e6daaf3 100644
--- a/scripts/docs-i18n/util.go
+++ b/scripts/docs-i18n/util.go
@@ -10,13 +10,24 @@ import (
 )
 
 const (
-	workflowVersion = 15
-	providerName    = "pi"
-	modelVersion    = "claude-opus-4-6"
+	workflowVersion          = 15
+	docsI18nEngineName       = "pi"
+	envDocsI18nProvider      = "OPENCLAW_DOCS_I18N_PROVIDER"
+	envDocsI18nModel         = "OPENCLAW_DOCS_I18N_MODEL"
+	defaultOpenAIModel       = "gpt-5.4"
+	defaultAnthropicModel    = "claude-opus-4-6"
+	defaultFallbackProvider  = "openai"
+	defaultFallbackModelName = defaultOpenAIModel
 )
 
 func cacheNamespace() string {
-	return fmt.Sprintf("wf=%d|provider=%s|model=%s", workflowVersion, providerName, modelVersion)
+	return fmt.Sprintf(
+		"wf=%d|engine=%s|provider=%s|model=%s",
+		workflowVersion,
+		docsI18nEngineName,
+		docsPiProvider(),
+		docsPiModel(),
+	)
 }
 
 func cacheKey(namespace, srcLang, tgtLang, segmentID, textHash string) string {
@@ -40,6 +51,33 @@ func normalizeText(text string) string {
 	return strings.Join(strings.Fields(strings.TrimSpace(text)), " ")
 }
 
+func docsPiProvider() string {
+	if value := strings.TrimSpace(os.Getenv(envDocsI18nProvider)); value != "" {
+		return value
+	}
+	if strings.TrimSpace(os.Getenv("OPENAI_API_KEY")) != "" {
+		return "openai"
+	}
+	if strings.TrimSpace(os.Getenv("ANTHROPIC_API_KEY")) != "" {
+		return "anthropic"
+	}
+	return defaultFallbackProvider
+}
+
+func docsPiModel() string {
+	if value := strings.TrimSpace(os.Getenv(envDocsI18nModel)); value != "" {
+		return value
+	}
+	switch docsPiProvider() {
+	case "anthropic":
+		return defaultAnthropicModel
+	case "openai":
+		return defaultOpenAIModel
+	default:
+		return defaultFallbackModelName
+	}
+}
+
 func segmentID(relPath, textHash string) string {
 	shortHash := textHash
 	if len(shortHash) > 16 {
diff --git a/scripts/docs-i18n/util_test.go b/scripts/docs-i18n/util_test.go
new file mode 100644
index 00000000000..77b5ca82a73
--- /dev/null
+++ b/scripts/docs-i18n/util_test.go
@@ -0,0 +1,41 @@
+package main
+
+import "testing"
+
+func TestDocsPiProviderPrefersExplicitOverride(t *testing.T) {
+	t.Setenv(envDocsI18nProvider, "anthropic")
+	t.Setenv("OPENAI_API_KEY", "openai-key")
+	t.Setenv("ANTHROPIC_API_KEY", "anthropic-key")
+
+	if got := docsPiProvider(); got != "anthropic" {
+		t.Fatalf("expected anthropic override, got %q", got)
+	}
+}
+
+func TestDocsPiProviderPrefersOpenAIEnvWhenAvailable(t *testing.T) {
+	t.Setenv(envDocsI18nProvider, "")
+	t.Setenv("OPENAI_API_KEY", "openai-key")
+	t.Setenv("ANTHROPIC_API_KEY", "anthropic-key")
+
+	if got := docsPiProvider(); got != "openai" {
+		t.Fatalf("expected openai provider, got %q", got)
+	}
+}
+
+func TestDocsPiModelUsesProviderDefault(t *testing.T) {
+	t.Setenv(envDocsI18nProvider, "anthropic")
+	t.Setenv(envDocsI18nModel, "")
+
+	if got := docsPiModel(); got != defaultAnthropicModel {
+		t.Fatalf("expected anthropic default model, got %q", got)
+	}
+}
+
+func TestDocsPiModelPrefersExplicitOverride(t *testing.T) {
+	t.Setenv(envDocsI18nProvider, "openai")
+	t.Setenv(envDocsI18nModel, "gpt-5.2")
+
+	if got := docsPiModel(); got != "gpt-5.2" {
+		t.Fatalf("expected explicit model override, got %q", got)
+	}
+}

From 00ef214d59d21d383cb8b18b7810ad6b0241693a Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Mar 2026 07:02:46 +0000
Subject: [PATCH 073/133] docs: regenerate zh-CN onboarding references

---
 docs/zh-CN/automation/hooks.md                |  539 ++-
 docs/zh-CN/channels/bluebubbles.md            |  237 +-
 docs/zh-CN/channels/feishu.md                 |  565 ++-
 docs/zh-CN/channels/nostr.md                  |  119 +-
 docs/zh-CN/channels/synology-chat.md          |  138 +
 docs/zh-CN/cli/index.md                       |  417 +-
 docs/zh-CN/cli/onboard.md                     |  152 +-
 docs/zh-CN/cli/setup.md                       |   14 +-
 docs/zh-CN/concepts/agent-workspace.md        |  142 +-
 docs/zh-CN/concepts/model-providers.md        |  501 ++-
 docs/zh-CN/concepts/models.md                 |  151 +-
 docs/zh-CN/concepts/oauth.md                  |  115 +-
 docs/zh-CN/gateway/authentication.md          |  112 +-
 docs/zh-CN/gateway/configuration-reference.md | 3103 ++++++++++++++
 docs/zh-CN/gateway/configuration.md           | 3770 +++--------------
 docs/zh-CN/gateway/local-models.md            |   78 +-
 docs/zh-CN/gateway/multiple-gateways.md       |   78 +-
 docs/zh-CN/help/faq.md                        |    4 +-
 docs/zh-CN/install/exe-dev.md                 |   68 +-
 docs/zh-CN/install/index.md                   |  296 +-
 docs/zh-CN/install/installer.md               |  452 +-
 docs/zh-CN/install/macos-vm.md                |  158 +-
 docs/zh-CN/platforms/digitalocean.md          |  160 +-
 docs/zh-CN/platforms/index.md                 |   32 +-
 docs/zh-CN/platforms/linux.md                 |   35 +-
 docs/zh-CN/platforms/raspberry-pi.md          |  267 +-
 docs/zh-CN/platforms/windows.md               |  155 +-
 docs/zh-CN/providers/anthropic.md             |  200 +-
 docs/zh-CN/providers/cloudflare-ai-gateway.md |   78 +
 docs/zh-CN/providers/glm.md                   |   39 +-
 docs/zh-CN/providers/huggingface.md           |  216 +
 docs/zh-CN/providers/index.md                 |   46 +-
 docs/zh-CN/providers/kilocode.md              |   80 +
 docs/zh-CN/providers/litellm.md               |  160 +
 docs/zh-CN/providers/minimax.md               |  156 +-
 docs/zh-CN/providers/mistral.md               |   61 +
 docs/zh-CN/providers/models.md                |   40 +-
 docs/zh-CN/providers/moonshot.md              |   69 +-
 docs/zh-CN/providers/nvidia.md                |   62 +
 docs/zh-CN/providers/ollama.md                |  251 +-
 docs/zh-CN/providers/openai.md                |  282 +-
 docs/zh-CN/providers/opencode-go.md           |   52 +
 docs/zh-CN/providers/opencode.md              |   60 +-
 docs/zh-CN/providers/openrouter.md            |   21 +-
 docs/zh-CN/providers/qianfan.md               |   45 +-
 docs/zh-CN/providers/sglang.md                |  111 +
 docs/zh-CN/providers/synthetic.md             |   86 +-
 docs/zh-CN/providers/together.md              |   72 +
 docs/zh-CN/providers/venice.md                |  255 +-
 docs/zh-CN/providers/vercel-ai-gateway.md     |   35 +-
 docs/zh-CN/providers/xiaomi.md                |   25 +-
 docs/zh-CN/providers/zai.md                   |   42 +-
 docs/zh-CN/reference/wizard.md                |  243 +-
 docs/zh-CN/start/getting-started.md           |  271 +-
 docs/zh-CN/start/onboarding-overview.md       |   58 +
 docs/zh-CN/start/wizard-cli-automation.md     |  222 +
 docs/zh-CN/start/wizard-cli-reference.md      |  306 ++
 docs/zh-CN/start/wizard.md                    |  371 +-
 docs/zh-CN/tools/plugin.md                    | 1283 +++++-
 59 files changed, 10929 insertions(+), 6227 deletions(-)
 create mode 100644 docs/zh-CN/channels/synology-chat.md
 create mode 100644 docs/zh-CN/gateway/configuration-reference.md
 create mode 100644 docs/zh-CN/providers/cloudflare-ai-gateway.md
 create mode 100644 docs/zh-CN/providers/huggingface.md
 create mode 100644 docs/zh-CN/providers/kilocode.md
 create mode 100644 docs/zh-CN/providers/litellm.md
 create mode 100644 docs/zh-CN/providers/mistral.md
 create mode 100644 docs/zh-CN/providers/nvidia.md
 create mode 100644 docs/zh-CN/providers/opencode-go.md
 create mode 100644 docs/zh-CN/providers/sglang.md
 create mode 100644 docs/zh-CN/providers/together.md
 create mode 100644 docs/zh-CN/start/onboarding-overview.md
 create mode 100644 docs/zh-CN/start/wizard-cli-automation.md
 create mode 100644 docs/zh-CN/start/wizard-cli-reference.md

diff --git a/docs/zh-CN/automation/hooks.md b/docs/zh-CN/automation/hooks.md
index b5806e2bdd0..b0615569eec 100644
--- a/docs/zh-CN/automation/hooks.md
+++ b/docs/zh-CN/automation/hooks.md
@@ -1,60 +1,61 @@
 ---
 read_when:
-  - 你想为 /new、/reset、/stop 和智能体生命周期事件实现事件驱动自动化
-  - 你想构建、安装或调试 hooks
+  - 你希望为 `/new`、`/reset`、`/stop` 和智能体生命周期事件使用事件驱动自动化
+  - 你希望构建、安装或调试 Hooks
 summary: Hooks：用于命令和生命周期事件的事件驱动自动化
 title: Hooks
 x-i18n:
-  generated_at: "2026-02-03T07:50:59Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: 853227a0f1abd20790b425fa64dda60efc6b5f93c1b13ecd2dcb788268f71d79
+  generated_at: "2026-03-16T06:21:34Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: fc1370a05127d778eb685f687ee9a52062aa6f5c895e80152b9de41c3a02c592
   source_path: automation/hooks.md
   workflow: 15
 ---
 
 # Hooks
 
-Hooks 提供了一个可扩展的事件驱动系统，用于响应智能体命令和事件自动执行操作。Hooks 从目录中自动发现，可以通过 CLI 命令管理，类似于 OpenClaw 中 Skills 的工作方式。
+Hooks 提供了一个可扩展的事件驱动系统，用于在响应智能体命令和事件时自动执行操作。Hooks 会从目录中自动发现，并且可以通过 CLI 命令进行管理，方式与 OpenClaw 中的 Skills 类似。
 
-## 入门指南
+## 熟悉基础
 
-Hooks 是在事件发生时运行的小脚本。有两种类型：
+Hooks 是在某些事情发生时运行的小脚本。它们有两种类型：
 
-- **Hooks**（本页）：当智能体事件触发时在 Gateway 网关内运行，如 `/new`、`/reset`、`/stop` 或生命周期事件。
-- **Webhooks**：外部 HTTP webhooks，让其他系统触发 OpenClaw 中的工作。参见 [Webhook Hooks](/automation/webhook) 或使用 `openclaw webhooks` 获取 Gmail 助手命令。
+- **Hooks**（本页）：当智能体事件触发时，在 Gateway 网关内运行，例如 `/new`、`/reset`、`/stop` 或生命周期事件。
+- **Webhooks**：外部 HTTP webhook，可让其他系统在 OpenClaw 中触发工作。请参阅 [Webhook Hooks](/automation/webhook)，或使用 `openclaw webhooks` 获取 Gmail 辅助命令。
 
-Hooks 也可以捆绑在插件中；参见 [插件](/tools/plugin#plugin-hooks)。
+Hooks 也可以打包在插件中；请参阅 [Plugins](/tools/plugin#plugin-hooks)。
 
 常见用途：
 
-- 重置会话时保存记忆快照
-- 保留命令审计跟踪用于故障排除或合规
-- 会话开始或结束时触发后续自动化
-- 事件触发时向智能体工作区写入文件或调用外部 API
+- 当你重置会话时保存一份内存快照
+- 为故障排除或合规保留命令审计轨迹
+- 当会话开始或结束时触发后续自动化
+- 当事件触发时，将文件写入智能体工作区或调用外部 API
 
-如果你能写一个小的 TypeScript 函数，你就能写一个 hook。Hooks 会自动发现，你可以通过 CLI 启用或禁用它们。
+如果你会写一个小型 TypeScript 函数，你就能编写一个 hook。Hooks 会被自动发现，你可以通过 CLI 启用或禁用它们。
 
-## 概述
+## 概览
 
-hooks 系统允许你：
+Hooks 系统允许你：
 
-- 在发出 `/new` 时将会话上下文保存到记忆
+- 当发出 `/new` 时，将会话上下文保存到 memory
 - 记录所有命令以供审计
 - 在智能体生命周期事件上触发自定义自动化
 - 在不修改核心代码的情况下扩展 OpenClaw 的行为
 
-## 入门
+## 入门指南
 
-### 捆绑的 Hooks
+### 内置 Hooks
 
-OpenClaw 附带三个自动发现的捆绑 hooks：
+OpenClaw 自带四个会被自动发现的内置 hook：
 
-- **💾 session-memory**：当你发出 `/new` 时将会话上下文保存到智能体工作区（默认 `~/.openclaw/workspace/memory/`）
+- **💾 session-memory**：当你发出 `/new` 时，将会话上下文保存到你的智能体工作区（默认是 `~/.openclaw/workspace/memory/`）
+- **📎 bootstrap-extra-files**：在 `agent:bootstrap` 期间，从已配置的 glob/路径模式中注入额外的工作区引导文件
 - **📝 command-logger**：将所有命令事件记录到 `~/.openclaw/logs/commands.log`
 - **🚀 boot-md**：当 Gateway 网关启动时运行 `BOOT.md`（需要启用内部 hooks）
 
-列出可用的 hooks：
+列出可用 hooks：
 
 ```bash
 openclaw hooks list
@@ -80,35 +81,40 @@ openclaw hooks info session-memory
 
 ### 新手引导
 
-在新手引导期间（`openclaw onboard`），你将被提示启用推荐的 hooks。向导会自动发现符合条件的 hooks 并呈现供选择。
+在新手引导期间（`openclaw onboard`），系统会提示你启用推荐的 hooks。向导会自动发现符合条件的 hooks 并供你选择。
 
 ## Hook 发现
 
-Hooks 从三个目录自动发现（按优先级顺序）：
+Hooks 会从三个目录中自动发现（按优先级顺序）：
 
-1. **工作区 hooks**：`<workspace>/hooks/`（每智能体，最高优先级）
-2. **托管 hooks**：`~/.openclaw/hooks/`（用户安装，跨工作区共享）
-3. **捆绑 hooks**：`<openclaw>/dist/hooks/bundled/`（随 OpenClaw 附带）
+1. **工作区 hooks**：`<workspace>/hooks/`（每个智能体单独配置，优先级最高）
+2. **托管 hooks**：`~/.openclaw/hooks/`（用户安装，在各工作区之间共享）
+3. **内置 hooks**：`<openclaw>/dist/hooks/bundled/`（随 OpenClaw 一起提供）
 
-托管 hook 目录可以是**单个 hook** 或 **hook 包**（包目录）。
+托管 hook 目录既可以是 **单个 hook**，也可以是 **hook 包**（包目录）。
 
-每个 hook 是一个包含以下内容的目录：
+每个 hook 都是一个包含以下内容的目录：
 
 ```
 my-hook/
 ├── HOOK.md          # 元数据 + 文档
-└── handler.ts       # 处理程序实现
+└── handler.ts       # 处理器实现
 ```
 
-## Hook 包（npm/archives）
+## Hook 包（npm/归档）
 
-Hook 包是标准的 npm 包，通过 `package.json` 中的 `openclaw.hooks` 导出一个或多个 hooks。使用以下命令安装：
+Hook 包是标准的 npm 包，它们通过 `package.json` 中的 `openclaw.hooks` 导出一个或多个 hook。使用以下命令安装它们：
 
 ```bash
 openclaw hooks install <path-or-spec>
 ```
 
-示例 `package.json`：
+npm spec 仅支持注册表形式（包名 + 可选的精确版本或 dist-tag）。
+Git/URL/file spec 和 semver 范围会被拒绝。
+
+裸 spec 和 `@latest` 会保持在稳定轨道上。如果 npm 将其中任意一种解析为预发布版本，OpenClaw 会停止并要求你通过预发布标签（例如 `@beta`/`@rc`）或精确的预发布版本显式选择加入。
+
+`package.json` 示例：
 
 ```json
 {
@@ -120,19 +126,23 @@ openclaw hooks install <path-or-spec>
 }
 ```
 
-每个条目指向包含 `HOOK.md` 和 `handler.ts`（或 `index.ts`）的 hook 目录。
-Hook 包可以附带依赖；它们将安装在 `~/.openclaw/hooks/<id>` 下。
+每个条目都指向一个包含 `HOOK.md` 和 `handler.ts`（或 `index.ts`）的 hook 目录。
+Hook 包可以携带依赖；它们会安装到 `~/.openclaw/hooks/<id>` 下。
+每个 `openclaw.hooks` 条目在解析符号链接后都必须保持在包目录内部；超出目录范围的条目会被拒绝。
+
+安全说明：`openclaw hooks install` 会使用 `npm install --ignore-scripts` 安装依赖
+（不运行生命周期脚本）。请保持 hook 包依赖树为“纯 JS/TS”，并避免依赖 `postinstall` 构建的包。
 
 ## Hook 结构
 
 ### HOOK.md 格式
 
-`HOOK.md` 文件在 YAML frontmatter 中包含元数据，加上 Markdown 文档：
+`HOOK.md` 文件包含 YAML frontmatter 中的元数据以及 Markdown 文档：
 
 ```markdown
 ---
 name: my-hook
-description: "Short description of what this hook does"
+description: "关于此 hook 功能的简短描述"
 homepage: https://docs.openclaw.ai/automation/hooks#my-hook
 metadata:
   { "openclaw": { "emoji": "🔗", "events": ["command:new"], "requires": { "bins": ["node"] } } }
@@ -140,49 +150,47 @@ metadata:
 
 # My Hook
 
-Detailed documentation goes here...
+详细文档写在这里……
 
-## What It Does
+## 它的作用
 
-- Listens for `/new` commands
-- Performs some action
-- Logs the result
+- 监听 `/new` 命令
+- 执行某些操作
+- 记录结果
 
-## Requirements
+## 要求
 
-- Node.js must be installed
+- 必须安装 Node.js
 
-## Configuration
+## 配置
 
-No configuration needed.
+无需配置。
 ```
 
 ### 元数据字段
 
 `metadata.openclaw` 对象支持：
 
-- **`emoji`**：CLI 的显示表情符号（例如 `"💾"`）
+- **`emoji`**：CLI 显示用 emoji（例如 `"💾"`）
 - **`events`**：要监听的事件数组（例如 `["command:new", "command:reset"]`）
 - **`export`**：要使用的命名导出（默认为 `"default"`）
 - **`homepage`**：文档 URL
 - **`requires`**：可选要求
-  - **`bins`**：PATH 中需要的二进制文件（例如 `["git", "node"]`）
-  - **`anyBins`**：这些二进制文件中至少有一个必须存在
-  - **`env`**：需要的环境变量
-  - **`config`**：需要的配置路径（例如 `["workspace.dir"]`）
-  - **`os`**：需要的平台（例如 `["darwin", "linux"]`）
+  - **`bins`**：PATH 中必须存在的二进制文件（例如 `["git", "node"]`）
+  - **`anyBins`**：这些二进制文件中至少要存在一个
+  - **`env`**：必需的环境变量
+  - **`config`**：必需的配置路径（例如 `["workspace.dir"]`）
+  - **`os`**：支持的平台（例如 `["darwin", "linux"]`）
 - **`always`**：绕过资格检查（布尔值）
-- **`install`**：安装方法（对于捆绑 hooks：`[{"id":"bundled","kind":"bundled"}]`）
+- **`install`**：安装方式（对于内置 hooks：`[{"id":"bundled","kind":"bundled"}]`）
 
-### 处理程序实现
+### 处理器实现
 
-`handler.ts` 文件导出一个 `HookHandler` 函数：
+`handler.ts` 文件会导出一个 `HookHandler` 函数：
 
 ```typescript
-import type { HookHandler } from "../../src/hooks/hooks.js";
-
-const myHandler: HookHandler = async (event) => {
-  // Only trigger on 'new' command
+const myHandler = async (event) => {
+  // 仅在 'new' 命令时触发
   if (event.type !== "command" || event.action !== "new") {
     return;
   }
@@ -191,9 +199,9 @@ const myHandler: HookHandler = async (event) => {
   console.log(`  Session: ${event.sessionKey}`);
   console.log(`  Timestamp: ${event.timestamp.toISOString()}`);
 
-  // Your custom logic here
+  // 你的自定义逻辑写在这里
 
-  // Optionally send message to user
+  // 可选：向用户发送消息
   event.messages.push("✨ My hook executed!");
 };
 
@@ -202,24 +210,31 @@ export default myHandler;
 
 #### 事件上下文
 
-每个事件包含：
+每个事件都包含：
 
 ```typescript
 {
-  type: 'command' | 'session' | 'agent' | 'gateway',
-  action: string,              // e.g., 'new', 'reset', 'stop'
-  sessionKey: string,          // Session identifier
-  timestamp: Date,             // When the event occurred
-  messages: string[],          // Push messages here to send to user
+  type: 'command' | 'session' | 'agent' | 'gateway' | 'message',
+  action: string,              // 例如 'new'、'reset'、'stop'、'received'、'sent'
+  sessionKey: string,          // 会话标识符
+  timestamp: Date,             // 事件发生时间
+  messages: string[],          // 将消息推入这里以发送给用户
   context: {
+    // 命令事件：
     sessionEntry?: SessionEntry,
     sessionId?: string,
     sessionFile?: string,
-    commandSource?: string,    // e.g., 'whatsapp', 'telegram'
+    commandSource?: string,    // 例如 'whatsapp'、'telegram'
     senderId?: string,
     workspaceDir?: string,
     bootstrapFiles?: WorkspaceBootstrapFile[],
-    cfg?: OpenClawConfig
+    cfg?: OpenClawConfig,
+    // 消息事件（完整详情见“消息事件”部分）：
+    from?: string,             // message:received
+    to?: string,               // message:sent
+    content?: string,
+    channelId?: string,
+    success?: boolean,         // message:sent
   }
 }
 ```
@@ -228,28 +243,135 @@ export default myHandler;
 
 ### 命令事件
 
-当发出智能体命令时触发：
+在发出智能体命令时触发：
 
 - **`command`**：所有命令事件（通用监听器）
-- **`command:new`**：当发出 `/new` 命令时
-- **`command:reset`**：当发出 `/reset` 命令时
-- **`command:stop`**：当发出 `/stop` 命令时
+- **`command:new`**：发出 `/new` 命令时
+- **`command:reset`**：发出 `/reset` 命令时
+- **`command:stop`**：发出 `/stop` 命令时
+
+### 会话事件
+
+- **`session:compact:before`**：在压缩开始总结历史记录之前
+- **`session:compact:after`**：在压缩完成并带有摘要元数据之后
+
+内部 hook 负载会将这些事件表示为 `type: "session"`，并将 `action` 设为 `"compact:before"` / `"compact:after"`；监听器使用上面的组合键进行订阅。
+具体处理器注册使用字面量键格式 `${type}:${action}`。对于这些事件，请注册 `session:compact:before` 和 `session:compact:after`。
 
 ### 智能体事件
 
-- **`agent:bootstrap`**：在注入工作区引导文件之前（hooks 可以修改 `context.bootstrapFiles`）
+- **`agent:bootstrap`**：在工作区引导文件被注入之前（hooks 可以修改 `context.bootstrapFiles`）
 
 ### Gateway 网关事件
 
-当 Gateway 网关启动时触发：
+在 Gateway 网关启动时触发：
 
-- **`gateway:startup`**：在渠道启动和 hooks 加载之后
+- **`gateway:startup`**：在渠道启动且 hooks 已加载之后
+
+### 消息事件
+
+在消息被接收或发送时触发：
+
+- **`message`**：所有消息事件（通用监听器）
+- **`message:received`**：当从任意渠道收到入站消息时。在处理的早期阶段触发，此时媒体理解尚未完成。对于尚未处理的媒体附件，内容中可能包含类似 `<media:audio>` 的原始占位符。
+- **`message:transcribed`**：当一条消息已被完全处理，包括音频转写和链接理解时触发。此时，`transcript` 包含音频消息的完整转写文本。当你需要访问已转写的音频内容时，请使用此 hook。
+- **`message:preprocessed`**：在所有媒体 + 链接理解完成后，为每条消息触发，使 hooks 可以在智能体看到消息之前访问完全增强的正文（转写、图像描述、链接摘要）。
+- **`message:sent`**：当出站消息成功发送时
+
+#### 消息事件上下文
+
+消息事件包含关于消息的丰富上下文：
+
+```typescript
+// message:received context
+{
+  from: string,           // 发送者标识符（电话号码、用户 ID 等）
+  content: string,        // 消息内容
+  timestamp?: number,     // 接收时的 Unix 时间戳
+  channelId: string,      // 渠道（例如 "whatsapp"、"telegram"、"discord"）
+  accountId?: string,     // 多账号设置中的提供商账号 ID
+  conversationId?: string, // 聊天/会话 ID
+  messageId?: string,     // 提供商返回的消息 ID
+  metadata?: {            // 额外的提供商特定数据
+    to?: string,
+    provider?: string,
+    surface?: string,
+    threadId?: string,
+    senderId?: string,
+    senderName?: string,
+    senderUsername?: string,
+    senderE164?: string,
+  }
+}
+
+// message:sent context
+{
+  to: string,             // 接收者标识符
+  content: string,        // 已发送的消息内容
+  success: boolean,       // 发送是否成功
+  error?: string,         // 如果发送失败，则为错误消息
+  channelId: string,      // 渠道（例如 "whatsapp"、"telegram"、"discord"）
+  accountId?: string,     // 提供商账号 ID
+  conversationId?: string, // 聊天/会话 ID
+  messageId?: string,     // 提供商返回的消息 ID
+  isGroup?: boolean,      // 此出站消息是否属于群组/渠道上下文
+  groupId?: string,       // 用于与 message:received 关联的群组/渠道标识符
+}
+
+// message:transcribed context
+{
+  body?: string,          // 增强前的原始入站正文
+  bodyForAgent?: string,  // 对智能体可见的增强正文
+  transcript: string,     // 音频转写文本
+  channelId: string,      // 渠道（例如 "telegram"、"whatsapp"）
+  conversationId?: string,
+  messageId?: string,
+}
+
+// message:preprocessed context
+{
+  body?: string,          // 原始入站正文
+  bodyForAgent?: string,  // 媒体/链接理解后的最终增强正文
+  transcript?: string,    // 存在音频时的转写内容
+  channelId: string,      // 渠道（例如 "telegram"、"whatsapp"）
+  conversationId?: string,
+  messageId?: string,
+  isGroup?: boolean,
+  groupId?: string,
+}
+```
+
+#### 示例：消息记录器 Hook
+
+```typescript
+const isMessageReceivedEvent = (event: { type: string; action: string }) =>
+  event.type === "message" && event.action === "received";
+const isMessageSentEvent = (event: { type: string; action: string }) =>
+  event.type === "message" && event.action === "sent";
+
+const handler = async (event) => {
+  if (isMessageReceivedEvent(event as { type: string; action: string })) {
+    console.log(`[message-logger] Received from ${event.context.from}: ${event.context.content}`);
+  } else if (isMessageSentEvent(event as { type: string; action: string })) {
+    console.log(`[message-logger] Sent to ${event.context.to}: ${event.context.content}`);
+  }
+};
+
+export default handler;
+```
 
 ### 工具结果 Hooks（插件 API）
 
-这些 hooks 不是事件流监听器；它们让插件在 OpenClaw 持久化工具结果之前同步调整它们。
+这些 hooks 不是事件流监听器；它们允许插件在 OpenClaw 持久化工具结果之前同步调整工具结果。
 
-- **`tool_result_persist`**：在工具结果写入会话记录之前转换它们。必须是同步的；返回更新后的工具结果负载或 `undefined` 保持原样。参见 [智能体循环](/concepts/agent-loop)。
+- **`tool_result_persist`**：在工具结果写入会话转录之前对其进行转换。必须是同步的；返回更新后的工具结果负载，或返回 `undefined` 以保持原样。请参阅 [Agent Loop](/concepts/agent-loop)。
+
+### 插件 Hook 事件
+
+通过插件 hook 运行器公开的压缩生命周期 hooks：
+
+- **`before_compaction`**：在压缩前运行，并带有计数/token 元数据
+- **`after_compaction`**：在压缩后运行，并带有压缩摘要元数据
 
 ### 未来事件
 
@@ -258,14 +380,12 @@ export default myHandler;
 - **`session:start`**：当新会话开始时
 - **`session:end`**：当会话结束时
 - **`agent:error`**：当智能体遇到错误时
-- **`message:sent`**：当消息被发送时
-- **`message:received`**：当消息被接收时
 
 ## 创建自定义 Hooks
 
 ### 1. 选择位置
 
-- **工作区 hooks**（`<workspace>/hooks/`）：每智能体，最高优先级
+- **工作区 hooks**（`<workspace>/hooks/`）：每个智能体单独配置，优先级最高
 - **托管 hooks**（`~/.openclaw/hooks/`）：跨工作区共享
 
 ### 2. 创建目录结构
@@ -280,27 +400,25 @@ cd ~/.openclaw/hooks/my-hook
 ```markdown
 ---
 name: my-hook
-description: "Does something useful"
+description: "执行某些有用的事情"
 metadata: { "openclaw": { "emoji": "🎯", "events": ["command:new"] } }
 ---
 
 # My Custom Hook
 
-This hook does something useful when you issue `/new`.
+当你发出 `/new` 时，此 hook 会执行一些有用的事情。
 ```
 
 ### 4. 创建 handler.ts
 
 ```typescript
-import type { HookHandler } from "../../src/hooks/hooks.js";
-
-const handler: HookHandler = async (event) => {
+const handler = async (event) => {
   if (event.type !== "command" || event.action !== "new") {
     return;
   }
 
   console.log("[my-hook] Running!");
-  // Your logic here
+  // 你的逻辑写在这里
 };
 
 export default handler;
@@ -309,16 +427,16 @@ export default handler;
 ### 5. 启用并测试
 
 ```bash
-# Verify hook is discovered
+# 验证 hook 已被发现
 openclaw hooks list
 
-# Enable it
+# 启用它
 openclaw hooks enable my-hook
 
-# Restart your gateway process (menu bar app restart on macOS, or restart your dev process)
+# 重启你的 Gateway 网关进程（macOS 上重启菜单栏应用，或重启你的开发进程）
 
-# Trigger the event
-# Send /new via your messaging channel
+# 触发事件
+# 通过你的消息渠道发送 /new
 ```
 
 ## 配置
@@ -339,9 +457,9 @@ openclaw hooks enable my-hook
 }
 ```
 
-### 每 Hook 配置
+### 每个 Hook 的配置
 
-Hooks 可以有自定义配置：
+Hooks 可以具有自定义配置：
 
 ```json
 {
@@ -378,9 +496,9 @@ Hooks 可以有自定义配置：
 }
 ```
 
-### 遗留配置格式（仍然支持）
+### 旧版配置格式（仍受支持）
 
-旧配置格式仍然有效以保持向后兼容：
+旧配置格式仍可用于向后兼容：
 
 ```json
 {
@@ -399,74 +517,76 @@ Hooks 可以有自定义配置：
 }
 ```
 
-**迁移**：对新 hooks 使用基于发现的新系统。遗留处理程序在基于目录的 hooks 之后加载。
+注意：`module` 必须是相对于工作区的路径。绝对路径和超出工作区范围的遍历路径会被拒绝。
+
+**迁移**：对于新的 hooks，请使用基于发现的新系统。旧版 handlers 会在基于目录的 hooks 之后加载。
 
 ## CLI 命令
 
 ### 列出 Hooks
 
 ```bash
-# List all hooks
+# 列出所有 hooks
 openclaw hooks list
 
-# Show only eligible hooks
+# 仅显示符合条件的 hooks
 openclaw hooks list --eligible
 
-# Verbose output (show missing requirements)
+# 详细输出（显示缺失的要求）
 openclaw hooks list --verbose
 
-# JSON output
+# JSON 输出
 openclaw hooks list --json
 ```
 
 ### Hook 信息
 
 ```bash
-# Show detailed info about a hook
+# 显示某个 hook 的详细信息
 openclaw hooks info session-memory
 
-# JSON output
+# JSON 输出
 openclaw hooks info session-memory --json
 ```
 
 ### 检查资格
 
 ```bash
-# Show eligibility summary
+# 显示资格摘要
 openclaw hooks check
 
-# JSON output
+# JSON 输出
 openclaw hooks check --json
 ```
 
 ### 启用/禁用
 
 ```bash
-# Enable a hook
+# 启用一个 hook
 openclaw hooks enable session-memory
 
-# Disable a hook
+# 禁用一个 hook
 openclaw hooks disable command-logger
 ```
 
-## 捆绑的 Hooks
+## 内置 hook 参考
 
 ### session-memory
 
-当你发出 `/new` 时将会话上下文保存到记忆。
+当你发出 `/new` 时，将会话上下文保存到 memory。
 
 **事件**：`command:new`
 
 **要求**：必须配置 `workspace.dir`
 
-**输出**：`<workspace>/memory/YYYY-MM-DD-slug.md`（默认为 `~/.openclaw/workspace`）
+**输出**：`<workspace>/memory/YYYY-MM-DD-slug.md`（默认是 `~/.openclaw/workspace`）
 
-**功能**：
+**它的作用**：
 
-1. 使用预重置会话条目定位正确的记录
-2. 提取最后 15 行对话
-3. 使用 LLM 生成描述性文件名 slug
-4. 将会话元数据保存到带日期的记忆文件
+1. 使用重置前的会话条目定位正确的转录
+2. 提取最近 15 行对话
+3. 使用 LLM 生成描述性的文件名 slug
+4. 将会话元数据保存到带日期的 memory 文件中
 
 **示例输出**：
 
@@ -482,7 +602,7 @@ openclaw hooks disable command-logger
 
 - `2026-01-16-vendor-pitch.md`
 - `2026-01-16-api-design.md`
-- `2026-01-16-1430.md`（如果 slug 生成失败则回退到时间戳）
+- `2026-01-16-1430.md`（如果 slug 生成失败，则回退为时间戳）
 
 **启用**：
 
@@ -490,9 +610,50 @@ openclaw hooks disable command-logger
 openclaw hooks enable session-memory
 ```
 
+### bootstrap-extra-files
+
+在 `agent:bootstrap` 期间注入额外的引导文件（例如 monorepo 本地的 `AGENTS.md` / `TOOLS.md`）。
+
+**事件**：`agent:bootstrap`
+
+**要求**：必须配置 `workspace.dir`
+
+**输出**：不写入文件；仅在内存中修改引导上下文。
+
+**配置**：
+
+```json
+{
+  "hooks": {
+    "internal": {
+      "enabled": true,
+      "entries": {
+        "bootstrap-extra-files": {
+          "enabled": true,
+          "paths": ["packages/*/AGENTS.md", "packages/*/TOOLS.md"]
+        }
+      }
+    }
+  }
+}
+```
+
+**说明**：
+
+- 路径相对于工作区解析。
+- 文件必须保持在工作区内部（通过 realpath 检查）。
+- 仅加载已识别的引导基础文件名。
+- 会保留子智能体允许列表（仅 `AGENTS.md` 和 `TOOLS.md`）。
+
+**启用**：
+
+```bash
+openclaw hooks enable bootstrap-extra-files
+```
+
 ### command-logger
 
-将所有命令事件记录到集中审计文件。
+将所有命令事件记录到集中式审计文件。
 
 **事件**：`command`
 
@@ -500,10 +661,10 @@ openclaw hooks enable session-memory
 
 **输出**：`~/.openclaw/logs/commands.log`
 
-**功能**：
+**它的作用**：
 
 1. 捕获事件详情（命令操作、时间戳、会话键、发送者 ID、来源）
-2. 以 JSONL 格式追加到日志文件
+2. 以 JSONL 格式附加到日志文件
 3. 在后台静默运行
 
 **示例日志条目**：
@@ -516,13 +677,13 @@ openclaw hooks enable session-memory
 **查看日志**：
 
 ```bash
-# View recent commands
+# 查看最近的命令
 tail -n 20 ~/.openclaw/logs/commands.log
 
-# Pretty-print with jq
+# 使用 jq 美化输出
 cat ~/.openclaw/logs/commands.log | jq .
 
-# Filter by action
+# 按操作筛选
 grep '"action":"new"' ~/.openclaw/logs/commands.log | jq .
 ```
 
@@ -534,18 +695,18 @@ openclaw hooks enable command-logger
 
 ### boot-md
 
-当 Gateway 网关启动时运行 `BOOT.md`（在渠道启动之后）。
-必须启用内部 hooks 才能运行。
+当 Gateway 网关启动时（渠道启动之后）运行 `BOOT.md`。
+必须启用内部 hooks，此功能才会运行。
 
 **事件**：`gateway:startup`
 
 **要求**：必须配置 `workspace.dir`
 
-**功能**：
+**它的作用**：
 
 1. 从你的工作区读取 `BOOT.md`
-2. 通过智能体运行器运行指令
-3. 通过 message 工具发送任何请求的出站消息
+2. 通过智能体运行器执行其中的指令
+3. 通过消息工具发送任何请求的出站消息
 
 **启用**：
 
@@ -555,26 +716,26 @@ openclaw hooks enable boot-md
 
 ## 最佳实践
 
-### 保持处理程序快速
+### 保持处理器快速
 
-Hooks 在命令处理期间运行。保持它们轻量：
+Hooks 在命令处理期间运行。请保持其轻量：
 
 ```typescript
-// ✓ Good - async work, returns immediately
+// ✓ 好 - 异步工作，立即返回
 const handler: HookHandler = async (event) => {
-  void processInBackground(event); // Fire and forget
+  void processInBackground(event); // 触发后不等待
 };
 
-// ✗ Bad - blocks command processing
+// ✗ 差 - 阻塞命令处理
 const handler: HookHandler = async (event) => {
   await slowDatabaseQuery(event);
   await evenSlowerAPICall(event);
 };
 ```
 
-### 优雅处理错误
+### 优雅地处理错误
 
-始终包装有风险的操作：
+始终包装高风险操作：
 
 ```typescript
 const handler: HookHandler = async (event) => {
@@ -582,112 +743,117 @@ const handler: HookHandler = async (event) => {
     await riskyOperation(event);
   } catch (err) {
     console.error("[my-handler] Failed:", err instanceof Error ? err.message : String(err));
-    // Don't throw - let other handlers run
+    // 不要抛出错误 - 让其他处理器继续运行
   }
 };
 ```
 
 ### 尽早过滤事件
 
-如果事件不相关则尽早返回：
+如果事件不相关，请尽早返回：
 
 ```typescript
 const handler: HookHandler = async (event) => {
-  // Only handle 'new' commands
+  // 仅处理 'new' 命令
   if (event.type !== "command" || event.action !== "new") {
     return;
   }
 
-  // Your logic here
+  // 你的逻辑写在这里
 };
 ```
 
-### 使用特定事件键
+### 使用具体事件键
 
-尽可能在元数据中指定确切事件：
+如果可能，请在元数据中指定精确事件：
 
 ```yaml
-metadata: { "openclaw": { "events": ["command:new"] } } # Specific
+metadata: { "openclaw": { "events": ["command:new"] } } # 精确
 ```
 
 而不是：
 
 ```yaml
-metadata: { "openclaw": { "events": ["command"] } } # General - more overhead
+metadata: { "openclaw": { "events": ["command"] } } # 通用 - 开销更大
 ```
 
 ## 调试
 
 ### 启用 Hook 日志
 
-Gateway 网关在启动时记录 hook 加载：
+Gateway 网关会在启动时记录 hook 加载情况：
 
 ```
 Registered hook: session-memory -> command:new
+Registered hook: bootstrap-extra-files -> agent:bootstrap
 Registered hook: command-logger -> command
 Registered hook: boot-md -> gateway:startup
 ```
 
-### 检查发现
+### 检查发现情况
 
-列出所有发现的 hooks：
+列出所有已发现的 hooks：
 
 ```bash
 openclaw hooks list --verbose
 ```
 
-### 检查注册
+### 检查注册情况
 
-在你的处理程序中，记录它被调用的时间：
+在你的处理器中，记录它何时被调用：
 
 ```typescript
 const handler: HookHandler = async (event) => {
   console.log("[my-handler] Triggered:", event.type, event.action);
-  // Your logic
+  // 你的逻辑
 };
 ```
 
 ### 验证资格
 
-检查为什么 hook 不符合条件：
+检查某个 hook 为什么不符合条件：
 
 ```bash
 openclaw hooks info my-hook
 ```
 
-在输出中查找缺失的要求。
+查看输出中缺失的要求。
 
 ## 测试
 
 ### Gateway 网关日志
 
-监控 Gateway 网关日志以查看 hook 执行：
+监控 Gateway 网关日志以查看 hook 执行情况：
 
 ```bash
 # macOS
 ./scripts/clawlog.sh -f
 
-# Other platforms
+# 其他平台
 tail -f ~/.openclaw/gateway.log
 ```
 
 ### 直接测试 Hooks
 
-隔离测试你的处理程序：
+单独测试你的 handlers：
 
 ```typescript
 import { test } from "vitest";
-import { createHookEvent } from "./src/hooks/hooks.js";
 import myHandler from "./hooks/my-hook/handler.js";
 
 test("my handler works", async () => {
-  const event = createHookEvent("command", "new", "test-session", {
-    foo: "bar",
-  });
+  const event = {
+    type: "command",
+    action: "new",
+    sessionKey: "test-session",
+    timestamp: new Date(),
+    messages: [],
+    context: { foo: "bar" },
+  };
 
   await myHandler(event);
 
-  // Assert side effects
+  // 断言副作用
 });
 ```
 
@@ -696,8 +862,8 @@ test("my handler works", async () => {
 ### 核心组件
 
 - **`src/hooks/types.ts`**：类型定义
-- **`src/hooks/workspace.ts`**：目录扫描和加载
-- **`src/hooks/frontmatter.ts`**：HOOK.md 元数据解析
+- **`src/hooks/workspace.ts`**：目录扫描与加载
+- **`src/hooks/frontmatter.ts`**：`HOOK.md` 元数据解析
 - **`src/hooks/config.ts`**：资格检查
 - **`src/hooks/hooks-status.ts`**：状态报告
 - **`src/hooks/loader.ts`**：动态模块加载器
@@ -710,15 +876,15 @@ test("my handler works", async () => {
 ```
 Gateway 网关启动
     ↓
-扫描目录（工作区 → 托管 → 捆绑）
+扫描目录（工作区 → 托管 → 内置）
     ↓
 解析 HOOK.md 文件
     ↓
 检查资格（bins、env、config、os）
     ↓
-从符合条件的 hooks 加载处理程序
+从符合条件的 hooks 加载 handlers
     ↓
-为事件注册处理程序
+为事件注册 handlers
 ```
 
 ### 事件流程
@@ -726,11 +892,11 @@ Gateway 网关启动
 ```
 用户发送 /new
     ↓
-命令验证
+命令校验
     ↓
 创建 hook 事件
     ↓
-触发 hook（所有注册的处理程序）
+触发 hook（所有已注册的 handlers）
     ↓
 命令处理继续
     ↓
@@ -745,17 +911,18 @@ Gateway 网关启动
 
    ```bash
    ls -la ~/.openclaw/hooks/my-hook/
-   # Should show: HOOK.md, handler.ts
+   # 应显示：HOOK.md, handler.ts
    ```
 
 2. 验证 HOOK.md 格式：
 
    ```bash
    cat ~/.openclaw/hooks/my-hook/HOOK.md
-   # Should have YAML frontmatter with name and metadata
+   # 应包含带有 name 和 metadata 的 YAML frontmatter
    ```
 
-3. 列出所有发现的 hooks：
+3. 列出所有已发现的 hooks：
+
    ```bash
    openclaw hooks list
    ```
@@ -768,12 +935,12 @@ Gateway 网关启动
 openclaw hooks info my-hook
 ```
 
-查找缺失的：
+查看是否缺少：
 
 - 二进制文件（检查 PATH）
 - 环境变量
 - 配置值
-- 操作系统兼容性
+- OS 兼容性
 
 ### Hook 未执行
 
@@ -781,30 +948,31 @@ openclaw hooks info my-hook
 
    ```bash
    openclaw hooks list
-   # Should show ✓ next to enabled hooks
+   # 应在已启用的 hooks 旁显示 ✓
    ```
 
 2. 重启你的 Gateway 网关进程以重新加载 hooks。
 
 3. 检查 Gateway 网关日志中的错误：
+
    ```bash
    ./scripts/clawlog.sh | grep hook
    ```
 
-### 处理程序错误
+### 处理器错误
 
 检查 TypeScript/import 错误：
 
 ```bash
-# Test import directly
+# 直接测试导入
 node -e "import('./path/to/handler.ts').then(console.log)"
 ```
 
 ## 迁移指南
 
-### 从遗留配置到发现
+### 从旧版配置迁移到发现机制
 
-**之前**：
+**迁移前**：
 
 ```json
 {
@@ -822,7 +990,7 @@ node -e "import('./path/to/handler.ts').then(console.log)"
 }
 ```
 
-**之后**：
+**迁移后**：
 
 1. 创建 hook 目录：
 
@@ -836,13 +1004,13 @@ node -e "import('./path/to/handler.ts').then(console.log)"
    ```markdown
    ---
    name: my-hook
-   description: "My custom hook"
+   description: "我的自定义 hook"
    metadata: { "openclaw": { "emoji": "🎯", "events": ["command:new"] } }
    ---
 
    # My Hook
 
-   Does something useful.
+   执行某些有用的事情。
    ```
 
 3. 更新配置：
@@ -861,9 +1029,10 @@ node -e "import('./path/to/handler.ts').then(console.log)"
    ```
 
 4. 验证并重启你的 Gateway 网关进程：
+
    ```bash
    openclaw hooks list
-   # Should show: 🎯 my-hook ✓
+   # 应显示：🎯 my-hook ✓
    ```
 
 **迁移的好处**：
@@ -876,7 +1045,7 @@ node -e "import('./path/to/handler.ts').then(console.log)"
 
 ## 另请参阅
 
-- [CLI 参考：hooks](/cli/hooks)
-- [捆绑 Hooks README](https://github.com/openclaw/openclaw/tree/main/src/hooks/bundled)
+- [CLI Reference: hooks](/cli/hooks)
+- [Bundled Hooks README](https://github.com/openclaw/openclaw/tree/main/src/hooks/bundled)
 - [Webhook Hooks](/automation/webhook)
-- [配置](/gateway/configuration#hooks)
+- [Configuration](/gateway/configuration#hooks)
diff --git a/docs/zh-CN/channels/bluebubbles.md b/docs/zh-CN/channels/bluebubbles.md
index 4ee4cb71e3e..b7f8534065b 100644
--- a/docs/zh-CN/channels/bluebubbles.md
+++ b/docs/zh-CN/channels/bluebubbles.md
@@ -6,34 +6,35 @@ read_when:
 summary: 通过 BlueBubbles macOS 服务器使用 iMessage（REST 发送/接收、输入状态、回应、配对、高级操作）。
 title: BlueBubbles
 x-i18n:
-  generated_at: "2026-02-03T10:04:52Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: 3aae277a8bec479800a7f6268bfbca912c65a4aadc6e513694057fb873597b69
+  generated_at: "2026-03-16T06:21:08Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 877592bf7b9b06abdddd7567d56e756eff229d6ffa5056ef33fa3356086aa580
   source_path: channels/bluebubbles.md
   workflow: 15
 ---
 
 # BlueBubbles（macOS REST）
 
-状态：内置插件，通过 HTTP 与 BlueBubbles macOS 服务器通信。由于其更丰富的 API 和更简便的设置，**推荐用于 iMessage 集成**，优于旧版 imsg 渠道。
+状态：内置插件，通过 HTTP 与 BlueBubbles macOS 服务器通信。由于其 API 更丰富且设置比旧版 imsg 渠道更简单，**推荐用于 iMessage 集成**。
 
-## 概述
+## 概览
 
 - 通过 BlueBubbles 辅助应用在 macOS 上运行（[bluebubbles.app](https://bluebubbles.app)）。
-- 推荐/已测试版本：macOS Sequoia (15)。macOS Tahoe (26) 可用；但在 Tahoe 上编辑功能目前不可用，群组图标更新可能显示成功但实际未同步。
-- OpenClaw 通过其 REST API 与之通信（`GET /api/v1/ping`、`POST /message/text`、`POST /chat/:id/*`）。
-- 传入消息通过 webhook 到达；发出的回复、输入指示器、已读回执和 tapback 均为 REST 调用。
-- 附件和贴纸作为入站媒体被接收（并在可能时呈现给智能体）。
-- 配对/白名单的工作方式与其他渠道相同（`/channels/pairing` 等），使用 `channels.bluebubbles.allowFrom` + 配对码。
-- 回应作为系统事件呈现，与 Slack/Telegram 类似，智能体可以在回复前"提及"它们。
+- 推荐/已测试：macOS Sequoia（15）。macOS Tahoe（26）可用；目前编辑功能在 Tahoe 上已损坏，群组图标更新可能会报告成功但不会同步。
+- OpenClaw 通过其 REST API 与其通信（`GET /api/v1/ping`、`POST /message/text`、`POST /chat/:id/*`）。
+- 传入消息通过 webhook 到达；传出回复、输入状态指示、已读回执和 tapback 都通过 REST 调用完成。
+- 附件和贴纸会作为入站媒体接收（并在可能时展示给智能体）。
+- 配对/allowlist 的工作方式与其他渠道相同（`/channels/pairing` 等），使用 `channels.bluebubbles.allowFrom` + 配对码。
+- 回应会像 Slack/Telegram 一样作为系统事件呈现，因此智能体可以在回复前“提及”它们。
 - 高级功能：编辑、撤回、回复线程、消息效果、群组管理。
 
 ## 快速开始
 
-1. 在你的 Mac 上安装 BlueBubbles 服务器（按照 [bluebubbles.app/install](https://bluebubbles.app/install) 的说明操作）。
-2. 在 BlueBubbles 配置中，启用 web API 并设置密码。
+1. 在你的 Mac 上安装 BlueBubbles 服务器（按照 [bluebubbles.app/install](https://bluebubbles.app/install) 上的说明操作）。
+2. 在 BlueBubbles 配置中启用 Web API 并设置密码。
 3. 运行 `openclaw onboard` 并选择 BlueBubbles，或手动配置：
+
    ```json5
    {
      channels: {
@@ -46,8 +47,89 @@ x-i18n:
      },
    }
    ```
+
 4. 将 BlueBubbles webhook 指向你的 Gateway 网关（示例：`https://your-gateway-host:3000/bluebubbles-webhook?password=<password>`）。
-5. 启动 Gateway 网关；它将注册 webhook 处理程序并开始配对。
+5. 启动 Gateway 网关；它会注册 webhook 处理器并开始配对。
+
+安全说明：
+
+- 始终设置 webhook 密码。
+- 始终要求进行 webhook 身份验证。无论 loopback/代理拓扑如何，除非 BlueBubbles webhook 请求包含与 `channels.bluebubbles.password` 匹配的 password/guid（例如 `?password=<password>` 或 `x-password`），否则 OpenClaw 会拒绝该请求。
+- 在读取/解析完整 webhook 请求体之前就会检查密码身份验证。
+
+## 保持 Messages.app 处于活动状态（VM / 无头设置）
+
+某些 macOS VM / 常开设置可能会导致 Messages.app 进入“空闲”状态（传入事件会停止，直到应用被打开/切到前台）。一个简单的解决方法是使用 AppleScript + LaunchAgent **每 5 分钟“触碰”一次 Messages**。
+
+### 1）保存 AppleScript
+
+将以下内容保存为：
+
+- `~/Scripts/poke-messages.scpt`
+
+示例脚本（非交互式；不会抢占焦点）：
+
+```applescript
+try
+  tell application "Messages"
+    if not running then
+      launch
+    end if
+
+    -- Touch the scripting interface to keep the process responsive.
+    set _chatCount to (count of chats)
+  end tell
+on error
+  -- Ignore transient failures (first-run prompts, locked session, etc).
+end try
+```
+
+### 2）安装 LaunchAgent
+
+将以下内容保存为：
+
+- `~/Library/LaunchAgents/com.user.poke-messages.plist`
+
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>Label</key>
+    <string>com.user.poke-messages</string>
+
+    <key>ProgramArguments</key>
+    <array>
+      <string>/bin/bash</string>
+      <string>-lc</string>
+      <string>/usr/bin/osascript &quot;$HOME/Scripts/poke-messages.scpt&quot;</string>
+    </array>
+
+    <key>RunAtLoad</key>
+    <true/>
+
+    <key>StartInterval</key>
+    <integer>300</integer>
+
+    <key>StandardOutPath</key>
+    <string>/tmp/poke-messages.log</string>
+    <key>StandardErrorPath</key>
+    <string>/tmp/poke-messages.err</string>
+  </dict>
+</plist>
+```
+
+说明：
+
+- 这会**每 300 秒**运行一次，并且**在登录时**运行。
+- 首次运行可能会触发 macOS 的**自动化**权限提示（`osascript` → Messages）。请在运行该 LaunchAgent 的同一用户会话中批准这些提示。
+
+加载它：
+
+```bash
+launchctl unload ~/Library/LaunchAgents/com.user.poke-messages.plist 2>/dev/null || true
+launchctl load ~/Library/LaunchAgents/com.user.poke-messages.plist
+```
 
 ## 新手引导
 
@@ -60,10 +142,10 @@ openclaw onboard
 向导会提示输入：
 
 - **服务器 URL**（必填）：BlueBubbles 服务器地址（例如 `http://192.168.1.100:1234`）
-- **密码**（必填）：来自 BlueBubbles 服务器设置的 API 密码
+- **密码**（必填）：来自 BlueBubbles Server 设置的 API 密码
 - **Webhook 路径**（可选）：默认为 `/bluebubbles-webhook`
-- **私信策略**：配对、白名单、开放或禁用
-- **白名单**：电话号码、电子邮件或聊天目标
+- **私信策略**：pairing、allowlist、open 或 disabled
+- **允许列表**：电话号码、电子邮件或聊天目标
 
 你也可以通过 CLI 添加 BlueBubbles：
 
@@ -75,12 +157,12 @@ openclaw channels add bluebubbles --http-url http://192.168.1.100:1234 --passwor
 
 私信：
 
-- 默认：`channels.bluebubbles.dmPolicy = "pairing"`。
-- 未知发送者会收到配对码；在批准之前消息会被忽略（配对码 1 小时后过期）。
-- 批准方式：
+- 默认值：`channels.bluebubbles.dmPolicy = "pairing"`。
+- 未知发送者会收到一个配对码；在获得批准前，消息会被忽略（代码 1 小时后过期）。
+- 通过以下方式批准：
   - `openclaw pairing list bluebubbles`
   - `openclaw pairing approve bluebubbles <CODE>`
-- 配对是默认的令牌交换方式。详情：[配对](/channels/pairing)
+- 配对是默认的令牌交换方式。详情见：[配对](/channels/pairing)
 
 群组：
 
@@ -89,13 +171,13 @@ openclaw channels add bluebubbles --http-url http://192.168.1.100:1234 --passwor
 
 ### 提及门控（群组）
 
-BlueBubbles 支持群聊的提及门控，与 iMessage/WhatsApp 行为一致：
+BlueBubbles 支持群聊中的提及门控，与 iMessage/WhatsApp 的行为一致：
 
 - 使用 `agents.list[].groupChat.mentionPatterns`（或 `messages.groupChat.mentionPatterns`）检测提及。
-- 当群组启用 `requireMention` 时，智能体仅在被提及时响应。
+- 当某个群组启用 `requireMention` 时，智能体只有在被提及时才会响应。
 - 来自授权发送者的控制命令会绕过提及门控。
 
-单群组配置：
+每群组配置：
 
 ```json5
 {
@@ -104,8 +186,8 @@ BlueBubbles 支持群聊的提及门控，与 iMessage/WhatsApp 行为一致：
       groupPolicy: "allowlist",
       groupAllowFrom: ["+15555550123"],
       groups: {
-        "*": { requireMention: true }, // 所有群组的默认设置
-        "iMessage;-;chat123": { requireMention: false }, // 特定群组的覆盖设置
+        "*": { requireMention: true }, // 所有群组的默认值
+        "iMessage;-;chat123": { requireMention: false }, // 对特定群组覆盖
       },
     },
   },
@@ -115,14 +197,14 @@ BlueBubbles 支持群聊的提及门控，与 iMessage/WhatsApp 行为一致：
 ### 命令门控
 
 - 控制命令（例如 `/config`、`/model`）需要授权。
-- 使用 `allowFrom` 和 `groupAllowFrom` 确定命令授权。
-- 授权发送者即使在群组中未被提及也可以运行控制命令。
+- 使用 `allowFrom` 和 `groupAllowFrom` 来判断命令授权。
+- 授权发送者即使在群组中未提及，也可以运行控制命令。
 
 ## 输入状态 + 已读回执
 
-- **输入指示器**：在响应生成前和生成期间自动发送。
+- **输入状态指示**：会在生成响应之前和期间自动发送。
 - **已读回执**：由 `channels.bluebubbles.sendReadReceipts` 控制（默认：`true`）。
-- **输入指示器**：OpenClaw 发送输入开始事件；BlueBubbles 在发送或超时时自动清除输入状态（通过 DELETE 手动停止不可靠）。
+- **输入状态指示**：OpenClaw 会发送输入开始事件；BlueBubbles 会在发送后或超时后自动清除输入状态（通过 DELETE 手动停止并不可靠）。
 
 ```json5
 {
@@ -136,7 +218,7 @@ BlueBubbles 支持群聊的提及门控，与 iMessage/WhatsApp 行为一致：
 
 ## 高级操作
 
-BlueBubbles 在配置中启用时支持高级消息操作：
+在配置中启用后，BlueBubbles 支持高级消息操作：
 
 ```json5
 {
@@ -144,15 +226,15 @@ BlueBubbles 在配置中启用时支持高级消息操作：
     bluebubbles: {
       actions: {
         reactions: true, // tapback（默认：true）
-        edit: true, // 编辑已发送消息（macOS 13+，在 macOS 26 Tahoe 上不可用）
+        edit: true, // 编辑已发送消息（macOS 13+，在 macOS 26 Tahoe 上已损坏）
         unsend: true, // 撤回消息（macOS 13+）
-        reply: true, // 通过消息 GUID 进行回复线程
+        reply: true, // 按消息 GUID 回复线程
         sendWithEffect: true, // 消息效果（slam、loud 等）
         renameGroup: true, // 重命名群聊
         setGroupIcon: true, // 设置群聊图标/照片（在 macOS 26 Tahoe 上不稳定）
-        addParticipant: true, // 将参与者添加到群组
+        addParticipant: true, // 向群组添加参与者
         removeParticipant: true, // 从群组移除参与者
-        leaveGroup: true, // 离开群聊
+        leaveGroup: true, // 退出群聊
         sendAttachment: true, // 发送附件/媒体
       },
     },
@@ -163,37 +245,37 @@ BlueBubbles 在配置中启用时支持高级消息操作：
 可用操作：
 
 - **react**：添加/移除 tapback 回应（`messageId`、`emoji`、`remove`）
-- **edit**：编辑已发送的消息（`messageId`、`text`）
+- **edit**：编辑已发送消息（`messageId`、`text`）
 - **unsend**：撤回消息（`messageId`）
 - **reply**：回复特定消息（`messageId`、`text`、`to`）
 - **sendWithEffect**：带 iMessage 效果发送（`text`、`to`、`effectId`）
 - **renameGroup**：重命名群聊（`chatGuid`、`displayName`）
-- **setGroupIcon**：设置群聊图标/照片（`chatGuid`、`media`）— 在 macOS 26 Tahoe 上不稳定（API 可能返回成功但图标未同步）。
-- **addParticipant**：将某人添加到群组（`chatGuid`、`address`）
-- **removeParticipant**：将某人从群组移除（`chatGuid`、`address`）
-- **leaveGroup**：离开群聊（`chatGuid`）
+- **setGroupIcon**：设置群聊图标/照片（`chatGuid`、`media`）——在 macOS 26 Tahoe 上不稳定（API 可能返回成功，但图标不会同步）。
+- **addParticipant**：向群组添加某人（`chatGuid`、`address`）
+- **removeParticipant**：从群组移除某人（`chatGuid`、`address`）
+- **leaveGroup**：退出群聊（`chatGuid`）
 - **sendAttachment**：发送媒体/文件（`to`、`buffer`、`filename`、`asVoice`）
-  - 语音备忘录：将 `asVoice: true` 与 **MP3** 或 **CAF** 音频一起设置，以 iMessage 语音消息形式发送。BlueBubbles 在发送语音备忘录时会将 MP3 转换为 CAF。
+  - 语音备忘录：将 `asVoice: true` 与 **MP3** 或 **CAF** 音频一起设置，即可作为 iMessage 语音消息发送。BlueBubbles 在发送语音备忘录时会将 MP3 转换为 CAF。
 
-### 消息 ID（短格式 vs 完整格式）
+### 消息 ID（短 ID 与完整 ID）
 
 OpenClaw 可能会显示*短*消息 ID（例如 `1`、`2`）以节省 token。
 
 - `MessageSid` / `ReplyToId` 可以是短 ID。
 - `MessageSidFull` / `ReplyToIdFull` 包含提供商的完整 ID。
-- 短 ID 存储在内存中；它们可能在重启或缓存清除后过期。
-- 操作接受短或完整的 `messageId`，但如果短 ID 不再可用将会报错。
+- 短 ID 存在于内存中；它们可能会在重启或缓存清除后失效。
+- 操作接受短或完整 `messageId`，但如果短 ID 不再可用，就会报错。
 
 对于持久化自动化和存储，请使用完整 ID：
 
 - 模板：`{{MessageSidFull}}`、`{{ReplyToIdFull}}`
 - 上下文：入站负载中的 `MessageSidFull` / `ReplyToIdFull`
 
-参见[配置](/gateway/configuration)了解模板变量。
+模板变量请参见[配置](/gateway/configuration)。
 
 ## 分块流式传输
 
-控制响应是作为单条消息发送还是分块流式传输：
+控制响应是作为单条消息发送，还是按块流式发送：
 
 ```json5
 {
@@ -208,8 +290,8 @@ OpenClaw 可能会显示*短*消息 ID（例如 `1`、`2`）以节省 token。
 ## 媒体 + 限制
 
 - 入站附件会被下载并存储在媒体缓存中。
-- 媒体上限通过 `channels.bluebubbles.mediaMaxMb` 设置（默认：8 MB）。
-- 出站文本按 `channels.bluebubbles.textChunkLimit` 分块（默认：4000 字符）。
+- 通过 `channels.bluebubbles.mediaMaxMb` 控制入站和出站媒体大小上限（默认：8 MB）。
+- 出站文本会按 `channels.bluebubbles.textChunkLimit` 分块（默认：4000 个字符）。
 
 ## 配置参考
 
@@ -217,22 +299,23 @@ OpenClaw 可能会显示*短*消息 ID（例如 `1`、`2`）以节省 token。
 
 提供商选项：
 
-- `channels.bluebubbles.enabled`：启用/禁用渠道。
+- `channels.bluebubbles.enabled`：启用/禁用该渠道。
 - `channels.bluebubbles.serverUrl`：BlueBubbles REST API 基础 URL。
 - `channels.bluebubbles.password`：API 密码。
 - `channels.bluebubbles.webhookPath`：Webhook 端点路径（默认：`/bluebubbles-webhook`）。
 - `channels.bluebubbles.dmPolicy`：`pairing | allowlist | open | disabled`（默认：`pairing`）。
-- `channels.bluebubbles.allowFrom`：私信白名单（句柄、电子邮件、E.164 号码、`chat_id:*`、`chat_guid:*`）。
+- `channels.bluebubbles.allowFrom`：私信 allowlist（handle、电子邮件、E.164 号码、`chat_id:*`、`chat_guid:*`）。
 - `channels.bluebubbles.groupPolicy`：`open | allowlist | disabled`（默认：`allowlist`）。
-- `channels.bluebubbles.groupAllowFrom`：群组发送者白名单。
-- `channels.bluebubbles.groups`：单群组配置（`requireMention` 等）。
+- `channels.bluebubbles.groupAllowFrom`：群组发送者 allowlist。
+- `channels.bluebubbles.groups`：每群组配置（`requireMention` 等）。
 - `channels.bluebubbles.sendReadReceipts`：发送已读回执（默认：`true`）。
-- `channels.bluebubbles.blockStreaming`：启用分块流式传输（默认：`false`；流式回复必需）。
-- `channels.bluebubbles.textChunkLimit`：出站分块大小（字符）（默认：4000）。
-- `channels.bluebubbles.chunkMode`：`length`（默认）仅在超过 `textChunkLimit` 时分割；`newline` 在长度分块前先按空行（段落边界）分割。
-- `channels.bluebubbles.mediaMaxMb`：入站媒体上限（MB）（默认：8）。
-- `channels.bluebubbles.historyLimit`：上下文的最大群组消息数（0 表示禁用）。
-- `channels.bluebubbles.dmHistoryLimit`：私信历史限制。
+- `channels.bluebubbles.blockStreaming`：启用分块流式传输（默认：`false`；流式回复所必需）。
+- `channels.bluebubbles.textChunkLimit`：出站分块大小（按字符计，默认：4000）。
+- `channels.bluebubbles.chunkMode`：`length`（默认）仅在超过 `textChunkLimit` 时拆分；`newline` 会先按空行（段落边界）拆分，再按长度分块。
+- `channels.bluebubbles.mediaMaxMb`：入站/出站媒体大小上限（MB，默认：8）。
+- `channels.bluebubbles.mediaLocalRoots`：允许用于出站本地媒体路径的绝对本地目录显式 allowlist。默认情况下，本地路径发送会被拒绝，除非配置了此项。每账户覆盖：`channels.bluebubbles.accounts.<accountId>.mediaLocalRoots`。
+- `channels.bluebubbles.historyLimit`：用于上下文的最大群组消息数（0 表示禁用）。
+- `channels.bluebubbles.dmHistoryLimit`：私信历史记录上限。
 - `channels.bluebubbles.actions`：启用/禁用特定操作。
 - `channels.bluebubbles.accounts`：多账户配置。
 
@@ -241,31 +324,31 @@ OpenClaw 可能会显示*短*消息 ID（例如 `1`、`2`）以节省 token。
 - `agents.list[].groupChat.mentionPatterns`（或 `messages.groupChat.mentionPatterns`）。
 - `messages.responsePrefix`。
 
-## 地址 / 投递目标
+## 寻址 / 送达目标
 
-优先使用 `chat_guid` 以获得稳定的路由：
+优先使用 `chat_guid` 以获得稳定路由：
 
-- `chat_guid:iMessage;-;+15555550123`（群组推荐）
+- `chat_guid:iMessage;-;+15555550123`（群组首选）
 - `chat_id:123`
 - `chat_identifier:...`
-- 直接句柄：`+15555550123`、`user@example.com`
-  - 如果直接句柄没有现有的私信聊天，OpenClaw 将通过 `POST /api/v1/chat/new` 创建一个。这需要启用 BlueBubbles Private API。
+- 直接 handle：`+15555550123`、`user@example.com`
+  - 如果某个直接 handle 没有现有私信聊天，OpenClaw 会通过 `POST /api/v1/chat/new` 创建一个。这要求启用 BlueBubbles Private API。
 
-## 安全性
+## 安全
 
-- Webhook 请求通过比较 `guid`/`password` 查询参数或头部与 `channels.bluebubbles.password` 进行身份验证。来自 `localhost` 的请求也会被接受。
-- 保持 API 密码和 webhook 端点的机密性（将它们视为凭证）。
-- localhost 信任意味着同主机的反向代理可能无意中绕过密码验证。如果你使用代理 Gateway 网关，请在代理处要求身份验证并配置 `gateway.trustedProxies`。参见 [Gateway 网关安全性](/gateway/security#reverse-proxy-configuration)。
-- 如果将 BlueBubbles 服务器暴露在局域网之外，请启用 HTTPS + 防火墙规则。
+- 通过将查询参数或请求头中的 `guid`/`password` 与 `channels.bluebubbles.password` 进行比较来验证 webhook 请求。来自 `localhost` 的请求也会被接受。
+- 请妥善保管 API 密码和 webhook 端点（将它们视为凭证）。
+- 对 localhost 的信任意味着同主机上的反向代理可能会无意中绕过密码。如果你对 Gateway 网关进行了代理，请在代理层要求身份验证，并配置 `gateway.trustedProxies`。请参见 [Gateway 网关安全](/gateway/security#reverse-proxy-configuration)。
+- 如果要在局域网外暴露 BlueBubbles 服务器，请启用 HTTPS + 防火墙规则。
 
 ## 故障排除
 
-- 如果输入/已读事件停止工作，请检查 BlueBubbles webhook 日志并验证 Gateway 网关路径是否与 `channels.bluebubbles.webhookPath` 匹配。
-- 配对码在一小时后过期；使用 `openclaw pairing list bluebubbles` 和 `openclaw pairing approve bluebubbles <code>`。
-- 回应需要 BlueBubbles private API（`POST /api/v1/message/react`）；确保服务器版本支持它。
-- 编辑/撤回需要 macOS 13+ 和兼容的 BlueBubbles 服务器版本。在 macOS 26（Tahoe）上，由于 private API 变更，编辑功能目前不可用。
-- 在 macOS 26（Tahoe）上群组图标更新可能不稳定：API 可能返回成功但新图标未同步。
-- OpenClaw 会根据 BlueBubbles 服务器的 macOS 版本自动隐藏已知不可用的操作。如果在 macOS 26（Tahoe）上编辑仍然显示，请使用 `channels.bluebubbles.actions.edit=false` 手动禁用。
-- 查看状态/健康信息：`openclaw status --all` 或 `openclaw status --deep`。
+- 如果输入状态/已读事件停止工作，请检查 BlueBubbles webhook 日志，并验证 Gateway 网关路径与 `channels.bluebubbles.webhookPath` 一致。
+- 配对码会在一小时后过期；使用 `openclaw pairing list bluebubbles` 和 `openclaw pairing approve bluebubbles <code>`。
+- 回应需要 BlueBubbles private API（`POST /api/v1/message/react`）；请确保服务器版本提供该接口。
+- 编辑/撤回需要 macOS 13+ 以及兼容的 BlueBubbles 服务器版本。在 macOS 26（Tahoe）上，由于 private API 变更，编辑功能目前已损坏。
+- 群组图标更新在 macOS 26（Tahoe）上可能不稳定：API 可能返回成功，但新图标不会同步。
+- OpenClaw 会根据 BlueBubbles 服务器的 macOS 版本自动隐藏已知损坏的操作。如果在 macOS 26（Tahoe）上仍显示编辑操作，请手动使用 `channels.bluebubbles.actions.edit=false` 禁用它。
+- 状态/健康信息请使用：`openclaw status --all` 或 `openclaw status --deep`。
 
-有关通用渠道工作流参考，请参阅[渠道](/channels)和[插件](/tools/plugin)指南。
+有关通用渠道工作流程参考，请参见 [Channels](/channels) 和 [Plugins](/tools/plugin) 指南。
diff --git a/docs/zh-CN/channels/feishu.md b/docs/zh-CN/channels/feishu.md
index 6a8d8633af9..af561e3a8ea 100644
--- a/docs/zh-CN/channels/feishu.md
+++ b/docs/zh-CN/channels/feishu.md
@@ -1,22 +1,29 @@
 ---
-summary: "飞书机器人支持状态、功能和配置"
 read_when:
-  - 您想要连接飞书机器人
-  - 您正在配置飞书渠道
+  - 你想连接一个飞书/Lark 机器人
+  - 你正在配置飞书渠道
+summary: 飞书机器人概览、功能和配置
 title: 飞书
+x-i18n:
+  generated_at: "2026-03-16T06:21:11Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 951e78c5c7264471382f863fa896a15ddeaf0717ef782da20d0f1b3eb23396ba
+  source_path: channels/feishu.md
+  workflow: 15
 ---
 
 # 飞书机器人
 
-状态：生产就绪，支持机器人私聊和群组。使用 WebSocket 长连接模式接收消息。
+飞书（Lark）是企业用于消息沟通与协作的团队聊天平台。此插件通过平台的 WebSocket 事件订阅将 OpenClaw 连接到飞书/Lark 机器人，因此无需暴露公共 webhook URL 即可接收消息。
 
 ---
 
-## 内置插件
+## 捆绑插件
 
-当前版本的 OpenClaw 已内置 Feishu 插件，因此通常不需要单独安装。
+飞书随当前的 OpenClaw 版本一同捆绑提供，因此无需单独安装插件。
 
-如果你使用的是较旧版本，或是没有内置 Feishu 的自定义安装，可手动安装：
+如果你使用的是较旧版本，或使用了不包含捆绑飞书的自定义安装，请手动安装：
 
 ```bash
 openclaw plugins install @openclaw/feishu
@@ -26,75 +33,75 @@ openclaw plugins install @openclaw/feishu
 
 ## 快速开始
 
-添加飞书渠道有两种方式：
+有两种方式可添加飞书渠道：
 
-### 方式一：通过安装向导添加（推荐）
+### 方法 1：设置向导（推荐）
 
-如果您刚安装完 OpenClaw，可以直接运行向导，根据提示添加飞书：
+如果你刚安装 OpenClaw，请运行设置向导：
 
 ```bash
 openclaw onboard
 ```
 
-向导会引导您完成：
+向导会引导你完成以下步骤：
 
-1. 创建飞书应用并获取凭证
-2. 配置应用凭证
-3. 启动网关
+1. 创建飞书应用并收集凭证
+2. 在 OpenClaw 中配置应用凭证
+3. 启动 Gateway 网关
 
-✅ **完成配置后**，您可以使用以下命令检查网关状态：
+✅ **配置完成后**，检查 Gateway 网关状态：
 
-- `openclaw gateway status` - 查看网关运行状态
-- `openclaw logs --follow` - 查看实时日志
+- `openclaw gateway status`
+- `openclaw logs --follow`
 
-### 方式二：通过命令行添加
+### 方法 2：CLI 设置
 
-如果您已经完成了初始安装，可以用以下命令添加飞书渠道：
+如果你已经完成初始安装，可通过 CLI 添加该渠道：
 
 ```bash
 openclaw channels add
 ```
 
-然后根据交互式提示选择 Feishu，输入 App ID 和 App Secret 即可。
+选择 **Feishu**，然后输入 App ID 和 App Secret。
 
-✅ **完成配置后**，您可以使用以下命令管理网关：
+✅ **配置完成后**，管理 Gateway 网关：
 
-- `openclaw gateway status` - 查看网关运行状态
-- `openclaw gateway restart` - 重启网关以应用新配置
-- `openclaw logs --follow` - 查看实时日志
+- `openclaw gateway status`
+- `openclaw gateway restart`
+- `openclaw logs --follow`
 
 ---
 
-## 第一步：创建飞书应用
+## 第 1 步：创建飞书应用
 
 ### 1. 打开飞书开放平台
 
-访问 [飞书开放平台](https://open.feishu.cn/app)，使用飞书账号登录。
+访问 [Feishu Open Platform](https://open.feishu.cn/app) 并登录。
 
-Lark（国际版）请使用 https://open.larksuite.com/app，并在配置中设置 `domain: "lark"`。
+Lark（国际版）租户应使用 [https://open.larksuite.com/app](https://open.larksuite.com/app)，并在飞书配置中设置 `domain: "lark"`。
 
 ### 2. 创建应用
 
-1. 点击 **创建企业自建应用**
+1. 点击 **Create enterprise app**
 2. 填写应用名称和描述
 3. 选择应用图标
 
-![创建企业自建应用](/images/feishu-step2-create-app.png)
+![Create enterprise app](../images/feishu-step2-create-app.png)
 
-### 3. 获取应用凭证
+### 3. 复制凭证
 
-在应用的 **凭证与基础信息** 页面，复制：
+在 **Credentials & Basic Info** 中，复制：
 
-- **App ID**（格式如 `cli_xxx`）
+- **App ID**（格式：`cli_xxx`）
 - **App Secret**
 
-❗ **重要**：请妥善保管 App Secret，不要分享给他人。
+❗ **重要：**请将 App Secret 妥善保密。
 
-![获取应用凭证](/images/feishu-step3-credentials.png)
+![Get credentials](../images/feishu-step3-credentials.png)
 
-### 4. 配置应用权限
+### 4. 配置权限
 
-在 **权限管理** 页面，点击 **批量导入** 按钮，粘贴以下 JSON 配置一键导入所需权限：
+在 **Permissions** 中，点击 **Batch import** 并粘贴：
 
 ```json
 {
@@ -105,81 +112,71 @@ Lark（国际版）请使用 https://open.larksuite.com/app，并在配置中设
       "application:application.app_message_stats.overview:readonly",
       "application:application:self_manage",
       "application:bot.menu:write",
+      "cardkit:card:read",
       "cardkit:card:write",
       "contact:user.employee_id:readonly",
       "corehr:file:download",
-      "docs:document.content:read",
       "event:ip_list",
-      "im:chat",
       "im:chat.access_event.bot_p2p_chat:read",
       "im:chat.members:bot_access",
       "im:message",
       "im:message.group_at_msg:readonly",
-      "im:message.group_msg",
       "im:message.p2p_msg:readonly",
       "im:message:readonly",
       "im:message:send_as_bot",
-      "im:resource",
-      "sheets:spreadsheet",
-      "wiki:wiki:readonly"
+      "im:resource"
     ],
     "user": ["aily:file:read", "aily:file:write", "im:chat.access_event.bot_p2p_chat:read"]
   }
 }
 ```
 
-![配置应用权限](/images/feishu-step4-permissions.png)
+![Configure permissions](../images/feishu-step4-permissions.png)
 
 ### 5. 启用机器人能力
 
-在 **应用能力** > **机器人** 页面：
+在 **App Capability** > **Bot** 中：
 
-1. 开启机器人能力
-2. 配置机器人名称
+1. 启用机器人能力
+2. 设置机器人名称
 
-![启用机器人能力](/images/feishu-step5-bot-capability.png)
+![Enable bot capability](../images/feishu-step5-bot-capability.png)
 
 ### 6. 配置事件订阅
 
-⚠️ **重要提醒**：在配置事件订阅前，请务必确保已完成以下步骤：
+⚠️ **重要：**在设置事件订阅前，请确保：
 
-1. 运行 `openclaw channels add` 添加了 Feishu 渠道
-2. 网关处于启动状态（可通过 `openclaw gateway status` 检查状态）
+1. 你已经为飞书运行过 `openclaw channels add`
+2. Gateway 网关正在运行（`openclaw gateway status`）
 
-在 **事件订阅** 页面：
+在 **Event Subscription** 中：
 
-1. 选择 **使用长连接接收事件**（WebSocket 模式）
-2. 添加事件：
-   - `im.message.receive_v1`
-   - `im.message.reaction.created_v1`
-   - `im.message.reaction.deleted_v1`
-   - `application.bot.menu_v6`
+1. 选择 **Use long connection to receive events**（WebSocket）
+2. 添加事件：`im.message.receive_v1`
 
-⚠️ **注意**：如果网关未启动或渠道未添加，长连接设置将保存失败。
+⚠️ 如果 Gateway 网关未运行，长连接设置可能无法保存。
 
-![配置事件订阅](/images/feishu-step6-event-subscription.png)
+![Configure event subscription](../images/feishu-step6-event-subscription.png)
 
 ### 7. 发布应用
 
-1. 在 **版本管理与发布** 页面创建版本
+1. 在 **Version Management & Release** 中创建版本
 2. 提交审核并发布
-3. 等待管理员审批（企业自建应用通常自动通过）
+3. 等待管理员批准（企业应用通常会自动批准）
 
 ---
 
-## 第二步：配置 OpenClaw
+## 第 2 步：配置 OpenClaw
 
-### 通过向导配置（推荐）
-
-运行以下命令，根据提示粘贴 App ID 和 App Secret：
+### 使用向导配置（推荐）
 
 ```bash
 openclaw channels add
 ```
 
-选择 **Feishu**，然后输入您在第一步获取的凭证即可。
+选择 **Feishu**，然后粘贴你的 App ID 和 App Secret。
 
-### 通过配置文件配置
+### 通过配置文件进行配置
 
 编辑 `~/.openclaw/openclaw.json`：
 
@@ -193,7 +190,7 @@ openclaw channels add
         main: {
           appId: "cli_xxx",
           appSecret: "xxx",
-          botName: "我的AI助手",
+          botName: "My AI assistant",
         },
       },
     },
@@ -201,18 +198,20 @@ openclaw channels add
 }
 ```
 
-若使用 `connectionMode: "webhook"`，需设置 `verificationToken`。飞书 Webhook 服务默认绑定 `127.0.0.1`；仅在需要不同监听地址时设置 `webhookHost`。
+如果你使用 `connectionMode: "webhook"`，请同时设置 `verificationToken` 和 `encryptKey`。飞书 webhook 服务器默认绑定到 `127.0.0.1`；只有在你明确需要不同绑定地址时，才设置 `webhookHost`。
 
-#### 获取 Verification Token（仅 Webhook 模式）
+#### Verification Token 和 Encrypt Key（webhook 模式）
 
-使用 Webhook 模式时，需在配置中设置 `channels.feishu.verificationToken`。获取方式：
+使用 webhook 模式时，请在配置中同时设置 `channels.feishu.verificationToken` 和 `channels.feishu.encryptKey`。获取这些值的方法如下：
 
-1. 在飞书开放平台打开您的应用
-2. 进入 **开发配置** → **事件与回调**
-3. 打开 **加密策略** 选项卡
-4. 复制 **Verification Token**（校验令牌）
+1. 在飞书开放平台中，打开你的应用
+2. 前往 **Development** → **Events & Callbacks**（开发配置 → 事件与回调）
+3. 打开 **Encryption** 标签页（加密策略）
+4. 复制 **Verification Token** 和 **Encrypt Key**
 
-![Verification Token 位置](/images/feishu-verification-token.png)
+下图展示了 **Verification Token** 的位置。**Encrypt Key** 位于同一个 **Encryption** 区域中。
+
+![Verification Token location](../images/feishu-verification-token.png)
 
 ### 通过环境变量配置
 
@@ -223,7 +222,7 @@ export FEISHU_APP_SECRET="xxx"
 
 ### Lark（国际版）域名
 
-如果您的租户在 Lark（国际版），请设置域名为 `lark`（或完整域名），可配置 `channels.feishu.domain` 或 `channels.feishu.accounts.<id>.domain`：
+如果你的租户位于 Lark（国际版），请将域名设置为 `lark`（或完整域名字串）。你可以在 `channels.feishu.domain` 设置，也可以按账户设置（`channels.feishu.accounts.<id>.domain`）。
 
 ```json5
 {
@@ -241,14 +240,14 @@ export FEISHU_APP_SECRET="xxx"
 }
 ```
 
-### 配额优化
+### 配额优化标志
 
-可通过以下可选配置减少飞书 API 调用：
+你可以使用两个可选标志来减少飞书 API 使用量：
 
-- `typingIndicator`（默认 `true`）：设为 `false` 时不发送“正在输入”状态。
-- `resolveSenderNames`（默认 `true`）：设为 `false` 时不拉取发送者资料。
+- `typingIndicator`（默认 `true`）：设为 `false` 时，跳过“正在输入”反应调用。
+- `resolveSenderNames`（默认 `true`）：设为 `false` 时，跳过发送者资料查询调用。
 
-可在渠道级或账号级配置：
+你可以在顶层或按账户进行设置：
 
 ```json5
 {
@@ -271,9 +270,9 @@ export FEISHU_APP_SECRET="xxx"
 
 ---
 
-## 第三步：启动并测试
+## 第 3 步：启动并测试
 
-### 1. 启动网关
+### 1. 启动 Gateway 网关
 
 ```bash
 openclaw gateway
@@ -281,74 +280,74 @@ openclaw gateway
 
 ### 2. 发送测试消息
 
-在飞书中找到您创建的机器人，发送一条消息。
+在飞书中找到你的机器人并发送一条消息。
 
-### 3. 配对授权
+### 3. 批准配对
 
-默认情况下，机器人会回复一个 **配对码**。您需要批准此代码：
+默认情况下，机器人会回复一个配对码。批准它：
 
 ```bash
-openclaw pairing approve feishu <配对码>
+openclaw pairing approve feishu <CODE>
 ```
 
-批准后即可正常对话。
+批准后，你就可以正常聊天了。
 
 ---
 
-## 介绍
+## 概览
 
-- **飞书机器人渠道**：由网关管理的飞书机器人
-- **确定性路由**：回复始终返回飞书，模型不会选择渠道
-- **会话隔离**：私聊共享主会话；群组独立隔离
-- **WebSocket 连接**：使用飞书 SDK 的长连接模式，无需公网 URL
+- **飞书机器人渠道**：由 Gateway 网关管理的飞书机器人
+- **确定性路由**：回复始终返回到飞书
+- **会话隔离**：私信共享主会话；群组彼此隔离
+- **WebSocket 连接**：通过飞书 SDK 建立长连接，无需公共 URL
 
 ---
 
 ## 访问控制
 
-### 私聊访问
+### 私信
 
-- **默认**：`dmPolicy: "pairing"`，陌生用户会收到配对码
+- **默认**：`dmPolicy: "pairing"`（未知用户会收到配对码）
 - **批准配对**：
-  ```bash
-  openclaw pairing list feishu      # 查看待审批列表
-  openclaw pairing approve feishu <CODE>  # 批准
-  ```
-- **白名单模式**：通过 `channels.feishu.allowFrom` 配置允许的用户 Open ID
 
-### 群组访问
+  ```bash
+  openclaw pairing list feishu
+  openclaw pairing approve feishu <CODE>
+  ```
+
+- **Allowlist 模式**：设置 `channels.feishu.allowFrom`，填入允许的 Open ID
+
+### 群聊
 
 **1. 群组策略**（`channels.feishu.groupPolicy`）：
 
-- `"open"` = 允许群组中所有人（默认）
-- `"allowlist"` = 仅允许 `groupAllowFrom` 中的群组
-- `"disabled"` = 禁用群组消息
+- `"open"` = 允许群组中的所有人（默认）
+- `"allowlist"` = 仅允许 `groupAllowFrom`
+- `"disabled"` = 禁用群消息
 
-**2. @提及要求**（`channels.feishu.groups.<chat_id>.requireMention`）：
+**2. 提及要求**（`channels.feishu.groups.<chat_id>.requireMention`）：
 
-- `true` = 需要 @机器人才响应（默认）
-- `false` = 无需 @也响应
+- `true` = 需要 @ 提及（默认）
+- `false` = 无需提及也会回复
 
 ---
 
 ## 群组配置示例
 
-### 允许所有群组，需要 @提及（默认行为）
+### 允许所有群组，要求 @ 提及（默认）
 
 ```json5
 {
   channels: {
     feishu: {
       groupPolicy: "open",
-      // 默认 requireMention: true
+      // Default requireMention: true
     },
   },
 }
 ```
 
-### 允许所有群组，无需 @提及
-
-需要为特定群组配置：
+### 允许所有群组，无需 @ 提及
 
 ```json5
 {
@@ -369,16 +368,16 @@ openclaw pairing approve feishu <配对码>
   channels: {
     feishu: {
       groupPolicy: "allowlist",
-      // 群组 ID 格式为 oc_xxx
+      // Feishu group IDs (chat_id) look like: oc_xxx
       groupAllowFrom: ["oc_xxx", "oc_yyy"],
     },
   },
 }
 ```
 
-### 仅允许特定成员在群组中发信（发送者白名单）
+### 限制哪些发送者可以在群组中发消息（发送者 allowlist）
 
-除群组白名单外，该群组内**所有消息**均按发送者 open_id 校验：仅 `groups.<chat_id>.allowFrom` 中列出的用户消息会被处理，其他成员的消息会被忽略（此为发送者级白名单，不仅针对 /reset、/new 等控制命令）。
+除了允许群组本身外，该群组中的**所有消息**还会按发送者 `open_id` 进行限制：只有列在 `groups.<chat_id>.allowFrom` 中的用户，其消息才会被处理；其他成员发送的消息会被忽略（这是完整的发送者级限制，而不只是对 `/reset` 或 `/new` 等控制命令生效）。
 
 ```json5
 {
@@ -388,7 +387,7 @@ openclaw pairing approve feishu <配对码>
       groupAllowFrom: ["oc_xxx"],
       groups: {
         oc_xxx: {
-          // 用户 open_id 格式为 ou_xxx
+          // Feishu user IDs (open_id) look like: ou_xxx
           allowFrom: ["ou_user1", "ou_user2"],
         },
       },
@@ -401,29 +400,31 @@ openclaw pairing approve feishu <配对码>
 
 ## 获取群组/用户 ID
 
-### 获取群组 ID（chat_id）
+### 群组 ID（`chat_id`）
 
-群组 ID 格式为 `oc_xxx`，可以通过以下方式获取：
+群组 ID 看起来像 `oc_xxx`。
 
-**方法一**（推荐）：
+**方法 1（推荐）**
 
-1. 启动网关并在群组中 @机器人发消息
-2. 运行 `openclaw logs --follow` 查看日志中的 `chat_id`
+1. 启动 Gateway 网关并在群里 @ 提及机器人
+2. 运行 `openclaw logs --follow` 并查找 `chat_id`
 
-**方法二**：
-使用飞书 API 调试工具获取机器人所在群组列表。
+**方法 2**
 
-### 获取用户 ID（open_id）
+使用飞书 API 调试器列出群聊。
 
-用户 ID 格式为 `ou_xxx`，可以通过以下方式获取：
+### 用户 ID（`open_id`）
 
-**方法一**（推荐）：
+用户 ID 看起来像 `ou_xxx`。
 
-1. 启动网关并给机器人发消息
-2. 运行 `openclaw logs --follow` 查看日志中的 `open_id`
+**方法 1（推荐）**
 
-**方法二**：
-查看配对请求列表，其中包含用户的 Open ID：
+1. 启动 Gateway 网关并向机器人发送私信
+2. 运行 `openclaw logs --follow` 并查找 `open_id`
+
+**方法 2**
+
+检查配对请求中的用户 Open ID：
 
 ```bash
 openclaw pairing list feishu
@@ -433,65 +434,61 @@ openclaw pairing list feishu
 
 ## 常用命令
 
-| 命令      | 说明           |
+| Command   | Description    |
 | --------- | -------------- |
-| `/status` | 查看机器人状态 |
-| `/reset`  | 重置对话会话   |
-| `/model`  | 查看/切换模型  |
+| `/status` | 显示机器人状态 |
+| `/reset`  | 重置会话       |
+| `/model`  | 显示/切换模型  |
 
-飞书机器人菜单建议直接在飞书开放平台的机器人能力页面配置。OpenClaw 当前支持接收 `application.bot.menu_v6` 事件，并把点击事件转换成普通文本命令（例如 `/menu <eventKey>`）继续走现有消息路由，但不通过渠道配置自动创建或同步菜单。
+> 注意：飞书暂不支持原生命令菜单，因此命令必须以文本形式发送。
 
-## 网关管理命令
+## Gateway 网关管理命令
 
-在配置和使用飞书渠道时，您可能需要使用以下网关管理命令：
-
-| 命令                       | 说明              |
-| -------------------------- | ----------------- |
-| `openclaw gateway status`  | 查看网关运行状态  |
-| `openclaw gateway install` | 安装/启动网关服务 |
-| `openclaw gateway stop`    | 停止网关服务      |
-| `openclaw gateway restart` | 重启网关服务      |
-| `openclaw logs --follow`   | 实时查看日志输出  |
+| Command                    | Description                |
+| -------------------------- | -------------------------- |
+| `openclaw gateway status`  | 显示 Gateway 网关状态      |
+| `openclaw gateway install` | 安装/启动 Gateway 网关服务 |
+| `openclaw gateway stop`    | 停止 Gateway 网关服务      |
+| `openclaw gateway restart` | 重启 Gateway 网关服务      |
+| `openclaw logs --follow`   | 跟踪 Gateway 网关日志      |
 
 ---
 
 ## 故障排除
 
-### 机器人在群组中不响应
+### 机器人在群聊中没有响应
 
-1. 检查机器人是否已添加到群组
-2. 检查是否 @了机器人（默认需要 @提及）
-3. 检查 `groupPolicy` 是否为 `"disabled"`
-4. 查看日志：`openclaw logs --follow`
+1. 确保机器人已加入群组
+2. 确保你 @ 提及了机器人（默认行为）
+3. 检查 `groupPolicy` 未设置为 `"disabled"`
+4. 检查日志：`openclaw logs --follow`
 
-### 机器人收不到消息
+### 机器人未接收到消息
 
-1. 检查应用是否已发布并审批通过
-2. 检查事件订阅是否配置正确（`im.message.receive_v1`）
-3. 检查是否选择了 **长连接** 模式
-4. 检查应用权限是否完整
-5. 检查网关是否正在运行：`openclaw gateway status`
-6. 查看实时日志：`openclaw logs --follow`
+1. 确保应用已发布并获批准
+2. 确保事件订阅包含 `im.message.receive_v1`
+3. 确保已启用**长连接**
+4. 确保应用权限完整
+5. 确保 Gateway 网关正在运行：`openclaw gateway status`
+6. 检查日志：`openclaw logs --follow`
 
-### App Secret 泄露怎么办
+### App Secret 泄露
 
-1. 在飞书开放平台重置 App Secret
-2. 更新配置文件中的 App Secret
-3. 重启网关
+1. 在飞书开放平台中重置 App Secret
+2. 在你的配置中更新 App Secret
+3. 重启 Gateway 网关
 
-### 发送消息失败
+### 消息发送失败
 
-1. 检查应用是否有 `im:message:send_as_bot` 权限
-2. 检查应用是否已发布
-3. 查看日志获取详细错误信息
+1. 确保应用具有 `im:message:send_as_bot` 权限
+2. 确保应用已发布
+3. 查看日志以获取详细错误信息
 
 ---
 
 ## 高级配置
 
-### 多账号配置
-
-如果需要管理多个飞书机器人，可配置 `defaultAccount` 指定出站未显式指定 `accountId` 时使用的账号：
+### 多账户
 
 ```json5
 {
@@ -502,13 +499,13 @@ openclaw pairing list feishu
         main: {
           appId: "cli_xxx",
           appSecret: "xxx",
-          botName: "主机器人",
+          botName: "Primary bot",
         },
         backup: {
           appId: "cli_yyy",
           appSecret: "yyy",
-          botName: "备用机器人",
-          enabled: false, // 暂时禁用
+          botName: "Backup bot",
+          enabled: false,
         },
       },
     },
@@ -516,104 +513,102 @@ openclaw pairing list feishu
 }
 ```
 
+`defaultAccount` 用于控制当出站 API 未显式指定 `accountId` 时，使用哪个飞书账户。
+
 ### 消息限制
 
-- `textChunkLimit`：出站文本分块大小（默认 2000 字符）
-- `mediaMaxMb`：媒体上传/下载限制（默认 30MB）
+- `textChunkLimit`：出站文本分块大小（默认：2000 个字符）
+- `mediaMaxMb`：媒体上传/下载限制（默认：30 MB）
 
-### 流式输出
+### 流式传输
 
-飞书支持通过交互式卡片实现流式输出，机器人会实时更新卡片内容显示生成进度。默认配置：
+飞书通过交互式卡片支持流式回复。启用后，机器人会在生成文本时更新卡片。
 
 ```json5
 {
   channels: {
     feishu: {
       streaming: true, // 启用流式卡片输出（默认 true）
-      blockStreamingCoalesce: {
-        enabled: true,
-        minDelayMs: 50,
-        maxDelayMs: 250,
-      },
+      blockStreaming: true, // 启用分块流式传输（默认 true）
     },
   },
 }
 ```
 
-如需禁用流式输出（等待完整回复后一次性发送），可设置 `streaming: false`。
+将 `streaming: false` 设为等待完整回复生成后再发送。
 
-### 交互式卡片
+### ACP 会话
 
-OpenClaw 默认会在需要时发送 Markdown 卡片；如果你需要完整的 Feishu 原生交互式卡片，也可以显式发送原始 `card` payload。
+飞书支持以下 ACP 场景：
 
-- 默认路径：文本自动渲染或 Markdown 卡片
-- 显式卡片：通过消息动作的 `card` 参数发送原始交互卡片
-- 更新卡片：同一消息支持后续 patch/update
+- 私信
+- 群组话题会话
 
-卡片按钮回调当前走文本回退路径：
+飞书 ACP 由文本命令驱动。没有原生斜杠命令菜单，因此请直接在会话中使用 `/acp ...` 消息。
 
-- 若 `action.value.text` 存在，则作为入站文本继续处理
-- 若 `action.value.command` 存在，则作为命令文本继续处理
-- 其他对象值会序列化为 JSON 文本
+#### 持久化 ACP 绑定
 
-这样可以保持与现有消息/命令路由兼容，而不要求下游先理解 Feishu 专有的交互 payload。
-
-### 表情反应
-
-飞书渠道现已完整支持表情反应生命周期：
-
-- 接收 `reaction created`
-- 接收 `reaction deleted`
-- 主动添加反应
-- 主动删除自身反应
-- 查询消息上的反应列表
-
-是否把入站反应转成内部消息，可通过 `reactionNotifications` 控制：
-
-| 值    | 行为                         |
-| ----- | ---------------------------- |
-| `off` | 不生成反应通知               |
-| `own` | 仅当反应发生在机器人消息上时 |
-| `all` | 所有可验证的反应都生成通知   |
-
-### 消息引用
-
-在群聊中，机器人的回复可以引用用户发送的原始消息，让对话上下文更加清晰。
-
-配置选项：
+使用顶层类型化 ACP 绑定，将飞书私信或话题会话固定到持久化 ACP 会话。
 
 ```json5
 {
-  channels: {
-    feishu: {
-      // 账户级别配置（默认 "all"）
-      replyToMode: "all",
-      groups: {
-        oc_xxx: {
-          // 特定群组可以覆盖
-          replyToMode: "first",
+  agents: {
+    list: [
+      {
+        id: "codex",
+        runtime: {
+          type: "acp",
+          acp: {
+            agent: "codex",
+            backend: "acpx",
+            mode: "persistent",
+            cwd: "/workspace/openclaw",
+          },
         },
       },
-    },
+    ],
   },
+  bindings: [
+    {
+      type: "acp",
+      agentId: "codex",
+      match: {
+        channel: "feishu",
+        accountId: "default",
+        peer: { kind: "direct", id: "ou_1234567890" },
+      },
+    },
+    {
+      type: "acp",
+      agentId: "codex",
+      match: {
+        channel: "feishu",
+        accountId: "default",
+        peer: { kind: "group", id: "oc_group_chat:topic:om_topic_root" },
+      },
+      acp: { label: "codex-feishu-topic" },
+    },
+  ],
 }
 ```
 
-`replyToMode` 值说明：
+#### 从聊天中按线程绑定 ACP 生成
 
-| 值        | 行为                               |
-| --------- | ---------------------------------- |
-| `"off"`   | 不引用原消息（私聊默认值）         |
-| `"first"` | 仅在第一条回复时引用原消息         |
-| `"all"`   | 所有回复都引用原消息（群聊默认值） |
+在飞书私信或话题会话中，你可以就地生成并绑定一个 ACP 会话：
 
-> 注意：消息引用功能与流式卡片输出（`streaming: true`）不能同时使用。当启用流式输出时，回复会以卡片形式呈现，不会显示引用。
+```text
+/acp spawn codex --thread here
+```
 
-### 多 Agent 路由
+说明：
 
-通过 `bindings` 配置，您可以用一个飞书机器人对接多个不同功能或性格的 Agent。系统会根据用户 ID 或群组 ID 自动将对话分发到对应的 Agent。
+- `--thread here` 适用于私信和飞书话题。
+- 绑定后的私信/话题中的后续消息会直接路由到该 ACP 会话。
+- v1 不支持针对通用的非话题群聊。
 
-配置示例：
+### 多智能体路由
+
+使用 `bindings` 将飞书私信或群组路由到不同的智能体。
 
 ```json5
 {
@@ -634,91 +629,81 @@ OpenClaw 默认会在需要时发送 Markdown 卡片；如果你需要完整的
   },
   bindings: [
     {
-      // 用户 A 的私聊 → main agent
       agentId: "main",
       match: {
         channel: "feishu",
-        peer: { kind: "dm", id: "ou_28b31a88..." },
+        peer: { kind: "direct", id: "ou_xxx" },
       },
     },
     {
-      // 用户 B 的私聊 → clawd-fan agent
       agentId: "clawd-fan",
       match: {
         channel: "feishu",
-        peer: { kind: "dm", id: "ou_0fe6b1c9..." },
+        peer: { kind: "direct", id: "ou_yyy" },
       },
     },
     {
-      // 某个群组 → clawd-xi agent
       agentId: "clawd-xi",
       match: {
         channel: "feishu",
-        peer: { kind: "group", id: "oc_xxx..." },
+        peer: { kind: "group", id: "oc_zzz" },
       },
     },
   ],
 }
 ```
 
-匹配规则说明：
+路由字段：
 
-| 字段              | 说明                                          |
-| ----------------- | --------------------------------------------- |
-| `agentId`         | 目标 Agent 的 ID，需要在 `agents.list` 中定义 |
-| `match.channel`   | 渠道类型，这里固定为 `"feishu"`               |
-| `match.peer.kind` | 对话类型：`"dm"`（私聊）或 `"group"`（群组）  |
-| `match.peer.id`   | 用户 Open ID（`ou_xxx`）或群组 ID（`oc_xxx`） |
+- `match.channel`：`"feishu"`
+- `match.peer.kind`：`"direct"` 或 `"group"`
+- `match.peer.id`：用户 Open ID（`ou_xxx`）或群组 ID（`oc_xxx`）
 
-> 获取 ID 的方法：参见上文 [获取群组/用户 ID](#获取群组用户-id) 章节。
+查找提示请参见 [获取群组/用户 ID](#get-groupuser-ids)。
 
 ---
 
 ## 配置参考
 
-完整配置请参考：[网关配置](/gateway/configuration)
+完整配置：[Gateway 网关配置](/gateway/configuration)
 
-主要选项：
+关键选项：
 
-| 配置项                                            | 说明                              | 默认值           |
-| ------------------------------------------------- | --------------------------------- | ---------------- |
-| `channels.feishu.enabled`                         | 启用/禁用渠道                     | `true`           |
-| `channels.feishu.domain`                          | API 域名（`feishu` 或 `lark`）    | `feishu`         |
-| `channels.feishu.connectionMode`                  | 事件传输模式（websocket/webhook） | `websocket`      |
-| `channels.feishu.defaultAccount`                  | 出站路由默认账号 ID               | `default`        |
-| `channels.feishu.verificationToken`               | Webhook 模式必填                  | -                |
-| `channels.feishu.webhookPath`                     | Webhook 路由路径                  | `/feishu/events` |
-| `channels.feishu.webhookHost`                     | Webhook 监听地址                  | `127.0.0.1`      |
-| `channels.feishu.webhookPort`                     | Webhook 监听端口                  | `3000`           |
-| `channels.feishu.accounts.<id>.appId`             | 应用 App ID                       | -                |
-| `channels.feishu.accounts.<id>.appSecret`         | 应用 App Secret                   | -                |
-| `channels.feishu.accounts.<id>.domain`            | 单账号 API 域名覆盖               | `feishu`         |
-| `channels.feishu.dmPolicy`                        | 私聊策略                          | `pairing`        |
-| `channels.feishu.allowFrom`                       | 私聊白名单（open_id 列表）        | -                |
-| `channels.feishu.groupPolicy`                     | 群组策略                          | `allowlist`      |
-| `channels.feishu.groupAllowFrom`                  | 群组白名单                        | -                |
-| `channels.feishu.groups.<chat_id>.requireMention` | 是否需要 @提及                    | `true`           |
-| `channels.feishu.groups.<chat_id>.enabled`        | 是否启用该群组                    | `true`           |
-| `channels.feishu.replyInThread`                   | 群聊回复是否进入飞书话题线程      | `disabled`       |
-| `channels.feishu.groupSessionScope`               | 群聊会话隔离粒度                  | `group`          |
-| `channels.feishu.textChunkLimit`                  | 消息分块大小                      | `2000`           |
-| `channels.feishu.mediaMaxMb`                      | 媒体大小限制                      | `30`             |
-| `channels.feishu.streaming`                       | 启用流式卡片输出                  | `true`           |
-| `channels.feishu.blockStreamingCoalesce.enabled`  | 启用块级流式合并                  | `true`           |
-| `channels.feishu.typingIndicator`                 | 发送“正在输入”状态                | `true`           |
-| `channels.feishu.resolveSenderNames`              | 拉取发送者名称                    | `true`           |
-| `channels.feishu.reactionNotifications`           | 入站反应通知策略                  | `own`            |
+| Setting                                           | Description                      | Default          |
+| ------------------------------------------------- | -------------------------------- | ---------------- |
+| `channels.feishu.enabled`                         | 启用/禁用渠道                    | `true`           |
+| `channels.feishu.domain`                          | API 域名（`feishu` 或 `lark`）   | `feishu`         |
+| `channels.feishu.connectionMode`                  | 事件传输模式                     | `websocket`      |
+| `channels.feishu.defaultAccount`                  | 出站路由的默认账户 ID            | `default`        |
+| `channels.feishu.verificationToken`               | webhook 模式必填                 | -                |
+| `channels.feishu.encryptKey`                      | webhook 模式必填                 | -                |
+| `channels.feishu.webhookPath`                     | webhook 路由路径                 | `/feishu/events` |
+| `channels.feishu.webhookHost`                     | webhook 绑定主机                 | `127.0.0.1`      |
+| `channels.feishu.webhookPort`                     | webhook 绑定端口                 | `3000`           |
+| `channels.feishu.accounts.<id>.appId`             | App ID                           | -                |
+| `channels.feishu.accounts.<id>.appSecret`         | App Secret                       | -                |
+| `channels.feishu.accounts.<id>.domain`            | 按账户覆盖 API 域名              | `feishu`         |
+| `channels.feishu.dmPolicy`                        | 私信策略                         | `pairing`        |
+| `channels.feishu.allowFrom`                       | 私信 allowlist（`open_id` 列表） | -                |
+| `channels.feishu.groupPolicy`                     | 群组策略                         | `open`           |
+| `channels.feishu.groupAllowFrom`                  | 群组 allowlist                   | -                |
+| `channels.feishu.groups.<chat_id>.requireMention` | 要求 @ 提及                      | `true`           |
+| `channels.feishu.groups.<chat_id>.enabled`        | 启用群组                         | `true`           |
+| `channels.feishu.textChunkLimit`                  | 消息分块大小                     | `2000`           |
+| `channels.feishu.mediaMaxMb`                      | 媒体大小限制                     | `30`             |
+| `channels.feishu.streaming`                       | 启用流式卡片输出                 | `true`           |
+| `channels.feishu.blockStreaming`                  | 启用分块流式传输                 | `true`           |
 
 ---
 
-## dmPolicy 策略说明
+## dmPolicy 参考
 
-| 值            | 行为                                               |
-| ------------- | -------------------------------------------------- |
-| `"pairing"`   | **默认**。未知用户收到配对码，管理员批准后才能对话 |
-| `"allowlist"` | 仅 `allowFrom` 列表中的用户可对话，其他静默忽略    |
-| `"open"`      | 允许所有人对话（需在 allowFrom 中加 `"*"`）        |
-| `"disabled"`  | 完全禁止私聊                                       |
+| Value         | Behavior                                             |
+| ------------- | ---------------------------------------------------- |
+| `"pairing"`   | **默认。**未知用户会收到配对码；必须获批准后才能使用 |
+| `"allowlist"` | 只有 `allowFrom` 中的用户可以聊天                    |
+| `"open"`      | 允许所有用户（要求 `allowFrom` 中有 `"*"`）          |
+| `"disabled"`  | 禁用私信                                             |
 
 ---
 
@@ -726,17 +711,17 @@ OpenClaw 默认会在需要时发送 Markdown 卡片；如果你需要完整的
 
 ### 接收
 
-- ✅ 文本消息
-- ✅ 富文本（帖子）
+- ✅ 文本
+- ✅ 富文本（post）
 - ✅ 图片
 - ✅ 文件
 - ✅ 音频
 - ✅ 视频
-- ✅ 表情包
+- ✅ 贴纸
 
 ### 发送
 
-- ✅ 文本消息
+- ✅ 文本
 - ✅ 图片
 - ✅ 文件
 - ✅ 音频
diff --git a/docs/zh-CN/channels/nostr.md b/docs/zh-CN/channels/nostr.md
index 7d0359ce21d..47efa40aedf 100644
--- a/docs/zh-CN/channels/nostr.md
+++ b/docs/zh-CN/channels/nostr.md
@@ -1,14 +1,14 @@
 ---
 read_when:
-  - 你希望 OpenClaw 通过 Nostr 接收私信
-  - 你正在设置去中心化消息
-summary: 通过 NIP-04 加密消息的 Nostr 私信渠道
+  - 你想让 OpenClaw 通过 Nostr 接收私信
+  - 你正在设置去中心化消息传递
+summary: 通过 NIP-04 加密消息实现的 Nostr 私信渠道
 title: Nostr
 x-i18n:
-  generated_at: "2026-02-03T07:44:13Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: 6b9fe4c74bf5e7c0f59bbaa129ec5270fd29a248551a8a9a7dde6cff8fb46111
+  generated_at: "2026-03-16T06:20:37Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: fcce57da49256971420c4bb099aebb7944f8c7e8619b17b163da685add225001
   source_path: channels/nostr.md
   workflow: 15
 ---
@@ -17,21 +17,21 @@ x-i18n:
 
 **状态：** 可选插件（默认禁用）。
 
-Nostr 是一个去中心化的社交网络协议。此渠道使 OpenClaw 能够通过 NIP-04 接收和回复加密私信（DMs）。
+Nostr 是一种用于社交网络的去中心化协议。此渠道使 OpenClaw 能够通过 NIP-04 接收并回复加密私信。
 
 ## 安装（按需）
 
 ### 新手引导（推荐）
 
-- 新手引导向导（`openclaw onboard`）和 `openclaw channels add` 会列出可选的渠道插件。
-- 选择 Nostr 会提示你按需安装插件。
+- 设置向导（`openclaw onboard`）和 `openclaw channels add` 会列出可选渠道插件。
+- 选择 Nostr 时，系统会提示你按需安装该插件。
 
-安装默认值：
+安装默认行为：
 
-- **Dev 渠道 + git checkout 可用：** 使用本地插件路径。
-- **Stable/Beta：** 从 npm 下载。
+- **Dev 渠道 + 可用的 git 检出：** 使用本地插件路径。
+- **稳定版 / Beta：** 从 npm 下载。
 
-你可以随时在提示中覆盖选择。
+你始终可以在提示中覆盖该选择。
 
 ### 手动安装
 
@@ -39,24 +39,33 @@ Nostr 是一个去中心化的社交网络协议。此渠道使 OpenClaw 能够
 openclaw plugins install @openclaw/nostr
 ```
 
-使用本地 checkout（开发工作流）：
+使用本地检出（dev 工作流）：
 
 ```bash
 openclaw plugins install --link <path-to-openclaw>/extensions/nostr
 ```
 
-安装或启用插件后重启 Gateway 网关。
+安装或启用插件后，重启 Gateway 网关。
+
+### 非交互式设置
+
+```bash
+openclaw channels add --channel nostr --private-key "$NOSTR_PRIVATE_KEY"
+openclaw channels add --channel nostr --private-key "$NOSTR_PRIVATE_KEY" --relay-urls "wss://relay.damus.io,wss://relay.primal.net"
+```
+
+使用 `--use-env` 可将 `NOSTR_PRIVATE_KEY` 保留在环境中，而不是将密钥存储在配置里。
 
 ## 快速设置
 
-1. 生成 Nostr 密钥对（如需要）：
+1. 生成一个 Nostr 密钥对（如有需要）：
 
 ```bash
-# 使用 nak
+# Using nak
 nak key generate
 ```
 
-2. 添加到配置：
+2. 添加到配置中：
 
 ```json
 {
@@ -78,19 +87,19 @@ export NOSTR_PRIVATE_KEY="nsec1..."
 
 ## 配置参考
 
-| 键           | 类型     | 默认值                                      | 描述                        |
+| 键           | 类型     | 默认值                                      | 说明                        |
 | ------------ | -------- | ------------------------------------------- | --------------------------- |
 | `privateKey` | string   | 必填                                        | `nsec` 或十六进制格式的私钥 |
 | `relays`     | string[] | `['wss://relay.damus.io', 'wss://nos.lol']` | 中继 URL（WebSocket）       |
 | `dmPolicy`   | string   | `pairing`                                   | 私信访问策略                |
-| `allowFrom`  | string[] | `[]`                                        | 允许的发送者公钥            |
-| `enabled`    | boolean  | `true`                                      | 启用/禁用渠道               |
+| `allowFrom`  | string[] | `[]`                                        | 允许的发送方公钥            |
+| `enabled`    | boolean  | `true`                                      | 启用 / 禁用渠道             |
 | `name`       | string   | -                                           | 显示名称                    |
-| `profile`    | object   | -                                           | NIP-01 个人资料元数据       |
+| `profile`    | object   | -                                           | NIP-01 资料元数据           |
 
-## 个人资料元数据
+## 资料元数据
 
-个人资料数据作为 NIP-01 `kind:0` 事件发布。你可以从控制界面（Channels -> Nostr -> Profile）管理它，或直接在配置中设置。
+资料数据会作为 NIP-01 `kind:0` 事件发布。你可以在控制 UI 中管理它（Channels -> Nostr -> Profile），也可以直接在配置中设置。
 
 示例：
 
@@ -114,19 +123,19 @@ export NOSTR_PRIVATE_KEY="nsec1..."
 }
 ```
 
-注意事项：
+注意：
 
-- 个人资料 URL 必须使用 `https://`。
-- 从中继导入会合并字段并保留本地覆盖。
+- 资料 URL 必须使用 `https://`。
+- 从中继导入时会合并字段，并保留本地覆盖项。
 
 ## 访问控制
 
 ### 私信策略
 
-- **pairing**（默认）：未知发送者会收到配对码。
+- **pairing**（默认）：未知发送方会收到一个配对码。
 - **allowlist**：只有 `allowFrom` 中的公钥可以发送私信。
-- **open**：公开接收私信（需要 `allowFrom: ["*"]`）。
-- **disabled**：忽略接收的私信。
+- **open**：公开接收入站私信（要求 `allowFrom: ["*"]`）。
+- **disabled**：忽略入站私信。
 
 ### 允许列表示例
 
@@ -166,26 +175,26 @@ export NOSTR_PRIVATE_KEY="nsec1..."
 
 提示：
 
-- 使用 2-3 个中继以实现冗余。
+- 使用 2 到 3 个中继以实现冗余。
 - 避免使用过多中继（延迟、重复）。
 - 付费中继可以提高可靠性。
-- 本地中继适合测试（`ws://localhost:7777`）。
+- 本地中继也适合测试（`ws://localhost:7777`）。
 
 ## 协议支持
 
-| NIP    | 状态   | 描述                          |
-| ------ | ------ | ----------------------------- |
-| NIP-01 | 已支持 | 基本事件格式 + 个人资料元数据 |
-| NIP-04 | 已支持 | 加密私信（`kind:4`）          |
-| NIP-17 | 计划中 | 礼物包装私信                  |
-| NIP-44 | 计划中 | 版本化加密                    |
+| NIP    | 状态   | 说明                      |
+| ------ | ------ | ------------------------- |
+| NIP-01 | 已支持 | 基础事件格式 + 资料元数据 |
+| NIP-04 | 已支持 | 加密私信（`kind:4`）      |
+| NIP-17 | 计划中 | Gift-wrapped 私信         |
+| NIP-44 | 计划中 | 版本化加密                |
 
 ## 测试
 
 ### 本地中继
 
 ```bash
-# 启动 strfry
+# Start strfry
 docker run -p 7777:7777 ghcr.io/hoytech/strfry
 ```
 
@@ -203,38 +212,38 @@ docker run -p 7777:7777 ghcr.io/hoytech/strfry
 ### 手动测试
 
 1. 从日志中记下机器人公钥（npub）。
-2. 打开 Nostr 客户端（Damus、Amethyst 等）。
-3. 向机器人公钥发送私信。
-4. 验证响应。
+2. 打开一个 Nostr 客户端（Damus、Amethyst 等）。
+3. 向该机器人公钥发送私信。
+4. 验证回复。
 
 ## 故障排除
 
-### 未收到消息
+### 未接收到消息
 
-- 验证私钥是否有效。
-- 确保中继 URL 可访问并使用 `wss://`（本地使用 `ws://`）。
+- 验证私钥有效。
+- 确保中继 URL 可访问，并使用 `wss://`（本地则使用 `ws://`）。
 - 确认 `enabled` 不是 `false`。
 - 检查 Gateway 网关日志中的中继连接错误。
 
-### 未发送响应
+### 未发送回复
 
 - 检查中继是否接受写入。
-- 验证出站连接。
+- 验证出站连接性。
 - 注意中继速率限制。
 
-### 重复响应
+### 重复回复
 
-- 使用多个中继时属于正常现象。
-- 消息按事件 ID 去重；只有首次投递会触发响应。
+- 使用多个中继时这是预期行为。
+- 消息会按事件 ID 去重；只有首次投递会触发回复。
 
-## 安全
+## 安全性
 
 - 切勿提交私钥。
-- 使用环境变量存储密钥。
-- 生产环境机器人考虑使用 `allowlist`。
+- 对密钥使用环境变量。
+- 对生产机器人考虑使用 `allowlist`。
 
 ## 限制（MVP）
 
 - 仅支持私信（不支持群聊）。
 - 不支持媒体附件。
-- 仅支持 NIP-04（计划支持 NIP-17 礼物包装）。
+- 仅支持 NIP-04（计划支持 NIP-17 gift-wrap）。
diff --git a/docs/zh-CN/channels/synology-chat.md b/docs/zh-CN/channels/synology-chat.md
new file mode 100644
index 00000000000..4323e5d12d7
--- /dev/null
+++ b/docs/zh-CN/channels/synology-chat.md
@@ -0,0 +1,138 @@
+---
+read_when:
+  - 设置 OpenClaw 与 Synology Chat
+  - 调试 Synology Chat webhook 路由
+summary: Synology Chat webhook 设置与 OpenClaw 配置
+title: Synology Chat
+x-i18n:
+  generated_at: "2026-03-16T06:20:51Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 7d77598ea759f89873a1edf0a3a7e7fedc1e4a7067709aaca6b999056a89eb1a
+  source_path: channels/synology-chat.md
+  workflow: 15
+---
+
+# Synology Chat（插件）
+
+状态：通过插件支持，作为使用 Synology Chat webhook 的私信渠道。
+该插件接受来自 Synology Chat 出站 webhook 的入站消息，并通过 Synology Chat 入站 webhook 发送回复。
+
+## 需要插件
+
+Synology Chat 基于插件，不属于默认的核心渠道安装内容。
+
+从本地检出安装：
+
+```bash
+openclaw plugins install ./extensions/synology-chat
+```
+
+详情：[插件](/tools/plugin)
+
+## 快速设置
+
+1. 安装并启用 Synology Chat 插件。
+   - `openclaw onboard` 现在会在与 `openclaw channels add` 相同的渠道设置列表中显示 Synology Chat。
+   - 非交互式设置：`openclaw channels add --channel synology-chat --token <token> --url <incoming-webhook-url>`
+2. 在 Synology Chat 集成中：
+   - 创建一个入站 webhook 并复制其 URL。
+   - 使用你的 secret token 创建一个出站 webhook。
+3. 将出站 webhook URL 指向你的 OpenClaw Gateway 网关：
+   - 默认是 `https://gateway-host/webhook/synology`。
+   - 或者使用你自定义的 `channels.synology-chat.webhookPath`。
+4. 在 OpenClaw 中完成设置。
+   - 引导式：`openclaw onboard`
+   - 直接设置：`openclaw channels add --channel synology-chat --token <token> --url <incoming-webhook-url>`
+5. 重启 Gateway 网关，并向 Synology Chat 机器人发送一条私信。
+
+最小配置：
+
+```json5
+{
+  channels: {
+    "synology-chat": {
+      enabled: true,
+      token: "synology-outgoing-token",
+      incomingUrl: "https://nas.example.com/webapi/entry.cgi?api=SYNO.Chat.External&method=incoming&version=2&token=...",
+      webhookPath: "/webhook/synology",
+      dmPolicy: "allowlist",
+      allowedUserIds: ["123456"],
+      rateLimitPerMinute: 30,
+      allowInsecureSsl: false,
+    },
+  },
+}
+```
+
+## 环境变量
+
+对于默认账户，你可以使用环境变量：
+
+- `SYNOLOGY_CHAT_TOKEN`
+- `SYNOLOGY_CHAT_INCOMING_URL`
+- `SYNOLOGY_NAS_HOST`
+- `SYNOLOGY_ALLOWED_USER_IDS`（逗号分隔）
+- `SYNOLOGY_RATE_LIMIT`
+- `OPENCLAW_BOT_NAME`
+
+配置值会覆盖环境变量。
+
+## 私信策略与访问控制
+
+- 推荐的默认值是 `dmPolicy: "allowlist"`。
+- `allowedUserIds` 接受 Synology 用户 ID 列表（或逗号分隔字符串）。
+- 在 `allowlist` 模式下，空的 `allowedUserIds` 列表会被视为配置错误，webhook 路由将不会启动（如需允许所有人，请使用 `dmPolicy: "open"`）。
+- `dmPolicy: "open"` 允许任何发送方。
+- `dmPolicy: "disabled"` 会阻止私信。
+- 配对批准可配合以下命令使用：
+  - `openclaw pairing list synology-chat`
+  - `openclaw pairing approve synology-chat <CODE>`
+
+## 出站投递
+
+使用数字形式的 Synology Chat 用户 ID 作为目标。
+
+示例：
+
+```bash
+openclaw message send --channel synology-chat --target 123456 --text "Hello from OpenClaw"
+openclaw message send --channel synology-chat --target synology-chat:123456 --text "Hello again"
+```
+
+支持通过基于 URL 的文件投递发送媒体。
+
+## 多账户
+
+支持在 `channels.synology-chat.accounts` 下配置多个 Synology Chat 账户。
+每个账户都可以覆盖 token、入站 URL、webhook 路径、私信策略和限制。
+
+```json5
+{
+  channels: {
+    "synology-chat": {
+      enabled: true,
+      accounts: {
+        default: {
+          token: "token-a",
+          incomingUrl: "https://nas-a.example.com/...token=...",
+        },
+        alerts: {
+          token: "token-b",
+          incomingUrl: "https://nas-b.example.com/...token=...",
+          webhookPath: "/webhook/synology-alerts",
+          dmPolicy: "allowlist",
+          allowedUserIds: ["987654"],
+        },
+      },
+    },
+  },
+}
+```
+
+## 安全说明
+
+- 妥善保管 `token`，如果泄露请轮换。
+- 除非你明确可信任本地 NAS 的自签名证书，否则请保持 `allowInsecureSsl: false`。
+- 入站 webhook 请求会按 token 验证，并按发送方进行速率限制。
+- 生产环境优先使用 `dmPolicy: "allowlist"`。
diff --git a/docs/zh-CN/cli/index.md b/docs/zh-CN/cli/index.md
index e7ae99ef935..46be3ef8ab1 100644
--- a/docs/zh-CN/cli/index.md
+++ b/docs/zh-CN/cli/index.md
@@ -1,14 +1,14 @@
 ---
 read_when:
-  - 添加或修改 CLI 命令或选项
-  - 为新命令界面编写文档
-summary: OpenClaw `openclaw` 命令、子命令和选项的 CLI 参考
+  - 添加或修改 CLI 命令或选项时
+  - 为新的命令界面编写文档时
+summary: "`openclaw` 命令、子命令和选项的 OpenClaw CLI 参考"
 title: CLI 参考
 x-i18n:
-  generated_at: "2026-02-03T07:47:54Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: a73923763d7b89d4b183f569d543927ffbfd1f3e02f9e66639913f6daf226850
+  generated_at: "2026-03-16T06:22:35Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: a2bca34fca64558a8d91fc640ad3880e79677e81d0f605083edc6cbe86bfba53
   source_path: cli/index.md
   workflow: 15
 ---
@@ -23,8 +23,10 @@ x-i18n:
 - [`onboard`](/cli/onboard)
 - [`configure`](/cli/configure)
 - [`config`](/cli/config)
+- [`completion`](/cli/completion)
 - [`doctor`](/cli/doctor)
 - [`dashboard`](/cli/dashboard)
+- [`backup`](/cli/backup)
 - [`reset`](/cli/reset)
 - [`uninstall`](/cli/uninstall)
 - [`update`](/cli/update)
@@ -40,6 +42,7 @@ x-i18n:
 - [`system`](/cli/system)
 - [`models`](/cli/models)
 - [`memory`](/cli/memory)
+- [`directory`](/cli/directory)
 - [`nodes`](/cli/nodes)
 - [`devices`](/cli/devices)
 - [`node`](/cli/node)
@@ -53,42 +56,46 @@ x-i18n:
 - [`hooks`](/cli/hooks)
 - [`webhooks`](/cli/webhooks)
 - [`pairing`](/cli/pairing)
+- [`qr`](/cli/qr)
 - [`plugins`](/cli/plugins)（插件命令）
 - [`channels`](/cli/channels)
 - [`security`](/cli/security)
+- [`secrets`](/cli/secrets)
 - [`skills`](/cli/skills)
+- [`daemon`](/cli/daemon)（Gateway 网关服务命令的旧别名）
+- [`clawbot`](/cli/clawbot)（旧别名命名空间）
 - [`voicecall`](/cli/voicecall)（插件；如已安装）
 
 ## 全局标志
 
-- `--dev`：将状态隔离到 `~/.openclaw-dev` 下并调整默认端口。
+- `--dev`：将状态隔离到 `~/.openclaw-dev` 下，并变更默认端口。
 - `--profile <name>`：将状态隔离到 `~/.openclaw-<name>` 下。
 - `--no-color`：禁用 ANSI 颜色。
-- `--update`：`openclaw update` 的简写（仅限源码安装）。
-- `-V`、`--version`、`-v`：打印版本并退出。
+- `--update`：`openclaw update` 的简写（仅适用于源码安装）。
+- `-V`, `--version`, `-v`：打印版本并退出。
 
 ## 输出样式
 
 - ANSI 颜色和进度指示器仅在 TTY 会话中渲染。
-- OSC-8 超链接在支持的终端中渲染为可点击链接；否则回退到纯 URL。
-- `--json`（以及支持的地方使用 `--plain`）禁用样式以获得干净输出。
-- `--no-color` 禁用 ANSI 样式；也支持 `NO_COLOR=1`。
-- 长时间运行的命令显示进度指示器（支持时使用 OSC 9;4）。
+- OSC-8 超链接会在受支持的终端中显示为可点击链接；否则会回退为纯 URL。
+- `--json`（以及在支持处的 `--plain`）会禁用样式，以获得干净输出。
+- `--no-color` 会禁用 ANSI 样式；同时也支持 `NO_COLOR=1`。
+- 长时间运行的命令会显示进度指示器（支持时使用 OSC 9;4）。
 
-## 颜色调色板
+## 调色板
 
-OpenClaw 在 CLI 输出中使用龙虾调色板。
+OpenClaw 在 CLI 输出中使用龙虾色调调色板。
 
-- `accent`（#FF5A2D）：标题、标签、主要高亮。
-- `accentBright`（#FF7A3D）：命令名称、强调。
-- `accentDim`（#D14A22）：次要高亮文本。
-- `info`（#FF8A5B）：信息性值。
-- `success`（#2FBF71）：成功状态。
-- `warn`（#FFB020）：警告、回退、注意。
-- `error`（#E23D2D）：错误、失败。
-- `muted`（#8B7F77）：弱化、元数据。
+- `accent` (#FF5A2D)：标题、标签、主要高亮。
+- `accentBright` (#FF7A3D)：命令名称、强调。
+- `accentDim` (#D14A22)：次级高亮文本。
+- `info` (#FF8A5B)：信息性值。
+- `success` (#2FBF71)：成功状态。
+- `warn` (#FFB020)：警告、回退、注意事项。
+- `error` (#E23D2D)：错误、失败。
+- `muted` (#8B7F77)：弱化显示、元数据。
 
-调色板权威来源：`src/terminal/palette.ts`（又名"lobster seam"）。
+调色板唯一来源：`src/terminal/palette.ts`（也称为 “lobster seam”）。
 
 ## 命令树
 
@@ -101,9 +108,17 @@ openclaw [--dev] [--profile <name>] <command>
     get
     set
     unset
+  completion
   doctor
+  dashboard
+  backup
+    create
+    verify
   security
     audit
+  secrets
+    reload
+    migrate
   reset
   uninstall
   update
@@ -115,6 +130,7 @@ openclaw [--dev] [--profile <name>] <command>
     remove
     login
     logout
+  directory
   skills
     list
     info
@@ -152,6 +168,13 @@ openclaw [--dev] [--profile <name>] <command>
     stop
     restart
     run
+  daemon
+    status
+    install
+    uninstall
+    start
+    stop
+    restart
   logs
   system
     event
@@ -238,49 +261,59 @@ openclaw [--dev] [--profile <name>] <command>
   pairing
     list
     approve
+  qr
+  clawbot
+    qr
   docs
   dns
     setup
   tui
 ```
 
-注意：插件可以添加额外的顶级命令（例如 `openclaw voicecall`）。
+注意：插件可以添加额外的顶层命令（例如 `openclaw voicecall`）。
 
 ## 安全
 
-- `openclaw security audit` — 审计配置 + 本地状态中常见的安全隐患。
+- `openclaw security audit` — 审计配置 + 本地状态中常见的安全陷阱。
 - `openclaw security audit --deep` — 尽力进行实时 Gateway 网关探测。
-- `openclaw security audit --fix` — 收紧安全默认值并 chmod 状态/配置。
+- `openclaw security audit --fix` — 收紧安全默认值并对状态 / 配置执行 chmod。
+
+## 密钥
+
+- `openclaw secrets reload` — 重新解析引用，并以原子方式替换运行时快照。
+- `openclaw secrets audit` — 扫描明文残留、未解析引用和优先级漂移。
+- `openclaw secrets configure` — 用于提供商设置 + SecretRef 映射 + 预检 / 应用的交互式助手。
+- `openclaw secrets apply --from <plan.json>` — 应用先前生成的计划（支持 `--dry-run`）。
 
 ## 插件
 
 管理扩展及其配置：
 
-- `openclaw plugins list` — 发现插件（使用 `--json` 获取机器可读输出）。
+- `openclaw plugins list` — 发现插件（机器输出请使用 `--json`）。
 - `openclaw plugins info <id>` — 显示插件详情。
 - `openclaw plugins install <path|.tgz|npm-spec>` — 安装插件（或将插件路径添加到 `plugins.load.paths`）。
 - `openclaw plugins enable <id>` / `disable <id>` — 切换 `plugins.entries.<id>.enabled`。
 - `openclaw plugins doctor` — 报告插件加载错误。
 
-大多数插件更改需要重启 Gateway 网关。参见 [/plugin](/tools/plugin)。
+大多数插件更改都需要重启 gateway。参见 [/plugin](/tools/plugin)。
 
-## 记忆
+## 内存
 
-对 `MEMORY.md` + `memory/*.md` 进行向量搜索：
+对 `MEMORY.md` + `memory/*.md` 执行向量搜索：
 
-- `openclaw memory status` — 显示索引统计。
-- `openclaw memory index` — 重新索引记忆文件。
-- `openclaw memory search "<query>"` — 对记忆进行语义搜索。
+- `openclaw memory status` — 显示索引统计信息。
+- `openclaw memory index` — 重新索引内存文件。
+- `openclaw memory search "<query>"`（或 `--query "<query>"`）— 对内存执行语义搜索。
 
 ## 聊天斜杠命令
 
 聊天消息支持 `/...` 命令（文本和原生）。参见 [/tools/slash-commands](/tools/slash-commands)。
 
-亮点：
+重点：
 
 - `/status` 用于快速诊断。
 - `/config` 用于持久化配置更改。
-- `/debug` 用于仅运行时的配置覆盖（内存中，不写入磁盘；需要 `commands.debug: true`）。
+- `/debug` 用于仅运行时的配置覆盖（内存中，不写磁盘；要求 `commands.debug: true`）。
 
 ## 设置 + 新手引导
 
@@ -291,32 +324,35 @@ openclaw [--dev] [--profile <name>] <command>
 选项：
 
 - `--workspace <dir>`：智能体工作区路径（默认 `~/.openclaw/workspace`）。
-- `--wizard`：运行新手引导向导。
+- `--wizard`：运行设置向导。
 - `--non-interactive`：无提示运行向导。
 - `--mode <local|remote>`：向导模式。
 - `--remote-url <url>`：远程 Gateway 网关 URL。
-- `--remote-token <token>`：远程 Gateway 网关令牌。
+- `--remote-token <token>`：远程 Gateway 网关 token。
 
-当存在任何向导标志（`--non-interactive`、`--mode`、`--remote-url`、`--remote-token`）时，向导自动运行。
+只要存在任意向导标志（`--non-interactive`, `--mode`, `--remote-url`, `--remote-token`），就会自动运行向导。
 
 ### `onboard`
 
-交互式向导，用于设置 Gateway 网关、工作区和 Skills。
+用于设置 gateway、工作区和 Skills 的交互式向导。
 
 选项：
 
 - `--workspace <dir>`
-- `--reset`（在向导之前重置配置 + 凭证 + 会话 + 工作区）
+- `--reset`（在运行向导前重置配置 + 凭据 + 会话）
+- `--reset-scope <config|config+creds+sessions|full>`（默认 `config+creds+sessions`；使用 `full` 还会删除工作区）
 - `--non-interactive`
 - `--mode <local|remote>`
-- `--flow <quickstart|advanced|manual>`（manual 是 advanced 的别名）
-- `--auth-choice <setup-token|token|chutes|openai-codex|openai-api-key|openrouter-api-key|ai-gateway-api-key|moonshot-api-key|kimi-code-api-key|synthetic-api-key|venice-api-key|gemini-api-key|zai-api-key|apiKey|minimax-api|minimax-api-lightning|opencode-zen|skip>`
-- `--token-provider <id>`（非交互式；与 `--auth-choice token` 配合使用）
-- `--token <token>`（非交互式；与 `--auth-choice token` 配合使用）
+- `--flow <quickstart|advanced|manual>`（`manual` 是 `advanced` 的别名）
+- `--auth-choice <setup-token|token|chutes|openai-codex|openai-api-key|openrouter-api-key|ollama|ai-gateway-api-key|moonshot-api-key|moonshot-api-key-cn|kimi-code-api-key|synthetic-api-key|venice-api-key|gemini-api-key|zai-api-key|mistral-api-key|apiKey|minimax-api|minimax-api-lightning|opencode-zen|opencode-go|custom-api-key|skip>`
+- `--token-provider <id>`（非交互式；与 `--auth-choice token` 一起使用）
+- `--token <token>`（非交互式；与 `--auth-choice token` 一起使用）
 - `--token-profile-id <id>`（非交互式；默认：`<provider>:manual`）
 - `--token-expires-in <duration>`（非交互式；例如 `365d`、`12h`）
+- `--secret-input-mode <plaintext|ref>`（默认 `plaintext`；使用 `ref` 可存储提供商默认环境引用，而非明文密钥）
 - `--anthropic-api-key <key>`
 - `--openai-api-key <key>`
+- `--mistral-api-key <key>`
 - `--openrouter-api-key <key>`
 - `--ai-gateway-api-key <key>`
 - `--moonshot-api-key <key>`
@@ -325,10 +361,17 @@ openclaw [--dev] [--profile <name>] <command>
 - `--zai-api-key <key>`
 - `--minimax-api-key <key>`
 - `--opencode-zen-api-key <key>`
+- `--opencode-go-api-key <key>`
+- `--custom-base-url <url>`（非交互式；与 `--auth-choice custom-api-key` 或 `--auth-choice ollama` 一起使用）
+- `--custom-model-id <id>`（非交互式；与 `--auth-choice custom-api-key` 或 `--auth-choice ollama` 一起使用）
+- `--custom-api-key <key>`（非交互式；可选；与 `--auth-choice custom-api-key` 一起使用；省略时回退到 `CUSTOM_API_KEY`）
+- `--custom-provider-id <id>`（非交互式；可选自定义提供商 id）
+- `--custom-compatibility <openai|anthropic>`（非交互式；可选；默认 `openai`）
 - `--gateway-port <port>`
 - `--gateway-bind <loopback|lan|tailnet|auto|custom>`
 - `--gateway-auth <token|password>`
 - `--gateway-token <token>`
+- `--gateway-token-ref-env <name>`（非交互式；将 `gateway.auth.token` 存储为环境 SecretRef；要求该环境变量已设置；不能与 `--gateway-token` 一起使用）
 - `--gateway-password <password>`
 - `--remote-url <url>`
 - `--remote-token <token>`
@@ -341,35 +384,39 @@ openclaw [--dev] [--profile <name>] <command>
 - `--skip-skills`
 - `--skip-health`
 - `--skip-ui`
-- `--node-manager <npm|pnpm|bun>`（推荐 pnpm；不建议将 bun 用于 Gateway 网关运行时）
+- `--node-manager <npm|pnpm|bun>`（推荐 pnpm；不推荐将 bun 用作 Gateway 网关运行时）
 - `--json`
 
 ### `configure`
 
-交互式配置向导（模型、渠道、Skills、Gateway 网关）。
+交互式配置向导（模型、渠道、Skills、gateway）。
 
 ### `config`
 
-非交互式配置辅助工具（get/set/unset）。不带子命令运行 `openclaw config` 会启动向导。
+非交互式配置助手（get/set/unset/file/validate）。直接运行 `openclaw config` 而不带
+子命令会启动向导。
 
 子命令：
 
-- `config get <path>`：打印配置值（点/括号路径）。
-- `config set <path> <value>`：设置值（JSON5 或原始字符串）。
-- `config unset <path>`：删除值。
+- `config get <path>`：打印一个配置值（点 / 方括号路径）。
+- `config set <path> <value>`：设置一个值（JSON5 或原始字符串）。
+- `config unset <path>`：移除一个值。
+- `config file`：打印当前活动配置文件路径。
+- `config validate`：根据 schema 验证当前配置，而不启动 gateway。
+- `config validate --json`：输出机器可读的 JSON。
 
 ### `doctor`
 
-健康检查 + 快速修复（配置 + Gateway 网关 + 旧版服务）。
+健康检查 + 快速修复（配置 + gateway + 旧版服务）。
 
 选项：
 
-- `--no-workspace-suggestions`：禁用工作区记忆提示。
-- `--yes`：无提示接受默认值（无头模式）。
+- `--no-workspace-suggestions`：禁用工作区内存提示。
+- `--yes`：接受默认值而不提示（无头）。
 - `--non-interactive`：跳过提示；仅应用安全迁移。
-- `--deep`：扫描系统服务以查找额外的 Gateway 网关安装。
+- `--deep`：扫描系统服务以查找额外的 gateway 安装。
 
-## 渠道辅助工具
+## 渠道助手
 
 ### `channels`
 
@@ -378,19 +425,21 @@ openclaw [--dev] [--profile <name>] <command>
 子命令：
 
 - `channels list`：显示已配置的渠道和认证配置文件。
-- `channels status`：检查 Gateway 网关可达性和渠道健康状况（`--probe` 运行额外检查；使用 `openclaw health` 或 `openclaw status --deep` 进行 Gateway 网关健康探测）。
-- 提示：`channels status` 在检测到常见配置错误时会打印带有建议修复的警告（然后指向 `openclaw doctor`）。
-- `channels logs`：显示 Gateway 网关日志文件中最近的渠道日志。
-- `channels add`：不传标志时使用向导式设置；标志切换到非交互模式。
-- `channels remove`：默认禁用；传 `--delete` 可无提示删除配置条目。
-- `channels login`：交互式渠道登录（仅限 WhatsApp Web）。
-- `channels logout`：登出渠道会话（如支持）。
+- `channels status`：检查 gateway 可达性和渠道健康状态（`--probe` 会运行额外检查；gateway 健康探测请使用 `openclaw health` 或 `openclaw status --deep`）。
+- 提示：如果能够检测到常见配置错误，`channels status` 会打印带建议修复方式的警告（随后指向 `openclaw doctor`）。
+- `channels logs`：显示 gateway 日志文件中的最近渠道日志。
+- `channels add`：未传入任何标志时为向导式设置；传入标志后切换为非交互模式。
+  - 当向仍使用单账户顶层配置的渠道添加非默认账户时，OpenClaw 会先将账户作用域值移动到 `channels.<channel>.accounts.default`，再写入新账户。
+  - 非交互式 `channels add` 不会自动创建 / 升级绑定；仅渠道绑定会继续匹配默认账户。
+- `channels remove`：默认执行禁用；传入 `--delete` 可在无提示下删除配置项。
+- `channels login`：交互式渠道登录（仅 WhatsApp Web）。
+- `channels logout`：登出某个渠道会话（如支持）。
 
 通用选项：
 
 - `--channel <name>`：`whatsapp|telegram|discord|googlechat|slack|mattermost|signal|imessage|msteams`
 - `--account <id>`：渠道账户 id（默认 `default`）
-- `--name <label>`：账户的显示名称
+- `--name <label>`：账户显示名称
 
 `channels login` 选项：
 
@@ -405,8 +454,8 @@ openclaw [--dev] [--profile <name>] <command>
 
 `channels list` 选项：
 
-- `--no-usage`：跳过模型提供商用量/配额快照（仅限 OAuth/API 支持的）。
-- `--json`：输出 JSON（除非设置 `--no-usage`，否则包含用量）。
+- `--no-usage`：跳过模型提供商用量 / 配额快照（仅 OAuth / API 支持）。
+- `--json`：输出 JSON（除非设置了 `--no-usage`，否则包含用量）。
 
 `channels logs` 选项：
 
@@ -414,7 +463,7 @@ openclaw [--dev] [--profile <name>] <command>
 - `--lines <n>`（默认 `200`）
 - `--json`
 
-更多详情：[/concepts/oauth](/concepts/oauth)
+更多细节：[/concepts/oauth](/concepts/oauth)
 
 示例：
 
@@ -428,19 +477,19 @@ openclaw status --deep
 
 ### `skills`
 
-列出和检查可用的 Skills 及就绪信息。
+列出并检查可用 Skills，以及就绪信息。
 
 子命令：
 
-- `skills list`：列出 Skills（无子命令时的默认行为）。
+- `skills list`：列出 Skills（未指定子命令时的默认行为）。
 - `skills info <name>`：显示单个 Skill 的详情。
-- `skills check`：就绪与缺失需求的摘要。
+- `skills check`：汇总已就绪与缺失的要求。
 
 选项：
 
-- `--eligible`：仅显示就绪的 Skills。
+- `--eligible`：仅显示已就绪的 Skills。
 - `--json`：输出 JSON（无样式）。
-- `-v`、`--verbose`：包含缺失需求详情。
+- `-v`, `--verbose`：包含缺失要求的详细信息。
 
 提示：使用 `npx clawhub` 搜索、安装和同步 Skills。
 
@@ -450,31 +499,46 @@ openclaw status --deep
 
 子命令：
 
-- `pairing list <channel> [--json]`
-- `pairing approve <channel> <code> [--notify]`
+- `pairing list [channel] [--channel <channel>] [--account <id>] [--json]`
+- `pairing approve <channel> <code> [--account <id>] [--notify]`
+- `pairing approve --channel <channel> [--account <id>] <code> [--notify]`
 
-### `webhooks gmail`
+### `devices`
 
-Gmail Pub/Sub 钩子设置 + 运行器。参见 [/automation/gmail-pubsub](/automation/gmail-pubsub)。
+管理 gateway 设备配对条目和按角色划分的设备 token。
 
 子命令：
 
-- `webhooks gmail setup`（需要 `--account <email>`；支持 `--project`、`--topic`、`--subscription`、`--label`、`--hook-url`、`--hook-token`、`--push-token`、`--bind`、`--port`、`--path`、`--include-body`、`--max-bytes`、`--renew-minutes`、`--tailscale`、`--tailscale-path`、`--tailscale-target`、`--push-endpoint`、`--json`）
-- `webhooks gmail run`（相同标志的运行时覆盖）
+- `devices list [--json]`
+- `devices approve [requestId] [--latest]`
+- `devices reject <requestId>`
+- `devices remove <deviceId>`
+- `devices clear --yes [--pending]`
+- `devices rotate --device <id> --role <role> [--scope <scope...>]`
+- `devices revoke --device <id> --role <role>`
+
+### `webhooks gmail`
+
+Gmail Pub/Sub hook 设置 + 运行器。参见 [/automation/gmail-pubsub](/automation/gmail-pubsub)。
+
+子命令：
+
+- `webhooks gmail setup`（要求 `--account <email>`；支持 `--project`, `--topic`, `--subscription`, `--label`, `--hook-url`, `--hook-token`, `--push-token`, `--bind`, `--port`, `--path`, `--include-body`, `--max-bytes`, `--renew-minutes`, `--tailscale`, `--tailscale-path`, `--tailscale-target`, `--push-endpoint`, `--json`）
+- `webhooks gmail run`（对相同标志进行运行时覆盖）
 
 ### `dns setup`
 
-广域发现 DNS 辅助工具（CoreDNS + Tailscale）。参见 [/gateway/discovery](/gateway/discovery)。
+广域设备发现 DNS 助手（CoreDNS + Tailscale）。参见 [/gateway/discovery](/gateway/discovery)。
 
 选项：
 
-- `--apply`：安装/更新 CoreDNS 配置（需要 sudo；仅限 macOS）。
+- `--apply`：安装 / 更新 CoreDNS 配置（需要 sudo；仅 macOS）。
 
 ## 消息 + 智能体
 
 ### `message`
 
-统一的出站消息 + 渠道操作。
+统一的出站消息发送 + 渠道操作。
 
 参见：[/cli/message](/cli/message)
 
@@ -497,17 +561,17 @@ Gmail Pub/Sub 钩子设置 + 运行器。参见 [/automation/gmail-pubsub](/auto
 
 ### `agent`
 
-通过 Gateway 网关运行一个智能体回合（或使用 `--local` 嵌入式运行）。
+通过 Gateway 网关（或 `--local` 嵌入模式）运行一次智能体轮次。
 
-必需：
+必需项：
 
 - `--message <text>`
 
 选项：
 
-- `--to <dest>`（用于会话键和可选发送）
+- `--to <dest>`（用于会话键以及可选投递）
 - `--session-id <id>`
-- `--thinking <off|minimal|low|medium|high|xhigh>`（仅限 GPT-5.2 + Codex 模型）
+- `--thinking <off|minimal|low|medium|high|xhigh>`（仅适用于 GPT-5.2 + Codex 模型）
 - `--verbose <on|full|off>`
 - `--channel <whatsapp|telegram|discord|slack|mattermost|signal|imessage|msteams>`
 - `--local`
@@ -530,7 +594,7 @@ Gmail Pub/Sub 钩子设置 + 运行器。参见 [/automation/gmail-pubsub](/auto
 
 #### `agents add [name]`
 
-添加新的隔离智能体。除非传入标志（或 `--non-interactive`），否则运行引导向导；非交互模式下 `--workspace` 是必需的。
+添加一个新的隔离智能体。除非传入标志（或 `--non-interactive`），否则会运行引导式向导；在非交互模式下必须提供 `--workspace`。
 
 选项：
 
@@ -541,11 +605,41 @@ Gmail Pub/Sub 钩子设置 + 运行器。参见 [/automation/gmail-pubsub](/auto
 - `--non-interactive`
 - `--json`
 
-绑定规范使用 `channel[:accountId]`。对于 WhatsApp，省略 `accountId` 时使用默认账户 id。
+绑定规范使用 `channel[:accountId]`。省略 `accountId` 时，OpenClaw 可能通过渠道默认值 / 插件 hook 解析账户作用域；否则这就是不带显式账户作用域的渠道绑定。
+
+#### `agents bindings`
+
+列出路由绑定。
+
+选项：
+
+- `--agent <id>`
+- `--json`
+
+#### `agents bind`
+
+为智能体添加路由绑定。
+
+选项：
+
+- `--agent <id>`
+- `--bind <channel[:accountId]>`（可重复）
+- `--json`
+
+#### `agents unbind`
+
+移除智能体的路由绑定。
+
+选项：
+
+- `--agent <id>`
+- `--bind <channel[:accountId]>`（可重复）
+- `--all`
+- `--json`
 
 #### `agents delete <id>`
 
-删除智能体并清理其工作区 + 状态。
+删除一个智能体并清理其工作区 + 状态。
 
 选项：
 
@@ -554,44 +648,44 @@ Gmail Pub/Sub 钩子设置 + 运行器。参见 [/automation/gmail-pubsub](/auto
 
 ### `acp`
 
-运行连接 IDE 到 Gateway 网关的 ACP 桥接。
+运行将 IDE 连接到 Gateway 网关的 ACP 桥接器。
 
-完整选项和示例参见 [`acp`](/cli/acp)。
+完整选项和示例请参见 [`acp`](/cli/acp)。
 
 ### `status`
 
-显示关联会话健康状况和最近的收件人。
+显示已链接会话的健康状态和最近收件人。
 
 选项：
 
 - `--json`
-- `--all`（完整诊断；只读，可粘贴）
+- `--all`（完整诊断；只读、可粘贴）
 - `--deep`（探测渠道）
-- `--usage`（显示模型提供商用量/配额）
+- `--usage`（显示模型提供商用量 / 配额）
 - `--timeout <ms>`
 - `--verbose`
 - `--debug`（`--verbose` 的别名）
 
 说明：
 
-- 概览包含 Gateway 网关 + 节点主机服务状态（如可用）。
+- 概览中会在可用时包含 Gateway 网关 + node host 服务状态。
 
 ### 用量跟踪
 
-当 OAuth/API 凭证可用时，OpenClaw 可以显示提供商用量/配额。
+在 OAuth / API 凭据可用时，OpenClaw 可以显示提供商用量 / 配额。
 
-显示位置：
+展示位置：
 
-- `/status`（可用时添加简短的提供商用量行）
+- `/status`（可用时添加一行简短的提供商用量信息）
 - `openclaw status --usage`（打印完整的提供商明细）
-- macOS 菜单栏（上下文下的用量部分）
+- macOS 菜单栏（Context 下的 Usage 部分）
 
 说明：
 
-- 数据直接来自提供商用量端点（非估算）。
-- 提供商：Anthropic、GitHub Copilot、OpenAI Codex OAuth，以及通过捆绑 `google` 插件提供的 Gemini CLI 和已配置的 Antigravity。
-- 如果没有匹配的凭证，用量会被隐藏。
-- 详情：参见[用量跟踪](/concepts/usage-tracking)。
+- 数据直接来自提供商用量端点（不是估算值）。
+- 提供商：Anthropic、GitHub Copilot、OpenAI Codex OAuth，以及打包的 `google` 插件所提供的 Gemini CLI 和在已配置情况下的 Antigravity。
+- 如果不存在匹配的凭据，则不会显示用量。
+- 详情：参见 [用量跟踪](/concepts/usage-tracking)。
 
 ### `health`
 
@@ -605,7 +699,7 @@ Gmail Pub/Sub 钩子设置 + 运行器。参见 [/automation/gmail-pubsub](/auto
 
 ### `sessions`
 
-列出存储的对话会话。
+列出已存储的对话会话。
 
 选项：
 
@@ -614,11 +708,11 @@ Gmail Pub/Sub 钩子设置 + 运行器。参见 [/automation/gmail-pubsub](/auto
 - `--store <path>`
 - `--active <minutes>`
 
-## 重置/卸载
+## 重置 / 卸载
 
 ### `reset`
 
-重置本地配置/状态（保留 CLI 安装）。
+重置本地配置 / 状态（保留已安装的 CLI）。
 
 选项：
 
@@ -629,11 +723,11 @@ Gmail Pub/Sub 钩子设置 + 运行器。参见 [/automation/gmail-pubsub](/auto
 
 说明：
 
-- `--non-interactive` 需要 `--scope` 和 `--yes`。
+- `--non-interactive` 要求同时提供 `--scope` 和 `--yes`。
 
 ### `uninstall`
 
-卸载 Gateway 网关服务 + 本地数据（CLI 保留）。
+卸载 gateway 服务 + 本地数据（CLI 保留）。
 
 选项：
 
@@ -648,7 +742,7 @@ Gmail Pub/Sub 钩子设置 + 运行器。参见 [/automation/gmail-pubsub](/auto
 
 说明：
 
-- `--non-interactive` 需要 `--yes` 和明确的范围（或 `--all`）。
+- `--non-interactive` 要求 `--yes` 和显式作用域（或 `--all`）。
 
 ## Gateway 网关
 
@@ -663,12 +757,13 @@ Gmail Pub/Sub 钩子设置 + 运行器。参见 [/automation/gmail-pubsub](/auto
 - `--token <token>`
 - `--auth <token|password>`
 - `--password <password>`
+- `--password-file <path>`
 - `--tailscale <off|serve|funnel>`
 - `--tailscale-reset-on-exit`
 - `--allow-unconfigured`
 - `--dev`
-- `--reset`（重置 dev 配置 + 凭证 + 会话 + 工作区）
-- `--force`（终止端口上的现有监听器）
+- `--reset`（重置 dev 配置 + 凭据 + 会话 + 工作区）
+- `--force`（杀掉端口上的现有监听器）
 - `--verbose`
 - `--claude-cli-logs`
 - `--ws-log <auto|full|compact>`
@@ -683,7 +778,7 @@ Gmail Pub/Sub 钩子设置 + 运行器。参见 [/automation/gmail-pubsub](/auto
 子命令：
 
 - `gateway status`（默认探测 Gateway 网关 RPC）
-- `gateway install`（服务安装）
+- `gateway install`（安装服务）
 - `gateway uninstall`
 - `gateway start`
 - `gateway stop`
@@ -691,12 +786,14 @@ Gmail Pub/Sub 钩子设置 + 运行器。参见 [/automation/gmail-pubsub](/auto
 
 说明：
 
-- `gateway status` 默认使用服务解析的端口/配置探测 Gateway 网关 RPC（使用 `--url/--token/--password` 覆盖）。
-- `gateway status` 支持 `--no-probe`、`--deep` 和 `--json` 用于脚本化。
-- `gateway status` 在检测到旧版或额外的 Gateway 网关服务时也会显示（`--deep` 添加系统级扫描）。配置文件命名的 OpenClaw 服务被视为一等公民，不会被标记为"额外"。
-- `gateway status` 打印 CLI 使用的配置路径与服务可能使用的配置（服务环境），以及解析的探测目标 URL。
-- `gateway install|uninstall|start|stop|restart` 支持 `--json` 用于脚本化（默认输出保持人类友好）。
-- `gateway install` 默认使用 Node 运行时；**不建议**使用 bun（WhatsApp/Telegram bug）。
+- `gateway status` 默认使用服务解析出的端口 / 配置来探测 Gateway 网关 RPC（可用 `--url/--token/--password` 覆盖）。
+- `gateway status` 支持 `--no-probe`、`--deep`、`--require-rpc` 和 `--json`，便于脚本化。
+- `gateway status` 还能在检测到时显示旧版或额外的 gateway 服务（`--deep` 会增加系统级扫描）。带 profile 名称的 OpenClaw 服务会被视为一等公民，不会标记为“额外”。
+- `gateway status` 会打印 CLI 使用的是哪个配置路径、服务可能使用的是哪个配置（服务环境），以及解析出的探测目标 URL。
+- 如果 gateway 认证 SecretRef 在当前命令路径中未解析，`gateway status --json` 仅会在探测连接 / 认证失败时报告 `rpc.authWarning`（探测成功时会抑制警告）。
+- 在 Linux systemd 安装中，状态 token 漂移检查同时包括 `Environment=` 和 `EnvironmentFile=` 单元来源。
+- `gateway install|uninstall|start|stop|restart` 支持 `--json`，便于脚本化（默认输出仍然更适合人类阅读）。
+- `gateway install` 默认使用 Node 运行时；**不推荐** bun（存在 WhatsApp / Telegram bug）。
 - `gateway install` 选项：`--port`、`--runtime`、`--token`、`--force`、`--json`。
 
 ### `logs`
@@ -705,8 +802,8 @@ Gmail Pub/Sub 钩子设置 + 运行器。参见 [/automation/gmail-pubsub](/auto
 
 说明：
 
-- TTY 会话渲染彩色、结构化视图；非 TTY 回退到纯文本。
-- `--json` 输出行分隔的 JSON（每行一个日志事件）。
+- TTY 会话会渲染彩色的结构化视图；非 TTY 会回退为纯文本。
+- `--json` 会输出逐行 JSON（每行一个日志事件）。
 
 示例：
 
@@ -720,7 +817,9 @@ openclaw logs --no-color
 
 ### `gateway <subcommand>`
 
-Gateway 网关 CLI 辅助工具（RPC 子命令使用 `--url`、`--token`、`--password`、`--timeout`、`--expect-final`）。
+Gateway 网关 CLI 助手（RPC 子命令可使用 `--url`、`--token`、`--password`、`--timeout`、`--expect-final`）。
+当你传入 `--url` 时，CLI 不会自动应用配置或环境凭据。
+请显式包含 `--token` 或 `--password`。缺少显式凭据会报错。
 
 子命令：
 
@@ -738,13 +837,14 @@ Gateway 网关 CLI 辅助工具（RPC 子命令使用 `--url`、`--token`、`--p
 - `config.patch`（合并部分更新 + 重启 + 唤醒）
 - `update.run`（运行更新 + 重启 + 唤醒）
 
-提示：直接调用 `config.set`/`config.apply`/`config.patch` 时，如果配置已存在，请传入来自 `config.get` 的 `baseHash`。
+提示：直接调用 `config.set`/`config.apply`/`config.patch` 时，如果配置已存在，请从
+`config.get` 传入 `baseHash`。
 
 ## 模型
 
-回退行为和扫描策略参见 [/concepts/models](/concepts/models)。
+关于回退行为和扫描策略，请参见 [/concepts/models](/concepts/models)。
 
-首选 Anthropic 认证（setup-token）：
+Anthropic setup-token（已支持）：
 
 ```bash
 claude setup-token
@@ -752,6 +852,10 @@ openclaw models auth setup-token --provider anthropic
 openclaw models status
 ```
 
+策略说明：这是技术兼容性。Anthropic 过去曾阻止某些
+Claude Code 之外的订阅使用；在生产环境依赖 setup-token 之前，请确认当前的 Anthropic
+条款。
+
 ### `models`（根命令）
 
 `openclaw models` 是 `models status` 的别名。
@@ -777,15 +881,16 @@ openclaw models status
 
 - `--json`
 - `--plain`
-- `--check`（退出码 1=过期/缺失，2=即将过期）
+- `--check`（退出码 1=已过期 / 缺失，2=即将过期）
 - `--probe`（对已配置认证配置文件进行实时探测）
 - `--probe-provider <name>`
-- `--probe-profile <id>`（重复或逗号分隔）
+- `--probe-profile <id>`（可重复或逗号分隔）
 - `--probe-timeout <ms>`
 - `--probe-concurrency <n>`
 - `--probe-max-tokens <n>`
 
-始终包含认证概览和认证存储中配置文件的 OAuth 过期状态。`--probe` 运行实时请求（可能消耗令牌并触发速率限制）。
+始终包含认证总览以及认证存储中配置文件的 OAuth 过期状态。
+`--probe` 会发起实时请求（可能消耗 token 并触发速率限制）。
 
 ### `models set <model>`
 
@@ -842,7 +947,7 @@ openclaw models status
 
 选项：
 
-- `add`：交互式认证辅助工具
+- `add`：交互式认证助手
 - `setup-token`：`--provider <name>`（默认 `anthropic`）、`--yes`
 - `paste-token`：`--provider <name>`、`--profile-id <id>`、`--expires-in <duration>`
 
@@ -858,9 +963,9 @@ openclaw models status
 
 ### `system event`
 
-将系统事件加入队列并可选触发心跳（Gateway 网关 RPC）。
+将一个系统事件加入队列，并可选择触发一次 heartbeat（Gateway 网关 RPC）。
 
-必需：
+必需项：
 
 - `--text <text>`
 
@@ -868,47 +973,48 @@ openclaw models status
 
 - `--mode <now|next-heartbeat>`
 - `--json`
-- `--url`、`--token`、`--timeout`、`--expect-final`
+- `--url`, `--token`, `--timeout`, `--expect-final`
 
 ### `system heartbeat last|enable|disable`
 
-心跳控制（Gateway 网关 RPC）。
+heartbeat 控制（Gateway 网关 RPC）。
 
 选项：
 
 - `--json`
-- `--url`、`--token`、`--timeout`、`--expect-final`
+- `--url`, `--token`, `--timeout`, `--expect-final`
 
 ### `system presence`
 
-列出系统存在条目（Gateway 网关 RPC）。
+列出系统 presence 条目（Gateway 网关 RPC）。
 
 选项：
 
 - `--json`
-- `--url`、`--token`、`--timeout`、`--expect-final`
+- `--url`, `--token`, `--timeout`, `--expect-final`
 
-## 定时任务
+## Cron
 
 管理计划任务（Gateway 网关 RPC）。参见 [/automation/cron-jobs](/automation/cron-jobs)。
 
 子命令：
 
 - `cron status [--json]`
-- `cron list [--all] [--json]`（默认表格输出；使用 `--json` 获取原始数据）
-- `cron add`（别名：`create`；需要 `--name` 和 `--at` | `--every` | `--cron` 三选一，以及 `--system-event` | `--message` 负载二选一）
-- `cron edit <id>`（补丁字段）
-- `cron rm <id>`（别名：`remove`、`delete`）
+- `cron list [--all] [--json]`（默认输出表格；原始输出请使用 `--json`）
+- `cron add`（别名：`create`；要求 `--name`，并且必须且只能提供 `--at` | `--every` | `--cron` 之一，以及 `--system-event` | `--message` 之一作为负载）
+- `cron edit <id>`（修补字段）
+- `cron rm <id>`（别名：`remove`, `delete`）
 - `cron enable <id>`
 - `cron disable <id>`
 - `cron runs --id <id> [--limit <n>]`
 - `cron run <id> [--force]`
 
-所有 `cron` 命令接受 `--url`、`--token`、`--timeout`、`--expect-final`。
+所有 `cron` 命令都接受 `--url`、`--token`、`--timeout`、`--expect-final`。
 
-## 节点主机
+## Node 主机
 
-`node` 运行**无头节点主机**或将其作为后台服务管理。参见 [`openclaw node`](/cli/node)。
+`node` 运行一个**无头 node host**，或将其作为后台服务进行管理。参见
+[`openclaw node`](/cli/node)。
 
 子命令：
 
@@ -919,13 +1025,18 @@ openclaw models status
 - `node stop`
 - `node restart`
 
-## 节点
+认证说明：
 
-`nodes` 与 Gateway 网关通信并针对已配对的节点。参见 [/nodes](/nodes)。
+- `node` 从环境 / 配置解析 gateway 认证（不支持 `--token`/`--password` 标志）：`OPENCLAW_GATEWAY_TOKEN` / `OPENCLAW_GATEWAY_PASSWORD`，然后是 `gateway.auth.*`。在本地模式下，node host 会有意忽略 `gateway.remote.*`；在 `gateway.mode=remote` 时，`gateway.remote.*` 会根据远程优先级规则参与解析。
+- 旧版 `CLAWDBOT_GATEWAY_*` 环境变量会被有意忽略，不用于 node-host 认证解析。
+
+## Nodes
+
+`nodes` 与 Gateway 网关通信，并以已配对节点为目标。参见 [/nodes](/nodes)。
 
 通用选项：
 
-- `--url`、`--token`、`--timeout`、`--json`
+- `--url`, `--token`, `--timeout`, `--json`
 
 子命令：
 
@@ -937,8 +1048,8 @@ openclaw models status
 - `nodes reject <requestId>`
 - `nodes rename --node <id|name|ip> --name <displayName>`
 - `nodes invoke --node <id|name|ip> --command <command> [--params <json>] [--invoke-timeout <ms>] [--idempotency-key <key>]`
-- `nodes run --node <id|name|ip> [--cwd <path>] [--env KEY=VAL] [--command-timeout <ms>] [--needs-screen-recording] [--invoke-timeout <ms>] <command...>`（mac 节点或无头节点主机）
-- `nodes notify --node <id|name|ip> [--title <text>] [--body <text>] [--sound <name>] [--priority <passive|active|timeSensitive>] [--delivery <system|overlay|auto>] [--invoke-timeout <ms>]`（仅限 mac）
+- `nodes run --node <id|name|ip> [--cwd <path>] [--env KEY=VAL] [--command-timeout <ms>] [--needs-screen-recording] [--invoke-timeout <ms>] <command...>`（mac 节点或无头 node host）
+- `nodes notify --node <id|name|ip> [--title <text>] [--body <text>] [--sound <name>] [--priority <passive|active|timeSensitive>] [--delivery <system|overlay|auto>] [--invoke-timeout <ms>]`（仅 mac）
 
 相机：
 
@@ -946,7 +1057,7 @@ openclaw models status
 - `nodes camera snap --node <id|name|ip> [--facing front|back|both] [--device-id <id>] [--max-width <px>] [--quality <0-1>] [--delay-ms <ms>] [--invoke-timeout <ms>]`
 - `nodes camera clip --node <id|name|ip> [--facing front|back] [--device-id <id>] [--duration <ms|10s|1m>] [--no-audio] [--invoke-timeout <ms>]`
 
-画布 + 屏幕：
+Canvas + 屏幕：
 
 - `nodes canvas snapshot --node <id|name|ip> [--format png|jpg|jpeg] [--max-width <px>] [--quality <0-1>] [--invoke-timeout <ms>]`
 - `nodes canvas present --node <id|name|ip> [--target <urlOrPath>] [--x <px>] [--y <px>] [--width <px>] [--height <px>] [--invoke-timeout <ms>]`
@@ -963,11 +1074,11 @@ openclaw models status
 
 ## 浏览器
 
-浏览器控制 CLI（专用 Chrome/Brave/Edge/Chromium）。参见 [`openclaw browser`](/cli/browser) 和[浏览器工具](/tools/browser)。
+浏览器控制 CLI（专用 Chrome/Brave/Edge/Chromium）。参见 [`openclaw browser`](/cli/browser) 和 [Browser 工具](/tools/browser)。
 
 通用选项：
 
-- `--url`、`--token`、`--timeout`、`--json`
+- `--url`, `--token`, `--timeout`, `--json`
 - `--browser-profile <name>`
 
 管理：
@@ -1011,7 +1122,7 @@ openclaw models status
 
 ### `docs [query...]`
 
-搜索在线文档索引。
+搜索实时文档索引。
 
 ## TUI
 
@@ -1028,5 +1139,5 @@ openclaw models status
 - `--deliver`
 - `--thinking <level>`
 - `--message <text>`
-- `--timeout-ms <ms>`（默认为 `agents.defaults.timeoutSeconds`）
+- `--timeout-ms <ms>`（默认值为 `agents.defaults.timeoutSeconds`）
 - `--history-limit <n>`
diff --git a/docs/zh-CN/cli/onboard.md b/docs/zh-CN/cli/onboard.md
index a68329d84cc..66588b9d795 100644
--- a/docs/zh-CN/cli/onboard.md
+++ b/docs/zh-CN/cli/onboard.md
@@ -1,24 +1,28 @@
 ---
 read_when:
-  - 你想要 Gateway 网关、工作区、认证、渠道和 Skills 的引导式设置
-summary: "`openclaw onboard` 的 CLI 参考（交互式新手引导向导）"
+  - 你想通过引导式设置来配置 Gateway 网关、工作区、身份验证、渠道和 Skills
+summary: "`openclaw onboard` 的 CLI 参考（交互式设置向导）"
 title: onboard
 x-i18n:
-  generated_at: "2026-02-03T07:45:00Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: a661049a6983233986a880a68440a3bcc6869ee2c4c6f5e9f3ab8ff973e22f60
+  generated_at: "2026-03-16T06:21:32Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 04d7747342c582abcfcafff28847b4297f65ada665157d9cfbe3dbb258ee31d9
   source_path: cli/onboard.md
   workflow: 15
 ---
 
 # `openclaw onboard`
 
-交互式新手引导向导（本地或远程 Gateway 网关设置）。
+交互式设置向导（本地或远程 Gateway 网关设置）。
 
-相关内容：
+## 相关指南
 
-- 向导指南：[新手引导](/start/onboarding)
+- CLI 新手引导中心：[设置向导（CLI）](/start/wizard)
+- 新手引导概览：[新手引导概览](/start/onboarding-overview)
+- CLI 新手引导参考：[CLI 设置参考](/start/wizard-cli-reference)
+- CLI 自动化：[CLI 自动化](/start/wizard-cli-automation)
+- macOS 新手引导：[新手引导（macOS 应用）](/start/onboarding)
 
 ## 示例
 
@@ -26,11 +30,135 @@ x-i18n:
 openclaw onboard
 openclaw onboard --flow quickstart
 openclaw onboard --flow manual
-openclaw onboard --mode remote --remote-url ws://gateway-host:18789
+openclaw onboard --mode remote --remote-url wss://gateway-host:18789
+```
+
+对于明文私有网络 `ws://` 目标（仅限受信任网络），请在新手引导进程环境中设置
+`OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1`。
+
+非交互式自定义提供商：
+
+```bash
+openclaw onboard --non-interactive \
+  --auth-choice custom-api-key \
+  --custom-base-url "https://llm.example.com/v1" \
+  --custom-model-id "foo-large" \
+  --custom-api-key "$CUSTOM_API_KEY" \
+  --secret-input-mode plaintext \
+  --custom-compatibility openai
+```
+
+在非交互式模式下，`--custom-api-key` 是可选的。如果省略，新手引导会检查 `CUSTOM_API_KEY`。
+
+非交互式 Ollama：
+
+```bash
+openclaw onboard --non-interactive \
+  --auth-choice ollama \
+  --custom-base-url "http://ollama-host:11434" \
+  --custom-model-id "qwen3.5:27b" \
+  --accept-risk
+```
+
+`--custom-base-url` 默认为 `http://127.0.0.1:11434`。`--custom-model-id` 是可选的；如果省略，新手引导会使用 Ollama 建议的默认值。像 `kimi-k2.5:cloud` 这样的云端模型 ID 在这里也可用。
+
+将提供商密钥存储为引用而不是明文：
+
+```bash
+openclaw onboard --non-interactive \
+  --auth-choice openai-api-key \
+  --secret-input-mode ref \
+  --accept-risk
+```
+
+使用 `--secret-input-mode ref` 时，新手引导会写入由环境变量支持的引用，而不是明文密钥值。
+对于由 auth-profile 支持的提供商，这会写入 `keyRef` 条目；对于自定义提供商，这会将 `models.providers.<id>.apiKey` 写为环境变量引用（例如 `{ source: "env", provider: "default", id: "CUSTOM_API_KEY" }`）。
+
+非交互式 `ref` 模式约定：
+
+- 在新手引导进程环境中设置提供商环境变量（例如 `OPENAI_API_KEY`）。
+- 不要传递内联密钥标志（例如 `--openai-api-key`），除非该环境变量也已设置。
+- 如果传递了内联密钥标志但未设置所需环境变量，新手引导会快速失败并提供指引。
+
+非交互式模式中的 Gateway 网关令牌选项：
+
+- `--gateway-auth token --gateway-token <token>` 存储明文令牌。
+- `--gateway-auth token --gateway-token-ref-env <name>` 将 `gateway.auth.token` 存储为环境变量 SecretRef。
+- `--gateway-token` 和 `--gateway-token-ref-env` 互斥。
+- `--gateway-token-ref-env` 要求在新手引导进程环境中存在一个非空环境变量。
+- 使用 `--install-daemon` 时，当令牌身份验证需要令牌时，由 SecretRef 管理的 Gateway 网关令牌会被验证，但不会以已解析的明文形式持久化到 supervisor 服务环境元数据中。
+- 使用 `--install-daemon` 时，如果令牌模式需要令牌，而配置的令牌 SecretRef 未解析，新手引导会以封闭失败方式终止，并提供修复指引。
+- 使用 `--install-daemon` 时，如果同时配置了 `gateway.auth.token` 和 `gateway.auth.password`，且 `gateway.auth.mode` 未设置，新手引导会阻止安装，直到显式设置 mode。
+
+示例：
+
+```bash
+export OPENCLAW_GATEWAY_TOKEN="your-token"
+openclaw onboard --non-interactive \
+  --mode local \
+  --auth-choice skip \
+  --gateway-auth token \
+  --gateway-token-ref-env OPENCLAW_GATEWAY_TOKEN \
+  --accept-risk
+```
+
+非交互式本地 Gateway 网关健康检查：
+
+- 除非你传递 `--skip-health`，否则新手引导会等待本地 Gateway 网关可访问后才成功退出。
+- `--install-daemon` 会先启动受管 Gateway 网关安装路径。不使用它时，你必须已经有一个正在运行的本地 Gateway 网关，例如 `openclaw gateway run`。
+- 如果你只想在自动化中写入配置/工作区/bootstrap，请使用 `--skip-health`。
+- 在原生 Windows 上，`--install-daemon` 会先尝试 Scheduled Tasks；如果任务创建被拒绝，则回退到每用户 Startup 文件夹登录项。
+
+带引用模式的交互式新手引导行为：
+
+- 出现提示时，选择**使用密钥引用**。
+- 然后选择以下之一：
+  - 环境变量
+  - 已配置的密钥提供商（`file` 或 `exec`）
+- 新手引导会在保存引用前执行快速预检验证。
+  - 如果验证失败，新手引导会显示错误并让你重试。
+
+非交互式 Z.AI 端点选择：
+
+注意：`--auth-choice zai-api-key` 现在会为你的密钥自动检测最佳 Z.AI 端点（优先使用通用 API 搭配 `zai/glm-5`）。
+如果你明确想使用 GLM Coding Plan 端点，请选择 `zai-coding-global` 或 `zai-coding-cn`。
+
+```bash
+# 无提示端点选择
+openclaw onboard --non-interactive \
+  --auth-choice zai-coding-global \
+  --zai-api-key "$ZAI_API_KEY"
+
+# 其他 Z.AI 端点选择：
+# --auth-choice zai-coding-cn
+# --auth-choice zai-global
+# --auth-choice zai-cn
+```
+
+非交互式 Mistral 示例：
+
+```bash
+openclaw onboard --non-interactive \
+  --auth-choice mistral-api-key \
+  --mistral-api-key "$MISTRAL_API_KEY"
 ```
 
 流程说明：
 
 - `quickstart`：最少提示，自动生成 Gateway 网关令牌。
-- `manual`：完整的端口/绑定/认证提示（`advanced` 的别名）。
-- 最快开始聊天：`openclaw dashboard`（控制 UI，无需渠道设置）。
+- `manual`：提供端口/绑定/身份验证的完整提示（`advanced` 的别名）。
+- 本地新手引导私信范围行为：[CLI 设置参考](/start/wizard-cli-reference#outputs-and-internals)。
+- 最快开始第一次聊天：`openclaw dashboard`（控制 UI，无需设置渠道）。
+- 自定义提供商：连接任何兼容 OpenAI 或 Anthropic 的端点，
+  包括未列出的托管提供商。使用 Unknown 进行自动检测。
+
+## 常见后续命令
+
+```bash
+openclaw configure
+openclaw agents add <name>
+```
+
+<Note>
+`--json` 不代表非交互式模式。脚本请使用 `--non-interactive`。
+</Note>
diff --git a/docs/zh-CN/cli/setup.md b/docs/zh-CN/cli/setup.md
index ec67b889bca..18936b3bd24 100644
--- a/docs/zh-CN/cli/setup.md
+++ b/docs/zh-CN/cli/setup.md
@@ -1,16 +1,16 @@
 ---
 read_when:
-  - 你在不使用完整新手引导向导的情况下进行首次设置
+  - 你正在进行首次运行设置，但不使用完整的设置向导
   - 你想设置默认工作区路径
 summary: "`openclaw setup` 的 CLI 参考（初始化配置 + 工作区）"
 title: setup
 x-i18n:
-  generated_at: "2026-02-01T20:21:26Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: 7f3fc8b246924edf48501785be2c0d356bd31bfbb133e75a139a5ee41dbf57f4
+  generated_at: "2026-03-16T06:21:20Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: b6d6fef6642a4fdf9880ea4f752981b5ed0404289274ee3429ee31702873e3ea
   source_path: cli/setup.md
-  workflow: 14
+  workflow: 15
 ---
 
 # `openclaw setup`
@@ -19,7 +19,7 @@ x-i18n:
 
 相关内容：
 
-- 快速开始：[快速开始](/start/getting-started)
+- 入门指南：[入门指南](/start/getting-started)
 - 向导：[新手引导](/start/onboarding)
 
 ## 示例
diff --git a/docs/zh-CN/concepts/agent-workspace.md b/docs/zh-CN/concepts/agent-workspace.md
index 7438a790d2c..698518691f6 100644
--- a/docs/zh-CN/concepts/agent-workspace.md
+++ b/docs/zh-CN/concepts/agent-workspace.md
@@ -5,28 +5,26 @@ read_when:
 summary: 智能体工作区：位置、布局和备份策略
 title: 智能体工作区
 x-i18n:
-  generated_at: "2026-02-03T07:45:49Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: 84c550fd89b5f2474aeae586795485fd29d36effbb462f13342b31540fc18b82
+  generated_at: "2026-03-16T06:21:45Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 6854ddbebe2d21da08c4e1773da6a44f02c815070677821996dab4c91cfb9cd4
   source_path: concepts/agent-workspace.md
   workflow: 15
 ---
 
 # 智能体工作区
 
-工作区是智能体的家。它是文件工具和工作区上下文使用的唯一工作目录。请保持其私密性并将其视为记忆。
+工作区是智能体的“家”。它是文件工具和工作区上下文所使用的唯一工作目录。请将其保持为私有，并将其视为记忆。
 
-这与 `~/.openclaw/` 是分开的，后者存储配置、凭证和会话。
+这与存储配置、凭证和会话的 `~/.openclaw/` 是分开的。
 
-**重要：** 工作区是**默认 cwd**，而不是硬性沙箱。工具会根据工作区解析相对路径，但绝对路径仍然可以访问主机上的其他位置，除非启用了沙箱隔离。如果你需要隔离，请使用
-[`agents.defaults.sandbox`](/gateway/sandboxing)（和/或每智能体沙箱配置）。
-当启用沙箱隔离且 `workspaceAccess` 不是 `"rw"` 时，工具在 `~/.openclaw/sandboxes` 下的沙箱工作区内操作，而不是你的主机工作区。
+**重要：**工作区是**默认 cwd**，而不是硬性沙箱。工具会相对于工作区解析相对路径，但除非启用沙箱隔离，否则绝对路径仍然可以访问主机上的其他位置。如果你需要隔离，请使用 [`agents.defaults.sandbox`](/gateway/sandboxing)（和/或按智能体配置的沙箱）。启用沙箱隔离后，如果 `workspaceAccess` 不是 `"rw"`，工具会在 `~/.openclaw/sandboxes` 下的沙箱工作区中运行，而不是在你的主机工作区中运行。
 
 ## 默认位置
 
-- 默认：`~/.openclaw/workspace`
-- 如果设置了 `OPENCLAW_PROFILE` 且不是 `"default"`，默认值变为
+- 默认值：`~/.openclaw/workspace`
+- 如果设置了 `OPENCLAW_PROFILE` 且其值不是 `"default"`，默认值将变为
   `~/.openclaw/workspace-<profile>`。
 - 在 `~/.openclaw/openclaw.json` 中覆盖：
 
@@ -38,9 +36,10 @@ x-i18n:
 }
 ```
 
-`openclaw onboard`、`openclaw configure` 或 `openclaw setup` 将创建工作区并在缺失时填充引导文件。
+`openclaw onboard`、`openclaw configure` 或 `openclaw setup` 会在工作区缺失时创建工作区并植入引导文件。
+沙箱种子复制仅接受工作区内的常规文件；解析到源工作区外部的符号链接/硬链接别名会被忽略。
 
-如果你已经自己管理工作区文件，可以禁用引导文件创建：
+如果你已经自行管理工作区文件，可以禁用引导文件创建：
 
 ```json5
 { agent: { skipBootstrap: true } }
@@ -48,91 +47,92 @@ x-i18n:
 
 ## 额外的工作区文件夹
 
-旧版安装可能创建了 `~/openclaw`。保留多个工作区目录可能会导致混乱的认证或状态漂移，因为同一时间只有一个工作区是活动的。
+较旧的安装可能创建过 `~/openclaw`。保留多个工作区目录可能会导致令人困惑的凭证或状态漂移，因为同一时间只有一个工作区处于活动状态。
 
-**建议：** 保持单个活动工作区。如果你不再使用额外的文件夹，请归档或移至废纸篓（例如 `trash ~/openclaw`）。
-如果你有意保留多个工作区，请确保 `agents.defaults.workspace` 指向活动的那个。
+**建议：**只保留一个活动工作区。如果你不再使用额外的文件夹，请将其归档或移到废纸篓（例如 `trash ~/openclaw`）。
+如果你有意保留多个工作区，请确保
+`agents.defaults.workspace` 指向当前活动的那个。
 
-`openclaw doctor` 在检测到额外工作区目录时会发出警告。
+当 `openclaw doctor` 检测到额外的工作区目录时，会发出警告。
 
 ## 工作区文件映射（每个文件的含义）
 
-这些是 OpenClaw 在工作区内期望的标准文件：
+以下是 OpenClaw 在工作区内预期的标准文件：
 
 - `AGENTS.md`
-  - 智能体的操作指南以及它应该如何使用记忆。
-  - 在每个会话开始时加载。
-  - 适合放置规则、优先级和"如何行为"的详细信息。
+  - 智能体的操作说明，以及它应如何使用记忆。
+  - 每次会话开始时加载。
+  - 很适合放置规则、优先级和“如何表现”之类的细节。
 
 - `SOUL.md`
   - 人设、语气和边界。
-  - 每个会话加载。
+  - 每次会话都会加载。
 
 - `USER.md`
-  - 用户是谁以及如何称呼他们。
-  - 每个会话加载。
+  - 用户是谁，以及应如何称呼他们。
+  - 每次会话都会加载。
 
 - `IDENTITY.md`
-  - 智能体的名称、风格和表情符号。
+  - 智能体的名称、风格和 emoji。
   - 在引导仪式期间创建/更新。
 
 - `TOOLS.md`
-  - 关于你本地工具和惯例的注释。
-  - 不控制工具可用性；仅作为指导。
+  - 关于你的本地工具和约定的说明。
+  - 它不控制工具可用性；仅提供指导。
 
 - `HEARTBEAT.md`
-  - 可选的心跳运行小型检查清单。
-  - 保持简短以避免 token 消耗。
+  - 可选的心跳运行微型检查清单。
+  - 保持简短以避免消耗过多 token。
 
 - `BOOT.md`
-  - 当启用内部 hooks 时，在 Gateway 网关重启时执行的可选启动检查清单。
-  - 保持简短；使用 message 工具进行出站发送。
+  - 可选的启动检查清单；当启用内部 hooks 时，会在 Gateway 网关重启时执行。
+  - 保持简短；出站发送请使用消息工具。
 
 - `BOOTSTRAP.md`
-  - 一次性首次运行仪式。
-  - 仅为全新工作区创建。
-  - 仪式完成后删除它。
+  - 一次性的首次运行仪式。
+  - 仅为全新的工作区创建。
+  - 仪式完成后请将其删除。
 
 - `memory/YYYY-MM-DD.md`
   - 每日记忆日志（每天一个文件）。
-  - 建议在会话开始时读取今天 + 昨天的内容。
+  - 建议在会话开始时阅读今天和昨天的内容。
 
 - `MEMORY.md`（可选）
   - 精选的长期记忆。
-  - 仅在主私密会话中加载（不在共享/群组上下文中）。
+  - 仅在主私有会话中加载（不在共享/群组上下文中加载）。
 
-参见 [记忆](/concepts/memory) 了解工作流程和自动记忆刷新。
+有关工作流和自动记忆刷新，请参见[记忆](/concepts/memory)。
 
 - `skills/`（可选）
-  - 工作区特定的 Skills。
-  - 当名称冲突时覆盖托管/捆绑的 Skills。
+  - 工作区专用技能。
+  - 名称冲突时会覆盖托管/捆绑的 Skills。
 
 - `canvas/`（可选）
   - 用于节点显示的 Canvas UI 文件（例如 `canvas/index.html`）。
 
-如果任何引导文件缺失，OpenClaw 会在会话中注入"缺失文件"标记并继续。大型引导文件在注入时会被截断；使用 `agents.defaults.bootstrapMaxChars` 调整限制（默认：20000）。
-`openclaw setup` 可以重新创建缺失的默认值而不覆盖现有文件。
+如果任何引导文件缺失，OpenClaw 会在会话中注入一个“缺失文件”标记并继续执行。注入时，大型引导文件会被截断；可使用 `agents.defaults.bootstrapMaxChars`（默认：20000）和 `agents.defaults.bootstrapTotalMaxChars`（默认：150000）调整限制。
+`openclaw setup` 可以重新创建缺失的默认文件，而不会覆盖现有文件。
 
-## 工作区中不包含的内容
+## 不在工作区中的内容
 
-这些位于 `~/.openclaw/` 下，不应提交到工作区仓库：
+这些内容位于 `~/.openclaw/` 下，**不应**提交到工作区仓库：
 
 - `~/.openclaw/openclaw.json`（配置）
-- `~/.openclaw/credentials/`（OAuth token、API 密钥）
-- `~/.openclaw/agents/<agentId>/sessions/`（会话记录 + 元数据）
-- `~/.openclaw/skills/`（托管的 Skills）
+- `~/.openclaw/credentials/`（OAuth 令牌、API 密钥）
+- `~/.openclaw/agents/<agentId>/sessions/`（会话记录和元数据）
+- `~/.openclaw/skills/`（托管 Skills）
 
-如果你需要迁移会话或配置，请单独复制它们并将它们排除在版本控制之外。
+如果你需要迁移会话或配置，请单独复制它们，并确保不要将其纳入版本控制。
 
 ## Git 备份（推荐，私有）
 
-将工作区视为私密记忆。将其放入**私有** git 仓库以便备份和恢复。
+将工作区视为私有记忆。把它放进一个**私有** git 仓库，以便备份并可恢复。
 
-在运行 Gateway 网关的机器上执行这些步骤（工作区就在那里）。
+请在 Gateway 网关运行的机器上执行这些步骤（工作区就位于那里）。
 
 ### 1）初始化仓库
 
-如果安装了 git，全新工作区会自动初始化。如果此工作区还不是仓库，请运行：
+如果已安装 git，全新工作区会自动初始化。如果这个工作区还不是仓库，请运行：
 
 ```bash
 cd ~/.openclaw/workspace
@@ -141,14 +141,14 @@ git add AGENTS.md SOUL.md TOOLS.md IDENTITY.md USER.md HEARTBEAT.md memory/
 git commit -m "Add agent workspace"
 ```
 
-### 2）添加私有远程（适合初学者的选项）
+### 2）添加私有远程仓库（适合新手的选项）
 
-选项 A：GitHub 网页界面
+选项 A：GitHub Web UI
 
-1. 在 GitHub 上创建新的**私有**仓库。
-2. 不要用 README 初始化（避免合并冲突）。
+1. 在 GitHub 上创建一个新的**私有**仓库。
+2. 不要使用 README 初始化（以避免合并冲突）。
 3. 复制 HTTPS 远程 URL。
-4. 添加远程并推送：
+4. 添加远程仓库并推送：
 
 ```bash
 git branch -M main
@@ -163,12 +163,12 @@ gh auth login
 gh repo create openclaw-workspace --private --source . --remote origin --push
 ```
 
-选项 C：GitLab 网页界面
+选项 C：GitLab Web UI
 
-1. 在 GitLab 上创建新的**私有**仓库。
-2. 不要用 README 初始化（避免合并冲突）。
+1. 在 GitLab 上创建一个新的**私有**仓库。
+2. 不要使用 README 初始化（以避免合并冲突）。
 3. 复制 HTTPS 远程 URL。
-4. 添加远程并推送：
+4. 添加远程仓库并推送：
 
 ```bash
 git branch -M main
@@ -187,15 +187,15 @@ git push
 
 ## 不要提交密钥
 
-即使在私有仓库中，也要避免在工作区中存储密钥：
+即使在私有仓库中，也应避免在工作区中存储密钥：
 
-- API 密钥、OAuth token、密码或私有凭证。
+- API 密钥、OAuth 令牌、密码或私有凭证。
 - `~/.openclaw/` 下的任何内容。
-- 聊天的原始转储或敏感附件。
+- 聊天原始转储或敏感附件。
 
-如果你必须存储敏感引用，请使用占位符并将真正的密钥保存在其他地方（密码管理器、环境变量或 `~/.openclaw/`）。
+如果你必须存储敏感引用，请使用占位符，并将真实密钥保存在其他地方（密码管理器、环境变量或 `~/.openclaw/`）。
 
-建议的 `.gitignore` 起始配置：
+建议的 `.gitignore` 起始内容：
 
 ```gitignore
 .DS_Store
@@ -207,13 +207,13 @@ git push
 
 ## 将工作区迁移到新机器
 
-1. 将仓库克隆到所需路径（默认 `~/.openclaw/workspace`）。
+1. 将仓库克隆到所需路径（默认是 `~/.openclaw/workspace`）。
 2. 在 `~/.openclaw/openclaw.json` 中将 `agents.defaults.workspace` 设置为该路径。
-3. 运行 `openclaw setup --workspace <path>` 来填充任何缺失的文件。
-4. 如果你需要会话，请单独从旧机器复制 `~/.openclaw/agents/<agentId>/sessions/`。
+3. 运行 `openclaw setup --workspace <path>` 以植入任何缺失的文件。
+4. 如果你需要会话，请将旧机器上的 `~/.openclaw/agents/<agentId>/sessions/` 单独复制过来。
 
-## 高级注意事项
+## 高级说明
 
-- 多智能体路由可以为每个智能体使用不同的工作区。参见
-  [渠道路由](/channels/channel-routing) 了解路由配置。
-- 如果启用了 `agents.defaults.sandbox`，非主会话可以在 `agents.defaults.sandbox.workspaceRoot` 下使用每会话沙箱工作区。
+- 多智能体路由可以为不同智能体使用不同的工作区。有关路由配置，请参见
+  [渠道路由](/channels/channel-routing)。
+- 如果启用了 `agents.defaults.sandbox`，非主会话可以在 `agents.defaults.sandbox.workspaceRoot` 下使用按会话划分的沙箱工作区。
diff --git a/docs/zh-CN/concepts/model-providers.md b/docs/zh-CN/concepts/model-providers.md
index 716e007a3ba..ebbe5af3271 100644
--- a/docs/zh-CN/concepts/model-providers.md
+++ b/docs/zh-CN/concepts/model-providers.md
@@ -1,107 +1,155 @@
 ---
 read_when:
-  - 你需要一份逐提供商的模型设置参考
-  - 你需要模型提供商的示例配置或 CLI 新手引导命令
-summary: 模型提供商概览，包含示例配置和 CLI 流程
+  - 你需要按提供商划分的模型设置参考
+  - 你想要模型提供商的示例配置或 CLI 新手引导命令
+summary: 模型提供商概览，包含示例配置 + CLI 流程
 title: 模型提供商
 x-i18n:
-  generated_at: "2026-03-16T02:12:40Z"
-  model: claude-opus-4-6
-  provider: pi
-  source_hash: 978798c80c5809c162f9807072ab48fdf99bfe0db39b2b3c245ce8b4e5451603
+  generated_at: "2026-03-16T06:22:52Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 1b84eea0103a59e77571f82c800c9c0ad9fc554e8c9b2c1fd15c2cc121e7f6b4
   source_path: concepts/model-providers.md
   workflow: 15
 ---
 
 # 模型提供商
 
-本页涵盖 **LLM/模型提供商** （不是 WhatsApp/Telegram 等聊天渠道）。
-有关模型选择规则，请参阅 [/concepts/models](/concepts/models)。
+本页介绍的是 **LLM/模型提供商**（而不是像 WhatsApp/Telegram 这样的聊天渠道）。
+有关模型选择规则，请参见 [/concepts/models](/concepts/models)。
 
 ## 快速规则
 
-- 模型引用使用 `provider/model` （例如： `opencode/claude-opus-4-6`）。
-- 如果你设置了 `agents.defaults.models`，它将成为允许列表。
-- CLI 辅助命令： `openclaw onboard`， `openclaw models list`， `openclaw models set <provider/model>`。
-- 提供商插件可以通过以下方式注入模型目录 `registerProvider({ catalog })`；
-  OpenClaw 将该输出合并到 `models.providers` 之后再写入
-  `models.json`。
-- 提供商插件还可以通过以下方式控制提供商的运行时行为
-  `resolveDynamicModel`， `prepareDynamicModel`， `normalizeResolvedModel`，
-  `capabilities`， `prepareExtraParams`， `wrapStreamFn`，
-  `isCacheTtlEligible`， `prepareRuntimeAuth`， `resolveUsageAuth`，以及
+- 模型引用使用 `provider/model`（示例：`opencode/claude-opus-4-6`）。
+- 如果你设置了 `agents.defaults.models`，它就会成为 allowlist。
+- CLI 辅助命令：`openclaw onboard`、`openclaw models list`、`openclaw models set <provider/model>`。
+- 提供商插件可以通过 `registerProvider({ catalog })` 注入模型目录；
+  OpenClaw 会在写入
+  `models.json` 之前将该输出合并到 `models.providers` 中。
+- 提供商清单可以声明 `providerAuthEnvVars`，这样基于通用环境变量的
+  身份验证探测就不需要加载插件运行时。其余的核心环境变量映射
+  现在只用于非插件/核心提供商，以及少数通用优先级场景，
+  例如 Anthropic 以 API 密钥优先的新手引导。
+- 提供商插件还可以通过以下机制接管提供商运行时行为：
+  `resolveDynamicModel`、`prepareDynamicModel`、`normalizeResolvedModel`、
+  `capabilities`、`prepareExtraParams`、`wrapStreamFn`、`formatApiKey`、
+  `refreshOAuth`、`buildAuthDoctorHint`、
+  `isCacheTtlEligible`、`buildMissingAuthMessage`、
+  `suppressBuiltInModel`、`augmentModelCatalog`、`isBinaryThinking`、
+  `supportsXHighThinking`、`resolveDefaultThinkingLevel`、
+  `isModernModelRef`、`prepareRuntimeAuth`、`resolveUsageAuth`，以及
   `fetchUsageSnapshot`。
 
-## 插件管理的提供商行为
+## 插件接管的提供商行为
 
-提供商插件现在可以管理大部分提供商特定逻辑，而 OpenClaw 负责维护通用推理循环。
+提供商插件现在可以接管大多数提供商特定逻辑，而 OpenClaw 保留
+通用推理循环。
 
-典型分工：
+典型划分：
 
-- `catalog`：提供商出现在 `models.providers`
-- `resolveDynamicModel`：提供商接受尚未出现在本地静态目录中的模型 ID
-- `prepareDynamicModel`：提供商在重试动态解析之前需要刷新元数据
-- `normalizeResolvedModel`：提供商需要传输层或基础 URL 重写
-- `capabilities`：提供商发布会话记录/工具/提供商系列的特殊行为
-- `prepareExtraParams`：提供商默认或规范化每个模型的请求参数
-- `wrapStreamFn`：提供商应用请求头/请求体/模型兼容性封装
+- `auth[].run` / `auth[].runNonInteractive`：提供商接管 `openclaw onboard`、`openclaw models auth` 和无头设置的
+  新手引导/登录流程
+- `wizard.onboarding` / `wizard.modelPicker`：提供商接管新手引导/模型选择器中的身份验证选项标签、
+  提示和设置条目
+- `catalog`：提供商出现在 `models.providers` 中
+- `resolveDynamicModel`：提供商接受尚未出现在本地静态
+  目录中的模型 ID
+- `prepareDynamicModel`：提供商在重试
+  动态解析之前需要刷新元数据
+- `normalizeResolvedModel`：提供商需要重写传输或基础 URL
+- `capabilities`：提供商发布 transcript/工具/提供商家族的特殊行为
+- `prepareExtraParams`：提供商为每个模型请求参数提供默认值或进行标准化
+- `wrapStreamFn`：提供商应用请求头/请求体/模型兼容包装器
+- `formatApiKey`：提供商将存储的 auth profile 格式化为
+  传输层预期的运行时 `apiKey` 字符串
+- `refreshOAuth`：当共享的 `pi-ai`
+  刷新器不足时，由提供商接管 OAuth 刷新
+- `buildAuthDoctorHint`：当 OAuth 刷新
+  失败时，提供商附加修复指引
 - `isCacheTtlEligible`：提供商决定哪些上游模型 ID 支持 prompt-cache TTL
-- `prepareRuntimeAuth`：提供商将配置的凭证转换为短期运行时令牌
-- `resolveUsageAuth`：提供商为以下用途解析使用量/配额凭证 `/usage`
-  以及相关的状态/报告界面
-- `fetchUsageSnapshot`：提供商负责使用量端点的获取/解析，而核心仍负责摘要外壳和格式化
+- `buildMissingAuthMessage`：提供商用提供商特定的恢复提示
+  替换通用 auth-store 错误
+- `suppressBuiltInModel`：提供商隐藏过时的上游条目，并且可以在直接解析失败时返回
+  供应商自有错误
+- `augmentModelCatalog`：提供商在
+  发现和配置合并后追加合成/最终目录条目
+- `isBinaryThinking`：提供商接管二元开/关 thinking UX
+- `supportsXHighThinking`：提供商让选定模型支持 `xhigh`
+- `resolveDefaultThinkingLevel`：提供商接管某个
+  模型家族默认 `/think` 策略
+- `isModernModelRef`：提供商接管 live/smoke 首选模型匹配
+- `prepareRuntimeAuth`：提供商将已配置凭证转换为短期
+  运行时令牌
+- `resolveUsageAuth`：提供商为 `/usage`
+  以及相关状态/报告界面解析使用量/配额凭证
+- `fetchUsageSnapshot`：提供商接管使用量端点的获取/解析，而核心仍负责摘要外壳和格式化
 
 当前内置示例：
 
-- `anthropic`：Claude 4.6 向前兼容回退、使用量端点获取，以及 cache-TTL/提供商系列元数据
-- `openrouter`：直通模型 ID、请求封装、提供商能力提示，以及 cache-TTL 策略
-- `github-copilot`：向前兼容模型回退、Claude-thinking 会话记录提示、运行时令牌交换，以及使用量端点获取
-- `openai`：GPT-5.4 向前兼容回退、直接 OpenAI 传输规范化，以及提供商系列元数据
-- `openai-codex`：向前兼容模型回退、传输规范化，以及默认传输参数和使用量端点获取
-- `google-gemini-cli`：Gemini 3.1 向前兼容回退，以及使用量界面的 usage-token 解析和配额端点获取
-- `moonshot`：共享传输、插件管理的 thinking 负载规范化
-- `kilocode`：共享传输、插件管理的请求头、推理负载规范化、Gemini 会话记录提示，以及 cache-TTL 策略
-- `zai`：GLM-5 向前兼容回退， `tool_stream` 默认值、cache-TTL 策略，以及使用量认证和配额获取
-- `mistral`， `opencode`，以及`opencode-go`：插件管理的能力元数据
-- `byteplus`， `cloudflare-ai-gateway`， `huggingface`， `kimi-coding`，
-  `minimax-portal`， `modelstudio`， `nvidia`， `qianfan`， `qwen-portal`，
-  `synthetic`， `together`， `venice`， `vercel-ai-gateway`，以及`volcengine`：仅限插件管理的目录
-- `minimax` 和 `xiaomi`：插件管理的目录以及使用量认证/快照逻辑
+- `anthropic`：Claude 4.6 前向兼容回退、身份验证修复提示、使用量
+  端点获取，以及 cache-TTL/提供商家族元数据
+- `openrouter`：直通模型 ID、请求包装器、提供商能力
+  提示，以及 cache-TTL 策略
+- `github-copilot`：新手引导/设备登录、前向兼容模型回退、
+  Claude-thinking transcript 提示、运行时令牌交换，以及使用量端点
+  获取
+- `openai`：GPT-5.4 前向兼容回退、直接 OpenAI 传输
+  标准化、Codex 感知的缺失身份验证提示、Spark 抑制、合成
+  OpenAI/Codex 目录条目、thinking/live-model 策略，以及
+  提供商家族元数据
+- `google` 和 `google-gemini-cli`：Gemini 3.1 前向兼容回退和
+  现代模型匹配；Gemini CLI OAuth 还接管 auth-profile 令牌
+  格式化、usage-token 解析，以及面向使用量界面的配额端点获取
+- `moonshot`：共享传输、插件接管的 thinking 负载标准化
+- `kilocode`：共享传输、插件接管的请求头、reasoning 负载
+  标准化、Gemini transcript 提示，以及 cache-TTL 策略
+- `zai`：GLM-5 前向兼容回退、`tool_stream` 默认值、cache-TTL
+  策略、二元 thinking/live-model 策略，以及使用量身份验证 + 配额获取
+- `mistral`、`opencode` 和 `opencode-go`：插件接管的能力元数据
+- `byteplus`、`cloudflare-ai-gateway`、`huggingface`、`kimi-coding`、
+  `modelstudio`、`nvidia`、`qianfan`、`synthetic`、`together`、`venice`、
+  `vercel-ai-gateway` 和 `volcengine`：仅插件接管的目录
+- `qwen-portal`：插件接管的目录、OAuth 登录和 OAuth 刷新
+- `minimax` 和 `xiaomi`：插件接管的目录，以及使用量身份验证/快照逻辑
 
-以上涵盖了仍然适用于 OpenClaw 常规传输层的提供商。如果某个提供商需要完全自定义的请求执行器，则属于一个独立的、更深层的扩展层面。
+内置的 `openai` 插件现在接管两个提供商 ID：`openai` 和
+`openai-codex`。
+
+以上涵盖了仍适合 OpenClaw 常规传输的提供商。若某个提供商
+需要完全自定义的请求执行器，那就是另一个更深层的扩展接口。
 
 ## API 密钥轮换
 
-- 支持对选定提供商的通用提供商轮换。
+- 支持为选定提供商进行通用提供商轮换。
 - 通过以下方式配置多个密钥：
-  - `OPENCLAW_LIVE_<PROVIDER>_KEY` （单个实时覆盖，最高优先级）
-  - `<PROVIDER>_API_KEYS` （逗号或分号分隔的列表）
-  - `<PROVIDER>_API_KEY` （主密钥）
-  - `<PROVIDER>_API_KEY_*` （编号列表，例如 `<PROVIDER>_API_KEY_1`）
-- 对于 Google 提供商， `GOOGLE_API_KEY` 也作为备选项包含在内。
-- 密钥选择顺序按优先级排列并去除重复值。
-- 仅在速率限制响应时使用下一个密钥重试请求（例如 `429`， `rate_limit`， `quota`， `resource exhausted`）。
-- 非速率限制的失败会立即报错；不会尝试密钥轮换。
-- 当所有候选密钥均失败时，返回最后一次尝试的错误。
+  - `OPENCLAW_LIVE_<PROVIDER>_KEY`（单个 live 覆盖，最高优先级）
+  - `<PROVIDER>_API_KEYS`（逗号或分号分隔列表）
+  - `<PROVIDER>_API_KEY`（主密钥）
+  - `<PROVIDER>_API_KEY_*`（编号列表，例如 `<PROVIDER>_API_KEY_1`）
+- 对于 Google 提供商，还会包含 `GOOGLE_API_KEY` 作为回退。
+- 密钥选择顺序会保留优先级并对值去重。
+- 仅在速率限制响应时才会使用下一个密钥重试请求（例如 `429`、`rate_limit`、`quota`、`resource exhausted`）。
+- 非速率限制失败会立即失败；不会尝试密钥轮换。
+- 当所有候选密钥都失败时，将返回最后一次尝试的最终错误。
 
 ## 内置提供商（pi-ai 目录）
 
-OpenClaw 附带 pi-ai 目录。这些提供商需要 **无需**
-`models.providers` 配置；只需设置认证并选择一个模型。
+OpenClaw 附带 pi‑ai 目录。这些提供商**不需要**
+`models.providers` 配置；只需设置身份验证 + 选择一个模型。
 
 ### OpenAI
 
-- 提供商： `openai`
-- 认证： `OPENAI_API_KEY`
-- 可选轮换： `OPENAI_API_KEYS`， `OPENAI_API_KEY_1`， `OPENAI_API_KEY_2`，加上 `OPENCLAW_LIVE_OPENAI_KEY` （单个覆盖）
-- 示例模型： `openai/gpt-5.4`， `openai/gpt-5.4-pro`
-- CLI： `openclaw onboard --auth-choice openai-api-key`
-- 默认传输为 `auto` （WebSocket 优先，SSE 备选）
-- 通过以下方式覆盖每个模型 `agents.defaults.models["openai/<model>"].params.transport` （`"sse"`， `"websocket"`，或 `"auto"`）
-- OpenAI Responses WebSocket 预热默认通过以下方式启用 `params.openaiWsWarmup` （`true`/`false`）
-- OpenAI 优先处理可以通过以下方式启用 `agents.defaults.models["openai/<model>"].params.serviceTier`
-- OpenAI 快速模式可以通过以下方式为每个模型启用 `agents.defaults.models["<provider>/<model>"].params.fastMode`
-- `openai/gpt-5.3-codex-spark` 在 OpenClaw 中被有意屏蔽，因为 OpenAI 实时 API 会拒绝它；Spark 被视为仅限 Codex 使用
+- 提供商：`openai`
+- 身份验证：`OPENAI_API_KEY`
+- 可选轮换：`OPENAI_API_KEYS`、`OPENAI_API_KEY_1`、`OPENAI_API_KEY_2`，以及 `OPENCLAW_LIVE_OPENAI_KEY`（单个覆盖）
+- 示例模型：`openai/gpt-5.4`、`openai/gpt-5.4-pro`
+- CLI：`openclaw onboard --auth-choice openai-api-key`
+- 默认传输为 `auto`（优先 WebSocket，SSE 回退）
+- 通过 `agents.defaults.models["openai/<model>"].params.transport` 按模型覆盖（`"sse"`、`"websocket"` 或 `"auto"`）
+- OpenAI Responses WebSocket 预热默认通过 `params.openaiWsWarmup` 启用（`true`/`false`）
+- 可通过 `agents.defaults.models["openai/<model>"].params.serviceTier` 启用 OpenAI 优先处理
+- 可通过 `agents.defaults.models["<provider>/<model>"].params.fastMode` 为每个模型启用 OpenAI 快速模式
+- `openai/gpt-5.3-codex-spark` 在 OpenClaw 中被有意抑制，因为 live OpenAI API 会拒绝它；Spark 被视为仅限 Codex
 
 ```json5
 {
@@ -111,14 +159,14 @@ OpenClaw 附带 pi-ai 目录。这些提供商需要 **无需**
 
 ### Anthropic
 
-- 提供商： `anthropic`
-- 认证： `ANTHROPIC_API_KEY` 或 `claude setup-token`
-- 可选轮换： `ANTHROPIC_API_KEYS`， `ANTHROPIC_API_KEY_1`， `ANTHROPIC_API_KEY_2`，加上 `OPENCLAW_LIVE_ANTHROPIC_KEY` （单个覆盖）
-- 示例模型： `anthropic/claude-opus-4-6`
-- CLI： `openclaw onboard --auth-choice token` （粘贴 setup-token）或 `openclaw models auth paste-token --provider anthropic`
-- 直接 API 密钥模型支持共享的 `/fast` 切换和 `params.fastMode`；OpenClaw 将其映射到 Anthropic 的 `service_tier` （`auto` 与 `standard_only`）
-- 策略说明：setup-token 支持属于技术兼容性；Anthropic 过去曾阻止部分订阅在 Claude Code 之外的使用。请核实当前 Anthropic 条款，并根据你的风险承受能力做出决定。
-- 建议：Anthropic API 密钥认证是比订阅 setup-token 认证更安全的推荐方式。
+- 提供商：`anthropic`
+- 身份验证：`ANTHROPIC_API_KEY` 或 `claude setup-token`
+- 可选轮换：`ANTHROPIC_API_KEYS`、`ANTHROPIC_API_KEY_1`、`ANTHROPIC_API_KEY_2`，以及 `OPENCLAW_LIVE_ANTHROPIC_KEY`（单个覆盖）
+- 示例模型：`anthropic/claude-opus-4-6`
+- CLI：`openclaw onboard --auth-choice token`（粘贴 setup-token）或 `openclaw models auth paste-token --provider anthropic`
+- 直接 API 密钥模型支持共享的 `/fast` 开关和 `params.fastMode`；OpenClaw 会将其映射到 Anthropic `service_tier`（`auto` 与 `standard_only`）
+- 策略说明：setup-token 支持属于技术兼容性；Anthropic 过去曾阻止某些在 Claude Code 之外的订阅用法。请核实当前 Anthropic 条款，并根据你的风险承受能力做出决定。
+- 建议：相比订阅 setup-token 身份验证，Anthropic API 密钥身份验证是更安全、也更推荐的路径。
 
 ```json5
 {
@@ -126,17 +174,17 @@ OpenClaw 附带 pi-ai 目录。这些提供商需要 **无需**
 }
 ```
 
-### OpenAI Code (Codex)
+### OpenAI Code（Codex）
 
-- 提供商： `openai-codex`
-- 认证：OAuth (ChatGPT)
-- 示例模型： `openai-codex/gpt-5.4`
-- CLI： `openclaw onboard --auth-choice openai-codex` 或 `openclaw models auth login --provider openai-codex`
-- 默认传输为 `auto` （WebSocket 优先，SSE 备选）
-- 通过以下方式覆盖每个模型 `agents.defaults.models["openai-codex/<model>"].params.transport` （`"sse"`， `"websocket"`，或 `"auto"`）
-- 与相同的 `/fast` 切换和 `params.fastMode` 配置共享，如同直接的 `openai/*`
-- `openai-codex/gpt-5.3-codex-spark` 当 Codex OAuth 目录公开时仍然可用；取决于授权资格
-- 策略说明：OpenAI Codex OAuth 明确支持 OpenClaw 等外部工具/工作流。
+- 提供商：`openai-codex`
+- 身份验证：OAuth（ChatGPT）
+- 示例模型：`openai-codex/gpt-5.4`
+- CLI：`openclaw onboard --auth-choice openai-codex` 或 `openclaw models auth login --provider openai-codex`
+- 默认传输为 `auto`（优先 WebSocket，SSE 回退）
+- 通过 `agents.defaults.models["openai-codex/<model>"].params.transport` 按模型覆盖（`"sse"`、`"websocket"` 或 `"auto"`）
+- 与直接 `openai/*` 共享相同的 `/fast` 开关和 `params.fastMode` 配置
+- 当 Codex OAuth 目录暴露它时，`openai-codex/gpt-5.3-codex-spark` 仍然可用；取决于 entitlement
+- 策略说明：OpenAI Codex OAuth 明确支持 OpenClaw 这样的外部工具/工作流。
 
 ```json5
 {
@@ -146,11 +194,11 @@ OpenClaw 附带 pi-ai 目录。这些提供商需要 **无需**
 
 ### OpenCode
 
-- 认证： `OPENCODE_API_KEY` （或 `OPENCODE_ZEN_API_KEY`）
-- Zen 运行时提供商： `opencode`
-- Go 运行时提供商： `opencode-go`
-- 示例模型： `opencode/claude-opus-4-6`， `opencode-go/kimi-k2.5`
-- CLI： `openclaw onboard --auth-choice opencode-zen` 或 `openclaw onboard --auth-choice opencode-go`
+- 身份验证：`OPENCODE_API_KEY`（或 `OPENCODE_ZEN_API_KEY`）
+- Zen 运行时提供商：`opencode`
+- Go 运行时提供商：`opencode-go`
+- 示例模型：`opencode/claude-opus-4-6`、`opencode-go/kimi-k2.5`
+- CLI：`openclaw onboard --auth-choice opencode-zen` 或 `openclaw onboard --auth-choice opencode-go`
 
 ```json5
 {
@@ -160,94 +208,97 @@ OpenClaw 附带 pi-ai 目录。这些提供商需要 **无需**
 
 ### Google Gemini（API 密钥）
 
-- 提供商： `google`
-- 认证： `GEMINI_API_KEY`
-- 可选轮换： `GEMINI_API_KEYS`， `GEMINI_API_KEY_1`， `GEMINI_API_KEY_2`， `GOOGLE_API_KEY` 备选，以及 `OPENCLAW_LIVE_GEMINI_KEY` （单个覆盖）
-- 示例模型： `google/gemini-3.1-pro-preview`， `google/gemini-3-flash-preview`
-- 兼容性：使用旧版 OpenClaw 配置的 `google/gemini-3.1-flash-preview` 会被规范化为 `google/gemini-3-flash-preview`
-- CLI： `openclaw onboard --auth-choice gemini-api-key`
+- 提供商：`google`
+- 身份验证：`GEMINI_API_KEY`
+- 可选轮换：`GEMINI_API_KEYS`、`GEMINI_API_KEY_1`、`GEMINI_API_KEY_2`、`GOOGLE_API_KEY` 回退，以及 `OPENCLAW_LIVE_GEMINI_KEY`（单个覆盖）
+- 示例模型：`google/gemini-3.1-pro-preview`、`google/gemini-3-flash-preview`
+- 兼容性：使用 `google/gemini-3.1-flash-preview` 的旧版 OpenClaw 配置会被标准化为 `google/gemini-3-flash-preview`
+- CLI：`openclaw onboard --auth-choice gemini-api-key`
 
 ### Google Vertex 和 Gemini CLI
 
-- 提供商： `google-vertex`， `google-gemini-cli`
-- 认证：Vertex 使用 gcloud ADC；Gemini CLI 使用其 OAuth 流程
-- 注意：OpenClaw 中的 Gemini CLI OAuth 是非官方集成。部分用户报告称在使用第三方客户端后 Google 账户受到限制。请查阅 Google 条款，如果你选择继续，建议使用非关键账户。
-- Gemini CLI OAuth 作为内置的 `google` 插件的一部分提供。
-  - 启用： `openclaw plugins enable google`
-  - 登录： `openclaw models auth login --provider google-gemini-cli --set-default`
-  - 注意：你确实 **不** 需要将 client ID 或 secret 粘贴到 `openclaw.json`中。CLI 登录流程将令牌存储在 Gateway 网关主机的认证配置文件中。
+- 提供商：`google-vertex`、`google-gemini-cli`
+- 身份验证：Vertex 使用 gcloud ADC；Gemini CLI 使用其 OAuth 流程
+- 注意：OpenClaw 中的 Gemini CLI OAuth 是非官方集成。一些用户报告在使用第三方客户端后遭遇 Google 账号限制。请查看 Google 条款，如果你决定继续，建议使用非关键账号。
+- Gemini CLI OAuth 作为内置 `google` 插件的一部分提供。
+  - 启用：`openclaw plugins enable google`
+  - 登录：`openclaw models auth login --provider google-gemini-cli --set-default`
+  - 注意：你**不需要**将客户端 ID 或密钥粘贴到 `openclaw.json` 中。CLI 登录流程会将
+    令牌存储在 Gateway 网关主机上的 auth profile 中。
 
-### Z.AI (GLM)
+### Z.AI（GLM）
 
-- 提供商： `zai`
-- 认证： `ZAI_API_KEY`
-- 示例模型： `zai/glm-5`
-- CLI： `openclaw onboard --auth-choice zai-api-key`
-  - 别名： `z.ai/*` 和 `z-ai/*` 规范化为 `zai/*`
+- 提供商：`zai`
+- 身份验证：`ZAI_API_KEY`
+- 示例模型：`zai/glm-5`
+- CLI：`openclaw onboard --auth-choice zai-api-key`
+  - 别名：`z.ai/*` 和 `z-ai/*` 会标准化为 `zai/*`
 
 ### Vercel AI Gateway
 
-- 提供商： `vercel-ai-gateway`
-- 认证： `AI_GATEWAY_API_KEY`
-- 示例模型： `vercel-ai-gateway/anthropic/claude-opus-4.6`
-- CLI： `openclaw onboard --auth-choice ai-gateway-api-key`
+- 提供商：`vercel-ai-gateway`
+- 身份验证：`AI_GATEWAY_API_KEY`
+- 示例模型：`vercel-ai-gateway/anthropic/claude-opus-4.6`
+- CLI：`openclaw onboard --auth-choice ai-gateway-api-key`
 
 ### Kilo Gateway
 
-- 提供商： `kilocode`
-- 认证： `KILOCODE_API_KEY`
-- 示例模型： `kilocode/anthropic/claude-opus-4.6`
-- CLI： `openclaw onboard --kilocode-api-key <key>`
-- 基础 URL： `https://api.kilo.ai/api/gateway/`
-- 扩展的内置目录包括 GLM-5 Free、MiniMax M2.5 Free、GPT-5.2、Gemini 3 Pro Preview、Gemini 3 Flash Preview、Grok Code Fast 1 和 Kimi K2.5。
+- 提供商：`kilocode`
+- 身份验证：`KILOCODE_API_KEY`
+- 示例模型：`kilocode/anthropic/claude-opus-4.6`
+- CLI：`openclaw onboard --kilocode-api-key <key>`
+- 基础 URL：`https://api.kilo.ai/api/gateway/`
+- 扩展后的内置目录包括 GLM-5 Free、MiniMax M2.5 Free、GPT-5.2、Gemini 3 Pro Preview、Gemini 3 Flash Preview、Grok Code Fast 1 和 Kimi K2.5。
 
-参阅 [/providers/kilocode](/providers/kilocode) 了解详情。
+设置详情请参见 [/providers/kilocode](/providers/kilocode)。
 
 ### 其他内置提供商插件
 
-- OpenRouter： `openrouter` （`OPENROUTER_API_KEY`）
-- 示例模型： `openrouter/anthropic/claude-sonnet-4-5`
-- Kilo Gateway： `kilocode` （`KILOCODE_API_KEY`）
-- 示例模型： `kilocode/anthropic/claude-opus-4.6`
-- MiniMax： `minimax` （`MINIMAX_API_KEY`）
-- Moonshot： `moonshot` （`MOONSHOT_API_KEY`）
-- Kimi Coding： `kimi-coding` （`KIMI_API_KEY` 或 `KIMICODE_API_KEY`）
-- Qianfan： `qianfan` （`QIANFAN_API_KEY`）
-- Model Studio： `modelstudio` （`MODELSTUDIO_API_KEY`）
-- NVIDIA： `nvidia` （`NVIDIA_API_KEY`）
-- Together： `together` （`TOGETHER_API_KEY`）
-- Venice： `venice` （`VENICE_API_KEY`）
-- Xiaomi： `xiaomi` （`XIAOMI_API_KEY`）
-- Vercel AI Gateway： `vercel-ai-gateway` （`AI_GATEWAY_API_KEY`）
-- Hugging Face Inference： `huggingface` （`HUGGINGFACE_HUB_TOKEN` 或 `HF_TOKEN`）
-- Cloudflare AI Gateway： `cloudflare-ai-gateway` （`CLOUDFLARE_AI_GATEWAY_API_KEY`）
-- Volcengine： `volcengine` （`VOLCANO_ENGINE_API_KEY`）
-- BytePlus： `byteplus` （`BYTEPLUS_API_KEY`）
-- xAI： `xai` （`XAI_API_KEY`）
-- Mistral： `mistral` （`MISTRAL_API_KEY`）
-- 示例模型： `mistral/mistral-large-latest`
-- CLI： `openclaw onboard --auth-choice mistral-api-key`
-- Groq： `groq` （`GROQ_API_KEY`）
-- Cerebras： `cerebras` （`CEREBRAS_API_KEY`）
+- OpenRouter：`openrouter`（`OPENROUTER_API_KEY`）
+- 示例模型：`openrouter/anthropic/claude-sonnet-4-5`
+- Kilo Gateway：`kilocode`（`KILOCODE_API_KEY`）
+- 示例模型：`kilocode/anthropic/claude-opus-4.6`
+- MiniMax：`minimax`（`MINIMAX_API_KEY`）
+- Moonshot：`moonshot`（`MOONSHOT_API_KEY`）
+- Kimi Coding：`kimi-coding`（`KIMI_API_KEY` 或 `KIMICODE_API_KEY`）
+- Qianfan：`qianfan`（`QIANFAN_API_KEY`）
+- Model Studio：`modelstudio`（`MODELSTUDIO_API_KEY`）
+- NVIDIA：`nvidia`（`NVIDIA_API_KEY`）
+- Together：`together`（`TOGETHER_API_KEY`）
+- Venice：`venice`（`VENICE_API_KEY`）
+- Xiaomi：`xiaomi`（`XIAOMI_API_KEY`）
+- Vercel AI Gateway：`vercel-ai-gateway`（`AI_GATEWAY_API_KEY`）
+- Hugging Face Inference：`huggingface`（`HUGGINGFACE_HUB_TOKEN` 或 `HF_TOKEN`）
+- Cloudflare AI Gateway：`cloudflare-ai-gateway`（`CLOUDFLARE_AI_GATEWAY_API_KEY`）
+- Volcengine：`volcengine`（`VOLCANO_ENGINE_API_KEY`）
+- BytePlus：`byteplus`（`BYTEPLUS_API_KEY`）
+- xAI：`xai`（`XAI_API_KEY`）
+- Mistral：`mistral`（`MISTRAL_API_KEY`）
+- 示例模型：`mistral/mistral-large-latest`
+- CLI：`openclaw onboard --auth-choice mistral-api-key`
+- Groq：`groq`（`GROQ_API_KEY`）
+- Cerebras：`cerebras`（`CEREBRAS_API_KEY`）
   - Cerebras 上的 GLM 模型使用 ID `zai-glm-4.7` 和 `zai-glm-4.6`。
-  - 兼容 OpenAI 的基础 URL： `https://api.cerebras.ai/v1`。
-- GitHub Copilot： `github-copilot` （`COPILOT_GITHUB_TOKEN`/`GH_TOKEN`/`GITHUB_TOKEN`）
-- Hugging Face Inference 示例模型： `huggingface/deepseek-ai/DeepSeek-R1`；CLI： `openclaw onboard --auth-choice huggingface-api-key`。参阅 [Hugging Face (Inference)](/providers/huggingface)。
+  - OpenAI 兼容基础 URL：`https://api.cerebras.ai/v1`。
+- GitHub Copilot：`github-copilot`（`COPILOT_GITHUB_TOKEN` / `GH_TOKEN` / `GITHUB_TOKEN`）
+- Hugging Face Inference 示例模型：`huggingface/deepseek-ai/DeepSeek-R1`；CLI：`openclaw onboard --auth-choice huggingface-api-key`。请参见 [Hugging Face（Inference）](/providers/huggingface)。
 
-## 通过以下方式提供的提供商 `models.providers` （自定义/基础 URL）
+## 通过 `models.providers` 配置的提供商（自定义/基础 URL）
 
-使用 `models.providers` （或 `models.json`）来添加 **自定义** 提供商或 OpenAI/Anthropic 兼容代理。
+使用 `models.providers`（或 `models.json`）来添加**自定义**提供商或
+兼容 OpenAI/Anthropic 的代理。
 
-下方许多内置提供商插件已经发布了默认目录。
-使用显式的 `models.providers.<id>` 条目仅在你需要覆盖默认基础 URL、请求头或模型列表时使用。
+下面许多内置提供商插件已经发布了默认目录。
+只有在你希望覆盖默认
+基础 URL、请求头或模型列表时，才使用显式 `models.providers.<id>` 条目。
 
-### Moonshot AI (Kimi)
+### Moonshot AI（Kimi）
 
 Moonshot 使用兼容 OpenAI 的端点，因此将其配置为自定义提供商：
 
-- 提供商： `moonshot`
-- 认证： `MOONSHOT_API_KEY`
-- 示例模型： `moonshot/kimi-k2.5`
+- 提供商：`moonshot`
+- 身份验证：`MOONSHOT_API_KEY`
+- 示例模型：`moonshot/kimi-k2.5`
 
 Kimi K2 模型 ID：
 
@@ -284,9 +335,9 @@ Kimi K2 模型 ID：
 
 Kimi Coding 使用 Moonshot AI 的 Anthropic 兼容端点：
 
-- 提供商： `kimi-coding`
-- 认证： `KIMI_API_KEY`
-- 示例模型： `kimi-coding/k2p5`
+- 提供商：`kimi-coding`
+- 身份验证：`KIMI_API_KEY`
+- 示例模型：`kimi-coding/k2p5`
 
 ```json5
 {
@@ -297,10 +348,10 @@ Kimi Coding 使用 Moonshot AI 的 Anthropic 兼容端点：
 }
 ```
 
-### Qwen OAuth（免费套餐）
+### Qwen OAuth（免费层）
 
-Qwen 通过设备码流程提供对 Qwen Coder + Vision 的 OAuth 访问。
-内置提供商插件默认启用，只需登录：
+Qwen 通过设备代码流程提供对 Qwen Coder + Vision 的 OAuth 访问。
+内置提供商插件默认启用，因此只需登录：
 
 ```bash
 openclaw models auth login --provider qwen-portal --set-default
@@ -311,16 +362,16 @@ openclaw models auth login --provider qwen-portal --set-default
 - `qwen-portal/coder-model`
 - `qwen-portal/vision-model`
 
-参阅 [/providers/qwen](/providers/qwen) 了解详情和注意事项。
+设置详情和说明请参见 [/providers/qwen](/providers/qwen)。
 
-### 火山引擎（豆包）
+### Volcano Engine（Doubao）
 
-火山引擎提供对豆包及中国其他模型的访问。
+Volcano Engine（火山引擎）为中国用户提供对 Doubao 和其他模型的访问。
 
-- 提供商： `volcengine` （编码： `volcengine-plan`）
-- 认证： `VOLCANO_ENGINE_API_KEY`
-- 示例模型： `volcengine/doubao-seed-1-8-251228`
-- CLI： `openclaw onboard --auth-choice volcengine-api-key`
+- 提供商：`volcengine`（编码：`volcengine-plan`）
+- 身份验证：`VOLCANO_ENGINE_API_KEY`
+- 示例模型：`volcengine/doubao-seed-1-8-251228`
+- CLI：`openclaw onboard --auth-choice volcengine-api-key`
 
 ```json5
 {
@@ -332,11 +383,11 @@ openclaw models auth login --provider qwen-portal --set-default
 
 可用模型：
 
-- `volcengine/doubao-seed-1-8-251228` （豆包 Seed 1.8）
+- `volcengine/doubao-seed-1-8-251228`（Doubao Seed 1.8）
 - `volcengine/doubao-seed-code-preview-251028`
-- `volcengine/kimi-k2-5-260127` （Kimi K2.5）
-- `volcengine/glm-4-7-251222` （GLM 4.7）
-- `volcengine/deepseek-v3-2-251201` （DeepSeek V3.2 128K）
+- `volcengine/kimi-k2-5-260127`（Kimi K2.5）
+- `volcengine/glm-4-7-251222`（GLM 4.7）
+- `volcengine/deepseek-v3-2-251201`（DeepSeek V3.2 128K）
 
 编码模型（`volcengine-plan`）：
 
@@ -348,12 +399,12 @@ openclaw models auth login --provider qwen-portal --set-default
 
 ### BytePlus（国际版）
 
-BytePlus ARK 为国际用户提供与火山引擎相同的模型访问。
+BytePlus ARK 为国际用户提供与 Volcano Engine 相同模型的访问。
 
-- 提供商： `byteplus` （编码： `byteplus-plan`）
-- 认证： `BYTEPLUS_API_KEY`
-- 示例模型： `byteplus/seed-1-8-251228`
-- CLI： `openclaw onboard --auth-choice byteplus-api-key`
+- 提供商：`byteplus`（编码：`byteplus-plan`）
+- 身份验证：`BYTEPLUS_API_KEY`
+- 示例模型：`byteplus/seed-1-8-251228`
+- CLI：`openclaw onboard --auth-choice byteplus-api-key`
 
 ```json5
 {
@@ -365,9 +416,9 @@ BytePlus ARK 为国际用户提供与火山引擎相同的模型访问。
 
 可用模型：
 
-- `byteplus/seed-1-8-251228` （Seed 1.8）
-- `byteplus/kimi-k2-5-260127` （Kimi K2.5）
-- `byteplus/glm-4-7-251222` （GLM 4.7）
+- `byteplus/seed-1-8-251228`（Seed 1.8）
+- `byteplus/kimi-k2-5-260127`（Kimi K2.5）
+- `byteplus/glm-4-7-251222`（GLM 4.7）
 
 编码模型（`byteplus-plan`）：
 
@@ -379,12 +430,12 @@ BytePlus ARK 为国际用户提供与火山引擎相同的模型访问。
 
 ### Synthetic
 
-Synthetic 提供 Anthropic 兼容模型，位于 `synthetic` 提供商背后：
+Synthetic 通过 `synthetic` 提供商提供兼容 Anthropic 的模型：
 
-- 提供商： `synthetic`
-- 认证： `SYNTHETIC_API_KEY`
-- 示例模型： `synthetic/hf:MiniMaxAI/MiniMax-M2.5`
-- CLI： `openclaw onboard --auth-choice synthetic-api-key`
+- 提供商：`synthetic`
+- 身份验证：`SYNTHETIC_API_KEY`
+- 示例模型：`synthetic/hf:MiniMaxAI/MiniMax-M2.5`
+- CLI：`openclaw onboard --auth-choice synthetic-api-key`
 
 ```json5
 {
@@ -407,24 +458,24 @@ Synthetic 提供 Anthropic 兼容模型，位于 `synthetic` 提供商背后：
 
 ### MiniMax
 
-MiniMax 通过以下方式配置 `models.providers` ，因为它使用自定义端点：
+MiniMax 通过 `models.providers` 配置，因为它使用自定义端点：
 
-- MiniMax（Anthropic 兼容）： `--auth-choice minimax-api`
-- 认证： `MINIMAX_API_KEY`
+- MiniMax（兼容 Anthropic）：`--auth-choice minimax-api`
+- 身份验证：`MINIMAX_API_KEY`
 
-参阅 [/providers/minimax](/providers/minimax) 了解详情、模型选项和配置代码片段。
+设置详情、模型选项和配置片段请参见 [/providers/minimax](/providers/minimax)。
 
 ### Ollama
 
 Ollama 作为内置提供商插件提供，并使用 Ollama 的原生 API：
 
-- 提供商： `ollama`
-- 认证：无需（本地服务器）
-- 示例模型： `ollama/llama3.3`
-- 安装： [https://ollama.com/download](https://ollama.com/download)
+- 提供商：`ollama`
+- 身份验证：无需（本地服务器）
+- 示例模型：`ollama/llama3.3`
+- 安装：[https://ollama.com/download](https://ollama.com/download)
 
 ```bash
-# Install Ollama, then pull a model:
+# 安装 Ollama，然后拉取一个模型：
 ollama pull llama3.3
 ```
 
@@ -436,26 +487,26 @@ ollama pull llama3.3
 }
 ```
 
-Ollama 在本地通过以下地址检测 `http://127.0.0.1:11434` 当你通过以下方式选择启用时
-`OLLAMA_API_KEY`，内置提供商插件会将 Ollama 直接添加到
-`openclaw onboard` 和模型选择器中。参阅 [/providers/ollama](/providers/ollama)
-了解新手引导、云端/本地模式和自定义配置。
+当你通过
+`OLLAMA_API_KEY` 选择加入时，Ollama 会在本地 `http://127.0.0.1:11434` 被检测到，内置提供商插件会将 Ollama 直接添加到
+`openclaw onboard` 和模型选择器中。有关新手引导、云端/本地模式和自定义配置，请参见 [/providers/ollama](/providers/ollama)。
 
 ### vLLM
 
-vLLM 作为内置提供商插件提供，用于本地/自托管的兼容 OpenAI 服务器：
+vLLM 作为内置提供商插件提供，用于本地/自托管的 OpenAI 兼容
+服务器：
 
-- 提供商： `vllm`
-- 认证：可选（取决于你的服务器）
-- 默认基础 URL： `http://127.0.0.1:8000/v1`
+- 提供商：`vllm`
+- 身份验证：可选（取决于你的服务器）
+- 默认基础 URL：`http://127.0.0.1:8000/v1`
 
-要在本地选择启用自动发现（如果你的服务器不强制认证，任何值均可）：
+要选择加入本地自动发现（如果你的服务器不强制身份验证，则任意值均可）：
 
 ```bash
 export VLLM_API_KEY="vllm-local"
 ```
 
-然后设置一个模型（替换为由 `/v1/models`）：
+然后设置一个模型（替换为 `/v1/models` 返回的某个 ID）：
 
 ```json5
 {
@@ -465,23 +516,25 @@ export VLLM_API_KEY="vllm-local"
 }
 ```
 
-参阅 [/providers/vllm](/providers/vllm) 了解详情。
+详情请参见 [/providers/vllm](/providers/vllm)。
 
 ### SGLang
 
-SGLang 作为内置提供商插件提供，用于快速自托管的兼容 OpenAI 服务器：
+SGLang 作为内置提供商插件提供，用于高速自托管
+OpenAI 兼容服务器：
 
-- 提供商： `sglang`
-- 认证：可选（取决于你的服务器）
-- 默认基础 URL： `http://127.0.0.1:30000/v1`
+- 提供商：`sglang`
+- 身份验证：可选（取决于你的服务器）
+- 默认基础 URL：`http://127.0.0.1:30000/v1`
 
-要在本地选择启用自动发现（如果你的服务器不强制认证，任何值均可）：
+要选择加入本地自动发现（如果你的服务器不
+强制身份验证，则任意值均可）：
 
 ```bash
 export SGLANG_API_KEY="sglang-local"
 ```
 
-然后设置一个模型（替换为由 `/v1/models`）：
+然后设置一个模型（替换为 `/v1/models` 返回的某个 ID）：
 
 ```json5
 {
@@ -491,7 +544,7 @@ export SGLANG_API_KEY="sglang-local"
 }
 ```
 
-参阅 [/providers/sglang](/providers/sglang) 了解详情。
+详情请参见 [/providers/sglang](/providers/sglang)。
 
 ### 本地代理（LM Studio、vLLM、LiteLLM 等）
 
@@ -528,19 +581,19 @@ export SGLANG_API_KEY="sglang-local"
 }
 ```
 
-注意事项：
+说明：
 
-- 对于自定义提供商， `reasoning`， `input`， `cost`， `contextWindow`，以及`maxTokens` 是可选的。
-  省略时，OpenClaw 默认为：
+- 对于自定义提供商，`reasoning`、`input`、`cost`、`contextWindow` 和 `maxTokens` 是可选的。
+  如果省略，OpenClaw 默认使用：
   - `reasoning: false`
   - `input: ["text"]`
   - `cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 }`
   - `contextWindow: 200000`
   - `maxTokens: 8192`
-- 建议：设置与你的代理/模型限制相匹配的显式值。
-- 对于 `api: "openai-completions"` 在非原生端点上（任何非空的 `baseUrl` 且主机不是 `api.openai.com`），OpenClaw 强制使用 `compat.supportsDeveloperRole: false` 以避免提供商对不支持的 `developer` 角色返回 400 错误。
-- 如果 `baseUrl` 为空/省略，OpenClaw 保持默认的 OpenAI 行为（解析为 `api.openai.com`）。
-- 为安全起见，显式的 `compat.supportsDeveloperRole: true` 在非原生 `openai-completions` 端点上仍会被覆盖。
+- 建议：设置与你的代理/模型限制匹配的显式值。
+- 对于非原生端点上的 `api: "openai-completions"`（任何主机不是 `api.openai.com` 的非空 `baseUrl`），OpenClaw 会强制设置 `compat.supportsDeveloperRole: false`，以避免提供商因不支持 `developer` 角色而返回 400 错误。
+- 如果 `baseUrl` 为空/省略，OpenClaw 会保留默认 OpenAI 行为（即解析为 `api.openai.com`）。
+- 出于安全考虑，在非原生 `openai-completions` 端点上，显式的 `compat.supportsDeveloperRole: true` 仍会被覆盖。
 
 ## CLI 示例
 
@@ -550,4 +603,4 @@ openclaw models set opencode/claude-opus-4-6
 openclaw models list
 ```
 
-另请参阅： [/gateway/configuration](/gateway/configuration) 查看完整配置示例。
+另请参见：[/gateway/configuration](/gateway/configuration) 了解完整配置示例。
diff --git a/docs/zh-CN/concepts/models.md b/docs/zh-CN/concepts/models.md
index 01bb8e14202..f81c68b069b 100644
--- a/docs/zh-CN/concepts/models.md
+++ b/docs/zh-CN/concepts/models.md
@@ -1,79 +1,85 @@
 ---
 read_when:
-  - 添加或修改模型 CLI（models list/set/scan/aliases/fallbacks）
-  - 更改模型回退行为或选择用户体验
-  - 更新模型扫描探测（工具/图像）
-summary: 模型 CLI：列表、设置、别名、回退、扫描、状态
-title: 模型 CLI
+  - 添加或修改 models CLI（models list/set/scan/aliases/fallbacks）
+  - 更改模型回退行为或选择 UX
+  - 更新模型扫描探测（tools/images）
+summary: Models CLI：列出、设置、别名、回退、扫描、状态
+title: Models CLI
 x-i18n:
-  generated_at: "2026-02-03T10:05:42Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: e8b54bb370b4f63a9b917594fb0f6ff48192e168196d30c713b8bbe72b78fef6
+  generated_at: "2026-03-16T06:22:01Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 26150aef638bc3375866dec736b98eac32384466a8ef2b0a471fb7ff7729b13c
   source_path: concepts/models.md
   workflow: 15
 ---
 
-# 模型 CLI
+# Models CLI
 
-参见 [/concepts/model-failover](/concepts/model-failover) 了解认证配置文件轮换、冷却时间及其与回退的交互。
-快速提供商概述 + 示例：[/concepts/model-providers](/concepts/model-providers)。
+关于凭证配置轮换、冷却时间以及它们如何与回退交互，请参阅 [/concepts/model-failover](/concepts/model-failover)。
+快速提供商概览 + 示例：[/concepts/model-providers](/concepts/model-providers)。
 
-## 模型选择工作原理
+## 模型选择的工作方式
 
 OpenClaw 按以下顺序选择模型：
 
-1. **主要**模型（`agents.defaults.model.primary` 或 `agents.defaults.model`）。
-2. `agents.defaults.model.fallbacks` 中的**回退**（按顺序）。
-3. **提供商认证故障转移**在移动到下一个模型之前在提供商内部发生。
+1. **主模型**（`agents.defaults.model.primary` 或 `agents.defaults.model`）。
+2. `agents.defaults.model.fallbacks` 中的 **回退模型**（按顺序）。
+3. **提供商凭证故障切换** 会在单个提供商内部发生，然后才会移动到下一个模型。
 
-相关：
+相关内容：
 
-- `agents.defaults.models` 是 OpenClaw 可使用的模型白名单/目录（加上别名）。
-- `agents.defaults.imageModel` **仅在**主要模型无法接受图像时使用。
-- 每个智能体的默认值可以通过 `agents.list[].model` 加绑定覆盖 `agents.defaults.model`（参见 [/concepts/multi-agent](/concepts/multi-agent)）。
+- `agents.defaults.models` 是 OpenClaw 可使用的模型允许列表/目录（以及别名）。
+- `agents.defaults.imageModel` **仅在** 主模型无法接受图像时使用。
+- 每个智能体的默认值可以通过 `agents.list[].model` 加上绑定来覆盖 `agents.defaults.model`（见 [/concepts/multi-agent](/concepts/multi-agent)）。
 
-## 快速模型推荐（经验之谈）
+## 快速模型策略
 
-- **GLM**：在编程/工具调用方面稍好。
-- **MiniMax**：在写作和氛围方面更好。
+- 将你的主模型设置为你可用的、最新一代中最强的模型。
+- 对于对成本/延迟敏感的任务和风险较低的聊天，使用回退模型。
+- 对于启用了工具的智能体或不受信任的输入，避免使用较旧/较弱的模型层级。
 
 ## 设置向导（推荐）
 
-如果你不想手动编辑配置，请运行新手引导向导：
+如果你不想手动编辑配置，请运行设置向导：
 
 ```bash
 openclaw onboard
 ```
 
-它可以为常见提供商设置模型 + 认证，包括 **OpenAI Code（Codex）订阅**（OAuth）和 **Anthropic**（推荐使用 API 密钥；也支持 `claude setup-token`）。
+它可以为常见提供商设置模型 + 凭证，包括 **OpenAI Code (Codex)**
+订阅（OAuth）和 **Anthropic**（API key 或 `claude setup-token`）。
 
-## 配置键（概述）
+## 配置键（概览）
 
 - `agents.defaults.model.primary` 和 `agents.defaults.model.fallbacks`
 - `agents.defaults.imageModel.primary` 和 `agents.defaults.imageModel.fallbacks`
-- `agents.defaults.models`（白名单 + 别名 + 提供商参数）
+- `agents.defaults.models`（允许列表 + 别名 + 提供商参数）
 - `models.providers`（写入 `models.json` 的自定义提供商）
 
-模型引用会规范化为小写。提供商别名如 `z.ai/*` 会规范化为 `zai/*`。
+模型引用会被规范化为小写。像 `z.ai/*` 这样的提供商别名会被规范化
+为 `zai/*`。
 
-提供商配置示例（包括 OpenCode Zen）在 [/gateway/configuration](/gateway/configuration#opencode-zen-multi-model-proxy)。
+提供商配置示例（包括 OpenCode）位于
+[/gateway/configuration](/gateway/configuration#opencode)。
 
-## "Model is not allowed"（以及为什么回复停止）
+## “Model is not allowed”（以及为什么回复会停止）
 
-如果设置了 `agents.defaults.models`，它将成为 `/model` 和会话覆盖的**白名单**。当用户选择不在该白名单中的模型时，OpenClaw 返回：
+如果设置了 `agents.defaults.models`，它就会成为 `/model` 和会话覆盖的 **允许列表**。当用户选择了不在该允许列表中的模型时，
+OpenClaw 会返回：
 
 ```
 Model "provider/model" is not allowed. Use /model to list available models.
 ```
 
-这发生在正常回复生成**之前**，所以消息可能感觉像"没有响应"。修复方法是：
+这会在生成正常回复 **之前** 发生，因此消息可能会让人觉得
+它“没有响应”。修复方法是：
 
-- 将模型添加到 `agents.defaults.models`，或
-- 清除白名单（删除 `agents.defaults.models`），或
+- 将该模型添加到 `agents.defaults.models`，或者
+- 清除允许列表（移除 `agents.defaults.models`），或者
 - 从 `/model list` 中选择一个模型。
 
-白名单配置示例：
+允许列表示例配置：
 
 ```json5
 {
@@ -81,7 +87,7 @@ Model "provider/model" is not allowed. Use /model to list available models.
     model: { primary: "anthropic/claude-sonnet-4-5" },
     models: {
       "anthropic/claude-sonnet-4-5": { alias: "Sonnet" },
-      "anthropic/claude-opus-4-5": { alias: "Opus" },
+      "anthropic/claude-opus-4-6": { alias: "Opus" },
     },
   },
 }
@@ -89,7 +95,7 @@ Model "provider/model" is not allowed. Use /model to list available models.
 
 ## 在聊天中切换模型（`/model`）
 
-你可以在不重启的情况下切换当前会话的模型：
+你可以在不重启的情况下为当前会话切换模型：
 
 ```
 /model
@@ -99,16 +105,17 @@ Model "provider/model" is not allowed. Use /model to list available models.
 /model status
 ```
 
-注意事项：
+说明：
 
-- `/model`（和 `/model list`）是紧凑的编号选择器（模型系列 + 可用提供商）。
-- `/model <#>` 从该选择器中选择。
-- `/model status` 是详细视图（认证候选项，以及配置时的提供商端点 `baseUrl` + `api` 模式）。
-- 模型引用通过在**第一个** `/` 处分割来解析。输入 `/model <ref>` 时使用 `provider/model`。
-- 如果模型 ID 本身包含 `/`（OpenRouter 风格），你必须包含提供商前缀（例如：`/model openrouter/moonshotai/kimi-k2`）。
-- 如果省略提供商，OpenClaw 将输入视为别名或**默认提供商**的模型（仅在模型 ID 中没有 `/` 时有效）。
+- `/model`（以及 `/model list`）是一个紧凑的编号选择器（模型家族 + 可用提供商）。
+- 在 Discord 上，`/model` 和 `/models` 会打开一个交互式选择器，其中包含提供商和模型下拉菜单，以及一个 Submit 步骤。
+- `/model <#>` 会从该选择器中进行选择。
+- `/model status` 是详细视图（凭证候选项，以及在已配置时显示提供商端点 `baseUrl` + `api` 模式）。
+- 模型引用是通过按 **第一个** `/` 进行分割来解析的。输入 `/model <ref>` 时请使用 `provider/model`。
+- 如果模型 ID 本身包含 `/`（OpenRouter 风格），你必须包含提供商前缀（示例：`/model openrouter/moonshotai/kimi-k2`）。
+- 如果你省略提供商，OpenClaw 会将输入视为别名或 **默认提供商** 的模型（仅在模型 ID 中没有 `/` 时有效）。
 
-完整命令行为/配置：[斜杠命令](/tools/slash-commands)。
+完整命令行为/配置： [Slash commands](/tools/slash-commands)。
 
 ## CLI 命令
 
@@ -137,7 +144,7 @@ openclaw models image-fallbacks clear
 
 ### `models list`
 
-默认显示已配置的模型。有用的标志：
+默认显示已配置的模型。常用标志：
 
 - `--all`：完整目录
 - `--local`：仅本地提供商
@@ -147,12 +154,18 @@ openclaw models image-fallbacks clear
 
 ### `models status`
 
-显示已解析的主要模型、回退、图像模型，以及已配置提供商的认证概述。它还显示认证存储中找到的配置文件的 OAuth 过期状态（默认在 24 小时内警告）。`--plain` 仅打印已解析的主要模型。
-OAuth 状态始终显示（并包含在 `--json` 输出中）。如果已配置的提供商没有凭证，`models status` 会打印 **Missing auth** 部分。
-JSON 包括 `auth.oauth`（警告窗口 + 配置文件）和 `auth.providers`（每个提供商的有效认证）。
-使用 `--check` 进行自动化（缺失/过期时退出 `1`，即将过期时退出 `2`）。
+显示已解析的主模型、回退模型、图像模型，以及已配置提供商的凭证概览。它还会显示凭证存储中找到的配置文件的 OAuth 过期状态
+（默认会在 24 小时内到期时警告）。`--plain` 仅打印已解析的
+主模型。
+OAuth 状态始终会显示（并包含在 `--json` 输出中）。如果某个已配置的
+提供商没有凭证，`models status` 会打印一个 **Missing auth** 部分。
+JSON 包含 `auth.oauth`（警告窗口 + 配置文件）和 `auth.providers`
+（每个提供商的有效凭证）。
+自动化场景请使用 `--check`（缺失/已过期时退出码为 `1`，即将过期时为 `2`）。
 
-首选的 Anthropic 认证是 Claude Code CLI setup-token（在任何地方运行；如需要在 Gateway 网关主机上粘贴）：
+凭证选择取决于提供商/账号。对于始终在线的 Gateway 网关主机，API key 通常最可预测；也支持订阅 token 流程。
+
+示例（Anthropic setup-token）：
 
 ```bash
 claude setup-token
@@ -161,21 +174,23 @@ openclaw models status
 
 ## 扫描（OpenRouter 免费模型）
 
-`openclaw models scan` 检查 OpenRouter 的**免费模型目录**，并可选择性地探测模型的工具和图像支持。
+`openclaw models scan` 会检查 OpenRouter 的 **免费模型目录**，并且可以
+选择性地探测模型对工具和图像的支持。
 
 关键标志：
 
 - `--no-probe`：跳过实时探测（仅元数据）
-- `--min-params <b>`：最小参数量（十亿）
-- `--max-age-days <days>`：跳过较旧的模型
+- `--min-params <b>`：最小参数规模（十亿）
+- `--max-age-days <days>`：跳过较旧模型
 - `--provider <name>`：提供商前缀筛选
 - `--max-candidates <n>`：回退列表大小
-- `--set-default`：将 `agents.defaults.model.primary` 设置为第一个选择
-- `--set-image`：将 `agents.defaults.imageModel.primary` 设置为第一个图像选择
+- `--set-default`：将 `agents.defaults.model.primary` 设置为第一个选择项
+- `--set-image`：将 `agents.defaults.imageModel.primary` 设置为第一个图像选择项
 
-探测需要 OpenRouter API 密钥（来自认证配置文件或 `OPENROUTER_API_KEY`）。没有密钥时，使用 `--no-probe` 仅列出候选项。
+探测需要 OpenRouter API key（来自凭证配置文件或
+`OPENROUTER_API_KEY`）。如果没有 key，请使用 `--no-probe` 仅列出候选项。
 
-扫描结果按以下顺序排名：
+扫描结果按以下顺序排序：
 
 1. 图像支持
 2. 工具延迟
@@ -185,12 +200,26 @@ openclaw models status
 输入
 
 - OpenRouter `/models` 列表（筛选 `:free`）
-- 需要来自认证配置文件或 `OPENROUTER_API_KEY` 的 OpenRouter API 密钥（参见 [/environment](/help/environment)）
+- 需要来自凭证配置文件或 `OPENROUTER_API_KEY` 的 OpenRouter API key（见 [/environment](/help/environment)）
 - 可选筛选器：`--max-age-days`、`--min-params`、`--provider`、`--max-candidates`
 - 探测控制：`--timeout`、`--concurrency`
 
-在 TTY 中运行时，你可以交互式选择回退。在非交互模式下，传递 `--yes` 接受默认值。
+在 TTY 中运行时，你可以交互式选择回退模型。在非交互
+模式下，传入 `--yes` 以接受默认值。
 
 ## 模型注册表（`models.json`）
 
-`models.providers` 中的自定义提供商会写入智能体目录下的 `models.json`（默认 `~/.openclaw/agents/<agentId>/models.json`）。除非 `models.mode` 设置为 `replace`，否则此文件默认会被合并。
+`models.providers` 中的自定义提供商会写入
+智能体目录下的 `models.json`（默认是 `~/.openclaw/agents/<agentId>/agent/models.json`）。默认会合并此文件，除非将 `models.mode` 设置为 `replace`。
+
+匹配提供商 ID 时的合并模式优先级：
+
+- 智能体 `models.json` 中已存在的非空 `baseUrl` 优先。
+- 智能体 `models.json` 中的非空 `apiKey` 仅在该提供商在当前配置/凭证配置文件上下文中不是 SecretRef 管理时才优先。
+- 由 SecretRef 管理的提供商 `apiKey` 值会从源标记（环境变量引用使用 `ENV_VAR_NAME`，文件/exec 引用使用 `secretref-managed`）刷新，而不是持久化已解析的 secret。
+- 由 SecretRef 管理的提供商 header 值会从源标记（环境变量引用使用 `secretref-env:ENV_VAR_NAME`，文件/exec 引用使用 `secretref-managed`）刷新。
+- 智能体中为空或缺失的 `apiKey`/`baseUrl` 会回退到配置中的 `models.providers`。
+- 其他提供商字段会从配置和规范化后的目录数据中刷新。
+
+标记持久化以源为准：OpenClaw 会根据活动源配置快照（预解析）写入标记，而不是根据运行时已解析的 secret 值写入。
+这适用于 OpenClaw 重新生成 `models.json` 的所有情况，包括像 `openclaw agent` 这样的命令驱动路径。
diff --git a/docs/zh-CN/concepts/oauth.md b/docs/zh-CN/concepts/oauth.md
index 74cf7b8f3c0..b7f37164b97 100644
--- a/docs/zh-CN/concepts/oauth.md
+++ b/docs/zh-CN/concepts/oauth.md
@@ -1,69 +1,80 @@
 ---
 read_when:
-  - 你想全面了解 OpenClaw 的 OAuth 流程
+  - 你想端到端了解 OpenClaw OAuth
   - 你遇到了令牌失效/登出问题
-  - 你想了解 setup-token 或 OAuth 认证流程
-  - 你想使用多账户或配置文件路由
+  - 你想使用 setup-token 或 OAuth 认证流程
+  - 你想使用多个账户或配置文件路由
 summary: OpenClaw 中的 OAuth：令牌交换、存储和多账户模式
 title: OAuth
 x-i18n:
-  generated_at: "2026-02-01T20:23:29Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: af714bdadc4a89295a18da1eba5f5b857c8d533ebabe9b0758b722fe60c36124
+  generated_at: "2026-03-16T06:22:05Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 976668c3e02ee50500fcaaa585a89af718398dc41988318ec3a583c2d5449df3
   source_path: concepts/oauth.md
-  workflow: 14
+  workflow: 15
 ---
 
 # OAuth
 
-OpenClaw 支持通过 OAuth 进行"订阅认证"，适用于提供此功能的提供商（特别是 **OpenAI Codex（ChatGPT OAuth）**）。对于 Anthropic 订阅，请使用 **setup-token** 流程。本页说明：
+OpenClaw 通过 OAuth 支持提供商提供的“订阅认证”，适用于支持此方式的提供商（尤其是 **OpenAI Codex（ChatGPT OAuth）**）。对于 Anthropic 订阅，请使用 **setup-token** 流程。过去有些用户在 Claude Code 之外使用 Anthropic 订阅时曾受限，因此这应视为用户自行选择承担的风险，你应自行核实 Anthropic 当前的政策。OpenAI Codex OAuth 明确支持在 OpenClaw 这样的外部工具中使用。本页说明：
 
-- OAuth **令牌交换**的工作原理（PKCE）
-- 令牌**存储**在哪里（以及原因）
-- 如何处理**多账户**（配置文件 + 按会话覆盖）
+对于生产环境中的 Anthropic，相比订阅 setup-token 认证，API 密钥认证是更安全、也更推荐的路径。
 
-OpenClaw 还支持**提供商插件**，它们自带 OAuth 或 API 密钥流程。通过以下命令运行：
+- OAuth **令牌交换** 如何工作（PKCE）
+- 令牌**存储**在哪里（以及为什么）
+- 如何处理**多个账户**（配置文件 + 按会话覆盖）
+
+OpenClaw 也支持自带 OAuth 或 API 密钥流程的**提供商插件**。运行方式如下：
 
 ```bash
 openclaw models auth login --provider <id>
 ```
 
-## 令牌汇聚点（为什么需要它）
+## 令牌汇点（为什么需要它）
 
-OAuth 提供商通常在登录/刷新流程中发放**新的刷新令牌**。某些提供商（或 OAuth 客户端）在为同一用户/应用发放新令牌时，可能会使旧的刷新令牌失效。
+OAuth 提供商通常会在登录/刷新流程中签发一个**新的刷新令牌**。某些提供商（或 OAuth 客户端）会在为同一用户/应用签发新令牌时使旧的刷新令牌失效。
 
 实际症状：
 
-- 你通过 OpenClaw _和_ Claude Code / Codex CLI 登录 → 其中一个稍后会随机"登出"
+- 你同时通过 OpenClaw _和_ Claude Code / Codex CLI 登录 → 之后其中一个会随机“被登出”
 
-为减少这种情况，OpenClaw 将 `auth-profiles.json` 视为**令牌汇聚点**：
+为减少这种情况，OpenClaw 将 `auth-profiles.json` 视为一个**令牌汇点**：
 
-- 运行时从**同一个位置**读取凭据
-- 我们可以保留多个配置文件并确定性地路由它们
+- 运行时从**同一个地方**读取凭证
+- 我们可以保留多个配置文件，并进行确定性路由
 
 ## 存储（令牌存放位置）
 
-密钥按**智能体**存储：
+密钥按**每个智能体**存储：
 
-- 认证配置文件（OAuth + API 密钥）：`~/.openclaw/agents/<agentId>/agent/auth-profiles.json`
-- 运行时缓存（自动管理；请勿编辑）：`~/.openclaw/agents/<agentId>/agent/auth.json`
+- 认证配置文件（OAuth + API 密钥 + 可选的值级引用）：`~/.openclaw/agents/<agentId>/agent/auth-profiles.json`
+- 旧版兼容文件：`~/.openclaw/agents/<agentId>/agent/auth.json`
+  （发现静态 `api_key` 条目时会进行清理）
 
-仅用于导入的旧版文件（仍然支持，但不是主存储）：
+仅用于旧版导入的文件（仍受支持，但不是主存储）：
 
-- `~/.openclaw/credentials/oauth.json`（首次使用时导入到 `auth-profiles.json`）
+- `~/.openclaw/credentials/oauth.json`（首次使用时会导入到 `auth-profiles.json`）
 
-以上所有路径也遵循 `$OPENCLAW_STATE_DIR`（状态目录覆盖）。完整参考：[/gateway/configuration](/gateway/configuration#auth-storage-oauth--api-keys)
+以上所有位置也都遵循 `$OPENCLAW_STATE_DIR`（状态目录覆盖）。完整参考：[/gateway/configuration](/gateway/configuration#auth-storage-oauth--api-keys)
+
+有关静态密钥引用和运行时快照激活行为，请参见 [Secrets Management](/gateway/secrets)。
 
 ## Anthropic setup-token（订阅认证）
 
+<Warning>
+Anthropic setup-token 支持是技术兼容性，并非策略保证。
+Anthropic 过去曾阻止过某些在 Claude Code 之外的订阅使用。
+是否使用订阅认证由你自行决定，并请核实 Anthropic 当前的条款。
+</Warning>
+
 在任意机器上运行 `claude setup-token`，然后将其粘贴到 OpenClaw 中：
 
 ```bash
 openclaw models auth setup-token --provider anthropic
 ```
 
-如果你在其他地方生成了令牌，可以手动粘贴：
+如果你是在其他地方生成的令牌，可手动粘贴：
 
 ```bash
 openclaw models auth paste-token --provider anthropic
@@ -75,77 +86,79 @@ openclaw models auth paste-token --provider anthropic
 openclaw models status
 ```
 
-## OAuth 交换（登录工作原理）
+## OAuth 交换（登录如何工作）
 
-OpenClaw 的交互式登录流程在 `@mariozechner/pi-ai` 中实现，并集成到向导/命令中。
+OpenClaw 的交互式登录流程在 `@mariozechner/pi-ai` 中实现，并接入到各类向导/命令中。
 
-### Anthropic（Claude Pro/Max）setup-token
+### Anthropic setup-token
 
-流程概要：
+流程形态：
 
 1. 运行 `claude setup-token`
 2. 将令牌粘贴到 OpenClaw
-3. 作为令牌认证配置文件存储（无刷新）
+3. 存储为令牌认证配置文件（不刷新）
 
 向导路径为 `openclaw onboard` → 认证选择 `setup-token`（Anthropic）。
 
 ### OpenAI Codex（ChatGPT OAuth）
 
-流程概要（PKCE）：
+OpenAI Codex OAuth 明确支持在 Codex CLI 之外使用，包括 OpenClaw 工作流。
 
-1. 生成 PKCE 验证器/质询 + 随机 `state`
+流程形态（PKCE）：
+
+1. 生成 PKCE verifier/challenge 和随机 `state`
 2. 打开 `https://auth.openai.com/oauth/authorize?...`
 3. 尝试在 `http://127.0.0.1:1455/auth/callback` 捕获回调
-4. 如果回调无法绑定（或你在远程/无头环境中），手动粘贴重定向 URL/代码
-5. 在 `https://auth.openai.com/oauth/token` 进行交换
+4. 如果回调无法绑定（或你是在远程/无头环境中），则粘贴重定向 URL/code
+5. 在 `https://auth.openai.com/oauth/token` 交换令牌
 6. 从访问令牌中提取 `accountId` 并存储 `{ access, refresh, expires, accountId }`
 
 向导路径为 `openclaw onboard` → 认证选择 `openai-codex`。
 
-## 刷新 + 过期
+## 刷新和过期
 
-配置文件存储 `expires` 时间戳。
+配置文件会存储一个 `expires` 时间戳。
 
-运行时：
+在运行时：
 
-- 如果 `expires` 在未来 → 使用已存储的访问令牌
-- 如果已过期 → 刷新（在文件锁下）并覆盖已存储的凭据
+- 如果 `expires` 尚未到期 → 使用已存储的访问令牌
+- 如果已过期 → 在文件锁下刷新，并覆盖已存储的凭证
 
-刷新流程是自动的；你通常不需要手动管理令牌。
+刷新流程是自动的；通常你不需要手动管理令牌。
 
-## 多账户（配置文件）+ 路由
+## 多个账户（配置文件）+ 路由
 
-两种模式：
+有两种模式：
 
-### 1）推荐：独立智能体
+### 1）推荐：分离的智能体
 
-如果你希望"个人"和"工作"永远不交叉，请使用隔离的智能体（独立的会话 + 凭据 + 工作区）：
+如果你希望“个人”和“工作”永不交叉，请使用隔离的智能体（独立的会话 + 凭证 + 工作区）：
 
 ```bash
 openclaw agents add work
 openclaw agents add personal
 ```
 
-然后按智能体配置认证（向导），并将聊天路由到正确的智能体。
+然后按智能体配置认证（使用向导），并将聊天路由到正确的智能体。
 
 ### 2）高级：单个智能体中的多个配置文件
 
-`auth-profiles.json` 支持同一提供商的多个配置文件 ID。
+`auth-profiles.json` 支持同一提供商下的多个配置文件 ID。
 
 选择使用哪个配置文件：
 
-- 通过配置顺序全局设置（`auth.order`）
-- 通过 `/model ...@<profileId>` 按会话设置
+- 通过配置排序全局选择（`auth.order`）
+- 通过 `/model ...@<profileId>` 按会话选择
 
 示例（会话覆盖）：
 
 - `/model Opus@anthropic:work`
 
-如何查看存在哪些配置文件 ID：
+查看现有配置文件 ID 的方法：
 
 - `openclaw channels list --json`（显示 `auth[]`）
 
 相关文档：
 
 - [/concepts/model-failover](/concepts/model-failover)（轮换 + 冷却规则）
-- [/tools/slash-commands](/tools/slash-commands)（命令界面）
+- [/tools/slash-commands](/tools/slash-commands)（命令入口）
diff --git a/docs/zh-CN/gateway/authentication.md b/docs/zh-CN/gateway/authentication.md
index 6d3ce45f20a..a1a5a06ffec 100644
--- a/docs/zh-CN/gateway/authentication.md
+++ b/docs/zh-CN/gateway/authentication.md
@@ -1,41 +1,50 @@
 ---
 read_when:
   - 调试模型认证或 OAuth 过期
-  - 记录认证或凭证存储
-summary: 模型认证：OAuth、API 密钥和 setup-token
+  - 编写有关认证或凭证存储的文档
+summary: 模型认证：OAuth、API key 和 setup-token
 title: 认证
 x-i18n:
-  generated_at: "2026-02-03T07:47:32Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: 66fa2c64ff374c9cfcdb4e7a951b0d164d512295e65513eb682f12191b75e557
+  generated_at: "2026-03-16T06:22:17Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 219ac1acd7d192a5a12779e204cca65dae77a852fdc668271c45c01e0c69b7c9
   source_path: gateway/authentication.md
   workflow: 15
 ---
 
 # 认证
 
-OpenClaw 支持模型提供商的 OAuth 和 API 密钥。对于 Anthropic 账户，我们推荐使用 **API 密钥**。对于 Claude 订阅访问，使用 `claude setup-token` 创建的长期令牌。
+OpenClaw 支持模型提供商使用 OAuth 和 API key。对于始终在线的 Gateway 网关
+主机，API key 通常是最可预测的选项。当它们与你的提供商账号模型匹配时，
+也支持订阅/OAuth 流程。
 
-参阅 [/concepts/oauth](/concepts/oauth) 了解完整的 OAuth 流程和存储布局。
+完整的 OAuth 流程和存储布局，请参阅 [/concepts/oauth](/concepts/oauth)。
+关于基于 SecretRef 的认证（`env`/`file`/`exec` 提供商），请参阅 [Secrets Management](/gateway/secrets)。
+关于 `models status --probe` 使用的凭证资格/原因码规则，请参阅
+[Auth Credential Semantics](/auth-credential-semantics)。
 
-## 推荐的 Anthropic 设置（API 密钥）
+## 推荐设置（API key，任意提供商）
 
-如果你直接使用 Anthropic，请使用 API 密钥。
+如果你正在运行长期存活的 Gateway 网关，请先为你选择的
+提供商配置一个 API key。
+对于 Anthropic，API key 认证是更稳妥的方式，推荐优先于
+订阅 setup-token 认证。
 
-1. 在 Anthropic 控制台创建 API 密钥。
-2. 将其放在 **Gateway 网关主机**（运行 `openclaw gateway` 的机器）上。
+1. 在你的提供商控制台中创建一个 API key。
+2. 将它放在 **Gateway 网关主机** 上（运行 `openclaw gateway` 的机器）。
 
 ```bash
-export ANTHROPIC_API_KEY="..."
+export <PROVIDER>_API_KEY="..."
 openclaw models status
 ```
 
-3. 如果 Gateway 网关在 systemd/launchd 下运行，最好将密钥放在 `~/.openclaw/.env` 中以便守护进程可以读取：
+3. 如果 Gateway 通过 systemd/launchd 运行，建议将 key 放入
+   `~/.openclaw/.env`，这样守护进程就可以读取它：
 
 ```bash
 cat >> ~/.openclaw/.env <<'EOF'
-ANTHROPIC_API_KEY=...
+<PROVIDER>_API_KEY=...
 EOF
 ```
 
@@ -46,25 +55,28 @@ openclaw models status
 openclaw doctor
 ```
 
-如果你不想自己管理环境变量，新手引导向导可以为守护进程使用存储 API 密钥：`openclaw onboard`。
+如果你不想自己管理环境变量，设置向导可以为守护进程使用场景存储
+API key：`openclaw onboard`。
 
-参阅[帮助](/help)了解环境变量继承的详情（`env.shellEnv`、`~/.openclaw/.env`、systemd/launchd）。
+有关环境继承（`env.shellEnv`、
+`~/.openclaw/.env`、systemd/launchd）的详细信息，请参阅 [Help](/help)。
 
 ## Anthropic：setup-token（订阅认证）
 
-对于 Anthropic，推荐的路径是 **API 密钥**。如果你使用 Claude 订阅，也支持 setup-token 流程。在 **Gateway 网关主机**上运行：
+如果你使用的是 Claude 订阅，则支持 setup-token 流程。请在
+**Gateway 网关主机** 上运行：
 
 ```bash
 claude setup-token
 ```
 
-然后将其粘贴到 OpenClaw：
+然后将它粘贴到 OpenClaw 中：
 
 ```bash
 openclaw models auth setup-token --provider anthropic
 ```
 
-如果令牌是在另一台机器上创建的，手动粘贴：
+如果 token 是在另一台机器上创建的，请手动粘贴：
 
 ```bash
 openclaw models auth paste-token --provider anthropic
@@ -76,22 +88,34 @@ openclaw models auth paste-token --provider anthropic
 This credential is only authorized for use with Claude Code and cannot be used for other API requests.
 ```
 
-…请改用 Anthropic API 密钥。
+……请改用 Anthropic API key。
 
-手动令牌输入（任何提供商；写入 `auth-profiles.json` + 更新配置）：
+<Warning>
+Anthropic setup-token 支持仅是技术兼容性。Anthropic 过去曾阻止
+Claude Code 之外的某些订阅用法。只有在你认为相关策略风险可接受时才使用它，
+并请你自行核实 Anthropic 当前的条款。
+</Warning>
+
+手动输入 token（任意提供商；会写入 `auth-profiles.json` + 更新配置）：
 
 ```bash
 openclaw models auth paste-token --provider anthropic
 openclaw models auth paste-token --provider openrouter
 ```
 
-自动化友好检查（过期/缺失时退出 `1`，即将过期时退出 `2`）：
+静态凭证也支持凭证配置文件引用：
+
+- `api_key` 凭证可以使用 `keyRef: { source, provider, id }`
+- `token` 凭证可以使用 `tokenRef: { source, provider, id }`
+
+适合自动化的检查（已过期/缺失时退出码为 `1`，即将过期时为 `2`）：
 
 ```bash
 openclaw models status --check
 ```
 
-可选的运维脚本（systemd/Termux）在此处记录：[/automation/auth-monitoring](/automation/auth-monitoring)
+可选的运维脚本（systemd/Termux）记录在这里：
+[/automation/auth-monitoring](/automation/auth-monitoring)
 
 > `claude setup-token` 需要交互式 TTY。
 
@@ -102,17 +126,33 @@ openclaw models status
 openclaw doctor
 ```
 
+## API key 轮换行为（Gateway 网关）
+
+某些提供商支持在 API 调用触发提供商限流时，使用替代 key 重试请求。
+
+- 优先级顺序：
+  - `OPENCLAW_LIVE_<PROVIDER>_KEY`（单个覆盖值）
+  - `<PROVIDER>_API_KEYS`
+  - `<PROVIDER>_API_KEY`
+  - `<PROVIDER>_API_KEY_*`
+- Google 提供商还将 `GOOGLE_API_KEY` 作为额外回退项。
+- 使用前会对同一组 key 列表去重。
+- 仅当出现限流错误时，OpenClaw 才会使用下一个 key 重试（例如
+  `429`、`rate_limit`、`quota`、`resource exhausted`）。
+- 非限流错误不会使用替代 key 重试。
+- 如果所有 key 都失败，则返回最后一次尝试的最终错误。
+
 ## 控制使用哪个凭证
 
-### 每会话（聊天命令）
+### 每个会话（聊天命令）
 
-使用 `/model <alias-or-id>@<profileId>` 为当前会话固定特定的提供商凭证（示例配置文件 ID：`anthropic:default`、`anthropic:work`）。
+使用 `/model <alias-or-id>@<profileId>` 为当前会话固定使用特定的提供商凭证（示例配置文件 id：`anthropic:default`、`anthropic:work`）。
 
-使用 `/model`（或 `/model list`）获取紧凑的选择器；使用 `/model status` 获取完整视图（候选项 + 下一个认证配置文件，以及配置时的提供商端点详情）。
+使用 `/model`（或 `/model list`）查看紧凑选择器；使用 `/model status` 查看完整视图（候选项 + 下一个凭证配置文件，以及在已配置时显示提供商端点详情）。
 
-### 每智能体（CLI 覆盖）
+### 每个智能体（CLI 覆盖）
 
-为智能体设置显式的认证配置文件顺序覆盖（存储在该智能体的 `auth-profiles.json` 中）：
+为智能体设置显式的凭证配置文件顺序覆盖（存储在该智能体的 `auth-profiles.json` 中）：
 
 ```bash
 openclaw models auth order get --provider anthropic
@@ -120,23 +160,25 @@ openclaw models auth order set --provider anthropic anthropic:default
 openclaw models auth order clear --provider anthropic
 ```
 
-使用 `--agent <id>` 指定特定智能体；省略它则使用配置的默认智能体。
+使用 `--agent <id>` 指定特定智能体；省略它则使用已配置的默认智能体。
 
 ## 故障排除
 
-### "No credentials found"
+### “No credentials found”
 
-如果 Anthropic 令牌配置文件缺失，在 **Gateway 网关主机**上运行 `claude setup-token`，然后重新检查：
+如果缺少 Anthropic token 配置文件，请在
+**Gateway 网关主机** 上运行 `claude setup-token`，然后重新检查：
 
 ```bash
 openclaw models status
 ```
 
-### 令牌即将过期/已过期
+### Token 即将过期/已过期
 
-运行 `openclaw models status` 确认哪个配置文件即将过期。如果配置文件缺失，重新运行 `claude setup-token` 并再次粘贴令牌。
+运行 `openclaw models status` 以确认哪个配置文件即将过期。如果该配置文件
+缺失，请重新运行 `claude setup-token` 并再次粘贴 token。
 
 ## 要求
 
-- Claude Max 或 Pro 订阅（用于 `claude setup-token`）
+- Anthropic 订阅账号（用于 `claude setup-token`）
 - 已安装 Claude Code CLI（`claude` 命令可用）
diff --git a/docs/zh-CN/gateway/configuration-reference.md b/docs/zh-CN/gateway/configuration-reference.md
new file mode 100644
index 00000000000..0e46566c9ce
--- /dev/null
+++ b/docs/zh-CN/gateway/configuration-reference.md
@@ -0,0 +1,3103 @@
+---
+description: Complete field-by-field reference for ~/.openclaw/openclaw.json
+read_when:
+  - 你需要精确到字段级别的配置语义或默认值
+  - 你正在验证渠道、模型、Gateway 网关或工具配置块
+summary: 每个 OpenClaw 配置键、默认值和渠道设置的完整参考
+title: 配置参考
+x-i18n:
+  generated_at: "2026-03-16T06:27:43Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: c2926153fa94bbb3141ac7cd9ebfa381394c9c9ad7a1cf1d21fb91c879905d51
+  source_path: gateway/configuration-reference.md
+  workflow: 15
+---
+
+# 配置参考
+
+`~/.openclaw/openclaw.json` 中所有可用字段。若需面向任务的概览，请参见 [Configuration](/gateway/configuration)。
+
+配置格式为 **JSON5**（允许注释和尾随逗号）。所有字段都是可选的——省略时，OpenClaw 会使用安全默认值。
+
+---
+
+## 渠道
+
+只要某个渠道的配置节存在，它就会自动启动（除非设置了 `enabled: false`）。
+
+### 私信和群组访问
+
+所有渠道都支持私信策略和群组策略：
+
+| DM policy         | Behavior                                            |
+| ----------------- | --------------------------------------------------- |
+| `pairing`（默认） | 未知发送者会收到一次性配对码；所有者必须批准        |
+| `allowlist`       | 仅 `allowFrom` 中的发送者（或已配对的允许列表存储） |
+| `open`            | 允许所有入站私信（要求 `allowFrom: ["*"]`）         |
+| `disabled`        | 忽略所有入站私信                                    |
+
+| Group policy        | Behavior                               |
+| ------------------- | -------------------------------------- |
+| `allowlist`（默认） | 仅允许匹配已配置 allowlist 的群组      |
+| `open`              | 绕过群组 allowlist（仍会应用提及门控） |
+| `disabled`          | 阻止所有群组/房间消息                  |
+
+<Note>
+`channels.defaults.groupPolicy` 会在某个提供商的 `groupPolicy` 未设置时作为默认值。
+配对码会在 1 小时后过期。待处理的私信配对请求每个渠道最多 **3 个**。
+如果某个提供商配置块完全缺失（`channels.<provider>` 不存在），运行时群组策略会回退到 `allowlist`（默认拒绝），并在启动时发出警告。
+</Note>
+
+### 渠道模型覆盖
+
+使用 `channels.modelByChannel` 可将特定渠道 ID 固定到某个模型。值接受 `provider/model` 或已配置的模型别名。当会话尚未存在模型覆盖时（例如通过 `/model` 设置），才会应用渠道映射。
+
+```json5
+{
+  channels: {
+    modelByChannel: {
+      discord: {
+        "123456789012345678": "anthropic/claude-opus-4-6",
+      },
+      slack: {
+        C1234567890: "openai/gpt-4.1",
+      },
+      telegram: {
+        "-1001234567890": "openai/gpt-4.1-mini",
+        "-1001234567890:topic:99": "anthropic/claude-sonnet-4-6",
+      },
+    },
+  },
+}
+```
+
+### 渠道默认值和心跳
+
+使用 `channels.defaults` 为多个提供商共享群组策略和心跳行为：
+
+```json5
+{
+  channels: {
+    defaults: {
+      groupPolicy: "allowlist", // open | allowlist | disabled
+      heartbeat: {
+        showOk: false,
+        showAlerts: true,
+        useIndicator: true,
+      },
+    },
+  },
+}
+```
+
+- `channels.defaults.groupPolicy`：当提供商级 `groupPolicy` 未设置时使用的回退群组策略。
+- `channels.defaults.heartbeat.showOk`：在心跳输出中包含健康的渠道状态。
+- `channels.defaults.heartbeat.showAlerts`：在心跳输出中包含降级/错误状态。
+- `channels.defaults.heartbeat.useIndicator`：以紧凑的指示器样式渲染心跳输出。
+
+### WhatsApp
+
+WhatsApp 通过 Gateway 网关的 Web 渠道（Baileys Web）运行。当存在已关联的会话时，它会自动启动。
+
+```json5
+{
+  channels: {
+    whatsapp: {
+      dmPolicy: "pairing", // pairing | allowlist | open | disabled
+      allowFrom: ["+15555550123", "+447700900123"],
+      textChunkLimit: 4000,
+      chunkMode: "length", // length | newline
+      mediaMaxMb: 50,
+      sendReadReceipts: true, // 蓝色双勾（自聊模式下为 false）
+      groups: {
+        "*": { requireMention: true },
+      },
+      groupPolicy: "allowlist",
+      groupAllowFrom: ["+15551234567"],
+    },
+  },
+  web: {
+    enabled: true,
+    heartbeatSeconds: 60,
+    reconnect: {
+      initialMs: 2000,
+      maxMs: 120000,
+      factor: 1.4,
+      jitter: 0.2,
+      maxAttempts: 0,
+    },
+  },
+}
+```
+
+<Accordion title="多账户 WhatsApp">
+
+```json5
+{
+  channels: {
+    whatsapp: {
+      accounts: {
+        default: {},
+        personal: {},
+        biz: {
+          // authDir: "~/.openclaw/credentials/whatsapp/biz",
+        },
+      },
+    },
+  },
+}
+```
+
+- 出站命令默认使用账户 `default`（若存在）；否则使用第一个已配置的账户 ID（排序后）。
+- 可选的 `channels.whatsapp.defaultAccount` 会在其与某个已配置账户 ID 匹配时，覆盖该回退默认账户选择。
+- 旧版单账户 Baileys 认证目录会由 `openclaw doctor` 迁移到 `whatsapp/default`。
+- 按账户覆盖：`channels.whatsapp.accounts.<id>.sendReadReceipts`、`channels.whatsapp.accounts.<id>.dmPolicy`、`channels.whatsapp.accounts.<id>.allowFrom`。
+
+</Accordion>
+
+### Telegram
+
+```json5
+{
+  channels: {
+    telegram: {
+      enabled: true,
+      botToken: "your-bot-token",
+      dmPolicy: "pairing",
+      allowFrom: ["tg:123456789"],
+      groups: {
+        "*": { requireMention: true },
+        "-1001234567890": {
+          allowFrom: ["@admin"],
+          systemPrompt: "Keep answers brief.",
+          topics: {
+            "99": {
+              requireMention: false,
+              skills: ["search"],
+              systemPrompt: "Stay on topic.",
+            },
+          },
+        },
+      },
+      customCommands: [
+        { command: "backup", description: "Git backup" },
+        { command: "generate", description: "Create an image" },
+      ],
+      historyLimit: 50,
+      replyToMode: "first", // off | first | all
+      linkPreview: true,
+      streaming: "partial", // off | partial | block | progress（默认：off）
+      actions: { reactions: true, sendMessage: true },
+      reactionNotifications: "own", // off | own | all
+      mediaMaxMb: 100,
+      retry: {
+        attempts: 3,
+        minDelayMs: 400,
+        maxDelayMs: 30000,
+        jitter: 0.1,
+      },
+      network: {
+        autoSelectFamily: true,
+        dnsResultOrder: "ipv4first",
+      },
+      proxy: "socks5://localhost:9050",
+      webhookUrl: "https://example.com/telegram-webhook",
+      webhookSecret: "secret",
+      webhookPath: "/telegram-webhook",
+    },
+  },
+}
+```
+
+- 机器人令牌：`channels.telegram.botToken` 或 `channels.telegram.tokenFile`（仅常规文件；拒绝符号链接），默认账户还可回退到 `TELEGRAM_BOT_TOKEN`。
+- 可选的 `channels.telegram.defaultAccount` 会在其与某个已配置账户 ID 匹配时覆盖默认账户选择。
+- 在多账户设置（2 个及以上账户 ID）中，请设置显式默认值（`channels.telegram.defaultAccount` 或 `channels.telegram.accounts.default`），以避免回退路由；如果缺失或无效，`openclaw doctor` 会发出警告。
+- `configWrites: false` 会阻止 Telegram 发起的配置写入（超级群组 ID 迁移、`/config set|unset`）。
+- 顶层 `bindings[]` 中 `type: "acp"` 的条目会为论坛话题配置持久化 ACP 绑定（在 `match.peer.id` 中使用规范形式 `chatId:topic:topicId`）。字段语义与 [ACP Agents](/tools/acp-agents#channel-specific-settings) 共享。
+- Telegram 流式预览使用 `sendMessage` + `editMessageText`（适用于私聊和群聊）。
+- 重试策略：参见 [Retry policy](/concepts/retry)。
+
+### Discord
+
+```json5
+{
+  channels: {
+    discord: {
+      enabled: true,
+      token: "your-bot-token",
+      mediaMaxMb: 8,
+      allowBots: false,
+      actions: {
+        reactions: true,
+        stickers: true,
+        polls: true,
+        permissions: true,
+        messages: true,
+        threads: true,
+        pins: true,
+        search: true,
+        memberInfo: true,
+        roleInfo: true,
+        roles: false,
+        channelInfo: true,
+        voiceStatus: true,
+        events: true,
+        moderation: false,
+      },
+      replyToMode: "off", // off | first | all
+      dmPolicy: "pairing",
+      allowFrom: ["1234567890", "123456789012345678"],
+      dm: { enabled: true, groupEnabled: false, groupChannels: ["openclaw-dm"] },
+      guilds: {
+        "123456789012345678": {
+          slug: "friends-of-openclaw",
+          requireMention: false,
+          ignoreOtherMentions: true,
+          reactionNotifications: "own",
+          users: ["987654321098765432"],
+          channels: {
+            general: { allow: true },
+            help: {
+              allow: true,
+              requireMention: true,
+              users: ["987654321098765432"],
+              skills: ["docs"],
+              systemPrompt: "Short answers only.",
+            },
+          },
+        },
+      },
+      historyLimit: 20,
+      textChunkLimit: 2000,
+      chunkMode: "length", // length | newline
+      streaming: "off", // off | partial | block | progress（在 Discord 上 progress 映射为 partial）
+      maxLinesPerMessage: 17,
+      ui: {
+        components: {
+          accentColor: "#5865F2",
+        },
+      },
+      threadBindings: {
+        enabled: true,
+        idleHours: 24,
+        maxAgeHours: 0,
+        spawnSubagentSessions: false, // 为 `sessions_spawn({ thread: true })` 选择性启用
+      },
+      voice: {
+        enabled: true,
+        autoJoin: [
+          {
+            guildId: "123456789012345678",
+            channelId: "234567890123456789",
+          },
+        ],
+        daveEncryption: true,
+        decryptionFailureTolerance: 24,
+        tts: {
+          provider: "openai",
+          openai: { voice: "alloy" },
+        },
+      },
+      retry: {
+        attempts: 3,
+        minDelayMs: 500,
+        maxDelayMs: 30000,
+        jitter: 0.1,
+      },
+    },
+  },
+}
+```
+
+- 令牌：`channels.discord.token`，默认账户还可回退到 `DISCORD_BOT_TOKEN`。
+- 显式提供 Discord `token` 的直接出站调用会使用该令牌；账户重试/策略设置仍来自当前活动运行时快照中的所选账户。
+- 可选的 `channels.discord.defaultAccount` 会在其与某个已配置账户 ID 匹配时覆盖默认账户选择。
+- 对投递目标请使用 `user:<id>`（私信）或 `channel:<id>`（服务器频道）；裸数字 ID 会被拒绝。
+- 服务器 slug 为小写且空格替换为 `-`；频道键使用 slug 化名称（不含 `#`）。优先使用 guild ID。
+- 默认会忽略机器人自己发出的消息。`allowBots: true` 可启用；使用 `allowBots: "mentions"` 可仅接受提及该机器人的机器人消息（仍会过滤自己的消息）。
+- `channels.discord.guilds.<id>.ignoreOtherMentions`（及频道级覆盖）会丢弃那些提及了其他用户或角色但未提及机器人的消息（不含 @everyone/@here）。
+- `maxLinesPerMessage`（默认 17）会在消息过高时拆分，即便未超过 2000 个字符。
+- `channels.discord.threadBindings` 控制 Discord 线程绑定路由：
+  - `enabled`：线程绑定会话功能的 Discord 覆盖（`/focus`、`/unfocus`、`/agents`、`/session idle`、`/session max-age` 以及绑定后的投递/路由）
+  - `idleHours`：不活动自动取消聚焦的 Discord 覆盖值（小时，`0` 表示禁用）
+  - `maxAgeHours`：硬性最大年龄的 Discord 覆盖值（小时，`0` 表示禁用）
+  - `spawnSubagentSessions`：为 `sessions_spawn({ thread: true })` 自动创建/绑定线程的选择性开关
+- 顶层 `bindings[]` 中 `type: "acp"` 的条目会为频道和线程配置持久化 ACP 绑定（在 `match.peer.id` 中使用频道/线程 ID）。字段语义与 [ACP Agents](/tools/acp-agents#channel-specific-settings) 共享。
+- `channels.discord.ui.components.accentColor` 设置 Discord components v2 容器的强调色。
+- `channels.discord.voice` 启用 Discord 语音频道对话，以及可选的自动加入 + TTS 覆盖。
+- `channels.discord.voice.daveEncryption` 和 `channels.discord.voice.decryptionFailureTolerance` 会透传给 `@discordjs/voice` 的 DAVE 选项（默认分别为 `true` 和 `24`）。
+- 在重复解密失败后，OpenClaw 还会尝试通过离开/重新加入语音会话来恢复语音接收。
+- `channels.discord.streaming` 是规范的流式模式键。旧版 `streamMode` 和布尔型 `streaming` 值会自动迁移。
+- `channels.discord.autoPresence` 将运行时可用性映射为机器人状态（健康 => online，降级 => idle，耗尽 => dnd），并允许可选的状态文本覆盖。
+- `channels.discord.dangerouslyAllowNameMatching` 会重新启用可变名称/tag 匹配（紧急兼容模式）。
+
+**反应通知模式：**`off`（无）、`own`（机器人的消息，默认）、`all`（所有消息）、`allowlist`（`guilds.<id>.users` 中所有消息）。
+
+### Google Chat
+
+```json5
+{
+  channels: {
+    googlechat: {
+      enabled: true,
+      serviceAccountFile: "/path/to/service-account.json",
+      audienceType: "app-url", // app-url | project-number
+      audience: "https://gateway.example.com/googlechat",
+      webhookPath: "/googlechat",
+      botUser: "users/1234567890",
+      dm: {
+        enabled: true,
+        policy: "pairing",
+        allowFrom: ["users/1234567890"],
+      },
+      groupPolicy: "allowlist",
+      groups: {
+        "spaces/AAAA": { allow: true, requireMention: true },
+      },
+      actions: { reactions: true },
+      typingIndicator: "message",
+      mediaMaxMb: 20,
+    },
+  },
+}
+```
+
+- 服务账户 JSON：支持内联（`serviceAccount`）或基于文件（`serviceAccountFile`）。
+- 也支持服务账户 SecretRef（`serviceAccountRef`）。
+- 环境变量回退：`GOOGLE_CHAT_SERVICE_ACCOUNT` 或 `GOOGLE_CHAT_SERVICE_ACCOUNT_FILE`。
+- 对投递目标使用 `spaces/<spaceId>` 或 `users/<userId>`。
+- `channels.googlechat.dangerouslyAllowNameMatching` 会重新启用可变电子邮件主体匹配（紧急兼容模式）。
+
+### Slack
+
+```json5
+{
+  channels: {
+    slack: {
+      enabled: true,
+      botToken: "xoxb-...",
+      appToken: "xapp-...",
+      dmPolicy: "pairing",
+      allowFrom: ["U123", "U456", "*"],
+      dm: { enabled: true, groupEnabled: false, groupChannels: ["G123"] },
+      channels: {
+        C123: { allow: true, requireMention: true, allowBots: false },
+        "#general": {
+          allow: true,
+          requireMention: true,
+          allowBots: false,
+          users: ["U123"],
+          skills: ["docs"],
+          systemPrompt: "Short answers only.",
+        },
+      },
+      historyLimit: 50,
+      allowBots: false,
+      reactionNotifications: "own",
+      reactionAllowlist: ["U123"],
+      replyToMode: "off", // off | first | all
+      thread: {
+        historyScope: "thread", // thread | channel
+        inheritParent: false,
+      },
+      actions: {
+        reactions: true,
+        messages: true,
+        pins: true,
+        memberInfo: true,
+        emojiList: true,
+      },
+      slashCommand: {
+        enabled: true,
+        name: "openclaw",
+        sessionPrefix: "slack:slash",
+        ephemeral: true,
+      },
+      typingReaction: "hourglass_flowing_sand",
+      textChunkLimit: 4000,
+      chunkMode: "length",
+      streaming: "partial", // off | partial | block | progress（预览模式）
+      nativeStreaming: true, // 当 streaming=partial 时使用 Slack 原生流式 API
+      mediaMaxMb: 20,
+    },
+  },
+}
+```
+
+- **Socket mode** 需要同时提供 `botToken` 和 `appToken`（默认账户环境变量回退为 `SLACK_BOT_TOKEN` + `SLACK_APP_TOKEN`）。
+- **HTTP mode** 需要 `botToken`，外加 `signingSecret`（根级或按账户）。
+- `configWrites: false` 会阻止 Slack 发起的配置写入。
+- 可选的 `channels.slack.defaultAccount` 会在其与某个已配置账户 ID 匹配时覆盖默认账户选择。
+- `channels.slack.streaming` 是规范的流式模式键。旧版 `streamMode` 和布尔型 `streaming` 值会自动迁移。
+- 对投递目标使用 `user:<id>`（私信）或 `channel:<id>`（频道）。
+
+**反应通知模式：**`off`、`own`（默认）、`all`、`allowlist`（来自 `reactionAllowlist`）。
+
+**线程会话隔离：**`thread.historyScope` 可设为按线程（默认）或在频道内共享。`thread.inheritParent` 会将父频道记录复制到新线程。
+
+- `typingReaction` 会在回复运行期间，为入站 Slack 消息添加一个临时反应，并在完成后移除。请使用 Slack emoji 短代码，例如 `"hourglass_flowing_sand"`。
+
+| Action group | Default | Notes               |
+| ------------ | ------- | ------------------- |
+| reactions    | 已启用  | 添加反应 + 列出反应 |
+| messages     | 已启用  | 读取/发送/编辑/删除 |
+| pins         | 已启用  | 置顶/取消置顶/列出  |
+| memberInfo   | 已启用  | 成员信息            |
+| emojiList    | 已启用  | 自定义 emoji 列表   |
+
+### Mattermost
+
+Mattermost 以插件形式提供：`openclaw plugins install @openclaw/mattermost`。
+
+```json5
+{
+  channels: {
+    mattermost: {
+      enabled: true,
+      botToken: "mm-token",
+      baseUrl: "https://chat.example.com",
+      dmPolicy: "pairing",
+      chatmode: "oncall", // oncall | onmessage | onchar
+      oncharPrefixes: [">", "!"],
+      commands: {
+        native: true, // 选择性启用
+        nativeSkills: true,
+        callbackPath: "/api/channels/mattermost/command",
+        // 为反向代理/公共部署提供可选的显式 URL
+        callbackUrl: "https://gateway.example.com/api/channels/mattermost/command",
+      },
+      textChunkLimit: 4000,
+      chunkMode: "length",
+    },
+  },
+}
+```
+
+聊天模式：`oncall`（在 @ 提及时回复，默认）、`onmessage`（每条消息都回复）、`onchar`（以触发前缀开头的消息）。
+
+启用 Mattermost 原生命令时：
+
+- `commands.callbackPath` 必须是路径（例如 `/api/channels/mattermost/command`），不能是完整 URL。
+- `commands.callbackUrl` 必须解析到 OpenClaw Gateway 网关端点，并且 Mattermost 服务器可以访问它。
+- 对于私有/tailnet/内网回调主机，Mattermost 可能要求
+  `ServiceSettings.AllowedUntrustedInternalConnections` 包含该回调主机/域名。
+  请使用主机/域名值，而不是完整 URL。
+- `channels.mattermost.configWrites`：允许或拒绝 Mattermost 发起的配置写入。
+- `channels.mattermost.requireMention`：在频道中回复前要求 `@mention`。
+- 可选的 `channels.mattermost.defaultAccount` 会在其与某个已配置账户 ID 匹配时覆盖默认账户选择。
+
+### Signal
+
+```json5
+{
+  channels: {
+    signal: {
+      enabled: true,
+      account: "+15555550123", // 可选账户绑定
+      dmPolicy: "pairing",
+      allowFrom: ["+15551234567", "uuid:123e4567-e89b-12d3-a456-426614174000"],
+      configWrites: true,
+      reactionNotifications: "own", // off | own | all | allowlist
+      reactionAllowlist: ["+15551234567", "uuid:123e4567-e89b-12d3-a456-426614174000"],
+      historyLimit: 50,
+    },
+  },
+}
+```
+
+**反应通知模式：**`off`、`own`（默认）、`all`、`allowlist`（来自 `reactionAllowlist`）。
+
+- `channels.signal.account`：将渠道启动固定到特定 Signal 账户身份。
+- `channels.signal.configWrites`：允许或拒绝 Signal 发起的配置写入。
+- 可选的 `channels.signal.defaultAccount` 会在其与某个已配置账户 ID 匹配时覆盖默认账户选择。
+
+### BlueBubbles
+
+BlueBubbles 是推荐的 iMessage 路径（由插件支持，配置在 `channels.bluebubbles` 下）。
+
+```json5
+{
+  channels: {
+    bluebubbles: {
+      enabled: true,
+      dmPolicy: "pairing",
+      // serverUrl、password、webhookPath、群组控制和高级操作：
+      // 见 /channels/bluebubbles
+    },
+  },
+}
+```
+
+- 此处涵盖的核心键路径：`channels.bluebubbles`、`channels.bluebubbles.dmPolicy`。
+- 可选的 `channels.bluebubbles.defaultAccount` 会在其与某个已配置账户 ID 匹配时覆盖默认账户选择。
+- 完整的 BlueBubbles 渠道配置文档见 [BlueBubbles](/channels/bluebubbles)。
+
+### iMessage
+
+OpenClaw 会启动 `imsg rpc`（通过 stdio 的 JSON-RPC）。不需要守护进程或端口。
+
+```json5
+{
+  channels: {
+    imessage: {
+      enabled: true,
+      cliPath: "imsg",
+      dbPath: "~/Library/Messages/chat.db",
+      remoteHost: "user@gateway-host",
+      dmPolicy: "pairing",
+      allowFrom: ["+15555550123", "user@example.com", "chat_id:123"],
+      historyLimit: 50,
+      includeAttachments: false,
+      attachmentRoots: ["/Users/*/Library/Messages/Attachments"],
+      remoteAttachmentRoots: ["/Users/*/Library/Messages/Attachments"],
+      mediaMaxMb: 16,
+      service: "auto",
+      region: "US",
+    },
+  },
+}
+```
+
+- 可选的 `channels.imessage.defaultAccount` 会在其与某个已配置账户 ID 匹配时覆盖默认账户选择。
+
+- 需要对 Messages DB 具有 Full Disk Access。
+- 优先使用 `chat_id:<id>` 目标。使用 `imsg chats --limit 20` 列出聊天。
+- `cliPath` 可以指向 SSH 包装器；设置 `remoteHost`（`host` 或 `user@host`）以通过 SCP 获取附件。
+- `attachmentRoots` 和 `remoteAttachmentRoots` 会限制入站附件路径（默认：`/Users/*/Library/Messages/Attachments`）。
+- SCP 使用严格主机密钥检查，因此请确保中继主机密钥已存在于 `~/.ssh/known_hosts`。
+- `channels.imessage.configWrites`：允许或拒绝 iMessage 发起的配置写入。
+
+<Accordion title="iMessage SSH 包装器示例">
+
+```bash
+#!/usr/bin/env bash
+exec ssh -T gateway-host imsg "$@"
+```
+
+</Accordion>
+
+### Microsoft Teams
+
+Microsoft Teams 由扩展支持，并配置在 `channels.msteams` 下。
+
+```json5
+{
+  channels: {
+    msteams: {
+      enabled: true,
+      configWrites: true,
+      // appId、appPassword、tenantId、webhook、团队/频道策略：
+      // 见 /channels/msteams
+    },
+  },
+}
+```
+
+- 此处涵盖的核心键路径：`channels.msteams`、`channels.msteams.configWrites`。
+- 完整的 Teams 配置（凭证、webhook、私信/群组策略、按团队/按频道覆盖）见 [Microsoft Teams](/channels/msteams)。
+
+### IRC
+
+IRC 由扩展支持，并配置在 `channels.irc` 下。
+
+```json5
+{
+  channels: {
+    irc: {
+      enabled: true,
+      dmPolicy: "pairing",
+      configWrites: true,
+      nickserv: {
+        enabled: true,
+        service: "NickServ",
+        password: "${IRC_NICKSERV_PASSWORD}",
+        register: false,
+        registerEmail: "bot@example.com",
+      },
+    },
+  },
+}
+```
+
+- 此处涵盖的核心键路径：`channels.irc`、`channels.irc.dmPolicy`、`channels.irc.configWrites`、`channels.irc.nickserv.*`。
+- 可选的 `channels.irc.defaultAccount` 会在其与某个已配置账户 ID 匹配时覆盖默认账户选择。
+- 完整的 IRC 渠道配置（主机/端口/TLS/频道/allowlist/提及门控）见 [IRC](/channels/irc)。
+
+### 多账户（所有渠道）
+
+按渠道运行多个账户（每个账户有自己的 `accountId`）：
+
+```json5
+{
+  channels: {
+    telegram: {
+      accounts: {
+        default: {
+          name: "Primary bot",
+          botToken: "123456:ABC...",
+        },
+        alerts: {
+          name: "Alerts bot",
+          botToken: "987654:XYZ...",
+        },
+      },
+    },
+  },
+}
+```
+
+- 省略 `accountId` 时使用 `default`（CLI + 路由）。
+- 环境变量令牌仅适用于 **default** 账户。
+- 基础渠道设置适用于所有账户，除非按账户覆盖。
+- 使用 `bindings[].match.accountId` 将每个账户路由到不同智能体。
+- 如果你通过 `openclaw channels add`（或渠道新手引导）添加了一个非默认账户，而当前仍是单账户顶层渠道配置，OpenClaw 会先将带账户作用域的顶层单账户值移动到 `channels.<channel>.accounts.default`，以便原始账户继续工作。
+- 现有仅渠道绑定（无 `accountId`）仍会匹配默认账户；账户作用域绑定仍是可选的。
+- 当存在命名账户但缺少 `default` 时，`openclaw doctor --fix` 也会通过将带账户作用域的顶层单账户值移动到 `accounts.default` 来修复混合形状。
+
+### 其他扩展渠道
+
+许多扩展渠道都配置为 `channels.<id>`，并在其专属渠道页面中记录（例如 Feishu、Matrix、LINE、Nostr、Zalo、Nextcloud Talk、Synology Chat 和 Twitch）。
+查看完整渠道索引：[Channels](/channels)。
+
+### 群聊提及门控
+
+群消息默认**要求提及**（元数据提及或安全正则模式）。适用于 WhatsApp、Telegram、Discord、Google Chat 和 iMessage 群聊。
+
+**提及类型：**
+
+- **元数据提及**：平台原生 @ 提及。在 WhatsApp 自聊模式中会被忽略。
+- **文本模式**：位于 `agents.list[].groupChat.mentionPatterns` 中的安全正则模式。无效模式和不安全的嵌套重复会被忽略。
+- 只有在可以检测提及的情况下（原生提及或至少一个模式），才会强制执行提及门控。
+
+```json5
+{
+  messages: {
+    groupChat: { historyLimit: 50 },
+  },
+  agents: {
+    list: [{ id: "main", groupChat: { mentionPatterns: ["@openclaw", "openclaw"] } }],
+  },
+}
+```
+
+`messages.groupChat.historyLimit` 设置全局默认值。渠道可通过 `channels.<channel>.historyLimit`（或按账户）覆盖。设为 `0` 可禁用。
+
+#### 私信历史限制
+
+```json5
+{
+  channels: {
+    telegram: {
+      dmHistoryLimit: 30,
+      dms: {
+        "123456789": { historyLimit: 50 },
+      },
+    },
+  },
+}
+```
+
+解析顺序：按私信覆盖 → 提供商默认值 → 无限制（全部保留）。
+
+支持：`telegram`、`whatsapp`、`discord`、`slack`、`signal`、`imessage`、`msteams`。
+
+#### 自聊模式
+
+将你自己的号码包含在 `allowFrom` 中可启用自聊模式（忽略原生 @ 提及，仅响应文本模式）：
+
+```json5
+{
+  channels: {
+    whatsapp: {
+      allowFrom: ["+15555550123"],
+      groups: { "*": { requireMention: true } },
+    },
+  },
+  agents: {
+    list: [
+      {
+        id: "main",
+        groupChat: { mentionPatterns: ["reisponde", "@openclaw"] },
+      },
+    ],
+  },
+}
+```
+
+### 命令（聊天命令处理）
+
+```json5
+{
+  commands: {
+    native: "auto", // 在支持时注册原生命令
+    text: true, // 解析聊天消息中的 /commands
+    bash: false, // 允许 !（别名：/bash）
+    bashForegroundMs: 2000,
+    config: false, // 允许 /config
+    debug: false, // 允许 /debug
+    restart: false, // 允许 /restart + gateway restart 工具
+    allowFrom: {
+      "*": ["user1"],
+      discord: ["user:123"],
+    },
+    useAccessGroups: true,
+  },
+}
+```
+
+<Accordion title="命令详情">
+
+- 文本命令必须是以 `/` 开头的**独立**消息。
+- `native: "auto"` 会为 Discord/Telegram 打开原生命令，而让 Slack 保持关闭。
+- 可按渠道覆盖：`channels.discord.commands.native`（布尔值或 `"auto"`）。`false` 会清除先前已注册的命令。
+- `channels.telegram.customCommands` 可添加额外的 Telegram 机器人菜单项。
+- `bash: true` 会为主机 shell 启用 `! <cmd>`。要求 `tools.elevated.enabled` 已启用，且发送者在 `tools.elevated.allowFrom.<channel>` 中。
+- `config: true` 启用 `/config`（读取/写入 `openclaw.json`）。对于 gateway `chat.send` 客户端，持久化的 `/config set|unset` 写入还要求 `operator.admin`；只读的 `/config show` 对普通写作用域 operator 客户端仍然可用。
+- `channels.<provider>.configWrites` 按渠道控制配置变更（默认：true）。
+- 对多账户渠道，`channels.<provider>.accounts.<id>.configWrites` 也会控制针对该账户的写入（例如 `/allowlist --config --account <id>` 或 `/config set channels.<provider>.accounts.<id>...`）。
+- `allowFrom` 是按提供商配置的。设置后，它将成为**唯一**的授权来源（渠道 allowlist/配对和 `useAccessGroups` 都会被忽略）。
+- 当 `allowFrom` 未设置时，`useAccessGroups: false` 允许命令绕过访问组策略。
+
+</Accordion>
+
+---
+
+## 智能体默认值
+
+### `agents.defaults.workspace`
+
+默认值：`~/.openclaw/workspace`。
+
+```json5
+{
+  agents: { defaults: { workspace: "~/.openclaw/workspace" } },
+}
+```
+
+### `agents.defaults.repoRoot`
+
+可选的仓库根目录，会显示在系统提示的 Runtime 行中。如果未设置，OpenClaw 会从工作区向上遍历自动检测。
+
+```json5
+{
+  agents: { defaults: { repoRoot: "~/Projects/openclaw" } },
+}
+```
+
+### `agents.defaults.skipBootstrap`
+
+禁用自动创建工作区引导文件（`AGENTS.md`、`SOUL.md`、`TOOLS.md`、`IDENTITY.md`、`USER.md`、`HEARTBEAT.md`、`BOOTSTRAP.md`）。
+
+```json5
+{
+  agents: { defaults: { skipBootstrap: true } },
+}
+```
+
+### `agents.defaults.bootstrapMaxChars`
+
+单个工作区引导文件在截断前的最大字符数。默认：`20000`。
+
+```json5
+{
+  agents: { defaults: { bootstrapMaxChars: 20000 } },
+}
+```
+
+### `agents.defaults.bootstrapTotalMaxChars`
+
+所有工作区引导文件注入时的最大总字符数。默认：`150000`。
+
+```json5
+{
+  agents: { defaults: { bootstrapTotalMaxChars: 150000 } },
+}
+```
+
+### `agents.defaults.bootstrapPromptTruncationWarning`
+
+控制引导上下文被截断时，对智能体可见的警告文本。
+默认：`"once"`。
+
+- `"off"`：绝不向系统提示注入警告文本。
+- `"once"`：对每个唯一的截断签名仅注入一次警告（推荐）。
+- `"always"`：只要存在截断，就在每次运行时注入警告。
+
+```json5
+{
+  agents: { defaults: { bootstrapPromptTruncationWarning: "once" } }, // off | once | always
+}
+```
+
+### `agents.defaults.imageMaxDimensionPx`
+
+在调用提供商之前，记录/工具图像块中最长边的最大像素尺寸。
+默认：`1200`。
+
+较低的值通常会降低视觉 token 用量以及截图密集型运行的请求负载大小。
+较高的值可保留更多视觉细节。
+
+```json5
+{
+  agents: { defaults: { imageMaxDimensionPx: 1200 } },
+}
+```
+
+### `agents.defaults.userTimezone`
+
+系统提示上下文使用的时区（不是消息时间戳）。回退到主机时区。
+
+```json5
+{
+  agents: { defaults: { userTimezone: "America/Chicago" } },
+}
+```
+
+### `agents.defaults.timeFormat`
+
+系统提示中的时间格式。默认：`auto`（操作系统偏好）。
+
+```json5
+{
+  agents: { defaults: { timeFormat: "auto" } }, // auto | 12 | 24
+}
+```
+
+### `agents.defaults.model`
+
+```json5
+{
+  agents: {
+    defaults: {
+      models: {
+        "anthropic/claude-opus-4-6": { alias: "opus" },
+        "minimax/MiniMax-M2.5": { alias: "minimax" },
+      },
+      model: {
+        primary: "anthropic/claude-opus-4-6",
+        fallbacks: ["minimax/MiniMax-M2.5"],
+      },
+      imageModel: {
+        primary: "openrouter/qwen/qwen-2.5-vl-72b-instruct:free",
+        fallbacks: ["openrouter/google/gemini-2.0-flash-vision:free"],
+      },
+      pdfModel: {
+        primary: "anthropic/claude-opus-4-6",
+        fallbacks: ["openai/gpt-5-mini"],
+      },
+      pdfMaxBytesMb: 10,
+      pdfMaxPages: 20,
+      thinkingDefault: "low",
+      verboseDefault: "off",
+      elevatedDefault: "on",
+      timeoutSeconds: 600,
+      mediaMaxMb: 5,
+      contextTokens: 200000,
+      maxConcurrent: 3,
+    },
+  },
+}
+```
+
+- `model`：接受字符串（`"provider/model"`）或对象（`{ primary, fallbacks }`）。
+  - 字符串形式只设置主模型。
+  - 对象形式设置主模型以及按顺序排列的故障切换模型。
+- `imageModel`：接受字符串（`"provider/model"`）或对象（`{ primary, fallbacks }`）。
+  - 由 `image` 工具路径作为其视觉模型配置使用。
+  - 当所选/默认模型无法接受图像输入时，也用作回退路由。
+- `pdfModel`：接受字符串（`"provider/model"`）或对象（`{ primary, fallbacks }`）。
+  - 由 `pdf` 工具用于模型路由。
+  - 如果省略，PDF 工具会回退到 `imageModel`，再回退到提供商的尽力默认值。
+- `pdfMaxBytesMb`：`pdf` 工具在调用时未传入 `maxBytesMb` 时使用的默认 PDF 大小限制。
+- `pdfMaxPages`：`pdf` 工具在提取回退模式下考虑的默认最大页数。
+- `model.primary`：格式为 `provider/model`（例如 `anthropic/claude-opus-4-6`）。如果省略 provider，OpenClaw 会假定为 `anthropic`（已弃用）。
+- `models`：为 `/model` 配置的模型目录和 allowlist。每项可包含 `alias`（快捷方式）和 `params`（提供商特定参数，例如 `temperature`、`maxTokens`、`cacheRetention`、`context1m`）。
+- `params` 合并优先级（配置）：`agents.defaults.models["provider/model"].params` 为基础，然后由 `agents.list[].params`（匹配的智能体 ID）按键覆盖。
+- 会修改这些字段的配置写入器（例如 `/models set`、`/models set-image` 以及故障切换增删命令）会保存为规范的对象形式，并尽可能保留现有故障切换列表。
+- `maxConcurrent`：会话之间并行的智能体运行最大数（每个会话本身仍是串行）。默认：1。
+
+**内置别名简写**（仅当模型位于 `agents.defaults.models` 中时适用）：
+
+| Alias               | Model                                  |
+| ------------------- | -------------------------------------- |
+| `opus`              | `anthropic/claude-opus-4-6`            |
+| `sonnet`            | `anthropic/claude-sonnet-4-6`          |
+| `gpt`               | `openai/gpt-5.4`                       |
+| `gpt-mini`          | `openai/gpt-5-mini`                    |
+| `gemini`            | `google/gemini-3.1-pro-preview`        |
+| `gemini-flash`      | `google/gemini-3-flash-preview`        |
+| `gemini-flash-lite` | `google/gemini-3.1-flash-lite-preview` |
+
+你配置的别名始终优先于默认值。
+
+Z.AI 的 GLM-4.x 模型会自动启用 thinking 模式，除非你设置 `--thinking off`，或自行定义 `agents.defaults.models["zai/<model>"].params.thinking`。
+Z.AI 模型默认启用 `tool_stream` 以支持工具调用流式传输。将 `agents.defaults.models["zai/<model>"].params.tool_stream` 设为 `false` 可禁用。
+Anthropic Claude 4.6 模型在未显式设置 thinking 级别时，默认使用 `adaptive` thinking。
+
+### `agents.defaults.cliBackends`
+
+文本专用回退运行（无工具调用）的可选 CLI 后端。当 API 提供商失败时，可作为备份。
+
+```json5
+{
+  agents: {
+    defaults: {
+      cliBackends: {
+        "claude-cli": {
+          command: "/opt/homebrew/bin/claude",
+        },
+        "my-cli": {
+          command: "my-cli",
+          args: ["--json"],
+          output: "json",
+          modelArg: "--model",
+          sessionArg: "--session",
+          sessionMode: "existing",
+          systemPromptArg: "--system",
+          systemPromptWhen: "first",
+          imageArg: "--image",
+          imageMode: "repeat",
+        },
+      },
+    },
+  },
+}
+```
+
+- CLI 后端以文本为主；工具始终禁用。
+- 设置了 `sessionArg` 时支持会话。
+- 当 `imageArg` 接受文件路径时，支持图像透传。
+
+### `agents.defaults.heartbeat`
+
+周期性心跳运行。
+
+```json5
+{
+  agents: {
+    defaults: {
+      heartbeat: {
+        every: "30m", // 0m 表示禁用
+        model: "openai/gpt-5.2-mini",
+        includeReasoning: false,
+        lightContext: false, // 默认：false；true 仅保留工作区引导文件中的 HEARTBEAT.md
+        isolatedSession: false, // 默认：false；true 表示每次心跳都在全新会话中运行（无对话历史）
+        session: "main",
+        to: "+15555550123",
+        directPolicy: "allow", // allow（默认）| block
+        target: "none", // 默认：none | 可选：last | whatsapp | telegram | discord | ...
+        prompt: "Read HEARTBEAT.md if it exists...",
+        ackMaxChars: 300,
+        suppressToolErrorWarnings: false,
+      },
+    },
+  },
+}
+```
+
+- `every`：时长字符串（ms/s/m/h）。默认：`30m`。
+- `suppressToolErrorWarnings`：为 true 时，在心跳运行期间抑制工具错误警告负载。
+- `directPolicy`：直接/私信投递策略。`allow`（默认）允许直接目标投递。`block` 会抑制直接目标投递，并发出 `reason=dm-blocked`。
+- `lightContext`：为 true 时，心跳运行使用轻量引导上下文，并且只保留工作区引导文件中的 `HEARTBEAT.md`。
+- `isolatedSession`：为 true 时，每次心跳都会在无先前对话历史的全新会话中运行。与 cron `sessionTarget: "isolated"` 使用相同的隔离模式。可将每次心跳的 token 成本从约 100K 降到约 2-5K。
+- 按智能体设置：使用 `agents.list[].heartbeat`。当任一智能体定义了 `heartbeat` 时，**只有这些智能体**会运行心跳。
+- 心跳会执行完整的智能体轮次——间隔越短，消耗的 token 越多。
+
+### `agents.defaults.compaction`
+
+```json5
+{
+  agents: {
+    defaults: {
+      compaction: {
+        mode: "safeguard", // default | safeguard
+        timeoutSeconds: 900,
+        reserveTokensFloor: 24000,
+        identifierPolicy: "strict", // strict | off | custom
+        identifierInstructions: "Preserve deployment IDs, ticket IDs, and host:port pairs exactly.", // 当 identifierPolicy=custom 时使用
+        postCompactionSections: ["Session Startup", "Red Lines"], // [] 表示禁用重新注入
+        model: "openrouter/anthropic/claude-sonnet-4-5", // 可选，仅用于压缩的模型覆盖
+        memoryFlush: {
+          enabled: true,
+          softThresholdTokens: 6000,
+          systemPrompt: "Session nearing compaction. Store durable memories now.",
+          prompt: "Write any lasting notes to memory/YYYY-MM-DD.md; reply with NO_REPLY if nothing to store.",
+        },
+      },
+    },
+  },
+}
+```
+
+- `mode`：`default` 或 `safeguard`（用于长历史的分块摘要）。见 [Compaction](/concepts/compaction)。
+- `timeoutSeconds`：OpenClaw 中止前，单次压缩操作允许的最大秒数。默认：`900`。
+- `identifierPolicy`：`strict`（默认）、`off` 或 `custom`。`strict` 会在压缩摘要时预置内置的不透明标识符保留指导。
+- `identifierInstructions`：当 `identifierPolicy=custom` 时使用的可选自定义标识符保留文本。
+- `postCompactionSections`：压缩后重新注入的可选 AGENTS.md H2/H3 节名称。默认是 `["Session Startup", "Red Lines"]`；设为 `[]` 可禁用重新注入。当未设置或显式设置为该默认组合时，旧版 `Every Session`/`Safety` 标题也会作为兼容回退被接受。
+- `model`：仅用于压缩摘要的可选 `provider/model-id` 覆盖。当主会话应保留一个模型，但压缩摘要应在另一个模型上运行时使用；未设置时，压缩会使用会话的主模型。
+- `memoryFlush`：自动压缩前的静默智能体轮次，用于存储持久记忆。工作区为只读时会跳过。
+
+### `agents.defaults.contextPruning`
+
+在发送到 LLM 之前，从内存上下文中裁剪**旧的工具结果**。**不会**修改磁盘上的会话历史。
+
+```json5
+{
+  agents: {
+    defaults: {
+      contextPruning: {
+        mode: "cache-ttl", // off | cache-ttl
+        ttl: "1h", // 时长（ms/s/m/h），默认单位：分钟
+        keepLastAssistants: 3,
+        softTrimRatio: 0.3,
+        hardClearRatio: 0.5,
+        minPrunableToolChars: 50000,
+        softTrim: { maxChars: 4000, headChars: 1500, tailChars: 1500 },
+        hardClear: { enabled: true, placeholder: "[Old tool result content cleared]" },
+        tools: { deny: ["browser", "canvas"] },
+      },
+    },
+  },
+}
+```
+
+<Accordion title="cache-ttl 模式行为">
+
+- `mode: "cache-ttl"` 启用裁剪过程。
+- `ttl` 控制在上次缓存触碰后，多久才能再次运行裁剪。
+- 裁剪会先对过大的工具结果进行软裁剪，如仍有需要，再对更旧的工具结果执行硬清除。
+
+**软裁剪**保留开头和结尾，并在中间插入 `...`。
+
+**硬清除**用占位符替换整个工具结果。
+
+说明：
+
+- 图像块永远不会被裁剪/清除。
+- 比例是基于字符的（近似），不是精确 token 数。
+- 如果 assistant 消息少于 `keepLastAssistants`，则跳过裁剪。
+
+</Accordion>
+
+行为细节见 [Session Pruning](/concepts/session-pruning)。
+
+### 分块流式传输
+
+```json5
+{
+  agents: {
+    defaults: {
+      blockStreamingDefault: "off", // on | off
+      blockStreamingBreak: "text_end", // text_end | message_end
+      blockStreamingChunk: { minChars: 800, maxChars: 1200 },
+      blockStreamingCoalesce: { idleMs: 1000 },
+      humanDelay: { mode: "natural" }, // off | natural | custom（使用 minMs/maxMs）
+    },
+  },
+}
+```
+
+- 非 Telegram 渠道需要显式设置 `*.blockStreaming: true` 才会启用分块回复。
+- 渠道覆盖：`channels.<channel>.blockStreamingCoalesce`（以及按账户变体）。Signal/Slack/Discord/Google Chat 默认 `minChars: 1500`。
+- `humanDelay`：分块回复之间的随机暂停。`natural` = 800–2500 ms。按智能体覆盖：`agents.list[].humanDelay`。
+
+行为和分块细节见 [Streaming](/concepts/streaming)。
+
+### 输入指示器
+
+```json5
+{
+  agents: {
+    defaults: {
+      typingMode: "instant", // never | instant | thinking | message
+      typingIntervalSeconds: 6,
+    },
+  },
+}
+```
+
+- 默认值：私聊/被提及时为 `instant`，未提及的群聊中为 `message`。
+- 按会话覆盖：`session.typingMode`、`session.typingIntervalSeconds`。
+
+见 [Typing Indicators](/concepts/typing-indicators)。
+
+### `agents.defaults.sandbox`
+
+嵌入式智能体的可选沙箱隔离。完整指南见 [沙箱隔离](/gateway/sandboxing)。
+
+```json5
+{
+  agents: {
+    defaults: {
+      sandbox: {
+        mode: "non-main", // off | non-main | all
+        backend: "docker", // docker | ssh | openshell
+        scope: "agent", // session | agent | shared
+        workspaceAccess: "none", // none | ro | rw
+        workspaceRoot: "~/.openclaw/sandboxes",
+        docker: {
+          image: "openclaw-sandbox:bookworm-slim",
+          containerPrefix: "openclaw-sbx-",
+          workdir: "/workspace",
+          readOnlyRoot: true,
+          tmpfs: ["/tmp", "/var/tmp", "/run"],
+          network: "none",
+          user: "1000:1000",
+          capDrop: ["ALL"],
+          env: { LANG: "C.UTF-8" },
+          setupCommand: "apt-get update && apt-get install -y git curl jq",
+          pidsLimit: 256,
+          memory: "1g",
+          memorySwap: "2g",
+          cpus: 1,
+          ulimits: {
+            nofile: { soft: 1024, hard: 2048 },
+            nproc: 256,
+          },
+          seccompProfile: "/path/to/seccomp.json",
+          apparmorProfile: "openclaw-sandbox",
+          dns: ["1.1.1.1", "8.8.8.8"],
+          extraHosts: ["internal.service:10.0.0.5"],
+          binds: ["/home/user/source:/source:rw"],
+        },
+        ssh: {
+          target: "user@gateway-host:22",
+          command: "ssh",
+          workspaceRoot: "/tmp/openclaw-sandboxes",
+          strictHostKeyChecking: true,
+          updateHostKeys: true,
+          identityFile: "~/.ssh/id_ed25519",
+          certificateFile: "~/.ssh/id_ed25519-cert.pub",
+          knownHostsFile: "~/.ssh/known_hosts",
+          // 也支持 SecretRef / 内联内容：
+          // identityData: { source: "env", provider: "default", id: "SSH_IDENTITY" },
+          // certificateData: { source: "env", provider: "default", id: "SSH_CERTIFICATE" },
+          // knownHostsData: { source: "env", provider: "default", id: "SSH_KNOWN_HOSTS" },
+        },
+        browser: {
+          enabled: false,
+          image: "openclaw-sandbox-browser:bookworm-slim",
+          network: "openclaw-sandbox-browser",
+          cdpPort: 9222,
+          cdpSourceRange: "172.21.0.1/32",
+          vncPort: 5900,
+          noVncPort: 6080,
+          headless: false,
+          enableNoVnc: true,
+          allowHostControl: false,
+          autoStart: true,
+          autoStartTimeoutMs: 12000,
+        },
+        prune: {
+          idleHours: 24,
+          maxAgeDays: 7,
+        },
+      },
+    },
+  },
+  tools: {
+    sandbox: {
+      tools: {
+        allow: [
+          "exec",
+          "process",
+          "read",
+          "write",
+          "edit",
+          "apply_patch",
+          "sessions_list",
+          "sessions_history",
+          "sessions_send",
+          "sessions_spawn",
+          "session_status",
+        ],
+        deny: ["browser", "canvas", "nodes", "cron", "discord", "gateway"],
+      },
+    },
+  },
+}
+```
+
+<Accordion title="沙箱详情">
+
+**后端：**
+
+- `docker`：本地 Docker 运行时（默认）
+- `ssh`：通用的 SSH 远程运行时
+- `openshell`：OpenShell 运行时
+
+选择 `backend: "openshell"` 时，运行时特定设置会移动到
+`plugins.entries.openshell.config`。
+
+**SSH 后端配置：**
+
+- `target`：`user@host[:port]` 形式的 SSH 目标
+- `command`：SSH 客户端命令（默认：`ssh`）
+- `workspaceRoot`：按作用域工作区使用的远程绝对根目录
+- `identityFile` / `certificateFile` / `knownHostsFile`：传递给 OpenSSH 的现有本地文件
+- `identityData` / `certificateData` / `knownHostsData`：内联内容或 SecretRef，OpenClaw 会在运行时将其物化为临时文件
+- `strictHostKeyChecking` / `updateHostKeys`：OpenSSH 主机密钥策略开关
+
+**SSH 认证优先级：**
+
+- `identityData` 优先于 `identityFile`
+- `certificateData` 优先于 `certificateFile`
+- `knownHostsData` 优先于 `knownHostsFile`
+- 由 SecretRef 支持的 `*Data` 值会在沙箱会话启动前，从活动 secrets 运行时快照中解析
+
+**SSH 后端行为：**
+
+- 在创建或重建后，对远程工作区进行一次种子初始化
+- 之后保持远程 SSH 工作区为规范副本
+- 通过 SSH 路由 `exec`、文件工具和媒体路径
+- 不会自动将远程更改同步回主机
+- 不支持沙箱浏览器容器
+
+**工作区访问：**
+
+- `none`：位于 `~/.openclaw/sandboxes` 下的按作用域划分的沙箱工作区
+- `ro`：沙箱工作区位于 `/workspace`，智能体工作区以只读方式挂载到 `/agent`
+- `rw`：智能体工作区以读写方式挂载到 `/workspace`
+
+**作用域：**
+
+- `session`：每个会话一个容器 + 工作区
+- `agent`：每个智能体一个容器 + 工作区（默认）
+- `shared`：共享容器和工作区（无跨会话隔离）
+
+**OpenShell 插件配置：**
+
+```json5
+{
+  plugins: {
+    entries: {
+      openshell: {
+        enabled: true,
+        config: {
+          mode: "mirror", // mirror | remote
+          from: "openclaw",
+          remoteWorkspaceDir: "/sandbox",
+          remoteAgentWorkspaceDir: "/agent",
+          gateway: "lab", // 可选
+          gatewayEndpoint: "https://lab.example", // 可选
+          policy: "strict", // 可选的 OpenShell policy id
+          providers: ["openai"], // 可选
+          autoProviders: true,
+          timeoutSeconds: 120,
+        },
+      },
+    },
+  },
+}
+```
+
+**OpenShell 模式：**
+
+- `mirror`：执行前从本地为远程植入种子，执行后同步回本地；本地工作区保持为规范副本
+- `remote`：在创建沙箱时只为远程植入一次种子，之后保持远程工作区为规范副本
+
+在 `remote` 模式下，在 OpenClaw 外部对主机本地所做的编辑，不会在种子步骤后自动同步进沙箱。
+传输层是通过 SSH 进入 OpenShell 沙箱，但插件拥有沙箱生命周期以及可选的镜像同步。
+
+**`setupCommand`** 会在容器创建后运行一次（通过 `sh -lc`）。需要网络出口、可写根文件系统以及 root 用户。
+
+**容器默认使用 `network: "none"`** ——如果智能体需要出站访问，请设为 `"bridge"`（或自定义 bridge 网络）。
+默认会阻止 `"host"`。除非你显式设置
+`sandbox.docker.dangerouslyAllowContainerNamespaceJoin: true`（紧急模式），否则默认也会阻止 `"container:<id>"`。
+
+**入站附件** 会暂存到活动工作区中的 `media/inbound/*`。
+
+**`docker.binds`** 会挂载额外的主机目录；全局和按智能体的 binds 会合并。
+
+**沙箱浏览器**（`sandbox.browser.enabled`）：容器中的 Chromium + CDP。noVNC URL 会注入系统提示中。不要求在 `openclaw.json` 中启用 `browser.enabled`。
+noVNC 观察者访问默认使用 VNC 身份验证，OpenClaw 会发出一个短期有效的 token URL（而不是在共享 URL 中暴露密码）。
+
+- `allowHostControl: false`（默认）会阻止沙箱会话指向主机浏览器。
+- `network` 默认为 `openclaw-sandbox-browser`（专用 bridge 网络）。仅当你明确需要全局 bridge 连接时，才设为 `bridge`。
+- `cdpSourceRange` 可选地将容器边缘的 CDP 入站限制为某个 CIDR 范围（例如 `172.21.0.1/32`）。
+- `sandbox.browser.binds` 仅将额外主机目录挂载到沙箱浏览器容器中。设置后（包括 `[]`），它会替换浏览器容器的 `docker.binds`。
+- 启动默认值定义于 `scripts/sandbox-browser-entrypoint.sh` 中，并针对容器主机进行了调优：
+  - `--remote-debugging-address=127.0.0.1`
+  - `--remote-debugging-port=<derived from OPENCLAW_BROWSER_CDP_PORT>`
+  - `--user-data-dir=${HOME}/.chrome`
+  - `--no-first-run`
+  - `--no-default-browser-check`
+  - `--disable-3d-apis`
+  - `--disable-gpu`
+  - `--disable-software-rasterizer`
+  - `--disable-dev-shm-usage`
+  - `--disable-background-networking`
+  - `--disable-features=TranslateUI`
+  - `--disable-breakpad`
+  - `--disable-crash-reporter`
+  - `--renderer-process-limit=2`
+  - `--no-zygote`
+  - `--metrics-recording-only`
+  - `--disable-extensions`（默认启用）
+  - `--disable-3d-apis`、`--disable-software-rasterizer` 和 `--disable-gpu`
+    默认启用，如果 WebGL/3D 使用场景需要，可通过
+    `OPENCLAW_BROWSER_DISABLE_GRAPHICS_FLAGS=0` 禁用这些标志。
+  - `OPENCLAW_BROWSER_DISABLE_EXTENSIONS=0` 会重新启用扩展，如果你的工作流
+    依赖它们。
+  - `--renderer-process-limit=2` 可通过
+    `OPENCLAW_BROWSER_RENDERER_PROCESS_LIMIT=<N>` 更改；设为 `0` 将使用 Chromium 的
+    默认进程上限。
+  - 若启用了 `noSandbox`，还会额外加上 `--no-sandbox` 和 `--disable-setuid-sandbox`。
+  - 默认值是容器镜像的基线；若要更改容器默认值，请使用自定义浏览器镜像及自定义
+    entrypoint。
+
+</Accordion>
+
+浏览器沙箱隔离和 `sandbox.docker.binds` 当前仅支持 Docker。
+
+构建镜像：
+
+```bash
+scripts/sandbox-setup.sh           # 主沙箱镜像
+scripts/sandbox-browser-setup.sh   # 可选的浏览器镜像
+```
+
+### `agents.list`（按智能体覆盖）
+
+```json5
+{
+  agents: {
+    list: [
+      {
+        id: "main",
+        default: true,
+        name: "Main Agent",
+        workspace: "~/.openclaw/workspace",
+        agentDir: "~/.openclaw/agents/main/agent",
+        model: "anthropic/claude-opus-4-6", // 或 { primary, fallbacks }
+        params: { cacheRetention: "none" }, // 按键覆盖匹配的 defaults.models params
+        identity: {
+          name: "Samantha",
+          theme: "helpful sloth",
+          emoji: "🦥",
+          avatar: "avatars/samantha.png",
+        },
+        groupChat: { mentionPatterns: ["@openclaw"] },
+        sandbox: { mode: "off" },
+        runtime: {
+          type: "acp",
+          acp: {
+            agent: "codex",
+            backend: "acpx",
+            mode: "persistent",
+            cwd: "/workspace/openclaw",
+          },
+        },
+        subagents: { allowAgents: ["*"] },
+        tools: {
+          profile: "coding",
+          allow: ["browser"],
+          deny: ["canvas"],
+          elevated: { enabled: true },
+        },
+      },
+    ],
+  },
+}
+```
+
+- `id`：稳定的智能体 ID（必填）。
+- `default`：若设置了多个，则第一个生效（会记录警告）。若一个都未设，则列表第一项为默认。
+- `model`：字符串形式只覆盖 `primary`；对象形式 `{ primary, fallbacks }` 同时覆盖两者（`[]` 会禁用全局故障切换）。仅覆盖 `primary` 的 Cron 作业仍会继承默认故障切换，除非你设置 `fallbacks: []`。
+- `params`：按智能体的流参数，会合并到 `agents.defaults.models` 中所选模型条目之上。用于为智能体添加特定覆盖，例如 `cacheRetention`、`temperature` 或 `maxTokens`，而无需复制整个模型目录。
+- `runtime`：可选的按智能体运行时描述符。当智能体应默认使用 ACP harness 会话时，可使用 `type: "acp"`，并在 `runtime.acp` 中设置默认值（`agent`、`backend`、`mode`、`cwd`）。
+- `identity.avatar`：工作区相对路径、`http(s)` URL 或 `data:` URI。
+- `identity` 会派生默认值：从 `emoji` 派生 `ackReaction`，从 `name`/`emoji` 派生 `mentionPatterns`。
+- `subagents.allowAgents`：`sessions_spawn` 的智能体 ID allowlist（`["*"]` = 任意；默认：仅同一智能体）。
+- 沙箱继承保护：若请求方会话处于沙箱中，`sessions_spawn` 会拒绝那些将以非沙箱方式运行的目标。
+
+---
+
+## 多智能体路由
+
+在一个 Gateway 网关中运行多个隔离的智能体。见 [Multi-Agent](/concepts/multi-agent)。
+
+```json5
+{
+  agents: {
+    list: [
+      { id: "home", default: true, workspace: "~/.openclaw/workspace-home" },
+      { id: "work", workspace: "~/.openclaw/workspace-work" },
+    ],
+  },
+  bindings: [
+    { agentId: "home", match: { channel: "whatsapp", accountId: "personal" } },
+    { agentId: "work", match: { channel: "whatsapp", accountId: "biz" } },
+  ],
+}
+```
+
+### 绑定匹配字段
+
+- `type`（可选）：普通路由使用 `route`（缺失时默认为 route），持久化 ACP 对话绑定使用 `acp`。
+- `match.channel`（必填）
+- `match.accountId`（可选；`*` = 任意账户；省略 = 默认账户）
+- `match.peer`（可选；`{ kind: direct|group|channel, id }`）
+- `match.guildId` / `match.teamId`（可选；渠道特定）
+- `acp`（可选；仅用于 `type: "acp"`）：`{ mode, label, cwd, backend }`
+
+**确定性匹配顺序：**
+
+1. `match.peer`
+2. `match.guildId`
+3. `match.teamId`
+4. `match.accountId`（精确匹配，无 peer/guild/team）
+5. `match.accountId: "*"`（全渠道）
+6. 默认智能体
+
+在每一层内，第一个匹配的 `bindings` 条目胜出。
+
+对于 `type: "acp"` 条目，OpenClaw 会按精确对话身份（`match.channel` + account + `match.peer.id`）解析，不使用上述 route 绑定层级顺序。
+
+### 按智能体的访问配置
+
+<Accordion title="完全访问（无沙箱）">
+
+```json5
+{
+  agents: {
+    list: [
+      {
+        id: "personal",
+        workspace: "~/.openclaw/workspace-personal",
+        sandbox: { mode: "off" },
+      },
+    ],
+  },
+}
+```
+
+</Accordion>
+
+<Accordion title="只读工具 + 工作区">
+
+```json5
+{
+  agents: {
+    list: [
+      {
+        id: "family",
+        workspace: "~/.openclaw/workspace-family",
+        sandbox: { mode: "all", scope: "agent", workspaceAccess: "ro" },
+        tools: {
+          allow: [
+            "read",
+            "sessions_list",
+            "sessions_history",
+            "sessions_send",
+            "sessions_spawn",
+            "session_status",
+          ],
+          deny: ["write", "edit", "apply_patch", "exec", "process", "browser"],
+        },
+      },
+    ],
+  },
+}
+```
+
+</Accordion>
+
+<Accordion title="无文件系统访问（仅消息）">
+
+```json5
+{
+  agents: {
+    list: [
+      {
+        id: "public",
+        workspace: "~/.openclaw/workspace-public",
+        sandbox: { mode: "all", scope: "agent", workspaceAccess: "none" },
+        tools: {
+          allow: [
+            "sessions_list",
+            "sessions_history",
+            "sessions_send",
+            "sessions_spawn",
+            "session_status",
+            "whatsapp",
+            "telegram",
+            "slack",
+            "discord",
+            "gateway",
+          ],
+          deny: [
+            "read",
+            "write",
+            "edit",
+            "apply_patch",
+            "exec",
+            "process",
+            "browser",
+            "canvas",
+            "nodes",
+            "cron",
+            "gateway",
+            "image",
+          ],
+        },
+      },
+    ],
+  },
+}
+```
+
+</Accordion>
+
+优先级细节见 [Multi-Agent Sandbox & Tools](/tools/multi-agent-sandbox-tools)。
+
+---
+
+## 会话
+
+```json5
+{
+  session: {
+    scope: "per-sender",
+    dmScope: "main", // main | per-peer | per-channel-peer | per-account-channel-peer
+    identityLinks: {
+      alice: ["telegram:123456789", "discord:987654321012345678"],
+    },
+    reset: {
+      mode: "daily", // daily | idle
+      atHour: 4,
+      idleMinutes: 60,
+    },
+    resetByType: {
+      thread: { mode: "daily", atHour: 4 },
+      direct: { mode: "idle", idleMinutes: 240 },
+      group: { mode: "idle", idleMinutes: 120 },
+    },
+    resetTriggers: ["/new", "/reset"],
+    store: "~/.openclaw/agents/{agentId}/sessions/sessions.json",
+    parentForkMaxTokens: 100000, // 超过此 token 数则跳过父线程 fork（0 表示禁用）
+    maintenance: {
+      mode: "warn", // warn | enforce
+      pruneAfter: "30d",
+      maxEntries: 500,
+      rotateBytes: "10mb",
+      resetArchiveRetention: "30d", // 时长或 false
+      maxDiskBytes: "500mb", // 可选硬预算
+      highWaterBytes: "400mb", // 可选清理目标
+    },
+    threadBindings: {
+      enabled: true,
+      idleHours: 24, // 默认不活动自动取消聚焦时长（小时，`0` 表示禁用）
+      maxAgeHours: 0, // 默认硬性最大年龄（小时，`0` 表示禁用）
+    },
+    mainKey: "main", // 旧字段（运行时始终使用 "main"）
+    agentToAgent: { maxPingPongTurns: 5 },
+    sendPolicy: {
+      rules: [{ action: "deny", match: { channel: "discord", chatType: "group" } }],
+      default: "allow",
+    },
+  },
+}
+```
+
+<Accordion title="会话字段详情">
+
+- **`dmScope`**：私信如何分组。
+  - `main`：所有私信共享主会话。
+  - `per-peer`：按发送者 ID 跨渠道隔离。
+  - `per-channel-peer`：按渠道 + 发送者隔离（推荐用于多用户收件箱）。
+  - `per-account-channel-peer`：按账户 + 渠道 + 发送者隔离（推荐用于多账户）。
+- **`identityLinks`**：将规范 ID 映射到带提供商前缀的 peer，用于跨渠道共享会话。
+- **`reset`**：主重置策略。`daily` 会在本地时间 `atHour` 重置；`idle` 会在 `idleMinutes` 后重置。如果两者都配置，谁先到期谁生效。
+- **`resetByType`**：按类型覆盖（`direct`、`group`、`thread`）。旧版 `dm` 仍接受为 `direct` 的别名。
+- **`parentForkMaxTokens`**：创建分叉线程会话时，父会话允许的最大 `totalTokens`（默认 `100000`）。
+  - 如果父会话 `totalTokens` 高于该值，OpenClaw 会启动一个新的线程会话，而不是继承父会话的记录历史。
+  - 设为 `0` 可禁用此保护，并始终允许父会话分叉。
+- **`mainKey`**：旧字段。运行时现在始终为主直聊桶使用 `"main"`。
+- **`sendPolicy`**：可按 `channel`、`chatType`（`direct|group|channel`，旧版 `dm` 仍为别名）、`keyPrefix` 或 `rawKeyPrefix` 匹配。第一个 deny 生效。
+- **`maintenance`**：会话存储清理 + 保留控制。
+  - `mode`：`warn` 仅发出警告；`enforce` 应用清理。
+  - `pruneAfter`：过期条目的年龄阈值（默认 `30d`）。
+  - `maxEntries`：`sessions.json` 中的最大条目数（默认 `500`）。
+  - `rotateBytes`：当 `sessions.json` 超过此大小时轮转（默认 `10mb`）。
+  - `resetArchiveRetention`：`*.reset.<timestamp>` 会话记录归档的保留期限。默认跟随 `pruneAfter`；设为 `false` 可禁用。
+  - `maxDiskBytes`：可选的会话目录磁盘预算。在 `warn` 模式下会记录警告；在 `enforce` 模式下会优先删除最旧的工件/会话。
+  - `highWaterBytes`：预算清理后的可选目标值。默认是 `maxDiskBytes` 的 `80%`。
+- **`threadBindings`**：线程绑定会话功能的全局默认值。
+  - `enabled`：主默认开关（提供商可覆盖；Discord 使用 `channels.discord.threadBindings.enabled`）
+  - `idleHours`：默认不活动自动取消聚焦时长（小时，`0` 表示禁用；提供商可覆盖）
+  - `maxAgeHours`：默认硬性最大年龄（小时，`0` 表示禁用；提供商可覆盖）
+
+</Accordion>
+
+---
+
+## 消息
+
+```json5
+{
+  messages: {
+    responsePrefix: "🦞", // 或 "auto"
+    ackReaction: "👀",
+    ackReactionScope: "group-mentions", // group-mentions | group-all | direct | all
+    removeAckAfterReply: false,
+    queue: {
+      mode: "collect", // steer | followup | collect | steer-backlog | steer+backlog | queue | interrupt
+      debounceMs: 1000,
+      cap: 20,
+      drop: "summarize", // old | new | summarize
+      byChannel: {
+        whatsapp: "collect",
+        telegram: "collect",
+      },
+    },
+    inbound: {
+      debounceMs: 2000, // 0 表示禁用
+      byChannel: {
+        whatsapp: 5000,
+        slack: 1500,
+      },
+    },
+  },
+}
+```
+
+### 回复前缀
+
+按渠道/按账户覆盖：`channels.<channel>.responsePrefix`、`channels.<channel>.accounts.<id>.responsePrefix`。
+
+解析顺序（最具体者优先）：账户 → 渠道 → 全局。`""` 会禁用并停止级联。`"auto"` 会派生为 `[{identity.name}]`。
+
+**模板变量：**
+
+| Variable          | Description        | Example                     |
+| ----------------- | ------------------ | --------------------------- |
+| `{model}`         | 短模型名           | `claude-opus-4-6`           |
+| `{modelFull}`     | 完整模型标识符     | `anthropic/claude-opus-4-6` |
+| `{provider}`      | 提供商名称         | `anthropic`                 |
+| `{thinkingLevel}` | 当前 thinking 级别 | `high`、`low`、`off`        |
+| `{identity.name}` | 智能体身份名称     | （与 `"auto"` 相同）        |
+
+变量不区分大小写。`{think}` 是 `{thinkingLevel}` 的别名。
+
+### 确认反应
+
+- 默认取活动智能体的 `identity.emoji`，否则为 `"👀"`。设为 `""` 可禁用。
+- 按渠道覆盖：`channels.<channel>.ackReaction`、`channels.<channel>.accounts.<id>.ackReaction`。
+- 解析顺序：账户 → 渠道 → `messages.ackReaction` → identity 回退。
+- 作用域：`group-mentions`（默认）、`group-all`、`direct`、`all`。
+- `removeAckAfterReply`：回复后移除确认反应（仅 Slack/Discord/Telegram/Google Chat）。
+
+### 入站防抖
+
+将同一发送者快速连续发送的纯文本消息合并为一次智能体轮次。媒体/附件会立即冲刷。控制命令会绕过防抖。
+
+### TTS（文本转语音）
+
+```json5
+{
+  messages: {
+    tts: {
+      auto: "always", // off | always | inbound | tagged
+      mode: "final", // final | all
+      provider: "elevenlabs",
+      summaryModel: "openai/gpt-4.1-mini",
+      modelOverrides: { enabled: true },
+      maxTextLength: 4000,
+      timeoutMs: 30000,
+      prefsPath: "~/.openclaw/settings/tts.json",
+      elevenlabs: {
+        apiKey: "elevenlabs_api_key",
+        baseUrl: "https://api.elevenlabs.io",
+        voiceId: "voice_id",
+        modelId: "eleven_multilingual_v2",
+        seed: 42,
+        applyTextNormalization: "auto",
+        languageCode: "en",
+        voiceSettings: {
+          stability: 0.5,
+          similarityBoost: 0.75,
+          style: 0.0,
+          useSpeakerBoost: true,
+          speed: 1.0,
+        },
+      },
+      openai: {
+        apiKey: "openai_api_key",
+        baseUrl: "https://api.openai.com/v1",
+        model: "gpt-4o-mini-tts",
+        voice: "alloy",
+      },
+    },
+  },
+}
+```
+
+- `auto` 控制自动 TTS。`/tts off|always|inbound|tagged` 可按会话覆盖。
+- `summaryModel` 会覆盖 `agents.defaults.model.primary` 用于自动摘要。
+- `modelOverrides` 默认启用；`modelOverrides.allowProvider` 默认是 `false`（需显式选择启用）。
+- API 密钥回退到 `ELEVENLABS_API_KEY`/`XI_API_KEY` 和 `OPENAI_API_KEY`。
+- `openai.baseUrl` 会覆盖 OpenAI TTS 端点。解析顺序是配置、然后 `OPENAI_TTS_BASE_URL`、再然后 `https://api.openai.com/v1`。
+- 当 `openai.baseUrl` 指向非 OpenAI 端点时，OpenClaw 会将其视为兼容 OpenAI 的 TTS 服务器，并放宽模型/语音校验。
+
+---
+
+## Talk
+
+Talk 模式的默认值（macOS/iOS/Android）。
+
+```json5
+{
+  talk: {
+    voiceId: "elevenlabs_voice_id",
+    voiceAliases: {
+      Clawd: "EXAVITQu4vr4xnSDxMaL",
+      Roger: "CwhRBWXzGAHq8TQ4Fs17",
+    },
+    modelId: "eleven_v3",
+    outputFormat: "mp3_44100_128",
+    apiKey: "elevenlabs_api_key",
+    silenceTimeoutMs: 1500,
+    interruptOnSpeech: true,
+  },
+}
+```
+
+- 语音 ID 会回退到 `ELEVENLABS_VOICE_ID` 或 `SAG_VOICE_ID`。
+- `apiKey` 和 `providers.*.apiKey` 接受明文字符串或 SecretRef 对象。
+- 仅在未配置 Talk API key 时，才会回退到 `ELEVENLABS_API_KEY`。
+- `voiceAliases` 让 Talk 指令可以使用友好的名称。
+- `silenceTimeoutMs` 控制 Talk 模式在用户停止说话后等待多久才发送转录。未设置时使用平台默认暂停窗口（`macOS 和 Android 上为 700 ms，iOS 上为 900 ms`）。
+
+---
+
+## 工具
+
+### 工具配置文件
+
+`tools.profile` 会在 `tools.allow`/`tools.deny` 之前设置基础 allowlist：
+
+本地新手引导会在未设置时，把新的本地配置默认设为 `tools.profile: "coding"`（现有显式配置文件会保留）。
+
+| Profile     | Includes                                                                                  |
+| ----------- | ----------------------------------------------------------------------------------------- |
+| `minimal`   | 仅 `session_status`                                                                       |
+| `coding`    | `group:fs`、`group:runtime`、`group:sessions`、`group:memory`、`image`                    |
+| `messaging` | `group:messaging`、`sessions_list`、`sessions_history`、`sessions_send`、`session_status` |
+| `full`      | 不限制（等同于未设置）                                                                    |
+
+### 工具组
+
+| Group              | Tools                                                                                    |
+| ------------------ | ---------------------------------------------------------------------------------------- |
+| `group:runtime`    | `exec`、`process`（`bash` 可作为 `exec` 的别名）                                         |
+| `group:fs`         | `read`、`write`、`edit`、`apply_patch`                                                   |
+| `group:sessions`   | `sessions_list`、`sessions_history`、`sessions_send`、`sessions_spawn`、`session_status` |
+| `group:memory`     | `memory_search`、`memory_get`                                                            |
+| `group:web`        | `web_search`、`web_fetch`                                                                |
+| `group:ui`         | `browser`、`canvas`                                                                      |
+| `group:automation` | `cron`、`gateway`                                                                        |
+| `group:messaging`  | `message`                                                                                |
+| `group:nodes`      | `nodes`                                                                                  |
+| `group:openclaw`   | 所有内置工具（不含提供商插件）                                                           |
+
+### `tools.allow` / `tools.deny`
+
+全局工具 allow/deny 策略（deny 优先）。不区分大小写，支持 `*` 通配符。即使 Docker 沙箱关闭，也会应用。
+
+```json5
+{
+  tools: { deny: ["browser", "canvas"] },
+}
+```
+
+### `tools.byProvider`
+
+进一步限制特定提供商或模型的工具。顺序：基础配置文件 → 提供商配置文件 → allow/deny。
+
+```json5
+{
+  tools: {
+    profile: "coding",
+    byProvider: {
+      "google-antigravity": { profile: "minimal" },
+      "openai/gpt-5.2": { allow: ["group:fs", "sessions_list"] },
+    },
+  },
+}
+```
+
+### `tools.elevated`
+
+控制提升权限（主机）`exec` 访问：
+
+```json5
+{
+  tools: {
+    elevated: {
+      enabled: true,
+      allowFrom: {
+        whatsapp: ["+15555550123"],
+        discord: ["1234567890123", "987654321098765432"],
+      },
+    },
+  },
+}
+```
+
+- 按智能体覆盖（`agents.list[].tools.elevated`）只能进一步收紧限制。
+- `/elevated on|off|ask|full` 会按会话保存状态；内联指令仅作用于单条消息。
+- 提升权限的 `exec` 会在主机上运行，并绕过沙箱隔离。
+
+### `tools.exec`
+
+```json5
+{
+  tools: {
+    exec: {
+      backgroundMs: 10000,
+      timeoutSec: 1800,
+      cleanupMs: 1800000,
+      notifyOnExit: true,
+      notifyOnExitEmptySuccess: false,
+      applyPatch: {
+        enabled: false,
+        allowModels: ["gpt-5.2"],
+      },
+    },
+  },
+}
+```
+
+### `tools.loopDetection`
+
+工具循环安全检查**默认禁用**。设置 `enabled: true` 可启用检测。
+可在全局 `tools.loopDetection` 中定义设置，并在 `agents.list[].tools.loopDetection` 中按智能体覆盖。
+
+```json5
+{
+  tools: {
+    loopDetection: {
+      enabled: true,
+      historySize: 30,
+      warningThreshold: 10,
+      criticalThreshold: 20,
+      globalCircuitBreakerThreshold: 30,
+      detectors: {
+        genericRepeat: true,
+        knownPollNoProgress: true,
+        pingPong: true,
+      },
+    },
+  },
+}
+```
+
+- `historySize`：为循环分析保留的最大工具调用历史。
+- `warningThreshold`：用于发出警告的重复无进展模式阈值。
+- `criticalThreshold`：用于阻止严重循环的更高重复阈值。
+- `globalCircuitBreakerThreshold`：对任何无进展运行的硬性停止阈值。
+- `detectors.genericRepeat`：对重复的相同工具/相同参数调用发出警告。
+- `detectors.knownPollNoProgress`：对已知轮询工具（`process.poll`、`command_status` 等）的无进展情况发出警告/阻止。
+- `detectors.pingPong`：对交替出现的无进展成对模式发出警告/阻止。
+- 如果 `warningThreshold >= criticalThreshold` 或 `criticalThreshold >= globalCircuitBreakerThreshold`，校验会失败。
+
+### `tools.web`
+
+```json5
+{
+  tools: {
+    web: {
+      search: {
+        enabled: true,
+        apiKey: "brave_api_key", // 或 BRAVE_API_KEY 环境变量
+        maxResults: 5,
+        timeoutSeconds: 30,
+        cacheTtlMinutes: 15,
+      },
+      fetch: {
+        enabled: true,
+        maxChars: 50000,
+        maxCharsCap: 50000,
+        timeoutSeconds: 30,
+        cacheTtlMinutes: 15,
+        userAgent: "custom-ua",
+      },
+    },
+  },
+}
+```
+
+### `tools.media`
+
+配置入站媒体理解（图像/音频/视频）：
+
+```json5
+{
+  tools: {
+    media: {
+      concurrency: 2,
+      audio: {
+        enabled: true,
+        maxBytes: 20971520,
+        scope: {
+          default: "deny",
+          rules: [{ action: "allow", match: { chatType: "direct" } }],
+        },
+        models: [
+          { provider: "openai", model: "gpt-4o-mini-transcribe" },
+          { type: "cli", command: "whisper", args: ["--model", "base", "{{MediaPath}}"] },
+        ],
+      },
+      video: {
+        enabled: true,
+        maxBytes: 52428800,
+        models: [{ provider: "google", model: "gemini-3-flash-preview" }],
+      },
+    },
+  },
+}
+```
+
+<Accordion title="媒体模型条目字段">
+
+**提供商条目**（`type: "provider"` 或省略）：
+
+- `provider`：API 提供商 ID（`openai`、`anthropic`、`google`/`gemini`、`groq` 等）
+- `model`：模型 ID 覆盖
+- `profile` / `preferredProfile`：`auth-profiles.json` 配置文件选择
+
+**CLI 条目**（`type: "cli"`）：
+
+- `command`：要运行的可执行文件
+- `args`：模板化参数（支持 `{{MediaPath}}`、`{{Prompt}}`、`{{MaxChars}}` 等）
+
+**通用字段：**
+
+- `capabilities`：可选列表（`image`、`audio`、`video`）。默认值：`openai`/`anthropic`/`minimax` → 图像，`google` → 图像+音频+视频，`groq` → 音频。
+- `prompt`、`maxChars`、`maxBytes`、`timeoutSeconds`、`language`：按条目覆盖。
+- 失败时会回退到下一个条目。
+
+提供商认证遵循标准顺序：`auth-profiles.json` → 环境变量 → `models.providers.*.apiKey`。
+
+</Accordion>
+
+### `tools.agentToAgent`
+
+```json5
+{
+  tools: {
+    agentToAgent: {
+      enabled: false,
+      allow: ["home", "work"],
+    },
+  },
+}
+```
+
+### `tools.sessions`
+
+控制会话工具（`sessions_list`、`sessions_history`、`sessions_send`）可以定位哪些会话。
+
+默认值：`tree`（当前会话 + 由其派生的会话，例如子智能体）。
+
+```json5
+{
+  tools: {
+    sessions: {
+      // "self" | "tree" | "agent" | "all"
+      visibility: "tree",
+    },
+  },
+}
+```
+
+说明：
+
+- `self`：仅当前会话键。
+- `tree`：当前会话 + 由当前会话派生的会话（子智能体）。
+- `agent`：属于当前智能体 ID 的任意会话（如果你在相同智能体 ID 下运行按发送者划分的会话，可能包含其他用户）。
+- `all`：任意会话。跨智能体定位仍需要 `tools.agentToAgent`。
+- 沙箱钳制：当当前会话处于沙箱中且 `agents.defaults.sandbox.sessionToolsVisibility="spawned"` 时，即使 `tools.sessions.visibility="all"`，可见性也会被强制为 `tree`。
+
+### `tools.sessions_spawn`
+
+控制 `sessions_spawn` 的内联附件支持。
+
+```json5
+{
+  tools: {
+    sessions_spawn: {
+      attachments: {
+        enabled: false, // 选择性启用：设为 true 以允许内联文件附件
+        maxTotalBytes: 5242880, // 所有文件合计 5 MB
+        maxFiles: 50,
+        maxFileBytes: 1048576, // 每个文件 1 MB
+        retainOnSessionKeep: false, // 当 cleanup="keep" 时保留附件
+      },
+    },
+  },
+}
+```
+
+说明：
+
+- 仅 `runtime: "subagent"` 支持附件。ACP 运行时会拒绝它们。
+- 文件会被物化到子工作区中的 `.openclaw/attachments/<uuid>/`，并附带一个 `.manifest.json`。
+- 附件内容会自动从会话记录持久化中脱敏。
+- Base64 输入会通过严格的字母表/填充检查和解码前大小保护进行校验。
+- 文件权限为目录 `0700`、文件 `0600`。
+- 清理遵循 `cleanup` 策略：`delete` 总会删除附件；`keep` 仅在 `retainOnSessionKeep: true` 时保留。
+
+### `tools.subagents`
+
+```json5
+{
+  agents: {
+    defaults: {
+      subagents: {
+        model: "minimax/MiniMax-M2.5",
+        maxConcurrent: 1,
+        runTimeoutSeconds: 900,
+        archiveAfterMinutes: 60,
+      },
+    },
+  },
+}
+```
+
+- `model`：派生子智能体的默认模型。如果省略，子智能体会继承调用方的模型。
+- `runTimeoutSeconds`：当工具调用省略 `runTimeoutSeconds` 时，`sessions_spawn` 使用的默认超时（秒）。`0` 表示无超时。
+- 每个子智能体的工具策略：`tools.subagents.tools.allow` / `tools.subagents.tools.deny`。
+
+---
+
+## 自定义提供商和 base URL
+
+OpenClaw 使用 pi-coding-agent 模型目录。可通过配置中的 `models.providers` 或 `~/.openclaw/agents/<agentId>/agent/models.json` 添加自定义提供商。
+
+```json5
+{
+  models: {
+    mode: "merge", // merge（默认）| replace
+    providers: {
+      "custom-proxy": {
+        baseUrl: "http://localhost:4000/v1",
+        apiKey: "LITELLM_KEY",
+        api: "openai-completions", // openai-completions | openai-responses | anthropic-messages | google-generative-ai
+        models: [
+          {
+            id: "llama-3.1-8b",
+            name: "Llama 3.1 8B",
+            reasoning: false,
+            input: ["text"],
+            cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
+            contextWindow: 128000,
+            maxTokens: 32000,
+          },
+        ],
+      },
+    },
+  },
+}
+```
+
+- 对自定义认证需求可使用 `authHeader: true` + `headers`。
+- 使用 `OPENCLAW_AGENT_DIR`（或 `PI_CODING_AGENT_DIR`）覆盖智能体配置根目录。
+- 对匹配的 provider ID，合并优先级如下：
+  - 非空的智能体 `models.json` `baseUrl` 优先。
+  - 非空的智能体 `apiKey` 仅在该提供商未由当前配置/auth-profile 上下文中的 SecretRef 管理时优先。
+  - 由 SecretRef 管理的提供商 `apiKey` 会从源标记（环境变量引用为 `ENV_VAR_NAME`，file/exec 引用为 `secretref-managed`）刷新，而不是持久化已解析的密钥。
+  - 由 SecretRef 管理的提供商 header 值会从源标记刷新（环境变量引用为 `secretref-env:ENV_VAR_NAME`，file/exec 引用为 `secretref-managed`）。
+  - 为空或缺失的智能体 `apiKey`/`baseUrl` 会回退到配置中的 `models.providers`。
+  - 匹配模型的 `contextWindow`/`maxTokens` 会在显式配置值与隐式目录值之间取较大者。
+  - 当你希望配置完全重写 `models.json` 时，请使用 `models.mode: "replace"`。
+  - 标记持久化以源为准：写入的标记来自活动源配置快照（解析前），而不是解析后的运行时密钥值。
+
+### 提供商字段详情
+
+- `models.mode`：提供商目录行为（`merge` 或 `replace`）。
+- `models.providers`：以提供商 ID 为键的自定义提供商映射。
+- `models.providers.*.api`：请求适配器（`openai-completions`、`openai-responses`、`anthropic-messages`、`google-generative-ai` 等）。
+- `models.providers.*.apiKey`：提供商凭证（优先使用 SecretRef/环境变量替换）。
+- `models.providers.*.auth`：认证策略（`api-key`、`token`、`oauth`、`aws-sdk`）。
+- `models.providers.*.injectNumCtxForOpenAICompat`：对 Ollama + `openai-completions`，将 `options.num_ctx` 注入请求（默认：`true`）。
+- `models.providers.*.authHeader`：在需要时强制通过 `Authorization` 头传输凭证。
+- `models.providers.*.baseUrl`：上游 API base URL。
+- `models.providers.*.headers`：用于代理/租户路由的额外静态 header。
+- `models.providers.*.models`：显式的提供商模型目录条目。
+- `models.providers.*.models.*.compat.supportsDeveloperRole`：可选的兼容性提示。对 `api: "openai-completions"` 且非空、非原生 `baseUrl`（主机不是 `api.openai.com`）的情况，OpenClaw 会在运行时将其强制设为 `false`。空或省略的 `baseUrl` 会保留默认 OpenAI 行为。
+- `models.bedrockDiscovery`：Bedrock 自动发现设置根。
+- `models.bedrockDiscovery.enabled`：开启/关闭发现轮询。
+- `models.bedrockDiscovery.region`：发现使用的 AWS 区域。
+- `models.bedrockDiscovery.providerFilter`：用于定向发现的可选 provider-id 过滤器。
+- `models.bedrockDiscovery.refreshInterval`：发现刷新的轮询间隔。
+- `models.bedrockDiscovery.defaultContextWindow`：发现模型的回退上下文窗口。
+- `models.bedrockDiscovery.defaultMaxTokens`：发现模型的回退最大输出 token 数。
+
+### 提供商示例
+
+<Accordion title="Cerebras（GLM 4.6 / 4.7）">
+
+```json5
+{
+  env: { CEREBRAS_API_KEY: "sk-..." },
+  agents: {
+    defaults: {
+      model: {
+        primary: "cerebras/zai-glm-4.7",
+        fallbacks: ["cerebras/zai-glm-4.6"],
+      },
+      models: {
+        "cerebras/zai-glm-4.7": { alias: "GLM 4.7 (Cerebras)" },
+        "cerebras/zai-glm-4.6": { alias: "GLM 4.6 (Cerebras)" },
+      },
+    },
+  },
+  models: {
+    mode: "merge",
+    providers: {
+      cerebras: {
+        baseUrl: "https://api.cerebras.ai/v1",
+        apiKey: "${CEREBRAS_API_KEY}",
+        api: "openai-completions",
+        models: [
+          { id: "zai-glm-4.7", name: "GLM 4.7 (Cerebras)" },
+          { id: "zai-glm-4.6", name: "GLM 4.6 (Cerebras)" },
+        ],
+      },
+    },
+  },
+}
+```
+
+对 Cerebras 使用 `cerebras/zai-glm-4.7`；对 Z.AI 直连使用 `zai/glm-4.7`。
+
+</Accordion>
+
+<Accordion title="OpenCode">
+
+```json5
+{
+  agents: {
+    defaults: {
+      model: { primary: "opencode/claude-opus-4-6" },
+      models: { "opencode/claude-opus-4-6": { alias: "Opus" } },
+    },
+  },
+}
+```
+
+设置 `OPENCODE_API_KEY`（或 `OPENCODE_ZEN_API_KEY`）。Zen 目录使用 `opencode/...` 引用，Go 目录使用 `opencode-go/...` 引用。快捷方式：`openclaw onboard --auth-choice opencode-zen` 或 `openclaw onboard --auth-choice opencode-go`。
+
+</Accordion>
+
+<Accordion title="Z.AI（GLM-4.7）">
+
+```json5
+{
+  agents: {
+    defaults: {
+      model: { primary: "zai/glm-4.7" },
+      models: { "zai/glm-4.7": {} },
+    },
+  },
+}
+```
+
+设置 `ZAI_API_KEY`。`z.ai/*` 和 `z-ai/*` 都是可接受的别名。快捷方式：`openclaw onboard --auth-choice zai-api-key`。
+
+- 通用端点：`https://api.z.ai/api/paas/v4`
+- 编码端点（默认）：`https://api.z.ai/api/coding/paas/v4`
+- 对于通用端点，请定义一个带有 base URL 覆盖的自定义提供商。
+
+</Accordion>
+
+<Accordion title="Moonshot AI（Kimi）">
+
+```json5
+{
+  env: { MOONSHOT_API_KEY: "sk-..." },
+  agents: {
+    defaults: {
+      model: { primary: "moonshot/kimi-k2.5" },
+      models: { "moonshot/kimi-k2.5": { alias: "Kimi K2.5" } },
+    },
+  },
+  models: {
+    mode: "merge",
+    providers: {
+      moonshot: {
+        baseUrl: "https://api.moonshot.ai/v1",
+        apiKey: "${MOONSHOT_API_KEY}",
+        api: "openai-completions",
+        models: [
+          {
+            id: "kimi-k2.5",
+            name: "Kimi K2.5",
+            reasoning: false,
+            input: ["text"],
+            cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
+            contextWindow: 256000,
+            maxTokens: 8192,
+          },
+        ],
+      },
+    },
+  },
+}
+```
+
+中国端点可使用：`baseUrl: "https://api.moonshot.cn/v1"` 或 `openclaw onboard --auth-choice moonshot-api-key-cn`。
+
+</Accordion>
+
+<Accordion title="Kimi Coding">
+
+```json5
+{
+  env: { KIMI_API_KEY: "sk-..." },
+  agents: {
+    defaults: {
+      model: { primary: "kimi-coding/k2p5" },
+      models: { "kimi-coding/k2p5": { alias: "Kimi K2.5" } },
+    },
+  },
+}
+```
+
+兼容 Anthropic 的内置提供商。快捷方式：`openclaw onboard --auth-choice kimi-code-api-key`。
+
+</Accordion>
+
+<Accordion title="Synthetic（兼容 Anthropic）">
+
+```json5
+{
+  env: { SYNTHETIC_API_KEY: "sk-..." },
+  agents: {
+    defaults: {
+      model: { primary: "synthetic/hf:MiniMaxAI/MiniMax-M2.5" },
+      models: { "synthetic/hf:MiniMaxAI/MiniMax-M2.5": { alias: "MiniMax M2.5" } },
+    },
+  },
+  models: {
+    mode: "merge",
+    providers: {
+      synthetic: {
+        baseUrl: "https://api.synthetic.new/anthropic",
+        apiKey: "${SYNTHETIC_API_KEY}",
+        api: "anthropic-messages",
+        models: [
+          {
+            id: "hf:MiniMaxAI/MiniMax-M2.5",
+            name: "MiniMax M2.5",
+            reasoning: true,
+            input: ["text"],
+            cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
+            contextWindow: 192000,
+            maxTokens: 65536,
+          },
+        ],
+      },
+    },
+  },
+}
+```
+
+Base URL 不应包含 `/v1`（Anthropic 客户端会追加它）。快捷方式：`openclaw onboard --auth-choice synthetic-api-key`。
+
+</Accordion>
+
+<Accordion title="MiniMax M2.5（直连）">
+
+```json5
+{
+  agents: {
+    defaults: {
+      model: { primary: "minimax/MiniMax-M2.5" },
+      models: {
+        "minimax/MiniMax-M2.5": { alias: "Minimax" },
+      },
+    },
+  },
+  models: {
+    mode: "merge",
+    providers: {
+      minimax: {
+        baseUrl: "https://api.minimax.io/anthropic",
+        apiKey: "${MINIMAX_API_KEY}",
+        api: "anthropic-messages",
+        models: [
+          {
+            id: "MiniMax-M2.5",
+            name: "MiniMax M2.5",
+            reasoning: true,
+            input: ["text"],
+            cost: { input: 15, output: 60, cacheRead: 2, cacheWrite: 10 },
+            contextWindow: 200000,
+            maxTokens: 8192,
+          },
+        ],
+      },
+    },
+  },
+}
+```
+
+设置 `MINIMAX_API_KEY`。快捷方式：`openclaw onboard --auth-choice minimax-api`。
+
+</Accordion>
+
+<Accordion title="本地模型（LM Studio）">
+
+参见 [Local Models](/gateway/local-models)。简而言之：在强劲硬件上通过 LM Studio Responses API 运行 MiniMax M2.5；并保留托管模型合并，以便故障切换。
+
+</Accordion>
+
+---
+
+## Skills
+
+```json5
+{
+  skills: {
+    allowBundled: ["gemini", "peekaboo"],
+    load: {
+      extraDirs: ["~/Projects/agent-scripts/skills"],
+    },
+    install: {
+      preferBrew: true,
+      nodeManager: "npm", // npm | pnpm | yarn
+    },
+    entries: {
+      "nano-banana-pro": {
+        apiKey: { source: "env", provider: "default", id: "GEMINI_API_KEY" }, // 或明文字符串
+        env: { GEMINI_API_KEY: "GEMINI_KEY_HERE" },
+      },
+      peekaboo: { enabled: true },
+      sag: { enabled: false },
+    },
+  },
+}
+```
+
+- `allowBundled`：仅针对捆绑 Skills 的可选 allowlist（托管/工作区 Skills 不受影响）。
+- `entries.<skillKey>.enabled: false`：即使某个技能已捆绑/已安装，也会禁用它。
+- `entries.<skillKey>.apiKey`：针对声明主环境变量的技能提供的便捷字段（明文字符串或 SecretRef 对象）。
+
+---
+
+## 插件
+
+```json5
+{
+  plugins: {
+    enabled: true,
+    allow: ["voice-call"],
+    deny: [],
+    load: {
+      paths: ["~/Projects/oss/voice-call-extension"],
+    },
+    entries: {
+      "voice-call": {
+        enabled: true,
+        hooks: {
+          allowPromptInjection: false,
+        },
+        config: { provider: "twilio" },
+      },
+    },
+  },
+}
+```
+
+- 从 `~/.openclaw/extensions`、`<workspace>/.openclaw/extensions` 以及 `plugins.load.paths` 加载。
+- 设备发现同时接受原生 OpenClaw 插件、兼容的 Codex bundle 和 Claude bundle，包括无 manifest 的 Claude 默认布局 bundle。
+- **配置更改需要重启 Gateway 网关。**
+- `allow`：可选 allowlist（仅加载列出的插件）。`deny` 优先。
+- `plugins.entries.<id>.apiKey`：插件级 API key 便捷字段（插件支持时）。
+- `plugins.entries.<id>.env`：插件作用域环境变量映射。
+- `plugins.entries.<id>.hooks.allowPromptInjection`：为 `false` 时，核心会阻止 `before_prompt_build`，并忽略旧版 `before_agent_start` 中会修改 prompt 的字段，同时保留旧版 `modelOverride` 和 `providerOverride`。适用于原生插件 hook 以及受支持 bundle 提供的 hook 目录。
+- `plugins.entries.<id>.config`：插件定义的配置对象（如有可用原生 OpenClaw 插件 schema，则会校验）。
+- 已启用的 Claude bundle 插件也可以从 `settings.json` 提供嵌入式 Pi 默认值；OpenClaw 会将其作为净化后的智能体设置应用，而不是作为原始 OpenClaw 配置补丁。
+- `plugins.slots.memory`：选择活动记忆插件 ID，或设为 `"none"` 以禁用记忆插件。
+- `plugins.slots.contextEngine`：选择活动上下文引擎插件 ID；默认是 `"legacy"`，除非你安装并选择了其他引擎。
+- `plugins.installs`：由 CLI 管理的安装元数据，供 `openclaw plugins update` 使用。
+  - 包括 `source`、`spec`、`sourcePath`、`installPath`、`version`、`resolvedName`、`resolvedVersion`、`resolvedSpec`、`integrity`、`shasum`、`resolvedAt`、`installedAt`。
+  - 请将 `plugins.installs.*` 视为托管状态；优先使用 CLI 命令，而不是手动编辑。
+
+见 [Plugins](/tools/plugin)。
+
+---
+
+## 浏览器
+
+```json5
+{
+  browser: {
+    enabled: true,
+    evaluateEnabled: true,
+    defaultProfile: "user",
+    ssrfPolicy: {
+      dangerouslyAllowPrivateNetwork: true, // 默认可信网络模式
+      // allowPrivateNetwork: true, // 旧别名
+      // hostnameAllowlist: ["*.example.com", "example.com"],
+      // allowedHostnames: ["localhost"],
+    },
+    profiles: {
+      openclaw: { cdpPort: 18800, color: "#FF4500" },
+      work: { cdpPort: 18801, color: "#0066CC" },
+      remote: { cdpUrl: "http://10.0.0.42:9222", color: "#00AA00" },
+    },
+    color: "#FF4500",
+    // headless: false,
+    // noSandbox: false,
+    // extraArgs: [],
+    // relayBindHost: "0.0.0.0", // 仅在扩展 relay 需要跨命名空间可达时（例如 WSL2）
+    // executablePath: "/Applications/Brave Browser.app/Contents/MacOS/Brave Browser",
+    // attachOnly: false,
+  },
+}
+```
+
+- `evaluateEnabled: false` 会禁用 `act:evaluate` 和 `wait --fn`。
+- `ssrfPolicy.dangerouslyAllowPrivateNetwork` 在未设置时默认为 `true`（可信网络模型）。
+- 若要启用严格的仅公共网络浏览导航，请设置 `ssrfPolicy.dangerouslyAllowPrivateNetwork: false`。
+- 在严格模式下，远程 CDP 配置文件端点（`profiles.*.cdpUrl`）在可达性/发现检查期间也受相同的私有网络阻止规则限制。
+- `ssrfPolicy.allowPrivateNetwork` 仍支持作为旧别名。
+- 在严格模式下，可使用 `ssrfPolicy.hostnameAllowlist` 和 `ssrfPolicy.allowedHostnames` 显式放行例外。
+- 远程配置文件为仅附加模式（禁止启动/停止/重置）。
+- 自动检测顺序：默认浏览器如果是基于 Chromium → Chrome → Brave → Edge → Chromium → Chrome Canary。
+- 控制服务：仅 loopback（端口由 `gateway.port` 派生，默认 `18791`）。
+- `extraArgs` 会向本地 Chromium 启动追加额外标志（例如
+  `--disable-gpu`、窗口大小设置或调试标志）。
+- `relayBindHost` 更改 Chrome 扩展 relay 的监听地址。若只需 loopback 访问请保持未设置；仅当 relay 必须跨命名空间边界可达（例如 WSL2）且主机网络已受信任时，才显式设置为非 loopback 地址，例如 `0.0.0.0`。
+
+---
+
+## UI
+
+```json5
+{
+  ui: {
+    seamColor: "#FF4500",
+    assistant: {
+      name: "OpenClaw",
+      avatar: "CB", // emoji、短文本、图片 URL 或 data URI
+    },
+  },
+}
+```
+
+- `seamColor`：原生应用 UI 外观的强调色（Talk 模式气泡着色等）。
+- `assistant`：Control UI 身份覆盖。回退到活动智能体身份。
+
+---
+
+## Gateway 网关
+
+```json5
+{
+  gateway: {
+    mode: "local", // local | remote
+    port: 18789,
+    bind: "loopback",
+    auth: {
+      mode: "token", // none | token | password | trusted-proxy
+      token: "your-token",
+      // password: "your-password", // 或 OPENCLAW_GATEWAY_PASSWORD
+      // trustedProxy: { userHeader: "x-forwarded-user" }, // 用于 mode=trusted-proxy；见 /gateway/trusted-proxy-auth
+      allowTailscale: true,
+      rateLimit: {
+        maxAttempts: 10,
+        windowMs: 60000,
+        lockoutMs: 300000,
+        exemptLoopback: true,
+      },
+    },
+    tailscale: {
+      mode: "off", // off | serve | funnel
+      resetOnExit: false,
+    },
+    controlUi: {
+      enabled: true,
+      basePath: "/openclaw",
+      // root: "dist/control-ui",
+      // allowedOrigins: ["https://control.example.com"], // 非 loopback Control UI 必需
+      // dangerouslyAllowHostHeaderOriginFallback: false, // 危险的 Host-header origin 回退模式
+      // allowInsecureAuth: false,
+      // dangerouslyDisableDeviceAuth: false,
+    },
+    remote: {
+      url: "ws://gateway.tailnet:18789",
+      transport: "ssh", // ssh | direct
+      token: "your-token",
+      // password: "your-password",
+    },
+    trustedProxies: ["10.0.0.1"],
+    // 可选。默认 false。
+    allowRealIpFallback: false,
+    tools: {
+      // 额外的 /tools/invoke HTTP deny
+      deny: ["browser"],
+      // 从默认 HTTP deny 列表中移除工具
+      allow: ["gateway"],
+    },
+    push: {
+      apns: {
+        relay: {
+          baseUrl: "https://relay.example.com",
+          timeoutMs: 10000,
+        },
+      },
+    },
+  },
+}
+```
+
+<Accordion title="Gateway 网关字段详情">
+
+- `mode`：`local`（运行网关）或 `remote`（连接远程网关）。除非为 `local`，否则 Gateway 网关拒绝启动。
+- `port`：用于 WS + HTTP 的单一复用端口。优先级：`--port` > `OPENCLAW_GATEWAY_PORT` > `gateway.port` > `18789`。
+- `bind`：`auto`、`loopback`（默认）、`lan`（`0.0.0.0`）、`tailnet`（仅 Tailscale IP）或 `custom`。
+- **旧版 bind 别名**：请在 `gateway.bind` 中使用 bind 模式值（`auto`、`loopback`、`lan`、`tailnet`、`custom`），不要使用主机别名（`0.0.0.0`、`127.0.0.1`、`localhost`、`::`、`::1`）。
+- **Docker 说明**：默认的 `loopback` bind 在容器内监听 `127.0.0.1`。在 Docker bridge 网络（`-p 18789:18789`）下，流量从 `eth0` 进入，因此网关不可达。请使用 `--network host`，或设置 `bind: "lan"`（或 `bind: "custom"` 并配合 `customBindHost: "0.0.0.0"`）以监听所有接口。
+- **认证**：默认要求认证。非 loopback bind 需要共享 token/password。新手引导默认会生成一个 token。
+- 如果同时配置了 `gateway.auth.token` 和 `gateway.auth.password`（包括 SecretRef），请显式设置 `gateway.auth.mode` 为 `token` 或 `password`。如果两者都已配置但 mode 未设置，启动和服务安装/修复流程都会失败。
+- `gateway.auth.mode: "none"`：显式无认证模式。仅用于受信任的本地 local loopback 设置；新手引导提示中故意不提供此选项。
+- `gateway.auth.mode: "trusted-proxy"`：将认证委托给具备身份感知能力的反向代理，并信任来自 `gateway.trustedProxies` 的身份头（见 [Trusted Proxy Auth](/gateway/trusted-proxy-auth)）。
+- `gateway.auth.allowTailscale`：为 `true` 时，Tailscale Serve 身份头可满足 Control UI/WebSocket 认证（通过 `tailscale whois` 验证）；HTTP API 端点仍要求 token/password 认证。这种无 token 流程假定网关主机是受信任的。当 `tailscale.mode = "serve"` 时默认值为 `true`。
+- `gateway.auth.rateLimit`：可选的认证失败限流器。按客户端 IP 和认证范围生效（共享密钥和设备 token 分别跟踪）。被阻止的尝试返回 `429` + `Retry-After`。
+  - `gateway.auth.rateLimit.exemptLoopback` 默认值为 `true`；当你有意希望 localhost 流量也受限流时（用于测试设置或严格代理部署），请设为 `false`。
+- 来自浏览器 origin 的 WS 认证尝试始终会在禁用 loopback 豁免的情况下限流（作为对基于浏览器的 localhost 暴力破解的纵深防御）。
+- `tailscale.mode`：`serve`（仅 tailnet，loopback bind）或 `funnel`（公开，需要认证）。
+- `controlUi.allowedOrigins`：用于 Gateway 网关 WebSocket 连接的显式浏览器 origin allowlist。当浏览器客户端预期来自非 loopback origin 时必须设置。
+- `controlUi.dangerouslyAllowHostHeaderOriginFallback`：危险模式，为那些刻意依赖 Host-header origin 策略的部署启用 Host-header origin 回退。
+- `remote.transport`：`ssh`（默认）或 `direct`（ws/wss）。对于 `direct`，`remote.url` 必须是 `ws://` 或 `wss://`。
+- `OPENCLAW_ALLOW_INSECURE_PRIVATE_WS=1`：客户端侧的紧急覆盖，允许对受信任的私有网络 IP 使用明文 `ws://`；默认仍只允许 loopback 使用明文。
+- `gateway.remote.token` / `.password` 是远程客户端凭证字段。它们本身不会配置网关认证。
+- `gateway.push.apns.relay.baseUrl`：官方/TestFlight iOS 版本在将基于 relay 的注册发布到网关后，供网关使用的外部 APNs relay 基础 HTTPS URL。该 URL 必须与编译进 iOS 构建中的 relay URL 一致。
+- `gateway.push.apns.relay.timeoutMs`：网关到 relay 的发送超时（毫秒）。默认值为 `10000`。
+- 基于 relay 的注册会被委派给一个特定网关身份。配对的 iOS 应用会获取 `gateway.identity.get`，将该身份包含到 relay 注册中，并将带注册作用域的发送授权转发给网关。其他网关不能复用该已存储注册。
+- `OPENCLAW_APNS_RELAY_BASE_URL` / `OPENCLAW_APNS_RELAY_TIMEOUT_MS`：用于覆盖上述 relay 配置的临时环境变量。
+- `OPENCLAW_APNS_RELAY_ALLOW_HTTP=true`：仅开发用的逃生口，用于 loopback HTTP relay URL。生产 relay URL 应保持为 HTTPS。
+- `gateway.channelHealthCheckMinutes`：渠道健康检查监视间隔（分钟）。设为 `0` 可全局禁用健康检查重启。默认：`5`。
+- `gateway.channelStaleEventThresholdMinutes`：陈旧 socket 阈值（分钟）。请保持其大于或等于 `gateway.channelHealthCheckMinutes`。默认：`30`。
+- `gateway.channelMaxRestartsPerHour`：滚动一小时内，每个渠道/账户允许的最大健康检查重启次数。默认：`10`。
+- `channels.<provider>.healthMonitor.enabled`：按渠道选择退出健康检查重启，同时保留全局监视器开启。
+- `channels.<provider>.accounts.<accountId>.healthMonitor.enabled`：多账户渠道的按账户覆盖。设置后，它优先于渠道级覆盖。
+- 仅当 `gateway.auth.*` 未设置时，本地 Gateway 网关调用路径才可回退到 `gateway.remote.*`。
+- 如果 `gateway.auth.token` / `gateway.auth.password` 通过 SecretRef 显式配置但无法解析，解析会以默认拒绝方式失败（不会用 remote 回退掩盖）。
+- `trustedProxies`：终止 TLS 的反向代理 IP。仅列出你控制的代理。
+- `allowRealIpFallback`：为 `true` 时，当缺失 `X-Forwarded-For` 时，Gateway 网关接受 `X-Real-IP`。默认为 `false`，以实现默认拒绝行为。
+- `gateway.tools.deny`：对 HTTP `POST /tools/invoke` 额外阻止的工具名（扩展默认 deny 列表）。
+- `gateway.tools.allow`：从默认 HTTP deny 列表中移除工具名。
+
+</Accordion>
+
+### 兼容 OpenAI 的端点
+
+- Chat Completions：默认禁用。通过 `gateway.http.endpoints.chatCompletions.enabled: true` 启用。
+- Responses API：`gateway.http.endpoints.responses.enabled`。
+- Responses URL 输入加固：
+  - `gateway.http.endpoints.responses.maxUrlParts`
+  - `gateway.http.endpoints.responses.files.urlAllowlist`
+  - `gateway.http.endpoints.responses.images.urlAllowlist`
+- 可选的响应加固 header：
+  - `gateway.http.securityHeaders.strictTransportSecurity`（仅对你控制的 HTTPS origin 设置；见 [Trusted Proxy Auth](/gateway/trusted-proxy-auth#tls-termination-and-hsts)）
+
+### 多实例隔离
+
+使用不同端口和状态目录，在一台主机上运行多个网关：
+
+```bash
+OPENCLAW_CONFIG_PATH=~/.openclaw/a.json \
+OPENCLAW_STATE_DIR=~/.openclaw-a \
+openclaw gateway --port 19001
+```
+
+便捷标志：`--dev`（使用 `~/.openclaw-dev` + 端口 `19001`）、`--profile <name>`（使用 `~/.openclaw-<name>`）。
+
+见 [Multiple Gateways](/gateway/multiple-gateways)。
+
+---
+
+## Hooks
+
+```json5
+{
+  hooks: {
+    enabled: true,
+    token: "shared-secret",
+    path: "/hooks",
+    maxBodyBytes: 262144,
+    defaultSessionKey: "hook:ingress",
+    allowRequestSessionKey: false,
+    allowedSessionKeyPrefixes: ["hook:"],
+    allowedAgentIds: ["hooks", "main"],
+    presets: ["gmail"],
+    transformsDir: "~/.openclaw/hooks/transforms",
+    mappings: [
+      {
+        match: { path: "gmail" },
+        action: "agent",
+        agentId: "hooks",
+        wakeMode: "now",
+        name: "Gmail",
+        sessionKey: "hook:gmail:{{messages[0].id}}",
+        messageTemplate: "From: {{messages[0].from}}\nSubject: {{messages[0].subject}}\n{{messages[0].snippet}}",
+        deliver: true,
+        channel: "last",
+        model: "openai/gpt-5.2-mini",
+      },
+    ],
+  },
+}
+```
+
+认证：`Authorization: Bearer <token>` 或 `x-openclaw-token: <token>`。
+
+**端点：**
+
+- `POST /hooks/wake` → `{ text, mode?: "now"|"next-heartbeat" }`
+- `POST /hooks/agent` → `{ message, name?, agentId?, sessionKey?, wakeMode?, deliver?, channel?, to?, model?, thinking?, timeoutSeconds? }`
+  - 仅当 `hooks.allowRequestSessionKey=true`（默认：`false`）时，才接受请求负载中的 `sessionKey`。
+- `POST /hooks/<name>` → 通过 `hooks.mappings` 解析
+
+<Accordion title="映射详情">
+
+- `match.path` 匹配 `/hooks` 之后的子路径（例如 `/hooks/gmail` → `gmail`）。
+- `match.source` 匹配通用路径中的某个负载字段。
+- 像 `{{messages[0].subject}}` 这样的模板会从负载中读取。
+- `transform` 可指向返回 hook 操作的 JS/TS 模块。
+  - `transform.module` 必须是相对路径，并且始终位于 `hooks.transformsDir` 内（绝对路径和路径穿越会被拒绝）。
+- `agentId` 会路由到指定智能体；未知 ID 会回退到默认值。
+- `allowedAgentIds`：限制显式路由（`*` 或省略 = 允许全部，`[]` = 全部拒绝）。
+- `defaultSessionKey`：可选的固定会话键，用于未显式提供 `sessionKey` 的 hook 智能体运行。
+- `allowRequestSessionKey`：允许 `/hooks/agent` 调用方设置 `sessionKey`（默认：`false`）。
+- `allowedSessionKeyPrefixes`：针对显式 `sessionKey` 值（请求 + 映射）的可选前缀 allowlist，例如 `["hook:"]`。
+- `deliver: true` 会将最终回复发送到某个渠道；`channel` 默认为 `last`。
+- `model` 会覆盖此次 hook 运行的 LLM（如果已设置模型目录，则必须是允许的模型）。
+
+</Accordion>
+
+### Gmail 集成
+
+```json5
+{
+  hooks: {
+    gmail: {
+      account: "openclaw@gmail.com",
+      topic: "projects/<project-id>/topics/gog-gmail-watch",
+      subscription: "gog-gmail-watch-push",
+      pushToken: "shared-push-token",
+      hookUrl: "http://127.0.0.1:18789/hooks/gmail",
+      includeBody: true,
+      maxBytes: 20000,
+      renewEveryMinutes: 720,
+      serve: { bind: "127.0.0.1", port: 8788, path: "/" },
+      tailscale: { mode: "funnel", path: "/gmail-pubsub" },
+      model: "openrouter/meta-llama/llama-3.3-70b-instruct:free",
+      thinking: "off",
+    },
+  },
+}
+```
+
+- 配置后，Gateway 网关会在启动时自动启动 `gog gmail watch serve`。设置 `OPENCLAW_SKIP_GMAIL_WATCHER=1` 可禁用。
+- 不要与 Gateway 网关同时单独运行 `gog gmail watch serve`。
+
+---
+
+## Canvas host
+
+```json5
+{
+  canvasHost: {
+    root: "~/.openclaw/workspace/canvas",
+    liveReload: true,
+    // enabled: false, // 或 OPENCLAW_SKIP_CANVAS_HOST=1
+  },
+}
+```
+
+- 在 Gateway 网关端口下，通过 HTTP 提供可由智能体编辑的 HTML/CSS/JS 和 A2UI：
+  - `http://<gateway-host>:<gateway.port>/__openclaw__/canvas/`
+  - `http://<gateway-host>:<gateway.port>/__openclaw__/a2ui/`
+- 仅限本地：保持 `gateway.bind: "loopback"`（默认）。
+- 非 loopback bind：canvas 路由需要 Gateway 网关认证（token/password/trusted-proxy），与其他 Gateway 网关 HTTP 界面一致。
+- Node WebView 通常不会发送认证头；在某个节点完成配对并连接后，Gateway 网关会为 canvas/A2UI 访问通告带节点作用域的 capability URL。
+- Capability URL 绑定到活动节点 WS 会话，并且很快过期。不使用基于 IP 的回退。
+- 会向所服务的 HTML 中注入 live-reload 客户端。
+- 空目录时会自动创建起始 `index.html`。
+- 也会在 `/__openclaw__/a2ui/` 提供 A2UI。
+- 更改需要重启 Gateway 网关。
+- 对于大型目录或 `EMFILE` 错误，请禁用 live reload。
+
+---
+
+## 设备发现
+
+### mDNS（Bonjour）
+
+```json5
+{
+  discovery: {
+    mdns: {
+      mode: "minimal", // minimal | full | off
+    },
+  },
+}
+```
+
+- `minimal`（默认）：从 TXT 记录中省略 `cliPath` + `sshPort`。
+- `full`：包含 `cliPath` + `sshPort`。
+- 主机名默认为 `openclaw`。可使用 `OPENCLAW_MDNS_HOSTNAME` 覆盖。
+
+### 广域（DNS-SD）
+
+```json5
+{
+  discovery: {
+    wideArea: { enabled: true },
+  },
+}
+```
+
+在 `~/.openclaw/dns/` 下写入一个单播 DNS-SD 区域。对于跨网络设备发现，可与 DNS 服务器（推荐 CoreDNS）+ Tailscale split DNS 搭配使用。
+
+设置：`openclaw dns setup --apply`。
+
+---
+
+## 环境
+
+### `env`（内联环境变量）
+
+```json5
+{
+  env: {
+    OPENROUTER_API_KEY: "sk-or-...",
+    vars: {
+      GROQ_API_KEY: "gsk-...",
+    },
+    shellEnv: {
+      enabled: true,
+      timeoutMs: 15000,
+    },
+  },
+}
+```
+
+- 仅当进程环境中缺少该键时，才会应用内联环境变量。
+- `.env` 文件：当前工作目录 `.env` + `~/.openclaw/.env`（两者都不会覆盖现有变量）。
+- `shellEnv`：从你的登录 shell 配置文件导入缺失的预期键名。
+- 完整优先级见 [Environment](/help/environment)。
+
+### 环境变量替换
+
+可在任意配置字符串中使用 `${VAR_NAME}` 引用环境变量：
+
+```json5
+{
+  gateway: {
+    auth: { token: "${OPENCLAW_GATEWAY_TOKEN}" },
+  },
+}
+```
+
+- 仅匹配大写名称：`[A-Z_][A-Z0-9_]*`。
+- 缺失/为空的变量会在配置加载时抛出错误。
+- 使用 `$${VAR}` 可转义为字面量 `${VAR}`。
+- 适用于 `$include`。
+
+---
+
+## 密钥
+
+Secret refs 是增量能力：明文值仍然可用。
+
+### `SecretRef`
+
+使用以下对象形式之一：
+
+```json5
+{ source: "env" | "file" | "exec", provider: "default", id: "..." }
+```
+
+校验：
+
+- `provider` 模式：`^[a-z][a-z0-9_-]{0,63}$`
+- `source: "env"` 的 id 模式：`^[A-Z][A-Z0-9_]{0,127}$`
+- `source: "file"` 的 id：绝对 JSON pointer（例如 `"/providers/openai/apiKey"`）
+- `source: "exec"` 的 id 模式：`^[A-Za-z0-9][A-Za-z0-9._:/-]{0,255}$`
+- `source: "exec"` 的 id 不能包含以斜杠分隔的 `.` 或 `..` 路径段（例如 `a/../b` 会被拒绝）
+
+### 支持的凭证表面
+
+- 规范矩阵：[SecretRef Credential Surface](/reference/secretref-credential-surface)
+- `secrets apply` 会定位受支持的 `openclaw.json` 凭证路径。
+- `auth-profiles.json` 中的 ref 也包含在运行时解析和审计覆盖范围内。
+
+### Secret providers 配置
+
+```json5
+{
+  secrets: {
+    providers: {
+      default: { source: "env" }, // 可选的显式环境变量提供商
+      filemain: {
+        source: "file",
+        path: "~/.openclaw/secrets.json",
+        mode: "json",
+        timeoutMs: 5000,
+      },
+      vault: {
+        source: "exec",
+        command: "/usr/local/bin/openclaw-vault-resolver",
+        passEnv: ["PATH", "VAULT_ADDR"],
+      },
+    },
+    defaults: {
+      env: "default",
+      file: "filemain",
+      exec: "vault",
+    },
+  },
+}
+```
+
+说明：
+
+- `file` 提供商支持 `mode: "json"` 和 `mode: "singleValue"`（在 singleValue 模式下，`id` 必须是 `"value"`）。
+- `exec` 提供商要求绝对 `command` 路径，并通过 stdin/stdout 使用协议负载。
+- 默认会拒绝符号链接命令路径。设置 `allowSymlinkCommand: true` 可允许符号链接路径，同时校验解析后的目标路径。
+- 如果配置了 `trustedDirs`，则受信任目录检查会应用到解析后的目标路径。
+- `exec` 子进程环境默认最小化；请通过 `passEnv` 显式传递所需变量。
+- Secret refs 会在激活时解析为内存快照，之后请求路径只读取该快照。
+- 激活期间会应用活动表面过滤：已启用表面上的未解析 ref 会导致启动/重载失败，而非活动表面会被跳过并记录诊断信息。
+
+---
+
+## 认证存储
+
+```json5
+{
+  auth: {
+    profiles: {
+      "anthropic:me@example.com": { provider: "anthropic", mode: "oauth", email: "me@example.com" },
+      "anthropic:work": { provider: "anthropic", mode: "api_key" },
+    },
+    order: {
+      anthropic: ["anthropic:me@example.com", "anthropic:work"],
+    },
+  },
+}
+```
+
+- 每个智能体的配置文件存储在 `<agentDir>/auth-profiles.json`。
+- `auth-profiles.json` 支持值级 ref（`api_key` 使用 `keyRef`，`token` 使用 `tokenRef`）。
+- 静态运行时凭证来自内存中的已解析快照；发现旧版静态 `auth.json` 条目时会进行清理。
+- 旧版 OAuth 会从 `~/.openclaw/credentials/oauth.json` 导入。
+- 见 [OAuth](/concepts/oauth)。
+- Secrets 运行时行为以及 `audit/configure/apply` 工具：见 [Secrets Management](/gateway/secrets)。
+
+---
+
+## 日志
+
+```json5
+{
+  logging: {
+    level: "info",
+    file: "/tmp/openclaw/openclaw.log",
+    consoleLevel: "info",
+    consoleStyle: "pretty", // pretty | compact | json
+    redactSensitive: "tools", // off | tools
+    redactPatterns: ["\\bTOKEN\\b\\s*[=:]\\s*([\"']?)([^\\s\"']+)\\1"],
+  },
+}
+```
+
+- 默认日志文件：`/tmp/openclaw/openclaw-YYYY-MM-DD.log`。
+- 设置 `logging.file` 以获得稳定路径。
+- 使用 `--verbose` 时，`consoleLevel` 会提升为 `debug`。
+
+---
+
+## CLI
+
+```json5
+{
+  cli: {
+    banner: {
+      taglineMode: "off", // random | default | off
+    },
+  },
+}
+```
+
+- `cli.banner.taglineMode` 控制横幅标语样式：
+  - `"random"`（默认）：轮换的有趣/季节性标语。
+  - `"default"`：固定的中性标语（`All your chats, one OpenClaw.`）。
+  - `"off"`：不显示标语文本（仍显示横幅标题/版本）。
+- 若要隐藏整个横幅（而不仅是标语），请设置环境变量 `OPENCLAW_HIDE_BANNER=1`。
+
+---
+
+## 向导
+
+由 CLI 向导（`onboard`、`configure`、`doctor`）写入的元数据：
+
+```json5
+{
+  wizard: {
+    lastRunAt: "2026-01-01T00:00:00.000Z",
+    lastRunVersion: "2026.1.4",
+    lastRunCommit: "abc1234",
+    lastRunCommand: "configure",
+    lastRunMode: "local",
+  },
+}
+```
+
+---
+
+## 身份
+
+```json5
+{
+  agents: {
+    list: [
+      {
+        id: "main",
+        identity: {
+          name: "Samantha",
+          theme: "helpful sloth",
+          emoji: "🦥",
+          avatar: "avatars/samantha.png",
+        },
+      },
+    ],
+  },
+}
+```
+
+由 macOS 新手引导助手写入。会派生默认值：
+
+- 从 `identity.emoji` 派生 `messages.ackReaction`（回退为 👀）
+- 从 `identity.name`/`identity.emoji` 派生 `mentionPatterns`
+- `avatar` 接受：工作区相对路径、`http(s)` URL 或 `data:` URI
+
+---
+
+## Bridge（旧版，已移除）
+
+当前版本不再包含 TCP bridge。节点通过 Gateway 网关 WebSocket 连接。`bridge.*` 键已不再属于配置 schema 的一部分（在移除前校验会失败；`openclaw doctor --fix` 可清除未知键）。
+
+<Accordion title="旧版 bridge 配置（历史参考）">
+
+```json
+{
+  "bridge": {
+    "enabled": true,
+    "port": 18790,
+    "bind": "tailnet",
+    "tls": {
+      "enabled": true,
+      "autoGenerate": true
+    }
+  }
+}
+```
+
+</Accordion>
+
+---
+
+## Cron
+
+```json5
+{
+  cron: {
+    enabled: true,
+    maxConcurrentRuns: 2,
+    webhook: "https://example.invalid/legacy", // 旧版回退，仅用于已存储的 notify:true 作业
+    webhookToken: "replace-with-dedicated-token", // 可选，用于出站 webhook 认证的 bearer token
+    sessionRetention: "24h", // 时长字符串或 false
+    runLog: {
+      maxBytes: "2mb", // 默认 2_000_000 字节
+      keepLines: 2000, // 默认 2000
+    },
+  },
+}
+```
+
+- `sessionRetention`：已完成的隔离 Cron 运行会话在从 `sessions.json` 清理前保留多久。也控制已归档、已删除的 Cron 记录清理。默认：`24h`；设为 `false` 可禁用。
+- `runLog.maxBytes`：每个运行日志文件（`cron/runs/<jobId>.jsonl`）在清理前的最大大小。默认：`2_000_000` 字节。
+- `runLog.keepLines`：触发运行日志清理时保留的最新行数。默认：`2000`。
+- `webhookToken`：用于 Cron webhook POST 投递（`delivery.mode = "webhook"`）的 bearer token；若省略则不发送认证头。
+- `webhook`：已弃用的旧版回退 webhook URL（http/https），仅用于仍然具有 `notify: true` 的已存储作业。
+
+见 [Cron Jobs](/automation/cron-jobs)。
+
+---
+
+## 媒体模型模板变量
+
+会在 `tools.media.models[].args` 中展开的模板占位符：
+
+| Variable           | Description                                  |
+| ------------------ | -------------------------------------------- |
+| `{{Body}}`         | 完整入站消息正文                             |
+| `{{RawBody}}`      | 原始正文（无历史/发送者包装）                |
+| `{{BodyStripped}}` | 去除群组提及后的正文                         |
+| `{{From}}`         | 发送者标识符                                 |
+| `{{To}}`           | 目标标识符                                   |
+| `{{MessageSid}}`   | 渠道消息 ID                                  |
+| `{{SessionId}}`    | 当前会话 UUID                                |
+| `{{IsNewSession}}` | 新建会话时为 `"true"`                        |
+| `{{MediaUrl}}`     | 入站媒体伪 URL                               |
+| `{{MediaPath}}`    | 本地媒体路径                                 |
+| `{{MediaType}}`    | 媒体类型（image/audio/document/…）           |
+| `{{Transcript}}`   | 音频转录                                     |
+| `{{Prompt}}`       | 为 CLI 条目解析后的媒体提示                  |
+| `{{MaxChars}}`     | 为 CLI 条目解析后的最大输出字符数            |
+| `{{ChatType}}`     | `"direct"` 或 `"group"`                      |
+| `{{GroupSubject}}` | 群组主题（尽力而为）                         |
+| `{{GroupMembers}}` | 群组成员预览（尽力而为）                     |
+| `{{SenderName}}`   | 发送者显示名（尽力而为）                     |
+| `{{SenderE164}}`   | 发送者电话号码（尽力而为）                   |
+| `{{Provider}}`     | 提供商提示（whatsapp、telegram、discord 等） |
+
+---
+
+## 配置 includes（`$include`）
+
+将配置拆分为多个文件：
+
+```json5
+// ~/.openclaw/openclaw.json
+{
+  gateway: { port: 18789 },
+  agents: { $include: "./agents.json5" },
+  broadcast: {
+    $include: ["./clients/mueller.json5", "./clients/schmidt.json5"],
+  },
+}
+```
+
+**合并行为：**
+
+- 单个文件：替换包含它的对象。
+- 文件数组：按顺序深度合并（后者覆盖前者）。
+- 同级键：在 include 之后再合并（覆盖被包含的值）。
+- 嵌套 include：最多 10 层。
+- 路径：相对于包含它的文件解析，但必须保持在顶层配置目录（`openclaw.json` 的 `dirname`）内。只有在最终解析结果仍位于该边界内时，才允许使用绝对路径/`../` 形式。
+- 错误：缺失文件、解析错误和循环 include 都会给出清晰错误信息。
+
+---
+
+_相关内容：[Configuration](/gateway/configuration) · [Configuration Examples](/gateway/configuration-examples) · [Doctor](/gateway/doctor)_
diff --git a/docs/zh-CN/gateway/configuration.md b/docs/zh-CN/gateway/configuration.md
index cd269cef3b8..49c62eea4c9 100644
--- a/docs/zh-CN/gateway/configuration.md
+++ b/docs/zh-CN/gateway/configuration.md
@@ -1,3332 +1,640 @@
 ---
 read_when:
-  - 添加或修改配置字段时
-summary: ~/.openclaw/openclaw.json 的所有配置选项及示例
+  - 首次设置 OpenClaw
+  - 查找常见配置模式
+  - 导航到特定配置部分
+summary: 配置概览：常见任务、快速设置，以及完整参考的链接
 title: 配置
 x-i18n:
-  generated_at: "2026-02-01T21:29:41Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: b5e51290bbc755acb259ad455878625aa894c115e5c0ac6a1a3397e10fff8b4b
+  generated_at: "2026-03-16T06:23:15Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 0047a255e8d3b6d280634437167486e2a81bf98b2d367071259b4b5c85b5ba9f
   source_path: gateway/configuration.md
   workflow: 15
 ---
 
-# 配置 🔧
+# 配置
 
-OpenClaw 从 `~/.openclaw/openclaw.json` 读取可选的 **JSON5** 配置（支持注释和尾逗号）。
+OpenClaw 会从 `~/.openclaw/openclaw.json` 读取可选的 <Tooltip tip="JSON5 supports comments and trailing commas">**JSON5**</Tooltip> 配置。
 
-如果文件不存在，OpenClaw 使用安全的默认值（内置 Pi 智能体 + 按发送者分会话 + 工作区 `~/.openclaw/workspace`）。通常只在以下情况需要配置：
+如果该文件缺失，OpenClaw 会使用安全的默认值。添加配置的常见原因包括：
 
-- 限制谁可以触发机器人（`channels.whatsapp.allowFrom`、`channels.telegram.allowFrom` 等）
-- 控制群组白名单 + 提及行为（`channels.whatsapp.groups`、`channels.telegram.groups`、`channels.discord.guilds`、`agents.list[].groupChat`）
-- 自定义消息前缀（`messages`）
-- 设置智能体工作区（`agents.defaults.workspace` 或 `agents.list[].workspace`）
-- 调整内置智能体默认值（`agents.defaults`）和会话行为（`session`）
-- 设置每个智能体的身份标识（`agents.list[].identity`）
+- 连接渠道并控制谁可以向 bot 发消息
+- 设置模型、工具、沙箱隔离或自动化（cron、hooks）
+- 调整会话、媒体、网络或 UI
 
-> **初次接触配置？** 请查阅[配置示例](/gateway/configuration-examples)指南，获取带有详细说明的完整示例！
+所有可用字段请参阅 [完整参考](/gateway/configuration-reference)。
 
-## 严格配置验证
+<Tip>
+**刚接触配置？** 从 `openclaw onboard` 开始进行交互式设置，或者查看 [Configuration Examples](/gateway/configuration-examples) 指南，获取完整的可复制粘贴配置。
+</Tip>
 
-OpenClaw 只接受完全匹配 schema 的配置。
-未知键、类型错误或无效值会导致 Gateway 网关 **拒绝启动**以确保安全。
-
-验证失败时：
-
-- Gateway 网关不会启动。
-- 只允许诊断命令（例如：`openclaw doctor`、`openclaw logs`、`openclaw health`、`openclaw status`、`openclaw service`、`openclaw help`）。
-- 运行 `openclaw doctor` 查看具体问题。
-- 运行 `openclaw doctor --fix`（或 `--yes`）应用迁移/修复。
-
-Doctor 不会写入任何更改，除非你明确选择了 `--fix`/`--yes`。
-
-## Schema + UI 提示
-
-Gateway 网关通过 `config.schema` 暴露配置的 JSON Schema 表示，供 UI 编辑器使用。
-控制台 UI 根据此 schema 渲染表单，并提供 **Raw JSON** 编辑器作为应急手段。
-
-渠道插件和扩展可以为其配置注册 schema + UI 提示，因此渠道设置
-在各应用间保持 schema 驱动，无需硬编码表单。
-
-提示信息（标签、分组、敏感字段）随 schema 一起提供，客户端无需硬编码配置知识即可渲染更好的表单。
-
-## 应用 + 重启（RPC）
-
-使用 `config.apply` 在一步中验证 + 写入完整配置并重启 Gateway 网关。
-它会写入重启哨兵文件，并在 Gateway 网关恢复后 ping 最后活跃的会话。
-
-警告：`config.apply` 会替换**整个配置**。如果你只想更改部分键，
-请使用 `config.patch` 或 `openclaw config set`。请备份 `~/.openclaw/openclaw.json`。
-
-参数：
-
-- `raw`（字符串）— 整个配置的 JSON5 负载
-- `baseHash`（可选）— 来自 `config.get` 的配置哈希（当配置已存在时为必需）
-- `sessionKey`（可选）— 最后活跃会话的键，用于唤醒 ping
-- `note`（可选）— 包含在重启哨兵中的备注
-- `restartDelayMs`（可选）— 重启前的延迟（默认 2000）
-
-示例（通过 `gateway call`）：
-
-```bash
-openclaw gateway call config.get --params '{}' # capture payload.hash
-openclaw gateway call config.apply --params '{
-  "raw": "{\\n  agents: { defaults: { workspace: \\"~/.openclaw/workspace\\" } }\\n}\\n",
-  "baseHash": "<hash-from-config.get>",
-  "sessionKey": "agent:main:whatsapp:dm:+15555550123",
-  "restartDelayMs": 1000
-}'
-```
-
-## 部分更新（RPC）
-
-使用 `config.patch` 将部分更新合并到现有配置中，而不会覆盖
-无关的键。它采用 JSON merge patch 语义：
-
-- 对象递归合并
-- `null` 删除键
-- 数组替换
-  与 `config.apply` 类似，它会验证、写入配置、存储重启哨兵，并调度
-  Gateway 网关重启（当提供 `sessionKey` 时可选择唤醒）。
-
-参数：
-
-- `raw`（字符串）— 仅包含要更改的键的 JSON5 负载
-- `baseHash`（必需）— 来自 `config.get` 的配置哈希
-- `sessionKey`（可选）— 最后活跃会话的键，用于唤醒 ping
-- `note`（可选）— 包含在重启哨兵中的备注
-- `restartDelayMs`（可选）— 重启前的延迟（默认 2000）
-
-示例：
-
-```bash
-openclaw gateway call config.get --params '{}' # capture payload.hash
-openclaw gateway call config.patch --params '{
-  "raw": "{\\n  channels: { telegram: { groups: { \\"*\\": { requireMention: false } } } }\\n}\\n",
-  "baseHash": "<hash-from-config.get>",
-  "sessionKey": "agent:main:whatsapp:dm:+15555550123",
-  "restartDelayMs": 1000
-}'
-```
-
-## 最小配置（推荐起点）
+## 最小配置
 
 ```json5
+// ~/.openclaw/openclaw.json
 {
   agents: { defaults: { workspace: "~/.openclaw/workspace" } },
   channels: { whatsapp: { allowFrom: ["+15555550123"] } },
 }
 ```
 
-首次构建默认镜像：
+## 编辑配置
 
-```bash
-scripts/sandbox-setup.sh
-```
+<Tabs>
+  <Tab title="Interactive wizard">
+    ```bash
+    openclaw onboard       # 完整设置向导
+    openclaw configure     # 配置向导
+    ```
+  </Tab>
+  <Tab title="CLI (one-liners)">
+    ```bash
+    openclaw config get agents.defaults.workspace
+    openclaw config set agents.defaults.heartbeat.every "2h"
+    openclaw config unset tools.web.search.apiKey
+    ```
+  </Tab>
+  <Tab title="Control UI">
+    打开 [http://127.0.0.1:18789](http://127.0.0.1:18789) 并使用 **Config** 标签页。
+    Control UI 会根据配置 schema 渲染表单，并提供 **Raw JSON** 编辑器作为后备方式。
+  </Tab>
+  <Tab title="Direct edit">
+    直接编辑 `~/.openclaw/openclaw.json`。Gateway 网关会监视该文件并自动应用更改（参见[热重载](#config-hot-reload)）。
+  </Tab>
+</Tabs>
 
-## 自聊天模式（推荐用于群组控制）
+## 严格校验
 
-防止机器人在群组中响应 WhatsApp @提及（仅响应特定文本触发器）：
+<Warning>
+OpenClaw 只接受完全符合 schema 的配置。未知键、类型格式错误或无效值都会导致 Gateway 网关**拒绝启动**。唯一的根级例外是 `$schema`（字符串），这样编辑器就可以附加 JSON Schema 元数据。
+</Warning>
 
-```json5
-{
-  agents: {
-    defaults: { workspace: "~/.openclaw/workspace" },
-    list: [
-      {
-        id: "main",
-        groupChat: { mentionPatterns: ["@openclaw", "reisponde"] },
+当校验失败时：
+
+- Gateway 网关不会启动
+- 只有诊断命令可用（`openclaw doctor`、`openclaw logs`、`openclaw health`、`openclaw status`）
+- 运行 `openclaw doctor` 以查看具体问题
+- 运行 `openclaw doctor --fix`（或 `--yes`）以应用修复
+
+## 常见任务
+
+<AccordionGroup>
+  <Accordion title="设置一个渠道（WhatsApp、Telegram、Discord 等）">
+    每个渠道在 `channels.<provider>` 下都有各自的配置部分。设置步骤请参阅对应的渠道页面：
+
+    - [WhatsApp](/channels/whatsapp) — `channels.whatsapp`
+    - [Telegram](/channels/telegram) — `channels.telegram`
+    - [Discord](/channels/discord) — `channels.discord`
+    - [Slack](/channels/slack) — `channels.slack`
+    - [Signal](/channels/signal) — `channels.signal`
+    - [iMessage](/channels/imessage) — `channels.imessage`
+    - [Google Chat](/channels/googlechat) — `channels.googlechat`
+    - [Mattermost](/channels/mattermost) — `channels.mattermost`
+    - [MS Teams](/channels/msteams) — `channels.msteams`
+
+    所有渠道都共享同一种私信策略模式：
+
+    ```json5
+    {
+      channels: {
+        telegram: {
+          enabled: true,
+          botToken: "123:abc",
+          dmPolicy: "pairing",   // pairing | allowlist | open | disabled
+          allowFrom: ["tg:123"], // 仅用于 allowlist/open
+        },
       },
-    ],
-  },
-  channels: {
-    whatsapp: {
-      // 白名单仅适用于私聊；包含你自己的号码可启用自聊天模式。
-      allowFrom: ["+15555550123"],
-      groups: { "*": { requireMention: true } },
-    },
+    }
+    ```
+
+  </Accordion>
+
+  <Accordion title="选择并配置模型">
+    设置主模型和可选回退模型：
+
+    ```json5
+    {
+      agents: {
+        defaults: {
+          model: {
+            primary: "anthropic/claude-sonnet-4-5",
+            fallbacks: ["openai/gpt-5.2"],
+          },
+          models: {
+            "anthropic/claude-sonnet-4-5": { alias: "Sonnet" },
+            "openai/gpt-5.2": { alias: "GPT" },
+          },
+        },
+      },
+    }
+    ```
+
+    - `agents.defaults.models` 定义模型目录，并充当 `/model` 的允许列表。
+    - 模型引用使用 `provider/model` 格式（例如 `anthropic/claude-opus-4-6`）。
+    - `agents.defaults.imageMaxDimensionPx` 控制转录/工具图像的缩放下限（默认 `1200`）；在截图较多的运行中，较低的值通常会减少视觉 token 使用量。
+    - 关于在聊天中切换模型，请参阅 [Models CLI](/concepts/models)；关于凭证轮换和回退行为，请参阅 [Model Failover](/concepts/model-failover)。
+    - 关于自定义/自托管提供商，请参阅参考中的 [Custom providers](/gateway/configuration-reference#custom-providers-and-base-urls)。
+
+  </Accordion>
+
+  <Accordion title="控制谁可以向 bot 发消息">
+    私信访问通过每个渠道的 `dmPolicy` 控制：
+
+    - `"pairing"`（默认）：未知发送者会收到一次性配对码以供批准
+    - `"allowlist"`：仅允许 `allowFrom`（或已配对允许存储）中的发送者
+    - `"open"`：允许所有入站私信（需要 `allowFrom: ["*"]`）
+    - `"disabled"`：忽略所有私信
+
+    对于群组，请使用 `groupPolicy` + `groupAllowFrom` 或特定渠道的允许列表。
+
+    有关每个渠道的详细信息，请参阅 [完整参考](/gateway/configuration-reference#dm-and-group-access)。
+
+  </Accordion>
+
+  <Accordion title="设置群聊提及门控">
+    群组消息默认设置为**需要提及**。可按智能体配置模式：
+
+    ```json5
+    {
+      agents: {
+        list: [
+          {
+            id: "main",
+            groupChat: {
+              mentionPatterns: ["@openclaw", "openclaw"],
+            },
+          },
+        ],
+      },
+      channels: {
+        whatsapp: {
+          groups: { "*": { requireMention: true } },
+        },
+      },
+    }
+    ```
+
+    - **元数据提及**：原生 @ 提及（WhatsApp 点按提及、Telegram @bot 等）
+    - **文本模式**：`mentionPatterns` 中的安全正则模式
+    - 关于每个渠道的覆盖和自聊模式，请参阅 [完整参考](/gateway/configuration-reference#group-chat-mention-gating)。
+
+  </Accordion>
+
+  <Accordion title="调整 Gateway 网关渠道健康监控">
+    控制 Gateway 网关对看起来失活的渠道执行重启的积极程度：
+
+    ```json5
+    {
+      gateway: {
+        channelHealthCheckMinutes: 5,
+        channelStaleEventThresholdMinutes: 30,
+        channelMaxRestartsPerHour: 10,
+      },
+      channels: {
+        telegram: {
+          healthMonitor: { enabled: false },
+          accounts: {
+            alerts: {
+              healthMonitor: { enabled: true },
+            },
+          },
+        },
+      },
+    }
+    ```
+
+    - 设置 `gateway.channelHealthCheckMinutes: 0` 可全局禁用健康监控重启。
+    - `channelStaleEventThresholdMinutes` 应大于或等于检查间隔。
+    - 使用 `channels.<provider>.healthMonitor.enabled` 或 `channels.<provider>.accounts.<id>.healthMonitor.enabled`，可为单个渠道或账号禁用自动重启，而无需禁用全局监控。
+    - 有关运维调试，请参阅 [Health Checks](/gateway/health)；所有字段请参阅 [完整参考](/gateway/configuration-reference#gateway)。
+
+  </Accordion>
+
+  <Accordion title="配置会话和重置">
+    会话控制对话的连续性和隔离性：
+
+    ```json5
+    {
+      session: {
+        dmScope: "per-channel-peer",  // 推荐用于多用户
+        threadBindings: {
+          enabled: true,
+          idleHours: 24,
+          maxAgeHours: 0,
+        },
+        reset: {
+          mode: "daily",
+          atHour: 4,
+          idleMinutes: 120,
+        },
+      },
+    }
+    ```
+
+    - `dmScope`：`main`（共享）| `per-peer` | `per-channel-peer` | `per-account-channel-peer`
+    - `threadBindings`：线程绑定会话路由的全局默认值（Discord 支持 `/focus`、`/unfocus`、`/agents`、`/session idle` 和 `/session max-age`）。
+    - 关于作用域、身份链接和发送策略，请参阅 [Session Management](/concepts/session)。
+    - 所有字段请参阅 [完整参考](/gateway/configuration-reference#session)。
+
+  </Accordion>
+
+  <Accordion title="启用沙箱隔离">
+    在隔离的 Docker 容器中运行智能体会话：
+
+    ```json5
+    {
+      agents: {
+        defaults: {
+          sandbox: {
+            mode: "non-main",  // off | non-main | all
+            scope: "agent",    // session | agent | shared
+          },
+        },
+      },
+    }
+    ```
+
+    先构建镜像：`scripts/sandbox-setup.sh`
+
+    完整指南请参阅 [Sandboxing](/gateway/sandboxing)，所有选项请参阅 [完整参考](/gateway/configuration-reference#sandbox)。
+
+  </Accordion>
+
+  <Accordion title="为官方 iOS 构建启用基于 relay 的推送">
+    基于 relay 的推送在 `openclaw.json` 中配置。
+
+    在 Gateway 网关配置中设置：
+
+    ```json5
+    {
+      gateway: {
+        push: {
+          apns: {
+            relay: {
+              baseUrl: "https://relay.example.com",
+              // 可选。默认值：10000
+              timeoutMs: 10000,
+            },
+          },
+        },
+      },
+    }
+    ```
+
+    等价 CLI：
+
+    ```bash
+    openclaw config set gateway.push.apns.relay.baseUrl https://relay.example.com
+    ```
+
+    这会带来以下效果：
+
+    - 让 Gateway 网关通过外部 relay 发送 `push.test`、唤醒提示和重连唤醒。
+    - 使用由已配对 iOS 应用转发的、以注册为范围的发送授权。Gateway 网关不需要部署范围的 relay token。
+    - 将每个基于 relay 的注册绑定到 iOS 应用配对的 Gateway 网关身份，因此其他 Gateway 网关无法复用已存储的注册。
+    - 保持本地/手动 iOS 构建继续使用直接 APNs。基于 relay 的发送仅适用于通过 relay 注册的官方分发构建。
+    - 必须与官方/TestFlight iOS 构建中固化的 relay 基础 URL 一致，这样注册和发送流量才能到达同一个 relay 部署。
+
+    端到端流程：
+
+    1. 安装一个使用相同 relay 基础 URL 编译的官方/TestFlight iOS 构建。
+    2. 在 Gateway 网关上配置 `gateway.push.apns.relay.baseUrl`。
+    3. 将 iOS 应用与 Gateway 网关配对，并让节点会话和操作员会话都连接。
+    4. iOS 应用获取 Gateway 网关身份，使用 App Attest 加上应用回执向 relay 注册，然后将基于 relay 的 `push.apns.register` 负载发布到已配对的 Gateway 网关。
+    5. Gateway 网关存储 relay handle 和发送授权，然后将它们用于 `push.test`、唤醒提示和重连唤醒。
+
+    运维说明：
+
+    - 如果你将 iOS 应用切换到另一个 Gateway 网关，请重新连接应用，以便它发布绑定到该 Gateway 网关的新 relay 注册。
+    - 如果你发布了一个指向不同 relay 部署的新 iOS 构建，应用会刷新其缓存的 relay 注册，而不是复用旧的 relay 来源。
+
+    兼容性说明：
+
+    - `OPENCLAW_APNS_RELAY_BASE_URL` 和 `OPENCLAW_APNS_RELAY_TIMEOUT_MS` 仍可作为临时环境变量覆盖使用。
+    - `OPENCLAW_APNS_RELAY_ALLOW_HTTP=true` 仍是仅限 loopback 的开发逃生口；不要在配置中持久化 HTTP relay URL。
+
+    关于端到端流程，请参阅 [iOS App](/platforms/ios#relay-backed-push-for-official-builds)；关于 relay 安全模型，请参阅 [Authentication and trust flow](/platforms/ios#authentication-and-trust-flow)。
+
+  </Accordion>
+
+  <Accordion title="设置 heartbeat（周期性报到）">
+    ```json5
+    {
+      agents: {
+        defaults: {
+          heartbeat: {
+            every: "30m",
+            target: "last",
+          },
+        },
+      },
+    }
+    ```
+
+    - `every`：时长字符串（`30m`、`2h`）。设置为 `0m` 可禁用。
+    - `target`：`last` | `whatsapp` | `telegram` | `discord` | `none`
+    - `directPolicy`：用于私信风格 heartbeat 目标时，设为 `allow`（默认）或 `block`
+    - 完整指南请参阅 [Heartbeat](/gateway/heartbeat)。
+
+  </Accordion>
+
+  <Accordion title="配置 cron 作业">
+    ```json5
+    {
+      cron: {
+        enabled: true,
+        maxConcurrentRuns: 2,
+        sessionRetention: "24h",
+        runLog: {
+          maxBytes: "2mb",
+          keepLines: 2000,
+        },
+      },
+    }
+    ```
+
+    - `sessionRetention`：从 `sessions.json` 中清理已完成的隔离运行会话（默认 `24h`；设置为 `false` 可禁用）。
+    - `runLog`：按大小和保留行数清理 `cron/runs/<jobId>.jsonl`。
+    - 功能概览和 CLI 示例请参阅 [Cron jobs](/automation/cron-jobs)。
+
+  </Accordion>
+
+  <Accordion title="设置 webhooks（hooks）">
+    在 Gateway 网关上启用 HTTP webhook 端点：
+
+    ```json5
+    {
+      hooks: {
+        enabled: true,
+        token: "shared-secret",
+        path: "/hooks",
+        defaultSessionKey: "hook:ingress",
+        allowRequestSessionKey: false,
+        allowedSessionKeyPrefixes: ["hook:"],
+        mappings: [
+          {
+            match: { path: "gmail" },
+            action: "agent",
+            agentId: "main",
+            deliver: true,
+          },
+        ],
+      },
+    }
+    ```
+
+    安全说明：
+    - 将所有 hook/webhook 负载内容都视为不受信任输入。
+    - 保持不安全内容绕过标志处于禁用状态（`hooks.gmail.allowUnsafeExternalContent`、`hooks.mappings[].allowUnsafeExternalContent`），除非是在进行严格限定的调试。
+    - 对于由 hook 驱动的智能体，优先使用强大的现代模型层级和严格的工具策略（例如尽可能仅允许消息传递并启用沙箱隔离）。
+
+    所有映射选项和 Gmail 集成请参阅 [完整参考](/gateway/configuration-reference#hooks)。
+
+  </Accordion>
+
+  <Accordion title="配置多智能体路由">
+    运行多个彼此隔离的智能体，并使用独立的工作区和会话：
+
+    ```json5
+    {
+      agents: {
+        list: [
+          { id: "home", default: true, workspace: "~/.openclaw/workspace-home" },
+          { id: "work", workspace: "~/.openclaw/workspace-work" },
+        ],
+      },
+      bindings: [
+        { agentId: "home", match: { channel: "whatsapp", accountId: "personal" } },
+        { agentId: "work", match: { channel: "whatsapp", accountId: "biz" } },
+      ],
+    }
+    ```
+
+    关于绑定规则和每个智能体的访问配置文件，请参阅 [Multi-Agent](/concepts/multi-agent) 和 [完整参考](/gateway/configuration-reference#multi-agent-routing)。
+
+  </Accordion>
+
+  <Accordion title="将配置拆分到多个文件中（$include）">
+    使用 `$include` 组织大型配置：
+
+    ```json5
+    // ~/.openclaw/openclaw.json
+    {
+      gateway: { port: 18789 },
+      agents: { $include: "./agents.json5" },
+      broadcast: {
+        $include: ["./clients/a.json5", "./clients/b.json5"],
+      },
+    }
+    ```
+
+    - **单个文件**：替换所在对象
+    - **文件数组**：按顺序深度合并（后者优先）
+    - **同级键**：在 include 之后合并（覆盖已包含的值）
+    - **嵌套 include**：支持，最多 10 层深
+    - **相对路径**：相对于包含它的文件解析
+    - **错误处理**：对于缺失文件、解析错误和循环 include，会提供清晰错误
+
+  </Accordion>
+</AccordionGroup>
+
+## 配置热重载
+
+Gateway 网关会监视 `~/.openclaw/openclaw.json` 并自动应用更改 —— 对于大多数设置，无需手动重启。
+
+### 重载模式
+
+| 模式                 | 行为                                                     |
+| -------------------- | -------------------------------------------------------- |
+| **`hybrid`**（默认） | 立即热应用安全更改。对关键更改会自动重启。               |
+| **`hot`**            | 仅热应用安全更改。需要重启时会记录警告 —— 由你自行处理。 |
+| **`restart`**        | 任何配置更改都会重启 Gateway 网关，无论是否安全。        |
+| **`off`**            | 禁用文件监视。更改会在下一次手动重启时生效。             |
+
+```json5
+{
+  gateway: {
+    reload: { mode: "hybrid", debounceMs: 300 },
   },
 }
 ```
 
-## 配置包含（`$include`）
+### 哪些可以热应用，哪些需要重启
 
-使用 `$include` 指令将配置拆分为多个文件。适用于：
+大多数字段都可以无停机热应用。在 `hybrid` 模式下，需要重启的更改会自动处理。
 
-- 组织大型配置（例如按客户定义智能体）
-- 跨环境共享通用设置
-- 将敏感配置单独存放
+| 类别               | 字段                                                  | 需要重启？ |
+| ------------------ | ----------------------------------------------------- | ---------- |
+| 渠道               | `channels.*`、`web`（WhatsApp）— 所有内置和扩展渠道   | 否         |
+| 智能体和模型       | `agent`、`agents`、`models`、`routing`                | 否         |
+| 自动化             | `hooks`、`cron`、`agent.heartbeat`                    | 否         |
+| 会话和消息         | `session`、`messages`                                 | 否         |
+| 工具和媒体         | `tools`、`browser`、`skills`、`audio`、`talk`         | 否         |
+| UI 和杂项          | `ui`、`logging`、`identity`、`bindings`               | 否         |
+| Gateway 网关服务器 | `gateway.*`（port、bind、auth、tailscale、TLS、HTTP） | **是**     |
+| 基础设施           | `discovery`、`canvasHost`、`plugins`                  | **是**     |
 
-### 基本用法
+<Note>
+`gateway.reload` 和 `gateway.remote` 是例外 —— 更改它们**不会**触发重启。
+</Note>
 
-```json5
-// ~/.openclaw/openclaw.json
-{
-  gateway: { port: 18789 },
+## 配置 RPC（程序化更新）
 
-  // 包含单个文件（替换该键的值）
-  agents: { $include: "./agents.json5" },
+<Note>
+控制平面写入 RPC（`config.apply`、`config.patch`、`update.run`）按每个 `deviceId+clientIp` 限制为**每 60 秒 3 个请求**。当触发限制时，RPC 会返回 `UNAVAILABLE` 和 `retryAfterMs`。
+</Note>
 
-  // 包含多个文件（按顺序深度合并）
-  broadcast: {
-    $include: ["./clients/mueller.json5", "./clients/schmidt.json5"],
-  },
-}
-```
+<AccordionGroup>
+  <Accordion title="config.apply（完整替换）">
+    校验 + 写入完整配置，并在一步中重启 Gateway 网关。
 
-```json5
-// ~/.openclaw/agents.json5
-{
-  defaults: { sandbox: { mode: "all", scope: "session" } },
-  list: [{ id: "main", workspace: "~/.openclaw/workspace" }],
-}
-```
+    <Warning>
+    `config.apply` 会替换**整个配置**。部分更新请使用 `config.patch`，单个键请使用 `openclaw config set`。
+    </Warning>
 
-### 合并行为
+    参数：
 
-- **单个文件**：替换包含 `$include` 的对象
-- **文件数组**：按顺序深度合并（后面的文件覆盖前面的）
-- **带兄弟键**：兄弟键在包含之后合并（覆盖被包含的值）
-- **兄弟键 + 数组/原始值**：不支持（被包含的内容必须是对象）
+    - `raw`（string）— 整个配置的 JSON5 负载
+    - `baseHash`（可选）— 来自 `config.get` 的配置 hash（配置已存在时必需）
+    - `sessionKey`（可选）— 重启后唤醒 ping 使用的会话键
+    - `note`（可选）— 重启哨兵的说明
+    - `restartDelayMs`（可选）— 重启前延迟（默认 2000）
 
-```json5
-// 兄弟键覆盖被包含的值
-{
-  $include: "./base.json5", // { a: 1, b: 2 }
-  b: 99, // 结果：{ a: 1, b: 99 }
-}
-```
+    当已有重启处于待处理/进行中时，重启请求会被合并，并且两次重启周期之间会应用 30 秒冷却。
 
-### 嵌套包含
+    ```bash
+    openclaw gateway call config.get --params '{}'  # 捕获 payload.hash
+    openclaw gateway call config.apply --params '{
+      "raw": "{ agents: { defaults: { workspace: \"~/.openclaw/workspace\" } } }",
+      "baseHash": "<hash>",
+      "sessionKey": "agent:main:whatsapp:direct:+15555550123"
+    }'
+    ```
 
-被包含的文件本身可以包含 `$include` 指令（最多 10 层深度）：
+  </Accordion>
 
-```json5
-// clients/mueller.json5
-{
-  agents: { $include: "./mueller/agents.json5" },
-  broadcast: { $include: "./mueller/broadcast.json5" },
-}
-```
+  <Accordion title="config.patch（部分更新）">
+    将部分更新合并到现有配置中（JSON merge patch 语义）：
 
-### 路径解析
+    - 对象递归合并
+    - `null` 删除键
+    - 数组整体替换
 
-- **相对路径**：相对于包含文件解析
-- **绝对路径**：直接使用
-- **父目录**：`../` 引用按预期工作
+    参数：
 
-```json5
-{ "$include": "./sub/config.json5" }      // 相对路径
-{ "$include": "/etc/openclaw/base.json5" } // 绝对路径
-{ "$include": "../shared/common.json5" }   // 父目录
-```
+    - `raw`（string）— 仅包含要更改键的 JSON5
+    - `baseHash`（必需）— 来自 `config.get` 的配置 hash
+    - `sessionKey`、`note`、`restartDelayMs` — 与 `config.apply` 相同
 
-### 错误处理
+    重启行为与 `config.apply` 一致：合并待处理重启，并在两次重启周期之间应用 30 秒冷却。
 
-- **文件缺失**：显示清晰的错误及解析后的路径
-- **解析错误**：显示哪个被包含的文件出错
-- **循环包含**：检测并报告包含链
+    ```bash
+    openclaw gateway call config.patch --params '{
+      "raw": "{ channels: { telegram: { groups: { \"*\": { requireMention: false } } } } }",
+      "baseHash": "<hash>"
+    }'
+    ```
 
-### 示例：多客户法律事务设置
+  </Accordion>
+</AccordionGroup>
 
-```json5
-// ~/.openclaw/openclaw.json
-{
-  gateway: { port: 18789, auth: { token: "secret" } },
+## 环境变量
 
-  // 通用智能体默认值
-  agents: {
-    defaults: {
-      sandbox: { mode: "all", scope: "session" },
-    },
-    // 合并所有客户的智能体列表
-    list: { $include: ["./clients/mueller/agents.json5", "./clients/schmidt/agents.json5"] },
-  },
-
-  // 合并广播配置
-  broadcast: {
-    $include: ["./clients/mueller/broadcast.json5", "./clients/schmidt/broadcast.json5"],
-  },
-
-  channels: { whatsapp: { groupPolicy: "allowlist" } },
-}
-```
-
-```json5
-// ~/.openclaw/clients/mueller/agents.json5
-[
-  { id: "mueller-transcribe", workspace: "~/clients/mueller/transcribe" },
-  { id: "mueller-docs", workspace: "~/clients/mueller/docs" },
-]
-```
-
-```json5
-// ~/.openclaw/clients/mueller/broadcast.json5
-{
-  "120363403215116621@g.us": ["mueller-transcribe", "mueller-docs"],
-}
-```
-
-## 常用选项
-
-### 环境变量 + `.env`
-
-OpenClaw 从父进程（shell、launchd/systemd、CI 等）读取环境变量。
-
-此外，它还会加载：
+OpenClaw 会从父进程读取环境变量，另外还会读取：
 
 - 当前工作目录中的 `.env`（如果存在）
-- `~/.openclaw/.env`（即 `$OPENCLAW_STATE_DIR/.env`）作为全局回退 `.env`
+- `~/.openclaw/.env`（全局回退）
 
-两个 `.env` 文件都不会覆盖已有的环境变量。
-
-你也可以在配置中提供内联环境变量。这些仅在进程环境中缺少该键时应用（相同的不覆盖规则）：
+这两个文件都不会覆盖现有环境变量。你也可以在配置中设置内联环境变量：
 
 ```json5
 {
   env: {
     OPENROUTER_API_KEY: "sk-or-...",
-    vars: {
-      GROQ_API_KEY: "gsk-...",
-    },
+    vars: { GROQ_API_KEY: "gsk-..." },
   },
 }
 ```
 
-参见 [/environment](/help/environment) 了解优先级和来源详情。
-
-### `env.shellEnv`（可选）
-
-可选便利功能：如果启用且预期键均未设置，OpenClaw 会运行你的登录 shell 并仅导入缺失的预期键（不会覆盖）。
-这实际上会 source 你的 shell 配置文件。
+<Accordion title="Shell 环境变量导入（可选）">
+  如果启用，并且预期键名尚未设置，OpenClaw 会运行你的登录 shell，并且只导入缺失的键：
 
 ```json5
 {
   env: {
-    shellEnv: {
-      enabled: true,
-      timeoutMs: 15000,
-    },
+    shellEnv: { enabled: true, timeoutMs: 15000 },
   },
 }
 ```
 
-等效环境变量：
+环境变量等价项：`OPENCLAW_LOAD_SHELL_ENV=1`
+</Accordion>
 
-- `OPENCLAW_LOAD_SHELL_ENV=1`
-- `OPENCLAW_SHELL_ENV_TIMEOUT_MS=15000`
+<Accordion title="在配置值中替换环境变量">
+  你可以在任何配置字符串值中使用 `${VAR_NAME}` 引用环境变量：
 
-### 配置中的环境变量替换
+```json5
+{
+  gateway: { auth: { token: "${OPENCLAW_GATEWAY_TOKEN}" } },
+  models: { providers: { custom: { apiKey: "${CUSTOM_API_KEY}" } } },
+}
+```
 
-你可以在任何配置字符串值中使用 `${VAR_NAME}` 语法直接引用环境变量。变量在配置加载时、验证之前进行替换。
+规则：
+
+- 仅匹配大写名称：`[A-Z_][A-Z0-9_]*`
+- 缺失/为空的变量会在加载时抛出错误
+- 使用 `$${VAR}` 进行转义，以输出字面值
+- 在 `$include` 文件中也可用
+- 内联替换：`"${BASE}/v1"` → `"https://api.example.com/v1"`
+
+</Accordion>
+
+<Accordion title="Secret refs（env、file、exec）">
+  对于支持 SecretRef 对象的字段，你可以使用：
 
 ```json5
 {
   models: {
     providers: {
-      "vercel-gateway": {
-        apiKey: "${VERCEL_GATEWAY_API_KEY}",
-      },
+      openai: { apiKey: { source: "env", provider: "default", id: "OPENAI_API_KEY" } },
     },
   },
-  gateway: {
-    auth: {
-      token: "${OPENCLAW_GATEWAY_TOKEN}",
-    },
-  },
-}
-```
-
-**规则：**
-
-- 仅匹配大写环境变量名：`[A-Z_][A-Z0-9_]*`
-- 缺失或为空的环境变量在配置加载时会抛出错误
-- 使用 `$${VAR}` 转义以输出字面量 `${VAR}`
-- 与 `$include` 配合使用（被包含的文件也会进行替换）
-
-**内联替换：**
-
-```json5
-{
-  models: {
-    providers: {
-      custom: {
-        baseUrl: "${CUSTOM_API_BASE}/v1", // → "https://api.example.com/v1"
-      },
-    },
-  },
-}
-```
-
-### 认证存储（OAuth + API 密钥）
-
-OpenClaw 在以下位置存储**每个智能体的**认证配置文件（OAuth + API 密钥）：
-
-- `<agentDir>/auth-profiles.json`（默认：`~/.openclaw/agents/<agentId>/agent/auth-profiles.json`）
-
-另请参阅：[/concepts/oauth](/concepts/oauth)
-
-旧版 OAuth 导入：
-
-- `~/.openclaw/credentials/oauth.json`（或 `$OPENCLAW_STATE_DIR/credentials/oauth.json`）
-
-内置 Pi 智能体在以下位置维护运行时缓存：
-
-- `<agentDir>/auth.json`（自动管理；请勿手动编辑）
-
-旧版智能体目录（多智能体之前）：
-
-- `~/.openclaw/agent/*`（由 `openclaw doctor` 迁移到 `~/.openclaw/agents/<defaultAgentId>/agent/*`）
-
-覆盖：
-
-- OAuth 目录（仅旧版导入）：`OPENCLAW_OAUTH_DIR`
-- 智能体目录（默认智能体根目录覆盖）：`OPENCLAW_AGENT_DIR`（推荐）、`PI_CODING_AGENT_DIR`（旧版）
-
-首次使用时，OpenClaw 会将 `oauth.json` 条目导入到 `auth-profiles.json` 中。
-
-### `auth`
-
-认证配置文件的可选元数据。这**不**存储密钥；它将配置文件 ID 映射到提供商 + 模式（以及可选的邮箱），并定义用于故障转移的提供商轮换顺序。
-
-```json5
-{
-  auth: {
-    profiles: {
-      "anthropic:me@example.com": { provider: "anthropic", mode: "oauth", email: "me@example.com" },
-      "anthropic:work": { provider: "anthropic", mode: "api_key" },
-    },
-    order: {
-      anthropic: ["anthropic:me@example.com", "anthropic:work"],
-    },
-  },
-}
-```
-
-### `agents.list[].identity`
-
-用于默认值和用户体验的可选每智能体身份标识。由 macOS 新手引导助手写入。
-
-如果设置了，OpenClaw 会推导默认值（仅在你未明确设置时）：
-
-- `messages.ackReaction` 来自**活跃智能体**的 `identity.emoji`（回退到 👀）
-- `agents.list[].groupChat.mentionPatterns` 来自智能体的 `identity.name`/`identity.emoji`（因此 "@Samantha" 在 Telegram/Slack/Discord/Google Chat/iMessage/WhatsApp 的群组中均可使用）
-- `identity.avatar` 接受工作区相对图片路径或远程 URL/data URL。本地文件必须位于智能体工作区内。
-
-`identity.avatar` 接受：
-
-- 工作区相对路径（必须在智能体工作区内）
-- `http(s)` URL
-- `data:` URI
-
-```json5
-{
-  agents: {
-    list: [
-      {
-        id: "main",
-        identity: {
-          name: "Samantha",
-          theme: "helpful sloth",
-          emoji: "🦥",
-          avatar: "avatars/samantha.png",
-        },
-      },
-    ],
-  },
-}
-```
-
-### `wizard`
-
-由 CLI 向导（`onboard`、`configure`、`doctor`）写入的元数据。
-
-```json5
-{
-  wizard: {
-    lastRunAt: "2026-01-01T00:00:00.000Z",
-    lastRunVersion: "2026.1.4",
-    lastRunCommit: "abc1234",
-    lastRunCommand: "configure",
-    lastRunMode: "local",
-  },
-}
-```
-
-### `logging`
-
-- 默认日志文件：`/tmp/openclaw/openclaw-YYYY-MM-DD.log`
-- 如需稳定路径，将 `logging.file` 设为 `/tmp/openclaw/openclaw.log`。
-- 控制台输出可通过以下方式单独调整：
-  - `logging.consoleLevel`（默认 `info`，使用 `--verbose` 时提升为 `debug`）
-  - `logging.consoleStyle`（`pretty` | `compact` | `json`）
-- 工具摘要可以脱敏以避免泄露密钥：
-  - `logging.redactSensitive`（`off` | `tools`，默认：`tools`）
-  - `logging.redactPatterns`（正则表达式字符串数组；覆盖默认值）
-
-```json5
-{
-  logging: {
-    level: "info",
-    file: "/tmp/openclaw/openclaw.log",
-    consoleLevel: "info",
-    consoleStyle: "pretty",
-    redactSensitive: "tools",
-    redactPatterns: [
-      // 示例：用自定义规则覆盖默认值。
-      "\\bTOKEN\\b\\s*[=:]\\s*([\"']?)([^\\s\"']+)\\1",
-      "/\\bsk-[A-Za-z0-9_-]{8,}\\b/gi",
-    ],
-  },
-}
-```
-
-### `channels.whatsapp.dmPolicy`
-
-控制 WhatsApp 私聊（私信）的处理方式：
-
-- `"pairing"`（默认）：未知发送者会收到配对码；所有者必须批准
-- `"allowlist"`：仅允许 `channels.whatsapp.allowFrom`（或已配对的允许存储）中的发送者
-- `"open"`：允许所有入站私聊（**需要** `channels.whatsapp.allowFrom` 包含 `"*"`）
-- `"disabled"`：忽略所有入站私聊
-
-配对码在 1 小时后过期；机器人仅在创建新请求时发送配对码。待处理的私聊配对请求默认每个渠道上限为 **3 个**。
-
-配对批准：
-
-- `openclaw pairing list whatsapp`
-- `openclaw pairing approve whatsapp <code>`
-
-### `channels.whatsapp.allowFrom`
-
-允许触发 WhatsApp 自动回复的 E.164 电话号码白名单（**仅限私聊**）。
-如果为空且 `channels.whatsapp.dmPolicy="pairing"`，未知发送者将收到配对码。
-对于群组，使用 `channels.whatsapp.groupPolicy` + `channels.whatsapp.groupAllowFrom`。
-
-```json5
-{
-  channels: {
-    whatsapp: {
-      dmPolicy: "pairing", // pairing | allowlist | open | disabled
-      allowFrom: ["+15555550123", "+447700900123"],
-      textChunkLimit: 4000, // 可选的出站分块大小（字符数）
-      chunkMode: "length", // 可选的分块模式（length | newline）
-      mediaMaxMb: 50, // 可选的入站媒体上限（MB）
-    },
-  },
-}
-```
-
-### `channels.whatsapp.sendReadReceipts`
-
-控制入站 WhatsApp 消息是否标记为已读（蓝色双勾）。默认：`true`。
-
-自聊天模式始终跳过已读回执，即使已启用。
-
-每账号覆盖：`channels.whatsapp.accounts.<id>.sendReadReceipts`。
-
-```json5
-{
-  channels: {
-    whatsapp: { sendReadReceipts: false },
-  },
-}
-```
-
-### `channels.whatsapp.accounts`（多账号）
-
-在一个 Gateway 网关中运行多个 WhatsApp 账号：
-
-```json5
-{
-  channels: {
-    whatsapp: {
-      accounts: {
-        default: {}, // 可选；保持默认 id 稳定
-        personal: {},
-        biz: {
-          // 可选覆盖。默认：~/.openclaw/credentials/whatsapp/biz
-          // authDir: "~/.openclaw/credentials/whatsapp/biz",
-        },
-      },
-    },
-  },
-}
-```
-
-说明：
-
-- 出站命令默认使用 `default` 账号（如果存在）；否则使用第一个配置的账号 id（排序后）。
-- 旧版单账号 Baileys 认证目录由 `openclaw doctor` 迁移到 `whatsapp/default`。
-
-### `channels.telegram.accounts` / `channels.discord.accounts` / `channels.googlechat.accounts` / `channels.slack.accounts` / `channels.mattermost.accounts` / `channels.signal.accounts` / `channels.imessage.accounts`
-
-每个渠道运行多个账号（每个账号有自己的 `accountId` 和可选的 `name`）：
-
-```json5
-{
-  channels: {
-    telegram: {
-      accounts: {
-        default: {
-          name: "Primary bot",
-          botToken: "123456:ABC...",
-        },
-        alerts: {
-          name: "Alerts bot",
-          botToken: "987654:XYZ...",
-        },
-      },
-    },
-  },
-}
-```
-
-说明：
-
-- 省略 `accountId` 时使用 `default`（CLI + 路由）。
-- 环境变量 token 仅适用于**默认**账号。
-- 基础渠道设置（群组策略、提及门控等）适用于所有账号，除非在每个账号中单独覆盖。
-- 使用 `bindings[].match.accountId` 将每个账号路由到不同的 agents.defaults。
-
-### 群聊提及门控（`agents.list[].groupChat` + `messages.groupChat`）
-
-群消息默认**需要提及**（元数据提及或正则模式）。适用于 WhatsApp、Telegram、Discord、Google Chat 和 iMessage 群聊。
-
-**提及类型：**
-
-- **元数据提及**：原生平台 @提及（例如 WhatsApp 点按提及）。在 WhatsApp 自聊天模式中被忽略（参见 `channels.whatsapp.allowFrom`）。
-- **文本模式**：在 `agents.list[].groupChat.mentionPatterns` 中定义的正则模式。无论自聊天模式如何始终检查。
-- 提及门控仅在可以检测提及时执行（原生提及或至少一个 `mentionPattern`）。
-
-```json5
-{
-  messages: {
-    groupChat: { historyLimit: 50 },
-  },
-  agents: {
-    list: [{ id: "main", groupChat: { mentionPatterns: ["@openclaw", "openclaw"] } }],
-  },
-}
-```
-
-`messages.groupChat.historyLimit` 设置群组历史上下文的全局默认值。渠道可以通过 `channels.<channel>.historyLimit`（或多账号的 `channels.<channel>.accounts.*.historyLimit`）覆盖。设为 `0` 禁用历史包装。
-
-#### 私聊历史限制
-
-私聊对话使用由智能体管理的基于会话的历史。你可以限制每个私聊会话保留的用户轮次数：
-
-```json5
-{
-  channels: {
-    telegram: {
-      dmHistoryLimit: 30, // 将私聊会话限制为 30 个用户轮次
-      dms: {
-        "123456789": { historyLimit: 50 }, // 每用户覆盖（用户 ID）
-      },
-    },
-  },
-}
-```
-
-解析顺序：
-
-1. 每私聊覆盖：`channels.<provider>.dms[userId].historyLimit`
-2. 提供商默认值：`channels.<provider>.dmHistoryLimit`
-3. 无限制（保留所有历史）
-
-支持的提供商：`telegram`、`whatsapp`、`discord`、`slack`、`signal`、`imessage`、`msteams`。
-
-每智能体覆盖（设置后优先，即使为 `[]`）：
-
-```json5
-{
-  agents: {
-    list: [
-      { id: "work", groupChat: { mentionPatterns: ["@workbot", "\\+15555550123"] } },
-      { id: "personal", groupChat: { mentionPatterns: ["@homebot", "\\+15555550999"] } },
-    ],
-  },
-}
-```
-
-提及门控默认值按渠道设置（`channels.whatsapp.groups`、`channels.telegram.groups`、`channels.imessage.groups`、`channels.discord.guilds`）。当设置了 `*.groups` 时，它也充当群组白名单；包含 `"*"` 以允许所有群组。
-
-仅响应特定文本触发器（忽略原生 @提及）：
-
-```json5
-{
-  channels: {
-    whatsapp: {
-      // 包含你自己的号码以启用自聊天模式（忽略原生 @提及）。
-      allowFrom: ["+15555550123"],
-      groups: { "*": { requireMention: true } },
-    },
-  },
-  agents: {
-    list: [
-      {
-        id: "main",
-        groupChat: {
-          // 仅这些文本模式会触发响应
-          mentionPatterns: ["reisponde", "@openclaw"],
-        },
-      },
-    ],
-  },
-}
-```
-
-### 群组策略（按渠道）
-
-使用 `channels.*.groupPolicy` 控制是否接受群组/房间消息：
-
-```json5
-{
-  channels: {
-    whatsapp: {
-      groupPolicy: "allowlist",
-      groupAllowFrom: ["+15551234567"],
-    },
-    telegram: {
-      groupPolicy: "allowlist",
-      groupAllowFrom: ["tg:123456789", "@alice"],
-    },
-    signal: {
-      groupPolicy: "allowlist",
-      groupAllowFrom: ["+15551234567"],
-    },
-    imessage: {
-      groupPolicy: "allowlist",
-      groupAllowFrom: ["chat_id:123"],
-    },
-    msteams: {
-      groupPolicy: "allowlist",
-      groupAllowFrom: ["user@org.com"],
-    },
-    discord: {
-      groupPolicy: "allowlist",
-      guilds: {
-        GUILD_ID: {
-          channels: { help: { allow: true } },
-        },
-      },
-    },
-    slack: {
-      groupPolicy: "allowlist",
-      channels: { "#general": { allow: true } },
-    },
-  },
-}
-```
-
-说明：
-
-- `"open"`：群组绕过白名单；提及门控仍然适用。
-- `"disabled"`：阻止所有群组/房间消息。
-- `"allowlist"`：仅允许匹配配置白名单的群组/房间。
-- `channels.defaults.groupPolicy` 设置提供商的 `groupPolicy` 未设置时的默认值。
-- WhatsApp/Telegram/Signal/iMessage/Microsoft Teams 使用 `groupAllowFrom`（回退：显式 `allowFrom`）。
-- Discord/Slack 使用渠道白名单（`channels.discord.guilds.*.channels`、`channels.slack.channels`）。
-- 群组私聊（Discord/Slack）仍由 `dm.groupEnabled` + `dm.groupChannels` 控制。
-- 默认为 `groupPolicy: "allowlist"`（除非被 `channels.defaults.groupPolicy` 覆盖）；如果未配置白名单，群组消息将被阻止。
-
-### 多智能体路由（`agents.list` + `bindings`）
-
-在一个 Gateway 网关中运行多个隔离的智能体（独立的工作区、`agentDir`、会话）。
-入站消息通过绑定路由到智能体。
-
-- `agents.list[]`：每智能体覆盖。
-  - `id`：稳定的智能体 id（必需）。
-  - `default`：可选；当设置多个时，第一个获胜并记录警告。
-    如果未设置，列表中的**第一个条目**为默认智能体。
-  - `name`：智能体的显示名称。
-  - `workspace`：默认 `~/.openclaw/workspace-<agentId>`（对于 `main`，回退到 `agents.defaults.workspace`）。
-  - `agentDir`：默认 `~/.openclaw/agents/<agentId>/agent`。
-  - `model`：每智能体默认模型，覆盖该智能体的 `agents.defaults.model`。
-    - 字符串形式：`"provider/model"`，仅覆盖 `agents.defaults.model.primary`
-    - 对象形式：`{ primary, fallbacks }`（fallbacks 覆盖 `agents.defaults.model.fallbacks`；`[]` 为该智能体禁用全局回退）
-  - `identity`：每智能体的名称/主题/表情（用于提及模式 + 确认反应）。
-  - `groupChat`：每智能体的提及门控（`mentionPatterns`）。
-  - `sandbox`：每智能体的沙箱配置（覆盖 `agents.defaults.sandbox`）。
-    - `mode`：`"off"` | `"non-main"` | `"all"`
-    - `workspaceAccess`：`"none"` | `"ro"` | `"rw"`
-    - `scope`：`"session"` | `"agent"` | `"shared"`
-    - `workspaceRoot`：自定义沙箱工作区根目录
-    - `docker`：每智能体 docker 覆盖（例如 `image`、`network`、`env`、`setupCommand`、限制；`scope: "shared"` 时忽略）
-    - `browser`：每智能体沙箱浏览器覆盖（`scope: "shared"` 时忽略）
-    - `prune`：每智能体沙箱清理覆盖（`scope: "shared"` 时忽略）
-  - `subagents`：每智能体子智能体默认值。
-    - `allowAgents`：允许从此智能体执行 `sessions_spawn` 的智能体 id 白名单（`["*"]` = 允许任何；默认：仅同一智能体）
-  - `tools`：每智能体工具限制（在沙箱工具策略之前应用）。
-    - `profile`：基础工具配置文件（在 allow/deny 之前应用）
-    - `allow`：允许的工具名称数组
-    - `deny`：拒绝的工具名称数组（deny 优先）
-- `agents.defaults`：共享的智能体默认值（模型、工作区、沙箱等）。
-- `bindings[]`：将入站消息路由到 `agentId`。
-  - `match.channel`（必需）
-  - `match.accountId`（可选；`*` = 任何账号；省略 = 默认账号）
-  - `match.peer`（可选；`{ kind: dm|group|channel, id }`）
-  - `match.guildId` / `match.teamId`（可选；渠道特定）
-
-确定性匹配顺序：
-
-1. `match.peer`
-2. `match.guildId`
-3. `match.teamId`
-4. `match.accountId`（精确匹配，无 peer/guild/team）
-5. `match.accountId: "*"`（渠道范围，无 peer/guild/team）
-6. 默认智能体（`agents.list[].default`，否则第一个列表条目，否则 `"main"`）
-
-在每个匹配层级内，`bindings` 中的第一个匹配条目获胜。
-
-#### 每智能体访问配置（多智能体）
-
-每个智能体可以携带自己的沙箱 + 工具策略。用于在一个 Gateway 网关中混合访问级别：
-
-- **完全访问**（个人智能体）
-- **只读**工具 + 工作区
-- **无文件系统访问**（仅消息/会话工具）
-
-参见[多智能体沙箱与工具](/tools/multi-agent-sandbox-tools)了解优先级和更多示例。
-
-完全访问（无沙箱）：
-
-```json5
-{
-  agents: {
-    list: [
-      {
-        id: "personal",
-        workspace: "~/.openclaw/workspace-personal",
-        sandbox: { mode: "off" },
-      },
-    ],
-  },
-}
-```
-
-只读工具 + 只读工作区：
-
-```json5
-{
-  agents: {
-    list: [
-      {
-        id: "family",
-        workspace: "~/.openclaw/workspace-family",
-        sandbox: {
-          mode: "all",
-          scope: "agent",
-          workspaceAccess: "ro",
-        },
-        tools: {
-          allow: [
-            "read",
-            "sessions_list",
-            "sessions_history",
-            "sessions_send",
-            "sessions_spawn",
-            "session_status",
-          ],
-          deny: ["write", "edit", "apply_patch", "exec", "process", "browser"],
-        },
-      },
-    ],
-  },
-}
-```
-
-无文件系统访问（启用消息/会话工具）：
-
-```json5
-{
-  agents: {
-    list: [
-      {
-        id: "public",
-        workspace: "~/.openclaw/workspace-public",
-        sandbox: {
-          mode: "all",
-          scope: "agent",
-          workspaceAccess: "none",
-        },
-        tools: {
-          allow: [
-            "sessions_list",
-            "sessions_history",
-            "sessions_send",
-            "sessions_spawn",
-            "session_status",
-            "whatsapp",
-            "telegram",
-            "slack",
-            "discord",
-            "gateway",
-          ],
-          deny: [
-            "read",
-            "write",
-            "edit",
-            "apply_patch",
-            "exec",
-            "process",
-            "browser",
-            "canvas",
-            "nodes",
-            "cron",
-            "gateway",
-            "image",
-          ],
-        },
-      },
-    ],
-  },
-}
-```
-
-示例：两个 WhatsApp 账号 → 两个智能体：
-
-```json5
-{
-  agents: {
-    list: [
-      { id: "home", default: true, workspace: "~/.openclaw/workspace-home" },
-      { id: "work", workspace: "~/.openclaw/workspace-work" },
-    ],
-  },
-  bindings: [
-    { agentId: "home", match: { channel: "whatsapp", accountId: "personal" } },
-    { agentId: "work", match: { channel: "whatsapp", accountId: "biz" } },
-  ],
-  channels: {
-    whatsapp: {
-      accounts: {
-        personal: {},
-        biz: {},
-      },
-    },
-  },
-}
-```
-
-### `tools.agentToAgent`（可选）
-
-智能体间消息传递为可选功能：
-
-```json5
-{
-  tools: {
-    agentToAgent: {
-      enabled: false,
-      allow: ["home", "work"],
-    },
-  },
-}
-```
-
-### `messages.queue`
-
-控制智能体运行已在执行时入站消息的行为。
-
-```json5
-{
-  messages: {
-    queue: {
-      mode: "collect", // steer | followup | collect | steer-backlog (steer+backlog ok) | interrupt (queue=steer legacy)
-      debounceMs: 1000,
-      cap: 20,
-      drop: "summarize", // old | new | summarize
-      byChannel: {
-        whatsapp: "collect",
-        telegram: "collect",
-        discord: "collect",
-        imessage: "collect",
-        webchat: "collect",
-      },
-    },
-  },
-}
-```
-
-### `messages.inbound`
-
-防抖**同一发送者**的快速入站消息，使多条连续消息合并为一个智能体轮次。防抖按渠道 + 对话进行范围限定，并使用最新消息进行回复线程/ID。
-
-```json5
-{
-  messages: {
-    inbound: {
-      debounceMs: 2000, // 0 禁用
-      byChannel: {
-        whatsapp: 5000,
-        slack: 1500,
-        discord: 1500,
-      },
-    },
-  },
-}
-```
-
-说明：
-
-- 防抖仅批量处理**纯文本**消息；媒体/附件立即刷新。
-- 控制命令（例如 `/queue`、`/new`）绕过防抖，保持独立。
-
-### `commands`（聊天命令处理）
-
-控制跨连接器的聊天命令启用方式。
-
-```json5
-{
-  commands: {
-    native: "auto", // 在支持的平台上注册原生命令（auto）
-    text: true, // 解析聊天消息中的斜杠命令
-    bash: false, // 允许 !（别名：/bash）（仅限主机；需要 tools.elevated 白名单）
-    bashForegroundMs: 2000, // bash 前台窗口（0 立即后台运行）
-    config: false, // 允许 /config（写入磁盘）
-    debug: false, // 允许 /debug（仅运行时覆盖）
-    restart: false, // 允许 /restart + gateway 重启工具
-    useAccessGroups: true, // 对命令执行访问组白名单/策略
-  },
-}
-```
-
-说明：
-
-- 文本命令必须作为**独立**消息发送，并使用前导 `/`（无纯文本别名）。
-- `commands.text: false` 禁用解析聊天消息中的命令。
-- `commands.native: "auto"`（默认）为 Discord/Telegram 启用原生命令，Slack 保持关闭；不支持的渠道保持纯文本。
-- 设为 `commands.native: true|false` 强制全部开启或关闭，或按渠道覆盖 `channels.discord.commands.native`、`channels.telegram.commands.native`、`channels.slack.commands.native`（bool 或 `"auto"`）。`false` 在启动时清除 Discord/Telegram 上先前注册的命令；Slack 命令在 Slack 应用中管理。
-- `channels.telegram.customCommands` 添加额外的 Telegram 机器人菜单项。名称会被规范化；与原生命令冲突的会被忽略。
-- `commands.bash: true` 启用 `! <cmd>` 运行主机 shell 命令（`/bash <cmd>` 也可作为别名）。需要 `tools.elevated.enabled` 并在 `tools.elevated.allowFrom.<channel>` 中添加发送者白名单。
-- `commands.bashForegroundMs` 控制 bash 在后台运行前等待的时间。当 bash 任务正在运行时，新的 `! <cmd>` 请求会被拒绝（一次一个）。
-- `commands.config: true` 启用 `/config`（读写 `openclaw.json`）。
-- `channels.<provider>.configWrites` 控制由该渠道发起的配置变更（默认：true）。适用于 `/config set|unset` 以及提供商特定的自动迁移（Telegram 超级群组 ID 变更、Slack 频道 ID 变更）。
-- `commands.debug: true` 启用 `/debug`（仅运行时覆盖）。
-- `commands.restart: true` 启用 `/restart` 和 gateway 工具重启动作。
-- `commands.useAccessGroups: false` 允许命令绕过访问组白名单/策略。
-- 斜杠命令和指令仅对**已授权发送者**有效。授权来自渠道白名单/配对以及 `commands.useAccessGroups`。
-
-### `web`（WhatsApp Web 渠道运行时）
-
-WhatsApp 通过 Gateway 网关的 Web 渠道（Baileys Web）运行。当存在已链接的会话时自动启动。
-设置 `web.enabled: false` 使其默认关闭。
-
-```json5
-{
-  web: {
-    enabled: true,
-    heartbeatSeconds: 60,
-    reconnect: {
-      initialMs: 2000,
-      maxMs: 120000,
-      factor: 1.4,
-      jitter: 0.2,
-      maxAttempts: 0,
-    },
-  },
-}
-```
-
-### `channels.telegram`（机器人传输）
-
-OpenClaw 仅在存在 `channels.telegram` 配置段时启动 Telegram。机器人 token 从 `channels.telegram.botToken`（或 `channels.telegram.tokenFile`）解析，`TELEGRAM_BOT_TOKEN` 作为默认账号的回退。
-设置 `channels.telegram.enabled: false` 禁用自动启动。
-多账号支持在 `channels.telegram.accounts` 下（参见上方多账号部分）。环境变量 token 仅适用于默认账号。
-设置 `channels.telegram.configWrites: false` 阻止 Telegram 发起的配置写入（包括超级群组 ID 迁移和 `/config set|unset`）。
-
-```json5
-{
-  channels: {
-    telegram: {
-      enabled: true,
-      botToken: "your-bot-token",
-      dmPolicy: "pairing", // pairing | allowlist | open | disabled
-      allowFrom: ["tg:123456789"], // 可选；"open" 需要 ["*"]
-      groups: {
-        "*": { requireMention: true },
-        "-1001234567890": {
-          allowFrom: ["@admin"],
-          systemPrompt: "Keep answers brief.",
-          topics: {
-            "99": {
-              requireMention: false,
-              skills: ["search"],
-              systemPrompt: "Stay on topic.",
-            },
-          },
-        },
-      },
-      customCommands: [
-        { command: "backup", description: "Git backup" },
-        { command: "generate", description: "Create an image" },
-      ],
-      historyLimit: 50, // 包含最近 N 条群消息作为上下文（0 禁用）
-      replyToMode: "first", // off | first | all
-      linkPreview: true, // 切换出站链接预览
-      streamMode: "partial", // off | partial | block（草稿流式传输；与分块流式传输分开）
-      draftChunk: {
-        // 可选；仅用于 streamMode=block
-        minChars: 200,
-        maxChars: 800,
-        breakPreference: "paragraph", // paragraph | newline | sentence
-      },
-      actions: { reactions: true, sendMessage: true }, // 工具动作开关（false 禁用）
-      reactionNotifications: "own", // off | own | all
-      mediaMaxMb: 5,
-      retry: {
-        // 出站重试策略
-        attempts: 3,
-        minDelayMs: 400,
-        maxDelayMs: 30000,
-        jitter: 0.1,
-      },
-      network: {
-        // 传输覆盖
-        autoSelectFamily: false,
-      },
-      proxy: "socks5://localhost:9050",
-      webhookUrl: "https://example.com/telegram-webhook", // 需要 webhookSecret
-      webhookSecret: "secret",
-      webhookPath: "/telegram-webhook",
-    },
-  },
-}
-```
-
-草稿流式传输说明：
-
-- 使用 Telegram `sendMessageDraft`（草稿气泡，不是真正的消息）。
-- 需要**私聊话题**（私信 中的 message_thread_id；机器人已启用话题）。
-- `/reasoning stream` 将推理过程流式传输到草稿中，然后发送最终答案。
-  重试策略默认值和行为记录在[重试策略](/concepts/retry)中。
-
-### `channels.discord`（机器人传输）
-
-通过设置机器人 token 和可选的门控配置 Discord 机器人：
-多账号支持在 `channels.discord.accounts` 下（参见上方多账号部分）。环境变量 token 仅适用于默认账号。
-
-```json5
-{
-  channels: {
-    discord: {
-      enabled: true,
-      token: "your-bot-token",
-      mediaMaxMb: 8, // 限制入站媒体大小
-      allowBots: false, // 允许机器人发送的消息
-      actions: {
-        // 工具动作开关（false 禁用）
-        reactions: true,
-        stickers: true,
-        polls: true,
-        permissions: true,
-        messages: true,
-        threads: true,
-        pins: true,
-        search: true,
-        memberInfo: true,
-        roleInfo: true,
-        roles: false,
-        channelInfo: true,
-        voiceStatus: true,
-        events: true,
-        moderation: false,
-      },
-      replyToMode: "off", // off | first | all
-      dm: {
-        enabled: true, // 设为 false 时禁用所有私聊
-        policy: "pairing", // pairing | allowlist | open | disabled
-        allowFrom: ["1234567890", "steipete"], // 可选私聊白名单（"open" 需要 ["*"]）
-        groupEnabled: false, // 启用群组私聊
-        groupChannels: ["openclaw-dm"], // 可选群组私聊白名单
-      },
-      guilds: {
-        "123456789012345678": {
-          // 服务器 id（推荐）或 slug
-          slug: "friends-of-openclaw",
-          requireMention: false, // 每服务器默认值
-          reactionNotifications: "own", // off | own | all | allowlist
-          users: ["987654321098765432"], // 可选的每服务器用户白名单
-          channels: {
-            general: { allow: true },
-            help: {
-              allow: true,
-              requireMention: true,
-              users: ["987654321098765432"],
-              skills: ["docs"],
-              systemPrompt: "Short answers only.",
-            },
-          },
-        },
-      },
-      historyLimit: 20, // 包含最近 N 条服务器消息作为上下文
-      textChunkLimit: 2000, // 可选出站文本分块大小（字符数）
-      chunkMode: "length", // 可选分块模式（length | newline）
-      maxLinesPerMessage: 17, // 每条消息的软最大行数（Discord UI 裁剪）
-      retry: {
-        // 出站重试策略
-        attempts: 3,
-        minDelayMs: 500,
-        maxDelayMs: 30000,
-        jitter: 0.1,
-      },
-    },
-  },
-}
-```
-
-OpenClaw 仅在存在 `channels.discord` 配置段时启动 Discord。token 从 `channels.discord.token` 解析，`DISCORD_BOT_TOKEN` 作为默认账号的回退（除非 `channels.discord.enabled` 为 `false`）。在为 cron/CLI 命令指定投递目标时，使用 `user:<id>`（私聊）或 `channel:<id>`（服务器频道）；裸数字 ID 有歧义会被拒绝。
-服务器 slug 为小写，空格替换为 `-`；频道键使用 slug 化的频道名称（无前导 `#`）。建议使用服务器 id 作为键以避免重命名歧义。
-机器人发送的消息默认被忽略。通过 `channels.discord.allowBots` 启用（自身消息仍会被过滤以防止自回复循环）。
-反应通知模式：
-
-- `off`：无反应事件。
-- `own`：机器人自身消息上的反应（默认）。
-- `all`：所有消息上的所有反应。
-- `allowlist`：`guilds.<id>.users` 中的用户在所有消息上的反应（空列表禁用）。
-  出站文本按 `channels.discord.textChunkLimit`（默认 2000）分块。设置 `channels.discord.chunkMode="newline"` 在长度分块前按空行（段落边界）分割。Discord 客户端可能裁剪过高的消息，因此 `channels.discord.maxLinesPerMessage`（默认 17）即使在 2000 字符以内也会分割长多行回复。
-  重试策略默认值和行为记录在[重试策略](/concepts/retry)中。
-
-### `channels.googlechat`（Chat API webhook）
-
-Google Chat 通过 HTTP webhook 运行，使用应用级认证（服务账号）。
-多账号支持在 `channels.googlechat.accounts` 下（参见上方多账号部分）。环境变量仅适用于默认账号。
-
-```json5
-{
-  channels: {
-    googlechat: {
-      enabled: true,
-      serviceAccountFile: "/path/to/service-account.json",
-      audienceType: "app-url", // app-url | project-number
-      audience: "https://gateway.example.com/googlechat",
-      webhookPath: "/googlechat",
-      botUser: "users/1234567890", // 可选；改善提及检测
-      dm: {
-        enabled: true,
-        policy: "pairing", // pairing | allowlist | open | disabled
-        allowFrom: ["users/1234567890"], // 可选；"open" 需要 ["*"]
-      },
-      groupPolicy: "allowlist",
-      groups: {
-        "spaces/AAAA": { allow: true, requireMention: true },
-      },
-      actions: { reactions: true },
-      typingIndicator: "message",
-      mediaMaxMb: 20,
-    },
-  },
-}
-```
-
-说明：
-
-- 服务账号 JSON 可以内联（`serviceAccount`）或基于文件（`serviceAccountFile`）。
-- 默认账号的环境变量回退：`GOOGLE_CHAT_SERVICE_ACCOUNT` 或 `GOOGLE_CHAT_SERVICE_ACCOUNT_FILE`。
-- `audienceType` + `audience` 必须与 Chat 应用的 webhook 认证配置匹配。
-- 设置投递目标时使用 `spaces/<spaceId>` 或 `users/<userId|email>`。
-
-### `channels.slack`（socket 模式）
-
-Slack 以 Socket Mode 运行，需要机器人 token 和应用 token：
-
-```json5
-{
-  channels: {
-    slack: {
-      enabled: true,
-      botToken: "xoxb-...",
-      appToken: "xapp-...",
-      dm: {
-        enabled: true,
-        policy: "pairing", // pairing | allowlist | open | disabled
-        allowFrom: ["U123", "U456", "*"], // 可选；"open" 需要 ["*"]
-        groupEnabled: false,
-        groupChannels: ["G123"],
-      },
-      channels: {
-        C123: { allow: true, requireMention: true, allowBots: false },
-        "#general": {
-          allow: true,
-          requireMention: true,
-          allowBots: false,
-          users: ["U123"],
-          skills: ["docs"],
-          systemPrompt: "Short answers only.",
-        },
-      },
-      historyLimit: 50, // 包含最近 N 条频道/群组消息作为上下文（0 禁用）
-      allowBots: false,
-      reactionNotifications: "own", // off | own | all | allowlist
-      reactionAllowlist: ["U123"],
-      replyToMode: "off", // off | first | all
-      thread: {
-        historyScope: "thread", // thread | channel
-        inheritParent: false,
-      },
-      actions: {
-        reactions: true,
-        messages: true,
-        pins: true,
-        memberInfo: true,
-        emojiList: true,
-      },
-      slashCommand: {
-        enabled: true,
-        name: "openclaw",
-        sessionPrefix: "slack:slash",
-        ephemeral: true,
-      },
-      textChunkLimit: 4000,
-      chunkMode: "length",
-      mediaMaxMb: 20,
-    },
-  },
-}
-```
-
-多账号支持在 `channels.slack.accounts` 下（参见上方多账号部分）。环境变量 token 仅适用于默认账号。
-
-OpenClaw 在提供商启用且两个 token 都已设置时启动 Slack（通过配置或 `SLACK_BOT_TOKEN` + `SLACK_APP_TOKEN`）。在为 cron/CLI 命令指定投递目标时使用 `user:<id>`（私聊）或 `channel:<id>`。
-设置 `channels.slack.configWrites: false` 阻止 Slack 发起的配置写入（包括频道 ID 迁移和 `/config set|unset`）。
-
-机器人发送的消息默认被忽略。通过 `channels.slack.allowBots` 或 `channels.slack.channels.<id>.allowBots` 启用。
-
-反应通知模式：
-
-- `off`：无反应事件。
-- `own`：机器人自身消息上的反应（默认）。
-- `all`：所有消息上的所有反应。
-- `allowlist`：`channels.slack.reactionAllowlist` 中的用户在所有消息上的反应（空列表禁用）。
-
-线程会话隔离：
-
-- `channels.slack.thread.historyScope` 控制线程历史是按线程（`thread`，默认）还是跨频道共享（`channel`）。
-- `channels.slack.thread.inheritParent` 控制新线程会话是否继承父频道的记录（默认：false）。
-
-Slack 动作组（控制 `slack` 工具动作）：
-| 动作组 | 默认 | 说明 |
-| --- | --- | --- |
-| reactions | 已启用 | 反应 + 列出反应 |
-| messages | 已启用 | 读取/发送/编辑/删除 |
-| pins | 已启用 | 固定/取消固定/列出 |
-| memberInfo | 已启用 | 成员信息 |
-| emojiList | 已启用 | 自定义表情列表 |
-
-### `channels.mattermost`（机器人 token）
-
-Mattermost 作为插件提供，不包含在核心安装中。
-请先安装：`openclaw plugins install @openclaw/mattermost`（或从 git checkout 使用 `./extensions/mattermost`）。
-
-Mattermost 需要机器人 token 加上服务器的基础 URL：
-
-```json5
-{
-  channels: {
-    mattermost: {
-      enabled: true,
-      botToken: "mm-token",
-      baseUrl: "https://chat.example.com",
-      dmPolicy: "pairing",
-      chatmode: "oncall", // oncall | onmessage | onchar
-      oncharPrefixes: [">", "!"],
-      textChunkLimit: 4000,
-      chunkMode: "length",
-    },
-  },
-}
-```
-
-OpenClaw 在账号已配置（机器人 token + 基础 URL）且已启用时启动 Mattermost。token + 基础 URL 从 `channels.mattermost.botToken` + `channels.mattermost.baseUrl` 或默认账号的 `MATTERMOST_BOT_TOKEN` + `MATTERMOST_URL` 解析（除非 `channels.mattermost.enabled` 为 `false`）。
-
-聊天模式：
-
-- `oncall`（默认）：仅在被 @提及时响应频道消息。
-- `onmessage`：响应每条频道消息。
-- `onchar`：当消息以触发前缀开头时响应（`channels.mattermost.oncharPrefixes`，默认 `[">", "!"]`）。
-
-访问控制：
-
-- 默认私聊：`channels.mattermost.dmPolicy="pairing"`（未知发送者收到配对码）。
-- 公开私聊：`channels.mattermost.dmPolicy="open"` 加上 `channels.mattermost.allowFrom=["*"]`。
-- 群组：`channels.mattermost.groupPolicy="allowlist"` 为默认值（提及门控）。使用 `channels.mattermost.groupAllowFrom` 限制发送者。
-
-多账号支持在 `channels.mattermost.accounts` 下（参见上方多账号部分）。环境变量仅适用于默认账号。
-指定投递目标时使用 `channel:<id>` 或 `user:<id>`（或 `@username`）；裸 id 被视为频道 id。
-
-### `channels.signal`（signal-cli）
-
-Signal 反应可以发出系统事件（共享反应工具）：
-
-```json5
-{
-  channels: {
-    signal: {
-      reactionNotifications: "own", // off | own | all | allowlist
-      reactionAllowlist: ["+15551234567", "uuid:123e4567-e89b-12d3-a456-426614174000"],
-      historyLimit: 50, // 包含最近 N 条群消息作为上下文（0 禁用）
-    },
-  },
-}
-```
-
-反应通知模式：
-
-- `off`：无反应事件。
-- `own`：机器人自身消息上的反应（默认）。
-- `all`：所有消息上的所有反应。
-- `allowlist`：`channels.signal.reactionAllowlist` 中的用户在所有消息上的反应（空列表禁用）。
-
-### `channels.imessage`（imsg CLI）
-
-OpenClaw 会生成 `imsg rpc`（通过 stdio 的 JSON-RPC）。无需守护进程或端口。
-
-```json5
-{
-  channels: {
-    imessage: {
-      enabled: true,
-      cliPath: "imsg",
-      dbPath: "~/Library/Messages/chat.db",
-      remoteHost: "user@gateway-host", // 使用 SSH 包装器时通过 SCP 获取远程附件
-      dmPolicy: "pairing", // pairing | allowlist | open | disabled
-      allowFrom: ["+15555550123", "user@example.com", "chat_id:123"],
-      historyLimit: 50, // 包含最近 N 条群消息作为上下文（0 禁用）
-      includeAttachments: false,
-      mediaMaxMb: 16,
-      service: "auto",
-      region: "US",
-    },
-  },
-}
-```
-
-多账号支持在 `channels.imessage.accounts` 下（参见上方多账号部分）。
-
-说明：
-
-- 需要对消息数据库的完全磁盘访问权限。
-- 首次发送时会提示请求消息自动化权限。
-- 建议使用 `chat_id:<id>` 目标。使用 `imsg chats --limit 20` 列出聊天。
-- `channels.imessage.cliPath` 可以指向包装脚本（例如 `ssh` 到另一台运行 `imsg rpc` 的 Mac）；使用 SSH 密钥避免密码提示。
-- 对于远程 SSH 包装器，设置 `channels.imessage.remoteHost` 以便在启用 `includeAttachments` 时通过 SCP 获取附件。
-
-示例包装器：
-
-```bash
-#!/usr/bin/env bash
-exec ssh -T gateway-host imsg "$@"
-```
-
-### `agents.defaults.workspace`
-
-设置智能体用于文件操作的**单一全局工作区目录**。
-
-默认：`~/.openclaw/workspace`。
-
-```json5
-{
-  agents: { defaults: { workspace: "~/.openclaw/workspace" } },
-}
-```
-
-如果启用了 `agents.defaults.sandbox`，非主会话可以在 `agents.defaults.sandbox.workspaceRoot` 下使用各自的每范围工作区来覆盖此设置。
-
-### `agents.defaults.repoRoot`
-
-在系统提示的 Runtime 行中显示的可选仓库根目录。如果未设置，OpenClaw 会从工作区（和当前工作目录）向上查找 `.git` 目录进行检测。路径必须存在才能使用。
-
-```json5
-{
-  agents: { defaults: { repoRoot: "~/Projects/openclaw" } },
-}
-```
-
-### `agents.defaults.skipBootstrap`
-
-禁用自动创建工作区引导文件（`AGENTS.md`、`SOUL.md`、`TOOLS.md`、`IDENTITY.md`、`USER.md` 和 `BOOTSTRAP.md`）。
-
-适用于工作区文件来自仓库的预置部署。
-
-```json5
-{
-  agents: { defaults: { skipBootstrap: true } },
-}
-```
-
-### `agents.defaults.bootstrapMaxChars`
-
-注入系统提示前每个工作区引导文件截断前的最大字符数。默认：`20000`。
-
-当文件超过此限制时，OpenClaw 会记录警告并注入带标记的头尾截断内容。
-
-```json5
-{
-  agents: { defaults: { bootstrapMaxChars: 20000 } },
-}
-```
-
-### `agents.defaults.userTimezone`
-
-设置用户时区用于**系统提示上下文**（不用于消息信封中的时间戳）。如果未设置，OpenClaw 在运行时使用主机时区。
-
-```json5
-{
-  agents: { defaults: { userTimezone: "America/Chicago" } },
-}
-```
-
-### `agents.defaults.timeFormat`
-
-控制系统提示中"当前日期和时间"部分显示的**时间格式**。
-默认：`auto`（操作系统偏好）。
-
-```json5
-{
-  agents: { defaults: { timeFormat: "auto" } }, // auto | 12 | 24
-}
-```
-
-### `messages`
-
-控制入站/出站前缀和可选的确认反应。
-参见[消息](/concepts/messages)了解排队、会话和流式上下文。
-
-```json5
-{
-  messages: {
-    responsePrefix: "🦞", // 或 "auto"
-    ackReaction: "👀",
-    ackReactionScope: "group-mentions",
-    removeAckAfterReply: false,
-  },
-}
-```
-
-`responsePrefix` 应用于跨渠道的**所有出站回复**（工具摘要、分块流式传输、最终回复），除非已存在。
-
-如果未设置 `messages.responsePrefix`，默认不应用前缀。WhatsApp 自聊天回复是例外：它们在设置时默认为 `[{identity.name}]`，否则为 `[openclaw]`，以保持同一手机上的对话可读性。
-设为 `"auto"` 可为路由的智能体推导 `[{identity.name}]`（当设置时）。
-
-#### 模板变量
-
-`responsePrefix` 字符串可以包含动态解析的模板变量：
-
-| 变量              | 描述           | 示例                        |
-| ----------------- | -------------- | --------------------------- |
-| `{model}`         | 短模型名称     | `claude-opus-4-5`、`gpt-4o` |
-| `{modelFull}`     | 完整模型标识符 | `anthropic/claude-opus-4-5` |
-| `{provider}`      | 提供商名称     | `anthropic`、`openai`       |
-| `{thinkingLevel}` | 当前思考级别   | `high`、`low`、`off`        |
-| `{identity.name}` | 智能体身份名称 | （与 `"auto"` 模式相同）    |
-
-变量不区分大小写（`{MODEL}` = `{model}`）。`{think}` 是 `{thinkingLevel}` 的别名。
-未解析的变量保持为字面文本。
-
-```json5
-{
-  messages: {
-    responsePrefix: "[{model} | think:{thinkingLevel}]",
-  },
-}
-```
-
-输出示例：`[claude-opus-4-5 | think:high] Here's my response...`
-
-WhatsApp 入站前缀通过 `channels.whatsapp.messagePrefix` 配置（已弃用：`messages.messagePrefix`）。默认保持**不变**：当 `channels.whatsapp.allowFrom` 为空时为 `"[openclaw]"`，否则为 `""`（无前缀）。使用 `"[openclaw]"` 时，如果路由的智能体设置了 `identity.name`，OpenClaw 会改用 `[{identity.name}]`。
-
-`ackReaction` 在支持反应的渠道（Slack/Discord/Telegram/Google Chat）上发送尽力而为的表情反应来确认入站消息。设置时默认为活跃智能体的 `identity.emoji`，否则为 `"👀"`。设为 `""` 禁用。
-
-`ackReactionScope` 控制反应触发时机：
-
-- `group-mentions`（默认）：仅在群组/房间要求提及**且**机器人被提及时
-- `group-all`：所有群组/房间消息
-- `direct`：仅私聊消息
-- `all`：所有消息
-
-`removeAckAfterReply` 在发送回复后移除机器人的确认反应（仅 Slack/Discord/Telegram/Google Chat）。默认：`false`。
-
-#### `messages.tts`
-
-为出站回复启用文字转语音。开启后，OpenClaw 使用 ElevenLabs 或 OpenAI 生成音频并附加到回复中。Telegram 使用 Opus 语音消息；其他渠道发送 MP3 音频。
-
-```json5
-{
-  messages: {
-    tts: {
-      auto: "always", // off | always | inbound | tagged
-      mode: "final", // final | all（包含工具/块回复）
-      provider: "elevenlabs",
-      summaryModel: "openai/gpt-4.1-mini",
-      modelOverrides: {
-        enabled: true,
-      },
-      maxTextLength: 4000,
-      timeoutMs: 30000,
-      prefsPath: "~/.openclaw/settings/tts.json",
-      elevenlabs: {
-        apiKey: "elevenlabs_api_key",
-        baseUrl: "https://api.elevenlabs.io",
-        voiceId: "voice_id",
-        modelId: "eleven_multilingual_v2",
-        seed: 42,
-        applyTextNormalization: "auto",
-        languageCode: "en",
-        voiceSettings: {
-          stability: 0.5,
-          similarityBoost: 0.75,
-          style: 0.0,
-          useSpeakerBoost: true,
-          speed: 1.0,
-        },
-      },
-      openai: {
-        apiKey: "openai_api_key",
-        model: "gpt-4o-mini-tts",
-        voice: "alloy",
-      },
-    },
-  },
-}
-```
-
-说明：
-
-- `messages.tts.auto` 控制自动 TTS（`off`、`always`、`inbound`、`tagged`）。
-- `/tts off|always|inbound|tagged` 设置每会话的自动模式（覆盖配置）。
-- `messages.tts.enabled` 为旧版；doctor 会将其迁移为 `messages.tts.auto`。
-- `prefsPath` 存储本地覆盖（提供商/限制/摘要）。
-- `maxTextLength` 是 TTS 输入的硬上限；摘要会被截断以适应。
-- `summaryModel` 覆盖自动摘要的 `agents.defaults.model.primary`。
-  - 接受 `provider/model` 或来自 `agents.defaults.models` 的别名。
-- `modelOverrides` 启用模型驱动的覆盖如 `[[tts:...]]` 标签（默认开启）。
-- `/tts limit` 和 `/tts summary` 控制每用户的摘要设置。
-- `apiKey` 值回退到 `ELEVENLABS_API_KEY`/`XI_API_KEY` 和 `OPENAI_API_KEY`。
-- `elevenlabs.baseUrl` 覆盖 ElevenLabs API 基础 URL。
-- `elevenlabs.voiceSettings` 支持 `stability`/`similarityBoost`/`style`（0..1）、
-  `useSpeakerBoost` 和 `speed`（0.5..2.0）。
-
-### `talk`
-
-Talk 模式（macOS/iOS/Android）的默认值。语音 ID 在未设置时回退到 `ELEVENLABS_VOICE_ID` 或 `SAG_VOICE_ID`。
-`apiKey` 在未设置时回退到 `ELEVENLABS_API_KEY`（或 Gateway 网关的 shell 配置文件）。
-`voiceAliases` 允许 Talk 指令使用友好名称（例如 `"voice":"Clawd"`）。
-
-```json5
-{
-  talk: {
-    voiceId: "elevenlabs_voice_id",
-    voiceAliases: {
-      Clawd: "EXAVITQu4vr4xnSDxMaL",
-      Roger: "CwhRBWXzGAHq8TQ4Fs17",
-    },
-    modelId: "eleven_v3",
-    outputFormat: "mp3_44100_128",
-    apiKey: "elevenlabs_api_key",
-    interruptOnSpeech: true,
-  },
-}
-```
-
-### `agents.defaults`
-
-控制内置智能体运行时（模型/思考/详细/超时）。
-`agents.defaults.models` 定义已配置的模型目录（也充当 `/model` 的白名单）。
-`agents.defaults.model.primary` 设置默认模型；`agents.defaults.model.fallbacks` 是全局故障转移。
-`agents.defaults.imageModel` 是可选的，**仅在主模型缺少图像输入时使用**。
-每个 `agents.defaults.models` 条目可以包含：
-
-- `alias`（可选的模型快捷方式，例如 `/opus`）。
-- `params`（可选的提供商特定 API 参数，传递给模型请求）。
-
-`params` 也应用于流式运行（内置智能体 + 压缩）。目前支持的键：`temperature`、`maxTokens`。这些与调用时选项合并；调用方提供的值优先。`temperature` 是高级旋钮——除非你了解模型的默认值且需要更改，否则不要设置。
-
-示例：
-
-```json5
-{
-  agents: {
-    defaults: {
-      models: {
-        "anthropic/claude-sonnet-4-5-20250929": {
-          params: { temperature: 0.6 },
-        },
-        "openai/gpt-5.2": {
-          params: { maxTokens: 8192 },
-        },
-      },
-    },
-  },
-}
-```
-
-Z.AI GLM-4.x 模型会自动启用思考模式，除非你：
-
-- 设置 `--thinking off`，或
-- 自行定义 `agents.defaults.models["zai/<model>"].params.thinking`。
-
-OpenClaw 还内置了一些别名快捷方式。默认值仅在模型已存在于 `agents.defaults.models` 中时才应用：
-
-- `opus` -> `anthropic/claude-opus-4-5`
-- `sonnet` -> `anthropic/claude-sonnet-4-5`
-- `gpt` -> `openai/gpt-5.2`
-- `gpt-mini` -> `openai/gpt-5-mini`
-- `gemini` -> `google/gemini-3-pro-preview`
-- `gemini-flash` -> `google/gemini-3-flash-preview`
-
-如果你配置了相同的别名（不区分大小写），你的值优先（默认值不会覆盖）。
-
-示例：Opus 4.5 主模型，MiniMax M2.1 回退（托管 MiniMax）：
-
-```json5
-{
-  agents: {
-    defaults: {
-      models: {
-        "anthropic/claude-opus-4-5": { alias: "opus" },
-        "minimax/MiniMax-M2.1": { alias: "minimax" },
-      },
-      model: {
-        primary: "anthropic/claude-opus-4-5",
-        fallbacks: ["minimax/MiniMax-M2.1"],
-      },
-    },
-  },
-}
-```
-
-MiniMax 认证：设置 `MINIMAX_API_KEY`（环境变量）或配置 `models.providers.minimax`。
-
-#### `agents.defaults.cliBackends`（CLI 回退）
-
-可选的 CLI 后端用于纯文本回退运行（无工具调用）。当 API 提供商失败时可作为备用路径。当你配置了接受文件路径的 `imageArg` 时支持图像透传。
-
-说明：
-
-- CLI 后端**以文本为主**；工具始终禁用。
-- 设置 `sessionArg` 时支持会话；会话 id 按后端持久化。
-- 对于 `claude-cli`，默认值已内置。如果 PATH 不完整（launchd/systemd），请覆盖命令路径。
-
-示例：
-
-```json5
-{
-  agents: {
-    defaults: {
-      cliBackends: {
-        "claude-cli": {
-          command: "/opt/homebrew/bin/claude",
-        },
-        "my-cli": {
-          command: "my-cli",
-          args: ["--json"],
-          output: "json",
-          modelArg: "--model",
-          sessionArg: "--session",
-          sessionMode: "existing",
-          systemPromptArg: "--system",
-          systemPromptWhen: "first",
-          imageArg: "--image",
-          imageMode: "repeat",
-        },
-      },
-    },
-  },
-}
-```
-
-```json5
-{
-  agents: {
-    defaults: {
-      models: {
-        "anthropic/claude-opus-4-5": { alias: "Opus" },
-        "anthropic/claude-sonnet-4-1": { alias: "Sonnet" },
-        "openrouter/deepseek/deepseek-r1:free": {},
-        "zai/glm-4.7": {
-          alias: "GLM",
-          params: {
-            thinking: {
-              type: "enabled",
-              clear_thinking: false,
-            },
-          },
-        },
-      },
-      model: {
-        primary: "anthropic/claude-opus-4-5",
-        fallbacks: [
-          "openrouter/deepseek/deepseek-r1:free",
-          "openrouter/meta-llama/llama-3.3-70b-instruct:free",
-        ],
-      },
-      imageModel: {
-        primary: "openrouter/qwen/qwen-2.5-vl-72b-instruct:free",
-        fallbacks: ["openrouter/google/gemini-2.0-flash-vision:free"],
-      },
-      thinkingDefault: "low",
-      verboseDefault: "off",
-      elevatedDefault: "on",
-      timeoutSeconds: 600,
-      mediaMaxMb: 5,
-      heartbeat: {
-        every: "30m",
-        target: "last",
-      },
-      maxConcurrent: 3,
-      subagents: {
-        model: "minimax/MiniMax-M2.1",
-        maxConcurrent: 1,
-        archiveAfterMinutes: 60,
-      },
-      exec: {
-        backgroundMs: 10000,
-        timeoutSec: 1800,
-        cleanupMs: 1800000,
-      },
-      contextTokens: 200000,
-    },
-  },
-}
-```
-
-#### `agents.defaults.contextPruning`（工具结果裁剪）
-
-`agents.defaults.contextPruning` 在请求发送到 LLM 之前裁剪内存上下文中的**旧工具结果**。
-它**不会**修改磁盘上的会话历史（`*.jsonl` 保持完整）。
-
-这旨在减少随时间积累大量工具输出的智能体的 token 消耗。
-
-概述：
-
-- 不触及用户/助手消息。
-- 保护最后 `keepLastAssistants` 条助手消息（该点之后的工具结果不会被裁剪）。
-- 保护引导前缀（第一条用户消息之前的内容不会被裁剪）。
-- 模式：
-  - `adaptive`：当估计的上下文比率超过 `softTrimRatio` 时，软裁剪过大的工具结果（保留头尾）。
-    然后当估计的上下文比率超过 `hardClearRatio` **且**有足够的可裁剪工具结果量（`minPrunableToolChars`）时，硬清除最旧的符合条件的工具结果。
-  - `aggressive`：始终用 `hardClear.placeholder` 替换截止点之前符合条件的工具结果（不做比率检查）。
-
-软裁剪 vs 硬裁剪（发送给 LLM 的上下文中的变化）：
-
-- **软裁剪**：仅针对*过大*的工具结果。保留开头 + 结尾，在中间插入 `...`。
-  - 之前：`toolResult("…很长的输出…")`
-  - 之后：`toolResult("HEAD…\n...\n…TAIL\n\n[Tool result trimmed: …]")`
-- **硬清除**：用占位符替换整个工具结果。
-  - 之前：`toolResult("…很长的输出…")`
-  - 之后：`toolResult("[Old tool result content cleared]")`
-
-说明 / 当前限制：
-
-- 目前包含**图像块的工具结果会被跳过**（不会被裁剪/清除）。
-- 估计的"上下文比率"基于**字符**（近似值），不是精确的 token 数。
-- 如果会话尚未包含至少 `keepLastAssistants` 条助手消息，则跳过裁剪。
-- 在 `aggressive` 模式下，`hardClear.enabled` 被忽略（符合条件的工具结果始终被替换为 `hardClear.placeholder`）。
-
-默认值（adaptive）：
-
-```json5
-{
-  agents: { defaults: { contextPruning: { mode: "adaptive" } } },
-}
-```
-
-禁用：
-
-```json5
-{
-  agents: { defaults: { contextPruning: { mode: "off" } } },
-}
-```
-
-默认值（当 `mode` 为 `"adaptive"` 或 `"aggressive"` 时）：
-
-- `keepLastAssistants`：`3`
-- `softTrimRatio`：`0.3`（仅 adaptive）
-- `hardClearRatio`：`0.5`（仅 adaptive）
-- `minPrunableToolChars`：`50000`（仅 adaptive）
-- `softTrim`：`{ maxChars: 4000, headChars: 1500, tailChars: 1500 }`（仅 adaptive）
-- `hardClear`：`{ enabled: true, placeholder: "[Old tool result content cleared]" }`
-
-示例（aggressive，最小化）：
-
-```json5
-{
-  agents: { defaults: { contextPruning: { mode: "aggressive" } } },
-}
-```
-
-示例（调优的 adaptive）：
-
-```json5
-{
-  agents: {
-    defaults: {
-      contextPruning: {
-        mode: "adaptive",
-        keepLastAssistants: 3,
-        softTrimRatio: 0.3,
-        hardClearRatio: 0.5,
-        minPrunableToolChars: 50000,
-        softTrim: { maxChars: 4000, headChars: 1500, tailChars: 1500 },
-        hardClear: { enabled: true, placeholder: "[Old tool result content cleared]" },
-        // 可选：限制裁剪仅针对特定工具（deny 优先；支持 "*" 通配符）
-        tools: { deny: ["browser", "canvas"] },
-      },
-    },
-  },
-}
-```
-
-参见 [/concepts/session-pruning](/concepts/session-pruning) 了解行为细节。
-
-#### `agents.defaults.compaction`（预留空间 + 记忆刷新）
-
-`agents.defaults.compaction.mode` 选择压缩摘要策略。默认为 `default`；设为 `safeguard` 可为超长历史启用分块摘要。参见 [/concepts/compaction](/concepts/compaction)。
-
-`agents.defaults.compaction.reserveTokensFloor` 为 Pi 压缩强制一个最小 `reserveTokens` 值（默认：`20000`）。设为 `0` 禁用此底线。
-
-`agents.defaults.compaction.memoryFlush` 在自动压缩前运行一个**静默**智能体轮次，指示模型将持久记忆存储到磁盘（例如 `memory/YYYY-MM-DD.md`）。当会话 token 估计值超过压缩限制以下的软阈值时触发。
-
-旧版默认值：
-
-- `memoryFlush.enabled`：`true`
-- `memoryFlush.softThresholdTokens`：`4000`
-- `memoryFlush.prompt` / `memoryFlush.systemPrompt`：带 `NO_REPLY` 的内置默认值
-- 注意：当会话工作区为只读时跳过记忆刷新（`agents.defaults.sandbox.workspaceAccess: "ro"` 或 `"none"`）。
-
-示例（调优）：
-
-```json5
-{
-  agents: {
-    defaults: {
-      compaction: {
-        mode: "safeguard",
-        reserveTokensFloor: 24000,
-        memoryFlush: {
-          enabled: true,
-          softThresholdTokens: 6000,
-          systemPrompt: "Session nearing compaction. Store durable memories now.",
-          prompt: "Write any lasting notes to memory/YYYY-MM-DD.md; reply with NO_REPLY if nothing to store.",
-        },
-      },
-    },
-  },
-}
-```
-
-分块流式传输：
-
-- `agents.defaults.blockStreamingDefault`：`"on"`/`"off"`（默认 off）。
-- 渠道覆盖：`*.blockStreaming`（及每账号变体）强制分块流式传输开/关。
-  非 Telegram 渠道需要显式设置 `*.blockStreaming: true` 来启用块回复。
-- `agents.defaults.blockStreamingBreak`：`"text_end"` 或 `"message_end"`（默认：text_end）。
-- `agents.defaults.blockStreamingChunk`：流式块的软分块。默认 800–1200 字符，优先段落分隔（`\n\n`），然后换行，然后句子。
-  示例：
-  ```json5
-  {
-    agents: { defaults: { blockStreamingChunk: { minChars: 800, maxChars: 1200 } } },
-  }
-  ```
-- `agents.defaults.blockStreamingCoalesce`：发送前合并流式块。
-  默认为 `{ idleMs: 1000 }`，从 `blockStreamingChunk` 继承 `minChars`，
-  `maxChars` 上限为渠道文本限制。Signal/Slack/Discord/Google Chat 默认
-  `minChars: 1500`，除非被覆盖。
-  渠道覆盖：`channels.whatsapp.blockStreamingCoalesce`、`channels.telegram.blockStreamingCoalesce`、
-  `channels.discord.blockStreamingCoalesce`、`channels.slack.blockStreamingCoalesce`、`channels.mattermost.blockStreamingCoalesce`、
-  `channels.signal.blockStreamingCoalesce`、`channels.imessage.blockStreamingCoalesce`、`channels.msteams.blockStreamingCoalesce`、
-  `channels.googlechat.blockStreamingCoalesce`
-  （及每账号变体）。
-- `agents.defaults.humanDelay`：第一条之后**块回复**之间的随机延迟。
-  模式：`off`（默认）、`natural`（800–2500ms）、`custom`（使用 `minMs`/`maxMs`）。
-  每智能体覆盖：`agents.list[].humanDelay`。
-  示例：
-  ```json5
-  {
-    agents: { defaults: { humanDelay: { mode: "natural" } } },
-  }
-  ```
-  参见 [/concepts/streaming](/concepts/streaming) 了解行为 + 分块细节。
-
-输入指示器：
-
-- `agents.defaults.typingMode`：`"never" | "instant" | "thinking" | "message"`。私聊/提及默认为
-  `instant`，未被提及的群聊默认为 `message`。
-- `session.typingMode`：每会话的模式覆盖。
-- `agents.defaults.typingIntervalSeconds`：输入信号刷新频率（默认：6s）。
-- `session.typingIntervalSeconds`：每会话的刷新间隔覆盖。
-  参见 [/concepts/typing-indicators](/concepts/typing-indicators) 了解行为细节。
-
-`agents.defaults.model.primary` 应设为 `provider/model`（例如 `anthropic/claude-opus-4-5`）。
-别名来自 `agents.defaults.models.*.alias`（例如 `Opus`）。
-如果省略提供商，OpenClaw 目前假定 `anthropic` 作为临时弃用回退。
-Z.AI 模型可通过 `zai/<model>` 使用（例如 `zai/glm-4.7`），需要环境中设置
-`ZAI_API_KEY`（或旧版 `Z_AI_API_KEY`）。
-
-`agents.defaults.heartbeat` 配置定期心跳运行：
-
-- `every`：持续时间字符串（`ms`、`s`、`m`、`h`）；默认单位分钟。默认：
-  `30m`。设为 `0m` 禁用。
-- `model`：可选的心跳运行覆盖模型（`provider/model`）。
-- `includeReasoning`：为 `true` 时，心跳也会传递单独的 `Reasoning:` 消息（与 `/reasoning on` 相同形式）。默认：`false`。
-- `session`：可选的会话键，控制心跳在哪个会话中运行。默认：`main`。
-- `to`：可选的收件人覆盖（渠道特定 id，例如 WhatsApp 的 E.164，Telegram 的聊天 id）。
-- `target`：可选的投递渠道（`last`、`whatsapp`、`telegram`、`discord`、`slack`、`msteams`、`signal`、`imessage`、`none`）。默认：`last`。
-- `prompt`：可选的心跳内容覆盖（默认：`Read HEARTBEAT.md if it exists (workspace context). Follow it strictly. Do not infer or repeat old tasks from prior chats. If nothing needs attention, reply HEARTBEAT_OK.`）。覆盖值按原样发送；如果仍需读取文件，请包含 `Read HEARTBEAT.md` 行。
-- `ackMaxChars`：`HEARTBEAT_OK` 之后投递前允许的最大字符数（默认：300）。
-
-每智能体心跳：
-
-- 设置 `agents.list[].heartbeat` 为特定智能体启用或覆盖心跳设置。
-- 如果任何智能体条目定义了 `heartbeat`，**仅那些智能体**运行心跳；默认值
-  成为那些智能体的共享基线。
-
-心跳运行完整的智能体轮次。较短的间隔消耗更多 token；请注意
-`every`，保持 `HEARTBEAT.md` 精简，和/或选择更便宜的 `model`。
-
-`tools.exec` 配置后台执行默认值：
-
-- `backgroundMs`：自动后台化前的时间（ms，默认 10000）
-- `timeoutSec`：超过此运行时间后自动终止（秒，默认 1800）
-- `cleanupMs`：完成的会话在内存中保留多久（ms，默认 1800000）
-- `notifyOnExit`：后台执行退出时加入系统事件 + 请求心跳（默认 true）
-- `applyPatch.enabled`：启用实验性 `apply_patch`（仅 OpenAI/OpenAI Codex；默认 false）
-- `applyPatch.allowModels`：可选的模型 id 白名单（例如 `gpt-5.2` 或 `openai/gpt-5.2`）
-  注意：`applyPatch` 仅在 `tools.exec` 下。
-
-`tools.web` 配置 Web 搜索 + 获取工具：
-
-- `tools.web.search.enabled`（默认：有密钥时为 true）
-- `tools.web.search.apiKey`（推荐：通过 `openclaw configure --section web` 设置，或使用 `BRAVE_API_KEY` 环境变量）
-- `tools.web.search.maxResults`（1–10，默认 5）
-- `tools.web.search.timeoutSeconds`（默认 30）
-- `tools.web.search.cacheTtlMinutes`（默认 15）
-- `tools.web.fetch.enabled`（默认 true）
-- `tools.web.fetch.maxChars`（默认 50000）
-- `tools.web.fetch.timeoutSeconds`（默认 30）
-- `tools.web.fetch.cacheTtlMinutes`（默认 15）
-- `tools.web.fetch.userAgent`（可选覆盖）
-- `tools.web.fetch.readability`（默认 true；禁用后仅使用基本 HTML 清理）
-- `tools.web.fetch.firecrawl.enabled`（默认：设置了 API 密钥时为 true）
-- `tools.web.fetch.firecrawl.apiKey`（可选；默认为 `FIRECRAWL_API_KEY`）
-- `tools.web.fetch.firecrawl.baseUrl`（默认 https://api.firecrawl.dev）
-- `tools.web.fetch.firecrawl.onlyMainContent`（默认 true）
-- `tools.web.fetch.firecrawl.maxAgeMs`（可选）
-- `tools.web.fetch.firecrawl.timeoutSeconds`（可选）
-
-`tools.media` 配置入站媒体理解（图片/音频/视频）：
-
-- `tools.media.models`：共享模型列表（按能力标记；在每能力列表之后使用）。
-- `tools.media.concurrency`：最大并发能力运行数（默认 2）。
-- `tools.media.image` / `tools.media.audio` / `tools.media.video`：
-  - `enabled`：选择退出开关（配置了模型时默认为 true）。
-  - `prompt`：可选的提示覆盖（图片/视频自动附加 `maxChars` 提示）。
-  - `maxChars`：最大输出字符数（图片/视频默认 500；音频未设置）。
-  - `maxBytes`：发送的最大媒体大小（默认：图片 10MB，音频 20MB，视频 50MB）。
-  - `timeoutSeconds`：请求超时（默认：图片 60s，音频 60s，视频 120s）。
-  - `language`：可选的音频提示。
-  - `attachments`：附件策略（`mode`、`maxAttachments`、`prefer`）。
-  - `scope`：可选的门控（第一个匹配获胜），带 `match.channel`、`match.chatType` 或 `match.keyPrefix`。
-  - `models`：有序的模型条目列表；失败或超大媒体回退到下一个条目。
-- 每个 `models[]` 条目：
-  - 提供商条目（`type: "provider"` 或省略）：
-    - `provider`：API 提供商 id（`openai`、`anthropic`、`google`/`gemini`、`groq` 等）。
-    - `model`：模型 id 覆盖（图片必需；音频提供商默认为 `gpt-4o-mini-transcribe`/`whisper-large-v3-turbo`，视频默认为 `gemini-3-flash-preview`）。
-    - `profile` / `preferredProfile`：认证配置文件选择。
-  - CLI 条目（`type: "cli"`）：
-    - `command`：要运行的可执行文件。
-    - `args`：模板化参数（支持 `{{MediaPath}}`、`{{Prompt}}`、`{{MaxChars}}` 等）。
-  - `capabilities`：可选的能力列表（`image`、`audio`、`video`）用于门控共享条目。省略时的默认值：`openai`/`anthropic`/`minimax` → image，`google` → image+audio+video，`groq` → audio。
-  - `prompt`、`maxChars`、`maxBytes`、`timeoutSeconds`、`language` 可在每个条目中覆盖。
-
-如果未配置模型（或 `enabled: false`），理解将被跳过；模型仍会接收原始附件。
-
-提供商认证遵循标准模型认证顺序（认证配置文件、环境变量如 `OPENAI_API_KEY`/`GROQ_API_KEY`/`GEMINI_API_KEY`，或 `models.providers.*.apiKey`）。
-
-示例：
-
-```json5
-{
-  tools: {
-    media: {
-      audio: {
-        enabled: true,
-        maxBytes: 20971520,
-        scope: {
-          default: "deny",
-          rules: [{ action: "allow", match: { chatType: "direct" } }],
-        },
-        models: [
-          { provider: "openai", model: "gpt-4o-mini-transcribe" },
-          { type: "cli", command: "whisper", args: ["--model", "base", "{{MediaPath}}"] },
-        ],
-      },
-      video: {
-        enabled: true,
-        maxBytes: 52428800,
-        models: [{ provider: "google", model: "gemini-3-flash-preview" }],
-      },
-    },
-  },
-}
-```
-
-`agents.defaults.subagents` 配置子智能体默认值：
-
-- `model`：生成的子智能体的默认模型（字符串或 `{ primary, fallbacks }`）。如果省略，子智能体继承调用者的模型，除非按智能体或按调用覆盖。
-- `maxConcurrent`：最大并发子智能体运行数（默认 1）
-- `archiveAfterMinutes`：N 分钟后自动归档子智能体会话（默认 60；设为 `0` 禁用）
-- 每子智能体工具策略：`tools.subagents.tools.allow` / `tools.subagents.tools.deny`（deny 优先）
-
-`tools.profile` 设置 `tools.allow`/`tools.deny` 之前的**基础工具白名单**：
-
-- `minimal`：仅 `session_status`
-- `coding`：`group:fs`、`group:runtime`、`group:sessions`、`group:memory`、`image`
-- `messaging`：`group:messaging`、`sessions_list`、`sessions_history`、`sessions_send`、`session_status`
-- `full`：无限制（与未设置相同）
-
-每智能体覆盖：`agents.list[].tools.profile`。
-
-示例（默认仅消息传递，另外允许 Slack + Discord 工具）：
-
-```json5
-{
-  tools: {
-    profile: "messaging",
-    allow: ["slack", "discord"],
-  },
-}
-```
-
-示例（编码配置文件，但全局拒绝 exec/process）：
-
-```json5
-{
-  tools: {
-    profile: "coding",
-    deny: ["group:runtime"],
-  },
-}
-```
-
-`tools.byProvider` 允许你为特定提供商（或单个 `provider/model`）**进一步限制**工具。
-每智能体覆盖：`agents.list[].tools.byProvider`。
-
-顺序：基础配置文件 → 提供商配置文件 → allow/deny 策略。
-提供商键接受 `provider`（例如 `google-antigravity`）或 `provider/model`
-（例如 `openai/gpt-5.2`）。
-
-示例（保持全局编码配置文件，但为 Google Antigravity 使用最小工具）：
-
-```json5
-{
-  tools: {
-    profile: "coding",
-    byProvider: {
-      "google-antigravity": { profile: "minimal" },
-    },
-  },
-}
-```
-
-示例（提供商/模型特定白名单）：
-
-```json5
-{
-  tools: {
-    allow: ["group:fs", "group:runtime", "sessions_list"],
-    byProvider: {
-      "openai/gpt-5.2": { allow: ["group:fs", "sessions_list"] },
-    },
-  },
-}
-```
-
-`tools.allow` / `tools.deny` 配置全局工具允许/拒绝策略（deny 优先）。
-匹配不区分大小写并支持 `*` 通配符（`"*"` 表示所有工具）。
-即使 Docker 沙箱**关闭**，此策略也会应用。
-
-示例（全局禁用 browser/canvas）：
-
-```json5
-{
-  tools: { deny: ["browser", "canvas"] },
-}
-```
-
-工具组（简写）在**全局**和**每智能体**工具策略中可用：
-
-- `group:runtime`：`exec`、`bash`、`process`
-- `group:fs`：`read`、`write`、`edit`、`apply_patch`
-- `group:sessions`：`sessions_list`、`sessions_history`、`sessions_send`、`sessions_spawn`、`session_status`
-- `group:memory`：`memory_search`、`memory_get`
-- `group:web`：`web_search`、`web_fetch`
-- `group:ui`：`browser`、`canvas`
-- `group:automation`：`cron`、`gateway`
-- `group:messaging`：`message`
-- `group:nodes`：`nodes`
-- `group:openclaw`：所有内置 OpenClaw 工具（不包含提供商插件）
-
-`tools.elevated` 控制提升（主机）执行访问：
-
-- `enabled`：允许提升模式（默认 true）
-- `allowFrom`：每渠道白名单（空 = 禁用）
-  - `whatsapp`：E.164 号码
-  - `telegram`：聊天 id 或用户名
-  - `discord`：用户 id 或用户名（省略时回退到 `channels.discord.dm.allowFrom`）
-  - `signal`：E.164 号码
-  - `imessage`：句柄/聊天 id
-  - `webchat`：会话 id 或用户名
-
-示例：
-
-```json5
-{
-  tools: {
-    elevated: {
-      enabled: true,
-      allowFrom: {
-        whatsapp: ["+15555550123"],
-        discord: ["steipete", "1234567890123"],
-      },
-    },
-  },
-}
-```
-
-每智能体覆盖（进一步限制）：
-
-```json5
-{
-  agents: {
-    list: [
-      {
-        id: "family",
-        tools: {
-          elevated: { enabled: false },
-        },
-      },
-    ],
-  },
-}
-```
-
-说明：
-
-- `tools.elevated` 是全局基线。`agents.list[].tools.elevated` 只能进一步限制（两者都必须允许）。
-- `/elevated on|off|ask|full` 按会话键存储状态；内联指令仅应用于单条消息。
-- 提升的 `exec` 在主机上运行并绕过沙箱。
-- 工具策略仍然适用；如果 `exec` 被拒绝，则无法使用提升。
-
-`agents.defaults.maxConcurrent` 设置跨会话可并行执行的内置智能体运行的最大数量。每个会话仍然是串行的（每个会话键同时只有一个运行）。默认：1。
-
-### `agents.defaults.sandbox`
-
-为内置智能体提供可选的 **Docker 沙箱**。适用于非主会话，使其无法访问你的主机系统。
-
-详情：[沙箱](/gateway/sandboxing)
-
-默认值（如果启用）：
-
-- scope：`"agent"`（每个智能体一个容器 + 工作区）
-- 基于 Debian bookworm-slim 的镜像
-- 智能体工作区访问：`workspaceAccess: "none"`（默认）
-  - `"none"`：在 `~/.openclaw/sandboxes` 下使用每范围的沙箱工作区
-- `"ro"`：将沙箱工作区保持在 `/workspace`，智能体工作区以只读方式挂载到 `/agent`（禁用 `write`/`edit`/`apply_patch`）
-  - `"rw"`：将智能体工作区以读写方式挂载到 `/workspace`
-- 自动清理：空闲超过 24h 或存在超过 7d
-- 工具策略：仅允许 `exec`、`process`、`read`、`write`、`edit`、`apply_patch`、`sessions_list`、`sessions_history`、`sessions_send`、`sessions_spawn`、`session_status`（deny 优先）
-  - 通过 `tools.sandbox.tools` 配置，通过 `agents.list[].tools.sandbox.tools` 进行每智能体覆盖
-  - 沙箱策略中支持工具组简写：`group:runtime`、`group:fs`、`group:sessions`、`group:memory`（参见[沙箱 vs 工具策略 vs 提升](/gateway/sandbox-vs-tool-policy-vs-elevated#tool-groups-shorthands)）
-- 可选的沙箱浏览器（Chromium + CDP，noVNC 观察器）
-- 加固旋钮：`network`、`user`、`pidsLimit`、`memory`、`cpus`、`ulimits`、`seccompProfile`、`apparmorProfile`
-
-警告：`scope: "shared"` 意味着共享容器和共享工作区。无跨会话隔离。使用 `scope: "session"` 获得每会话隔离。
-
-旧版：`perSession` 仍然支持（`true` → `scope: "session"`，`false` → `scope: "shared"`）。
-
-`setupCommand` 在容器创建后**运行一次**（在容器内通过 `sh -lc` 执行）。
-对于包安装，确保网络出口、可写根文件系统和 root 用户。
-
-```json5
-{
-  agents: {
-    defaults: {
-      sandbox: {
-        mode: "non-main", // off | non-main | all
-        scope: "agent", // session | agent | shared（agent 为默认）
-        workspaceAccess: "none", // none | ro | rw
-        workspaceRoot: "~/.openclaw/sandboxes",
-        docker: {
-          image: "openclaw-sandbox:bookworm-slim",
-          containerPrefix: "openclaw-sbx-",
-          workdir: "/workspace",
-          readOnlyRoot: true,
-          tmpfs: ["/tmp", "/var/tmp", "/run"],
-          network: "none",
-          user: "1000:1000",
-          capDrop: ["ALL"],
-          env: { LANG: "C.UTF-8" },
-          setupCommand: "apt-get update && apt-get install -y git curl jq",
-          // 每智能体覆盖（多智能体）：agents.list[].sandbox.docker.*
-          pidsLimit: 256,
-          memory: "1g",
-          memorySwap: "2g",
-          cpus: 1,
-          ulimits: {
-            nofile: { soft: 1024, hard: 2048 },
-            nproc: 256,
-          },
-          seccompProfile: "/path/to/seccomp.json",
-          apparmorProfile: "openclaw-sandbox",
-          dns: ["1.1.1.1", "8.8.8.8"],
-          extraHosts: ["internal.service:10.0.0.5"],
-          binds: ["/var/run/docker.sock:/var/run/docker.sock", "/home/user/source:/source:rw"],
-        },
-        browser: {
-          enabled: false,
-          image: "openclaw-sandbox-browser:bookworm-slim",
-          containerPrefix: "openclaw-sbx-browser-",
-          cdpPort: 9222,
-          vncPort: 5900,
-          noVncPort: 6080,
-          headless: false,
-          enableNoVnc: true,
-          allowHostControl: false,
-          allowedControlUrls: ["http://10.0.0.42:18791"],
-          allowedControlHosts: ["browser.lab.local", "10.0.0.42"],
-          allowedControlPorts: [18791],
-          autoStart: true,
-          autoStartTimeoutMs: 12000,
-        },
-        prune: {
-          idleHours: 24, // 0 禁用空闲清理
-          maxAgeDays: 7, // 0 禁用最大存活时间清理
-        },
-      },
-    },
-  },
-  tools: {
-    sandbox: {
-      tools: {
-        allow: [
-          "exec",
-          "process",
-          "read",
-          "write",
-          "edit",
-          "apply_patch",
-          "sessions_list",
-          "sessions_history",
-          "sessions_send",
-          "sessions_spawn",
-          "session_status",
-        ],
-        deny: ["browser", "canvas", "nodes", "cron", "discord", "gateway"],
-      },
-    },
-  },
-}
-```
-
-首次构建默认沙箱镜像：
-
-```bash
-scripts/sandbox-setup.sh
-```
-
-注意：沙箱容器默认为 `network: "none"`；如果智能体需要出站访问，请将 `agents.defaults.sandbox.docker.network` 设为 `"bridge"`（或你的自定义网络）。
-
-注意：入站附件会暂存到活跃工作区的 `media/inbound/*` 中。使用 `workspaceAccess: "rw"` 时，文件会写入智能体工作区。
-
-注意：`docker.binds` 挂载额外的主机目录；全局和每智能体的 binds 会合并。
-
-构建可选的浏览器镜像：
-
-```bash
-scripts/sandbox-browser-setup.sh
-```
-
-当 `agents.defaults.sandbox.browser.enabled=true` 时，浏览器工具使用沙箱化的
-Chromium 实例（CDP）。如果启用了 noVNC（headless=false 时默认启用），
-noVNC URL 会注入系统提示中，以便智能体可以引用它。
-这不需要主配置中的 `browser.enabled`；沙箱控制 URL 按会话注入。
-
-`agents.defaults.sandbox.browser.allowHostControl`（默认：false）允许
-沙箱会话通过浏览器工具显式访问**主机**浏览器控制服务器
-（`target: "host"`）。如果你需要严格的沙箱隔离，请保持关闭。
-
-远程控制白名单：
-
-- `allowedControlUrls`：`target: "custom"` 允许的精确控制 URL。
-- `allowedControlHosts`：允许的主机名（仅主机名，无端口）。
-- `allowedControlPorts`：允许的端口（默认：http=80，https=443）。
-  默认：所有白名单未设置（无限制）。`allowHostControl` 默认为 false。
-
-### `models`（自定义提供商 + 基础 URL）
-
-OpenClaw 使用 **pi-coding-agent** 模型目录。你可以通过编写
-`~/.openclaw/agents/<agentId>/agent/models.json` 或在 OpenClaw 配置中的 `models.providers` 下定义相同的 schema 来添加自定义提供商（LiteLLM、本地 OpenAI 兼容服务器、Anthropic 代理等）。
-按提供商的概述 + 示例：[/concepts/model-providers](/concepts/model-providers)。
-
-当存在 `models.providers` 时，OpenClaw 在启动时将 `models.json` 写入/合并到
-`~/.openclaw/agents/<agentId>/agent/`：
-
-- 默认行为：**合并**（保留现有提供商，按名称覆盖）
-- 设为 `models.mode: "replace"` 覆盖文件内容
-
-通过 `agents.defaults.model.primary`（provider/model）选择模型。
-
-```json5
-{
-  agents: {
-    defaults: {
-      model: { primary: "custom-proxy/llama-3.1-8b" },
-      models: {
-        "custom-proxy/llama-3.1-8b": {},
-      },
-    },
-  },
-  models: {
-    mode: "merge",
-    providers: {
-      "custom-proxy": {
-        baseUrl: "http://localhost:4000/v1",
-        apiKey: "LITELLM_KEY",
-        api: "openai-completions",
-        models: [
-          {
-            id: "llama-3.1-8b",
-            name: "Llama 3.1 8B",
-            reasoning: false,
-            input: ["text"],
-            cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
-            contextWindow: 128000,
-            maxTokens: 32000,
-          },
-        ],
-      },
-    },
-  },
-}
-```
-
-### OpenCode Zen（多模型代理）
-
-OpenCode Zen 是一个具有每模型端点的多模型网关。OpenClaw 使用
-pi-ai 内置的 `opencode` 提供商；从 https://opencode.ai/auth 设置 `OPENCODE_API_KEY`（或
-`OPENCODE_ZEN_API_KEY`）。
-
-说明：
-
-- 模型引用使用 `opencode/<modelId>`（示例：`opencode/claude-opus-4-5`）。
-- 如果你通过 `agents.defaults.models` 启用白名单，请添加你计划使用的每个模型。
-- 快捷方式：`openclaw onboard --auth-choice opencode-zen`。
-
-```json5
-{
-  agents: {
-    defaults: {
-      model: { primary: "opencode/claude-opus-4-5" },
-      models: { "opencode/claude-opus-4-5": { alias: "Opus" } },
-    },
-  },
-}
-```
-
-### Z.AI（GLM-4.7）— 提供商别名支持
-
-Z.AI 模型通过内置的 `zai` 提供商提供。在环境中设置 `ZAI_API_KEY`
-并通过 provider/model 引用模型。
-
-快捷方式：`openclaw onboard --auth-choice zai-api-key`。
-
-```json5
-{
-  agents: {
-    defaults: {
-      model: { primary: "zai/glm-4.7" },
-      models: { "zai/glm-4.7": {} },
-    },
-  },
-}
-```
-
-说明：
-
-- `z.ai/*` 和 `z-ai/*` 是接受的别名，规范化为 `zai/*`。
-- 如果缺少 `ZAI_API_KEY`，对 `zai/*` 的请求将在运行时因认证错误失败。
-- 示例错误：`No API key found for provider "zai".`
-- Z.AI 的通用 API 端点是 `https://api.z.ai/api/paas/v4`。GLM 编码
-  请求使用专用编码端点 `https://api.z.ai/api/coding/paas/v4`。
-  内置的 `zai` 提供商使用编码端点。如果你需要通用
-  端点，请在 `models.providers` 中定义自定义提供商并覆盖基础 URL
-  （参见上方自定义提供商部分）。
-- 在文档/配置中使用假占位符；切勿提交真实 API 密钥。
-
-### Moonshot AI（Kimi）
-
-使用 Moonshot 的 OpenAI 兼容端点：
-
-```json5
-{
-  env: { MOONSHOT_API_KEY: "sk-..." },
-  agents: {
-    defaults: {
-      model: { primary: "moonshot/kimi-k2.5" },
-      models: { "moonshot/kimi-k2.5": { alias: "Kimi K2.5" } },
-    },
-  },
-  models: {
-    mode: "merge",
-    providers: {
-      moonshot: {
-        baseUrl: "https://api.moonshot.ai/v1",
-        apiKey: "${MOONSHOT_API_KEY}",
-        api: "openai-completions",
-        models: [
-          {
-            id: "kimi-k2.5",
-            name: "Kimi K2.5",
-            reasoning: false,
-            input: ["text"],
-            cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
-            contextWindow: 256000,
-            maxTokens: 8192,
-          },
-        ],
-      },
-    },
-  },
-}
-```
-
-说明：
-
-- 在环境中设置 `MOONSHOT_API_KEY` 或使用 `openclaw onboard --auth-choice moonshot-api-key`。
-- 模型引用：`moonshot/kimi-k2.5`。
-- 如需中国端点，使用 `https://api.moonshot.cn/v1`。
-
-### Kimi Coding
-
-使用 Moonshot AI 的 Kimi Coding 端点（Anthropic 兼容，内置提供商）：
-
-```json5
-{
-  env: { KIMI_API_KEY: "sk-..." },
-  agents: {
-    defaults: {
-      model: { primary: "kimi-coding/k2p5" },
-      models: { "kimi-coding/k2p5": { alias: "Kimi K2.5" } },
-    },
-  },
-}
-```
-
-说明：
-
-- 在环境中设置 `KIMI_API_KEY` 或使用 `openclaw onboard --auth-choice kimi-code-api-key`。
-- 模型引用：`kimi-coding/k2p5`。
-
-### Synthetic（Anthropic 兼容）
-
-使用 Synthetic 的 Anthropic 兼容端点：
-
-```json5
-{
-  env: { SYNTHETIC_API_KEY: "sk-..." },
-  agents: {
-    defaults: {
-      model: { primary: "synthetic/hf:MiniMaxAI/MiniMax-M2.1" },
-      models: { "synthetic/hf:MiniMaxAI/MiniMax-M2.1": { alias: "MiniMax M2.1" } },
-    },
-  },
-  models: {
-    mode: "merge",
-    providers: {
-      synthetic: {
-        baseUrl: "https://api.synthetic.new/anthropic",
-        apiKey: "${SYNTHETIC_API_KEY}",
-        api: "anthropic-messages",
-        models: [
-          {
-            id: "hf:MiniMaxAI/MiniMax-M2.1",
-            name: "MiniMax M2.1",
-            reasoning: false,
-            input: ["text"],
-            cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
-            contextWindow: 192000,
-            maxTokens: 65536,
-          },
-        ],
-      },
-    },
-  },
-}
-```
-
-说明：
-
-- 设置 `SYNTHETIC_API_KEY` 或使用 `openclaw onboard --auth-choice synthetic-api-key`。
-- 模型引用：`synthetic/hf:MiniMaxAI/MiniMax-M2.1`。
-- 基础 URL 应省略 `/v1`，因为 Anthropic 客户端会自动附加。
-
-### 本地模型（LM Studio）— 推荐设置
-
-参见 [/gateway/local-models](/gateway/local-models) 了解当前本地指南。简而言之：在高性能硬件上通过 LM Studio Responses API 运行 MiniMax M2.1；保留托管模型合并作为回退。
-
-### MiniMax M2.1
-
-不通过 LM Studio 直接使用 MiniMax M2.1：
-
-```json5
-{
-  agent: {
-    model: { primary: "minimax/MiniMax-M2.1" },
-    models: {
-      "anthropic/claude-opus-4-5": { alias: "Opus" },
-      "minimax/MiniMax-M2.1": { alias: "Minimax" },
-    },
-  },
-  models: {
-    mode: "merge",
-    providers: {
-      minimax: {
-        baseUrl: "https://api.minimax.io/anthropic",
-        apiKey: "${MINIMAX_API_KEY}",
-        api: "anthropic-messages",
-        models: [
-          {
-            id: "MiniMax-M2.1",
-            name: "MiniMax M2.1",
-            reasoning: false,
-            input: ["text"],
-            // 定价：如需精确费用跟踪，请在 models.json 中更新。
-            cost: { input: 15, output: 60, cacheRead: 2, cacheWrite: 10 },
-            contextWindow: 200000,
-            maxTokens: 8192,
-          },
-        ],
-      },
-    },
-  },
-}
-```
-
-说明：
-
-- 设置 `MINIMAX_API_KEY` 环境变量或使用 `openclaw onboard --auth-choice minimax-api`。
-- 可用模型：`MiniMax-M2.1`（默认）。
-- 如需精确费用跟踪，请在 `models.json` 中更新定价。
-
-### Cerebras（GLM 4.6 / 4.7）
-
-通过 Cerebras 的 OpenAI 兼容端点使用：
-
-```json5
-{
-  env: { CEREBRAS_API_KEY: "sk-..." },
-  agents: {
-    defaults: {
-      model: {
-        primary: "cerebras/zai-glm-4.7",
-        fallbacks: ["cerebras/zai-glm-4.6"],
-      },
-      models: {
-        "cerebras/zai-glm-4.7": { alias: "GLM 4.7 (Cerebras)" },
-        "cerebras/zai-glm-4.6": { alias: "GLM 4.6 (Cerebras)" },
-      },
-    },
-  },
-  models: {
-    mode: "merge",
-    providers: {
-      cerebras: {
-        baseUrl: "https://api.cerebras.ai/v1",
-        apiKey: "${CEREBRAS_API_KEY}",
-        api: "openai-completions",
-        models: [
-          { id: "zai-glm-4.7", name: "GLM 4.7 (Cerebras)" },
-          { id: "zai-glm-4.6", name: "GLM 4.6 (Cerebras)" },
-        ],
-      },
-    },
-  },
-}
-```
-
-说明：
-
-- Cerebras 使用 `cerebras/zai-glm-4.7`；Z.AI 直连使用 `zai/glm-4.7`。
-- 在环境或配置中设置 `CEREBRAS_API_KEY`。
-
-说明：
-
-- 支持的 API：`openai-completions`、`openai-responses`、`anthropic-messages`、
-  `google-generative-ai`
-- 对于自定义认证需求使用 `authHeader: true` + `headers`。
-- 如果你希望 `models.json` 存储在其他位置，请使用 `OPENCLAW_AGENT_DIR`（或 `PI_CODING_AGENT_DIR`）覆盖智能体配置根目录（默认：`~/.openclaw/agents/main/agent`）。
-
-### `session`
-
-控制会话作用域、重置策略、重置触发器以及会话存储的写入位置。
-
-```json5
-{
-  session: {
-    scope: "per-sender",
-    dmScope: "main",
-    identityLinks: {
-      alice: ["telegram:123456789", "discord:987654321012345678"],
-    },
-    reset: {
-      mode: "daily",
-      atHour: 4,
-      idleMinutes: 60,
-    },
-    resetByType: {
-      thread: { mode: "daily", atHour: 4 },
-      dm: { mode: "idle", idleMinutes: 240 },
-      group: { mode: "idle", idleMinutes: 120 },
-    },
-    resetTriggers: ["/new", "/reset"],
-    // 默认已按智能体存储在 ~/.openclaw/agents/<agentId>/sessions/sessions.json
-    // 你可以使用 {agentId} 模板进行覆盖：
-    store: "~/.openclaw/agents/{agentId}/sessions/sessions.json",
-    // 私聊折叠到 agent:<agentId>:<mainKey>（默认："main"）。
-    mainKey: "main",
-    agentToAgent: {
-      // 请求者/目标之间的最大乒乓回复轮次（0–5）。
-      maxPingPongTurns: 5,
-    },
-    sendPolicy: {
-      rules: [{ action: "deny", match: { channel: "discord", chatType: "group" } }],
-      default: "allow",
-    },
-  },
-}
-```
-
-字段：
-
-- `mainKey`：私聊桶键（默认：`"main"`）。当你想"重命名"主私聊线程而不更改 `agentId` 时有用。
-  - 沙箱说明：`agents.defaults.sandbox.mode: "non-main"` 使用此键检测主会话。任何不匹配 `mainKey` 的会话键（群组/频道）都会被沙箱化。
-- `dmScope`：私聊会话如何分组（默认：`"main"`）。
-  - `main`：所有私聊共享主会话以保持连续性。
-  - `per-peer`：按发送者 id 跨渠道隔离私聊。
-  - `per-channel-peer`：按渠道 + 发送者隔离私聊（推荐用于多用户收件箱）。
-  - `per-account-channel-peer`：按账号 + 渠道 + 发送者隔离私聊（推荐用于多账号收件箱）。
-- `identityLinks`：将规范 id 映射到提供商前缀的对等方，以便在使用 `per-peer`、`per-channel-peer` 或 `per-account-channel-peer` 时同一人跨渠道共享私聊会话。
-  - 示例：`alice: ["telegram:123456789", "discord:987654321012345678"]`。
-- `reset`：主重置策略。默认为 Gateway 网关主机上本地时间凌晨 4:00 每日重置。
-  - `mode`：`daily` 或 `idle`（当存在 `reset` 时默认：`daily`）。
-  - `atHour`：本地小时（0-23）作为每日重置边界。
-  - `idleMinutes`：滑动空闲窗口（分钟）。当 daily + idle 都配置时，先到期的获胜。
-- `resetByType`：`dm`、`group` 和 `thread` 的每会话覆盖。
-  - 如果你只设置了旧版 `session.idleMinutes` 而没有任何 `reset`/`resetByType`，OpenClaw 保持仅空闲模式以向后兼容。
-- `heartbeatIdleMinutes`：可选的心跳检查空闲覆盖（启用时每日重置仍然适用）。
-- `agentToAgent.maxPingPongTurns`：请求者/目标之间的最大回复轮次（0–5，默认 5）。
-- `sendPolicy.default`：无规则匹配时的 `allow` 或 `deny` 回退。
-- `sendPolicy.rules[]`：按 `channel`、`chatType`（`direct|group|room`）或 `keyPrefix`（例如 `cron:`）匹配。第一个 deny 获胜；否则 allow。
-
-### `skills`（Skills 配置）
-
-控制内置白名单、安装偏好、额外 Skills 文件夹和每 Skills 覆盖。适用于**内置**Skills 和 `~/.openclaw/skills`（工作区 Skills 在名称冲突时仍然优先）。
-
-字段：
-
-- `allowBundled`：可选的**仅内置**Skills 白名单。如果设置，仅那些内置 Skills 符合条件（管理/工作区 Skills 不受影响）。
-- `load.extraDirs`：额外要扫描的 Skills 目录（最低优先级）。
-- `install.preferBrew`：可用时优先使用 brew 安装程序（默认：true）。
-- `install.nodeManager`：node 安装偏好（`npm` | `pnpm` | `yarn`，默认：npm）。
-- `entries.<skillKey>`：每 Skills 配置覆盖。
-
-每 Skills 字段：
-
-- `enabled`：设为 `false` 禁用 Skills，即使它是内置/已安装的。
-- `env`：为智能体运行注入的环境变量（仅在尚未设置时）。
-- `apiKey`：对于声明了主环境变量的 Skills 的可选便利字段（例如 `nano-banana-pro` → `GEMINI_API_KEY`）。
-
-示例：
-
-```json5
-{
   skills: {
-    allowBundled: ["gemini", "peekaboo"],
-    load: {
-      extraDirs: ["~/Projects/agent-scripts/skills", "~/Projects/oss/some-skill-pack/skills"],
-    },
-    install: {
-      preferBrew: true,
-      nodeManager: "npm",
-    },
     entries: {
       "nano-banana-pro": {
-        apiKey: "GEMINI_KEY_HERE",
-        env: {
-          GEMINI_API_KEY: "GEMINI_KEY_HERE",
-        },
-      },
-      peekaboo: { enabled: true },
-      sag: { enabled: false },
-    },
-  },
-}
-```
-
-### `plugins`（扩展）
-
-控制插件发现、允许/拒绝和每插件配置。插件从 `~/.openclaw/extensions`、`<workspace>/.openclaw/extensions` 以及任何 `plugins.load.paths` 条目加载。**配置更改需要重启 Gateway 网关。**
-参见 [/plugin](/tools/plugin) 了解详情。
-
-字段：
-
-- `enabled`：插件加载的主开关（默认：true）。
-- `allow`：可选的插件 id 白名单；设置后仅加载列出的插件。
-- `deny`：可选的插件 id 拒绝列表（deny 优先）。
-- `load.paths`：要加载的额外插件文件或目录（绝对路径或 `~`）。
-- `entries.<pluginId>`：每插件覆盖。
-  - `enabled`：设为 `false` 禁用。
-  - `config`：插件特定的配置对象（如果提供，由插件验证）。
-
-示例：
-
-```json5
-{
-  plugins: {
-    enabled: true,
-    allow: ["voice-call"],
-    load: {
-      paths: ["~/Projects/oss/voice-call-extension"],
-    },
-    entries: {
-      "voice-call": {
-        enabled: true,
-        config: {
-          provider: "twilio",
+        apiKey: {
+          source: "file",
+          provider: "filemain",
+          id: "/skills/entries/nano-banana-pro/apiKey",
         },
       },
     },
   },
-}
-```
-
-### `browser`（OpenClaw 管理的浏览器）
-
-OpenClaw 可以为 OpenClaw 启动一个**专用、隔离的** Chrome/Brave/Edge/Chromium 实例并暴露一个小型 local loopback 控制服务。
-配置文件可以通过 `profiles.<name>.cdpUrl` 指向**远程** Chromium 浏览器。远程配置文件为仅附加模式（start/stop/reset 被禁用）。
-
-`browser.cdpUrl` 保留用于旧版单配置文件配置，以及作为仅设置 `cdpPort` 的配置文件的基础 scheme/host。
-
-默认值：
-
-- enabled：`true`
-- evaluateEnabled：`true`（设为 `false` 禁用 `act:evaluate` 和 `wait --fn`）
-- 控制服务：仅 local loopback（端口从 `gateway.port` 派生，默认 `18791`）
-- CDP URL：`http://127.0.0.1:18792`（控制服务 + 1，旧版单配置文件）
-- 配置文件颜色：`#FF4500`（龙虾橙）
-- 注意：控制服务器由运行中的 Gateway 网关（OpenClaw.app 菜单栏或 `openclaw gateway`）启动。
-- 自动检测顺序：如果为 Chromium 内核则使用默认浏览器；否则 Chrome → Brave → Edge → Chromium → Chrome Canary。
-
-```json5
-{
-  browser: {
-    enabled: true,
-    evaluateEnabled: true,
-    // cdpUrl: "http://127.0.0.1:18792", // 旧版单配置文件覆盖
-    defaultProfile: "chrome",
-    profiles: {
-      openclaw: { cdpPort: 18800, color: "#FF4500" },
-      work: { cdpPort: 18801, color: "#0066CC" },
-      remote: { cdpUrl: "http://10.0.0.42:9222", color: "#00AA00" },
-    },
-    color: "#FF4500",
-    // 高级：
-    // headless: false,
-    // noSandbox: false,
-    // executablePath: "/Applications/Brave Browser.app/Contents/MacOS/Brave Browser",
-    // attachOnly: false, // 将远程 CDP 隧道到 localhost 时设为 true
-  },
-}
-```
-
-### `ui`（外观）
-
-原生应用用于 UI 外观的可选强调色（例如 Talk 模式气泡着色）。
-
-如果未设置，客户端回退到柔和的浅蓝色。
-
-```json5
-{
-  ui: {
-    seamColor: "#FF4500", // 十六进制（RRGGBB 或 #RRGGBB）
-    // 可选：控制台 UI 助手身份覆盖。
-    // 如果未设置，控制台 UI 使用活跃智能体的身份（配置或 IDENTITY.md）。
-    assistant: {
-      name: "OpenClaw",
-      avatar: "CB", // 表情、短文本，或图片 URL/data URI
-    },
-  },
-}
-```
-
-### `gateway`（Gateway 网关服务器模式 + 绑定）
-
-使用 `gateway.mode` 明确声明此机器是否应运行 Gateway 网关。
-
-默认值：
-
-- mode：**未设置**（视为"不自动启动"）
-- bind：`loopback`
-- port：`18789`（WS + HTTP 单端口）
-
-```json5
-{
-  gateway: {
-    mode: "local", // 或 "remote"
-    port: 18789, // WS + HTTP 多路复用
-    bind: "loopback",
-    // controlUi: { enabled: true, basePath: "/openclaw" }
-    // auth: { mode: "token", token: "your-token" } // token 控制 WS + 控制台 UI 访问
-    // tailscale: { mode: "off" | "serve" | "funnel" }
-  },
-}
-```
-
-控制台 UI 基础路径：
-
-- `gateway.controlUi.basePath` 设置控制台 UI 提供服务的 URL 前缀。
-- 示例：`"/ui"`、`"/openclaw"`、`"/apps/openclaw"`。
-- 默认：根路径（`/`）（不变）。
-- `gateway.controlUi.root` 设置控制台 UI 资产的文件系统根目录（默认：`dist/control-ui`）。
-- `gateway.controlUi.allowInsecureAuth` 允许在省略设备身份时对控制台 UI 进行仅 token 认证（通常通过 HTTP）。默认：`false`。建议使用 HTTPS（Tailscale Serve）或 `127.0.0.1`。
-- `gateway.controlUi.dangerouslyDisableDeviceAuth` 禁用控制台 UI 的设备身份检查（仅 token/密码）。默认：`false`。仅用于紧急情况。
-
-相关文档：
-
-- [控制台 UI](/web/control-ui)
-- [Web 概述](/web)
-- [Tailscale](/gateway/tailscale)
-- [远程访问](/gateway/remote)
-
-信任的代理：
-
-- `gateway.trustedProxies`：在 Gateway 网关前面终止 TLS 的反向代理 IP 列表。
-- 当连接来自这些 IP 之一时，OpenClaw 使用 `x-forwarded-for`（或 `x-real-ip`）来确定客户端 IP，用于本地配对检查和 HTTP 认证/本地检查。
-- 仅列出你完全控制的代理，并确保它们**覆盖**传入的 `x-forwarded-for`。
-
-说明：
-
-- `openclaw gateway` 拒绝启动，除非 `gateway.mode` 设为 `local`（或你传递了覆盖标志）。
-- `gateway.port` 控制用于 WebSocket + HTTP（控制台 UI、hooks、A2UI）的单一多路复用端口。
-- OpenAI Chat Completions 端点：**默认禁用**；通过 `gateway.http.endpoints.chatCompletions.enabled: true` 启用。
-- 优先级：`--port` > `OPENCLAW_GATEWAY_PORT` > `gateway.port` > 默认 `18789`。
-- 默认需要 Gateway 网关认证（token/密码或 Tailscale Serve 身份）。非 local loopback 绑定需要共享 token/密码。
-- 新手引导向导默认生成 gateway token（即使在 local loopback 上）。
-- `gateway.remote.token` **仅**用于远程 CLI 调用；它不启用本地 gateway 认证。`gateway.token` 被忽略。
-
-认证和 Tailscale：
-
-- `gateway.auth.mode` 设置握手要求（`token` 或 `password`）。未设置时，假定 token 认证。
-- `gateway.auth.token` 存储 token 认证的共享 token（同一机器上的 CLI 使用）。
-- 当设置了 `gateway.auth.mode` 时，仅接受该方法（加上可选的 Tailscale 头部）。
-- `gateway.auth.password` 可在此设置，或通过 `OPENCLAW_GATEWAY_PASSWORD`（推荐）。
-- `gateway.auth.allowTailscale` 允许 Tailscale Serve 身份头部
-  （`tailscale-user-login`）在请求通过 local loopback 到达且带有 `x-forwarded-for`、
-  `x-forwarded-proto` 和 `x-forwarded-host` 时满足认证。OpenClaw 在接受之前
-  通过 `tailscale whois` 解析 `x-forwarded-for` 地址来验证身份。为 `true` 时，
-  Serve 请求不需要 token/密码；设为 `false` 要求显式凭据。当
-  `tailscale.mode = "serve"` 且认证模式不是 `password` 时默认为 `true`。
-- `gateway.tailscale.mode: "serve"` 使用 Tailscale Serve（仅 tailnet，local loopback 绑定）。
-- `gateway.tailscale.mode: "funnel"` 公开暴露仪表板；需要认证。
-- `gateway.tailscale.resetOnExit` 在关闭时重置 Serve/Funnel 配置。
-
-远程客户端默认值（CLI）：
-
-- `gateway.remote.url` 设置 `gateway.mode = "remote"` 时 CLI 调用的默认 Gateway 网关 WebSocket URL。
-- `gateway.remote.transport` 选择 macOS 远程传输（`ssh` 默认，`direct` 用于 ws/wss）。使用 `direct` 时，`gateway.remote.url` 必须为 `ws://` 或 `wss://`。`ws://host` 默认端口 `18789`。
-- `gateway.remote.token` 提供远程调用的 token（不需要认证时留空）。
-- `gateway.remote.password` 提供远程调用的密码（不需要认证时留空）。
-
-macOS 应用行为：
-
-- OpenClaw.app 监视 `~/.openclaw/openclaw.json`，当 `gateway.mode` 或 `gateway.remote.url` 变更时实时切换模式。
-- 如果 `gateway.mode` 未设置但 `gateway.remote.url` 已设置，macOS 应用将其视为远程模式。
-- 当你在 macOS 应用中更改连接模式时，它会将 `gateway.mode`（以及远程模式下的 `gateway.remote.url` + `gateway.remote.transport`）写回配置文件。
-
-```json5
-{
-  gateway: {
-    mode: "remote",
-    remote: {
-      url: "ws://gateway.tailnet:18789",
-      token: "your-token",
-      password: "your-password",
-    },
-  },
-}
-```
-
-直连传输示例（macOS 应用）：
-
-```json5
-{
-  gateway: {
-    mode: "remote",
-    remote: {
-      transport: "direct",
-      url: "wss://gateway.example.ts.net",
-      token: "your-token",
-    },
-  },
-}
-```
-
-### `gateway.reload`（配置热重载）
-
-Gateway 网关监视 `~/.openclaw/openclaw.json`（或 `OPENCLAW_CONFIG_PATH`）并自动应用更改。
-
-模式：
-
-- `hybrid`（默认）：安全更改热应用；关键更改重启 Gateway 网关。
-- `hot`：仅应用热安全更改；需要重启时记录日志。
-- `restart`：任何配置更改都重启 Gateway 网关。
-- `off`：禁用热重载。
-
-```json5
-{
-  gateway: {
-    reload: {
-      mode: "hybrid",
-      debounceMs: 300,
-    },
-  },
-}
-```
-
-#### 热重载矩阵（文件 + 影响）
-
-监视的文件：
-
-- `~/.openclaw/openclaw.json`（或 `OPENCLAW_CONFIG_PATH`）
-
-热应用（无需完全重启 Gateway 网关）：
-
-- `hooks`（webhook 认证/路径/映射）+ `hooks.gmail`（Gmail 监视器重启）
-- `browser`（浏览器控制服务器重启）
-- `cron`（cron 服务重启 + 并发更新）
-- `agents.defaults.heartbeat`（心跳运行器重启）
-- `web`（WhatsApp Web 渠道重启）
-- `telegram`、`discord`、`signal`、`imessage`（渠道重启）
-- `agent`、`models`、`routing`、`messages`、`session`、`whatsapp`、`logging`、`skills`、`ui`、`talk`、`identity`、`wizard`（动态读取）
-
-需要完全重启 Gateway 网关：
-
-- `gateway`（端口/绑定/认证/控制台 UI/tailscale）
-- `bridge`（旧版）
-- `discovery`
-- `canvasHost`
-- `plugins`
-- 任何未知/不支持的配置路径（为安全默认重启）
-
-### 多实例隔离
-
-要在一台主机上运行多个 Gateway 网关（用于冗余或救援机器人），请隔离每个实例的状态 + 配置并使用唯一端口：
-
-- `OPENCLAW_CONFIG_PATH`（每实例配置）
-- `OPENCLAW_STATE_DIR`（会话/凭据）
-- `agents.defaults.workspace`（记忆）
-- `gateway.port`（每实例唯一）
-
-便利标志（CLI）：
-
-- `openclaw --dev …` → 使用 `~/.openclaw-dev` + 端口从基础 `19001` 偏移
-- `openclaw --profile <name> …` → 使用 `~/.openclaw-<name>`（端口通过配置/环境变量/标志）
-
-参见 [Gateway 网关运维手册](/gateway) 了解派生的端口映射（gateway/browser/canvas）。
-参见[多 Gateway 网关](/gateway/multiple-gateways) 了解浏览器/CDP 端口隔离细节。
-
-示例：
-
-```bash
-OPENCLAW_CONFIG_PATH=~/.openclaw/a.json \
-OPENCLAW_STATE_DIR=~/.openclaw-a \
-openclaw gateway --port 19001
-```
-
-### `hooks`（Gateway 网关 webhook）
-
-在 Gateway 网关 HTTP 服务器上启用简单的 HTTP webhook 端点。
-
-默认值：
-
-- enabled：`false`
-- path：`/hooks`
-- maxBodyBytes：`262144`（256 KB）
-
-```json5
-{
-  hooks: {
-    enabled: true,
-    token: "shared-secret",
-    path: "/hooks",
-    presets: ["gmail"],
-    transformsDir: "~/.openclaw/hooks",
-    mappings: [
-      {
-        match: { path: "gmail" },
-        action: "agent",
-        wakeMode: "now",
-        name: "Gmail",
-        sessionKey: "hook:gmail:{{messages[0].id}}",
-        messageTemplate: "From: {{messages[0].from}}\nSubject: {{messages[0].subject}}\n{{messages[0].snippet}}",
-        deliver: true,
-        channel: "last",
-        model: "openai/gpt-5.2-mini",
+  channels: {
+    googlechat: {
+      serviceAccountRef: {
+        source: "exec",
+        provider: "vault",
+        id: "channels/googlechat/serviceAccount",
       },
-    ],
-  },
-}
-```
-
-请求必须包含 hook token：
-
-- `Authorization: Bearer <token>` **或**
-- `x-openclaw-token: <token>` **或**
-- `?token=<token>`
-
-端点：
-
-- `POST /hooks/wake` → `{ text, mode?: "now"|"next-heartbeat" }`
-- `POST /hooks/agent` → `{ message, name?, sessionKey?, wakeMode?, deliver?, channel?, to?, model?, thinking?, timeoutSeconds? }`
-- `POST /hooks/<name>` → 通过 `hooks.mappings` 解析
-
-`/hooks/agent` 始终将摘要发布到主会话（并可通过 `wakeMode: "now"` 可选地触发即时心跳）。
-
-映射说明：
-
-- `match.path` 匹配 `/hooks` 之后的子路径（例如 `/hooks/gmail` → `gmail`）。
-- `match.source` 匹配负载字段（例如 `{ source: "gmail" }`），以便使用通用的 `/hooks/ingest` 路径。
-- `{{messages[0].subject}}` 等模板从负载中读取。
-- `transform` 可以指向返回 hook 动作的 JS/TS 模块。
-- `deliver: true` 将最终回复发送到渠道；`channel` 默认为 `last`（回退到 WhatsApp）。
-- 如果没有先前的投递路由，请显式设置 `channel` + `to`（Telegram/Discord/Google Chat/Slack/Signal/iMessage/MS Teams 必需）。
-- `model` 覆盖此 hook 运行的 LLM（`provider/model` 或别名；如果设置了 `agents.defaults.models` 则必须被允许）。
-
-Gmail 辅助配置（由 `openclaw webhooks gmail setup` / `run` 使用）：
-
-```json5
-{
-  hooks: {
-    gmail: {
-      account: "openclaw@gmail.com",
-      topic: "projects/<project-id>/topics/gog-gmail-watch",
-      subscription: "gog-gmail-watch-push",
-      pushToken: "shared-push-token",
-      hookUrl: "http://127.0.0.1:18789/hooks/gmail",
-      includeBody: true,
-      maxBytes: 20000,
-      renewEveryMinutes: 720,
-      serve: { bind: "127.0.0.1", port: 8788, path: "/" },
-      tailscale: { mode: "funnel", path: "/gmail-pubsub" },
-
-      // 可选：为 Gmail hook 处理使用更便宜的模型
-      // 在认证/速率限制/超时时回退到 agents.defaults.model.fallbacks，然后 primary
-      model: "openrouter/meta-llama/llama-3.3-70b-instruct:free",
-      // 可选：Gmail hook 的默认思考级别
-      thinking: "off",
     },
   },
 }
 ```
 
-Gmail hook 的模型覆盖：
+SecretRef 详情（包括 `env`/`file`/`exec` 的 `secrets.providers`）请参阅 [Secrets Management](/gateway/secrets)。
+支持的凭证路径列在 [SecretRef Credential Surface](/reference/secretref-credential-surface) 中。
+</Accordion>
 
-- `hooks.gmail.model` 指定用于 Gmail hook 处理的模型（默认为会话主模型）。
-- 接受 `provider/model` 引用或来自 `agents.defaults.models` 的别名。
-- 在认证/速率限制/超时时回退到 `agents.defaults.model.fallbacks`，然后 `agents.defaults.model.primary`。
-- 如果设置了 `agents.defaults.models`，请将 hooks 模型包含在白名单中。
-- 启动时，如果配置的模型不在模型目录或白名单中，会发出警告。
-- `hooks.gmail.thinking` 设置 Gmail hook 的默认思考级别，被每 hook 的 `thinking` 覆盖。
+有关完整优先级和来源，请参阅 [Environment](/help/environment)。
 
-Gateway 网关自动启动：
+## 完整参考
 
-- 如果 `hooks.enabled=true` 且 `hooks.gmail.account` 已设置，Gateway 网关在启动时
-  启动 `gog gmail watch serve` 并自动续期监视。
-- 设置 `OPENCLAW_SKIP_GMAIL_WATCHER=1` 禁用自动启动（用于手动运行）。
-- 避免在 Gateway 网关旁边单独运行 `gog gmail watch serve`；它会
-  因 `listen tcp 127.0.0.1:8788: bind: address already in use` 而失败。
-
-注意：当 `tailscale.mode` 开启时，OpenClaw 将 `serve.path` 默认为 `/`，以便
-Tailscale 可以正确代理 `/gmail-pubsub`（它会去除设置的路径前缀）。
-如果你需要后端接收带前缀的路径，请将
-`hooks.gmail.tailscale.target` 设为完整 URL（并对齐 `serve.path`）。
-
-### `canvasHost`（LAN/tailnet Canvas 文件服务器 + 实时重载）
-
-Gateway 网关通过 HTTP 提供 HTML/CSS/JS 目录服务，以便 iOS/Android 节点可以简单地 `canvas.navigate` 到它。
-
-默认根目录：`~/.openclaw/workspace/canvas`
-默认端口：`18793`（选择此端口以避免 OpenClaw 浏览器 CDP 端口 `18792`）
-服务器监听 **Gateway 网关绑定主机**（LAN 或 Tailnet），以便节点可以访问。
-
-服务器：
-
-- 提供 `canvasHost.root` 下的文件
-- 向提供的 HTML 注入微型实时重载客户端
-- 监视目录并通过 `/__openclaw__/ws` 的 WebSocket 端点广播重载
-- 目录为空时自动创建起始 `index.html`（以便你立即看到内容）
-- 同时在 `/__openclaw__/a2ui/` 提供 A2UI，并作为 `canvasHostUrl` 通告给节点
-  （节点始终使用它来访问 Canvas/A2UI）
-
-如果目录很大或遇到 `EMFILE`，请禁用实时重载（和文件监视）：
-
-- 配置：`canvasHost: { liveReload: false }`
-
-```json5
-{
-  canvasHost: {
-    root: "~/.openclaw/workspace/canvas",
-    port: 18793,
-    liveReload: true,
-  },
-}
-```
-
-`canvasHost.*` 的更改需要重启 Gateway 网关（配置重载会触发重启）。
-
-禁用方式：
-
-- 配置：`canvasHost: { enabled: false }`
-- 环境变量：`OPENCLAW_SKIP_CANVAS_HOST=1`
-
-### `bridge`（旧版 TCP 桥接，已移除）
-
-当前版本不再包含 TCP 桥接监听器；`bridge.*` 配置键会被忽略。
-节点通过 Gateway 网关 WebSocket 连接。此部分仅保留供历史参考。
-
-旧版行为：
-
-- Gateway 网关可以为节点（iOS/Android）暴露简单的 TCP 桥接，通常在端口 `18790`。
-
-默认值：
-
-- enabled：`true`
-- port：`18790`
-- bind：`lan`（绑定到 `0.0.0.0`）
-
-绑定模式：
-
-- `lan`：`0.0.0.0`（可通过任何接口访问，包括 LAN/Wi‑Fi 和 Tailscale）
-- `tailnet`：仅绑定到机器的 Tailscale IP（推荐用于跨地域访问）
-- `loopback`：`127.0.0.1`（仅本地）
-- `auto`：如果存在 tailnet IP 则优先使用，否则 `lan`
-
-TLS：
-
-- `bridge.tls.enabled`：为桥接连接启用 TLS（启用时仅 TLS）。
-- `bridge.tls.autoGenerate`：当无证书/密钥时生成自签名证书（默认：true）。
-- `bridge.tls.certPath` / `bridge.tls.keyPath`：桥接证书 + 私钥的 PEM 路径。
-- `bridge.tls.caPath`：可选的 PEM CA 捆绑包（自定义根证书或未来的 mTLS）。
-
-启用 TLS 后，Gateway 网关在发现 TXT 记录中通告 `bridgeTls=1` 和 `bridgeTlsSha256`，以便节点可以固定证书。如果尚未存储指纹，手动连接使用首次信任。
-自动生成的证书需要 PATH 中有 `openssl`；如果生成失败，桥接不会启动。
-
-```json5
-{
-  bridge: {
-    enabled: true,
-    port: 18790,
-    bind: "tailnet",
-    tls: {
-      enabled: true,
-      // 省略时使用 ~/.openclaw/bridge/tls/bridge-{cert,key}.pem。
-      // certPath: "~/.openclaw/bridge/tls/bridge-cert.pem",
-      // keyPath: "~/.openclaw/bridge/tls/bridge-key.pem"
-    },
-  },
-}
-```
-
-### `discovery.mdns`（Bonjour / mDNS 广播模式）
-
-控制 LAN mDNS 发现广播（`_openclaw-gw._tcp`）。
-
-- `minimal`（默认）：从 TXT 记录中省略 `cliPath` + `sshPort`
-- `full`：在 TXT 记录中包含 `cliPath` + `sshPort`
-- `off`：完全禁用 mDNS 广播
-- 主机名：默认为 `openclaw`（通告 `openclaw.local`）。通过 `OPENCLAW_MDNS_HOSTNAME` 覆盖。
-
-```json5
-{
-  discovery: { mdns: { mode: "minimal" } },
-}
-```
-
-### `discovery.wideArea`（广域 Bonjour / 单播 DNS‑SD）
-
-启用后，Gateway 网关在 `~/.openclaw/dns/` 下使用配置的发现域（示例：`openclaw.internal.`）为 `_openclaw-gw._tcp` 写入单播 DNS-SD 区域。
-
-要使 iOS/Android 跨网络发现（跨地域访问），请配合以下使用：
-
-- 在 Gateway 网关主机上运行 DNS 服务器，为你选择的域名提供服务（推荐 CoreDNS）
-- Tailscale **split DNS**，使客户端通过 Gateway 网关 DNS 服务器解析该域名
-
-一次性设置助手（Gateway 网关主机）：
-
-```bash
-openclaw dns setup --apply
-```
-
-```json5
-{
-  discovery: { wideArea: { enabled: true } },
-}
-```
-
-## 模板变量
-
-模板占位符在 `tools.media.*.models[].args` 和 `tools.media.models[].args`（以及未来任何模板化参数字段）中展开。
-
-| 变量               | 描述                                                  |
-| ------------------ | ----------------------------------------------------- | -------- | ------- | ---------- | ----- | ------ | -------- | ------- | ------- | --- |
-| `{{Body}}`         | 完整的入站消息正文                                    |
-| `{{RawBody}}`      | 原始入站消息正文（无历史/发送者包装；最适合命令解析） |
-| `{{BodyStripped}}` | 去除群组提及的正文（最适合智能体的默认值）            |
-| `{{From}}`         | 发送者标识符（WhatsApp 为 E.164；按渠道可能不同）     |
-| `{{To}}`           | 目标标识符                                            |
-| `{{MessageSid}}`   | 渠道消息 id（如果可用）                               |
-| `{{SessionId}}`    | 当前会话 UUID                                         |
-| `{{IsNewSession}}` | 创建新会话时为 `"true"`                               |
-| `{{MediaUrl}}`     | 入站媒体伪 URL（如果存在）                            |
-| `{{MediaPath}}`    | 本地媒体路径（如果已下载）                            |
-| `{{MediaType}}`    | 媒体类型（image/audio/document/…）                    |
-| `{{Transcript}}`   | 音频转录（启用时）                                    |
-| `{{Prompt}}`       | CLI 条目的已解析媒体提示                              |
-| `{{MaxChars}}`     | CLI 条目的已解析最大输出字符数                        |
-| `{{ChatType}}`     | `"direct"` 或 `"group"`                               |
-| `{{GroupSubject}}` | 群组主题（尽力而为）                                  |
-| `{{GroupMembers}}` | 群组成员预览（尽力而为）                              |
-| `{{SenderName}}`   | 发送者显示名称（尽力而为）                            |
-| `{{SenderE164}}`   | 发送者电话号码（尽力而为）                            |
-| `{{Provider}}`     | 提供商提示（whatsapp                                  | telegram | discord | googlechat | slack | signal | imessage | msteams | webchat | …） |
-
-## Cron（Gateway 网关调度器）
-
-Cron 是 Gateway 网关自有的唤醒和定时任务调度器。参见 [Cron 任务](/automation/cron-jobs) 了解功能概述和 CLI 示例。
-
-```json5
-{
-  cron: {
-    enabled: true,
-    maxConcurrentRuns: 2,
-  },
-}
-```
+有关逐字段的完整参考，请参阅 **[Configuration Reference](/gateway/configuration-reference)**。
 
 ---
 
-_下一步：[智能体运行时](/concepts/agent)_ 🦞
+_相关内容：[Configuration Examples](/gateway/configuration-examples) · [Configuration Reference](/gateway/configuration-reference) · [Doctor](/gateway/doctor)_
diff --git a/docs/zh-CN/gateway/local-models.md b/docs/zh-CN/gateway/local-models.md
index c1cd9e3c29e..0f740aeef2e 100644
--- a/docs/zh-CN/gateway/local-models.md
+++ b/docs/zh-CN/gateway/local-models.md
@@ -1,35 +1,37 @@
 ---
 read_when:
-  - 你想从自己的 GPU 机器提供模型服务
-  - 你正在配置 LM Studio 或 OpenAI 兼容代理
+  - 你想从自己的 GPU 主机提供模型服务
+  - 你正在接入 LM Studio 或兼容 OpenAI 的代理
   - 你需要最安全的本地模型指南
 summary: 在本地 LLM 上运行 OpenClaw（LM Studio、vLLM、LiteLLM、自定义 OpenAI 端点）
 title: 本地模型
 x-i18n:
-  generated_at: "2026-02-03T07:48:15Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: f72b424c3d8986319868dc4c552596bcd599cc79fab5a57c14bf4f0695c39690
+  generated_at: "2026-03-16T06:22:54Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 43ad6b91216e12be4d0c9395c981e0b5d8bd16ba4952efd02b7261052304a4ce
   source_path: gateway/local-models.md
   workflow: 15
 ---
 
 # 本地模型
 
-本地运行是可行的，但 OpenClaw 期望大上下文 + 强大的提示注入防御。小显存会截断上下文并泄露安全性。目标要高：**≥2 台满配 Mac Studio 或同等 GPU 配置（约 $30k+）**。单张 **24 GB** GPU 仅适用于较轻的提示，且延迟更高。使用**你能运行的最大/完整尺寸模型变体**；激进量化或"小型"检查点会增加提示注入风险（参见[安全](/gateway/security)）。
+本地部署是可行的，但 OpenClaw 需要大上下文和对提示注入的强防御能力。小显卡会截断上下文并削弱安全性。目标要高：**至少 2 台满配 Mac Studio 或同等 GPU 设备（约 3 万美元以上）**。单张 **24 GB** GPU 仅适用于较轻的提示，且延迟更高。请使用**你能运行的最大 / 完整尺寸模型变体**；激进量化或“small”检查点会提高提示注入风险（见 [安全](/gateway/security)）。
 
-## 推荐：LM Studio + MiniMax M2.1（Responses API，完整尺寸）
+如果你想要摩擦最小的本地设置，请从 [Ollama](/providers/ollama) 和 `openclaw onboard` 开始。本页是面向更高端本地栈和自定义兼容 OpenAI 的本地服务器的偏好型指南。
 
-当前最佳本地堆栈。在 LM Studio 中加载 MiniMax M2.1，启用本地服务器（默认 `http://127.0.0.1:1234`），并使用 Responses API 将推理与最终文本分开。
+## 推荐：LM Studio + MiniMax M2.5（Responses API，完整尺寸）
+
+当前最佳的本地栈。先在 LM Studio 中加载 MiniMax M2.5，启用本地服务器（默认 `http://127.0.0.1:1234`），然后使用 Responses API 将推理与最终文本分离。
 
 ```json5
 {
   agents: {
     defaults: {
-      model: { primary: "lmstudio/minimax-m2.1-gs32" },
+      model: { primary: "lmstudio/minimax-m2.5-gs32" },
       models: {
-        "anthropic/claude-opus-4-5": { alias: "Opus" },
-        "lmstudio/minimax-m2.1-gs32": { alias: "Minimax" },
+        "anthropic/claude-opus-4-6": { alias: "Opus" },
+        "lmstudio/minimax-m2.5-gs32": { alias: "Minimax" },
       },
     },
   },
@@ -42,8 +44,8 @@ x-i18n:
         api: "openai-responses",
         models: [
           {
-            id: "minimax-m2.1-gs32",
-            name: "MiniMax M2.1 GS32",
+            id: "minimax-m2.5-gs32",
+            name: "MiniMax M2.5 GS32",
             reasoning: false,
             input: ["text"],
             cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
@@ -59,15 +61,15 @@ x-i18n:
 
 **设置清单**
 
-- 安装 LM Studio：https://lmstudio.ai
-- 在 LM Studio 中，下载**可用的最大 MiniMax M2.1 构建**（避免"小型"/重度量化变体），启动服务器，确认 `http://127.0.0.1:1234/v1/models` 列出了它。
-- 保持模型加载；冷加载会增加启动延迟。
-- 如果你的 LM Studio 构建不同，调整 `contextWindow`/`maxTokens`。
-- 对于 WhatsApp，坚持使用 Responses API，这样只发送最终文本。
+- 安装 LM Studio：[https://lmstudio.ai](https://lmstudio.ai)
+- 在 LM Studio 中，下载**可用的最大 MiniMax M2.5 构建版本**（避免 “small” / 重度量化变体），启动服务器，并确认 `http://127.0.0.1:1234/v1/models` 中列出了它。
+- 保持模型处于已加载状态；冷加载会增加启动延迟。
+- 如果你的 LM Studio 构建不同，请调整 `contextWindow` / `maxTokens`。
+- 对于 WhatsApp，请坚持使用 Responses API，这样只会发送最终文本。
 
-即使运行本地模型也要保持托管模型的配置；使用 `models.mode: "merge"` 以便备用方案保持可用。
+即使在本地运行时，也要保留托管模型配置；使用 `models.mode: "merge"`，以便回退模型始终可用。
 
-### 混合配置：托管为主，本地备用
+### 混合配置：托管主模型，本地回退
 
 ```json5
 {
@@ -75,12 +77,12 @@ x-i18n:
     defaults: {
       model: {
         primary: "anthropic/claude-sonnet-4-5",
-        fallbacks: ["lmstudio/minimax-m2.1-gs32", "anthropic/claude-opus-4-5"],
+        fallbacks: ["lmstudio/minimax-m2.5-gs32", "anthropic/claude-opus-4-6"],
       },
       models: {
         "anthropic/claude-sonnet-4-5": { alias: "Sonnet" },
-        "lmstudio/minimax-m2.1-gs32": { alias: "MiniMax Local" },
-        "anthropic/claude-opus-4-5": { alias: "Opus" },
+        "lmstudio/minimax-m2.5-gs32": { alias: "MiniMax Local" },
+        "anthropic/claude-opus-4-6": { alias: "Opus" },
       },
     },
   },
@@ -93,8 +95,8 @@ x-i18n:
         api: "openai-responses",
         models: [
           {
-            id: "minimax-m2.1-gs32",
-            name: "MiniMax M2.1 GS32",
+            id: "minimax-m2.5-gs32",
+            name: "MiniMax M2.5 GS32",
             reasoning: false,
             input: ["text"],
             cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
@@ -108,18 +110,18 @@ x-i18n:
 }
 ```
 
-### 本地优先，托管作为安全网
+### 本地优先，并保留托管安全网
 
-交换主要和备用的顺序；保持相同的 providers 块和 `models.mode: "merge"`，这样当本地机器宕机时可以回退到 Sonnet 或 Opus。
+交换主模型与回退模型的顺序；保留相同的 providers 块和 `models.mode: "merge"`，这样当本地主机不可用时，你仍然可以回退到 Sonnet 或 Opus。
 
-### 区域托管/数据路由
+### 区域托管 / 数据路由
 
-- 托管的 MiniMax/Kimi/GLM 变体也存在于 OpenRouter 上，带有区域固定端点（例如，美国托管）。在那里选择区域变体以将流量保持在你选择的管辖区内，同时仍使用 `models.mode: "merge"` 作为 Anthropic/OpenAI 备用。
-- 纯本地仍然是最强的隐私路径；当你需要提供商功能但又想控制数据流时，托管区域路由是折中方案。
+- OpenRouter 上也提供托管版 MiniMax / Kimi / GLM 变体，并带有区域固定端点（例如托管在美国）。可以在那里选择区域变体，将流量保留在你选定的司法辖区内，同时继续使用 `models.mode: "merge"` 作为 Anthropic / OpenAI 回退。
+- 纯本地仍然是最强的隐私方案；当你需要提供商功能但又想控制数据流向时，托管区域路由是折中方案。
 
-## 其他 OpenAI 兼容本地代理
+## 其他兼容 OpenAI 的本地代理
 
-vLLM、LiteLLM、OAI-proxy 或自定义网关都可以工作，只要它们暴露 OpenAI 风格的 `/v1` 端点。用你的端点和模型 ID 替换上面的 provider 块：
+只要暴露兼容 OpenAI 风格的 `/v1` 端点，vLLM、LiteLLM、OAI-proxy 或自定义网关都可以工作。将上面的 provider 块替换为你的端点和模型 ID：
 
 ```json5
 {
@@ -147,11 +149,11 @@ vLLM、LiteLLM、OAI-proxy 或自定义网关都可以工作，只要它们暴
 }
 ```
 
-保持 `models.mode: "merge"` 以便托管模型作为备用保持可用。
+保留 `models.mode: "merge"`，这样托管模型仍可作为回退使用。
 
 ## 故障排除
 
-- Gateway 网关能访问代理吗？`curl http://127.0.0.1:1234/v1/models`。
-- LM Studio 模型卸载了？重新加载；冷启动是常见的"卡住"原因。
-- 上下文错误？降低 `contextWindow` 或提高服务器限制。
-- 安全：本地模型跳过提供商端过滤器；保持智能体范围窄并开启压缩以限制提示注入的影响范围。
+- Gateway 网关能连接到代理吗？`curl http://127.0.0.1:1234/v1/models`
+- LM Studio 模型已卸载？重新加载；冷启动是常见的“卡住”原因。
+- 上下文错误？降低 `contextWindow` 或提高你的服务器限制。
+- 安全性：本地模型会跳过提供商侧过滤；请保持智能体职责范围狭窄，并开启压缩，以限制提示注入的影响范围。
diff --git a/docs/zh-CN/gateway/multiple-gateways.md b/docs/zh-CN/gateway/multiple-gateways.md
index f6efb6bfea3..36123ff7269 100644
--- a/docs/zh-CN/gateway/multiple-gateways.md
+++ b/docs/zh-CN/gateway/multiple-gateways.md
@@ -1,35 +1,35 @@
 ---
 read_when:
   - 在同一台机器上运行多个 Gateway 网关
-  - 你需要每个 Gateway 网关有隔离的配置/状态/端口
-summary: 在同一主机上运行多个 OpenClaw Gateway 网关（隔离、端口和配置文件）
-title: 多 Gateway 网关
+  - 你需要为每个 Gateway 网关隔离配置/状态/端口
+summary: 在一台主机上运行多个 OpenClaw Gateway 网关（隔离、端口和配置档案）
+title: 多个 Gateway 网关
 x-i18n:
-  generated_at: "2026-02-03T07:48:13Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: 09b5035d4e5fb97c8d4596f7e23dea67224dad3b6d9e2c37ecb99840f28bd77d
+  generated_at: "2026-03-16T06:23:07Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 98c14bed7b7447481325d60ac379846ae379326400c4b0ed7f8d320ad8c50080
   source_path: gateway/multiple-gateways.md
   workflow: 15
 ---
 
-# 多 Gateway 网关（同一主机）
+# 多个 Gateway 网关（同一主机）
 
-大多数设置应该使用单个 Gateway 网关，因为一个 Gateway 网关可以处理多个消息连接和智能体。如果你需要更强的隔离或冗余（例如，救援机器人），请使用隔离的配置文件/端口运行多个 Gateway 网关。
+大多数设置应使用一个 Gateway 网关，因为单个 Gateway 网关可以处理多个消息连接和智能体。如果你需要更强的隔离或冗余（例如救援机器人），请运行使用隔离配置档案/端口的独立 Gateway 网关。
 
 ## 隔离检查清单（必需）
 
-- `OPENCLAW_CONFIG_PATH` — 每个实例的配置文件
-- `OPENCLAW_STATE_DIR` — 每个实例的会话、凭证、缓存
-- `agents.defaults.workspace` — 每个实例的工作区根目录
+- `OPENCLAW_CONFIG_PATH` — 每个实例单独的配置文件
+- `OPENCLAW_STATE_DIR` — 每个实例单独的会话、凭证、缓存
+- `agents.defaults.workspace` — 每个实例单独的工作区根目录
 - `gateway.port`（或 `--port`）— 每个实例唯一
-- 派生端口（浏览器/画布）不得重叠
+- 派生端口（browser/canvas）不得重叠
 
-如果这些是共享的，你将遇到配置竞争和端口冲突。
+如果这些被共享，你会遇到配置竞争和端口冲突。
 
-## 推荐：配置文件（`--profile`）
+## 推荐：配置档案（`--profile`）
 
-配置文件自动限定 `OPENCLAW_STATE_DIR` + `OPENCLAW_CONFIG_PATH` 范围并为服务名称添加后缀。
+配置档案会自动限定 `OPENCLAW_STATE_DIR` + `OPENCLAW_CONFIG_PATH`，并为服务名称添加后缀。
 
 ```bash
 # main
@@ -41,7 +41,7 @@ openclaw --profile rescue setup
 openclaw --profile rescue gateway --port 19001
 ```
 
-按配置文件的服务：
+每个配置档案的服务：
 
 ```bash
 openclaw --profile main gateway install
@@ -50,34 +50,34 @@ openclaw --profile rescue gateway install
 
 ## 救援机器人指南
 
-在同一主机上运行第二个 Gateway 网关，使用独立的：
+在同一主机上运行第二个 Gateway 网关，并为它单独设置：
 
-- 配置文件/配置
+- 配置档案/配置
 - 状态目录
 - 工作区
-- 基础端口（加上派生端口）
+- 基础端口（以及派生端口）
 
-这使救援机器人与主机器人隔离，以便在主机器人宕机时可以调试或应用配置更改。
+这样可以将救援机器人与主机器人隔离，因此当主机器人宕机时，它仍可用于调试或应用配置更改。
 
-端口间距：在基础端口之间至少留出 20 个端口，这样派生的浏览器/画布/CDP 端口永远不会冲突。
+端口间距：基础端口之间至少保留 20 个端口，以确保派生的 browser/canvas/CDP 端口永不冲突。
 
 ### 如何安装（救援机器人）
 
 ```bash
-# 主机器人（现有或新建，不带 --profile 参数）
+# Main bot（现有或全新，不带 --profile 参数）
 # 运行在端口 18789 + Chrome CDC/Canvas/... 端口
 openclaw onboard
 openclaw gateway install
 
-# 救援机器人（隔离的配置文件 + 端口）
+# Rescue bot（隔离的配置档案 + 端口）
 openclaw --profile rescue onboard
-# 注意：
-# - 工作区名称默认会添加 -rescue 后缀
-# - 端口应至少为 18789 + 20 个端口，
-#   最好选择完全不同的基础端口，如 19789，
-# - 其余的新手引导与正常相同
+# 说明：
+# - 工作区名称默认会追加 -rescue 后缀
+# - 端口至少应为 18789 + 20 个端口，
+#   最好选择完全不同的基础端口，例如 19789，
+# - 其余新手引导与正常情况相同
 
-# 安装服务（如果在新手引导期间没有自动完成）
+# 安装服务（如果设置期间未自动完成）
 openclaw --profile rescue gateway install
 ```
 
@@ -85,18 +85,18 @@ openclaw --profile rescue gateway install
 
 基础端口 = `gateway.port`（或 `OPENCLAW_GATEWAY_PORT` / `--port`）。
 
-- 浏览器控制服务端口 = 基础 + 2（仅 loopback）
-- `canvasHost.port = 基础 + 4`
-- 浏览器配置文件 CDP 端口从 `browser.controlPort + 9 .. + 108` 自动分配
+- browser 控制服务端口 = 基础端口 + 2（仅 loopback）
+- canvas host 由 Gateway 网关 HTTP 服务器提供（与 `gateway.port` 使用相同端口）
+- Browser profile CDP 端口会从 `browser.controlPort + 9 .. + 108` 自动分配
 
-如果你在配置或环境变量中覆盖了这些，必须确保每个实例都唯一。
+如果你在配置或环境变量中覆盖了其中任何一个，必须确保它们在每个实例之间保持唯一。
 
-## 浏览器/CDP 注意事项（常见陷阱）
+## Browser/CDP 说明（常见陷阱）
 
-- **不要**在多个实例上将 `browser.cdpUrl` 固定为相同的值。
-- 每个实例需要自己的浏览器控制端口和 CDP 范围（从其 Gateway 网关端口派生）。
-- 如果你需要显式的 CDP 端口，请为每个实例设置 `browser.profiles.<name>.cdpPort`。
-- 远程 Chrome：使用 `browser.profiles.<name>.cdpUrl`（每个配置文件，每个实例）。
+- **不要**在多个实例上将 `browser.cdpUrl` 固定为相同值。
+- 每个实例都需要自己的 browser 控制端口和 CDP 范围（从其 Gateway 网关端口派生）。
+- 如果你需要显式 CDP 端口，请为每个实例设置 `browser.profiles.<name>.cdpPort`。
+- 远程 Chrome：使用 `browser.profiles.<name>.cdpUrl`（按配置档案、按实例设置）。
 
 ## 手动环境变量示例
 
diff --git a/docs/zh-CN/help/faq.md b/docs/zh-CN/help/faq.md
index feb6aea4341..8543ea01f22 100644
--- a/docs/zh-CN/help/faq.md
+++ b/docs/zh-CN/help/faq.md
@@ -2,10 +2,10 @@
 summary: 关于 OpenClaw 安装、配置和使用的常见问题
 title: 常见问题
 x-i18n:
-  generated_at: "2026-03-16T01:39:16Z"
+  generated_at: "2026-03-16T06:52:18Z"
   model: claude-opus-4-5
   provider: pi
-  source_hash: 6e6a4a63fb73dca24dbe77928b51c6b2e5d51ec883fb36c64e2e40ef027050e9
+  source_hash: 94f7c6ea1024d5606379ce80d65a006b3acc12a963d57ca2333fcee3e5a31872
   source_path: help/faq.md
   workflow: 15
 ---
diff --git a/docs/zh-CN/install/exe-dev.md b/docs/zh-CN/install/exe-dev.md
index 14e576218f8..5e0028cce79 100644
--- a/docs/zh-CN/install/exe-dev.md
+++ b/docs/zh-CN/install/exe-dev.md
@@ -1,50 +1,51 @@
 ---
 read_when:
-  - 你想要一个便宜的常驻 Linux 主机来运行 Gateway 网关
-  - 你想要远程控制 UI 访问而无需运行自己的 VPS
+  - 你想为 Gateway 网关使用一台便宜且始终在线的 Linux 主机
+  - 你想在不自行运行 VPS 的情况下远程访问控制 UI
 summary: 在 exe.dev 上运行 OpenClaw Gateway 网关（VM + HTTPS 代理）以实现远程访问
 title: exe.dev
 x-i18n:
-  generated_at: "2026-02-03T07:51:36Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: 8d57ee7dd6029f0b778465c147092b824a0f1b0680af13032aaf116ff3d4d671
-  source_path: platforms/exe-dev.md
+  generated_at: "2026-03-16T06:23:23Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 3c90f57e37145333429328477a3e12306586aa53283127daec75e065dbb85e39
+  source_path: install/exe-dev.md
   workflow: 15
 ---
 
 # exe.dev
 
-目标：OpenClaw Gateway 网关运行在 exe.dev VM 上，可从你的笔记本电脑通过以下地址访问：`https://<vm-name>.exe.xyz`
+目标：让 OpenClaw Gateway 网关运行在 exe.dev VM 上，并且可通过你的笔记本电脑访问：`https://<vm-name>.exe.xyz`
 
-本页假设使用 exe.dev 的默认 **exeuntu** 镜像。如果你选择了不同的发行版，请相应地映射软件包。
+本页假设你使用的是 exe.dev 默认的 **exeuntu** 镜像。如果你选择了不同的发行版，请相应调整软件包。
 
-## 新手快速路径
+## 面向初学者的快速路径
 
 1. [https://exe.new/openclaw](https://exe.new/openclaw)
-2. 根据需要填写你的认证密钥/令牌
-3. 点击 VM 旁边的"Agent"，然后等待...
+2. 根据需要填写你的身份验证密钥/令牌
+3. 点击你的 VM 旁边的 “Agent”，然后等待……
 4. ???
-5. 完成
+5. 成功
 
-## 你需要什么
+## 你需要准备的内容
 
 - exe.dev 账户
-- `ssh exe.dev` 访问 [exe.dev](https://exe.dev) 虚拟机（可选）
+- 对 [exe.dev](https://exe.dev) 虚拟机的 `ssh exe.dev` 访问权限（可选）
 
 ## 使用 Shelley 自动安装
 
-Shelley，[exe.dev](https://exe.dev) 的智能体，可以使用我们的提示立即安装 OpenClaw。使用的提示如下：
+Shelley 是 [exe.dev](https://exe.dev) 的智能体，可以使用我们的提示词立即安装 OpenClaw。
+使用的提示词如下：
 
 ```
-Set up OpenClaw (https://docs.openclaw.ai/install) on this VM. Use the non-interactive and accept-risk flags for openclaw onboarding. Add the supplied auth or token as needed. Configure nginx to forward from the default port 18789 to the root location on the default enabled site config, making sure to enable Websocket support. Pairing is done by "openclaw devices list" and "openclaw device approve <request id>". Make sure the dashboard shows that OpenClaw's health is OK. exe.dev handles forwarding from port 8000 to port 80/443 and HTTPS for us, so the final "reachable" should be <vm-name>.exe.xyz, without port specification.
+Set up OpenClaw (https://docs.openclaw.ai/install) on this VM. Use the non-interactive and accept-risk flags for openclaw onboarding. Add the supplied auth or token as needed. Configure nginx to forward from the default port 18789 to the root location on the default enabled site config, making sure to enable Websocket support. Pairing is done by "openclaw devices list" and "openclaw devices approve <request id>". Make sure the dashboard shows that OpenClaw's health is OK. exe.dev handles forwarding from port 8000 to port 80/443 and HTTPS for us, so the final "reachable" should be <vm-name>.exe.xyz, without port specification.
 ```
 
 ## 手动安装
 
-## 1) 创建 VM
+## 1）创建 VM
 
-从你的设备：
+在你的设备上运行：
 
 ```bash
 ssh exe.dev new
@@ -56,16 +57,16 @@ ssh exe.dev new
 ssh <vm-name>.exe.xyz
 ```
 
-提示：保持此 VM **有状态**。OpenClaw 在 `~/.openclaw/` 和 `~/.openclaw/workspace/` 下存储状态。
+提示：请让这个 VM 保持**有状态**。OpenClaw 会将状态存储在 `~/.openclaw/` 和 `~/.openclaw/workspace/` 下。
 
-## 2) 安装先决条件（在 VM 上）
+## 2）安装前置依赖（在 VM 上）
 
 ```bash
 sudo apt-get update
 sudo apt-get install -y git curl jq ca-certificates openssl
 ```
 
-## 3) 安装 OpenClaw
+## 3）安装 OpenClaw
 
 运行 OpenClaw 安装脚本：
 
@@ -73,9 +74,9 @@ sudo apt-get install -y git curl jq ca-certificates openssl
 curl -fsSL https://openclaw.ai/install.sh | bash
 ```
 
-## 4) 设置 nginx 将 OpenClaw 代理到端口 8000
+## 4）设置 nginx，将 OpenClaw 代理到端口 8000
 
-编辑 `/etc/nginx/sites-enabled/default`：
+编辑 `/etc/nginx/sites-enabled/default`，内容如下：
 
 ```
 server {
@@ -90,30 +91,35 @@ server {
         proxy_pass http://127.0.0.1:18789;
         proxy_http_version 1.1;
 
-        # WebSocket 支持
+        # WebSocket support
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection "upgrade";
 
-        # 标准代理头
+        # Standard proxy headers
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
 
-        # 长连接超时设置
+        # Timeout settings for long-lived connections
         proxy_read_timeout 86400s;
         proxy_send_timeout 86400s;
     }
 }
 ```
 
-## 5) 访问 OpenClaw 并授予权限
+## 5）访问 OpenClaw 并授予权限
 
-访问 `https://<vm-name>.exe.xyz/?token=YOUR-TOKEN-FROM-TERMINAL`（参阅新手引导中的控制 UI 输出）。使用 `openclaw devices list` 和 `openclaw devices approve <requestId>` 批准设备。如有疑问，从浏览器使用 Shelley！
+访问 `https://<vm-name>.exe.xyz/`（请查看新手引导输出中的控制 UI）。如果提示进行身份验证，请粘贴 VM 上的
+`gateway.auth.token` 中的令牌（可通过 `openclaw config get gateway.auth.token` 获取，或使用
+`openclaw doctor --generate-gateway-token` 生成）。使用 `openclaw devices list` 和
+`openclaw devices approve <requestId>` 批准设备。如果拿不准，请在浏览器中使用 Shelley！
 
 ## 远程访问
 
-远程访问由 [exe.dev](https://exe.dev) 的认证处理。默认情况下，来自端口 8000 的 HTTP 流量通过电子邮件认证转发到 `https://<vm-name>.exe.xyz`。
+远程访问由 [exe.dev](https://exe.dev) 的身份验证处理。默认情况下，
+来自端口 8000 的 HTTP 流量会被转发到 `https://<vm-name>.exe.xyz`，
+并使用电子邮件身份验证。
 
 ## 更新
 
@@ -124,4 +130,4 @@ openclaw gateway restart
 openclaw health
 ```
 
-指南：[更新](/install/updating)
+指南：[Updating](/install/updating)
diff --git a/docs/zh-CN/install/index.md b/docs/zh-CN/install/index.md
index b008633b8dd..701256cb62e 100644
--- a/docs/zh-CN/install/index.md
+++ b/docs/zh-CN/install/index.md
@@ -1,170 +1,204 @@
 ---
 read_when:
-  - 安装 OpenClaw
-  - 你想从 GitHub 安装
-summary: 安装 OpenClaw（推荐安装器、全局安装或从源代码安装）
+  - 你需要一种不同于“入门指南”快速开始的安装方式
+  - 你想部署到云平台
+  - 你需要更新、迁移或卸载
+summary: 安装 OpenClaw —— 安装脚本、npm/pnpm、从源码、Docker 等
 title: 安装
 x-i18n:
-  generated_at: "2026-02-03T10:07:43Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: b26f48c116c26c163ee0090fb4c3e29622951bd427ecaeccba7641d97cfdf17a
+  generated_at: "2026-03-16T06:23:36Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 14b80b6176b2a4ff5c60aad2db88460d8d980bd416faaa3103b38d90521496af
   source_path: install/index.md
   workflow: 15
 ---
 
 # 安装
 
-除非有特殊原因，否则请使用安装器。它会设置 CLI 并运行新手引导。
-
-## 快速安装（推荐）
-
-```bash
-curl -fsSL https://openclaw.ai/install.sh | bash
-```
-
-Windows（PowerShell）：
-
-```powershell
-iwr -useb https://openclaw.ai/install.ps1 | iex
-```
-
-下一步（如果你跳过了新手引导）：
-
-```bash
-openclaw onboard --install-daemon
-```
+已经按照 [入门指南](/start/getting-started) 操作过了吗？那你已经准备好了 —— 本页适用于其他安装方法、特定平台说明以及维护操作。
 
 ## 系统要求
 
-- **Node >=22**
-- macOS、Linux 或通过 WSL2 的 Windows
-- `pnpm` 仅在从源代码构建时需要
+- **[Node 24（推荐）](/install/node)**（出于兼容性考虑，仍支持 Node 22 LTS，目前为 `22.16+`；如果缺失，[安装脚本](#install-methods) 会安装 Node 24）
+- macOS、Linux 或 Windows
+- 仅当你从源码构建时需要 `pnpm`
 
-## 选择安装路径
+<Note>
+在 Windows 上，我们强烈建议你在 [WSL2](https://learn.microsoft.com/en-us/windows/wsl/install) 下运行 OpenClaw。
+</Note>
 
-### 1）安装器脚本（推荐）
+## 安装方法
 
-通过 npm 全局安装 `openclaw` 并运行新手引导。
+<Tip>
+**安装脚本** 是安装 OpenClaw 的推荐方式。它会一步完成 Node 检测、安装和新手引导。
+</Tip>
 
-```bash
-curl -fsSL https://openclaw.ai/install.sh | bash
-```
+<Warning>
+对于 VPS/云主机，尽量避免使用第三方“一键式”市场镜像。优先选择干净的基础 OS 镜像（例如 Ubuntu LTS），然后使用安装脚本自行安装 OpenClaw。
+</Warning>
 
-安装器标志：
+<AccordionGroup>
+  <Accordion title="安装脚本" icon="rocket" defaultOpen>
+    下载 CLI，通过 npm 全局安装，并启动设置向导。
 
-```bash
-curl -fsSL https://openclaw.ai/install.sh | bash -s -- --help
-```
+    <Tabs>
+      <Tab title="macOS / Linux / WSL2">
+        ```bash
+        curl -fsSL https://openclaw.ai/install.sh | bash
+        ```
+      </Tab>
+      <Tab title="Windows (PowerShell)">
+        ```powershell
+        iwr -useb https://openclaw.ai/install.ps1 | iex
+        ```
+      </Tab>
+    </Tabs>
 
-详情：[安装器内部原理](/install/installer)。
+    就这样 —— 脚本会处理 Node 检测、安装和新手引导。
 
-非交互式（跳过新手引导）：
+    如果要跳过新手引导，只安装二进制文件：
 
-```bash
-curl -fsSL https://openclaw.ai/install.sh | bash -s -- --no-onboard
-```
+    <Tabs>
+      <Tab title="macOS / Linux / WSL2">
+        ```bash
+        curl -fsSL https://openclaw.ai/install.sh | bash -s -- --no-onboard
+        ```
+      </Tab>
+      <Tab title="Windows (PowerShell)">
+        ```powershell
+        & ([scriptblock]::Create((iwr -useb https://openclaw.ai/install.ps1))) -NoOnboard
+        ```
+      </Tab>
+    </Tabs>
 
-### 2）全局安装（手动）
+    所有标志、环境变量以及 CI/自动化选项，请参阅 [Installer internals](/install/installer)。
 
-如果你已经有 Node：
+  </Accordion>
 
-```bash
-npm install -g openclaw@latest
-```
+  <Accordion title="npm / pnpm" icon="package">
+    如果你已经自行管理 Node，我们推荐使用 Node 24。出于兼容性考虑，OpenClaw 仍支持 Node 22 LTS，目前为 `22.16+`：
 
-如果你全局安装了 libvips（macOS 上通过 Homebrew 安装很常见）且 `sharp` 安装失败，请强制使用预构建二进制文件：
+    <Tabs>
+      <Tab title="npm">
+        ```bash
+        npm install -g openclaw@latest
+        openclaw onboard --install-daemon
+        ```
 
-```bash
-SHARP_IGNORE_GLOBAL_LIBVIPS=1 npm install -g openclaw@latest
-```
+        <Accordion title="sharp 构建错误？">
+          如果你全局安装了 libvips（在 macOS 上通过 Homebrew 很常见），并且 `sharp` 失败，请强制使用预构建二进制文件：
 
-如果你看到 `sharp: Please add node-gyp to your dependencies`，要么安装构建工具（macOS：Xcode CLT + `npm install -g node-gyp`），要么使用上面的 `SHARP_IGNORE_GLOBAL_LIBVIPS=1` 变通方法来跳过原生构建。
+          ```bash
+          SHARP_IGNORE_GLOBAL_LIBVIPS=1 npm install -g openclaw@latest
+          ```
 
-或使用 pnpm：
+          如果你看到 `sharp: Please add node-gyp to your dependencies`，请安装构建工具链（macOS：Xcode CLT + `npm install -g node-gyp`），或者使用上面的环境变量。
+        </Accordion>
+      </Tab>
+      <Tab title="pnpm">
+        ```bash
+        pnpm add -g openclaw@latest
+        pnpm approve-builds -g        # 批准 openclaw、node-llama-cpp、sharp 等
+        openclaw onboard --install-daemon
+        ```
 
-```bash
-pnpm add -g openclaw@latest
-pnpm approve-builds -g                # 批准 openclaw、node-llama-cpp、sharp 等
-pnpm add -g openclaw@latest           # 重新运行以执行 postinstall 脚本
-```
+        <Note>
+        `pnpm` 要求对带有构建脚本的包进行显式批准。首次安装出现 “Ignored build scripts” 警告后，运行 `pnpm approve-builds -g` 并选择列出的包。
+        </Note>
+      </Tab>
+    </Tabs>
 
-pnpm 需要显式批准带有构建脚本的包。在首次安装显示"Ignored build scripts"警告后，运行 `pnpm approve-builds -g` 并选择列出的包，然后重新运行安装以执行 postinstall 脚本。
+    想通过包管理器安装当前 GitHub `main` 分支最新版本？
 
-然后：
+    ```bash
+    npm install -g github:openclaw/openclaw#main
+    ```
 
-```bash
-openclaw onboard --install-daemon
-```
+    ```bash
+    pnpm add -g github:openclaw/openclaw#main
+    ```
 
-### 3）从源代码（贡献者/开发）
+  </Accordion>
 
-```bash
-git clone https://github.com/openclaw/openclaw.git
-cd openclaw
-pnpm install
-pnpm ui:build # 首次运行时自动安装 UI 依赖
-pnpm build
-openclaw onboard --install-daemon
-```
+  <Accordion title="从源码" icon="github">
+    适用于贡献者或任何想从本地检出运行的人。
 
-提示：如果你还没有全局安装，请通过 `pnpm openclaw ...` 运行仓库命令。
+    <Steps>
+      <Step title="克隆并构建">
+        克隆 [OpenClaw 仓库](https://github.com/openclaw/openclaw) 并构建：
 
-### 4）其他安装选项
+        ```bash
+        git clone https://github.com/openclaw/openclaw.git
+        cd openclaw
+        pnpm install
+        pnpm ui:build
+        pnpm build
+        ```
+      </Step>
+      <Step title="链接 CLI">
+        让 `openclaw` 命令在全局可用：
 
-- Docker：[Docker](/install/docker)
-- Nix：[Nix](/install/nix)
-- Ansible：[Ansible](/install/ansible)
-- Bun（仅 CLI）：[Bun](/install/bun)
+        ```bash
+        pnpm link --global
+        ```
+
+        或者，你也可以跳过链接，直接在仓库内通过 `pnpm openclaw ...` 运行命令。
+      </Step>
+      <Step title="运行新手引导">
+        ```bash
+        openclaw onboard --install-daemon
+        ```
+      </Step>
+    </Steps>
+
+    更深入的开发工作流请参阅 [Setup](/start/setup)。
+
+  </Accordion>
+</AccordionGroup>
+
+## 其他安装方法
+
+<CardGroup cols={2}>
+  <Card title="Docker" href="/install/docker" icon="container">
+    容器化或无头部署。
+  </Card>
+  <Card title="Podman" href="/install/podman" icon="container">
+    无 root 容器：先运行一次 `setup-podman.sh`，然后运行启动脚本。
+  </Card>
+  <Card title="Nix" href="/install/nix" icon="snowflake">
+    通过 Nix 进行声明式安装。
+  </Card>
+  <Card title="Ansible" href="/install/ansible" icon="server">
+    自动化批量配置。
+  </Card>
+  <Card title="Bun" href="/install/bun" icon="zap">
+    通过 Bun 运行时进行仅 CLI 使用。
+  </Card>
+</CardGroup>
 
 ## 安装后
 
-- 运行新手引导：`openclaw onboard --install-daemon`
-- 快速检查：`openclaw doctor`
-- 检查 Gateway 网关健康状态：`openclaw status` + `openclaw health`
-- 打开仪表板：`openclaw dashboard`
-
-## 安装方式：npm vs git（安装器）
-
-安装器支持两种方式：
-
-- `npm`（默认）：`npm install -g openclaw@latest`
-- `git`：从 GitHub 克隆/构建并从源代码 checkout 运行
-
-### CLI 标志
+验证一切是否正常工作：
 
 ```bash
-# 显式 npm
-curl -fsSL https://openclaw.ai/install.sh | bash -s -- --install-method npm
-
-# 从 GitHub 安装（源代码 checkout）
-curl -fsSL https://openclaw.ai/install.sh | bash -s -- --install-method git
+openclaw doctor         # 检查配置问题
+openclaw status         # Gateway 网关状态
+openclaw dashboard      # 打开浏览器 UI
 ```
 
-常用标志：
+如果你需要自定义运行时路径，请使用：
 
-- `--install-method npm|git`
-- `--git-dir <path>`（默认：`~/openclaw`）
-- `--no-git-update`（使用现有 checkout 时跳过 `git pull`）
-- `--no-prompt`（禁用提示；CI/自动化中必需）
-- `--dry-run`（打印将要执行的操作；不做任何更改）
-- `--no-onboard`（跳过新手引导）
+- `OPENCLAW_HOME` 用于基于主目录的内部路径
+- `OPENCLAW_STATE_DIR` 用于可变状态位置
+- `OPENCLAW_CONFIG_PATH` 用于配置文件位置
 
-### 环境变量
+有关优先级和完整细节，请参阅 [Environment vars](/help/environment)。
 
-等效的环境变量（对自动化有用）：
+## 故障排除：找不到 `openclaw`
 
-- `OPENCLAW_INSTALL_METHOD=git|npm`
-- `OPENCLAW_GIT_DIR=...`
-- `OPENCLAW_GIT_UPDATE=0|1`
-- `OPENCLAW_NO_PROMPT=1`
-- `OPENCLAW_DRY_RUN=1`
-- `OPENCLAW_NO_ONBOARD=1`
-- `SHARP_IGNORE_GLOBAL_LIBVIPS=0|1`（默认：`1`；避免 `sharp` 针对系统 libvips 构建）
-
-## 故障排除：找不到 `openclaw`（PATH）
-
-快速诊断：
+<Accordion title="PATH 诊断与修复">
+  快速诊断：
 
 ```bash
 node -v
@@ -173,21 +207,29 @@ npm prefix -g
 echo "$PATH"
 ```
 
-如果 `$(npm prefix -g)/bin`（macOS/Linux）或 `$(npm prefix -g)`（Windows）**不**在 `echo "$PATH"` 的输出中，你的 shell 无法找到全局 npm 二进制文件（包括 `openclaw`）。
+如果 `$(npm prefix -g)/bin`（macOS/Linux）或 `$(npm prefix -g)`（Windows）**不在**你的 `$PATH` 中，那么你的 shell 就找不到全局 npm 二进制文件（包括 `openclaw`）。
 
-修复：将其添加到你的 shell 启动文件（zsh：`~/.zshrc`，bash：`~/.bashrc`）：
+修复方法 —— 将其添加到你的 shell 启动文件（`~/.zshrc` 或 `~/.bashrc`）中：
 
 ```bash
-# macOS / Linux
 export PATH="$(npm prefix -g)/bin:$PATH"
 ```
 
-在 Windows 上，将 `npm prefix -g` 的输出添加到你的 PATH。
+在 Windows 上，将 `npm prefix -g` 的输出添加到你的 PATH 中。
 
-然后打开新终端（或在 zsh 中执行 `rehash` / 在 bash 中执行 `hash -r`）。
+然后打开一个新的终端（或者在 zsh 中运行 `rehash`，在 bash 中运行 `hash -r`）。
+</Accordion>
 
-## 更新/卸载
+## 更新 / 卸载
 
-- 更新：[更新](/install/updating)
-- 迁移到新机器：[迁移](/install/migrating)
-- 卸载：[卸载](/install/uninstall)
+<CardGroup cols={3}>
+  <Card title="更新" href="/install/updating" icon="refresh-cw">
+    让 OpenClaw 保持最新。
+  </Card>
+  <Card title="迁移" href="/install/migrating" icon="arrow-right">
+    迁移到新机器。
+  </Card>
+  <Card title="卸载" href="/install/uninstall" icon="trash-2">
+    完全移除 OpenClaw。
+  </Card>
+</CardGroup>
diff --git a/docs/zh-CN/install/installer.md b/docs/zh-CN/install/installer.md
index bdfe14e49e8..76ef469b3e5 100644
--- a/docs/zh-CN/install/installer.md
+++ b/docs/zh-CN/install/installer.md
@@ -1,128 +1,422 @@
 ---
 read_when:
-  - 你想了解 `openclaw.ai/install.sh` 的工作机制
-  - 你想自动化安装（CI / 无头环境）
+  - 你想了解 `openclaw.ai/install.sh`
+  - 你想自动化安装（CI / 无头）
   - 你想从 GitHub 检出安装
-summary: 安装器脚本的工作原理（install.sh + install-cli.sh）、参数和自动化
+summary: 安装脚本的工作原理（install.sh、install-cli.sh、install.ps1）、标志和自动化
 title: 安装器内部机制
 x-i18n:
-  generated_at: "2026-02-01T21:07:55Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: 9e0a19ecb5da0a395030e1ccf0d4bedf16b83946b3432c5399d448fe5d298391
+  generated_at: "2026-03-16T06:24:11Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: e389fa04140ecc98b7e83330d0d467165b23bd22e31807bbd36963c87394ddc4
   source_path: install/installer.md
-  workflow: 14
+  workflow: 15
 ---
 
 # 安装器内部机制
 
-OpenClaw 提供两个安装器脚本（托管在 `openclaw.ai`）：
+OpenClaw 提供三个安装脚本，由 `openclaw.ai` 提供。
 
-- `https://openclaw.ai/install.sh` — "推荐"安装器（默认全局 npm 安装；也可从 GitHub 检出安装）
-- `https://openclaw.ai/install-cli.sh` — 无需 root 权限的 CLI 安装器（安装到带有独立 Node 的前缀目录）
-- `https://openclaw.ai/install.ps1` — Windows PowerShell 安装器（默认 npm；可选 git 安装）
+| 脚本                               | 平台                  | 功能                                                                          |
+| ---------------------------------- | --------------------- | ----------------------------------------------------------------------------- |
+| [`install.sh`](#installsh)         | macOS / Linux / WSL   | 如有需要则安装 Node，通过 npm（默认）或 git 安装 OpenClaw，并可运行新手引导。 |
+| [`install-cli.sh`](#install-clish) | macOS / Linux / WSL   | 将 Node + OpenClaw 安装到本地前缀（`~/.openclaw`）中。无需 root。             |
+| [`install.ps1`](#installps1)       | Windows（PowerShell） | 如有需要则安装 Node，通过 npm（默认）或 git 安装 OpenClaw，并可运行新手引导。 |
 
-查看当前参数/行为，运行：
+## 快速命令
 
-```bash
-curl -fsSL https://openclaw.ai/install.sh | bash -s -- --help
-```
+<Tabs>
+  <Tab title="install.sh">
+    ```bash
+    curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install.sh | bash
+    ```
 
-Windows (PowerShell) 帮助：
+    ```bash
+    curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install.sh | bash -s -- --help
+    ```
 
-```powershell
-& ([scriptblock]::Create((iwr -useb https://openclaw.ai/install.ps1))) -?
-```
+  </Tab>
+  <Tab title="install-cli.sh">
+    ```bash
+    curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install-cli.sh | bash
+    ```
 
-如果安装器完成但在新终端中找不到 `openclaw`，通常是 Node/npm PATH 问题。参见：[安装](/install#nodejs--npm-path-sanity)。
+    ```bash
+    curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install-cli.sh | bash -s -- --help
+    ```
 
-## install.sh（推荐）
+  </Tab>
+  <Tab title="install.ps1">
+    ```powershell
+    iwr -useb https://openclaw.ai/install.ps1 | iex
+    ```
 
-功能概述：
+    ```powershell
+    & ([scriptblock]::Create((iwr -useb https://openclaw.ai/install.ps1))) -Tag beta -NoOnboard -DryRun
+    ```
 
-- 检测操作系统（macOS / Linux / WSL）。
-- 确保 Node.js **22+**（macOS 通过 Homebrew；Linux 通过 NodeSource）。
-- 选择安装方式：
-  - `npm`（默认）：`npm install -g openclaw@latest`
-  - `git`：克隆/构建源码检出并安装包装脚本
-- 在 Linux 上：必要时将 npm 前缀切换到 `~/.npm-global`，以避免全局 npm 权限错误。
-- 如果是升级现有安装：运行 `openclaw doctor --non-interactive`（尽力执行）。
-- 对于 git 安装：安装/更新后运行 `openclaw doctor --non-interactive`（尽力执行）。
-- 通过默认设置 `SHARP_IGNORE_GLOBAL_LIBVIPS=1` 来缓解 `sharp` 原生安装问题（避免使用系统 libvips 编译）。
+  </Tab>
+</Tabs>
 
-如果你*希望* `sharp` 链接到全局安装的 libvips（或你正在调试），请设置：
+<Note>
+如果安装成功但在新终端中找不到 `openclaw`，请参见 [Node.js 故障排除](/install/node#troubleshooting)。
+</Note>
 
-```bash
-SHARP_IGNORE_GLOBAL_LIBVIPS=0 curl -fsSL https://openclaw.ai/install.sh | bash
-```
+---
 
-### 可发现性 / "git 安装"提示
+## install.sh
 
-如果你在**已有的 OpenClaw 源码检出目录中**运行安装器（通过 `package.json` + `pnpm-workspace.yaml` 检测），它会提示：
+<Tip>
+推荐用于大多数 macOS/Linux/WSL 上的交互式安装。
+</Tip>
 
-- 更新并使用此检出（`git`）
-- 或迁移到全局 npm 安装（`npm`）
+### 流程（install.sh）
 
-在非交互式上下文中（无 TTY / `--no-prompt`），你必须传入 `--install-method git|npm`（或设置 `OPENCLAW_INSTALL_METHOD`），否则脚本将以退出码 `2` 退出。
+<Steps>
+  <Step title="检测操作系统">
+    支持 macOS 和 Linux（包括 WSL）。如果检测到 macOS，则会在缺少 Homebrew 时安装它。
+  </Step>
+  <Step title="默认确保使用 Node.js 24">
+    检查 Node 版本，并在需要时安装 Node 24（macOS 上使用 Homebrew，Linux apt/dnf/yum 上使用 NodeSource 设置脚本）。为了兼容性，OpenClaw 仍支持 Node 22 LTS，目前为 `22.16+`。
+  </Step>
+  <Step title="确保安装 Git">
+    如果缺少 Git，则安装它。
+  </Step>
+  <Step title="安装 OpenClaw">
+    - `npm` 方法（默认）：全局 npm 安装
+    - `git` 方法：克隆/更新仓库，使用 pnpm 安装依赖，构建，然后将包装器安装到 `~/.local/bin/openclaw`
+  </Step>
+  <Step title="安装后任务">
+    - 在升级和 git 安装时运行 `openclaw doctor --non-interactive`（尽力而为）
+    - 在适当情况下尝试运行新手引导（有 TTY、未禁用新手引导，并且 bootstrap/配置检查通过）
+    - 默认设置 `SHARP_IGNORE_GLOBAL_LIBVIPS=1`
+  </Step>
+</Steps>
 
-### 为什么需要 Git
+### 源码检出检测
 
-`--install-method git` 路径（克隆 / 拉取）需要 Git。
+如果在 OpenClaw 检出目录中运行（`package.json` + `pnpm-workspace.yaml`），脚本会提供：
 
-对于 `npm` 安装，Git *通常*不是必需的，但某些环境仍然需要它（例如通过 git URL 获取软件包或依赖时）。安装器目前会确保 Git 存在，以避免在全新发行版上出现 `spawn git ENOENT` 错误。
+- 使用检出目录（`git`），或
+- 使用全局安装（`npm`）
 
-### 为什么在全新 Linux 上 npm 会报 `EACCES`
+如果没有可用 TTY 且未设置安装方法，它将默认使用 `npm` 并发出警告。
 
-在某些 Linux 设置中（尤其是通过系统包管理器或 NodeSource 安装 Node 后），npm 的全局前缀指向 root 拥有的位置。此时 `npm install -g ...` 会报 `EACCES` / `mkdir` 权限错误。
+对于无效的方法选择或无效的 `--install-method` 值，脚本会以退出码 `2` 退出。
 
-`install.sh` 通过将前缀切换到以下位置来缓解此问题：
+### 示例（install.sh）
 
-- `~/.npm-global`（并在存在时将其添加到 `~/.bashrc` / `~/.zshrc` 的 `PATH` 中）
+<Tabs>
+  <Tab title="默认">
+    ```bash
+    curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install.sh | bash
+    ```
+  </Tab>
+  <Tab title="跳过新手引导">
+    ```bash
+    curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install.sh | bash -s -- --no-onboard
+    ```
+  </Tab>
+  <Tab title="Git 安装">
+    ```bash
+    curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install.sh | bash -s -- --install-method git
+    ```
+  </Tab>
+  <Tab title="通过 npm 安装 GitHub main">
+    ```bash
+    curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install.sh | bash -s -- --version main
+    ```
+  </Tab>
+  <Tab title="试运行">
+    ```bash
+    curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install.sh | bash -s -- --dry-run
+    ```
+  </Tab>
+</Tabs>
 
-## install-cli.sh（无需 root 权限的 CLI 安装器）
+<AccordionGroup>
+  <Accordion title="标志参考">
 
-此脚本将 `openclaw` 安装到前缀目录（默认：`~/.openclaw`），同时在该前缀下安装专用的 Node 运行时，因此可以在不想改动系统 Node/npm 的机器上使用。
+| 标志                                  | 说明                                              |
+| ------------------------------------- | ------------------------------------------------- |
+| `--install-method npm\|git`           | 选择安装方法（默认：`npm`）。别名：`--method`     |
+| `--npm`                               | npm 方法快捷方式                                  |
+| `--git`                               | git 方法快捷方式。别名：`--github`                |
+| `--version <version\|dist-tag\|spec>` | npm 版本、dist-tag 或包规范（默认：`latest`）     |
+| `--beta`                              | 如有可用则使用 beta dist-tag，否则回退到 `latest` |
+| `--git-dir <path>`                    | 检出目录（默认：`~/openclaw`）。别名：`--dir`     |
+| `--no-git-update`                     | 对现有检出跳过 `git pull`                         |
+| `--no-prompt`                         | 禁用提示                                          |
+| `--no-onboard`                        | 跳过新手引导                                      |
+| `--onboard`                           | 启用新手引导                                      |
+| `--dry-run`                           | 打印操作但不应用更改                              |
+| `--verbose`                           | 启用调试输出（`set -x`、npm notice 级别日志）     |
+| `--help`                              | 显示用法（`-h`）                                  |
 
-帮助：
+  </Accordion>
 
-```bash
-curl -fsSL https://openclaw.ai/install-cli.sh | bash -s -- --help
-```
+  <Accordion title="环境变量参考">
 
-## install.ps1（Windows PowerShell）
+| 变量                                                    | 说明                                 |
+| ------------------------------------------------------- | ------------------------------------ |
+| `OPENCLAW_INSTALL_METHOD=git\|npm`                      | 安装方法                             |
+| `OPENCLAW_VERSION=latest\|next\|main\|<semver>\|<spec>` | npm 版本、dist-tag 或包规范          |
+| `OPENCLAW_BETA=0\|1`                                    | 如有可用则使用 beta                  |
+| `OPENCLAW_GIT_DIR=<path>`                               | 检出目录                             |
+| `OPENCLAW_GIT_UPDATE=0\|1`                              | 切换 git 更新                        |
+| `OPENCLAW_NO_PROMPT=1`                                  | 禁用提示                             |
+| `OPENCLAW_NO_ONBOARD=1`                                 | 跳过新手引导                         |
+| `OPENCLAW_DRY_RUN=1`                                    | 试运行模式                           |
+| `OPENCLAW_VERBOSE=1`                                    | 调试模式                             |
+| `OPENCLAW_NPM_LOGLEVEL=error\|warn\|notice`             | npm 日志级别                         |
+| `SHARP_IGNORE_GLOBAL_LIBVIPS=0\|1`                      | 控制 sharp/libvips 行为（默认：`1`） |
 
-功能概述：
+  </Accordion>
+</AccordionGroup>
 
-- 确保 Node.js **22+**（winget/Chocolatey/Scoop 或手动安装）。
-- 选择安装方式：
-  - `npm`（默认）：`npm install -g openclaw@latest`
-  - `git`：克隆/构建源码检出并安装包装脚本
-- 在升级和 git 安装时运行 `openclaw doctor --non-interactive`（尽力执行）。
+---
 
-示例：
+## install-cli.sh
 
-```powershell
-iwr -useb https://openclaw.ai/install.ps1 | iex
-```
+<Info>
+适用于你希望所有内容都放在本地前缀（默认 `~/.openclaw`）下，并且不依赖系统 Node 的环境。
+</Info>
 
-```powershell
-iwr -useb https://openclaw.ai/install.ps1 | iex -InstallMethod git
-```
+### 流程（install-cli.sh）
 
-```powershell
-iwr -useb https://openclaw.ai/install.ps1 | iex -InstallMethod git -GitDir "C:\\openclaw"
-```
+<Steps>
+  <Step title="安装本地 Node 运行时">
+    将固定的受支持 Node tarball（当前默认 `22.22.0`）下载到 `<prefix>/tools/node-v<version>`，并验证 SHA-256。
+  </Step>
+  <Step title="确保安装 Git">
+    如果缺少 Git，则尝试在 Linux 上通过 apt/dnf/yum 安装，或在 macOS 上通过 Homebrew 安装。
+  </Step>
+  <Step title="在前缀下安装 OpenClaw">
+    使用 `--prefix <prefix>` 通过 npm 安装，然后将包装器写入 `<prefix>/bin/openclaw`。
+  </Step>
+</Steps>
 
-环境变量：
+### 示例（install-cli.sh）
 
-- `OPENCLAW_INSTALL_METHOD=git|npm`
-- `OPENCLAW_GIT_DIR=...`
+<Tabs>
+  <Tab title="默认">
+    ```bash
+    curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install-cli.sh | bash
+    ```
+  </Tab>
+  <Tab title="自定义前缀 + 版本">
+    ```bash
+    curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install-cli.sh | bash -s -- --prefix /opt/openclaw --version latest
+    ```
+  </Tab>
+  <Tab title="自动化 JSON 输出">
+    ```bash
+    curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install-cli.sh | bash -s -- --json --prefix /opt/openclaw
+    ```
+  </Tab>
+  <Tab title="运行新手引导">
+    ```bash
+    curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install-cli.sh | bash -s -- --onboard
+    ```
+  </Tab>
+</Tabs>
 
-Git 要求：
+<AccordionGroup>
+  <Accordion title="标志参考">
 
-如果你选择 `-InstallMethod git` 但未安装 Git，安装器会打印 Git for Windows 的链接（`https://git-scm.com/download/win`）并退出。
+| 标志                   | 说明                                                                   |
+| ---------------------- | ---------------------------------------------------------------------- |
+| `--prefix <path>`      | 安装前缀（默认：`~/.openclaw`）                                        |
+| `--version <ver>`      | OpenClaw 版本或 dist-tag（默认：`latest`）                             |
+| `--node-version <ver>` | Node 版本（默认：`22.22.0`）                                           |
+| `--json`               | 输出 NDJSON 事件                                                       |
+| `--onboard`            | 安装后运行 `openclaw onboard`                                          |
+| `--no-onboard`         | 跳过新手引导（默认）                                                   |
+| `--set-npm-prefix`     | 在 Linux 上，如果当前前缀不可写，则强制将 npm 前缀设为 `~/.npm-global` |
+| `--help`               | 显示用法（`-h`）                                                       |
 
-常见 Windows 问题：
+  </Accordion>
 
-- **npm error spawn git / ENOENT**：安装 Git for Windows 并重新打开 PowerShell，然后重新运行安装器。
-- **"openclaw" 不是可识别的命令**：你的 npm 全局 bin 文件夹不在 PATH 中。大多数系统使用 `%AppData%\\npm`。你也可以运行 `npm config get prefix` 并将 `\\bin` 添加到 PATH，然后重新打开 PowerShell。
+  <Accordion title="环境变量参考">
+
+| 变量                                        | 说明                                                   |
+| ------------------------------------------- | ------------------------------------------------------ |
+| `OPENCLAW_PREFIX=<path>`                    | 安装前缀                                               |
+| `OPENCLAW_VERSION=<ver>`                    | OpenClaw 版本或 dist-tag                               |
+| `OPENCLAW_NODE_VERSION=<ver>`               | Node 版本                                              |
+| `OPENCLAW_NO_ONBOARD=1`                     | 跳过新手引导                                           |
+| `OPENCLAW_NPM_LOGLEVEL=error\|warn\|notice` | npm 日志级别                                           |
+| `OPENCLAW_GIT_DIR=<path>`                   | 旧版清理查找路径（用于删除旧的 `Peekaboo` 子模块检出） |
+| `SHARP_IGNORE_GLOBAL_LIBVIPS=0\|1`          | 控制 sharp/libvips 行为（默认：`1`）                   |
+
+  </Accordion>
+</AccordionGroup>
+
+---
+
+## install.ps1
+
+### 流程（install.ps1）
+
+<Steps>
+  <Step title="确保 PowerShell + Windows 环境">
+    需要 PowerShell 5+。
+  </Step>
+  <Step title="默认确保使用 Node.js 24">
+    如果缺少，则依次尝试通过 winget、Chocolatey、Scoop 安装。为了兼容性，Node 22 LTS（当前为 `22.16+`）仍然受支持。
+  </Step>
+  <Step title="安装 OpenClaw">
+    - `npm` 方法（默认）：使用所选 `-Tag` 进行全局 npm 安装
+    - `git` 方法：克隆/更新仓库，使用 pnpm 安装/构建，并将包装器安装到 `%USERPROFILE%\.local\bin\openclaw.cmd`
+  </Step>
+  <Step title="安装后任务">
+    在可能情况下将所需 bin 目录添加到用户 PATH，然后在升级和 git 安装时运行 `openclaw doctor --non-interactive`（尽力而为）。
+  </Step>
+</Steps>
+
+### 示例（install.ps1）
+
+<Tabs>
+  <Tab title="默认">
+    ```powershell
+    iwr -useb https://openclaw.ai/install.ps1 | iex
+    ```
+  </Tab>
+  <Tab title="Git 安装">
+    ```powershell
+    & ([scriptblock]::Create((iwr -useb https://openclaw.ai/install.ps1))) -InstallMethod git
+    ```
+  </Tab>
+  <Tab title="通过 npm 安装 GitHub main">
+    ```powershell
+    & ([scriptblock]::Create((iwr -useb https://openclaw.ai/install.ps1))) -Tag main
+    ```
+  </Tab>
+  <Tab title="自定义 git 目录">
+    ```powershell
+    & ([scriptblock]::Create((iwr -useb https://openclaw.ai/install.ps1))) -InstallMethod git -GitDir "C:\openclaw"
+    ```
+  </Tab>
+  <Tab title="试运行">
+    ```powershell
+    & ([scriptblock]::Create((iwr -useb https://openclaw.ai/install.ps1))) -DryRun
+    ```
+  </Tab>
+  <Tab title="调试跟踪">
+    ```powershell
+    # install.ps1 目前还没有专门的 -Verbose 标志。
+    Set-PSDebug -Trace 1
+    & ([scriptblock]::Create((iwr -useb https://openclaw.ai/install.ps1))) -NoOnboard
+    Set-PSDebug -Trace 0
+    ```
+  </Tab>
+</Tabs>
+
+<AccordionGroup>
+  <Accordion title="标志参考">
+
+| 标志                        | 说明                                         |
+| --------------------------- | -------------------------------------------- |
+| `-InstallMethod npm\|git`   | 安装方法（默认：`npm`）                      |
+| `-Tag <tag\|version\|spec>` | npm dist-tag、版本或包规范（默认：`latest`） |
+| `-GitDir <path>`            | 检出目录（默认：`%USERPROFILE%\openclaw`）   |
+| `-NoOnboard`                | 跳过新手引导                                 |
+| `-NoGitUpdate`              | 跳过 `git pull`                              |
+| `-DryRun`                   | 仅打印操作                                   |
+
+  </Accordion>
+
+  <Accordion title="环境变量参考">
+
+| 变量                               | 说明          |
+| ---------------------------------- | ------------- |
+| `OPENCLAW_INSTALL_METHOD=git\|npm` | 安装方法      |
+| `OPENCLAW_GIT_DIR=<path>`          | 检出目录      |
+| `OPENCLAW_NO_ONBOARD=1`            | 跳过新手引导  |
+| `OPENCLAW_GIT_UPDATE=0`            | 禁用 git pull |
+| `OPENCLAW_DRY_RUN=1`               | 试运行模式    |
+
+  </Accordion>
+</AccordionGroup>
+
+<Note>
+如果使用 `-InstallMethod git` 且缺少 Git，脚本会退出并打印 Git for Windows 链接。
+</Note>
+
+---
+
+## CI 和自动化
+
+使用非交互式标志/环境变量以实现可预测的运行。
+
+<Tabs>
+  <Tab title="install.sh（非交互式 npm）">
+    ```bash
+    curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install.sh | bash -s -- --no-prompt --no-onboard
+    ```
+  </Tab>
+  <Tab title="install.sh（非交互式 git）">
+    ```bash
+    OPENCLAW_INSTALL_METHOD=git OPENCLAW_NO_PROMPT=1 \
+      curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install.sh | bash
+    ```
+  </Tab>
+  <Tab title="install-cli.sh（JSON）">
+    ```bash
+    curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install-cli.sh | bash -s -- --json --prefix /opt/openclaw
+    ```
+  </Tab>
+  <Tab title="install.ps1（跳过新手引导）">
+    ```powershell
+    & ([scriptblock]::Create((iwr -useb https://openclaw.ai/install.ps1))) -NoOnboard
+    ```
+  </Tab>
+</Tabs>
+
+---
+
+## 故障排除
+
+<AccordionGroup>
+  <Accordion title="为什么需要 Git？">
+    `git` 安装方法需要 Git。对于 `npm` 安装，仍然会检查/安装 Git，以避免当依赖使用 git URL 时出现 `spawn git ENOENT` 失败。
+  </Accordion>
+
+  <Accordion title="为什么 npm 在 Linux 上会遇到 EACCES？">
+    某些 Linux 设置会将 npm 全局前缀指向 root 拥有的路径。`install.sh` 可以将前缀切换到 `~/.npm-global`，并将 PATH 导出追加到 shell rc 文件中（如果这些文件存在）。
+  </Accordion>
+
+  <Accordion title="sharp/libvips 问题">
+    这些脚本默认设置 `SHARP_IGNORE_GLOBAL_LIBVIPS=1`，以避免 sharp 针对系统 libvips 进行构建。若要覆盖：
+
+    ```bash
+    SHARP_IGNORE_GLOBAL_LIBVIPS=0 curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install.sh | bash
+    ```
+
+  </Accordion>
+
+  <Accordion title='Windows：“npm error spawn git / ENOENT”'>
+    安装 Git for Windows，重新打开 PowerShell，然后重新运行安装器。
+  </Accordion>
+
+  <Accordion title='Windows：“openclaw is not recognized”'>
+    运行 `npm config get prefix`，并将该目录添加到你的用户 PATH（Windows 上不需要 `\bin` 后缀），然后重新打开 PowerShell。
+  </Accordion>
+
+  <Accordion title="Windows：如何获取详细安装器输出">
+    `install.ps1` 目前没有提供 `-Verbose` 开关。
+    对于脚本级诊断，请使用 PowerShell 跟踪：
+
+    ```powershell
+    Set-PSDebug -Trace 1
+    & ([scriptblock]::Create((iwr -useb https://openclaw.ai/install.ps1))) -NoOnboard
+    Set-PSDebug -Trace 0
+    ```
+
+  </Accordion>
+
+  <Accordion title="安装后找不到 openclaw">
+    通常是 PATH 问题。请参见 [Node.js 故障排除](/install/node#troubleshooting)。
+  </Accordion>
+</AccordionGroup>
diff --git a/docs/zh-CN/install/macos-vm.md b/docs/zh-CN/install/macos-vm.md
index 94b106dab39..e532c1718ef 100644
--- a/docs/zh-CN/install/macos-vm.md
+++ b/docs/zh-CN/install/macos-vm.md
@@ -1,75 +1,75 @@
 ---
 read_when:
-  - 你想让 OpenClaw 与你的主 macOS 环境隔离
-  - 你想在沙箱中集成 iMessage（BlueBubbles）
-  - 你想要一个可重置、可克隆的 macOS 环境
-  - 你想比较本地与托管 macOS VM 选项
-summary: 在沙箱隔离的 macOS VM（本地或托管）中运行 OpenClaw，当你需要隔离或 iMessage 时
-title: macOS 虚拟机
+  - 你希望 OpenClaw 与你的主 macOS 环境隔离
+  - 你希望在沙箱中集成 iMessage（BlueBubbles）
+  - 你希望拥有一个可重置且可克隆的 macOS 环境
+  - 你希望比较本地与托管 macOS VM 选项
+summary: 在沙箱化的 macOS VM（本地或托管）中运行 OpenClaw，适用于你需要隔离或 iMessage 的场景
+title: macOS VM
 x-i18n:
-  generated_at: "2026-02-03T07:53:09Z"
-  model: claude-opus-4-5
-  provider: pi
+  generated_at: "2026-03-16T06:23:59Z"
+  model: gpt-5.4
+  provider: openai
   source_hash: 4d1c85a5e4945f9f0796038cd5960edecb71ec4dffb6f9686be50adb75180716
-  source_path: platforms/macos-vm.md
+  source_path: install/macos-vm.md
   workflow: 15
 ---
 
-# 在 macOS 虚拟机上运行 OpenClaw（沙箱隔离）
+# 在 macOS VM 上运行 OpenClaw（沙箱隔离）
 
-## 推荐默认方案（大多数用户）
+## 推荐默认方案（适用于大多数用户）
 
-- **小型 Linux VPS** 用于永久在线的 Gateway 网关，成本低。参见 [VPS 托管](/vps)。
-- **专用硬件**（Mac mini 或 Linux 机器）如果你想要完全控制和**住宅 IP** 用于浏览器自动化。许多网站会屏蔽数据中心 IP，所以本地浏览通常效果更好。
-- **混合方案：** 将 Gateway 网关保持在廉价 VPS 上，当你需要浏览器/UI 自动化时，将你的 Mac 作为**节点**连接。参见[节点](/nodes)和 [Gateway 网关远程](/gateway/remote)。
+- **小型 Linux VPS**：适合始终在线的 Gateway 网关，且成本较低。参见 [VPS hosting](/vps)。
+- **专用硬件**（Mac mini 或 Linux 主机）：如果你希望完全控制，并为浏览器自动化获得一个**住宅 IP**。许多网站会屏蔽数据中心 IP，因此本地浏览通常效果更好。
+- **混合方案：** 将 Gateway 网关放在便宜的 VPS 上，当你需要浏览器/UI 自动化时，再将你的 Mac 作为一个 **node** 连接进来。参见 [Nodes](/nodes) 和 [Gateway remote](/gateway/remote)。
 
-当你特别需要 macOS 独有功能（iMessage/BlueBubbles）或想要与日常 Mac 严格隔离时，使用 macOS VM。
+当你明确需要 macOS 独有能力（iMessage/BlueBubbles），或希望与你的日常 Mac 严格隔离时，再使用 macOS VM。
 
 ## macOS VM 选项
 
 ### 在你的 Apple Silicon Mac 上运行本地 VM（Lume）
 
-使用 [Lume](https://cua.ai/docs/lume) 在你现有的 Apple Silicon Mac 上的沙箱 macOS VM 中运行 OpenClaw。
+使用 [Lume](https://cua.ai/docs/lume) 在你现有的 Apple Silicon Mac 上的沙箱化 macOS VM 中运行 OpenClaw。
 
-这为你提供：
+这样你将获得：
 
-- 隔离的完整 macOS 环境（你的主机保持干净）
-- 通过 BlueBubbles 支持 iMessage（在 Linux/Windows 上不可能）
-- 通过克隆 VM 即时重置
+- 完全隔离的 macOS 环境（你的宿主机保持干净）
+- 通过 BlueBubbles 获得 iMessage 支持（在 Linux/Windows 上无法实现）
+- 通过克隆 VM 实现即时重置
 - 无需额外硬件或云成本
 
-### 托管 Mac 提供商（云）
+### 托管 Mac 提供商（云端）
 
-如果你想要云端的 macOS，托管 Mac 提供商也可以：
+如果你希望在云中使用 macOS，托管 Mac 提供商同样可行：
 
 - [MacStadium](https://www.macstadium.com/)（托管 Mac）
-- 其他托管 Mac 供应商也可以；按照他们的 VM + SSH 文档操作
+- 其他托管 Mac 供应商也可以；请遵循它们的 VM + SSH 文档
 
-一旦你有了 macOS VM 的 SSH 访问权限，继续下面的步骤 6。
+一旦你获得了对 macOS VM 的 SSH 访问权限，就继续执行下面的第 6 步。
 
 ---
 
-## 快速路径（Lume，有经验的用户）
+## 快速路径（Lume，适合有经验的用户）
 
 1. 安装 Lume
 2. `lume create openclaw --os macos --ipsw latest`
-3. 完成设置助手，启用远程登录（SSH）
+3. 完成设置助理，启用远程登录（SSH）
 4. `lume run openclaw --no-display`
-5. SSH 进入，安装 OpenClaw，配置渠道
+5. SSH 登录，安装 OpenClaw，配置渠道
 6. 完成
 
 ---
 
-## 你需要什么（Lume）
+## 你需要准备的内容（Lume）
 
 - Apple Silicon Mac（M1/M2/M3/M4）
-- 主机上安装 macOS Sequoia 或更高版本
-- 每个 VM 约 60 GB 可用磁盘空间
+- 宿主机运行 macOS Sequoia 或更高版本
+- 每个 VM 大约 60 GB 可用磁盘空间
 - 约 20 分钟
 
 ---
 
-## 1) 安装 Lume
+## 1）安装 Lume
 
 ```bash
 /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/trycua/cua/main/libs/lume/scripts/install.sh)"
@@ -87,11 +87,11 @@ echo 'export PATH="$PATH:$HOME/.local/bin"' >> ~/.zshrc && source ~/.zshrc
 lume --version
 ```
 
-文档：[Lume 安装](https://cua.ai/docs/lume/guide/getting-started/installation)
+文档： [Lume Installation](https://cua.ai/docs/lume/guide/getting-started/installation)
 
 ---
 
-## 2) 创建 macOS VM
+## 2）创建 macOS VM
 
 ```bash
 lume create openclaw --os macos --ipsw latest
@@ -99,47 +99,47 @@ lume create openclaw --os macos --ipsw latest
 
 这会下载 macOS 并创建 VM。VNC 窗口会自动打开。
 
-注意：下载可能需要一段时间，取决于你的网络连接。
+注意：下载可能需要一些时间，具体取决于你的网络连接。
 
 ---
 
-## 3) 完成设置助手
+## 3）完成设置助理
 
 在 VNC 窗口中：
 
 1. 选择语言和地区
-2. 跳过 Apple ID（或者如果你以后想要 iMessage 就登录）
-3. 创建用户账户（记住用户名和密码）
+2. 跳过 Apple ID（或者如果你之后想使用 iMessage，也可以登录）
+3. 创建一个用户账号（记住用户名和密码）
 4. 跳过所有可选功能
 
 设置完成后，启用 SSH：
 
-1. 打开系统设置 → 通用 → 共享
-2. 启用"远程登录"
+1. 打开“系统设置”→“通用”→“共享”
+2. 启用“远程登录”
 
 ---
 
-## 4) 获取 VM 的 IP 地址
+## 4）获取 VM 的 IP 地址
 
 ```bash
 lume get openclaw
 ```
 
-查找 IP 地址（通常是 `192.168.64.x`）。
+查找 IP 地址（通常为 `192.168.64.x`）。
 
 ---
 
-## 5) SSH 进入 VM
+## 5）通过 SSH 连接到 VM
 
 ```bash
 ssh youruser@192.168.64.X
 ```
 
-将 `youruser` 替换为你创建的账户，IP 替换为你 VM 的 IP。
+将 `youruser` 替换为你创建的账号，并将 IP 替换为你的 VM IP。
 
 ---
 
-## 6) 安装 OpenClaw
+## 6）安装 OpenClaw
 
 在 VM 内：
 
@@ -152,7 +152,7 @@ openclaw onboard --install-daemon
 
 ---
 
-## 7) 配置渠道
+## 7）配置渠道
 
 编辑配置文件：
 
@@ -176,7 +176,7 @@ nano ~/.openclaw/openclaw.json
 }
 ```
 
-然后登录 WhatsApp（扫描二维码）：
+然后登录 WhatsApp（扫描 QR 码）：
 
 ```bash
 openclaw channels login
@@ -184,16 +184,16 @@ openclaw channels login
 
 ---
 
-## 8) 无头运行 VM
+## 8）以无界面方式运行 VM
 
-停止 VM 并在无显示器模式下重启：
+停止 VM，然后在无显示模式下重启：
 
 ```bash
 lume stop openclaw
 lume run openclaw --no-display
 ```
 
-VM 在后台运行。OpenClaw 的守护进程保持 Gateway 网关运行。
+VM 会在后台运行。OpenClaw 的守护进程会保持 Gateway 网关持续运行。
 
 检查状态：
 
@@ -203,18 +203,18 @@ ssh youruser@192.168.64.X "openclaw status"
 
 ---
 
-## 额外：iMessage 集成
+## 加分项：iMessage 集成
 
-这是在 macOS 上运行的杀手级功能。使用 [BlueBubbles](https://bluebubbles.app) 将 iMessage 添加到 OpenClaw。
+这是在 macOS 上运行的杀手级特性。使用 [BlueBubbles](https://bluebubbles.app) 将 iMessage 添加到 OpenClaw。
 
 在 VM 内：
 
 1. 从 bluebubbles.app 下载 BlueBubbles
-2. 用你的 Apple ID 登录
-3. 启用 Web API 并设置密码
-4. 将 BlueBubbles webhooks 指向你的 Gateway 网关（示例：`https://your-gateway-host:3000/bluebubbles-webhook?password=<password>`）
+2. 使用你的 Apple ID 登录
+3. 启用 Web API 并设置一个密码
+4. 将 BlueBubbles webhook 指向你的 gateway（示例：`https://your-gateway-host:3000/bluebubbles-webhook?password=<password>`）
 
-添加到你的 OpenClaw 配置：
+添加到你的 OpenClaw 配置中：
 
 ```json
 {
@@ -228,15 +228,15 @@ ssh youruser@192.168.64.X "openclaw status"
 }
 ```
 
-重启 Gateway 网关。现在你的智能体可以发送和接收 iMessage 了。
+重启 Gateway 网关。现在你的智能体就可以发送和接收 iMessage 了。
 
-完整设置详情：[BlueBubbles 渠道](/channels/bluebubbles)
+完整设置细节： [BlueBubbles channel](/channels/bluebubbles)
 
 ---
 
 ## 保存黄金镜像
 
-在进一步自定义之前，快照你的干净状态：
+在进一步自定义之前，为你的干净状态创建快照：
 
 ```bash
 lume stop openclaw
@@ -253,36 +253,36 @@ lume run openclaw --no-display
 
 ---
 
-## 24/7 运行
+## 7×24 运行
 
-通过以下方式保持 VM 运行：
+通过以下方式保持 VM 持续运行：
 
-- 保持你的 Mac 插电
-- 在系统设置 → 节能中禁用睡眠
-- 如需要使用 `caffeinate`
+- 让你的 Mac 保持通电
+- 在“系统设置”→“节能”中禁用睡眠
+- 如有需要，使用 `caffeinate`
 
-对于真正的永久在线，考虑专用 Mac mini 或小型 VPS。参见 [VPS 托管](/vps)。
+如果你需要真正始终在线，请考虑使用专用 Mac mini 或小型 VPS。参见 [VPS hosting](/vps)。
 
 ---
 
 ## 故障排除
 
-| 问题                    | 解决方案                                                         |
-| ----------------------- | ---------------------------------------------------------------- |
-| 无法 SSH 进入 VM        | 检查 VM 的系统设置中是否启用了"远程登录"                         |
-| VM IP 未显示            | 等待 VM 完全启动，再次运行 `lume get openclaw`                   |
-| 找不到 Lume 命令        | 将 `~/.local/bin` 添加到你的 PATH                                |
-| WhatsApp 二维码扫描失败 | 确保运行 `openclaw channels login` 时你是登录到 VM（而不是主机） |
+| 问题                    | 解决方案                                                          |
+| ----------------------- | ----------------------------------------------------------------- |
+| 无法通过 SSH 连接到 VM  | 检查 VM 的“系统设置”中是否已启用“远程登录”                        |
+| 未显示 VM IP            | 等待 VM 完全启动后，再次运行 `lume get openclaw`                  |
+| 找不到 `lume` 命令      | 将 `~/.local/bin` 添加到你的 PATH                                 |
+| 无法扫描 WhatsApp QR 码 | 运行 `openclaw channels login` 时，确保你登录的是 VM 而不是宿主机 |
 
 ---
 
 ## 相关文档
 
-- [VPS 托管](/vps)
-- [节点](/nodes)
-- [Gateway 网关远程](/gateway/remote)
-- [BlueBubbles 渠道](/channels/bluebubbles)
-- [Lume 快速入门](https://cua.ai/docs/lume/guide/getting-started/quickstart)
-- [Lume CLI 参考](https://cua.ai/docs/lume/reference/cli-reference)
-- [无人值守 VM 设置](https://cua.ai/docs/lume/guide/fundamentals/unattended-setup)（高级）
-- [Docker 沙箱隔离](/install/docker)（替代隔离方案）
+- [VPS hosting](/vps)
+- [Nodes](/nodes)
+- [Gateway remote](/gateway/remote)
+- [BlueBubbles channel](/channels/bluebubbles)
+- [Lume Quickstart](https://cua.ai/docs/lume/guide/getting-started/quickstart)
+- [Lume CLI Reference](https://cua.ai/docs/lume/reference/cli-reference)
+- [Unattended VM Setup](https://cua.ai/docs/lume/guide/fundamentals/unattended-setup)（高级）
+- [Docker Sandboxing](/install/docker)（另一种隔离方案）
diff --git a/docs/zh-CN/platforms/digitalocean.md b/docs/zh-CN/platforms/digitalocean.md
index 2c6576e66fd..f96d11cdf1c 100644
--- a/docs/zh-CN/platforms/digitalocean.md
+++ b/docs/zh-CN/platforms/digitalocean.md
@@ -1,14 +1,14 @@
 ---
 read_when:
   - 在 DigitalOcean 上设置 OpenClaw
-  - 寻找便宜的 VPS 托管来运行 OpenClaw
+  - 寻找适合 OpenClaw 的低价 VPS 托管
 summary: 在 DigitalOcean 上运行 OpenClaw（简单的付费 VPS 选项）
 title: DigitalOcean
 x-i18n:
-  generated_at: "2026-02-03T07:51:55Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: d60559b8751da37413e5364e83c88254b476b2283386a0b07b2ca6b4e16157fc
+  generated_at: "2026-03-16T06:24:23Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: f7cbbee2bdc2df08d2c255ee55fdf822c27924b41c4f4717cafb7e6e015d0966
   source_path: platforms/digitalocean.md
   workflow: 15
 ---
@@ -17,137 +17,141 @@ x-i18n:
 
 ## 目标
 
-以 **$6/月**（或使用预留定价 $4/月）在 DigitalOcean 上运行持久的 OpenClaw Gateway 网关。
+在 DigitalOcean 上以 **每月 6 美元**（或预留定价时每月 4 美元）运行一个持久化的 OpenClaw Gateway 网关。
 
-如果你想要 $0/月的选项且不介意 ARM + 特定提供商的设置，请参阅 [Oracle Cloud 指南](/platforms/oracle)。
+如果你想要每月 0 美元的方案，并且不介意 ARM + 提供商特定设置，请参阅 [Oracle Cloud 指南](/platforms/oracle)。
 
-## 成本比较（2026）
+## 成本对比（2026）
 
-| 提供商       | 方案            | 配置                  | 价格/月     | 备注                     |
-| ------------ | --------------- | --------------------- | ----------- | ------------------------ |
-| Oracle Cloud | Always Free ARM | 最高 4 OCPU、24GB RAM | $0          | ARM，容量有限 / 注册有坑 |
-| Hetzner      | CX22            | 2 vCPU、4GB RAM       | €3.79 (~$4) | 最便宜的付费选项         |
-| DigitalOcean | Basic           | 1 vCPU、1GB RAM       | $6          | 界面简单，文档完善       |
-| Vultr        | Cloud Compute   | 1 vCPU、1GB RAM       | $6          | 多地区可选               |
-| Linode       | Nanode          | 1 vCPU、1GB RAM       | $5          | 现为 Akamai 旗下         |
+| 提供商       | 套餐            | 规格                   | 每月价格       | 说明                             |
+| ------------ | --------------- | ---------------------- | -------------- | -------------------------------- |
+| Oracle Cloud | Always Free ARM | 最多 4 OCPU，24 GB RAM | $0             | ARM，容量有限 / 注册流程有些麻烦 |
+| Hetzner      | CX22            | 2 vCPU，4 GB RAM       | €3.79（约 $4） | 最便宜的付费选项                 |
+| DigitalOcean | Basic           | 1 vCPU，1 GB RAM       | $6             | UI 简单，文档完善                |
+| Vultr        | Cloud Compute   | 1 vCPU，1 GB RAM       | $6             | 机房位置多                       |
+| Linode       | Nanode          | 1 vCPU，1 GB RAM       | $5             | 现已并入 Akamai                  |
 
-**选择提供商：**
+**如何选择提供商：**
 
-- DigitalOcean：最简单的用户体验 + 可预测的设置（本指南）
-- Hetzner：性价比高（参见 [Hetzner 指南](/install/hetzner)）
-- Oracle Cloud：可以 $0/月，但更麻烦且仅限 ARM（参见 [Oracle 指南](/platforms/oracle)）
+- DigitalOcean：最简单的 UX + 可预测的设置（本指南）
+- Hetzner：性价比不错（见 [Hetzner guide](/install/hetzner)）
+- Oracle Cloud：可能做到每月 0 美元，但更挑环境且仅支持 ARM（见 [Oracle guide](/platforms/oracle)）
 
 ---
 
 ## 前提条件
 
-- DigitalOcean 账户（[注册可获 $200 免费额度](https://m.do.co/c/signup)）
+- DigitalOcean 账号（[注册可获 200 美元免费额度](https://m.do.co/c/signup)）
 - SSH 密钥对（或愿意使用密码认证）
 - 约 20 分钟
 
-## 1) 创建 Droplet
+## 1）创建 Droplet
+
+<Warning>
+请使用干净的基础镜像（Ubuntu 24.04 LTS）。除非你已经检查过其启动脚本和防火墙默认设置，否则请避免使用第三方 Marketplace 一键镜像。
+</Warning>
 
 1. 登录 [DigitalOcean](https://cloud.digitalocean.com/)
 2. 点击 **Create → Droplets**
 3. 选择：
-   - **Region：** 离你（或你的用户）最近的地区
+   - **Region：** 离你（或你的用户）最近
    - **Image：** Ubuntu 24.04 LTS
-   - **Size：** Basic → Regular → **$6/mo**（1 vCPU、1GB RAM、25GB SSD）
-   - **Authentication：** SSH 密钥（推荐）或密码
+   - **Size：** Basic → Regular → **$6/mo**（1 vCPU、1 GB RAM、25 GB SSD）
+   - **Authentication：** SSH key（推荐）或密码
 4. 点击 **Create Droplet**
 5. 记下 IP 地址
 
-## 2) 通过 SSH 连接
+## 2）通过 SSH 连接
 
 ```bash
 ssh root@YOUR_DROPLET_IP
 ```
 
-## 3) 安装 OpenClaw
+## 3）安装 OpenClaw
 
 ```bash
-# Update system
+# 更新系统
 apt update && apt upgrade -y
 
-# Install Node.js 22
-curl -fsSL https://deb.nodesource.com/setup_22.x | bash -
+# 安装 Node.js 24
+curl -fsSL https://deb.nodesource.com/setup_24.x | bash -
 apt install -y nodejs
 
-# Install OpenClaw
+# 安装 OpenClaw
 curl -fsSL https://openclaw.ai/install.sh | bash
 
-# Verify
+# 验证
 openclaw --version
 ```
 
-## 4) 运行新手引导
+## 4）运行新手引导
 
 ```bash
 openclaw onboard --install-daemon
 ```
 
-向导将引导你完成：
+向导会带你完成以下设置：
 
-- 模型认证（API 密钥或 OAuth）
+- 模型认证（API key 或 OAuth）
 - 渠道设置（Telegram、WhatsApp、Discord 等）
-- Gateway 网关令牌（自动生成）
+- Gateway 网关 token（自动生成）
 - 守护进程安装（systemd）
 
-## 5) 验证 Gateway 网关
+## 5）验证 Gateway 网关
 
 ```bash
-# Check status
+# 检查状态
 openclaw status
 
-# Check service
+# 检查服务
 systemctl --user status openclaw-gateway.service
 
-# View logs
+# 查看日志
 journalctl --user -u openclaw-gateway.service -f
 ```
 
-## 6) 访问控制面板
+## 6）访问 Dashboard
 
-Gateway 网关默认绑定到 loopback。要访问控制界面：
+Gateway 网关默认绑定到 loopback。要访问 Control UI：
 
 **选项 A：SSH 隧道（推荐）**
 
 ```bash
-# From your local machine
+# 在你的本地机器上
 ssh -L 18789:localhost:18789 root@YOUR_DROPLET_IP
 
-# Then open: http://localhost:18789
+# 然后打开：http://localhost:18789
 ```
 
 **选项 B：Tailscale Serve（HTTPS，仅 loopback）**
 
 ```bash
-# On the droplet
+# 在 droplet 上
 curl -fsSL https://tailscale.com/install.sh | sh
 tailscale up
 
-# Configure Gateway to use Tailscale Serve
+# 将 Gateway 网关配置为使用 Tailscale Serve
 openclaw config set gateway.tailscale.mode serve
 openclaw gateway restart
 ```
 
 打开：`https://<magicdns>/`
 
-注意事项：
+说明：
 
-- Serve 保持 Gateway 网关仅 loopback 并通过 Tailscale 身份头进行认证。
-- 要改为需要令牌/密码，请设置 `gateway.auth.allowTailscale: false` 或使用 `gateway.auth.mode: "password"`。
+- Serve 会让 Gateway 网关保持仅 loopback，并通过 Tailscale 身份头对 Control UI/WebSocket 流量进行认证（无 token 认证假定 Gateway 网关主机可信；HTTP API 仍然需要 token/password）。
+- 如果你想强制要求 token/password，请设置 `gateway.auth.allowTailscale: false` 或使用 `gateway.auth.mode: "password"`。
 
-**选项 C：Tailnet 绑定（不使用 Serve）**
+**选项 C：绑定到 tailnet（不使用 Serve）**
 
 ```bash
 openclaw config set gateway.bind tailnet
 openclaw gateway restart
 ```
 
-打开：`http://<tailscale-ip>:18789`（需要令牌）。
+打开：`http://<tailscale-ip>:18789`（需要 token）。
 
-## 7) 连接你的渠道
+## 7）连接你的渠道
 
 ### Telegram
 
@@ -160,16 +164,16 @@ openclaw pairing approve telegram <CODE>
 
 ```bash
 openclaw channels login whatsapp
-# Scan QR code
+# 扫描 QR 码
 ```
 
-参见[渠道](/channels)了解其他提供商。
+其他提供商请参阅 [Channels](/channels)。
 
 ---
 
-## 1GB RAM 的优化
+## 针对 1 GB RAM 的优化
 
-$6 的 droplet 只有 1GB RAM。为了保持运行流畅：
+6 美元的 droplet 只有 1 GB RAM。为了保持运行顺畅：
 
 ### 添加 swap（推荐）
 
@@ -183,9 +187,9 @@ echo '/swapfile none swap sw 0 0' >> /etc/fstab
 
 ### 使用更轻量的模型
 
-如果遇到 OOM，考虑：
+如果你遇到 OOM，可以考虑：
 
-- 使用基于 API 的模型（Claude、GPT）而不是本地模型
+- 使用基于 API 的模型（Claude、GPT），而不是本地模型
 - 将 `agents.defaults.model.primary` 设置为更小的模型
 
 ### 监控内存
@@ -199,12 +203,12 @@ htop
 
 ## 持久化
 
-所有状态存储在：
+所有状态都存储在：
 
 - `~/.openclaw/` — 配置、凭证、会话数据
-- `~/.openclaw/workspace/` — 工作区（SOUL.md、记忆等）
+- `~/.openclaw/workspace/` — 工作区（`SOUL.md`、memory 等）
 
-这些在重启后保留。定期备份：
+这些内容在重启后仍会保留。请定期备份：
 
 ```bash
 tar -czvf openclaw-backup.tar.gz ~/.openclaw ~/.openclaw/workspace
@@ -214,21 +218,21 @@ tar -czvf openclaw-backup.tar.gz ~/.openclaw ~/.openclaw/workspace
 
 ## Oracle Cloud 免费替代方案
 
-Oracle Cloud 提供 **Always Free** ARM 实例，比这里任何付费选项都强大得多 — 每月 $0。
+Oracle Cloud 提供 **Always Free** ARM 实例，性能显著强于这里列出的任何付费选项 —— 且每月 0 美元。
 
-| 你将获得       | 配置             |
-| -------------- | ---------------- |
-| **4 OCPUs**    | ARM Ampere A1    |
-| **24GB RAM**   | 绰绰有余         |
-| **200GB 存储** | 块存储卷         |
-| **永久免费**   | 不收取信用卡费用 |
+| 你将获得        | 规格               |
+| --------------- | ------------------ |
+| **4 OCPU**      | ARM Ampere A1      |
+| **24 GB RAM**   | 完全足够           |
+| **200 GB 存储** | 块存储卷           |
+| **永久免费**    | 不会产生信用卡费用 |
 
 **注意事项：**
 
-- 注册可能有点麻烦（失败了就重试）
-- ARM 架构 — 大多数东西都能工作，但有些二进制文件需要 ARM 构建
+- 注册过程可能比较挑剔（如果失败请重试）
+- ARM 架构 —— 大多数东西都能运行，但某些二进制文件需要 ARM 构建版本
 
-完整设置指南请参阅 [Oracle Cloud](/platforms/oracle)。关于注册技巧和注册流程故障排除，请参阅此[社区指南](https://gist.github.com/rssnyder/51e3cfedd730e7dd5f4a816143b25dbd)。
+完整设置指南请参阅 [Oracle Cloud](/platforms/oracle)。关于注册技巧和注册流程故障排除，请参阅这篇[社区指南](https://gist.github.com/rssnyder/51e3cfedd730e7dd5f4a816143b25dbd)。
 
 ---
 
@@ -242,7 +246,7 @@ openclaw doctor --non-interactive
 journalctl -u openclaw --no-pager -n 50
 ```
 
-### 端口已被使用
+### 端口已被占用
 
 ```bash
 lsof -i :18789
@@ -252,18 +256,18 @@ kill <PID>
 ### 内存不足
 
 ```bash
-# Check memory
+# 检查内存
 free -h
 
-# Add more swap
-# Or upgrade to $12/mo droplet (2GB RAM)
+# 添加更多 swap
+# 或升级到每月 12 美元的 droplet（2 GB RAM）
 ```
 
 ---
 
 ## 另请参阅
 
-- [Hetzner 指南](/install/hetzner) — 更便宜、更强大
-- [Docker 安装](/install/docker) — 容器化设置
-- [Tailscale](/gateway/tailscale) — 安全远程访问
-- [配置](/gateway/configuration) — 完整配置参考
+- [Hetzner guide](/install/hetzner) — 更便宜、性能更强
+- [Docker install](/install/docker) — 容器化设置
+- [Tailscale](/gateway/tailscale) — 安全的远程访问
+- [Configuration](/gateway/configuration) — 完整配置参考
diff --git a/docs/zh-CN/platforms/index.md b/docs/zh-CN/platforms/index.md
index 6609ed34aa3..c8d72360140 100644
--- a/docs/zh-CN/platforms/index.md
+++ b/docs/zh-CN/platforms/index.md
@@ -1,14 +1,14 @@
 ---
 read_when:
-  - 查找操作系统支持或安装路径时
-  - 决定在哪里运行 Gateway 网关时
-summary: 平台支持概述（Gateway 网关 + 配套应用）
+  - 查找操作系统支持或安装路径
+  - 决定在哪里运行 Gateway 网关
+summary: 平台支持概览（Gateway 网关 + 配套应用）
 title: 平台
 x-i18n:
-  generated_at: "2026-02-03T07:52:07Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: 254852a5ed1996982a52eed4a72659477609e08d340c625d24ef6d99c21eece6
+  generated_at: "2026-03-16T06:24:20Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 653f395598b9558cb15b58ab42ed931dba47c70780be1c803d33dd795bad6503
   source_path: platforms/index.md
   workflow: 15
 ---
@@ -16,11 +16,11 @@ x-i18n:
 # 平台
 
 OpenClaw 核心使用 TypeScript 编写。**Node 是推荐的运行时**。
-不推荐 Bun 用于 Gateway 网关（WhatsApp/Telegram 存在 bug）。
+不建议将 Bun 用于 Gateway 网关（存在 WhatsApp/Telegram bug）。
 
-配套应用适用于 macOS（菜单栏应用）和移动节点（iOS/Android）。Windows 和
-Linux 配套应用已在计划中，但 Gateway 网关目前已完全支持。
-Windows 原生配套应用也在计划中；推荐通过 WSL2 使用 Gateway 网关。
+已提供适用于 macOS（菜单栏应用）和移动节点（iOS/Android）的配套应用。Windows 和
+Linux 配套应用已在规划中，但 Gateway 网关目前已得到完全支持。
+适用于 Windows 的原生配套应用也在规划中；推荐通过 WSL2 运行 Gateway 网关。
 
 ## 选择你的操作系统
 
@@ -30,7 +30,7 @@ Windows 原生配套应用也在计划中；推荐通过 WSL2 使用 Gateway 网
 - Windows：[Windows](/platforms/windows)
 - Linux：[Linux](/platforms/linux)
 
-## VPS 和托管
+## VPS 与托管
 
 - VPS 中心：[VPS 托管](/vps)
 - Fly.io：[Fly.io](/install/fly)
@@ -47,14 +47,14 @@ Windows 原生配套应用也在计划中；推荐通过 WSL2 使用 Gateway 网
 
 ## Gateway 网关服务安装（CLI）
 
-使用以下任一方式（均支持）：
+使用以下任一方式（均受支持）：
 
 - 向导（推荐）：`openclaw onboard --install-daemon`
 - 直接安装：`openclaw gateway install`
-- 配置流程：`openclaw configure` → 选择 **Gateway service**
-- 修复/迁移：`openclaw doctor`（提供安装或修复服务）
+- 配置流程：`openclaw configure` → 选择 **Gateway 服务**
+- 修复/迁移：`openclaw doctor`（会提供安装或修复服务的选项）
 
 服务目标取决于操作系统：
 
-- macOS：LaunchAgent（`bot.molt.gateway` 或 `bot.molt.<profile>`；旧版 `com.openclaw.*`）
+- macOS：LaunchAgent（`ai.openclaw.gateway` 或 `ai.openclaw.<profile>`；旧版为 `com.openclaw.*`）
 - Linux/WSL2：systemd 用户服务（`openclaw-gateway[-<profile>].service`）
diff --git a/docs/zh-CN/platforms/linux.md b/docs/zh-CN/platforms/linux.md
index 3634f6c9d44..4c836960f94 100644
--- a/docs/zh-CN/platforms/linux.md
+++ b/docs/zh-CN/platforms/linux.md
@@ -1,31 +1,31 @@
 ---
 read_when:
-  - 查找 Linux 配套应用状态时
-  - 规划平台覆盖或贡献时
+  - 查找 Linux 配套应用状态
+  - 规划平台覆盖范围或贡献
 summary: Linux 支持 + 配套应用状态
 title: Linux 应用
 x-i18n:
-  generated_at: "2026-02-03T07:52:18Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: a9bbbcecf2fd522a2f5ac8f3b9068febbc43658465bfb9276bff6c3e946789d2
+  generated_at: "2026-03-16T06:24:30Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 12f2a28ec8fc17769210bda97af11fda332355956d41bba69ac51cc523be6178
   source_path: platforms/linux.md
   workflow: 15
 ---
 
 # Linux 应用
 
-Gateway 网关在 Linux 上完全支持。**Node 是推荐的运行时**。
-不推荐 Bun 用于 Gateway 网关（WhatsApp/Telegram 存在 bug）。
+Gateway 网关在 Linux 上得到完全支持。**Node 是推荐的运行时**。
+不建议将 Bun 用于 Gateway 网关（存在 WhatsApp/Telegram bug）。
 
-原生 Linux 配套应用已在计划中。如果你想帮助构建，欢迎贡献。
+原生 Linux 配套应用已在规划中。如果你想帮助构建一个，欢迎贡献。
 
-## 新手快速路径（VPS）
+## 面向初学者的快速路径（VPS）
 
-1. 安装 Node 22+
+1. 安装 Node 24（推荐；Node 22 LTS，目前 `22.16+`，为了兼容性仍然可用）
 2. `npm i -g openclaw@latest`
 3. `openclaw onboard --install-daemon`
-4. 从你的笔记本电脑：`ssh -N -L 18789:127.0.0.1:18789 <user>@<host>`
+4. 在你的笔记本电脑上运行：`ssh -N -L 18789:127.0.0.1:18789 <user>@<host>`
 5. 打开 `http://127.0.0.1:18789/` 并粘贴你的令牌
 
 分步 VPS 指南：[exe.dev](/install/exe-dev)
@@ -49,19 +49,19 @@ Gateway 网关在 Linux 上完全支持。**Node 是推荐的运行时**。
 openclaw onboard --install-daemon
 ```
 
-或：
+或者：
 
 ```
 openclaw gateway install
 ```
 
-或：
+或者：
 
 ```
 openclaw configure
 ```
 
-出现提示时选择 **Gateway service**。
+出现提示时，选择 **Gateway 服务**。
 
 修复/迁移：
 
@@ -71,9 +71,8 @@ openclaw doctor
 
 ## 系统控制（systemd 用户单元）
 
-OpenClaw 默认安装 systemd **用户**服务。对于共享或常驻服务器使用**系统**
-服务。完整的单元示例和指南
-在 [Gateway 网关运行手册](/gateway) 中。
+OpenClaw 默认安装 systemd **用户**服务。对于共享或始终在线的服务器，请使用 **系统** 服务。完整的单元示例和指导
+请参见 [Gateway 网关运行手册](/gateway)。
 
 最小设置：
 
diff --git a/docs/zh-CN/platforms/raspberry-pi.md b/docs/zh-CN/platforms/raspberry-pi.md
index edffc432ed1..54459e1f251 100644
--- a/docs/zh-CN/platforms/raspberry-pi.md
+++ b/docs/zh-CN/platforms/raspberry-pi.md
@@ -1,15 +1,15 @@
 ---
 read_when:
-  - 在 Raspberry Pi 上设置 OpenClaw 时
-  - 在 ARM 设备上运行 OpenClaw 时
-  - 构建低成本常驻个人 AI 时
-summary: 在 Raspberry Pi 上运行 OpenClaw（低成本自托管设置）
+  - 在 Raspberry Pi 上设置 OpenClaw
+  - 在 ARM 设备上运行 OpenClaw
+  - 构建一个低成本、始终在线的个人 AI
+summary: 在 Raspberry Pi 上运行 OpenClaw（低预算自托管方案）
 title: Raspberry Pi
 x-i18n:
-  generated_at: "2026-02-03T07:53:30Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: 6741eaf0115a4fa0efd6599a99e0526a20ceb30eda1d9b04cba9dd5dec84bee2
+  generated_at: "2026-03-16T06:24:58Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 3106dea63b5a548622b82e3090e7fdb7f748b96bf0e23893496f1b60c095334a
   source_path: platforms/raspberry-pi.md
   workflow: 15
 ---
@@ -18,51 +18,51 @@ x-i18n:
 
 ## 目标
 
-在 Raspberry Pi 上运行持久、常驻的 OpenClaw Gateway 网关，**一次性成本约 $35-80**（无月费）。
+在 Raspberry Pi 上以 **约 35–80 美元**的一次性成本（无月费）运行一个持久化、始终在线的 OpenClaw Gateway 网关。
 
-适用于：
+非常适合：
 
-- 24/7 个人 AI 助手
-- 家庭自动化中心
-- 低功耗、随时可用的 Telegram/WhatsApp 机器人
+- 7×24 个人 AI 助手
+- 家庭自动化中枢
+- 低功耗、始终可用的 Telegram/WhatsApp bot
 
 ## 硬件要求
 
-| Pi 型号         | 内存    | 是否可用？ | 说明                       |
-| --------------- | ------- | ---------- | -------------------------- |
-| **Pi 5**        | 4GB/8GB | ✅ 最佳    | 最快，推荐                 |
-| **Pi 4**        | 4GB     | ✅ 良好    | 大多数用户的最佳选择       |
-| **Pi 4**        | 2GB     | ✅ 可以    | 可用，添加交换空间         |
-| **Pi 4**        | 1GB     | ⚠️ 紧张    | 使用交换空间可行，最小配置 |
-| **Pi 3B+**      | 1GB     | ⚠️ 慢      | 可用但较慢                 |
-| **Pi Zero 2 W** | 512MB   | ❌         | 不推荐                     |
+| Pi 型号         | RAM     | 可用？  | 说明                       |
+| --------------- | ------- | ------- | -------------------------- |
+| **Pi 5**        | 4GB/8GB | ✅ 最佳 | 最快，推荐                 |
+| **Pi 4**        | 4GB     | ✅ 良好 | 适合大多数用户的最佳平衡点 |
+| **Pi 4**        | 2GB     | ✅ 可以 | 可用，建议加 swap          |
+| **Pi 4**        | 1GB     | ⚠️ 紧张 | 配合 swap 和最小化配置可行 |
+| **Pi 3B+**      | 1GB     | ⚠️ 较慢 | 可用，但反应迟缓           |
+| **Pi Zero 2 W** | 512MB   | ❌      | 不推荐                     |
 
-**最低配置：** 1GB 内存，1 核，500MB 磁盘  
-**推荐：** 2GB+ 内存，64 位系统，16GB+ SD 卡（或 USB SSD）
+**最低规格：** 1 GB RAM、1 核、500 MB 磁盘  
+**推荐规格：** 2 GB 以上 RAM、64 位 OS、16 GB 以上 SD 卡（或 USB SSD）
 
-## 你需要准备
+## 你需要准备的内容
 
-- Raspberry Pi 4 或 5（推荐 2GB+）
-- MicroSD 卡（16GB+）或 USB SSD（性能更好）
-- 电源（推荐官方 Pi 电源）
-- 网络连接（以太网或 WiFi）
+- Raspberry Pi 4 或 5（推荐 2 GB 以上）
+- MicroSD 卡（16 GB 以上）或 USB SSD（性能更好）
+- 电源（推荐使用官方 Pi 电源）
+- 网络连接（以太网或 Wi‑Fi）
 - 约 30 分钟
 
-## 1) 刷写系统
+## 1）刷写 OS
 
-使用 **Raspberry Pi OS Lite (64-bit)** — 无头服务器不需要桌面。
+使用 **Raspberry Pi OS Lite（64 位）** —— 对于无头服务器，不需要桌面环境。
 
 1. 下载 [Raspberry Pi Imager](https://www.raspberrypi.com/software/)
-2. 选择系统：**Raspberry Pi OS Lite (64-bit)**
-3. 点击齿轮图标（⚙️）预配置：
+2. 选择 OS：**Raspberry Pi OS Lite（64 位）**
+3. 点击齿轮图标（⚙️）进行预配置：
    - 设置主机名：`gateway-host`
    - 启用 SSH
    - 设置用户名/密码
-   - 配置 WiFi（如果不使用以太网）
-4. 刷写到你的 SD 卡 / USB 驱动器
+   - 配置 Wi‑Fi（如果不使用以太网）
+4. 将系统写入你的 SD 卡 / USB 驱动器
 5. 插入并启动 Pi
 
-## 2) 通过 SSH 连接
+## 2）通过 SSH 连接
 
 ```bash
 ssh user@gateway-host
@@ -70,37 +70,37 @@ ssh user@gateway-host
 ssh user@192.168.x.x
 ```
 
-## 3) 系统设置
+## 3）系统设置
 
 ```bash
 # 更新系统
 sudo apt update && sudo apt upgrade -y
 
-# 安装必要软件包
+# 安装基础软件包
 sudo apt install -y git curl build-essential
 
 # 设置时区（对 cron/提醒很重要）
 sudo timedatectl set-timezone America/Chicago  # 改成你的时区
 ```
 
-## 4) 安装 Node.js 22（ARM64）
+## 4）安装 Node.js 24（ARM64）
 
 ```bash
 # 通过 NodeSource 安装 Node.js
-curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
+curl -fsSL https://deb.nodesource.com/setup_24.x | sudo -E bash -
 sudo apt install -y nodejs
 
 # 验证
-node --version  # 应显示 v22.x.x
+node --version  # 应显示 v24.x.x
 npm --version
 ```
 
-## 5) 添加交换空间（2GB 或更少内存时很重要）
+## 5）添加 swap（对于 2 GB 或更低内存很重要）
 
-交换空间可防止内存不足崩溃：
+swap 可以防止内存不足崩溃：
 
 ```bash
-# 创建 2GB 交换文件
+# 创建 2 GB swap 文件
 sudo fallocate -l 2G /swapfile
 sudo chmod 600 /swapfile
 sudo mkswap /swapfile
@@ -109,12 +109,12 @@ sudo swapon /swapfile
 # 永久生效
 echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab
 
-# 优化低内存（降低 swappiness）
+# 针对低内存优化（降低 swappiness）
 echo 'vm.swappiness=10' | sudo tee -a /etc/sysctl.conf
 sudo sysctl -p
 ```
 
-## 6) 安装 OpenClaw
+## 6）安装 OpenClaw
 
 ### 选项 A：标准安装（推荐）
 
@@ -122,7 +122,7 @@ sudo sysctl -p
 curl -fsSL https://openclaw.ai/install.sh | bash
 ```
 
-### 选项 B：可修改安装（用于调试）
+### 选项 B：可修改安装（适合折腾）
 
 ```bash
 git clone https://github.com/openclaw/openclaw.git
@@ -132,22 +132,22 @@ npm run build
 npm link
 ```
 
-可修改安装让你可以直接访问日志和代码 — 对调试 ARM 特定问题很有用。
+可修改安装会让你直接访问日志和代码 —— 这对于调试 ARM 特定问题很有帮助。
 
-## 7) 运行新手引导
+## 7）运行新手引导
 
 ```bash
 openclaw onboard --install-daemon
 ```
 
-按照向导操作：
+按向导完成设置：
 
 1. **Gateway 网关模式：** Local
-2. **认证：** 推荐 API 密钥（OAuth 在无头 Pi 上可能不稳定）
-3. **渠道：** Telegram 最容易上手
+2. **认证：** 推荐 API key（在无头 Pi 上 OAuth 可能比较挑环境）
+3. **渠道：** 最容易上手的是 Telegram
 4. **守护进程：** 是（systemd）
 
-## 8) 验证安装
+## 8）验证安装
 
 ```bash
 # 检查状态
@@ -160,52 +160,103 @@ sudo systemctl status openclaw
 journalctl -u openclaw -f
 ```
 
-## 9) 访问仪表板
+## 9）访问 OpenClaw Dashboard
 
-由于 Pi 是无头的，使用 SSH 隧道：
+将 `user@gateway-host` 替换为你的 Pi 用户名，以及主机名或 IP 地址。
+
+在你的电脑上，让 Pi 打印一个新的 Dashboard URL：
 
 ```bash
-# 从你的笔记本电脑/台式机
-ssh -L 18789:localhost:18789 user@gateway-host
-
-# 然后在浏览器中打开
-open http://localhost:18789
+ssh user@gateway-host 'openclaw dashboard --no-open'
 ```
 
-或使用 Tailscale 实现常驻访问：
+该命令会打印 `Dashboard URL:`。根据 `gateway.auth.token`
+的配置方式，URL 可能是普通的 `http://127.0.0.1:18789/` 链接，也可能是包含 `#token=...` 的链接。
+
+在你电脑上的另一个终端中，创建 SSH 隧道：
 
 ```bash
-# 在 Pi 上
-curl -fsSL https://tailscale.com/install.sh | sh
-sudo tailscale up
-
-# 更新配置
-openclaw config set gateway.bind tailnet
-sudo systemctl restart openclaw
+ssh -N -L 18789:127.0.0.1:18789 user@gateway-host
 ```
 
+然后在本地浏览器中打开打印出的 Dashboard URL。
+
+如果 UI 要求认证，请将 `gateway.auth.token`
+（或 `OPENCLAW_GATEWAY_TOKEN`）中的 token 粘贴到 Control UI 设置中。
+
+如需始终在线的远程访问，请参阅 [Tailscale](/gateway/tailscale)。
+
 ---
 
 ## 性能优化
 
-### 使用 USB SSD（巨大改进）
+### 使用 USB SSD（显著提升）
 
-SD 卡速度慢且会磨损。USB SSD 可大幅提升性能：
+SD 卡速度慢且易磨损。USB SSD 会显著提升性能：
 
 ```bash
 # 检查是否从 USB 启动
 lsblk
 ```
 
-设置请参见 [Pi USB 启动指南](https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#usb-mass-storage-boot)。
+设置方法请参阅 [Pi USB boot guide](https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#usb-mass-storage-boot)。
 
-### 减少内存使用
+### 加快 CLI 启动速度（模块编译缓存）
+
+在性能较弱的 Pi 主机上，启用 Node 的模块编译缓存可以加快重复 CLI 运行速度：
 
 ```bash
-# 禁用 GPU 内存分配（无头模式）
+grep -q 'NODE_COMPILE_CACHE=/var/tmp/openclaw-compile-cache' ~/.bashrc || cat >> ~/.bashrc <<'EOF' # pragma: allowlist secret
+export NODE_COMPILE_CACHE=/var/tmp/openclaw-compile-cache
+mkdir -p /var/tmp/openclaw-compile-cache
+export OPENCLAW_NO_RESPAWN=1
+EOF
+source ~/.bashrc
+```
+
+说明：
+
+- `NODE_COMPILE_CACHE` 会加快后续运行（`status`、`health`、`--help`）。
+- `/var/tmp` 比 `/tmp` 更能在重启后保留内容。
+- `OPENCLAW_NO_RESPAWN=1` 可避免 CLI 自重启带来的额外启动开销。
+- 第一次运行会预热缓存；之后的运行收益最大。
+
+### systemd 启动调优（可选）
+
+如果这台 Pi 主要运行 OpenClaw，可以添加一个服务 drop-in，以减少重启抖动并保持稳定的启动环境：
+
+```bash
+sudo systemctl edit openclaw
+```
+
+```ini
+[Service]
+Environment=OPENCLAW_NO_RESPAWN=1
+Environment=NODE_COMPILE_CACHE=/var/tmp/openclaw-compile-cache
+Restart=always
+RestartSec=2
+TimeoutStartSec=90
+```
+
+然后应用：
+
+```bash
+sudo systemctl daemon-reload
+sudo systemctl restart openclaw
+```
+
+如果可能，请将 OpenClaw 状态/缓存放在 SSD 支持的存储上，以避免冷启动期间 SD 卡随机 I/O 成为瓶颈。
+
+关于 `Restart=` 策略如何帮助自动恢复：
+[systemd can automate service recovery](https://www.redhat.com/en/blog/systemd-automate-recovery)。
+
+### 减少内存占用
+
+```bash
+# 禁用 GPU 内存分配（无头）
 echo 'gpu_mem=16' | sudo tee -a /boot/config.txt
 
-# 如不需要则禁用蓝牙
+# 如果不需要，禁用蓝牙
 sudo systemctl disable bluetooth
 ```
 
@@ -228,32 +279,32 @@ htop
 
 ### 二进制兼容性
 
-大多数 OpenClaw 功能在 ARM64 上可用，但某些外部二进制文件可能需要 ARM 构建：
+OpenClaw 的大多数功能都可在 ARM64 上运行，但某些外部二进制文件可能需要 ARM 构建版本：
 
 | 工具               | ARM64 状态 | 说明                                |
 | ------------------ | ---------- | ----------------------------------- |
 | Node.js            | ✅         | 运行良好                            |
 | WhatsApp (Baileys) | ✅         | 纯 JS，无问题                       |
 | Telegram           | ✅         | 纯 JS，无问题                       |
-| gog (Gmail CLI)    | ⚠️         | 检查是否有 ARM 版本                 |
+| gog (Gmail CLI)    | ⚠️         | 请检查是否有 ARM 发布版本           |
 | Chromium (browser) | ✅         | `sudo apt install chromium-browser` |
 
-如果某个 skill 失败，检查其二进制文件是否有 ARM 构建。许多 Go/Rust 工具有；有些没有。
+如果某个 skill 失败，请检查其二进制文件是否有 ARM 构建版本。许多 Go/Rust 工具都有；有些则没有。
 
-### 32 位 vs 64 位
+### 32 位与 64 位
 
-**始终使用 64 位系统。** Node.js 和许多现代工具需要它。使用以下命令检查：
+**务必使用 64 位 OS。** Node.js 和许多现代工具都要求如此。使用以下命令检查：
 
 ```bash
 uname -m
-# 应显示：aarch64（64 位）而不是 armv7l（32 位）
+# 应显示：aarch64（64 位），而不是 armv7l（32 位）
 ```
 
 ---
 
 ## 推荐的模型设置
 
-由于 Pi 只是 Gateway 网关（模型在云端运行），使用基于 API 的模型：
+由于 Pi 只是 Gateway 网关（模型在云中运行），请使用基于 API 的模型：
 
 ```json
 {
@@ -268,19 +319,19 @@ uname -m
 }
 ```
 
-**不要尝试在 Pi 上运行本地 LLM** — 即使是小模型也太慢了。让 Claude/GPT 来做繁重的工作。
+**不要尝试在 Pi 上运行本地 LLM** —— 即使是小模型也太慢了。让 Claude/GPT 负责主要计算工作。
 
 ---
 
-## 开机自启
+## 开机自动启动
 
-新手引导向导会设置这个，但要验证：
+设置向导会帮你配置这个，但你也可以这样验证：
 
 ```bash
 # 检查服务是否已启用
 sudo systemctl is-enabled openclaw
 
-# 如果没有则启用
+# 如果没有，则启用
 sudo systemctl enable openclaw
 
 # 开机启动
@@ -297,15 +348,15 @@ sudo systemctl start openclaw
 # 检查内存
 free -h
 
-# 添加更多交换空间（见步骤 5）
+# 添加更多 swap（见第 5 步）
 # 或减少 Pi 上运行的服务
 ```
 
-### 性能慢
+### 性能缓慢
 
-- 使用 USB SSD 代替 SD 卡
+- 使用 USB SSD 替代 SD 卡
 - 禁用未使用的服务：`sudo systemctl disable cups bluetooth avahi-daemon`
-- 检查 CPU 降频：`vcgencmd get_throttled`（应返回 `0x0`）
+- 检查 CPU 限频：`vcgencmd get_throttled`（应返回 `0x0`）
 
 ### 服务无法启动
 
@@ -314,25 +365,25 @@ free -h
 journalctl -u openclaw --no-pager -n 100
 
 # 常见修复：重新构建
-cd ~/openclaw  # 如果使用可修改安装
+cd ~/openclaw  # 如果使用的是可修改安装
 npm run build
 sudo systemctl restart openclaw
 ```
 
 ### ARM 二进制问题
 
-如果某个 skill 失败并显示"exec format error"：
+如果某个 skill 因 “exec format error” 失败：
 
-1. 检查该二进制文件是否有 ARM64 构建
-2. 尝试从源代码构建
+1. 检查该二进制文件是否有 ARM64 构建版本
+2. 尝试从源码构建
 3. 或使用支持 ARM 的 Docker 容器
 
-### WiFi 断开
+### Wi‑Fi 掉线
 
-对于使用 WiFi 的无头 Pi：
+对于通过 Wi‑Fi 运行的无头 Pi：
 
 ```bash
-# 禁用 WiFi 电源管理
+# 禁用 Wi‑Fi 省电
 sudo iwconfig wlan0 power off
 
 # 永久生效
@@ -343,23 +394,23 @@ echo 'wireless-power off' | sudo tee -a /etc/network/interfaces
 
 ## 成本对比
 
-| 设置           | 一次性成本 | 月费     | 说明               |
-| -------------- | ---------- | -------- | ------------------ |
-| **Pi 4 (2GB)** | ~$45       | $0       | + 电费（约 $5/年） |
-| **Pi 4 (4GB)** | ~$55       | $0       | 推荐               |
-| **Pi 5 (4GB)** | ~$60       | $0       | 最佳性能           |
-| **Pi 5 (8GB)** | ~$80       | $0       | 过剩但面向未来     |
-| DigitalOcean   | $0         | $6/月    | $72/年             |
-| Hetzner        | $0         | €3.79/月 | 约 $50/年          |
+| 方案            | 一次性成本 | 月成本   | 说明                     |
+| --------------- | ---------- | -------- | ------------------------ |
+| **Pi 4（2GB）** | ~$45       | $0       | + 电费（约 $5/年）       |
+| **Pi 4（4GB）** | ~$55       | $0       | 推荐                     |
+| **Pi 5（4GB）** | ~$60       | $0       | 最佳性能                 |
+| **Pi 5（8GB）** | ~$80       | $0       | 有些超配，但更有未来余量 |
+| DigitalOcean    | $0         | $6/月    | $72/年                   |
+| Hetzner         | $0         | €3.79/月 | 约 $50/年                |
 
-**回本期：** 与云 VPS 相比，Pi 约 6-12 个月内回本。
+**回本周期：** 与云 VPS 相比，一台 Pi 大约 6–12 个月即可回本。
 
 ---
 
 ## 另请参阅
 
-- [Linux 指南](/platforms/linux) — 通用 Linux 设置
-- [DigitalOcean 指南](/platforms/digitalocean) — 云替代方案
-- [Hetzner 指南](/install/hetzner) — Docker 设置
+- [Linux guide](/platforms/linux) — 通用 Linux 设置
+- [DigitalOcean guide](/platforms/digitalocean) — 云端替代方案
+- [Hetzner guide](/install/hetzner) — Docker 设置
 - [Tailscale](/gateway/tailscale) — 远程访问
-- [节点](/nodes) — 将你的笔记本电脑/手机与 Pi Gateway 网关配对
+- [Nodes](/nodes) — 将你的笔记本电脑/手机与 Pi Gateway 网关配对
diff --git a/docs/zh-CN/platforms/windows.md b/docs/zh-CN/platforms/windows.md
index e51ca23c6f4..a2ec7e14de3 100644
--- a/docs/zh-CN/platforms/windows.md
+++ b/docs/zh-CN/platforms/windows.md
@@ -3,31 +3,72 @@ read_when:
   - 在 Windows 上安装 OpenClaw
   - 查找 Windows 配套应用状态
 summary: Windows（WSL2）支持 + 配套应用状态
-title: Windows (WSL2)
+title: Windows（WSL2）
 x-i18n:
-  generated_at: "2026-02-03T07:53:19Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: c93d2263b4e5b60cb6fbe9adcb1a0ca95b70cd6feb6e63cfc4459cb18b229da0
+  generated_at: "2026-03-16T06:24:52Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 2e905b129f34ac31e30d5767504233411b306b5985252f1a285e09f1ece19962
   source_path: platforms/windows.md
   workflow: 15
 ---
 
-# Windows (WSL2)
+# Windows（WSL2）
 
-Windows 上的 OpenClaw 推荐**通过 WSL2**（推荐 Ubuntu）。CLI + Gateway 网关在 Linux 内运行，这保持了运行时的一致性并使工具兼容性大大提高（Node/Bun/pnpm、Linux 二进制文件、Skills）。原生 Windows 可能更棘手。WSL2 给你完整的 Linux 体验——一条命令安装：`wsl --install`。
+推荐在 Windows 上**通过 WSL2** 运行 OpenClaw（推荐 Ubuntu）。CLI + Gateway 网关在 Linux 内运行，这能保持运行时一致，并使
+工具链兼容性高得多（Node/Bun/pnpm、Linux 二进制文件、Skills）。原生
+Windows 可能会更棘手。WSL2 可提供完整的 Linux 体验 —— 只需一条命令
+即可安装：`wsl --install`。
 
-原生 Windows 配套应用已在计划中。
+原生 Windows 配套应用已在规划中。
 
 ## 安装（WSL2）
 
-- [入门指南](/start/getting-started)（在 WSL 内使用）
-- [安装和更新](/install/updating)
-- 官方 WSL2 指南（Microsoft）：https://learn.microsoft.com/windows/wsl/install
+- [入门指南](/start/getting-started)（请在 WSL 内使用）
+- [安装与更新](/install/updating)
+- 官方 WSL2 指南（Microsoft）：[https://learn.microsoft.com/windows/wsl/install](https://learn.microsoft.com/windows/wsl/install)
+
+## 原生 Windows 状态
+
+原生 Windows CLI 流程正在改进，但 WSL2 仍然是推荐路径。
+
+当前在原生 Windows 上运行良好的内容：
+
+- 通过 `install.ps1` 使用网站安装器
+- 本地 CLI 用法，例如 `openclaw --version`、`openclaw doctor` 和 `openclaw plugins list --json`
+- 嵌入式 local-agent/provider 冒烟测试，例如：
+
+```powershell
+openclaw agent --local --agent main --thinking low -m "Reply with exactly WINDOWS-HATCH-OK."
+```
+
+当前注意事项：
+
+- 除非你传递 `--skip-health`，否则 `openclaw onboard --non-interactive` 仍然要求本地 Gateway 网关可访问
+- `openclaw onboard --non-interactive --install-daemon` 和 `openclaw gateway install` 会优先尝试 Windows Scheduled Tasks
+- 如果拒绝创建 Scheduled Task，OpenClaw 会回退到每用户 Startup 文件夹登录项，并立即启动 Gateway 网关
+- 如果 `schtasks` 本身卡住或停止响应，OpenClaw 现在会快速中止该路径并回退，而不是无限挂起
+- 在可用时仍优先使用 Scheduled Tasks，因为它们能提供更好的 supervisor 状态
+
+如果你只想使用原生 CLI，而不安装 Gateway 网关服务，可使用以下任一方式：
+
+```powershell
+openclaw onboard --non-interactive --skip-health
+openclaw gateway run
+```
+
+如果你确实想在原生 Windows 上使用受管启动：
+
+```powershell
+openclaw gateway install
+openclaw gateway status --json
+```
+
+如果无法创建 Scheduled Task，回退服务模式仍会通过当前用户的 Startup 文件夹在登录后自动启动。
 
 ## Gateway 网关
 
-- [Gateway 网关操作手册](/gateway)
+- [Gateway 网关运行手册](/gateway)
 - [配置](/gateway/configuration)
 
 ## Gateway 网关服务安装（CLI）
@@ -38,19 +79,19 @@ Windows 上的 OpenClaw 推荐**通过 WSL2**（推荐 Ubuntu）。CLI + Gateway
 openclaw onboard --install-daemon
 ```
 
-或：
+或者：
 
 ```
 openclaw gateway install
 ```
 
-或：
+或者：
 
 ```
 openclaw configure
 ```
 
-出现提示时选择 **Gateway service**。
+出现提示时，选择 **Gateway 服务**。
 
 修复/迁移：
 
@@ -58,11 +99,58 @@ openclaw configure
 openclaw doctor
 ```
 
-## 高级：通过 LAN 暴露 WSL 服务（portproxy）
+## 在 Windows 登录前自动启动 Gateway 网关
 
-WSL 有自己的虚拟网络。如果另一台机器需要访问**在 WSL 内**运行的服务（SSH、本地 TTS 服务器或 Gateway 网关），你必须将 Windows 端口转发到当前的 WSL IP。WSL IP 在重启后会改变，因此你可能需要刷新转发规则。
+对于无头设置，请确保完整的启动链即使在无人登录
+Windows 时也能运行。
 
-示例（以**管理员身份**运行 PowerShell）：
+### 1）在未登录时保持用户服务运行
+
+在 WSL 内：
+
+```bash
+sudo loginctl enable-linger "$(whoami)"
+```
+
+### 2）安装 OpenClaw Gateway 网关用户服务
+
+在 WSL 内：
+
+```bash
+openclaw gateway install
+```
+
+### 3）在 Windows 启动时自动启动 WSL
+
+以管理员身份打开 PowerShell：
+
+```powershell
+schtasks /create /tn "WSL Boot" /tr "wsl.exe -d Ubuntu --exec /bin/true" /sc onstart /ru SYSTEM
+```
+
+将 `Ubuntu` 替换为以下命令输出中的发行版名称：
+
+```powershell
+wsl --list --verbose
+```
+
+### 验证启动链
+
+重启后（在 Windows 登录前），在 WSL 中检查：
+
+```bash
+systemctl --user is-enabled openclaw-gateway
+systemctl --user status openclaw-gateway --no-pager
+```
+
+## 高级：通过局域网暴露 WSL 服务（portproxy）
+
+WSL 有自己的虚拟网络。如果另一台机器需要访问
+**在 WSL 内运行**的服务（SSH、本地 TTS 服务器或 Gateway 网关），你必须
+将 Windows 端口转发到当前的 WSL IP。WSL IP 会在重启后变化，
+因此你可能需要刷新转发规则。
+
+示例（**以管理员身份**打开 PowerShell）：
 
 ```powershell
 $Distro = "Ubuntu-24.04"
@@ -76,7 +164,7 @@ netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=$ListenPor
   connectaddress=$WslIp connectport=$TargetPort
 ```
 
-允许端口通过 Windows 防火墙（一次性）：
+允许该端口通过 Windows 防火墙（一次性）：
 
 ```powershell
 New-NetFirewallRule -DisplayName "WSL SSH $ListenPort" -Direction Inbound `
@@ -91,14 +179,16 @@ netsh interface portproxy add v4tov4 listenport=$ListenPort listenaddress=0.0.0.
   connectaddress=$WslIp connectport=$TargetPort | Out-Null
 ```
 
-注意事项：
+说明：
 
-- 从另一台机器 SSH 目标是 **Windows 主机 IP**（示例：`ssh user@windows-host -p 2222`）。
-- 远程节点必须指向**可访问的** Gateway 网关 URL（不是 `127.0.0.1`）；使用 `openclaw status --all` 确认。
-- 使用 `listenaddress=0.0.0.0` 进行 LAN 访问；`127.0.0.1` 仅保持本地访问。
-- 如果你想自动化，注册一个计划任务在登录时运行刷新步骤。
+- 来自另一台机器的 SSH 应指向**Windows 主机 IP**（例如：`ssh user@windows-host -p 2222`）。
+- 远程节点必须指向**可访问的** Gateway 网关 URL（而不是 `127.0.0.1`）；请使用
+  `openclaw status --all` 进行确认。
+- 使用 `listenaddress=0.0.0.0` 可供局域网访问；`127.0.0.1` 则仅限本地。
+- 如果你希望自动执行此操作，请注册一个 Scheduled Task，在登录时运行刷新
+  步骤。
 
-## WSL2 分步安装
+## 分步 WSL2 安装
 
 ### 1）安装 WSL2 + Ubuntu
 
@@ -106,14 +196,14 @@ netsh interface portproxy add v4tov4 listenport=$ListenPort listenaddress=0.0.0.
 
 ```powershell
 wsl --install
-# Or pick a distro explicitly:
+# 或显式选择一个发行版：
 wsl --list --online
 wsl --install -d Ubuntu-24.04
 ```
 
-如果 Windows 要求则重启。
+如果 Windows 提示，请重启。
 
-### 2）启用 systemd（Gateway 网关安装所需）
+### 2）启用 systemd（Gateway 网关安装所必需）
 
 在你的 WSL 终端中：
 
@@ -124,7 +214,7 @@ systemd=true
 EOF
 ```
 
-然后从 PowerShell：
+然后在 PowerShell 中运行：
 
 ```powershell
 wsl --shutdown
@@ -138,13 +228,13 @@ systemctl --user status
 
 ### 3）安装 OpenClaw（在 WSL 内）
 
-在 WSL 内按照 Linux 入门指南流程：
+在 WSL 内按照 Linux 入门指南流程操作：
 
 ```bash
 git clone https://github.com/openclaw/openclaw.git
 cd openclaw
 pnpm install
-pnpm ui:build # auto-installs UI deps on first run
+pnpm ui:build # 首次运行时会自动安装 UI 依赖
 pnpm build
 openclaw onboard
 ```
@@ -153,4 +243,5 @@ openclaw onboard
 
 ## Windows 配套应用
 
-我们还没有 Windows 配套应用。如果你想让它实现，欢迎贡献。
+我们还没有 Windows 配套应用。如果你想推动这件事发生，欢迎
+贡献。
diff --git a/docs/zh-CN/providers/anthropic.md b/docs/zh-CN/providers/anthropic.md
index dfd99aefb9b..3c826b2bed5 100644
--- a/docs/zh-CN/providers/anthropic.md
+++ b/docs/zh-CN/providers/anthropic.md
@@ -5,31 +5,31 @@ read_when:
 summary: 在 OpenClaw 中通过 API 密钥或 setup-token 使用 Anthropic Claude
 title: Anthropic
 x-i18n:
-  generated_at: "2026-02-03T10:08:33Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: a78ccd855810a93e71d7138af4d3fc7d66e877349815c4a3207cf2214b0150b3
+  generated_at: "2026-03-16T06:25:19Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: b18eff35b652d8dc4b6d55e9051d35682511909b3168be868fa172038294d20b
   source_path: providers/anthropic.md
   workflow: 15
 ---
 
 # Anthropic（Claude）
 
-Anthropic 构建了 **Claude** 模型系列，并通过 API 提供访问。
-在 OpenClaw 中，你可以使用 API 密钥或 **setup-token** 进行认证。
+Anthropic 构建了 **Claude** 模型家族，并通过 API 提供访问。
+在 OpenClaw 中，你可以使用 API 密钥或 **setup-token** 进行身份验证。
 
 ## 选项 A：Anthropic API 密钥
 
-**适用于：** 标准 API 访问和按用量计费。
-在 Anthropic Console 中创建你的 API 密钥。
+**最适合：** 标准 API 访问和按使用量计费。
+请在 Anthropic Console 中创建你的 API 密钥。
 
 ### CLI 设置
 
 ```bash
 openclaw onboard
-# 选择：Anthropic API key
+# choose: Anthropic API key
 
-# 或非交互式
+# or non-interactive
 openclaw onboard --anthropic-api-key "$ANTHROPIC_API_KEY"
 ```
 
@@ -38,22 +38,59 @@ openclaw onboard --anthropic-api-key "$ANTHROPIC_API_KEY"
 ```json5
 {
   env: { ANTHROPIC_API_KEY: "sk-ant-..." },
-  agents: { defaults: { model: { primary: "anthropic/claude-opus-4-5" } } },
+  agents: { defaults: { model: { primary: "anthropic/claude-opus-4-6" } } },
 }
 ```
 
-## 提示缓存（Anthropic API）
+## Thinking 默认值（Claude 4.6）
 
-OpenClaw 支持 Anthropic 的提示缓存功能。这是**仅限 API**；订阅认证不支持缓存设置。
+- 当未设置显式 thinking 级别时，Anthropic Claude 4.6 模型在 OpenClaw 中默认使用 `adaptive` thinking。
+- 你可以按消息覆盖（`/think:<level>`），或在模型参数中覆盖：
+  `agents.defaults.models["anthropic/<model>"].params.thinking`。
+- 相关 Anthropic 文档：
+  - [Adaptive thinking](https://platform.claude.com/docs/en/build-with-claude/adaptive-thinking)
+  - [Extended thinking](https://platform.claude.com/docs/en/build-with-claude/extended-thinking)
+
+## 快速模式（Anthropic API）
+
+OpenClaw 的共享 `/fast` 开关也支持直接 Anthropic API 密钥流量。
+
+- `/fast on` 映射到 `service_tier: "auto"`
+- `/fast off` 映射到 `service_tier: "standard_only"`
+- 配置默认值：
+
+```json5
+{
+  agents: {
+    defaults: {
+      models: {
+        "anthropic/claude-sonnet-4-5": {
+          params: { fastMode: true },
+        },
+      },
+    },
+  },
+}
+```
+
+重要限制：
+
+- 这**仅适用于 API 密钥**。Anthropic setup-token / OAuth 身份验证不会遵循 OpenClaw 的快速模式层级注入。
+- OpenClaw 仅对直接发往 `api.anthropic.com` 的请求注入 Anthropic 服务层级。如果你通过代理或网关路由 `anthropic/*`，`/fast` 不会修改 `service_tier`。
+- Anthropic 会在响应中的 `usage.service_tier` 下报告实际生效的层级。对于没有 Priority Tier 容量的账户，`service_tier: "auto"` 仍可能解析为 `standard`。
+
+## Prompt 缓存（Anthropic API）
+
+OpenClaw 支持 Anthropic 的 prompt 缓存功能。这**仅适用于 API**；订阅身份验证不会遵循缓存设置。
 
 ### 配置
 
-在模型配置中使用 `cacheRetention` 参数：
+在你的模型配置中使用 `cacheRetention` 参数：
 
-| 值      | 缓存时长 | 描述                       |
+| 值      | 缓存时长 | 说明                       |
 | ------- | -------- | -------------------------- |
-| `none`  | 无缓存   | 禁用提示缓存               |
-| `short` | 5 分钟   | API 密钥认证的默认值       |
+| `none`  | 不缓存   | 禁用 prompt 缓存           |
+| `short` | 5 分钟   | API 密钥身份验证的默认值   |
 | `long`  | 1 小时   | 扩展缓存（需要 beta 标志） |
 
 ```json5
@@ -61,7 +98,7 @@ OpenClaw 支持 Anthropic 的提示缓存功能。这是**仅限 API**；订阅
   agents: {
     defaults: {
       models: {
-        "anthropic/claude-opus-4-5": {
+        "anthropic/claude-opus-4-6": {
           params: { cacheRetention: "long" },
         },
       },
@@ -72,88 +109,157 @@ OpenClaw 支持 Anthropic 的提示缓存功能。这是**仅限 API**；订阅
 
 ### 默认值
 
-使用 Anthropic API 密钥认证时，OpenClaw 会自动为所有 Anthropic 模型应用 `cacheRetention: "short"`（5 分钟缓存）。你可以通过在配置中显式设置 `cacheRetention` 来覆盖此设置。
+当使用 Anthropic API 密钥身份验证时，OpenClaw 会自动对所有 Anthropic 模型应用 `cacheRetention: "short"`（5 分钟缓存）。你可以通过在配置中显式设置 `cacheRetention` 来覆盖此行为。
+
+### 每个智能体的 cacheRetention 覆盖
+
+将模型级参数用作基线，然后通过 `agents.list[].params` 覆盖特定智能体。
+
+```json5
+{
+  agents: {
+    defaults: {
+      model: { primary: "anthropic/claude-opus-4-6" },
+      models: {
+        "anthropic/claude-opus-4-6": {
+          params: { cacheRetention: "long" }, // 大多数智能体的基线
+        },
+      },
+    },
+    list: [
+      { id: "research", default: true },
+      { id: "alerts", params: { cacheRetention: "none" } }, // 仅对该智能体覆盖
+    ],
+  },
+}
+```
+
+与缓存相关参数的配置合并顺序：
+
+1. `agents.defaults.models["provider/model"].params`
+2. `agents.list[].params`（匹配 `id`，按键覆盖）
+
+这使得一个智能体可以保留长生命周期缓存，而同一模型上的另一个智能体可以禁用缓存，以避免在突发/低复用流量上产生写入成本。
+
+### Bedrock Claude 说明
+
+- 当已配置时，Bedrock 上的 Anthropic Claude 模型（`amazon-bedrock/*anthropic.claude*`）接受透传的 `cacheRetention`。
+- 非 Anthropic 的 Bedrock 模型会在运行时被强制设置为 `cacheRetention: "none"`。
+- 当未设置显式值时，Anthropic API 密钥的智能默认值也会为 Bedrock 上的 Claude 模型引用填入 `cacheRetention: "short"`。
 
 ### 旧版参数
 
-为了向后兼容，仍支持旧版 `cacheControlTtl` 参数：
+旧的 `cacheControlTtl` 参数仍受支持，以保持向后兼容：
 
-- `"5m"` 映射到 `short`
-- `"1h"` 映射到 `long`
+- `"5m"` 映射为 `short`
+- `"1h"` 映射为 `long`
 
 我们建议迁移到新的 `cacheRetention` 参数。
 
-OpenClaw 在 Anthropic API 请求中包含 `extended-cache-ttl-2025-04-11` beta 标志；
-如果你覆盖提供商头信息，请保留它（参见 [/gateway/configuration](/gateway/configuration)）。
+OpenClaw 会在 Anthropic API 请求中包含 `extended-cache-ttl-2025-04-11` beta 标志；
+如果你覆盖了提供商请求头，请保留它（参见 [/gateway/configuration](/gateway/configuration)）。
+
+## 1M 上下文窗口（Anthropic beta）
+
+Anthropic 的 1M 上下文窗口受 beta 门控。在 OpenClaw 中，可通过为受支持的 Opus/Sonnet 模型
+设置 `params.context1m: true` 按模型启用。
+
+```json5
+{
+  agents: {
+    defaults: {
+      models: {
+        "anthropic/claude-opus-4-6": {
+          params: { context1m: true },
+        },
+      },
+    },
+  },
+}
+```
+
+OpenClaw 会将其映射为 Anthropic 请求上的 `anthropic-beta: context-1m-2025-08-07`。
+
+仅当该模型的 `params.context1m` 被显式设置为 `true` 时，
+此功能才会激活。
+
+要求：Anthropic 必须允许该凭证使用长上下文
+（通常是 API 密钥计费，或启用了 Extra Usage 的订阅账户）。
+否则 Anthropic 会返回：
+`HTTP 429: rate_limit_error: Extra usage is required for long context requests`。
+
+注意：Anthropic 当前在使用
+OAuth/订阅令牌（`sk-ant-oat-*`）时会拒绝 `context-1m-*` beta 请求。OpenClaw 会自动跳过
+OAuth 身份验证的 `context1m` beta 请求头，并保留所需的 OAuth beta 标志。
 
 ## 选项 B：Claude setup-token
 
-**适用于：** 使用你的 Claude 订阅。
+**最适合：** 使用你的 Claude 订阅。
 
-### 在哪里获取 setup-token
+### 如何获取 setup-token
 
-setup-token 由 **Claude Code CLI** 创建，而不是 Anthropic Console。你可以在**任何机器**上运行：
+setup-token 由 **Claude Code CLI** 创建，而不是在 Anthropic Console 中创建。你可以在**任何机器**上运行：
 
 ```bash
 claude setup-token
 ```
 
-将令牌粘贴到 OpenClaw（向导：**Anthropic token (paste setup-token)**），或在 Gateway 网关主机上运行：
+将该令牌粘贴到 OpenClaw 中（向导：**Anthropic token（粘贴 setup-token）**），或在 Gateway 网关主机上运行：
 
 ```bash
 openclaw models auth setup-token --provider anthropic
 ```
 
-如果你在不同的机器上生成了令牌，请粘贴它：
+如果你是在另一台机器上生成该令牌，请粘贴它：
 
 ```bash
 openclaw models auth paste-token --provider anthropic
 ```
 
-### CLI 设置
+### CLI 设置（setup-token）
 
 ```bash
-# 在新手引导期间粘贴 setup-token
+# Paste a setup-token during setup
 openclaw onboard --auth-choice setup-token
 ```
 
-### 配置片段
+### 配置片段（setup-token）
 
 ```json5
 {
-  agents: { defaults: { model: { primary: "anthropic/claude-opus-4-5" } } },
+  agents: { defaults: { model: { primary: "anthropic/claude-opus-4-6" } } },
 }
 ```
 
-## 注意事项
+## 说明
 
-- 使用 `claude setup-token` 生成 setup-token 并粘贴，或在 Gateway 网关主机上运行 `openclaw models auth setup-token`。
-- 如果你在 Claude 订阅上看到"OAuth token refresh failed …"，请使用 setup-token 重新认证。参见 [/gateway/troubleshooting#oauth-token-refresh-failed-anthropic-claude-subscription](/gateway/troubleshooting#oauth-token-refresh-failed-anthropic-claude-subscription)。
-- 认证详情 + 重用规则在 [/concepts/oauth](/concepts/oauth)。
+- 使用 `claude setup-token` 生成 setup-token 并粘贴它，或者在 Gateway 网关主机上运行 `openclaw models auth setup-token`。
+- 如果你在 Claude 订阅上看到 “OAuth token refresh failed …”，请使用 setup-token 重新进行身份验证。请参见 [/gateway/troubleshooting#oauth-token-refresh-failed-anthropic-claude-subscription](/gateway/troubleshooting#oauth-token-refresh-failed-anthropic-claude-subscription)。
+- 身份验证详情和复用规则见 [/concepts/oauth](/concepts/oauth)。
 
 ## 故障排除
 
-**401 错误/令牌突然失效**
+**401 错误 / 令牌突然无效**
 
-- Claude 订阅认证可能过期或被撤销。重新运行 `claude setup-token`
-  并将其粘贴到 **Gateway 网关主机**。
-- 如果 Claude CLI 登录在不同的机器上，在 Gateway 网关主机上使用
+- Claude 订阅身份验证可能会过期或被撤销。请重新运行 `claude setup-token`，
+  并将其粘贴到 **Gateway 网关主机** 上。
+- 如果 Claude CLI 登录位于另一台机器上，请在 Gateway 网关主机上使用
   `openclaw models auth paste-token --provider anthropic`。
 
 **No API key found for provider "anthropic"**
 
-- 认证是**按智能体**的。新智能体不会继承主智能体的密钥。
-- 为该智能体重新运行新手引导，或在 Gateway 网关主机上粘贴 setup-token / API 密钥，
-  然后使用 `openclaw models status` 验证。
+- 身份验证是**按智能体**区分的。新智能体不会继承主智能体的密钥。
+- 请为该智能体重新运行新手引导，或在
+  Gateway 网关主机上粘贴 setup-token / API 密钥，然后使用 `openclaw models status` 验证。
 
 **No credentials found for profile `anthropic:default`**
 
-- 运行 `openclaw models status` 查看哪个认证配置文件处于活动状态。
-- 重新运行新手引导，或为该配置文件粘贴 setup-token / API 密钥。
+- 运行 `openclaw models status` 查看当前活动的 auth profile。
+- 重新运行新手引导，或为该配置档案粘贴 setup-token / API 密钥。
 
 **No available auth profile (all in cooldown/unavailable)**
 
 - 检查 `openclaw models status --json` 中的 `auth.unusableProfiles`。
-- 添加另一个 Anthropic 配置文件或等待冷却期结束。
+- 添加另一个 Anthropic 配置档案，或等待冷却结束。
 
 更多信息：[/gateway/troubleshooting](/gateway/troubleshooting) 和 [/help/faq](/help/faq)。
diff --git a/docs/zh-CN/providers/cloudflare-ai-gateway.md b/docs/zh-CN/providers/cloudflare-ai-gateway.md
new file mode 100644
index 00000000000..350e995158f
--- /dev/null
+++ b/docs/zh-CN/providers/cloudflare-ai-gateway.md
@@ -0,0 +1,78 @@
+---
+read_when:
+  - 你想将 Cloudflare AI Gateway 与 OpenClaw 一起使用
+  - 你需要 account ID、gateway ID 或 API key 环境变量
+summary: Cloudflare AI Gateway 设置（认证 + 模型选择）
+title: Cloudflare AI Gateway
+x-i18n:
+  generated_at: "2026-03-16T06:25:05Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: db77652c37652ca20f7c50f32382dbaeaeb50ea5bdeaf1d4fd17dc394e58950c
+  source_path: providers/cloudflare-ai-gateway.md
+  workflow: 15
+---
+
+# Cloudflare AI Gateway
+
+Cloudflare AI Gateway 位于提供商 API 前方，让你能够添加分析、缓存和控制功能。对于 Anthropic，OpenClaw 会通过你的 Gateway 端点使用 Anthropic Messages API。
+
+- 提供商：`cloudflare-ai-gateway`
+- Base URL：`https://gateway.ai.cloudflare.com/v1/<account_id>/<gateway_id>/anthropic`
+- 默认模型：`cloudflare-ai-gateway/claude-sonnet-4-5`
+- API key：`CLOUDFLARE_AI_GATEWAY_API_KEY`（你用于通过 Gateway 发起请求的提供商 API key）
+
+对于 Anthropic 模型，请使用你的 Anthropic API key。
+
+## 快速开始
+
+1. 设置提供商 API key 和 Gateway 详细信息：
+
+```bash
+openclaw onboard --auth-choice cloudflare-ai-gateway-api-key
+```
+
+2. 设置默认模型：
+
+```json5
+{
+  agents: {
+    defaults: {
+      model: { primary: "cloudflare-ai-gateway/claude-sonnet-4-5" },
+    },
+  },
+}
+```
+
+## 非交互式示例
+
+```bash
+openclaw onboard --non-interactive \
+  --mode local \
+  --auth-choice cloudflare-ai-gateway-api-key \
+  --cloudflare-ai-gateway-account-id "your-account-id" \
+  --cloudflare-ai-gateway-gateway-id "your-gateway-id" \
+  --cloudflare-ai-gateway-api-key "$CLOUDFLARE_AI_GATEWAY_API_KEY"
+```
+
+## 已认证的 Gateway
+
+如果你在 Cloudflare 中启用了 Gateway 认证，请添加 `cf-aig-authorization` header（这是在你的提供商 API key 之外额外添加的）。
+
+```json5
+{
+  models: {
+    providers: {
+      "cloudflare-ai-gateway": {
+        headers: {
+          "cf-aig-authorization": "Bearer <cloudflare-ai-gateway-token>",
+        },
+      },
+    },
+  },
+}
+```
+
+## 环境说明
+
+如果 Gateway 作为守护进程运行（launchd/systemd），请确保 `CLOUDFLARE_AI_GATEWAY_API_KEY` 对该进程可用（例如放在 `~/.openclaw/.env` 中，或通过 `env.shellEnv` 提供）。
diff --git a/docs/zh-CN/providers/glm.md b/docs/zh-CN/providers/glm.md
index 77bce2c6643..f39631ca09f 100644
--- a/docs/zh-CN/providers/glm.md
+++ b/docs/zh-CN/providers/glm.md
@@ -1,26 +1,37 @@
 ---
 read_when:
   - 你想在 OpenClaw 中使用 GLM 模型
-  - 你需要了解模型命名规范和设置方法
-summary: GLM 模型系列概述 + 如何在 OpenClaw 中使用
-title: GLM 模型
+  - 你需要了解模型命名约定和设置方法
+summary: GLM 模型家族概览 + 如何在 OpenClaw 中使用
+title: GLM Models
 x-i18n:
-  generated_at: "2026-02-01T21:34:53Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: 2d7b457f033f26f28c230a9cd2310151f825fc52c3ee4fb814d08fd2d022d041
+  generated_at: "2026-03-16T06:25:10Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 061254ebeedec7285d9c0c6e88145f89184ad4ab8d8d6132f1d692c7d3ca03a2
   source_path: providers/glm.md
   workflow: 15
 ---
 
 # GLM 模型
 
-GLM 是一个**模型系列**（而非公司），通过 Z.AI 平台提供。在 OpenClaw 中，GLM 模型通过 `zai` 提供商访问，模型 ID 格式如 `zai/glm-4.7`。
+GLM 是一个**模型家族**（不是公司），可通过 Z.AI 平台使用。在 OpenClaw 中，GLM
+模型通过 `zai` 提供商访问，模型 ID 形式如 `zai/glm-5`。
 
 ## CLI 设置
 
 ```bash
-openclaw onboard --auth-choice zai-api-key
+# Coding Plan Global，推荐给 Coding Plan 用户
+openclaw onboard --auth-choice zai-coding-global
+
+# Coding Plan CN（中国区域），推荐给 Coding Plan 用户
+openclaw onboard --auth-choice zai-coding-cn
+
+# 通用 API
+openclaw onboard --auth-choice zai-global
+
+# 通用 API CN（中国区域）
+openclaw onboard --auth-choice zai-cn
 ```
 
 ## 配置片段
@@ -28,12 +39,12 @@ openclaw onboard --auth-choice zai-api-key
 ```json5
 {
   env: { ZAI_API_KEY: "sk-..." },
-  agents: { defaults: { model: { primary: "zai/glm-4.7" } } },
+  agents: { defaults: { model: { primary: "zai/glm-5" } } },
 }
 ```
 
-## 注意事项
+## 说明
 
-- GLM 版本和可用性可能会变化；请查阅 Z.AI 的文档获取最新信息。
-- 示例模型 ID 包括 `glm-4.7` 和 `glm-4.6`。
-- 有关提供商的详细信息，请参阅 [/providers/zai](/providers/zai)。
+- GLM 版本和可用性可能会变化；请查看 Z.AI 的文档以获取最新信息。
+- 示例模型 ID 包括 `glm-5`、`glm-4.7` 和 `glm-4.6`。
+- 关于提供商详情，请参阅 [/providers/zai](/providers/zai)。
diff --git a/docs/zh-CN/providers/huggingface.md b/docs/zh-CN/providers/huggingface.md
new file mode 100644
index 00000000000..3028ae63d79
--- /dev/null
+++ b/docs/zh-CN/providers/huggingface.md
@@ -0,0 +1,216 @@
+---
+read_when:
+  - 你想将 Hugging Face Inference 与 OpenClaw 一起使用
+  - 你需要 HF token 环境变量或 CLI 认证选项
+summary: Hugging Face Inference 设置（认证 + 模型选择）
+title: Hugging Face（Inference）
+x-i18n:
+  generated_at: "2026-03-16T06:25:40Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: e62b74915c9a26ab21954abcd9c03442cdd2133fba3371ddb9bcfc3a3458a002
+  source_path: providers/huggingface.md
+  workflow: 15
+---
+
+# Hugging Face（Inference）
+
+[Hugging Face Inference Providers](https://huggingface.co/docs/inference-providers) 通过单一路由器 API 提供与 OpenAI 兼容的 chat completions。你只需一个 token，即可访问许多模型（DeepSeek、Llama 等）。OpenClaw 使用 **OpenAI 兼容端点**（仅 chat completions）；如果要使用 text-to-image、embeddings 或 speech，请直接使用 [HF inference clients](https://huggingface.co/docs/api-inference/quicktour)。
+
+- 提供商：`huggingface`
+- 认证：`HUGGINGFACE_HUB_TOKEN` 或 `HF_TOKEN`（带有 **Make calls to Inference Providers** 权限的细粒度 token）
+- API：OpenAI 兼容（`https://router.huggingface.co/v1`）
+- 计费：单个 HF token；[定价](https://huggingface.co/docs/inference-providers/pricing) 按提供商费率执行，并带有免费层。
+
+## 快速开始
+
+1. 在 [Hugging Face → Settings → Tokens](https://huggingface.co/settings/tokens/new?ownUserPermissions=inference.serverless.write&tokenType=fineGrained) 创建一个细粒度 token，并授予 **Make calls to Inference Providers** 权限。
+2. 运行新手引导，并在提供商下拉菜单中选择 **Hugging Face**，然后在提示时输入你的 API key：
+
+```bash
+openclaw onboard --auth-choice huggingface-api-key
+```
+
+3. 在 **Default Hugging Face model** 下拉菜单中，选择你想使用的模型（当你有有效 token 时，列表会从 Inference API 加载；否则会显示内置列表）。你的选择会保存为默认模型。
+4. 你也可以稍后在配置中设置或更改默认模型：
+
+```json5
+{
+  agents: {
+    defaults: {
+      model: { primary: "huggingface/deepseek-ai/DeepSeek-R1" },
+    },
+  },
+}
+```
+
+## 非交互式示例
+
+```bash
+openclaw onboard --non-interactive \
+  --mode local \
+  --auth-choice huggingface-api-key \
+  --huggingface-api-key "$HF_TOKEN"
+```
+
+这会将 `huggingface/deepseek-ai/DeepSeek-R1` 设置为默认模型。
+
+## 环境说明
+
+如果 Gateway 网关作为守护进程运行（launchd/systemd），请确保 `HUGGINGFACE_HUB_TOKEN` 或 `HF_TOKEN`
+对此进程可用（例如放在 `~/.openclaw/.env` 中，或通过
+`env.shellEnv` 提供）。
+
+## 模型发现和新手引导下拉菜单
+
+OpenClaw 通过直接调用 **Inference 端点** 来发现模型：
+
+```bash
+GET https://router.huggingface.co/v1/models
+```
+
+（可选：发送 `Authorization: Bearer $HUGGINGFACE_HUB_TOKEN` 或 `$HF_TOKEN` 以获取完整列表；某些端点在未认证时只返回子集。）响应采用 OpenAI 风格：`{ "object": "list", "data": [ { "id": "Qwen/Qwen3-8B", "owned_by": "Qwen", ... }, ... ] }`。
+
+当你配置 Hugging Face API key 时（通过新手引导、`HUGGINGFACE_HUB_TOKEN` 或 `HF_TOKEN`），OpenClaw 会使用这个 GET 请求来发现可用的 chat-completion 模型。在**交互式设置**期间，你输入 token 后会看到一个 **Default Hugging Face model** 下拉菜单，其内容来自该列表（如果请求失败，则使用内置目录）。在运行时（例如 Gateway 网关启动时），只要存在 key，OpenClaw 就会再次调用 **GET** `https://router.huggingface.co/v1/models` 来刷新目录。该列表会与内置目录合并（以补充上下文窗口和成本等元数据）。如果请求失败或未设置 key，则只使用内置目录。
+
+## 模型名称和可编辑选项
+
+- **来自 API 的名称：** 当 API 返回 `name`、`title` 或 `display_name` 时，模型显示名称会从 **GET /v1/models** 中补全；否则会从模型 id 推导（例如 `deepseek-ai/DeepSeek-R1` → “DeepSeek R1”）。
+- **覆盖显示名称：** 你可以在配置中为每个模型设置自定义标签，使其在 CLI 和 UI 中按你希望的方式显示：
+
+```json5
+{
+  agents: {
+    defaults: {
+      models: {
+        "huggingface/deepseek-ai/DeepSeek-R1": { alias: "DeepSeek R1 (fast)" },
+        "huggingface/deepseek-ai/DeepSeek-R1:cheapest": { alias: "DeepSeek R1 (cheap)" },
+      },
+    },
+  },
+}
+```
+
+- **提供商 / 策略选择：** 在**模型 id** 后附加后缀，以选择路由器如何挑选后端：
+  - **`:fastest`** — 最高吞吐量（由路由器选择；提供商选择会被**锁定** —— 不会显示交互式后端选择器）。
+  - **`:cheapest`** — 每输出 token 成本最低（由路由器选择；提供商选择会被**锁定**）。
+  - **`:provider`** — 强制使用特定后端（例如 `:sambanova`、`:together`）。
+
+  当你选择 **:cheapest** 或 **:fastest** 时（例如在新手引导的模型下拉菜单中），提供商会被锁定：路由器会按成本或速度决定，不会显示可选的“偏好特定后端”步骤。你可以将这些作为单独条目添加到 `models.providers.huggingface.models` 中，或为 `model.primary` 设置带后缀的值。你也可以在 [Inference Provider settings](https://hf.co/settings/inference-providers) 中设置默认顺序（无后缀 = 使用该顺序）。
+
+- **配置合并：** 当配置被合并时，`models.providers.huggingface.models` 中已有的条目（例如在 `models.json` 中）会被保留。因此，你在其中设置的任何自定义 `name`、`alias` 或模型选项都会保留。
+
+## 模型 ID 和配置示例
+
+模型引用使用 `huggingface/<org>/<model>` 形式（Hub 风格 ID）。下面的列表来自 **GET** `https://router.huggingface.co/v1/models`；你的目录中可能包含更多内容。
+
+**示例 ID（来自 inference 端点）：**
+
+| 模型                   | 引用（加上 `huggingface/` 前缀）    |
+| ---------------------- | ----------------------------------- |
+| DeepSeek R1            | `deepseek-ai/DeepSeek-R1`           |
+| DeepSeek V3.2          | `deepseek-ai/DeepSeek-V3.2`         |
+| Qwen3 8B               | `Qwen/Qwen3-8B`                     |
+| Qwen2.5 7B Instruct    | `Qwen/Qwen2.5-7B-Instruct`          |
+| Qwen3 32B              | `Qwen/Qwen3-32B`                    |
+| Llama 3.3 70B Instruct | `meta-llama/Llama-3.3-70B-Instruct` |
+| Llama 3.1 8B Instruct  | `meta-llama/Llama-3.1-8B-Instruct`  |
+| GPT-OSS 120B           | `openai/gpt-oss-120b`               |
+| GLM 4.7                | `zai-org/GLM-4.7`                   |
+| Kimi K2.5              | `moonshotai/Kimi-K2.5`              |
+
+你可以在模型 id 后附加 `:fastest`、`:cheapest` 或 `:provider`（例如 `:together`、`:sambanova`）。请在 [Inference Provider settings](https://hf.co/settings/inference-providers) 中设置默认顺序；完整列表请参阅 [Inference Providers](https://huggingface.co/docs/inference-providers) 和 **GET** `https://router.huggingface.co/v1/models`。
+
+### 完整配置示例
+
+**以 DeepSeek R1 为主模型，Qwen 作为回退：**
+
+```json5
+{
+  agents: {
+    defaults: {
+      model: {
+        primary: "huggingface/deepseek-ai/DeepSeek-R1",
+        fallbacks: ["huggingface/Qwen/Qwen3-8B"],
+      },
+      models: {
+        "huggingface/deepseek-ai/DeepSeek-R1": { alias: "DeepSeek R1" },
+        "huggingface/Qwen/Qwen3-8B": { alias: "Qwen3 8B" },
+      },
+    },
+  },
+}
+```
+
+**以 Qwen 为默认模型，并包含 `:cheapest` 和 `:fastest` 变体：**
+
+```json5
+{
+  agents: {
+    defaults: {
+      model: { primary: "huggingface/Qwen/Qwen3-8B" },
+      models: {
+        "huggingface/Qwen/Qwen3-8B": { alias: "Qwen3 8B" },
+        "huggingface/Qwen/Qwen3-8B:cheapest": { alias: "Qwen3 8B（最便宜）" },
+        "huggingface/Qwen/Qwen3-8B:fastest": { alias: "Qwen3 8B（最快）" },
+      },
+    },
+  },
+}
+```
+
+**带有别名的 DeepSeek + Llama + GPT-OSS：**
+
+```json5
+{
+  agents: {
+    defaults: {
+      model: {
+        primary: "huggingface/deepseek-ai/DeepSeek-V3.2",
+        fallbacks: [
+          "huggingface/meta-llama/Llama-3.3-70B-Instruct",
+          "huggingface/openai/gpt-oss-120b",
+        ],
+      },
+      models: {
+        "huggingface/deepseek-ai/DeepSeek-V3.2": { alias: "DeepSeek V3.2" },
+        "huggingface/meta-llama/Llama-3.3-70B-Instruct": { alias: "Llama 3.3 70B" },
+        "huggingface/openai/gpt-oss-120b": { alias: "GPT-OSS 120B" },
+      },
+    },
+  },
+}
+```
+
+**使用 `:provider` 强制指定特定后端：**
+
+```json5
+{
+  agents: {
+    defaults: {
+      model: { primary: "huggingface/deepseek-ai/DeepSeek-R1:together" },
+      models: {
+        "huggingface/deepseek-ai/DeepSeek-R1:together": { alias: "DeepSeek R1 (Together)" },
+      },
+    },
+  },
+}
+```
+
+**多个 Qwen 和 DeepSeek 模型，带策略后缀：**
+
+```json5
+{
+  agents: {
+    defaults: {
+      model: { primary: "huggingface/Qwen/Qwen2.5-7B-Instruct:cheapest" },
+      models: {
+        "huggingface/Qwen/Qwen2.5-7B-Instruct": { alias: "Qwen2.5 7B" },
+        "huggingface/Qwen/Qwen2.5-7B-Instruct:cheapest": { alias: "Qwen2.5 7B（便宜）" },
+        "huggingface/deepseek-ai/DeepSeek-R1:fastest": { alias: "DeepSeek R1（快速）" },
+        "huggingface/meta-llama/Llama-3.1-8B-Instruct": { alias: "Llama 3.1 8B" },
+      },
+    },
+  },
+}
+```
diff --git a/docs/zh-CN/providers/index.md b/docs/zh-CN/providers/index.md
index 89ce5b27777..dbfabe119ea 100644
--- a/docs/zh-CN/providers/index.md
+++ b/docs/zh-CN/providers/index.md
@@ -1,41 +1,33 @@
 ---
 read_when:
   - 你想选择一个模型提供商
-  - 你需要快速了解支持的 LLM 后端
+  - 你需要支持的 LLM 后端的快速概览
 summary: OpenClaw 支持的模型提供商（LLM）
 title: 模型提供商
 x-i18n:
-  generated_at: "2026-02-03T07:53:32Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: eb4a97438adcf610499253afcf8b2af6624f4be098df389a6c3746f14c4a901b
+  generated_at: "2026-03-16T06:25:28Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 1d7ba79fd152a978e6eb3b8f8d5dfc44cebba77d2c74dc3892aae917d32ad2ee
   source_path: providers/index.md
   workflow: 15
 ---
 
 # 模型提供商
 
-OpenClaw 可以使用许多 LLM 提供商。选择一个提供商，进行认证，然后将默认模型设置为 `provider/model`。
+OpenClaw 可以使用许多 LLM 提供商。选择一个提供商，完成身份验证，然后将
+默认模型设置为 `provider/model`。
 
-正在寻找聊天渠道文档（WhatsApp/Telegram/Discord/Slack/Mattermost（插件）等）？参见[渠道](/channels)。
-
-## 亮点：Venice（Venice AI）
-
-Venice 是我们推荐的 Venice AI 设置，用于隐私优先的推理，并可选择使用 Opus 处理困难任务。
-
-- 默认：`venice/llama-3.3-70b`
-- 最佳综合：`venice/claude-opus-45`（Opus 仍然是最强的）
-
-参见 [Venice AI](/providers/venice)。
+在找聊天渠道文档（WhatsApp/Telegram/Discord/Slack/Mattermost（插件）/等）？请参见 [Channels](/channels)。
 
 ## 快速开始
 
-1. 与提供商进行认证（通常通过 `openclaw onboard`）。
+1. 使用该提供商进行身份验证（通常通过 `openclaw onboard`）。
 2. 设置默认模型：
 
 ```json5
 {
-  agents: { defaults: { model: { primary: "anthropic/claude-opus-4-5" } } },
+  agents: { defaults: { model: { primary: "anthropic/claude-opus-4-6" } } },
 }
 ```
 
@@ -43,15 +35,25 @@ Venice 是我们推荐的 Venice AI 设置，用于隐私优先的推理，并
 
 - [Amazon Bedrock](/providers/bedrock)
 - [Anthropic（API + Claude Code CLI）](/providers/anthropic)
+- [Cloudflare AI Gateway](/providers/cloudflare-ai-gateway)
 - [GLM 模型](/providers/glm)
+- [Hugging Face（Inference）](/providers/huggingface)
+- [Kilocode](/providers/kilocode)
+- [LiteLLM（统一网关）](/providers/litellm)
 - [MiniMax](/providers/minimax)
+- [Mistral](/providers/mistral)
 - [Moonshot AI（Kimi + Kimi Coding）](/providers/moonshot)
-- [Ollama（本地模型）](/providers/ollama)
+- [NVIDIA](/providers/nvidia)
+- [Ollama（云端 + 本地模型）](/providers/ollama)
 - [OpenAI（API + Codex）](/providers/openai)
-- [OpenCode Zen](/providers/opencode)
+- [OpenCode（Zen + Go）](/providers/opencode)
 - [OpenRouter](/providers/openrouter)
+- [Qianfan](/providers/qianfan)
 - [Qwen（OAuth）](/providers/qwen)
+- [Together AI](/providers/together)
+- [Vercel AI Gateway](/providers/vercel-ai-gateway)
 - [Venice（Venice AI，注重隐私）](/providers/venice)
+- [vLLM（本地模型）](/providers/vllm)
 - [Xiaomi](/providers/xiaomi)
 - [Z.AI](/providers/zai)
 
@@ -61,7 +63,7 @@ Venice 是我们推荐的 Venice AI 设置，用于隐私优先的推理，并
 
 ## 社区工具
 
-- [Claude Max API Proxy](/providers/claude-max-api-proxy) - 将 Claude Max/Pro 订阅作为 OpenAI 兼容的 API 端点使用
+- [Claude Max API Proxy](/providers/claude-max-api-proxy) - 面向 Claude 订阅凭证的社区代理（使用前请核实 Anthropic 政策/条款）
 
 有关完整的提供商目录（xAI、Groq、Mistral 等）和高级配置，
-参见[模型提供商](/concepts/model-providers)。
+请参见 [模型提供商](/concepts/model-providers)。
diff --git a/docs/zh-CN/providers/kilocode.md b/docs/zh-CN/providers/kilocode.md
new file mode 100644
index 00000000000..0f541ca1d47
--- /dev/null
+++ b/docs/zh-CN/providers/kilocode.md
@@ -0,0 +1,80 @@
+---
+read_when:
+  - 你想用一个 API 密钥访问多种 LLM
+  - 你想在 OpenClaw 中通过 Kilo Gateway 运行模型
+summary: 使用 Kilo Gateway 的统一 API 在 OpenClaw 中访问多种模型
+x-i18n:
+  generated_at: "2026-03-16T06:25:35Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: acd4c29496abc1ef8d4da6c48575763dfe3b4c1319874f900532223ac3775257
+  source_path: providers/kilocode.md
+  workflow: 15
+---
+
+# Kilo Gateway
+
+Kilo Gateway 提供一个**统一 API**，可通过单一
+端点和 API 密钥将请求路由到多种模型。它兼容 OpenAI，因此大多数 OpenAI SDK 只需切换基础 URL 即可使用。
+
+## 获取 API 密钥
+
+1. 前往 [app.kilo.ai](https://app.kilo.ai)
+2. 登录或创建账户
+3. 进入 API Keys 并生成一个新密钥
+
+## CLI 设置
+
+```bash
+openclaw onboard --kilocode-api-key <key>
+```
+
+或者设置环境变量：
+
+```bash
+export KILOCODE_API_KEY="<your-kilocode-api-key>" # pragma: allowlist secret
+```
+
+## 配置片段
+
+```json5
+{
+  env: { KILOCODE_API_KEY: "<your-kilocode-api-key>" }, // pragma: allowlist secret
+  agents: {
+    defaults: {
+      model: { primary: "kilocode/kilo/auto" },
+    },
+  },
+}
+```
+
+## 默认模型
+
+默认模型是 `kilocode/kilo/auto`，这是一个智能路由模型，会根据任务自动选择
+最佳的底层模型：
+
+- 规划、调试和编排任务会路由到 Claude Opus
+- 代码编写和探索任务会路由到 Claude Sonnet
+
+## 可用模型
+
+OpenClaw 会在启动时从 Kilo Gateway 动态发现可用模型。使用
+`/models kilocode` 查看你的账户可用的完整模型列表。
+
+Gateway 网关上任何可用的模型都可以使用 `kilocode/` 前缀：
+
+```
+kilocode/kilo/auto              (default - smart routing)
+kilocode/anthropic/claude-sonnet-4
+kilocode/openai/gpt-5.2
+kilocode/google/gemini-3-pro-preview
+...and many more
+```
+
+## 说明
+
+- 模型引用格式为 `kilocode/<model-id>`（例如 `kilocode/anthropic/claude-sonnet-4`）。
+- 默认模型：`kilocode/kilo/auto`
+- 基础 URL：`https://api.kilo.ai/api/gateway/`
+- 更多模型/提供商选项，请参见 [/concepts/model-providers](/concepts/model-providers)。
+- Kilo Gateway 在底层使用带有你的 API 密钥的 Bearer token。
diff --git a/docs/zh-CN/providers/litellm.md b/docs/zh-CN/providers/litellm.md
new file mode 100644
index 00000000000..769cbbce78f
--- /dev/null
+++ b/docs/zh-CN/providers/litellm.md
@@ -0,0 +1,160 @@
+---
+read_when:
+  - 你想通过 LiteLLM 代理路由 OpenClaw
+  - 你需要通过 LiteLLM 进行成本跟踪、日志记录或模型路由
+summary: 通过 LiteLLM Proxy 运行 OpenClaw，以实现统一模型访问和成本跟踪
+x-i18n:
+  generated_at: "2026-03-16T06:25:50Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 269529671c60864972441606c730b5ca327546a45d3b264dbd03204c4401936f
+  source_path: providers/litellm.md
+  workflow: 15
+---
+
+# LiteLLM
+
+[LiteLLM](https://litellm.ai) 是一个开源 LLM 网关，可为 100+ 模型提供商提供统一 API。通过 LiteLLM 路由 OpenClaw，你可以获得集中式成本跟踪、日志记录，以及在不更改 OpenClaw 配置的情况下切换后端的灵活性。
+
+## 为什么要将 LiteLLM 与 OpenClaw 搭配使用？
+
+- **成本跟踪** —— 精确查看 OpenClaw 在所有模型上的花费
+- **模型路由** —— 无需更改配置，即可在 Claude、GPT-4、Gemini、Bedrock 之间切换
+- **虚拟密钥** —— 为 OpenClaw 创建带有支出限制的密钥
+- **日志记录** —— 提供完整的请求/响应日志，便于调试
+- **回退** —— 如果你的主要提供商宕机，可自动故障切换
+
+## 快速开始
+
+### 通过新手引导
+
+```bash
+openclaw onboard --auth-choice litellm-api-key
+```
+
+### 手动设置
+
+1. 启动 LiteLLM Proxy：
+
+```bash
+pip install 'litellm[proxy]'
+litellm --model claude-opus-4-6
+```
+
+2. 将 OpenClaw 指向 LiteLLM：
+
+```bash
+export LITELLM_API_KEY="your-litellm-key"
+
+openclaw
+```
+
+就是这样。OpenClaw 现在会通过 LiteLLM 进行路由。
+
+## 配置
+
+### 环境变量
+
+```bash
+export LITELLM_API_KEY="sk-litellm-key"
+```
+
+### 配置文件
+
+```json5
+{
+  models: {
+    providers: {
+      litellm: {
+        baseUrl: "http://localhost:4000",
+        apiKey: "${LITELLM_API_KEY}",
+        api: "openai-completions",
+        models: [
+          {
+            id: "claude-opus-4-6",
+            name: "Claude Opus 4.6",
+            reasoning: true,
+            input: ["text", "image"],
+            contextWindow: 200000,
+            maxTokens: 64000,
+          },
+          {
+            id: "gpt-4o",
+            name: "GPT-4o",
+            reasoning: false,
+            input: ["text", "image"],
+            contextWindow: 128000,
+            maxTokens: 8192,
+          },
+        ],
+      },
+    },
+  },
+  agents: {
+    defaults: {
+      model: { primary: "litellm/claude-opus-4-6" },
+    },
+  },
+}
+```
+
+## 虚拟密钥
+
+为 OpenClaw 创建一个带支出限制的专用密钥：
+
+```bash
+curl -X POST "http://localhost:4000/key/generate" \
+  -H "Authorization: Bearer $LITELLM_MASTER_KEY" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "key_alias": "openclaw",
+    "max_budget": 50.00,
+    "budget_duration": "monthly"
+  }'
+```
+
+将生成的密钥用作 `LITELLM_API_KEY`。
+
+## 模型路由
+
+LiteLLM 可以将模型请求路由到不同后端。在你的 LiteLLM `config.yaml` 中进行配置：
+
+```yaml
+model_list:
+  - model_name: claude-opus-4-6
+    litellm_params:
+      model: claude-opus-4-6
+      api_key: os.environ/ANTHROPIC_API_KEY
+
+  - model_name: gpt-4o
+    litellm_params:
+      model: gpt-4o
+      api_key: os.environ/OPENAI_API_KEY
+```
+
+OpenClaw 会继续请求 `claude-opus-4-6` —— 路由由 LiteLLM 处理。
+
+## 查看使用情况
+
+检查 LiteLLM 的仪表板或 API：
+
+```bash
+# 密钥信息
+curl "http://localhost:4000/key/info" \
+  -H "Authorization: Bearer sk-litellm-key"
+
+# 支出日志
+curl "http://localhost:4000/spend/logs" \
+  -H "Authorization: Bearer $LITELLM_MASTER_KEY"
+```
+
+## 说明
+
+- LiteLLM 默认运行在 `http://localhost:4000`
+- OpenClaw 通过兼容 OpenAI 的 `/v1/chat/completions` 端点连接
+- 所有 OpenClaw 功能都可通过 LiteLLM 使用 —— 没有限制
+
+## 另请参见
+
+- [LiteLLM 文档](https://docs.litellm.ai)
+- [模型提供商](/concepts/model-providers)
diff --git a/docs/zh-CN/providers/minimax.md b/docs/zh-CN/providers/minimax.md
index acaa6f8fe55..5a55e8ef7e4 100644
--- a/docs/zh-CN/providers/minimax.md
+++ b/docs/zh-CN/providers/minimax.md
@@ -2,75 +2,78 @@
 read_when:
   - 你想在 OpenClaw 中使用 MiniMax 模型
   - 你需要 MiniMax 设置指南
-summary: 在 OpenClaw 中使用 MiniMax M2.1
+summary: 在 OpenClaw 中使用 MiniMax M2.5
 title: MiniMax
 x-i18n:
-  generated_at: "2026-02-03T10:08:52Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: 861e1ddc3c24be88f716bfb72d6015d62875a9087f8e89ea4ba3a35f548c7fae
+  generated_at: "2026-03-16T06:26:04Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: ffed28de9ecc5a1d2ad9f18adc08dd9cf39df40674b14c7ef078b16c92faacf2
   source_path: providers/minimax.md
   workflow: 15
 ---
 
 # MiniMax
 
-MiniMax 是一家构建 **M2/M2.1** 模型系列的 AI 公司。当前面向编程的版本是 **MiniMax M2.1**（2025 年 12 月 23 日），专为现实世界的复杂任务而构建。
+MiniMax 是一家 AI 公司，构建了 **M2/M2.5** 模型家族。当前
+面向编码的版本是 **MiniMax M2.5**（2025 年 12 月 23 日），专为
+现实世界中的复杂任务打造。
 
-来源：[MiniMax M2.1 发布说明](https://www.minimax.io/news/minimax-m21)
+来源：[MiniMax M2.5 发布说明](https://www.minimax.io/news/minimax-m25)
 
-## 模型概述（M2.1）
+## 模型概览（M2.5）
 
-MiniMax 强调 M2.1 的以下改进：
+MiniMax 在 M2.5 中重点强调了以下改进：
 
-- 更强的**多语言编程**能力（Rust、Java、Go、C++、Kotlin、Objective-C、TS/JS）。
-- 更好的 **Web/应用开发**和美观输出质量（包括原生移动端）。
-- 改进的**复合指令**处理，适用于办公风格的工作流程，基于交错思考和集成约束执行。
-- **更简洁的响应**，更低的 token 使用量和更快的迭代循环。
-- 更强的**工具/智能体框架**兼容性和上下文管理（Claude Code、Droid/Factory AI、Cline、Kilo Code、Roo Code、BlackBox）。
+- 更强的**多语言编码**能力（Rust、Java、Go、C++、Kotlin、Objective-C、TS/JS）。
+- 更好的**Web/应用开发**和美学输出质量（包括原生移动端）。
+- 在交错思考和集成约束执行的基础上，改进了面向办公类工作流的**复合指令**处理。
+- **更简洁的响应**，token 使用量更低，迭代循环更快。
+- 更强的**工具/智能体框架**兼容性和上下文管理能力（Claude Code、
+  Droid/Factory AI、Cline、Kilo Code、Roo Code、BlackBox）。
 - 更高质量的**对话和技术写作**输出。
 
-## MiniMax M2.1 vs MiniMax M2.1 Lightning
+## MiniMax M2.5 与 MiniMax M2.5 Highspeed
 
-- **速度：** Lightning 是 MiniMax 定价文档中的"快速"变体。
-- **成本：** 定价显示相同的输入成本，但 Lightning 的输出成本更高。
-- **编程计划路由：** Lightning 后端在 MiniMax 编程计划中不能直接使用。MiniMax 自动将大多数请求路由到 Lightning，但在流量高峰期会回退到常规 M2.1 后端。
+- **速度：** `MiniMax-M2.5-highspeed` 是 MiniMax 文档中的官方高速层级。
+- **成本：** MiniMax 定价显示，高速版的输入成本相同，而输出成本更高。
+- **当前模型 ID：** 使用 `MiniMax-M2.5` 或 `MiniMax-M2.5-highspeed`。
 
-## 选择设置方式
+## 选择一种设置方式
 
-### MiniMax OAuth（编程计划）— 推荐
+### MiniMax OAuth（Coding Plan）—— 推荐
 
-**适用于：** 通过 OAuth 快速设置 MiniMax 编程计划，无需 API 密钥。
+**最适合：** 通过 OAuth 使用 MiniMax Coding Plan 快速设置，无需 API key。
 
-启用内置 OAuth 插件并进行认证：
+启用内置 OAuth 插件并完成认证：
 
 ```bash
-openclaw plugins enable minimax-portal-auth  # 如果已加载则跳过
-openclaw gateway restart  # 如果 Gateway 网关已在运行则重启
+openclaw plugins enable minimax  # 如果已加载则跳过。
+openclaw gateway restart  # 如果 gateway 已在运行，则重启
 openclaw onboard --auth-choice minimax-portal
 ```
 
-系统会提示你选择端点：
+系统会提示你选择一个端点：
 
 - **Global** - 国际用户（`api.minimax.io`）
 - **CN** - 中国用户（`api.minimaxi.com`）
 
-详情参见 [MiniMax OAuth 插件 README](https://github.com/openclaw/openclaw/tree/main/extensions/minimax-portal-auth)。
+详情请参阅 [MiniMax plugin README](https://github.com/openclaw/openclaw/tree/main/extensions/minimax)。
 
-### MiniMax M2.1（API 密钥）
+### MiniMax M2.5（API key）
 
-**适用于：** 使用 Anthropic 兼容 API 的托管 MiniMax。
+**最适合：** 使用与 Anthropic 兼容 API 的托管 MiniMax。
 
 通过 CLI 配置：
 
 - 运行 `openclaw configure`
 - 选择 **Model/auth**
-- 选择 **MiniMax M2.1**
+- 选择 **MiniMax M2.5**
 
 ```json5
 {
   env: { MINIMAX_API_KEY: "sk-..." },
-  agents: { defaults: { model: { primary: "minimax/MiniMax-M2.1" } } },
+  agents: { defaults: { model: { primary: "minimax/MiniMax-M2.5" } } },
   models: {
     mode: "merge",
     providers: {
@@ -80,11 +83,20 @@ openclaw onboard --auth-choice minimax-portal
         api: "anthropic-messages",
         models: [
           {
-            id: "MiniMax-M2.1",
-            name: "MiniMax M2.1",
-            reasoning: false,
+            id: "MiniMax-M2.5",
+            name: "MiniMax M2.5",
+            reasoning: true,
             input: ["text"],
-            cost: { input: 15, output: 60, cacheRead: 2, cacheWrite: 10 },
+            cost: { input: 0.3, output: 1.2, cacheRead: 0.03, cacheWrite: 0.12 },
+            contextWindow: 200000,
+            maxTokens: 8192,
+          },
+          {
+            id: "MiniMax-M2.5-highspeed",
+            name: "MiniMax M2.5 Highspeed",
+            reasoning: true,
+            input: ["text"],
+            cost: { input: 0.3, output: 1.2, cacheRead: 0.03, cacheWrite: 0.12 },
             contextWindow: 200000,
             maxTokens: 8192,
           },
@@ -95,9 +107,10 @@ openclaw onboard --auth-choice minimax-portal
 }
 ```
 
-### MiniMax M2.1 作为备用（Opus 为主）
+### 将 MiniMax M2.5 作为回退模型（示例）
 
-**适用于：** 保持 Opus 4.5 为主模型，故障时切换到 MiniMax M2.1。
+**最适合：** 保持你最强的最新一代模型作为主模型，并在失败时回退到 MiniMax M2.5。
+下面的示例使用 Opus 作为具体主模型；你可以替换成自己偏好的最新一代主模型。
 
 ```json5
 {
@@ -105,12 +118,12 @@ openclaw onboard --auth-choice minimax-portal
   agents: {
     defaults: {
       models: {
-        "anthropic/claude-opus-4-5": { alias: "opus" },
-        "minimax/MiniMax-M2.1": { alias: "minimax" },
+        "anthropic/claude-opus-4-6": { alias: "primary" },
+        "minimax/MiniMax-M2.5": { alias: "minimax" },
       },
       model: {
-        primary: "anthropic/claude-opus-4-5",
-        fallbacks: ["minimax/MiniMax-M2.1"],
+        primary: "anthropic/claude-opus-4-6",
+        fallbacks: ["minimax/MiniMax-M2.5"],
       },
     },
   },
@@ -119,8 +132,8 @@ openclaw onboard --auth-choice minimax-portal
 
 ### 可选：通过 LM Studio 本地运行（手动）
 
-**适用于：** 使用 LM Studio 进行本地推理。
-我们在强大硬件（例如台式机/服务器）上使用 LM Studio 的本地服务器运行 MiniMax M2.1 时看到了出色的效果。
+**最适合：** 通过 LM Studio 进行本地推理。
+我们已经看到，在强力硬件上（例如台式机/服务器）使用 LM Studio 的本地服务器运行 MiniMax M2.5 时，效果非常强。
 
 通过 `openclaw.json` 手动配置：
 
@@ -128,8 +141,8 @@ openclaw onboard --auth-choice minimax-portal
 {
   agents: {
     defaults: {
-      model: { primary: "lmstudio/minimax-m2.1-gs32" },
-      models: { "lmstudio/minimax-m2.1-gs32": { alias: "Minimax" } },
+      model: { primary: "lmstudio/minimax-m2.5-gs32" },
+      models: { "lmstudio/minimax-m2.5-gs32": { alias: "Minimax" } },
     },
   },
   models: {
@@ -141,9 +154,9 @@ openclaw onboard --auth-choice minimax-portal
         api: "openai-responses",
         models: [
           {
-            id: "minimax-m2.1-gs32",
-            name: "MiniMax M2.1 GS32",
-            reasoning: false,
+            id: "minimax-m2.5-gs32",
+            name: "MiniMax M2.5 GS32",
+            reasoning: true,
             input: ["text"],
             cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
             contextWindow: 196608,
@@ -158,48 +171,51 @@ openclaw onboard --auth-choice minimax-portal
 
 ## 通过 `openclaw configure` 配置
 
-使用交互式配置向导设置 MiniMax，无需编辑 JSON：
+使用交互式配置向导设置 MiniMax，而无需编辑 JSON：
 
 1. 运行 `openclaw configure`。
 2. 选择 **Model/auth**。
-3. 选择 **MiniMax M2.1**。
+3. 选择 **MiniMax M2.5**。
 4. 在提示时选择你的默认模型。
 
 ## 配置选项
 
-- `models.providers.minimax.baseUrl`：推荐使用 `https://api.minimax.io/anthropic`（Anthropic 兼容）；`https://api.minimax.io/v1` 可选用于 OpenAI 兼容的负载。
-- `models.providers.minimax.api`：推荐使用 `anthropic-messages`；`openai-completions` 可选用于 OpenAI 兼容的负载。
-- `models.providers.minimax.apiKey`：MiniMax API 密钥（`MINIMAX_API_KEY`）。
+- `models.providers.minimax.baseUrl`：优先使用 `https://api.minimax.io/anthropic`（与 Anthropic 兼容）；`https://api.minimax.io/v1` 可选，用于与 OpenAI 兼容的负载。
+- `models.providers.minimax.api`：优先使用 `anthropic-messages`；`openai-completions` 可选，用于与 OpenAI 兼容的负载。
+- `models.providers.minimax.apiKey`：MiniMax API key（`MINIMAX_API_KEY`）。
 - `models.providers.minimax.models`：定义 `id`、`name`、`reasoning`、`contextWindow`、`maxTokens`、`cost`。
-- `agents.defaults.models`：为你想要在允许列表中的模型设置别名。
-- `models.mode`：如果你想将 MiniMax 与内置模型一起添加，保持 `merge`。
+- `agents.defaults.models`：为你希望放入允许列表的模型设置别名。
+- `models.mode`：如果你希望在内置模型之外添加 MiniMax，请保持为 `merge`。
 
-## 注意事项
+## 说明
 
 - 模型引用格式为 `minimax/<model>`。
-- 编程计划使用量 API：`https://api.minimaxi.com/v1/api/openplatform/coding_plan/remains`（需要编程计划密钥）。
-- 如果需要精确的成本跟踪，请更新 `models.json` 中的定价值。
-- MiniMax 编程计划推荐链接（9 折优惠）：https://platform.minimax.io/subscribe/coding-plan?code=DbXJTRClnb&source=link
-- 参见 [/concepts/model-providers](/concepts/model-providers) 了解提供商规则。
-- 使用 `openclaw models list` 和 `openclaw models set minimax/MiniMax-M2.1` 切换模型。
+- 推荐模型 ID：`MiniMax-M2.5` 和 `MiniMax-M2.5-highspeed`。
+- Coding Plan 用量 API：`https://api.minimaxi.com/v1/api/openplatform/coding_plan/remains`（需要 coding plan key）。
+- 如果你需要精确成本跟踪，请更新 `models.json` 中的定价值。
+- MiniMax Coding Plan 推荐链接（九折）：[https://platform.minimax.io/subscribe/coding-plan?code=DbXJTRClnb&source=link](https://platform.minimax.io/subscribe/coding-plan?code=DbXJTRClnb&source=link)
+- 关于提供商规则，请参阅 [/concepts/model-providers](/concepts/model-providers)。
+- 使用 `openclaw models list` 和 `openclaw models set minimax/MiniMax-M2.5` 进行切换。
 
 ## 故障排除
 
-### "Unknown model: minimax/MiniMax-M2.1"
+### “Unknown model: minimax/MiniMax-M2.5”
 
-这通常意味着 **MiniMax 提供商未配置**（没有提供商条目，也没有找到 MiniMax 认证配置文件/环境变量密钥）。此检测的修复在 **2026.1.12** 中（撰写本文时尚未发布）。修复方法：
+这通常意味着 **MiniMax 提供商未配置**（没有提供商条目，
+并且也未找到 MiniMax 凭证配置文件/环境变量 key）。对此检测问题的修复已包含在
+**2026.1.12** 中（在撰写本文时尚未发布）。修复方法：
 
-- 升级到 **2026.1.12**（或从源码 `main` 分支运行），然后重启 Gateway 网关。
-- 运行 `openclaw configure` 并选择 **MiniMax M2.1**，或
-- 手动添加 `models.providers.minimax` 块，或
-- 设置 `MINIMAX_API_KEY`（或 MiniMax 认证配置文件）以便注入提供商。
+- 升级到 **2026.1.12**（或从源码运行 `main`），然后重启 gateway。
+- 运行 `openclaw configure` 并选择 **MiniMax M2.5**，或者
+- 手动添加 `models.providers.minimax` 配置块，或者
+- 设置 `MINIMAX_API_KEY`（或 MiniMax 凭证配置文件），以便注入该提供商。
 
-确保模型 id **区分大小写**：
+请确保模型 id **区分大小写**：
 
-- `minimax/MiniMax-M2.1`
-- `minimax/MiniMax-M2.1-lightning`
+- `minimax/MiniMax-M2.5`
+- `minimax/MiniMax-M2.5-highspeed`
 
-然后重新检查：
+然后使用以下命令重新检查：
 
 ```bash
 openclaw models list
diff --git a/docs/zh-CN/providers/mistral.md b/docs/zh-CN/providers/mistral.md
new file mode 100644
index 00000000000..96f6a277ff9
--- /dev/null
+++ b/docs/zh-CN/providers/mistral.md
@@ -0,0 +1,61 @@
+---
+read_when:
+  - 你想在 OpenClaw 中使用 Mistral 模型
+  - 你需要 Mistral API 密钥新手引导和模型引用
+summary: 在 OpenClaw 中使用 Mistral 模型和 Voxtral 转录
+title: Mistral
+x-i18n:
+  generated_at: "2026-03-16T06:25:57Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 4f3efe060cbaeb14e20439ade040e57d27e7d98fb9dd06e657f6a69ae808f24f
+  source_path: providers/mistral.md
+  workflow: 15
+---
+
+# Mistral
+
+OpenClaw 支持 Mistral，用于文本/图像模型路由（`mistral/...`）以及
+通过媒体理解中的 Voxtral 进行音频转录。
+Mistral 还可用于记忆嵌入（`memorySearch.provider = "mistral"`）。
+
+## CLI 设置
+
+```bash
+openclaw onboard --auth-choice mistral-api-key
+# or non-interactive
+openclaw onboard --mistral-api-key "$MISTRAL_API_KEY"
+```
+
+## 配置片段（LLM 提供商）
+
+```json5
+{
+  env: { MISTRAL_API_KEY: "sk-..." },
+  agents: { defaults: { model: { primary: "mistral/mistral-large-latest" } } },
+}
+```
+
+## 配置片段（使用 Voxtral 进行音频转录）
+
+```json5
+{
+  tools: {
+    media: {
+      audio: {
+        enabled: true,
+        models: [{ provider: "mistral", model: "voxtral-mini-latest" }],
+      },
+    },
+  },
+}
+```
+
+## 说明
+
+- Mistral 身份验证使用 `MISTRAL_API_KEY`。
+- 提供商基础 URL 默认为 `https://api.mistral.ai/v1`。
+- 新手引导默认模型为 `mistral/mistral-large-latest`。
+- Mistral 的媒体理解默认音频模型为 `voxtral-mini-latest`。
+- 媒体转录路径使用 `/v1/audio/transcriptions`。
+- 记忆嵌入路径使用 `/v1/embeddings`（默认模型：`mistral-embed`）。
diff --git a/docs/zh-CN/providers/models.md b/docs/zh-CN/providers/models.md
index dc5210b128b..872ad902351 100644
--- a/docs/zh-CN/providers/models.md
+++ b/docs/zh-CN/providers/models.md
@@ -1,55 +1,51 @@
 ---
 read_when:
   - 你想选择一个模型提供商
-  - 你想要 LLM 认证 + 模型选择的快速设置示例
+  - 你想要 LLM 身份验证 + 模型选择的快速设置示例
 summary: OpenClaw 支持的模型提供商（LLM）
-title: 模型提供商快速入门
+title: 模型提供商快速开始
 x-i18n:
-  generated_at: "2026-02-03T07:53:35Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: 2f5b99207dc7860e0a7b541b61e984791f5d7ab1953b3e917365a248a09b025b
+  generated_at: "2026-03-16T06:26:02Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 7a868ba56e93e6332f0e9dd3d3e2c79a08f369dbc96c400dfba141f347d40e8f
   source_path: providers/models.md
   workflow: 15
 ---
 
 # 模型提供商
 
-OpenClaw 可以使用许多 LLM 提供商。选择一个，进行认证，然后将默认模型设置为 `provider/model`。
+OpenClaw 可以使用许多 LLM 提供商。选择一个，完成身份验证，然后将默认
+模型设置为 `provider/model`。
 
-## 推荐：Venice（Venice AI）
+## 快速开始（两步）
 
-Venice 是我们推荐的 Venice AI 设置，用于隐私优先的推理，并可选择使用 Opus 处理最困难的任务。
-
-- 默认：`venice/llama-3.3-70b`
-- 最佳综合：`venice/claude-opus-45`（Opus 仍然是最强的）
-
-参见 [Venice AI](/providers/venice)。
-
-## 快速开始（两个步骤）
-
-1. 与提供商认证（通常通过 `openclaw onboard`）。
+1. 使用该提供商进行身份验证（通常通过 `openclaw onboard`）。
 2. 设置默认模型：
 
 ```json5
 {
-  agents: { defaults: { model: { primary: "anthropic/claude-opus-4-5" } } },
+  agents: { defaults: { model: { primary: "anthropic/claude-opus-4-6" } } },
 }
 ```
 
-## 支持的提供商（入门集）
+## 支持的提供商（入门集合）
 
 - [OpenAI（API + Codex）](/providers/openai)
 - [Anthropic（API + Claude Code CLI）](/providers/anthropic)
 - [OpenRouter](/providers/openrouter)
 - [Vercel AI Gateway](/providers/vercel-ai-gateway)
+- [Cloudflare AI Gateway](/providers/cloudflare-ai-gateway)
 - [Moonshot AI（Kimi + Kimi Coding）](/providers/moonshot)
+- [Mistral](/providers/mistral)
 - [Synthetic](/providers/synthetic)
-- [OpenCode Zen](/providers/opencode)
+- [OpenCode（Zen + Go）](/providers/opencode)
 - [Z.AI](/providers/zai)
 - [GLM 模型](/providers/glm)
 - [MiniMax](/providers/minimax)
 - [Venice（Venice AI）](/providers/venice)
 - [Amazon Bedrock](/providers/bedrock)
+- [Qianfan](/providers/qianfan)
 
-有关完整的提供商目录（xAI、Groq、Mistral 等）和高级配置，请参阅[模型提供商](/concepts/model-providers)。
+有关完整的提供商目录（xAI、Groq、Mistral 等）和高级配置，
+请参见 [模型提供商](/concepts/model-providers)。
diff --git a/docs/zh-CN/providers/moonshot.md b/docs/zh-CN/providers/moonshot.md
index 1970c7d7266..28642b6952e 100644
--- a/docs/zh-CN/providers/moonshot.md
+++ b/docs/zh-CN/providers/moonshot.md
@@ -1,32 +1,36 @@
 ---
 read_when:
-  - 你想了解 Moonshot K2（Moonshot 开放平台）与 Kimi Coding 的配置
-  - 你需要了解独立的端点、密钥和模型引用
-  - 你想获取任一提供商的可复制粘贴配置
-summary: 配置 Moonshot K2 与 Kimi Coding（独立提供商和密钥）
+  - 你想了解 Moonshot K2（Moonshot Open Platform）与 Kimi Coding 的设置方式
+  - 你需要理解独立的端点、密钥和模型引用
+  - 你想要任一提供商的可直接复制粘贴配置
+summary: 配置 Moonshot K2 与 Kimi Coding（独立提供商 + 密钥）
 title: Moonshot AI
 x-i18n:
-  generated_at: "2026-02-01T21:35:13Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: 2de81b1a37a0e6e61e0e142fcd36760ecd00834e107dc9b5e38bbf971b27e18e
+  generated_at: "2026-03-16T06:26:20Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: f95e6ffa9397e0c2bdbc247e6fb6f2892ca6a34b276ca9b773e6b875233539e3
   source_path: providers/moonshot.md
   workflow: 15
 ---
 
-# Moonshot AI (Kimi)
+# Moonshot AI（Kimi）
 
-Moonshot 提供兼容 OpenAI 端点的 Kimi API。配置提供商并将默认模型设置为 `moonshot/kimi-k2.5`，或使用 Kimi Coding 的 `kimi-coding/k2p5`。
+Moonshot 提供带有 OpenAI 兼容端点的 Kimi API。配置该
+提供商，并将默认模型设置为 `moonshot/kimi-k2.5`，或者使用
+`kimi-coding/k2p5` 作为 Kimi Coding。
 
 当前 Kimi K2 模型 ID：
-{/_ moonshot-kimi-k2-ids:start _/}
+
+[//]: # "moonshot-kimi-k2-ids:start"
 
 - `kimi-k2.5`
 - `kimi-k2-0905-preview`
 - `kimi-k2-turbo-preview`
 - `kimi-k2-thinking`
 - `kimi-k2-thinking-turbo`
-  {/_ moonshot-kimi-k2-ids:end _/}
+
+[//]: # "moonshot-kimi-k2-ids:end"
 
 ```bash
 openclaw onboard --auth-choice moonshot-api-key
@@ -38,7 +42,7 @@ Kimi Coding：
 openclaw onboard --auth-choice kimi-code-api-key
 ```
 
-注意：Moonshot 和 Kimi Coding 是独立的提供商。密钥不可互换，端点不同，模型引用也不同（Moonshot 使用 `moonshot/...`，Kimi Coding 使用 `kimi-coding/...`）。
+注意：Moonshot 和 Kimi Coding 是独立提供商。密钥不可互换，端点不同，模型引用也不同（Moonshot 使用 `moonshot/...`，Kimi Coding 使用 `kimi-coding/...`）。
 
 ## 配置片段（Moonshot API）
 
@@ -137,9 +141,42 @@ openclaw onboard --auth-choice kimi-code-api-key
 }
 ```
 
-## 注意事项
+## 说明
 
 - Moonshot 模型引用使用 `moonshot/<modelId>`。Kimi Coding 模型引用使用 `kimi-coding/<modelId>`。
 - 如有需要，可在 `models.providers` 中覆盖定价和上下文元数据。
-- 如果 Moonshot 发布了某个模型的不同上下文限制，请相应调整 `contextWindow`。
-- 如需使用中国端点，请使用 `https://api.moonshot.cn/v1`。
+- 如果 Moonshot 为某个模型发布了不同的上下文限制，请相应调整
+  `contextWindow`。
+- 国际端点使用 `https://api.moonshot.ai/v1`，中国端点使用 `https://api.moonshot.cn/v1`。
+
+## 原生 thinking 模式（Moonshot）
+
+Moonshot Kimi 支持二元原生 thinking：
+
+- `thinking: { type: "enabled" }`
+- `thinking: { type: "disabled" }`
+
+通过 `agents.defaults.models.<provider/model>.params` 为每个模型进行配置：
+
+```json5
+{
+  agents: {
+    defaults: {
+      models: {
+        "moonshot/kimi-k2.5": {
+          params: {
+            thinking: { type: "disabled" },
+          },
+        },
+      },
+    },
+  },
+}
+```
+
+OpenClaw 还会为 Moonshot 映射运行时 `/think` 级别：
+
+- `/think off` -> `thinking.type=disabled`
+- 任何非 off 的 thinking 级别 -> `thinking.type=enabled`
+
+当启用 Moonshot thinking 时，`tool_choice` 必须为 `auto` 或 `none`。为保持兼容性，OpenClaw 会将不兼容的 `tool_choice` 值标准化为 `auto`。
diff --git a/docs/zh-CN/providers/nvidia.md b/docs/zh-CN/providers/nvidia.md
new file mode 100644
index 00000000000..7d186540f23
--- /dev/null
+++ b/docs/zh-CN/providers/nvidia.md
@@ -0,0 +1,62 @@
+---
+read_when:
+  - 你想在 OpenClaw 中使用 NVIDIA 模型
+  - 你需要设置 `NVIDIA_API_KEY`
+summary: 在 OpenClaw 中使用 NVIDIA 的 OpenAI 兼容 API
+title: NVIDIA
+x-i18n:
+  generated_at: "2026-03-16T06:26:11Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 81e7a1b6cd6821b68db9c71b864d36023b1ccfad1641bf88e2bc2957782edf8b
+  source_path: providers/nvidia.md
+  workflow: 15
+---
+
+# NVIDIA
+
+NVIDIA 在 `https://integrate.api.nvidia.com/v1` 提供一个与 OpenAI 兼容的 API，用于 Nemotron 和 NeMo 模型。请使用来自 [NVIDIA NGC](https://catalog.ngc.nvidia.com/) 的 API key 进行认证。
+
+## CLI 设置
+
+先导出 key，然后运行新手引导并设置一个 NVIDIA 模型：
+
+```bash
+export NVIDIA_API_KEY="nvapi-..."
+openclaw onboard --auth-choice skip
+openclaw models set nvidia/nvidia/llama-3.1-nemotron-70b-instruct
+```
+
+如果你仍然使用 `--token`，请记住它会出现在 shell 历史记录和 `ps` 输出中；如果可能，优先使用环境变量。
+
+## 配置片段
+
+```json5
+{
+  env: { NVIDIA_API_KEY: "nvapi-..." },
+  models: {
+    providers: {
+      nvidia: {
+        baseUrl: "https://integrate.api.nvidia.com/v1",
+        api: "openai-completions",
+      },
+    },
+  },
+  agents: {
+    defaults: {
+      model: { primary: "nvidia/nvidia/llama-3.1-nemotron-70b-instruct" },
+    },
+  },
+}
+```
+
+## 模型 ID
+
+- `nvidia/llama-3.1-nemotron-70b-instruct`（默认）
+- `meta/llama-3.3-70b-instruct`
+- `nvidia/mistral-nemo-minitron-8b-8k-instruct`
+
+## 说明
+
+- 使用与 OpenAI 兼容的 `/v1` 端点；请使用来自 NVIDIA NGC 的 API key。
+- 当设置了 `NVIDIA_API_KEY` 时，提供商会自动启用；使用静态默认值（131,072-token 上下文窗口，4,096 最大 tokens）。
diff --git a/docs/zh-CN/providers/ollama.md b/docs/zh-CN/providers/ollama.md
index b4ceb777f60..da1ce2274a5 100644
--- a/docs/zh-CN/providers/ollama.md
+++ b/docs/zh-CN/providers/ollama.md
@@ -1,37 +1,98 @@
 ---
 read_when:
-  - 你想通过 Ollama 使用本地模型运行 OpenClaw
-  - 你需要 Ollama 的安装和配置指导
-summary: 通过 Ollama（本地 LLM 运行时）运行 OpenClaw
+  - 你想通过 Ollama 在 OpenClaw 中运行云端或本地模型
+  - 你需要 Ollama 设置和配置指南
+summary: 通过 Ollama 运行 OpenClaw（云端和本地模型）
 title: Ollama
 x-i18n:
-  generated_at: "2026-02-01T21:35:22Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: 157080ad90f449f622260a5f5bd293f79c15800527d36b15596e8ca232e3c957
+  generated_at: "2026-03-16T06:26:42Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 226b71bfd59614552f0b9cf1c9b1d18d82121a5fb05f6c71b11cc3cf4c23fd4e
   source_path: providers/ollama.md
   workflow: 15
 ---
 
 # Ollama
 
-Ollama 是一个本地 LLM 运行时，可以轻松在你的机器上运行开源模型。OpenClaw 通过 Ollama 的 OpenAI 兼容 API 进行集成，并且当你通过 `OLLAMA_API_KEY`（或认证配置）启用且未定义显式的 `models.providers.ollama` 条目时，可以**自动发现支持工具调用的模型**。
+Ollama 是一个本地 LLM 运行时，可以让你轻松在自己的机器上运行开源模型。OpenClaw 集成了 Ollama 的原生 API（`/api/chat`），支持流式传输和工具调用，并且在你选择使用 `OLLAMA_API_KEY`（或凭证配置文件）且未定义显式 `models.providers.ollama` 条目时，可以自动发现本地 Ollama 模型。
+
+<Warning>
+**远程 Ollama 用户：** 不要在 OpenClaw 中使用 `/v1` 的 OpenAI 兼容 URL（`http://host:11434/v1`）。这会破坏工具调用，而且模型可能会把原始工具 JSON 当作纯文本输出。请改用原生 Ollama API URL：`baseUrl: "http://host:11434"`（不要加 `/v1`）。
+</Warning>
 
 ## 快速开始
 
-1. 安装 Ollama：https://ollama.ai
+### 新手引导向导（推荐）
 
-2. 拉取模型：
+通过设置向导配置 Ollama 是最快的方法：
 
 ```bash
-ollama pull llama3.3
-# 或
-ollama pull qwen2.5-coder:32b
-# 或
-ollama pull deepseek-r1:32b
+openclaw onboard
 ```
 
-3. 为 OpenClaw 启用 Ollama（任意值即可；Ollama 不需要真实密钥）：
+从提供商列表中选择 **Ollama**。向导将会：
+
+1. 询问你的 Ollama base URL，也就是可以访问你的实例的地址（默认 `http://127.0.0.1:11434`）。
+2. 让你选择 **Cloud + Local**（云端模型和本地模型）或 **Local**（仅本地模型）。
+3. 如果你选择 **Cloud + Local** 且尚未登录 ollama.com，则打开浏览器登录流程。
+4. 发现可用模型并建议默认值。
+5. 如果所选模型本地不可用，则自动拉取它。
+
+也支持非交互模式：
+
+```bash
+openclaw onboard --non-interactive \
+  --auth-choice ollama \
+  --accept-risk
+```
+
+也可以选择指定自定义 base URL 或模型：
+
+```bash
+openclaw onboard --non-interactive \
+  --auth-choice ollama \
+  --custom-base-url "http://ollama-host:11434" \
+  --custom-model-id "qwen3.5:27b" \
+  --accept-risk
+```
+
+### 手动设置
+
+1. 安装 Ollama：[https://ollama.com/download](https://ollama.com/download)
+
+2. 如果你想进行本地推理，先拉取一个本地模型：
+
+```bash
+ollama pull glm-4.7-flash
+# 或
+ollama pull gpt-oss:20b
+# 或
+ollama pull llama3.3
+```
+
+3. 如果你也想使用云端模型，请先登录：
+
+```bash
+ollama signin
+```
+
+4. 运行新手引导并选择 `Ollama`：
+
+```bash
+openclaw onboard
+```
+
+- `Local`：仅本地模型
+- `Cloud + Local`：本地模型加云端模型
+- 云端模型如 `kimi-k2.5:cloud`、`minimax-m2.5:cloud` 和 `glm-5:cloud` **不需要** 本地执行 `ollama pull`
+
+OpenClaw 当前建议：
+
+- 本地默认：`glm-4.7-flash`
+- 云端默认：`kimi-k2.5:cloud`、`minimax-m2.5:cloud`、`glm-5:cloud`
+
+5. 如果你更喜欢手动设置，也可以直接为 OpenClaw 启用 Ollama（任意值都可以；Ollama 不需要真实 key）：
 
 ```bash
 # 设置环境变量
@@ -41,13 +102,20 @@ export OLLAMA_API_KEY="ollama-local"
 openclaw config set models.providers.ollama.apiKey "ollama-local"
 ```
 
-4. 使用 Ollama 模型：
+6. 查看或切换模型：
+
+```bash
+openclaw models list
+openclaw models set ollama/glm-4.7-flash
+```
+
+7. 或者在配置中设置默认值：
 
 ```json5
 {
   agents: {
     defaults: {
-      model: { primary: "ollama/llama3.3" },
+      model: { primary: "ollama/glm-4.7-flash" },
     },
   },
 }
@@ -55,39 +123,38 @@ openclaw config set models.providers.ollama.apiKey "ollama-local"
 
 ## 模型发现（隐式提供商）
 
-当你设置了 `OLLAMA_API_KEY`（或认证配置）且**未**定义 `models.providers.ollama` 时，OpenClaw 会从本地 Ollama 实例 `http://127.0.0.1:11434` 发现模型：
+当你设置 `OLLAMA_API_KEY`（或凭证配置文件），并且**未**定义 `models.providers.ollama` 时，OpenClaw 会从 `http://127.0.0.1:11434` 上的本地 Ollama 实例发现模型：
 
-- 查询 `/api/tags` 和 `/api/show`
-- 仅保留报告了 `tools` 能力的模型
-- 当模型报告 `thinking` 时标记为 `reasoning`
-- 在可用时从 `model_info["<arch>.context_length"]` 读取 `contextWindow`
-- 将 `maxTokens` 设置为上下文窗口的 10 倍
-- 所有费用设置为 `0`
+- 查询 `/api/tags`
+- 在可用时，尽力通过 `/api/show` 查找 `contextWindow`
+- 通过模型名称启发式规则标记 `reasoning`（`r1`、`reasoning`、`think`）
+- 将 `maxTokens` 设置为 OpenClaw 使用的默认 Ollama 最大 token 上限
+- 将所有成本设置为 `0`
 
-这样无需手动配置模型条目，同时保持目录与 Ollama 的能力对齐。
+这样无需手动维护模型条目，同时又能让目录与本地 Ollama 实例保持一致。
 
-查看可用模型：
+查看有哪些可用模型：
 
 ```bash
 ollama list
 openclaw models list
 ```
 
-要添加新模型，只需通过 Ollama 拉取：
+添加新模型时，只需通过 Ollama 拉取它：
 
 ```bash
 ollama pull mistral
 ```
 
-新模型将被自动发现并可供使用。
+新模型会被自动发现，并可立即使用。
 
-如果你显式设置了 `models.providers.ollama`，自动发现将被跳过，你必须手动定义模型（见下文）。
+如果你显式设置了 `models.providers.ollama`，则会跳过自动发现，你必须手动定义模型（见下文）。
 
 ## 配置
 
 ### 基本设置（隐式发现）
 
-启用 Ollama 最简单的方式是通过环境变量：
+启用 Ollama 的最简单方式是通过环境变量：
 
 ```bash
 export OLLAMA_API_KEY="ollama-local"
@@ -95,25 +162,24 @@ export OLLAMA_API_KEY="ollama-local"
 
 ### 显式设置（手动模型）
 
-在以下情况使用显式配置：
+以下情况适合使用显式配置：
 
 - Ollama 运行在其他主机/端口上。
-- 你想强制指定上下文窗口或模型列表。
-- 你想包含未报告工具支持的模型。
+- 你想强制指定特定的上下文窗口或模型列表。
+- 你希望完全手动定义模型。
 
 ```json5
 {
   models: {
     providers: {
       ollama: {
-        // 使用包含 /v1 的主机地址以兼容 OpenAI API
-        baseUrl: "http://ollama-host:11434/v1",
+        baseUrl: "http://ollama-host:11434",
         apiKey: "ollama-local",
-        api: "openai-completions",
+        api: "ollama",
         models: [
           {
-            id: "llama3.3",
-            name: "Llama 3.3",
+            id: "gpt-oss:20b",
+            name: "GPT-OSS 20B",
             reasoning: false,
             input: ["text"],
             cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
@@ -127,11 +193,11 @@ export OLLAMA_API_KEY="ollama-local"
 }
 ```
 
-如果设置了 `OLLAMA_API_KEY`，你可以在提供商条目中省略 `apiKey`，OpenClaw 会自动填充以进行可用性检查。
+如果设置了 `OLLAMA_API_KEY`，你可以在提供商条目中省略 `apiKey`，OpenClaw 会在可用性检查时自动填充它。
 
-### 自定义基础 URL（显式配置）
+### 自定义 base URL（显式配置）
 
-如果 Ollama 运行在不同的主机或端口上（显式配置会禁用自动发现，因此需要手动定义模型）：
+如果 Ollama 运行在不同的主机或端口上（显式配置会禁用自动发现，因此你需要手动定义模型）：
 
 ```json5
 {
@@ -139,59 +205,120 @@ export OLLAMA_API_KEY="ollama-local"
     providers: {
       ollama: {
         apiKey: "ollama-local",
-        baseUrl: "http://ollama-host:11434/v1",
+        baseUrl: "http://ollama-host:11434", // 不要加 /v1 - 使用原生 Ollama API URL
+        api: "ollama", // 显式设置，以确保原生工具调用行为
       },
     },
   },
 }
 ```
 
+<Warning>
+不要在 URL 中添加 `/v1`。`/v1` 路径会启用 OpenAI 兼容模式，而在该模式下工具调用并不可靠。请使用不带路径后缀的基础 Ollama URL。
+</Warning>
+
 ### 模型选择
 
-配置完成后，所有 Ollama 模型即可使用：
+配置完成后，你的所有 Ollama 模型都可用：
 
 ```json5
 {
   agents: {
     defaults: {
       model: {
-        primary: "ollama/llama3.3",
-        fallbacks: ["ollama/qwen2.5-coder:32b"],
+        primary: "ollama/gpt-oss:20b",
+        fallbacks: ["ollama/llama3.3", "ollama/qwen2.5-coder:32b"],
       },
     },
   },
 }
 ```
 
+## 云端模型
+
+云端模型让你可以将云托管模型（例如 `kimi-k2.5:cloud`、`minimax-m2.5:cloud`、`glm-5:cloud`）与本地模型一起使用。
+
+要使用云端模型，请在设置期间选择 **Cloud + Local** 模式。向导会检查你是否已登录，并在需要时打开浏览器登录流程。如果无法验证认证状态，向导会回退到本地模型默认值。
+
+你也可以直接在 [ollama.com/signin](https://ollama.com/signin) 登录。
+
 ## 高级用法
 
 ### 推理模型
 
-当 Ollama 在 `/api/show` 中报告 `thinking` 时，OpenClaw 会将模型标记为具有推理能力：
+OpenClaw 默认会将名称中包含 `deepseek-r1`、`reasoning` 或 `think` 的模型视为支持推理的模型：
 
 ```bash
 ollama pull deepseek-r1:32b
 ```
 
-### 模型费用
+### 模型成本
 
-Ollama 免费且在本地运行，因此所有模型费用均设置为 $0。
+Ollama 是免费的，并且在本地运行，因此所有模型成本都设置为 $0。
+
+### 流式传输配置
+
+OpenClaw 的 Ollama 集成默认使用 **原生 Ollama API**（`/api/chat`），它完全支持同时进行流式传输和工具调用。无需任何特殊配置。
+
+#### 旧版 OpenAI 兼容模式
+
+<Warning>
+**在 OpenAI 兼容模式下，工具调用并不可靠。** 只有当你需要为代理使用 OpenAI 格式，并且不依赖原生工具调用行为时，才使用这种模式。
+</Warning>
+
+如果你确实需要改用 OpenAI 兼容端点（例如，在只支持 OpenAI 格式的代理之后），请显式设置 `api: "openai-completions"`：
+
+```json5
+{
+  models: {
+    providers: {
+      ollama: {
+        baseUrl: "http://ollama-host:11434/v1",
+        api: "openai-completions",
+        injectNumCtxForOpenAICompat: true, // 默认：true
+        apiKey: "ollama-local",
+        models: [...]
+      }
+    }
+  }
+}
+```
+
+这种模式可能不支持同时进行流式传输 + 工具调用。你可能需要在模型配置中通过 `params: { streaming: false }` 禁用流式传输。
+
+当 Ollama 使用 `api: "openai-completions"` 时，OpenClaw 默认会注入 `options.num_ctx`，这样 Ollama 就不会静默回退到 4096 上下文窗口。如果你的代理/上游拒绝未知的 `options` 字段，请禁用此行为：
+
+```json5
+{
+  models: {
+    providers: {
+      ollama: {
+        baseUrl: "http://ollama-host:11434/v1",
+        api: "openai-completions",
+        injectNumCtxForOpenAICompat: false,
+        apiKey: "ollama-local",
+        models: [...]
+      }
+    }
+  }
+}
+```
 
 ### 上下文窗口
 
-对于自动发现的模型，OpenClaw 会使用 Ollama 报告的上下文窗口（如果可用），否则默认为 `8192`。你可以在显式提供商配置中覆盖 `contextWindow` 和 `maxTokens`。
+对于自动发现的模型，OpenClaw 会在 Ollama 提供时使用其报告的上下文窗口，否则回退到 OpenClaw 使用的默认 Ollama 上下文窗口。你可以在显式提供商配置中覆盖 `contextWindow` 和 `maxTokens`。
 
 ## 故障排除
 
-### Ollama 未被检测到
+### 未检测到 Ollama
 
-确保 Ollama 正在运行，且你已设置 `OLLAMA_API_KEY`（或认证配置），并且**未**定义显式的 `models.providers.ollama` 条目：
+请确认 Ollama 正在运行，并且你已设置 `OLLAMA_API_KEY`（或凭证配置文件），而且**没有**定义显式的 `models.providers.ollama` 条目：
 
 ```bash
 ollama serve
 ```
 
-同时确认 API 可访问：
+并确认 API 可访问：
 
 ```bash
 curl http://localhost:11434/api/tags
@@ -199,24 +326,26 @@ curl http://localhost:11434/api/tags
 
 ### 没有可用模型
 
-OpenClaw 仅自动发现报告了工具支持的模型。如果你的模型未列出，可以：
+如果没有列出你的模型，可以：
 
-- 拉取一个支持工具调用的模型，或
+- 在本地拉取该模型，或者
 - 在 `models.providers.ollama` 中显式定义该模型。
 
 添加模型：
 
 ```bash
 ollama list  # 查看已安装的模型
-ollama pull llama3.3  # 拉取模型
+ollama pull glm-4.7-flash
+ollama pull gpt-oss:20b
+ollama pull llama3.3     # 或其他模型
 ```
 
 ### 连接被拒绝
 
-检查 Ollama 是否在正确的端口上运行：
+检查 Ollama 是否正在正确的端口上运行：
 
 ```bash
-# 检查 Ollama 是否在运行
+# 检查 Ollama 是否正在运行
 ps aux | grep ollama
 
 # 或重启 Ollama
@@ -225,6 +354,6 @@ ollama serve
 
 ## 另请参阅
 
-- [模型提供商](/concepts/model-providers) - 所有提供商概览
-- [模型选择](/concepts/models) - 如何选择模型
-- [配置](/gateway/configuration) - 完整配置参考
+- [Model Providers](/concepts/model-providers) - 所有提供商的概览
+- [Model Selection](/concepts/models) - 如何选择模型
+- [Configuration](/gateway/configuration) - 完整配置参考
diff --git a/docs/zh-CN/providers/openai.md b/docs/zh-CN/providers/openai.md
index 72c86e63a0a..74833aa1cfb 100644
--- a/docs/zh-CN/providers/openai.md
+++ b/docs/zh-CN/providers/openai.md
@@ -1,32 +1,34 @@
 ---
 read_when:
   - 你想在 OpenClaw 中使用 OpenAI 模型
-  - 你想使用 Codex 订阅认证而非 API 密钥
+  - 你想使用 Codex 订阅身份验证而不是 API 密钥
 summary: 在 OpenClaw 中通过 API 密钥或 Codex 订阅使用 OpenAI
 title: OpenAI
 x-i18n:
-  generated_at: "2026-02-01T21:35:10Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: f15365d5d616258f6035b986d80fe6acd1be5836a07e5bb68236688ef2952ef7
+  generated_at: "2026-03-16T06:26:45Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: a348d8fca7b809f84c6b90bf6a799e0a070a6e7b98a78b2cd2d747bb3d2b2212
   source_path: providers/openai.md
   workflow: 15
 ---
 
 # OpenAI
 
-OpenAI 提供 GPT 模型的开发者 API。Codex 支持**ChatGPT 登录**进行订阅访问，或**API 密钥**登录进行按量计费访问。Codex 云端需要 ChatGPT 登录。
+OpenAI 为 GPT 模型提供开发者 API。Codex 支持**ChatGPT 登录**以进行订阅
+访问，也支持**API 密钥**登录以进行按使用量计费的访问。Codex cloud 需要 ChatGPT 登录。
+OpenAI 明确支持在 OpenClaw 这样的外部工具/工作流中使用订阅 OAuth。
 
-## 方式 A：OpenAI API 密钥（OpenAI Platform）
+## 选项 A：OpenAI API 密钥（OpenAI Platform）
 
-**适用于：**直接 API 访问和按量计费。
+**最适合：** 直接 API 访问和按使用量计费。
 从 OpenAI 控制台获取你的 API 密钥。
 
 ### CLI 设置
 
 ```bash
 openclaw onboard --auth-choice openai-api-key
-# 或非交互式
+# or non-interactive
 openclaw onboard --openai-api-key "$OPENAI_API_KEY"
 ```
 
@@ -35,34 +37,272 @@ openclaw onboard --openai-api-key "$OPENAI_API_KEY"
 ```json5
 {
   env: { OPENAI_API_KEY: "sk-..." },
-  agents: { defaults: { model: { primary: "openai/gpt-5.2" } } },
+  agents: { defaults: { model: { primary: "openai/gpt-5.4" } } },
 }
 ```
 
-## 方式 B：OpenAI Code（Codex）订阅
+OpenAI 当前的 API 模型文档将 `gpt-5.4` 和 `gpt-5.4-pro` 列为直接
+OpenAI API 用法的模型。OpenClaw 会通过 `openai/*` Responses 路径转发这两者。
+OpenClaw 会有意隐藏过时的 `openai/gpt-5.3-codex-spark` 条目，
+因为直接 OpenAI API 调用会在实际流量中拒绝它。
 
-**适用于：**使用 ChatGPT/Codex 订阅访问而非 API 密钥。
-Codex 云端需要 ChatGPT 登录，而 Codex CLI 支持 ChatGPT 或 API 密钥登录。
+OpenClaw **不会**在直接 OpenAI
+API 路径上暴露 `openai/gpt-5.3-codex-spark`。`pi-ai` 仍然为该模型提供内置条目，但当前实际 OpenAI API
+请求会拒绝它。在 OpenClaw 中，Spark 被视为仅限 Codex。
 
-### CLI 设置
+## 选项 B：OpenAI Code（Codex）订阅
+
+**最适合：** 使用 ChatGPT/Codex 订阅访问，而不是 API 密钥。
+Codex cloud 需要 ChatGPT 登录，而 Codex CLI 支持 ChatGPT 或 API 密钥登录。
+
+### CLI 设置（Codex OAuth）
 
 ```bash
-# 在向导中运行 Codex OAuth
+# Run Codex OAuth in the wizard
 openclaw onboard --auth-choice openai-codex
 
-# 或直接运行 OAuth
+# Or run OAuth directly
 openclaw models auth login --provider openai-codex
 ```
 
-### 配置片段
+### 配置片段（Codex 订阅）
 
 ```json5
 {
-  agents: { defaults: { model: { primary: "openai-codex/gpt-5.2" } } },
+  agents: { defaults: { model: { primary: "openai-codex/gpt-5.4" } } },
 }
 ```
 
-## 注意事项
+OpenAI 当前的 Codex 文档将 `gpt-5.4` 列为当前 Codex 模型。OpenClaw
+会将其映射为 `openai-codex/gpt-5.4`，用于 ChatGPT/Codex OAuth。
 
-- 模型引用始终使用 `provider/model` 格式（参见 [/concepts/models](/concepts/models)）。
-- 认证详情和复用规则请参阅 [/concepts/oauth](/concepts/oauth)。
+如果你的 Codex 账户有权使用 Codex Spark，OpenClaw 也支持：
+
+- `openai-codex/gpt-5.3-codex-spark`
+
+OpenClaw 将 Codex Spark 视为仅限 Codex。它不会暴露直接的
+`openai/gpt-5.3-codex-spark` API 密钥路径。
+
+当 `pi-ai`
+发现 `openai-codex/gpt-5.3-codex-spark` 时，OpenClaw 也会保留它。请将其视为依赖 entitlement 且处于实验阶段：Codex Spark 与 GPT-5.4 `/fast` 分开，是否可用取决于已登录的 Codex /
+ChatGPT 账户。
+
+### 默认传输
+
+OpenClaw 使用 `pi-ai` 进行模型流式传输。对于 `openai/*` 和
+`openai-codex/*`，默认传输都是 `"auto"`（优先 WebSocket，然后回退到 SSE）。
+
+你可以设置 `agents.defaults.models.<provider/model>.params.transport`：
+
+- `"sse"`：强制使用 SSE
+- `"websocket"`：强制使用 WebSocket
+- `"auto"`：尝试 WebSocket，然后回退到 SSE
+
+对于 `openai/*`（Responses API），当使用 WebSocket 传输时，
+OpenClaw 还会默认启用 WebSocket 预热
+（`openaiWsWarmup: true`）。
+
+相关 OpenAI 文档：
+
+- [Realtime API with WebSocket](https://platform.openai.com/docs/guides/realtime-websocket)
+- [Streaming API responses (SSE)](https://platform.openai.com/docs/guides/streaming-responses)
+
+```json5
+{
+  agents: {
+    defaults: {
+      model: { primary: "openai-codex/gpt-5.4" },
+      models: {
+        "openai-codex/gpt-5.4": {
+          params: {
+            transport: "auto",
+          },
+        },
+      },
+    },
+  },
+}
+```
+
+### OpenAI WebSocket 预热
+
+OpenAI 文档将预热描述为可选。OpenClaw 对
+`openai/*` 默认启用它，以在使用 WebSocket 传输时减少首次响应延迟。
+
+### 禁用预热
+
+```json5
+{
+  agents: {
+    defaults: {
+      models: {
+        "openai/gpt-5.4": {
+          params: {
+            openaiWsWarmup: false,
+          },
+        },
+      },
+    },
+  },
+}
+```
+
+### 显式启用预热
+
+```json5
+{
+  agents: {
+    defaults: {
+      models: {
+        "openai/gpt-5.4": {
+          params: {
+            openaiWsWarmup: true,
+          },
+        },
+      },
+    },
+  },
+}
+```
+
+### OpenAI 优先处理
+
+OpenAI 的 API 通过 `service_tier=priority` 暴露优先处理。在
+OpenClaw 中，设置 `agents.defaults.models["openai/<model>"].params.serviceTier`，即可
+在直接 `openai/*` Responses 请求中透传该字段。
+
+```json5
+{
+  agents: {
+    defaults: {
+      models: {
+        "openai/gpt-5.4": {
+          params: {
+            serviceTier: "priority",
+          },
+        },
+      },
+    },
+  },
+}
+```
+
+支持的值为 `auto`、`default`、`flex` 和 `priority`。
+
+### OpenAI 快速模式
+
+OpenClaw 为 `openai/*` 和
+`openai-codex/*` 会话公开了共享快速模式开关：
+
+- 聊天/UI：`/fast status|on|off`
+- 配置：`agents.defaults.models["<provider>/<model>"].params.fastMode`
+
+启用快速模式后，OpenClaw 会应用低延迟 OpenAI 配置：
+
+- 当负载未明确指定 reasoning 时，设置 `reasoning.effort = "low"`
+- 当负载未明确指定 verbosity 时，设置 `text.verbosity = "low"`
+- 对直接发往 `api.openai.com` 的 `openai/*` Responses 调用设置 `service_tier = "priority"`
+
+示例：
+
+```json5
+{
+  agents: {
+    defaults: {
+      models: {
+        "openai/gpt-5.4": {
+          params: {
+            fastMode: true,
+          },
+        },
+        "openai-codex/gpt-5.4": {
+          params: {
+            fastMode: true,
+          },
+        },
+      },
+    },
+  },
+}
+```
+
+会话覆盖优先于配置。在会话 UI 中清除会话覆盖后，
+该会话会恢复为配置的默认值。
+
+### OpenAI Responses 服务端压缩
+
+对于直接 OpenAI Responses 模型（使用 `api: "openai-responses"` 的 `openai/*`，
+且 `baseUrl` 指向 `api.openai.com`），OpenClaw 现在会自动启用 OpenAI 服务端
+压缩负载提示：
+
+- 强制设置 `store: true`（除非模型兼容性设置 `supportsStore: false`）
+- 注入 `context_management: [{ type: "compaction", compact_threshold: ... }]`
+
+默认情况下，`compact_threshold` 为模型 `contextWindow` 的 `70%`（或在不可用时为 `80000`）。
+
+### 显式启用服务端压缩
+
+当你想在兼容的
+Responses 模型上强制注入 `context_management` 时使用此设置（例如 Azure OpenAI Responses）：
+
+```json5
+{
+  agents: {
+    defaults: {
+      models: {
+        "azure-openai-responses/gpt-5.4": {
+          params: {
+            responsesServerCompaction: true,
+          },
+        },
+      },
+    },
+  },
+}
+```
+
+### 使用自定义阈值启用
+
+```json5
+{
+  agents: {
+    defaults: {
+      models: {
+        "openai/gpt-5.4": {
+          params: {
+            responsesServerCompaction: true,
+            responsesCompactThreshold: 120000,
+          },
+        },
+      },
+    },
+  },
+}
+```
+
+### 禁用服务端压缩
+
+```json5
+{
+  agents: {
+    defaults: {
+      models: {
+        "openai/gpt-5.4": {
+          params: {
+            responsesServerCompaction: false,
+          },
+        },
+      },
+    },
+  },
+}
+```
+
+`responsesServerCompaction` 仅控制 `context_management` 注入。
+直接 OpenAI Responses 模型仍会强制设置 `store: true`，除非兼容性设置
+了 `supportsStore: false`。
+
+## 说明
+
+- 模型引用始终使用 `provider/model`（参见 [/concepts/models](/concepts/models)）。
+- 身份验证详情和复用规则见 [/concepts/oauth](/concepts/oauth)。
diff --git a/docs/zh-CN/providers/opencode-go.md b/docs/zh-CN/providers/opencode-go.md
new file mode 100644
index 00000000000..2b916d057ff
--- /dev/null
+++ b/docs/zh-CN/providers/opencode-go.md
@@ -0,0 +1,52 @@
+---
+read_when:
+  - 你想使用 OpenCode Go 目录
+  - 你需要了解 Go 托管模型的运行时模型引用
+summary: 使用共享的 OpenCode 设置来使用 OpenCode Go 目录
+title: OpenCode Go
+x-i18n:
+  generated_at: "2026-03-16T06:26:48Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 8650af7c64220c14bab8c22472fff8bebd7abde253e972b6a11784ad833d321c
+  source_path: providers/opencode-go.md
+  workflow: 15
+---
+
+# OpenCode Go
+
+OpenCode Go 是 [OpenCode](/providers/opencode) 中的 Go 目录。
+它使用与 Zen 目录相同的 `OPENCODE_API_KEY`，但保留运行时
+提供商 id `opencode-go`，以便上游按模型路由保持正确。
+
+## 支持的模型
+
+- `opencode-go/kimi-k2.5`
+- `opencode-go/glm-5`
+- `opencode-go/minimax-m2.5`
+
+## CLI 设置
+
+```bash
+openclaw onboard --auth-choice opencode-go
+# 或非交互式
+openclaw onboard --opencode-go-api-key "$OPENCODE_API_KEY"
+```
+
+## 配置片段
+
+```json5
+{
+  env: { OPENCODE_API_KEY: "YOUR_API_KEY_HERE" }, // pragma: allowlist secret
+  agents: { defaults: { model: { primary: "opencode-go/kimi-k2.5" } } },
+}
+```
+
+## 路由行为
+
+当模型引用使用 `opencode-go/...` 时，OpenClaw 会自动处理按模型路由。
+
+## 说明
+
+- 共享的新手引导和目录概览请使用 [OpenCode](/providers/opencode)。
+- 运行时引用保持显式：Zen 使用 `opencode/...`，Go 使用 `opencode-go/...`。
diff --git a/docs/zh-CN/providers/opencode.md b/docs/zh-CN/providers/opencode.md
index 06b0c6b61fc..18056c43751 100644
--- a/docs/zh-CN/providers/opencode.md
+++ b/docs/zh-CN/providers/opencode.md
@@ -1,41 +1,71 @@
 ---
 read_when:
-  - 你想通过 OpenCode Zen 访问模型
-  - 你想要一个适合编程的精选模型列表
-summary: 在 OpenClaw 中使用 OpenCode Zen（精选模型）
-title: OpenCode Zen
+  - 你想使用 OpenCode 托管的模型访问
+  - 你想在 Zen 和 Go 目录之间进行选择
+summary: 在 OpenClaw 中使用 OpenCode Zen 和 Go 目录
+title: OpenCode
 x-i18n:
-  generated_at: "2026-02-01T21:35:16Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: 1390f9803a3cac48cb40694dd69267e3ddccd203a4ce8babda3198b926b5f6a3
+  generated_at: "2026-03-16T06:26:52Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 9ffe65d152d1835163f9f5ae4cc966e29bd01a9dbb88187c24d149c960c8225d
   source_path: providers/opencode.md
   workflow: 15
 ---
 
-# OpenCode Zen
+# OpenCode
 
-OpenCode Zen 是由 OpenCode 团队推荐的一组**精选模型列表**，适用于编程智能体。它是一个可选的托管模型访问路径，使用 API 密钥和 `opencode` 提供商。Zen 目前处于测试阶段。
+OpenCode 在 OpenClaw 中提供两个托管目录：
+
+- `opencode/...` 用于 **Zen** 目录
+- `opencode-go/...` 用于 **Go** 目录
+
+两个目录都使用相同的 OpenCode API 密钥。OpenClaw 会将运行时提供商 ID
+保持拆分，以便上游按模型路由保持正确，但新手引导和文档将它们视为
+同一个 OpenCode 设置。
 
 ## CLI 设置
 
+### Zen 目录
+
 ```bash
 openclaw onboard --auth-choice opencode-zen
-# 或非交互式
 openclaw onboard --opencode-zen-api-key "$OPENCODE_API_KEY"
 ```
 
+### Go 目录
+
+```bash
+openclaw onboard --auth-choice opencode-go
+openclaw onboard --opencode-go-api-key "$OPENCODE_API_KEY"
+```
+
 ## 配置片段
 
 ```json5
 {
   env: { OPENCODE_API_KEY: "sk-..." },
-  agents: { defaults: { model: { primary: "opencode/claude-opus-4-5" } } },
+  agents: { defaults: { model: { primary: "opencode/claude-opus-4-6" } } },
 }
 ```
 
-## 注意事项
+## 目录
+
+### Zen
+
+- 运行时提供商：`opencode`
+- 示例模型：`opencode/claude-opus-4-6`、`opencode/gpt-5.2`、`opencode/gemini-3-pro`
+- 适合你想使用精选的 OpenCode 多模型代理时
+
+### Go
+
+- 运行时提供商：`opencode-go`
+- 示例模型：`opencode-go/kimi-k2.5`、`opencode-go/glm-5`、`opencode-go/minimax-m2.5`
+- 适合你想使用 OpenCode 托管的 Kimi/GLM/MiniMax 产品线时
+
+## 说明
 
 - 也支持 `OPENCODE_ZEN_API_KEY`。
-- 你需要登录 Zen，添加账单信息，然后复制你的 API 密钥。
-- OpenCode Zen 按请求计费；详情请查看 OpenCode 控制台。
+- 在设置期间输入一个 OpenCode 密钥，会为两个运行时提供商都存储凭证。
+- 你需要登录 OpenCode、添加计费信息，然后复制你的 API 密钥。
+- 计费和目录可用性由 OpenCode 仪表板管理。
diff --git a/docs/zh-CN/providers/openrouter.md b/docs/zh-CN/providers/openrouter.md
index 25e57f190b2..1f79bd9299d 100644
--- a/docs/zh-CN/providers/openrouter.md
+++ b/docs/zh-CN/providers/openrouter.md
@@ -1,13 +1,13 @@
 ---
 read_when:
-  - 你想用一个 API 密钥访问多种 LLM
-  - 你想在 OpenClaw 中通过 OpenRouter 运行模型
-summary: 使用 OpenRouter 的统一 API 在 OpenClaw 中访问多种模型
+  - 你想用一个 API key 访问许多 LLM
+  - 你想通过 OpenRouter 在 OpenClaw 中运行模型
+summary: 使用 OpenRouter 的统一 API 在 OpenClaw 中访问许多模型
 title: OpenRouter
 x-i18n:
-  generated_at: "2026-02-01T21:35:19Z"
-  model: claude-opus-4-5
-  provider: pi
+  generated_at: "2026-03-16T06:26:52Z"
+  model: gpt-5.4
+  provider: openai
   source_hash: b7e29fc9c456c64d567dd909a85166e6dea8388ebd22155a31e69c970e081586
   source_path: providers/openrouter.md
   workflow: 15
@@ -15,7 +15,8 @@ x-i18n:
 
 # OpenRouter
 
-OpenRouter 提供了一个**统一 API**，通过单一端点和 API 密钥将请求路由到多种模型。它兼容 OpenAI，因此大多数 OpenAI SDK 只需切换 base URL 即可使用。
+OpenRouter 提供一个**统一 API**，可通过单个
+端点和 API key 将请求路由到许多模型。它与 OpenAI 兼容，因此大多数 OpenAI SDK 只需切换 base URL 即可使用。
 
 ## CLI 设置
 
@@ -36,8 +37,8 @@ openclaw onboard --auth-choice apiKey --token-provider openrouter --token "$OPEN
 }
 ```
 
-## 注意事项
+## 说明
 
 - 模型引用格式为 `openrouter/<provider>/<model>`。
-- 更多模型/提供商选项，请参阅[模型提供商](/concepts/model-providers)。
-- OpenRouter 底层使用 Bearer 令牌和你的 API 密钥进行认证。
+- 关于更多模型/提供商选项，请参阅 [/concepts/model-providers](/concepts/model-providers)。
+- OpenRouter 在底层使用带有你的 API key 的 Bearer token。
diff --git a/docs/zh-CN/providers/qianfan.md b/docs/zh-CN/providers/qianfan.md
index 4bb17cee5c8..67a438a2a69 100644
--- a/docs/zh-CN/providers/qianfan.md
+++ b/docs/zh-CN/providers/qianfan.md
@@ -1,8 +1,45 @@
 ---
-summary: 使用千帆统一 API 在 OpenClaw 中接入多种模型
-title: 千帆（Qianfan）
+read_when:
+  - 你想用一个 API key 访问许多 LLM
+  - 你需要 Baidu Qianfan 设置指南
+summary: 使用 Qianfan 的统一 API 在 OpenClaw 中访问许多模型
+title: Qianfan
+x-i18n:
+  generated_at: "2026-03-16T06:26:58Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 2ca710b422f190b65d23db51a3219f0abd67074fb385251efeca6eae095d02e0
+  source_path: providers/qianfan.md
+  workflow: 15
 ---
 
-# 千帆（Qianfan）
+# Qianfan 提供商指南
 
-该页面是英文文档的中文占位版本，完整内容请先参考英文版：[Qianfan](/providers/qianfan)。
+Qianfan 是 Baidu 的 MaaS 平台，提供一个**统一 API**，可通过单个
+端点和 API key 将请求路由到许多模型。它与 OpenAI 兼容，因此大多数 OpenAI SDK 只需切换 base URL 即可使用。
+
+## 前提条件
+
+1. 一个已开通 Qianfan API 访问权限的 Baidu Cloud 账号
+2. 一个来自 Qianfan 控制台的 API key
+3. 已在你的系统上安装 OpenClaw
+
+## 获取 API key
+
+1. 访问 [Qianfan Console](https://console.bce.baidu.com/qianfan/ais/console/apiKey)
+2. 创建一个新应用，或选择一个现有应用
+3. 生成一个 API key（格式：`bce-v3/ALTAK-...`）
+4. 复制该 API key 以在 OpenClaw 中使用
+
+## CLI 设置
+
+```bash
+openclaw onboard --auth-choice qianfan-api-key
+```
+
+## 相关文档
+
+- [OpenClaw Configuration](/gateway/configuration)
+- [Model Providers](/concepts/model-providers)
+- [Agent Setup](/concepts/agent)
+- [Qianfan API Documentation](https://cloud.baidu.com/doc/qianfan-api/s/3m7of64lb)
diff --git a/docs/zh-CN/providers/sglang.md b/docs/zh-CN/providers/sglang.md
new file mode 100644
index 00000000000..6fb29dc94b9
--- /dev/null
+++ b/docs/zh-CN/providers/sglang.md
@@ -0,0 +1,111 @@
+---
+read_when:
+  - 你想让 OpenClaw 连接本地 SGLang 服务器运行
+  - 你想通过自己的模型使用兼容 OpenAI 的 `/v1` 端点
+summary: 让 OpenClaw 与 SGLang 一起运行（兼容 OpenAI 的自托管服务器）
+title: SGLang
+x-i18n:
+  generated_at: "2026-03-16T06:27:01Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 26ba858c46bc2b82088274c62270500ffc243e5fb505b8aaaffc096d835187b0
+  source_path: providers/sglang.md
+  workflow: 15
+---
+
+# SGLang
+
+SGLang 可以通过**兼容 OpenAI** 的 HTTP API 提供开源模型服务。
+OpenClaw 可以使用 `openai-completions` API 连接到 SGLang。
+
+当你通过 `SGLANG_API_KEY` 选择加入时，OpenClaw 还可以**自动发现**
+SGLang 提供的可用模型（如果你的服务器不强制身份验证，任意值都可）
+并且你没有定义显式的 `models.providers.sglang` 条目。
+
+## 快速开始
+
+1. 使用兼容 OpenAI 的服务器启动 SGLang。
+
+你的基础 URL 应暴露 `/v1` 端点（例如 `/v1/models`、
+`/v1/chat/completions`）。SGLang 通常运行在：
+
+- `http://127.0.0.1:30000/v1`
+
+2. 选择加入（如果未配置身份验证，任意值都可）：
+
+```bash
+export SGLANG_API_KEY="sglang-local"
+```
+
+3. 运行新手引导并选择 `SGLang`，或直接设置模型：
+
+```bash
+openclaw onboard
+```
+
+```json5
+{
+  agents: {
+    defaults: {
+      model: { primary: "sglang/your-model-id" },
+    },
+  },
+}
+```
+
+## 模型发现（隐式提供商）
+
+当设置了 `SGLANG_API_KEY`（或存在 auth profile），并且你**没有**
+定义 `models.providers.sglang` 时，OpenClaw 将查询：
+
+- `GET http://127.0.0.1:30000/v1/models`
+
+并将返回的 ID 转换为模型条目。
+
+如果你显式设置了 `models.providers.sglang`，则会跳过自动发现，
+你必须手动定义模型。
+
+## 显式配置（手动模型）
+
+在以下情况下使用显式配置：
+
+- SGLang 运行在不同的主机/端口上。
+- 你想固定 `contextWindow`/`maxTokens` 值。
+- 你的服务器需要真实 API 密钥（或者你想控制请求头）。
+
+```json5
+{
+  models: {
+    providers: {
+      sglang: {
+        baseUrl: "http://127.0.0.1:30000/v1",
+        apiKey: "${SGLANG_API_KEY}",
+        api: "openai-completions",
+        models: [
+          {
+            id: "your-model-id",
+            name: "本地 SGLang 模型",
+            reasoning: false,
+            input: ["text"],
+            cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
+            contextWindow: 128000,
+            maxTokens: 8192,
+          },
+        ],
+      },
+    },
+  },
+}
+```
+
+## 故障排除
+
+- 检查服务器是否可访问：
+
+```bash
+curl http://127.0.0.1:30000/v1/models
+```
+
+- 如果请求因身份验证错误而失败，请设置与
+  你的服务器配置匹配的真实 `SGLANG_API_KEY`，或者在
+  `models.providers.sglang` 下显式配置该提供商。
diff --git a/docs/zh-CN/providers/synthetic.md b/docs/zh-CN/providers/synthetic.md
index 168cb440c38..ddb4498153e 100644
--- a/docs/zh-CN/providers/synthetic.md
+++ b/docs/zh-CN/providers/synthetic.md
@@ -1,35 +1,36 @@
 ---
 read_when:
-  - 你想使用 Synthetic 作为模型提供商
-  - 你需要配置 Synthetic API 密钥或 base URL
+  - 你想将 Synthetic 用作模型提供商
+  - 你需要 Synthetic API key 或 base URL 设置
 summary: 在 OpenClaw 中使用 Synthetic 的 Anthropic 兼容 API
 title: Synthetic
 x-i18n:
-  generated_at: "2026-02-01T21:35:34Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: f3f6e3eb864661754cbe2276783c5bc96ae01cb85ee4a19c92bed7863a35a4f7
+  generated_at: "2026-03-16T06:27:11Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 3a2adb0b831babe3e88b027772167748764d85ee72d402ff759571420a91757f
   source_path: providers/synthetic.md
   workflow: 15
 ---
 
 # Synthetic
 
-Synthetic 提供兼容 Anthropic 的端点。OpenClaw 将其注册为 `synthetic` 提供商，并使用 Anthropic Messages API。
+Synthetic 提供与 Anthropic 兼容的端点。OpenClaw 将其注册为
+`synthetic` 提供商，并使用 Anthropic Messages API。
 
 ## 快速设置
 
-1. 设置 `SYNTHETIC_API_KEY`（或运行以下向导）。
+1. 设置 `SYNTHETIC_API_KEY`（或运行下面的向导）。
 2. 运行新手引导：
 
 ```bash
 openclaw onboard --auth-choice synthetic-api-key
 ```
 
-默认模型设置为：
+默认模型会设置为：
 
 ```
-synthetic/hf:MiniMaxAI/MiniMax-M2.1
+synthetic/hf:MiniMaxAI/MiniMax-M2.5
 ```
 
 ## 配置示例
@@ -39,8 +40,8 @@ synthetic/hf:MiniMaxAI/MiniMax-M2.1
   env: { SYNTHETIC_API_KEY: "sk-..." },
   agents: {
     defaults: {
-      model: { primary: "synthetic/hf:MiniMaxAI/MiniMax-M2.1" },
-      models: { "synthetic/hf:MiniMaxAI/MiniMax-M2.1": { alias: "MiniMax M2.1" } },
+      model: { primary: "synthetic/hf:MiniMaxAI/MiniMax-M2.5" },
+      models: { "synthetic/hf:MiniMaxAI/MiniMax-M2.5": { alias: "MiniMax M2.5" } },
     },
   },
   models: {
@@ -52,8 +53,8 @@ synthetic/hf:MiniMaxAI/MiniMax-M2.1
         api: "anthropic-messages",
         models: [
           {
-            id: "hf:MiniMaxAI/MiniMax-M2.1",
-            name: "MiniMax M2.1",
+            id: "hf:MiniMaxAI/MiniMax-M2.5",
+            name: "MiniMax M2.5",
             reasoning: false,
             input: ["text"],
             cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
@@ -67,36 +68,39 @@ synthetic/hf:MiniMaxAI/MiniMax-M2.1
 }
 ```
 
-注意：OpenClaw 的 Anthropic 客户端会自动在 base URL 后追加 `/v1`，因此请使用 `https://api.synthetic.new/anthropic`（而非 `/anthropic/v1`）。如果 Synthetic 更改了其 base URL，请覆盖 `models.providers.synthetic.baseUrl`。
+注意：OpenClaw 的 Anthropic 客户端会将 `/v1` 追加到 base URL 后面，因此请使用
+`https://api.synthetic.new/anthropic`（而不是 `/anthropic/v1`）。如果 Synthetic 更改了
+其 base URL，请覆盖 `models.providers.synthetic.baseUrl`。
 
 ## 模型目录
 
-以下所有模型的费用均为 `0`（输入/输出/缓存）。
+下面所有模型的成本都为 `0`（输入/输出/缓存）。
 
-| 模型 ID                                                | 上下文窗口 | 最大令牌数 | 推理  | 输入         |
-| ------------------------------------------------------ | ---------- | ---------- | ----- | ------------ |
-| `hf:MiniMaxAI/MiniMax-M2.1`                            | 192000     | 65536      | false | text         |
-| `hf:moonshotai/Kimi-K2-Thinking`                       | 256000     | 8192       | true  | text         |
-| `hf:zai-org/GLM-4.7`                                   | 198000     | 128000     | false | text         |
-| `hf:deepseek-ai/DeepSeek-R1-0528`                      | 128000     | 8192       | false | text         |
-| `hf:deepseek-ai/DeepSeek-V3-0324`                      | 128000     | 8192       | false | text         |
-| `hf:deepseek-ai/DeepSeek-V3.1`                         | 128000     | 8192       | false | text         |
-| `hf:deepseek-ai/DeepSeek-V3.1-Terminus`                | 128000     | 8192       | false | text         |
-| `hf:deepseek-ai/DeepSeek-V3.2`                         | 159000     | 8192       | false | text         |
-| `hf:meta-llama/Llama-3.3-70B-Instruct`                 | 128000     | 8192       | false | text         |
-| `hf:meta-llama/Llama-4-Maverick-17B-128E-Instruct-FP8` | 524000     | 8192       | false | text         |
-| `hf:moonshotai/Kimi-K2-Instruct-0905`                  | 256000     | 8192       | false | text         |
-| `hf:openai/gpt-oss-120b`                               | 128000     | 8192       | false | text         |
-| `hf:Qwen/Qwen3-235B-A22B-Instruct-2507`                | 256000     | 8192       | false | text         |
-| `hf:Qwen/Qwen3-Coder-480B-A35B-Instruct`               | 256000     | 8192       | false | text         |
-| `hf:Qwen/Qwen3-VL-235B-A22B-Instruct`                  | 250000     | 8192       | false | text + image |
-| `hf:zai-org/GLM-4.5`                                   | 128000     | 128000     | false | text         |
-| `hf:zai-org/GLM-4.6`                                   | 198000     | 128000     | false | text         |
-| `hf:deepseek-ai/DeepSeek-V3`                           | 128000     | 8192       | false | text         |
-| `hf:Qwen/Qwen3-235B-A22B-Thinking-2507`                | 256000     | 8192       | true  | text         |
+| 模型 ID                                                | 上下文窗口 | 最大 tokens | 推理  | 输入         |
+| ------------------------------------------------------ | ---------- | ----------- | ----- | ------------ |
+| `hf:MiniMaxAI/MiniMax-M2.5`                            | 192000     | 65536       | false | text         |
+| `hf:moonshotai/Kimi-K2-Thinking`                       | 256000     | 8192        | true  | text         |
+| `hf:zai-org/GLM-4.7`                                   | 198000     | 128000      | false | text         |
+| `hf:deepseek-ai/DeepSeek-R1-0528`                      | 128000     | 8192        | false | text         |
+| `hf:deepseek-ai/DeepSeek-V3-0324`                      | 128000     | 8192        | false | text         |
+| `hf:deepseek-ai/DeepSeek-V3.1`                         | 128000     | 8192        | false | text         |
+| `hf:deepseek-ai/DeepSeek-V3.1-Terminus`                | 128000     | 8192        | false | text         |
+| `hf:deepseek-ai/DeepSeek-V3.2`                         | 159000     | 8192        | false | text         |
+| `hf:meta-llama/Llama-3.3-70B-Instruct`                 | 128000     | 8192        | false | text         |
+| `hf:meta-llama/Llama-4-Maverick-17B-128E-Instruct-FP8` | 524000     | 8192        | false | text         |
+| `hf:moonshotai/Kimi-K2-Instruct-0905`                  | 256000     | 8192        | false | text         |
+| `hf:openai/gpt-oss-120b`                               | 128000     | 8192        | false | text         |
+| `hf:Qwen/Qwen3-235B-A22B-Instruct-2507`                | 256000     | 8192        | false | text         |
+| `hf:Qwen/Qwen3-Coder-480B-A35B-Instruct`               | 256000     | 8192        | false | text         |
+| `hf:Qwen/Qwen3-VL-235B-A22B-Instruct`                  | 250000     | 8192        | false | text + image |
+| `hf:zai-org/GLM-4.5`                                   | 128000     | 128000      | false | text         |
+| `hf:zai-org/GLM-4.6`                                   | 198000     | 128000      | false | text         |
+| `hf:deepseek-ai/DeepSeek-V3`                           | 128000     | 8192        | false | text         |
+| `hf:Qwen/Qwen3-235B-A22B-Thinking-2507`                | 256000     | 8192        | true  | text         |
 
-## 注意事项
+## 说明
 
-- 模型引用格式为 `synthetic/<modelId>`。
-- 如果启用了模型允许列表（`agents.defaults.models`），请添加你计划使用的所有模型。
-- 参阅[模型提供商](/concepts/model-providers)了解提供商规则。
+- 模型引用使用 `synthetic/<modelId>`。
+- 如果你启用了模型允许列表（`agents.defaults.models`），请添加你
+  计划使用的每个模型。
+- 有关提供商规则，请参阅 [Model providers](/concepts/model-providers)。
diff --git a/docs/zh-CN/providers/together.md b/docs/zh-CN/providers/together.md
new file mode 100644
index 00000000000..c3d2bf533ef
--- /dev/null
+++ b/docs/zh-CN/providers/together.md
@@ -0,0 +1,72 @@
+---
+read_when:
+  - 你想在 OpenClaw 中使用 Together AI
+  - 你需要 API 密钥环境变量或 CLI 身份验证选项
+summary: Together AI 设置（身份验证 + 模型选择）
+x-i18n:
+  generated_at: "2026-03-16T06:27:08Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 4f2ba5a12b03d0140feba4f54e0540bb57237cd131c8f1d826bc3629fde2d111
+  source_path: providers/together.md
+  workflow: 15
+---
+
+# Together AI
+
+[Together AI](https://together.ai) 通过统一 API 提供对领先开源模型的访问，包括 Llama、DeepSeek、Kimi 等。
+
+- 提供商：`together`
+- 身份验证：`TOGETHER_API_KEY`
+- API：兼容 OpenAI
+
+## 快速开始
+
+1. 设置 API 密钥（推荐：为 Gateway 网关存储它）：
+
+```bash
+openclaw onboard --auth-choice together-api-key
+```
+
+2. 设置默认模型：
+
+```json5
+{
+  agents: {
+    defaults: {
+      model: { primary: "together/moonshotai/Kimi-K2.5" },
+    },
+  },
+}
+```
+
+## 非交互式示例
+
+```bash
+openclaw onboard --non-interactive \
+  --mode local \
+  --auth-choice together-api-key \
+  --together-api-key "$TOGETHER_API_KEY"
+```
+
+这会将 `together/moonshotai/Kimi-K2.5` 设置为默认模型。
+
+## 环境说明
+
+如果 Gateway 网关作为守护进程运行（launchd/systemd），请确保 `TOGETHER_API_KEY`
+对该进程可用（例如在 `~/.openclaw/.env` 中，或通过
+`env.shellEnv`）。
+
+## 可用模型
+
+Together AI 提供对许多热门开源模型的访问：
+
+- **GLM 4.7 Fp8** - 具有 200K 上下文窗口的默认模型
+- **Llama 3.3 70B Instruct Turbo** - 快速、高效的指令跟随模型
+- **Llama 4 Scout** - 具备图像理解能力的视觉模型
+- **Llama 4 Maverick** - 高级视觉和推理模型
+- **DeepSeek V3.1** - 强大的编码和推理模型
+- **DeepSeek R1** - 高级推理模型
+- **Kimi K2 Instruct** - 具有 262K 上下文窗口的高性能模型
+
+所有模型都支持标准聊天补全，并兼容 OpenAI API。
diff --git a/docs/zh-CN/providers/venice.md b/docs/zh-CN/providers/venice.md
index cbc25ad8ad9..2cabcb88a40 100644
--- a/docs/zh-CN/providers/venice.md
+++ b/docs/zh-CN/providers/venice.md
@@ -1,50 +1,50 @@
 ---
 read_when:
-  - 你想在 OpenClaw 中使用注重隐私的推理服务
-  - 你需要 Venice AI 设置指导
+  - 你想在 OpenClaw 中使用注重隐私的推理
+  - 你想获得 Venice AI 设置指引
 summary: 在 OpenClaw 中使用 Venice AI 注重隐私的模型
 title: Venice AI
 x-i18n:
-  generated_at: "2026-02-01T21:36:03Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: 2453a6ec3a715c24c460f902dec1755edcad40328de2ef895e35a614a25624cf
+  generated_at: "2026-03-16T06:27:49Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: e72c7ad24b045e9695530bee80ab7213986742354b7553b72bb230b75edf76e8
   source_path: providers/venice.md
   workflow: 15
 ---
 
-# Venice AI（Venice 精选）
+# Venice AI（Venice 亮点）
 
-**Venice** 是我们精选的 Venice 隐私优先推理配置，支持可选的匿名化访问专有模型。
+**Venice** 是我们重点推荐的 Venice 设置，适用于隐私优先的推理，并可选择通过匿名访问专有模型。
 
-Venice AI 提供注重隐私的 AI 推理服务，支持无审查模型，并可通过其匿名代理访问主流专有模型。所有推理默认私密——不会用你的数据训练，不会记录日志。
+Venice AI 提供注重隐私的 AI 推理，支持未审查模型，并可通过其匿名代理访问主要专有模型。所有推理默认都是私密的——不会使用你的数据进行训练，也不会记录日志。
 
 ## 为什么在 OpenClaw 中使用 Venice
 
-- **私密推理**，适用于开源模型（无日志记录）。
-- 需要时可使用**无审查模型**。
-- 在质量重要时，可**匿名访问**专有模型（Opus/GPT/Gemini）。
+- **私密推理**，适用于开源模型（不记录日志）。
+- 当你需要时可使用**未审查模型**。
+- 当质量更重要时，可**匿名访问**专有模型（Opus/GPT/Gemini）。
 - 兼容 OpenAI 的 `/v1` 端点。
 
 ## 隐私模式
 
-Venice 提供两种隐私级别——理解这一点是选择模型的关键：
+Venice 提供两个隐私级别 —— 理解这一点对于选择你的模型至关重要：
 
-| 模式       | 描述                                                                                  | 模型                                        |
-| ---------- | ------------------------------------------------------------------------------------- | ------------------------------------------- |
-| **私密**   | 完全私密。提示词/回复**从不存储或记录**。临时性处理。                                 | Llama、Qwen、DeepSeek、Venice Uncensored 等 |
-| **匿名化** | 通过 Venice 代理转发并剥离元数据。底层提供商（OpenAI、Anthropic）收到的是匿名化请求。 | Claude、GPT、Gemini、Grok、Kimi、MiniMax    |
+| 模式     | 说明                                                                                         | 模型                                                         |
+| -------- | -------------------------------------------------------------------------------------------- | ------------------------------------------------------------ |
+| **私密** | 完全私密。提示词/响应**绝不会被存储或记录**。临时性。                                        | Llama、Qwen、DeepSeek、Kimi、MiniMax、Venice Uncensored 等。 |
+| **匿名** | 通过 Venice 代理并剥离元数据。底层提供商（OpenAI、Anthropic、Google、xAI）看到的是匿名请求。 | Claude、GPT、Gemini、Grok                                    |
 
-## 功能特性
+## 功能
 
-- **注重隐私**：可选择"私密"（完全私密）和"匿名化"（代理转发）模式
-- **无审查模型**：访问无内容限制的模型
-- **主流模型访问**：通过 Venice 匿名代理使用 Claude、GPT-5.2、Gemini、Grok
-- **兼容 OpenAI API**：标准 `/v1` 端点，易于集成
-- **流式输出**：✅ 所有模型均支持
-- **函数调用**：✅ 部分模型支持（请检查模型能力）
-- **视觉**：✅ 具有视觉能力的模型支持
-- **无硬性速率限制**：极端使用情况下可能触发公平使用限流
+- **注重隐私**：可在 “private”（完全私密）和 “anonymized”（代理）模式之间选择
+- **未审查模型**：访问不受内容限制的模型
+- **主流模型访问**：通过 Venice 的匿名代理使用 Claude、GPT、Gemini 和 Grok
+- **兼容 OpenAI 的 API**：标准 `/v1` 端点，易于集成
+- **流式传输**：✅ 所有模型都支持
+- **函数调用**：✅ 选定模型支持（请检查模型能力）
+- **视觉**：✅ 具备视觉能力的模型支持
+- **无硬性速率限制**：极端使用情况下可能会应用公平使用节流
 
 ## 设置
 
@@ -56,26 +56,26 @@ Venice 提供两种隐私级别——理解这一点是选择模型的关键：
 
 ### 2. 配置 OpenClaw
 
-**方案 A：环境变量**
+**选项 A：环境变量**
 
 ```bash
 export VENICE_API_KEY="vapi_xxxxxxxxxxxx"
 ```
 
-**方案 B：交互式设置（推荐）**
+**选项 B：交互式设置（推荐）**
 
 ```bash
 openclaw onboard --auth-choice venice-api-key
 ```
 
-这将：
+这将会：
 
-1. 提示输入你的 API 密钥（或使用已有的 `VENICE_API_KEY`）
+1. 提示输入你的 API 密钥（或使用现有的 `VENICE_API_KEY`）
 2. 显示所有可用的 Venice 模型
 3. 让你选择默认模型
-4. 自动配置提供商
+4. 自动配置该提供商
 
-**方案 C：非交互式**
+**选项 C：非交互式**
 
 ```bash
 openclaw onboard --non-interactive \
@@ -86,23 +86,23 @@ openclaw onboard --non-interactive \
 ### 3. 验证设置
 
 ```bash
-openclaw chat --model venice/llama-3.3-70b "Hello, are you working?"
+openclaw agent --model venice/kimi-k2-5 --message "Hello, are you working?"
 ```
 
 ## 模型选择
 
-设置完成后，OpenClaw 会显示所有可用的 Venice 模型。根据你的需求选择：
+设置完成后，OpenClaw 会显示所有可用的 Venice 模型。请根据你的需要进行选择：
 
-- **默认（我们的推荐）**：`venice/llama-3.3-70b`，私密且性能均衡。
-- **最佳整体质量**：`venice/claude-opus-45`，适合复杂任务（Opus 仍然是最强的）。
-- **隐私**：选择"私密"模型以获得完全私密的推理。
-- **能力**：选择"匿名化"模型以通过 Venice 代理访问 Claude、GPT、Gemini。
+- **默认模型**：`venice/kimi-k2-5`，适合强大的私密推理 + 视觉。
+- **高能力选项**：`venice/claude-opus-4-6`，适合最强的匿名 Venice 路径。
+- **隐私**：选择 “private” 模型以获得完全私密的推理。
+- **能力**：选择 “anonymized” 模型，以通过 Venice 的代理访问 Claude、GPT、Gemini。
 
-随时更改默认模型：
+你可以随时更改默认模型：
 
 ```bash
-openclaw models set venice/claude-opus-45
-openclaw models set venice/llama-3.3-70b
+openclaw models set venice/kimi-k2-5
+openclaw models set venice/claude-opus-4-6
 ```
 
 列出所有可用模型：
@@ -117,104 +117,119 @@ openclaw models list | grep venice
 2. 选择 **Model/auth**
 3. 选择 **Venice AI**
 
-## 应该使用哪个模型？
+## 我应该使用哪个模型？
 
-| 使用场景               | 推荐模型                         | 原因                         |
-| ---------------------- | -------------------------------- | ---------------------------- |
-| **通用对话**           | `llama-3.3-70b`                  | 综合表现好，完全私密         |
-| **最佳整体质量**       | `claude-opus-45`                 | Opus 在复杂任务上仍然最强    |
-| **隐私 + Claude 品质** | `claude-opus-45`                 | 通过匿名代理获得最佳推理能力 |
-| **编程**               | `qwen3-coder-480b-a35b-instruct` | 代码优化，262k 上下文        |
-| **视觉任务**           | `qwen3-vl-235b-a22b`             | 最佳私密视觉模型             |
-| **无审查**             | `venice-uncensored`              | 无内容限制                   |
-| **快速 + 低成本**      | `qwen3-4b`                       | 轻量级，仍有不错能力         |
-| **复杂推理**           | `deepseek-v3.2`                  | 推理能力强，私密             |
+| 使用场景             | 推荐模型                         | 原因                             |
+| -------------------- | -------------------------------- | -------------------------------- |
+| **通用聊天（默认）** | `kimi-k2-5`                      | 强大的私密推理 + 视觉            |
+| **整体最佳质量**     | `claude-opus-4-6`                | 最强的匿名 Venice 选项           |
+| **隐私 + 编码**      | `qwen3-coder-480b-a35b-instruct` | 具有大上下文的私密编码模型       |
+| **私密视觉**         | `kimi-k2-5`                      | 无需离开私密模式即可支持视觉     |
+| **快速 + 便宜**      | `qwen3-4b`                       | 轻量级推理模型                   |
+| **复杂私密任务**     | `deepseek-v3.2`                  | 推理能力强，但不支持 Venice 工具 |
+| **未审查**           | `venice-uncensored`              | 无内容限制                       |
 
-## 可用模型（共 25 个）
+## 可用模型（共 41 个）
 
-### 私密模型（15 个）— 完全私密，无日志记录
+### 私密模型（26 个）—— 完全私密，不记录日志
 
-| 模型 ID                          | 名称                    | 上下文（token） | 特性         |
-| -------------------------------- | ----------------------- | --------------- | ------------ |
-| `llama-3.3-70b`                  | Llama 3.3 70B           | 131k            | 通用         |
-| `llama-3.2-3b`                   | Llama 3.2 3B            | 131k            | 快速，轻量   |
-| `hermes-3-llama-3.1-405b`        | Hermes 3 Llama 3.1 405B | 131k            | 复杂任务     |
-| `qwen3-235b-a22b-thinking-2507`  | Qwen3 235B Thinking     | 131k            | 推理         |
-| `qwen3-235b-a22b-instruct-2507`  | Qwen3 235B Instruct     | 131k            | 通用         |
-| `qwen3-coder-480b-a35b-instruct` | Qwen3 Coder 480B        | 262k            | 编程         |
-| `qwen3-next-80b`                 | Qwen3 Next 80B          | 262k            | 通用         |
-| `qwen3-vl-235b-a22b`             | Qwen3 VL 235B           | 262k            | 视觉         |
-| `qwen3-4b`                       | Venice Small (Qwen3 4B) | 32k             | 快速，推理   |
-| `deepseek-v3.2`                  | DeepSeek V3.2           | 163k            | 推理         |
-| `venice-uncensored`              | Venice Uncensored       | 32k             | 无审查       |
-| `mistral-31-24b`                 | Venice Medium (Mistral) | 131k            | 视觉         |
-| `google-gemma-3-27b-it`          | Gemma 3 27B Instruct    | 202k            | 视觉         |
-| `openai-gpt-oss-120b`            | OpenAI GPT OSS 120B     | 131k            | 通用         |
-| `zai-org-glm-4.7`                | GLM 4.7                 | 202k            | 推理，多语言 |
+| 模型 ID                                | 名称                                 | 上下文 | 功能               |
+| -------------------------------------- | ------------------------------------ | ------ | ------------------ |
+| `kimi-k2-5`                            | Kimi K2.5                            | 256k   | 默认、推理、视觉   |
+| `kimi-k2-thinking`                     | Kimi K2 Thinking                     | 256k   | 推理               |
+| `llama-3.3-70b`                        | Llama 3.3 70B                        | 128k   | 通用               |
+| `llama-3.2-3b`                         | Llama 3.2 3B                         | 128k   | 通用               |
+| `hermes-3-llama-3.1-405b`              | Hermes 3 Llama 3.1 405B              | 128k   | 通用，工具已禁用   |
+| `qwen3-235b-a22b-thinking-2507`        | Qwen3 235B Thinking                  | 128k   | 推理               |
+| `qwen3-235b-a22b-instruct-2507`        | Qwen3 235B Instruct                  | 128k   | 通用               |
+| `qwen3-coder-480b-a35b-instruct`       | Qwen3 Coder 480B                     | 256k   | 编码               |
+| `qwen3-coder-480b-a35b-instruct-turbo` | Qwen3 Coder 480B Turbo               | 256k   | 编码               |
+| `qwen3-5-35b-a3b`                      | Qwen3.5 35B A3B                      | 256k   | 推理、视觉         |
+| `qwen3-next-80b`                       | Qwen3 Next 80B                       | 256k   | 通用               |
+| `qwen3-vl-235b-a22b`                   | Qwen3 VL 235B（视觉）                | 256k   | 视觉               |
+| `qwen3-4b`                             | Venice Small（Qwen3 4B）             | 32k    | 快速、推理         |
+| `deepseek-v3.2`                        | DeepSeek V3.2                        | 160k   | 推理，工具已禁用   |
+| `venice-uncensored`                    | Venice Uncensored（Dolphin-Mistral） | 32k    | 未审查，工具已禁用 |
+| `mistral-31-24b`                       | Venice Medium（Mistral）             | 128k   | 视觉               |
+| `google-gemma-3-27b-it`                | Google Gemma 3 27B Instruct          | 198k   | 视觉               |
+| `openai-gpt-oss-120b`                  | OpenAI GPT OSS 120B                  | 128k   | 通用               |
+| `nvidia-nemotron-3-nano-30b-a3b`       | NVIDIA Nemotron 3 Nano 30B           | 128k   | 通用               |
+| `olafangensan-glm-4.7-flash-heretic`   | GLM 4.7 Flash Heretic                | 128k   | 推理               |
+| `zai-org-glm-4.6`                      | GLM 4.6                              | 198k   | 通用               |
+| `zai-org-glm-4.7`                      | GLM 4.7                              | 198k   | 推理               |
+| `zai-org-glm-4.7-flash`                | GLM 4.7 Flash                        | 128k   | 推理               |
+| `zai-org-glm-5`                        | GLM 5                                | 198k   | 推理               |
+| `minimax-m21`                          | MiniMax M2.1                         | 198k   | 推理               |
+| `minimax-m25`                          | MiniMax M2.5                         | 198k   | 推理               |
 
-### 匿名化模型（10 个）— 通过 Venice 代理
+### 匿名模型（15 个）—— 通过 Venice 代理
 
-| 模型 ID                  | 原始模型          | 上下文（token） | 特性       |
-| ------------------------ | ----------------- | --------------- | ---------- |
-| `claude-opus-45`         | Claude Opus 4.5   | 202k            | 推理，视觉 |
-| `claude-sonnet-45`       | Claude Sonnet 4.5 | 202k            | 推理，视觉 |
-| `openai-gpt-52`          | GPT-5.2           | 262k            | 推理       |
-| `openai-gpt-52-codex`    | GPT-5.2 Codex     | 262k            | 推理，视觉 |
-| `gemini-3-pro-preview`   | Gemini 3 Pro      | 202k            | 推理，视觉 |
-| `gemini-3-flash-preview` | Gemini 3 Flash    | 262k            | 推理，视觉 |
-| `grok-41-fast`           | Grok 4.1 Fast     | 262k            | 推理，视觉 |
-| `grok-code-fast-1`       | Grok Code Fast 1  | 262k            | 推理，编程 |
-| `kimi-k2-thinking`       | Kimi K2 Thinking  | 262k            | 推理       |
-| `minimax-m21`            | MiniMax M2.1      | 202k            | 推理       |
+| 模型 ID                         | 名称                             | 上下文 | 功能             |
+| ------------------------------- | -------------------------------- | ------ | ---------------- |
+| `claude-opus-4-6`               | Claude Opus 4.6（通过 Venice）   | 1M     | 推理、视觉       |
+| `claude-opus-4-5`               | Claude Opus 4.5（通过 Venice）   | 198k   | 推理、视觉       |
+| `claude-sonnet-4-6`             | Claude Sonnet 4.6（通过 Venice） | 1M     | 推理、视觉       |
+| `claude-sonnet-4-5`             | Claude Sonnet 4.5（通过 Venice） | 198k   | 推理、视觉       |
+| `openai-gpt-54`                 | GPT-5.4（通过 Venice）           | 1M     | 推理、视觉       |
+| `openai-gpt-53-codex`           | GPT-5.3 Codex（通过 Venice）     | 400k   | 推理、视觉、编码 |
+| `openai-gpt-52`                 | GPT-5.2（通过 Venice）           | 256k   | 推理             |
+| `openai-gpt-52-codex`           | GPT-5.2 Codex（通过 Venice）     | 256k   | 推理、视觉、编码 |
+| `openai-gpt-4o-2024-11-20`      | GPT-4o（通过 Venice）            | 128k   | 视觉             |
+| `openai-gpt-4o-mini-2024-07-18` | GPT-4o Mini（通过 Venice）       | 128k   | 视觉             |
+| `gemini-3-1-pro-preview`        | Gemini 3.1 Pro（通过 Venice）    | 1M     | 推理、视觉       |
+| `gemini-3-pro-preview`          | Gemini 3 Pro（通过 Venice）      | 198k   | 推理、视觉       |
+| `gemini-3-flash-preview`        | Gemini 3 Flash（通过 Venice）    | 256k   | 推理、视觉       |
+| `grok-41-fast`                  | Grok 4.1 Fast（通过 Venice）     | 1M     | 推理、视觉       |
+| `grok-code-fast-1`              | Grok Code Fast 1（通过 Venice）  | 256k   | 推理、编码       |
 
 ## 模型发现
 
-当设置了 `VENICE_API_KEY` 时，OpenClaw 会自动从 Venice API 发现模型。如果 API 不可达，则回退到静态目录。
+当设置了 `VENICE_API_KEY` 时，OpenClaw 会自动从 Venice API 发现模型。如果 API 不可访问，则会回退到静态目录。
 
-`/models` 端点是公开的（列出模型无需认证），但推理需要有效的 API 密钥。
+`/models` 端点是公开的（列出模型无需身份验证），但推理需要有效的 API 密钥。
 
-## 流式输出与工具支持
+## 流式传输与工具支持
 
 | 功能          | 支持情况                                                   |
 | ------------- | ---------------------------------------------------------- |
-| **流式输出**  | ✅ 所有模型                                                |
+| **流式传输**  | ✅ 所有模型                                                |
 | **函数调用**  | ✅ 大多数模型（请检查 API 中的 `supportsFunctionCalling`） |
-| **视觉/图像** | ✅ 标记为"视觉"特性的模型                                  |
+| **视觉/图像** | ✅ 标有 “Vision” 功能的模型                                |
 | **JSON 模式** | ✅ 通过 `response_format` 支持                             |
 
 ## 定价
 
-Venice 使用积分制。请查看 [venice.ai/pricing](https://venice.ai/pricing) 了解当前费率：
+Venice 使用基于积分的系统。当前费率请查看 [venice.ai/pricing](https://venice.ai/pricing)：
 
-- **私密模型**：通常成本较低
-- **匿名化模型**：与直接 API 定价相近 + 少量 Venice 费用
+- **私密模型**：通常成本更低
+- **匿名模型**：与直接 API 定价相近，外加少量 Venice 费用
 
 ## 对比：Venice 与直接 API
 
-| 方面     | Venice（匿名化）   | 直接 API     |
-| -------- | ------------------ | ------------ |
-| **隐私** | 剥离元数据，匿名化 | 关联你的账户 |
-| **延迟** | +10-50ms（代理）   | 直连         |
-| **功能** | 支持大部分功能     | 完整功能     |
-| **计费** | Venice 积分        | 提供商计费   |
+| 方面     | Venice（匿名）       | 直接 API       |
+| -------- | -------------------- | -------------- |
+| **隐私** | 元数据被剥离，匿名化 | 关联到你的账户 |
+| **延迟** | +10-50ms（代理）     | 直接           |
+| **功能** | 支持大多数功能       | 完整功能       |
+| **计费** | Venice 积分          | 提供商计费     |
 
 ## 使用示例
 
 ```bash
 # 使用默认私密模型
-openclaw chat --model venice/llama-3.3-70b
+openclaw agent --model venice/kimi-k2-5 --message "Quick health check"
 
-# 通过 Venice 使用 Claude（匿名化）
-openclaw chat --model venice/claude-opus-45
+# 通过 Venice 使用 Claude Opus（匿名）
+openclaw agent --model venice/claude-opus-4-6 --message "Summarize this task"
 
-# 使用无审查模型
-openclaw chat --model venice/venice-uncensored
+# 使用未审查模型
+openclaw agent --model venice/venice-uncensored --message "Draft options"
 
-# 使用视觉模型处理图像
-openclaw chat --model venice/qwen3-vl-235b-a22b
+# 使用带图像的视觉模型
+openclaw agent --model venice/qwen3-vl-235b-a22b --message "Review attached image"
 
-# 使用编程模型
-openclaw chat --model venice/qwen3-coder-480b-a35b-instruct
+# 使用编码模型
+openclaw agent --model venice/qwen3-coder-480b-a35b-instruct --message "Refactor this function"
 ```
 
 ## 故障排除
@@ -226,22 +241,22 @@ echo $VENICE_API_KEY
 openclaw models list | grep venice
 ```
 
-确保密钥以 `vapi_` 开头。
+请确保该密钥以 `vapi_` 开头。
 
 ### 模型不可用
 
-Venice 模型目录会动态更新。运行 `openclaw models list` 查看当前可用的模型。部分模型可能暂时离线。
+Venice 模型目录会动态更新。运行 `openclaw models list` 以查看当前可用的模型。某些模型可能暂时离线。
 
 ### 连接问题
 
-Venice API 地址为 `https://api.venice.ai/api/v1`。确保你的网络允许 HTTPS 连接。
+Venice API 地址为 `https://api.venice.ai/api/v1`。请确保你的网络允许 HTTPS 连接。
 
 ## 配置文件示例
 
 ```json5
 {
   env: { VENICE_API_KEY: "vapi_..." },
-  agents: { defaults: { model: { primary: "venice/llama-3.3-70b" } } },
+  agents: { defaults: { model: { primary: "venice/kimi-k2-5" } } },
   models: {
     mode: "merge",
     providers: {
@@ -251,13 +266,13 @@ Venice API 地址为 `https://api.venice.ai/api/v1`。确保你的网络允许 H
         api: "openai-completions",
         models: [
           {
-            id: "llama-3.3-70b",
-            name: "Llama 3.3 70B",
-            reasoning: false,
-            input: ["text"],
+            id: "kimi-k2-5",
+            name: "Kimi K2.5",
+            reasoning: true,
+            input: ["text", "image"],
             cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
-            contextWindow: 131072,
-            maxTokens: 8192,
+            contextWindow: 256000,
+            maxTokens: 65536,
           },
         ],
       },
@@ -269,6 +284,6 @@ Venice API 地址为 `https://api.venice.ai/api/v1`。确保你的网络允许 H
 ## 链接
 
 - [Venice AI](https://venice.ai)
-- [API 文档](https://docs.venice.ai)
-- [定价](https://venice.ai/pricing)
-- [状态页](https://status.venice.ai)
+- [API Documentation](https://docs.venice.ai)
+- [Pricing](https://venice.ai/pricing)
+- [Status](https://status.venice.ai)
diff --git a/docs/zh-CN/providers/vercel-ai-gateway.md b/docs/zh-CN/providers/vercel-ai-gateway.md
index 633fc8eb0f0..919573c9778 100644
--- a/docs/zh-CN/providers/vercel-ai-gateway.md
+++ b/docs/zh-CN/providers/vercel-ai-gateway.md
@@ -1,29 +1,31 @@
 ---
 read_when:
-  - 你想将 Vercel AI Gateway 与 OpenClaw 配合使用
-  - 你需要 API 密钥环境变量或 CLI 认证选择
+  - 你想将 Vercel AI Gateway 与 OpenClaw 一起使用
+  - 你需要 API key 环境变量或 CLI 认证选项
 summary: Vercel AI Gateway 设置（认证 + 模型选择）
 title: Vercel AI Gateway
 x-i18n:
-  generated_at: "2026-02-03T07:53:39Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: c6482f047a31b09c7a691d40babbd1f9fb3aa2042b61cc42956ad9b791da8285
+  generated_at: "2026-03-16T06:27:18Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: f30768dc3db49708b25042d317906f7ad9a2c72b0fa03263bc04f5eefbf7a507
   source_path: providers/vercel-ai-gateway.md
   workflow: 15
 ---
 
 # Vercel AI Gateway
 
-[Vercel AI Gateway](https://vercel.com/ai-gateway) 提供了一个统一的 API，通过单一端点访问数百个模型。
+[Vercel AI Gateway](https://vercel.com/ai-gateway) 提供统一 API，可通过单个端点访问数百个模型。
 
 - 提供商：`vercel-ai-gateway`
 - 认证：`AI_GATEWAY_API_KEY`
 - API：兼容 Anthropic Messages
+- OpenClaw 会自动发现 Gateway 的 `/v1/models` 目录，因此 `/models vercel-ai-gateway`
+  会包含当前模型引用，例如 `vercel-ai-gateway/openai/gpt-5.4`。
 
 ## 快速开始
 
-1. 设置 API 密钥（推荐：为 Gateway 网关存储它）：
+1. 设置 API key（推荐：为 Gateway 网关持久保存它）：
 
 ```bash
 openclaw onboard --auth-choice ai-gateway-api-key
@@ -35,7 +37,7 @@ openclaw onboard --auth-choice ai-gateway-api-key
 {
   agents: {
     defaults: {
-      model: { primary: "vercel-ai-gateway/anthropic/claude-opus-4.5" },
+      model: { primary: "vercel-ai-gateway/anthropic/claude-opus-4.6" },
     },
   },
 }
@@ -50,8 +52,15 @@ openclaw onboard --non-interactive \
   --ai-gateway-api-key "$AI_GATEWAY_API_KEY"
 ```
 
-## 环境变量说明
+## 环境说明
 
-如果 Gateway 网关作为守护进程运行（launchd/systemd），请确保 `AI_GATEWAY_API_KEY`
-对该进程可用（例如，在 `~/.openclaw/.env` 中或通过
-`env.shellEnv`）。
+如果 Gateway 作为守护进程运行（launchd/systemd），请确保 `AI_GATEWAY_API_KEY`
+对此进程可用（例如放在 `~/.openclaw/.env` 中，或通过
+`env.shellEnv` 提供）。
+
+## 模型 ID 简写
+
+OpenClaw 接受 Vercel Claude 简写模型引用，并会在运行时将其规范化：
+
+- `vercel-ai-gateway/claude-opus-4.6` -> `vercel-ai-gateway/anthropic/claude-opus-4.6`
+- `vercel-ai-gateway/opus-4.6` -> `vercel-ai-gateway/anthropic/claude-opus-4-6`
diff --git a/docs/zh-CN/providers/xiaomi.md b/docs/zh-CN/providers/xiaomi.md
index 29a02427cf9..0670f99fa2a 100644
--- a/docs/zh-CN/providers/xiaomi.md
+++ b/docs/zh-CN/providers/xiaomi.md
@@ -1,13 +1,13 @@
 ---
 read_when:
   - 你想在 OpenClaw 中使用 Xiaomi MiMo 模型
-  - 你需要设置 XIAOMI_API_KEY
-summary: 在 OpenClaw 中使用 Xiaomi MiMo (mimo-v2-flash)
+  - 你需要设置 `XIAOMI_API_KEY`
+summary: 在 OpenClaw 中使用 Xiaomi MiMo（`mimo-v2-flash`）
 title: Xiaomi MiMo
 x-i18n:
-  generated_at: "2026-02-01T21:36:15Z"
-  model: claude-opus-4-5
-  provider: pi
+  generated_at: "2026-03-16T06:27:26Z"
+  model: gpt-5.4
+  provider: openai
   source_hash: 366fd2297b2caf8c5ad944d7f1b6d233b248fe43aedd22a28352ae7f370d2435
   source_path: providers/xiaomi.md
   workflow: 15
@@ -15,13 +15,16 @@ x-i18n:
 
 # Xiaomi MiMo
 
-Xiaomi MiMo 是 **MiMo** 模型的 API 平台。它提供与 OpenAI 和 Anthropic 格式兼容的 REST API，并使用 API 密钥进行身份验证。请在 [Xiaomi MiMo 控制台](https://platform.xiaomimimo.com/#/console/api-keys) 中创建你的 API 密钥。OpenClaw 使用 `xiaomi` 提供商配合 Xiaomi MiMo API 密钥。
+Xiaomi MiMo 是 **MiMo** 模型的 API 平台。它提供与
+OpenAI 和 Anthropic 格式兼容的 REST API，并使用 API key 进行认证。请在
+[Xiaomi MiMo console](https://platform.xiaomimimo.com/#/console/api-keys) 中创建你的 API key。OpenClaw 使用
+`xiaomi` 提供商配合 Xiaomi MiMo API key。
 
 ## 模型概览
 
-- **mimo-v2-flash**：262144 token 上下文窗口，兼容 Anthropic Messages API。
-- 基础 URL：`https://api.xiaomimimo.com/anthropic`
-- 授权方式：`Bearer $XIAOMI_API_KEY`
+- **mimo-v2-flash**：262144-token 上下文窗口，兼容 Anthropic Messages API。
+- Base URL：`https://api.xiaomimimo.com/anthropic`
+- 认证方式：`Bearer $XIAOMI_API_KEY`
 
 ## CLI 设置
 
@@ -61,8 +64,8 @@ openclaw onboard --auth-choice xiaomi-api-key --xiaomi-api-key "$XIAOMI_API_KEY"
 }
 ```
 
-## 备注
+## 说明
 
 - 模型引用：`xiaomi/mimo-v2-flash`。
-- 当设置了 `XIAOMI_API_KEY`（或存在身份验证配置文件）时，该提供商会自动注入。
+- 当设置了 `XIAOMI_API_KEY`（或存在凭证配置文件）时，提供商会自动注入。
 - 有关提供商规则，请参阅 [/concepts/model-providers](/concepts/model-providers)。
diff --git a/docs/zh-CN/providers/zai.md b/docs/zh-CN/providers/zai.md
index 4585b96abf6..3e8f19af06a 100644
--- a/docs/zh-CN/providers/zai.md
+++ b/docs/zh-CN/providers/zai.md
@@ -1,28 +1,38 @@
 ---
 read_when:
   - 你想在 OpenClaw 中使用 Z.AI / GLM 模型
-  - 你需要简单的 ZAI_API_KEY 配置
-summary: 在 OpenClaw 中使用智谱 AI（GLM 模型）
+  - 你需要简单的 `ZAI_API_KEY` 设置
+summary: 在 OpenClaw 中使用 Z.AI（GLM 模型）
 title: Z.AI
 x-i18n:
-  generated_at: "2026-02-01T21:36:13Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: 2c24bbad86cf86c38675a58e22f9e1b494f78a18fdc3051c1be80d2d9a800711
+  generated_at: "2026-03-16T06:27:34Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 79ea8f3d6c286b5fef090e54257eb7c60c82b29630cee3f54e96161e55349bf5
   source_path: providers/zai.md
   workflow: 15
 ---
 
 # Z.AI
 
-Z.AI 是 **GLM** 模型的 API 平台。它为 GLM 提供 REST API，并使用 API 密钥进行身份验证。请在 Z.AI 控制台中创建你的 API 密钥。OpenClaw 通过 `zai` 提供商配合 Z.AI API 密钥使用。
+Z.AI 是 **GLM** 模型的 API 平台。它为 GLM 提供 REST API，并使用 API key
+进行认证。请在 Z.AI 控制台中创建你的 API key。OpenClaw 使用 `zai` 提供商
+配合 Z.AI API key。
 
 ## CLI 设置
 
 ```bash
-openclaw onboard --auth-choice zai-api-key
-# 或非交互式
-openclaw onboard --zai-api-key "$ZAI_API_KEY"
+# Coding Plan Global，推荐给 Coding Plan 用户
+openclaw onboard --auth-choice zai-coding-global
+
+# Coding Plan CN（中国区域），推荐给 Coding Plan 用户
+openclaw onboard --auth-choice zai-coding-cn
+
+# 通用 API
+openclaw onboard --auth-choice zai-global
+
+# 通用 API CN（中国区域）
+openclaw onboard --auth-choice zai-cn
 ```
 
 ## 配置片段
@@ -30,12 +40,14 @@ openclaw onboard --zai-api-key "$ZAI_API_KEY"
 ```json5
 {
   env: { ZAI_API_KEY: "sk-..." },
-  agents: { defaults: { model: { primary: "zai/glm-4.7" } } },
+  agents: { defaults: { model: { primary: "zai/glm-5" } } },
 }
 ```
 
-## 注意事项
+## 说明
 
-- GLM 模型以 `zai/<model>` 的形式提供（例如：`zai/glm-4.7`）。
-- 参阅 [/providers/glm](/providers/glm) 了解模型系列概览。
-- Z.AI 使用 Bearer 认证方式配合你的 API 密钥。
+- GLM 模型可用作 `zai/<model>`（例如：`zai/glm-5`）。
+- `tool_stream` 默认启用，用于 Z.AI 工具调用流式传输。若要禁用，请设置
+  `agents.defaults.models["zai/<model>"].params.tool_stream` 为 `false`。
+- 关于模型家族概览，请参阅 [/providers/glm](/providers/glm)。
+- Z.AI 使用带有你的 API key 的 Bearer 认证。
diff --git a/docs/zh-CN/reference/wizard.md b/docs/zh-CN/reference/wizard.md
index 766c6899946..1bf988de3c9 100644
--- a/docs/zh-CN/reference/wizard.md
+++ b/docs/zh-CN/reference/wizard.md
@@ -1,9 +1,242 @@
 ---
-summary: Onboarding 向导参考：完整步骤、参数与配置字段
-title: 向导参考
-sidebarTitle: 向导参考
+read_when:
+  - 查找特定的向导步骤或标志
+  - 使用非交互模式自动执行新手引导
+  - 调试向导行为
+sidebarTitle: Wizard Reference
+summary: CLI 设置向导的完整参考：每个步骤、标志和配置字段
+title: 设置向导参考
+x-i18n:
+  generated_at: "2026-03-16T06:28:28Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: f6560ef9921e58e4fe7f9b23872c0f8bbf3a0a3c4449d686752fc5b5b50bb216
+  source_path: reference/wizard.md
+  workflow: 15
 ---
 
-# 向导参考
+# 设置向导参考
 
-该页面是英文文档的中文占位版本，完整内容请先参考英文版：[Onboarding Wizard Reference](/reference/wizard)。
+这是 `openclaw onboard` CLI 向导的完整参考。
+有关高层概览，请参阅 [设置向导](/start/wizard)。
+
+## 流程详情（本地模式）
+
+<Steps>
+  <Step title="现有配置检测">
+    - 如果 `~/.openclaw/openclaw.json` 存在，请选择 **Keep / Modify / Reset**。
+    - 重新运行向导**不会**清除任何内容，除非你明确选择 **Reset**
+      （或传入 `--reset`）。
+    - CLI `--reset` 默认值为 `config+creds+sessions`；使用 `--reset-scope full`
+      可额外移除工作区。
+    - 如果配置无效或包含旧版键，向导会停止，并要求
+      你先运行 `openclaw doctor` 再继续。
+    - 重置会使用 `trash`（绝不使用 `rm`），并提供以下范围：
+      - 仅配置
+      - 配置 + 凭证 + 会话
+      - 完整重置（也会移除工作区）
+  </Step>
+  <Step title="模型/认证">
+    - **Anthropic API key**：如果存在则使用 `ANTHROPIC_API_KEY`，否则提示输入 key，然后保存以供守护进程使用。
+    - **Anthropic OAuth（Claude Code CLI）**：在 macOS 上，向导会检查钥匙串项目 “Claude Code-credentials”（请选择 “Always Allow”，这样 launchd 启动时就不会被阻塞）；在 Linux/Windows 上，如果存在，则会重用 `~/.claude/.credentials.json`。
+    - **Anthropic token（粘贴 setup-token）**：在任意机器上运行 `claude setup-token`，然后粘贴该 token（你可以为其命名；留空 = default）。
+    - **OpenAI Code (Codex) 订阅（Codex CLI）**：如果 `~/.codex/auth.json` 存在，向导可以重用它。
+    - **OpenAI Code (Codex) 订阅（OAuth）**：浏览器流程；粘贴 `code#state`。
+      - 当模型未设置或为 `openai/*` 时，将 `agents.defaults.model` 设置为 `openai-codex/gpt-5.2`。
+    - **OpenAI API key**：如果存在则使用 `OPENAI_API_KEY`，否则提示输入 key，然后将其存储到凭证配置文件中。
+    - **xAI（Grok）API key**：提示输入 `XAI_API_KEY`，并将 xAI 配置为模型提供商。
+    - **OpenCode**：提示输入 `OPENCODE_API_KEY`（或 `OPENCODE_ZEN_API_KEY`，可从 https://opencode.ai/auth 获取），并让你选择 Zen 或 Go 目录。
+    - **Ollama**：提示输入 Ollama base URL，提供 **Cloud + Local** 或 **Local** 模式，发现可用模型，并在需要时自动拉取所选本地模型。
+    - 更多细节： [Ollama](/providers/ollama)
+    - **API key**：为你存储该 key。
+    - **Vercel AI Gateway（多模型代理）**：提示输入 `AI_GATEWAY_API_KEY`。
+    - 更多细节： [Vercel AI Gateway](/providers/vercel-ai-gateway)
+    - **Cloudflare AI Gateway**：提示输入 Account ID、Gateway ID 和 `CLOUDFLARE_AI_GATEWAY_API_KEY`。
+    - 更多细节： [Cloudflare AI Gateway](/providers/cloudflare-ai-gateway)
+    - **MiniMax M2.5**：自动写入配置。
+    - 更多细节： [MiniMax](/providers/minimax)
+    - **Synthetic（Anthropic 兼容）**：提示输入 `SYNTHETIC_API_KEY`。
+    - 更多细节： [Synthetic](/providers/synthetic)
+    - **Moonshot（Kimi K2）**：自动写入配置。
+    - **Kimi Coding**：自动写入配置。
+    - 更多细节： [Moonshot AI (Kimi + Kimi Coding)](/providers/moonshot)
+    - **Skip**：暂不配置认证。
+    - 从已检测到的选项中选择默认模型（或手动输入 `provider/model`）。为了获得最佳质量并降低 prompt injection 风险，请选择你在提供商栈中可用的最强最新一代模型。
+    - 向导会运行模型检查，并在所配置模型未知或缺少认证时发出警告。
+    - API key 存储模式默认为明文 auth-profile 值。使用 `--secret-input-mode ref` 可改为存储基于环境变量的引用（例如 `keyRef: { source: "env", provider: "default", id: "OPENAI_API_KEY" }`）。
+    - OAuth 凭证保存在 `~/.openclaw/credentials/oauth.json`；auth-profile 保存在 `~/.openclaw/agents/<agentId>/agent/auth-profiles.json`（API key + OAuth）。
+    - 更多细节： [/concepts/oauth](/concepts/oauth)
+    <Note>
+    无头/服务器提示：在有浏览器的机器上完成 OAuth，然后将
+    `~/.openclaw/credentials/oauth.json`（或 `$OPENCLAW_STATE_DIR/credentials/oauth.json`）复制到
+    Gateway 网关主机上。
+    </Note>
+  </Step>
+  <Step title="工作区">
+    - 默认为 `~/.openclaw/workspace`（可配置）。
+    - 为工作区植入智能体引导仪式所需的文件。
+    - 完整工作区布局 + 备份指南： [智能体工作区](/concepts/agent-workspace)
+  </Step>
+  <Step title="Gateway 网关">
+    - Port、bind、auth mode、tailscale 暴露方式。
+    - 认证建议：即使是 loopback，也保留 **Token**，这样本地 WS 客户端也必须进行认证。
+    - 在 token 模式下，交互式设置提供：
+      - **生成/存储明文 token**（默认）
+      - **使用 SecretRef**（可选启用）
+      - 快速开始会在新手引导探测/dashboard 引导期间，跨 `env`、`file` 和 `exec` 提供商重用现有的 `gateway.auth.token` SecretRef。
+      - 如果该 SecretRef 已配置但无法解析，则新手引导会提前失败，并给出明确修复信息，而不是静默降级运行时认证。
+    - 在 password 模式下，交互式设置也支持明文或 SecretRef 存储。
+    - 非交互式 token SecretRef 路径：`--gateway-token-ref-env <ENV_VAR>`。
+      - 要求新手引导进程环境中存在非空环境变量。
+      - 不能与 `--gateway-token` 组合使用。
+    - 仅当你完全信任每个本地进程时，才禁用认证。
+    - 非 loopback 绑定仍然需要认证。
+  </Step>
+  <Step title="渠道">
+    - [WhatsApp](/channels/whatsapp)：可选 QR 登录。
+    - [Telegram](/channels/telegram)：bot token。
+    - [Discord](/channels/discord)：bot token。
+    - [Google Chat](/channels/googlechat)：服务账号 JSON + webhook audience。
+    - [Mattermost](/channels/mattermost)（插件）：bot token + base URL。
+    - [Signal](/channels/signal)：可选安装 `signal-cli` + 账号配置。
+    - [BlueBubbles](/channels/bluebubbles)：**iMessage 推荐方案**；server URL + password + webhook。
+    - [iMessage](/channels/imessage)：旧版 `imsg` CLI 路径 + 数据库访问。
+    - 私信安全：默认为 pairing。首次私信会发送一个代码；通过 `openclaw pairing approve <channel> <code>` 批准，或使用允许列表。
+  </Step>
+  <Step title="Web 搜索">
+    - 选择一个提供商：Perplexity、Brave、Gemini、Grok 或 Kimi（也可跳过）。
+    - 粘贴你的 API key（QuickStart 会自动从环境变量或现有配置中检测 key）。
+    - 使用 `--skip-search` 跳过。
+    - 之后再配置：`openclaw configure --section web`。
+  </Step>
+  <Step title="守护进程安装">
+    - macOS：LaunchAgent
+      - 需要已登录的用户会话；无头场景请使用自定义 LaunchDaemon（未随产品提供）。
+    - Linux（以及通过 WSL2 的 Windows）：systemd 用户单元
+      - 向导会尝试启用 lingering：`loginctl enable-linger <user>`，以便 Gateway 网关在注销后仍保持运行。
+      - 可能会提示输入 sudo（会写入 `/var/lib/systemd/linger`）；它会先尝试不使用 sudo。
+    - **运行时选择：** Node（推荐；WhatsApp/Telegram 必需）。**不推荐** Bun。
+    - 如果 token 认证需要 token，并且 `gateway.auth.token` 由 SecretRef 管理，则守护进程安装会验证它，但不会将解析出的明文 token 值持久化到 supervisor 服务环境元数据中。
+    - 如果 token 认证需要 token，但配置的 token SecretRef 尚未解析，则会阻止守护进程安装，并给出可执行指导。
+    - 如果同时配置了 `gateway.auth.token` 和 `gateway.auth.password`，且 `gateway.auth.mode` 未设置，则会阻止守护进程安装，直到显式设置 mode。
+  </Step>
+  <Step title="健康检查">
+    - 启动 Gateway 网关（如果需要）并运行 `openclaw health`。
+    - 提示：`openclaw status --deep` 会在状态输出中添加 Gateway 网关健康探测（需要能访问到 Gateway 网关）。
+  </Step>
+  <Step title="Skills（推荐）">
+    - 读取可用的 Skills 并检查要求。
+    - 让你选择一个 node manager：**npm / pnpm**（不推荐 bun）。
+    - 安装可选依赖（某些在 macOS 上使用 Homebrew）。
+  </Step>
+  <Step title="完成">
+    - 摘要 + 后续步骤，包括可提供额外功能的 iOS/Android/macOS 应用。
+  </Step>
+</Steps>
+
+<Note>
+如果未检测到 GUI，向导会打印用于访问 Control UI 的 SSH 端口转发说明，而不是打开浏览器。
+如果缺少 Control UI 资源，向导会尝试构建它们；回退方式是 `pnpm ui:build`（会自动安装 UI 依赖）。
+</Note>
+
+## 非交互模式
+
+使用 `--non-interactive` 自动化或脚本化新手引导：
+
+```bash
+openclaw onboard --non-interactive \
+  --mode local \
+  --auth-choice apiKey \
+  --anthropic-api-key "$ANTHROPIC_API_KEY" \
+  --gateway-port 18789 \
+  --gateway-bind loopback \
+  --install-daemon \
+  --daemon-runtime node \
+  --skip-skills
+```
+
+添加 `--json` 可获得机器可读摘要。
+
+在非交互模式中使用 Gateway token SecretRef：
+
+```bash
+export OPENCLAW_GATEWAY_TOKEN="your-token"
+openclaw onboard --non-interactive \
+  --mode local \
+  --auth-choice skip \
+  --gateway-auth token \
+  --gateway-token-ref-env OPENCLAW_GATEWAY_TOKEN
+```
+
+`--gateway-token` 和 `--gateway-token-ref-env` 互斥。
+
+<Note>
+`--json` **并不**意味着非交互模式。脚本中请使用 `--non-interactive`（以及 `--workspace`）。
+</Note>
+
+特定提供商的命令示例位于 [CLI Automation](/start/wizard-cli-automation#provider-specific-examples)。
+本参考页用于说明标志语义和步骤顺序。
+
+### 添加智能体（非交互）
+
+```bash
+openclaw agents add work \
+  --workspace ~/.openclaw/workspace-work \
+  --model openai/gpt-5.2 \
+  --bind whatsapp:biz \
+  --non-interactive \
+  --json
+```
+
+## Gateway 网关向导 RPC
+
+Gateway 网关通过 RPC 暴露向导流程（`wizard.start`、`wizard.next`、`wizard.cancel`、`wizard.status`）。
+客户端（macOS 应用、Control UI）可以渲染这些步骤，而无需重新实现新手引导逻辑。
+
+## Signal 设置（signal-cli）
+
+向导可以从 GitHub releases 安装 `signal-cli`：
+
+- 下载适合的发布资源。
+- 将其存储到 `~/.openclaw/tools/signal-cli/<version>/` 下。
+- 将 `channels.signal.cliPath` 写入你的配置。
+
+说明：
+
+- JVM 构建需要 **Java 21**。
+- 在可用时会使用原生构建。
+- Windows 使用 WSL2；`signal-cli` 安装会在 WSL 中遵循 Linux 流程。
+
+## 向导会写入的内容
+
+`~/.openclaw/openclaw.json` 中的典型字段：
+
+- `agents.defaults.workspace`
+- `agents.defaults.model` / `models.providers`（如果选择了 Minimax）
+- `tools.profile`（本地新手引导在未设置时默认为 `"coding"`；已有的显式值会被保留）
+- `gateway.*`（mode、bind、auth、tailscale）
+- `session.dmScope`（行为细节： [CLI 设置参考](/start/wizard-cli-reference#outputs-and-internals)）
+- `channels.telegram.botToken`、`channels.discord.token`、`channels.signal.*`、`channels.imessage.*`
+- 当你在提示中选择启用时，渠道允许列表（Slack/Discord/Matrix/Microsoft Teams）（名称会在可能时解析为 ID）。
+- `skills.install.nodeManager`
+- `wizard.lastRunAt`
+- `wizard.lastRunVersion`
+- `wizard.lastRunCommit`
+- `wizard.lastRunCommand`
+- `wizard.lastRunMode`
+
+`openclaw agents add` 会写入 `agents.list[]` 和可选的 `bindings`。
+
+WhatsApp 凭证位于 `~/.openclaw/credentials/whatsapp/<accountId>/` 下。
+会话存储在 `~/.openclaw/agents/<agentId>/sessions/` 下。
+
+某些渠道以插件形式提供。当你在设置期间选择其中一个时，向导
+会提示先安装它（npm 或本地路径），然后才能配置。
+
+## 相关文档
+
+- 向导概览： [设置向导](/start/wizard)
+- macOS 应用新手引导： [新手引导](/start/onboarding)
+- 配置参考： [Gateway 配置](/gateway/configuration)
+- 提供商： [WhatsApp](/channels/whatsapp)、[Telegram](/channels/telegram)、[Discord](/channels/discord)、[Google Chat](/channels/googlechat)、[Signal](/channels/signal)、[BlueBubbles](/channels/bluebubbles)（iMessage）、[iMessage](/channels/imessage)（旧版）
+- Skills： [Skills](/tools/skills)、[Skills 配置](/tools/skills-config)
diff --git a/docs/zh-CN/start/getting-started.md b/docs/zh-CN/start/getting-started.md
index c144bd053bc..39e3fb3829f 100644
--- a/docs/zh-CN/start/getting-started.md
+++ b/docs/zh-CN/start/getting-started.md
@@ -1,206 +1,143 @@
 ---
 read_when:
-  - 从零开始首次设置
-  - 你想要从安装 → 新手引导 → 第一条消息的最快路径
-summary: 新手指南：从零到第一条消息（向导、认证、渠道、配对）
+  - 从零开始进行首次设置
+  - 你想用最快的路径开始可用聊天
+summary: 在几分钟内安装 OpenClaw 并开始你的第一次聊天。
 title: 入门指南
 x-i18n:
-  generated_at: "2026-02-03T07:54:14Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: 78cfa02eb2e4ea1a83e18edd99d142dbae707ec063e8d74c9a54f94581aa067f
+  generated_at: "2026-03-16T06:27:55Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 47583047c1a603c1254d2540846452ad321d12bc7fc3f24e5def9282ee96f415
   source_path: start/getting-started.md
   workflow: 15
 ---
 
 # 入门指南
 
-目标：尽快从**零**到**第一个可用聊天**（使用合理的默认值）。
+目标：以最少的设置，从零开始到完成第一次可用聊天。
 
-最快聊天：打开 Control UI（无需渠道设置）。运行 `openclaw dashboard` 并在浏览器中聊天，或在 Gateway 网关主机上打开 `http://127.0.0.1:18789/`。文档：[Dashboard](/web/dashboard) 和 [Control UI](/web/control-ui)。
+<Info>
+最快的聊天方式：打开 Control UI（无需设置渠道）。运行 `openclaw dashboard`
+并在浏览器中聊天，或在
+<Tooltip headline="Gateway host" tip="运行 OpenClaw Gateway 网关服务的机器。">网关主机</Tooltip>
+上打开 `http://127.0.0.1:18789/`。
+文档：[Dashboard](/web/dashboard) 和 [Control UI](/web/control-ui)。
+</Info>
 
-推荐路径：使用 **CLI 新手引导向导**（`openclaw onboard`）。它设置：
+## 前置条件
 
-- 模型/认证（推荐 OAuth）
-- Gateway 网关设置
-- 渠道（WhatsApp/Telegram/Discord/Mattermost（插件）/...）
-- 配对默认值（安全私信）
-- 工作区引导 + Skills
-- 可选的后台服务
+- 推荐使用 Node 24（Node 22 LTS，目前为 `22.16+`，仍因兼容性而受支持）
 
-如果你想要更深入的参考页面，跳转到：[向导](/start/wizard)、[设置](/start/setup)、[配对](/channels/pairing)、[安全](/gateway/security)。
+<Tip>
+如果你不确定，请使用 `node --version` 检查你的 Node 版本。
+</Tip>
 
-沙箱注意事项：`agents.defaults.sandbox.mode: "non-main"` 使用 `session.mainKey`（默认 `"main"`），因此群组/渠道会话会被沙箱隔离。如果你想要主智能体始终在主机上运行，设置显式的每智能体覆盖：
+## 快速设置（CLI）
 
-```json
-{
-  "routing": {
-    "agents": {
-      "main": {
-        "workspace": "~/.openclaw/workspace",
-        "sandbox": { "mode": "off" }
-      }
-    }
-  }
-}
-```
+<Steps>
+  <Step title="安装 OpenClaw（推荐）">
+    <Tabs>
+      <Tab title="macOS/Linux">
+        ```bash
+        curl -fsSL https://openclaw.ai/install.sh | bash
+        ```
+        <img
+  src="/assets/install-script.svg"
+  alt="安装脚本流程"
+  className="rounded-lg"
+/>
+      </Tab>
+      <Tab title="Windows（PowerShell）">
+        ```powershell
+        iwr -useb https://openclaw.ai/install.ps1 | iex
+        ```
+      </Tab>
+    </Tabs>
 
-## 0) 前置条件
+    <Note>
+    其他安装方式和要求： [Install](/install)。
+    </Note>
 
-- Node `>=22`
-- `pnpm`（可选；如果从源代码构建则推荐）
-- **推荐：**Brave Search API 密钥用于网页搜索。最简单的方式：`openclaw configure --section web`（存储 `tools.web.search.apiKey`）。参见 [Web 工具](/tools/web)。
+  </Step>
+  <Step title="运行设置向导">
+    ```bash
+    openclaw onboard --install-daemon
+    ```
 
-macOS：如果你计划构建应用，安装 Xcode / CLT。仅用于 CLI + Gateway 网关的话，Node 就足够了。
-Windows：使用 **WSL2**（推荐 Ubuntu）。强烈推荐 WSL2；原生 Windows 未经测试，问题更多，工具兼容性更差。先安装 WSL2，然后在 WSL 内运行 Linux 步骤。参见 [Windows (WSL2)](/platforms/windows)。
+    向导会配置认证、Gateway 网关设置和可选渠道。
+    详情请参见 [Setup Wizard](/start/wizard)。
 
-## 1) 安装 CLI（推荐）
+  </Step>
+  <Step title="检查 Gateway 网关">
+    如果你已安装服务，它应该已经在运行：
 
-```bash
-curl -fsSL https://openclaw.ai/install.sh | bash
-```
+    ```bash
+    openclaw gateway status
+    ```
 
-安装程序选项（安装方法、非交互式、从 GitHub）：[安装](/install)。
+  </Step>
+  <Step title="打开 Control UI">
+    ```bash
+    openclaw dashboard
+    ```
+  </Step>
+</Steps>
 
-Windows (PowerShell)：
+<Check>
+如果 Control UI 能加载，你的 Gateway 网关就已准备就绪，可以使用。
+</Check>
 
-```powershell
-iwr -useb https://openclaw.ai/install.ps1 | iex
-```
+## 可选检查和附加内容
 
-替代方案（全局安装）：
+<AccordionGroup>
+  <Accordion title="在前台运行 Gateway 网关">
+    适合快速测试或故障排除。
 
-```bash
-npm install -g openclaw@latest
-```
+    ```bash
+    openclaw gateway --port 18789
+    ```
 
-```bash
-pnpm add -g openclaw@latest
-```
+  </Accordion>
+  <Accordion title="发送一条测试消息">
+    需要已配置的渠道。
 
-## 2) 运行新手引导向导（并安装服务）
+    ```bash
+    openclaw message send --target +15555550123 --message "Hello from OpenClaw"
+    ```
 
-```bash
-openclaw onboard --install-daemon
-```
+  </Accordion>
+</AccordionGroup>
 
-你将选择：
+## 常用环境变量
 
-- **本地 vs 远程** Gateway 网关
-- **认证**：OpenAI Code (Codex) 订阅（OAuth）或 API 密钥。对于 Anthropic 我们推荐 API 密钥；也支持 `claude setup-token`。
-- **提供商**：WhatsApp QR 登录、Telegram/Discord 机器人令牌、Mattermost 插件令牌等。
-- **守护进程**：后台安装（launchd/systemd；WSL2 使用 systemd）
-  - **运行时**：Node（推荐；WhatsApp/Telegram 必需）。**不推荐** Bun。
-- **Gateway 网关令牌**：向导默认生成一个（即使在 loopback 上）并存储在 `gateway.auth.token`。
+如果你将 OpenClaw 作为服务账户运行，或想使用自定义配置/状态位置：
 
-向导文档：[向导](/start/wizard)
+- `OPENCLAW_HOME` 设置用于内部路径解析的主目录。
+- `OPENCLAW_STATE_DIR` 覆盖状态目录。
+- `OPENCLAW_CONFIG_PATH` 覆盖配置文件路径。
 
-### 凭证：存储位置（重要）
+完整的环境变量参考： [环境变量](/help/environment)。
 
-- **推荐的 Anthropic 路径：**设置 API 密钥（向导可以为服务使用存储它）。如果你想复用 Claude Code 凭证，也支持 `claude setup-token`。
+## 深入了解
 
-- OAuth 凭证（旧版导入）：`~/.openclaw/credentials/oauth.json`
-- 认证配置文件（OAuth + API 密钥）：`~/.openclaw/agents/<agentId>/agent/auth-profiles.json`
+<Columns>
+  <Card title="设置向导（详情）" href="/start/wizard">
+    完整的 CLI 向导参考和高级选项。
+  </Card>
+  <Card title="macOS 应用新手引导" href="/start/onboarding">
+    macOS 应用的首次运行流程。
+  </Card>
+</Columns>
 
-无头/服务器提示：先在普通机器上完成 OAuth，然后将 `oauth.json` 复制到 Gateway 网关主机。
+## 你将获得什么
 
-## 3) 启动 Gateway 网关
+- 一个正在运行的 Gateway 网关
+- 已配置好的认证
+- Control UI 访问权限或一个已连接的渠道
 
-如果你在新手引导期间安装了服务，Gateway 网关应该已经在运行：
+## 后续步骤
 
-```bash
-openclaw gateway status
-```
-
-手动运行（前台）：
-
-```bash
-openclaw gateway --port 18789 --verbose
-```
-
-Dashboard（local loopback）：`http://127.0.0.1:18789/`
-如果配置了令牌，将其粘贴到 Control UI 设置中（存储为 `connect.params.auth.token`）。
-
-⚠️ **Bun 警告（WhatsApp + Telegram）：**Bun 与这些渠道存在已知问题。如果你使用 WhatsApp 或 Telegram，请使用 **Node** 运行 Gateway 网关。
-
-## 3.5) 快速验证（2 分钟）
-
-```bash
-openclaw status
-openclaw health
-openclaw security audit --deep
-```
-
-## 4) 配对 + 连接你的第一个聊天界面
-
-### WhatsApp（QR 登录）
-
-```bash
-openclaw channels login
-```
-
-通过 WhatsApp → 设置 → 链接设备扫描。
-
-WhatsApp 文档：[WhatsApp](/channels/whatsapp)
-
-### Telegram / Discord / 其他
-
-向导可以为你写入令牌/配置。如果你更喜欢手动配置，从这里开始：
-
-- Telegram：[Telegram](/channels/telegram)
-- Discord：[Discord](/channels/discord)
-- Mattermost（插件）：[Mattermost](/channels/mattermost)
-
-**Telegram 私信提示：**你的第一条私信会返回配对码。批准它（见下一步），否则机器人不会响应。
-
-## 5) 私信安全（配对审批）
-
-默认姿态：未知私信会获得一个短代码，消息在批准之前不会被处理。如果你的第一条私信没有收到回复，批准配对：
-
-```bash
-openclaw pairing list whatsapp
-openclaw pairing approve whatsapp <code>
-```
-
-配对文档：[配对](/channels/pairing)
-
-## 从源代码（开发）
-
-如果你正在开发 OpenClaw 本身，从源代码运行：
-
-```bash
-git clone https://github.com/openclaw/openclaw.git
-cd openclaw
-pnpm install
-pnpm ui:build # 首次运行时自动安装 UI 依赖
-pnpm build
-openclaw onboard --install-daemon
-```
-
-如果你还没有全局安装，从仓库通过 `pnpm openclaw ...` 运行新手引导步骤。`pnpm build` 也会打包 A2UI 资源；如果你只需要运行那个步骤，使用 `pnpm canvas:a2ui:bundle`。
-
-Gateway 网关（从此仓库）：
-
-```bash
-node openclaw.mjs gateway --port 18789 --verbose
-```
-
-## 7) 验证端到端
-
-在新终端中，发送测试消息：
-
-```bash
-openclaw message send --target +15555550123 --message "Hello from OpenClaw"
-```
-
-如果 `openclaw health` 显示"未配置认证"，回到向导设置 OAuth/密钥认证——没有它智能体将无法响应。
-
-提示：`openclaw status --all` 是最佳的可粘贴、只读调试报告。
-健康探测：`openclaw health`（或 `openclaw status --deep`）向运行中的 Gateway 网关请求健康快照。
-
-## 下一步（可选，但很棒）
-
-- macOS 菜单栏应用 + 语音唤醒：[macOS 应用](/platforms/macos)
-- iOS/Android 节点（Canvas/相机/语音）：[节点](/nodes)
-- 远程访问（SSH 隧道 / Tailscale Serve）：[远程访问](/gateway/remote) 和 [Tailscale](/gateway/tailscale)
-- 常开 / VPN 设置：[远程访问](/gateway/remote)、[exe.dev](/install/exe-dev)、[Hetzner](/install/hetzner)、[macOS 远程](/platforms/mac/remote)
+- 私信安全和批准：[Pairing](/channels/pairing)
+- 连接更多渠道：[Channels](/channels)
+- 高级工作流和源码安装：[Setup](/start/setup)
diff --git a/docs/zh-CN/start/onboarding-overview.md b/docs/zh-CN/start/onboarding-overview.md
new file mode 100644
index 00000000000..524bd8b33f5
--- /dev/null
+++ b/docs/zh-CN/start/onboarding-overview.md
@@ -0,0 +1,58 @@
+---
+read_when:
+  - 选择一种新手引导路径
+  - 设置新环境
+sidebarTitle: Onboarding Overview
+summary: OpenClaw 新手引导选项与流程概览
+title: 新手引导概览
+x-i18n:
+  generated_at: "2026-03-16T06:27:56Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 8a22945f0780515be7ec1b94b5ff486828cf9b8f060ab598a31eb17ee0a5c60b
+  source_path: start/onboarding-overview.md
+  workflow: 15
+---
+
+# 新手引导概览
+
+OpenClaw 支持多种新手引导路径，具体取决于 Gateway 网关运行的位置
+以及你偏好的提供商配置方式。
+
+## 选择你的新手引导路径
+
+- 适用于 macOS、Linux 和 Windows（通过 WSL2）的 **CLI 向导**。
+- 适用于 Apple silicon 或 Intel Mac 的 **macOS 应用**，提供引导式首次运行体验。
+
+## CLI 设置向导
+
+在终端中运行向导：
+
+```bash
+openclaw onboard
+```
+
+当你希望完全控制 Gateway 网关、工作区、
+渠道和 Skills 时，请使用 CLI 向导。文档：
+
+- [设置向导（CLI）](/start/wizard)
+- [`openclaw onboard` 命令](/cli/onboard)
+
+## macOS 应用新手引导
+
+如果你希望在 macOS 上使用完全引导式设置，请使用 OpenClaw 应用。文档：
+
+- [新手引导（macOS 应用）](/start/onboarding)
+
+## 自定义提供商
+
+如果你需要一个未列出的端点，包括那些
+公开标准 OpenAI 或 Anthropic API 的托管提供商，请在
+CLI 向导中选择 **Custom Provider**。系统会要求你：
+
+- 选择兼容 OpenAI、兼容 Anthropic，或 **Unknown**（自动检测）。
+- 输入基础 URL 和 API 密钥（如果提供商需要）。
+- 提供模型 ID 和可选别名。
+- 选择一个 Endpoint ID，以便多个自定义端点可以共存。
+
+如需详细步骤，请按照上面的 CLI 新手引导文档操作。
diff --git a/docs/zh-CN/start/wizard-cli-automation.md b/docs/zh-CN/start/wizard-cli-automation.md
new file mode 100644
index 00000000000..7a13cd2a10e
--- /dev/null
+++ b/docs/zh-CN/start/wizard-cli-automation.md
@@ -0,0 +1,222 @@
+---
+read_when:
+  - 你正在脚本或 CI 中自动化新手引导
+  - 你需要特定提供商的非交互式示例
+sidebarTitle: CLI automation
+summary: 用于 OpenClaw CLI 的脚本化新手引导和智能体设置
+title: CLI 自动化
+x-i18n:
+  generated_at: "2026-03-16T06:28:19Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 2a82c491616e8c1c2aa6ef5e19bde80b8cccd1e5f7684838b9ce704c33e41b0e
+  source_path: start/wizard-cli-automation.md
+  workflow: 15
+---
+
+# CLI 自动化
+
+使用 `--non-interactive` 自动化 `openclaw onboard`。
+
+<Note>
+`--json` 并不意味着非交互模式。对于脚本，请使用 `--non-interactive`（以及 `--workspace`）。
+</Note>
+
+## 基础非交互式示例
+
+```bash
+openclaw onboard --non-interactive \
+  --mode local \
+  --auth-choice apiKey \
+  --anthropic-api-key "$ANTHROPIC_API_KEY" \
+  --secret-input-mode plaintext \
+  --gateway-port 18789 \
+  --gateway-bind loopback \
+  --install-daemon \
+  --daemon-runtime node \
+  --skip-skills
+```
+
+添加 `--json` 可获得机器可读的摘要。
+
+使用 `--secret-input-mode ref` 可在认证配置文件中存储基于环境变量的引用，而不是明文值。
+在设置向导流程中，支持在环境变量引用与已配置的提供商引用（`file` 或 `exec`）之间进行交互式选择。
+
+在非交互式 `ref` 模式下，必须在进程环境中设置提供商环境变量。
+如果传入了内联密钥标志，但缺少匹配的环境变量，现在会快速失败。
+
+示例：
+
+```bash
+openclaw onboard --non-interactive \
+  --mode local \
+  --auth-choice openai-api-key \
+  --secret-input-mode ref \
+  --accept-risk
+```
+
+## 提供商专用示例
+
+<AccordionGroup>
+  <Accordion title="Gemini 示例">
+    ```bash
+    openclaw onboard --non-interactive \
+      --mode local \
+      --auth-choice gemini-api-key \
+      --gemini-api-key "$GEMINI_API_KEY" \
+      --gateway-port 18789 \
+      --gateway-bind loopback
+    ```
+  </Accordion>
+  <Accordion title="Z.AI 示例">
+    ```bash
+    openclaw onboard --non-interactive \
+      --mode local \
+      --auth-choice zai-api-key \
+      --zai-api-key "$ZAI_API_KEY" \
+      --gateway-port 18789 \
+      --gateway-bind loopback
+    ```
+  </Accordion>
+  <Accordion title="Vercel AI Gateway 示例">
+    ```bash
+    openclaw onboard --non-interactive \
+      --mode local \
+      --auth-choice ai-gateway-api-key \
+      --ai-gateway-api-key "$AI_GATEWAY_API_KEY" \
+      --gateway-port 18789 \
+      --gateway-bind loopback
+    ```
+  </Accordion>
+  <Accordion title="Cloudflare AI Gateway 示例">
+    ```bash
+    openclaw onboard --non-interactive \
+      --mode local \
+      --auth-choice cloudflare-ai-gateway-api-key \
+      --cloudflare-ai-gateway-account-id "your-account-id" \
+      --cloudflare-ai-gateway-gateway-id "your-gateway-id" \
+      --cloudflare-ai-gateway-api-key "$CLOUDFLARE_AI_GATEWAY_API_KEY" \
+      --gateway-port 18789 \
+      --gateway-bind loopback
+    ```
+  </Accordion>
+  <Accordion title="Moonshot 示例">
+    ```bash
+    openclaw onboard --non-interactive \
+      --mode local \
+      --auth-choice moonshot-api-key \
+      --moonshot-api-key "$MOONSHOT_API_KEY" \
+      --gateway-port 18789 \
+      --gateway-bind loopback
+    ```
+  </Accordion>
+  <Accordion title="Mistral 示例">
+    ```bash
+    openclaw onboard --non-interactive \
+      --mode local \
+      --auth-choice mistral-api-key \
+      --mistral-api-key "$MISTRAL_API_KEY" \
+      --gateway-port 18789 \
+      --gateway-bind loopback
+    ```
+  </Accordion>
+  <Accordion title="Synthetic 示例">
+    ```bash
+    openclaw onboard --non-interactive \
+      --mode local \
+      --auth-choice synthetic-api-key \
+      --synthetic-api-key "$SYNTHETIC_API_KEY" \
+      --gateway-port 18789 \
+      --gateway-bind loopback
+    ```
+  </Accordion>
+  <Accordion title="OpenCode 示例">
+    ```bash
+    openclaw onboard --non-interactive \
+      --mode local \
+      --auth-choice opencode-zen \
+      --opencode-zen-api-key "$OPENCODE_API_KEY" \
+      --gateway-port 18789 \
+      --gateway-bind loopback
+    ```
+    对 Go 目录，可改用 `--auth-choice opencode-go --opencode-go-api-key "$OPENCODE_API_KEY"`。
+  </Accordion>
+  <Accordion title="Ollama 示例">
+    ```bash
+    openclaw onboard --non-interactive \
+      --mode local \
+      --auth-choice ollama \
+      --custom-model-id "qwen3.5:27b" \
+      --accept-risk \
+      --gateway-port 18789 \
+      --gateway-bind loopback
+    ```
+  </Accordion>
+  <Accordion title="自定义提供商示例">
+    ```bash
+    openclaw onboard --non-interactive \
+      --mode local \
+      --auth-choice custom-api-key \
+      --custom-base-url "https://llm.example.com/v1" \
+      --custom-model-id "foo-large" \
+      --custom-api-key "$CUSTOM_API_KEY" \
+      --custom-provider-id "my-custom" \
+      --custom-compatibility anthropic \
+      --gateway-port 18789 \
+      --gateway-bind loopback
+    ```
+
+    `--custom-api-key` 是可选的。如果省略，新手引导会检查 `CUSTOM_API_KEY`。
+
+    `ref` 模式变体：
+
+    ```bash
+    export CUSTOM_API_KEY="your-key"
+    openclaw onboard --non-interactive \
+      --mode local \
+      --auth-choice custom-api-key \
+      --custom-base-url "https://llm.example.com/v1" \
+      --custom-model-id "foo-large" \
+      --secret-input-mode ref \
+      --custom-provider-id "my-custom" \
+      --custom-compatibility anthropic \
+      --gateway-port 18789 \
+      --gateway-bind loopback
+    ```
+
+    在此模式下，新手引导会将 `apiKey` 存储为 `{ source: "env", provider: "default", id: "CUSTOM_API_KEY" }`。
+
+  </Accordion>
+</AccordionGroup>
+
+## 添加另一个智能体
+
+使用 `openclaw agents add <name>` 创建一个单独的智能体，它拥有自己的工作区、
+会话和认证配置文件。不带 `--workspace` 运行会启动向导。
+
+```bash
+openclaw agents add work \
+  --workspace ~/.openclaw/workspace-work \
+  --model openai/gpt-5.2 \
+  --bind whatsapp:biz \
+  --non-interactive \
+  --json
+```
+
+它会设置：
+
+- `agents.list[].name`
+- `agents.list[].workspace`
+- `agents.list[].agentDir`
+
+说明：
+
+- 默认工作区遵循 `~/.openclaw/workspace-<agentId>`。
+- 添加 `bindings` 以路由入站消息（向导可以完成这项操作）。
+- 非交互式标志：`--model`、`--agent-dir`、`--bind`、`--non-interactive`。
+
+## 相关文档
+
+- 新手引导中心：[设置向导（CLI）](/start/wizard)
+- 完整参考：[CLI 设置参考](/start/wizard-cli-reference)
+- 命令参考：[`openclaw onboard`](/cli/onboard)
diff --git a/docs/zh-CN/start/wizard-cli-reference.md b/docs/zh-CN/start/wizard-cli-reference.md
new file mode 100644
index 00000000000..16d69e9b896
--- /dev/null
+++ b/docs/zh-CN/start/wizard-cli-reference.md
@@ -0,0 +1,306 @@
+---
+read_when:
+  - 你需要了解 `openclaw onboard` 的详细行为
+  - 你正在调试新手引导结果或集成新手引导客户端
+sidebarTitle: CLI reference
+summary: CLI 设置流程、身份验证/模型设置、输出和内部机制的完整参考
+title: CLI 设置参考
+x-i18n:
+  generated_at: "2026-03-16T06:28:34Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 6b9460013b6a0fbd59f639ade6b255c8d7f7412238495e78b942859ade695e86
+  source_path: start/wizard-cli-reference.md
+  workflow: 15
+---
+
+# CLI 设置参考
+
+本页是 `openclaw onboard` 的完整参考。
+简短指南请参见 [设置向导（CLI）](/start/wizard)。
+
+## 向导会执行什么
+
+本地模式（默认）会引导你完成以下内容：
+
+- 模型和身份验证设置（OpenAI Code 订阅 OAuth、Anthropic API 密钥或 setup token，以及 MiniMax、GLM、Ollama、Moonshot 和 AI Gateway 选项）
+- 工作区位置和 bootstrap 文件
+- Gateway 网关设置（端口、绑定、身份验证、tailscale）
+- 渠道和提供商（Telegram、WhatsApp、Discord、Google Chat、Mattermost 插件、Signal）
+- 守护进程安装（LaunchAgent 或 systemd 用户单元）
+- 健康检查
+- Skills 设置
+
+远程模式会将此机器配置为连接到其他位置的网关。
+它不会在远程主机上安装或修改任何内容。
+
+## 本地流程详情
+
+<Steps>
+  <Step title="现有配置检测">
+    - 如果 `~/.openclaw/openclaw.json` 存在，可选择 Keep、Modify 或 Reset。
+    - 重新运行向导不会清除任何内容，除非你明确选择 Reset（或传递 `--reset`）。
+    - CLI `--reset` 默认作用于 `config+creds+sessions`；使用 `--reset-scope full` 还会删除工作区。
+    - 如果配置无效或包含旧版键，向导会停止，并要求你先运行 `openclaw doctor` 再继续。
+    - Reset 使用 `trash`，并提供以下范围：
+      - 仅配置
+      - 配置 + 凭证 + 会话
+      - 完全重置（也会删除工作区）
+  </Step>
+  <Step title="模型和身份验证">
+    - 完整选项矩阵见 [身份验证和模型选项](#auth-and-model-options)。
+  </Step>
+  <Step title="工作区">
+    - 默认值为 `~/.openclaw/workspace`（可配置）。
+    - 会植入首次运行 bootstrap 仪式所需的工作区文件。
+    - 工作区布局：[智能体工作区](/concepts/agent-workspace)。
+  </Step>
+  <Step title="Gateway 网关">
+    - 会提示你输入端口、绑定、身份验证模式和 tailscale 暴露设置。
+    - 建议：即使仅用于 loopback，也保持启用令牌身份验证，这样本地 WS 客户端也必须进行身份验证。
+    - 在令牌模式下，交互式设置提供：
+      - **生成/存储明文令牌**（默认）
+      - **使用 SecretRef**（可选）
+    - 在密码模式下，交互式设置也支持明文或 SecretRef 存储。
+    - 非交互式令牌 SecretRef 路径：`--gateway-token-ref-env <ENV_VAR>`。
+      - 要求在新手引导进程环境中存在一个非空环境变量。
+      - 不能与 `--gateway-token` 组合使用。
+    - 仅当你完全信任每个本地进程时才禁用身份验证。
+    - 非 loopback 绑定仍然需要身份验证。
+  </Step>
+  <Step title="渠道">
+    - [WhatsApp](/channels/whatsapp)：可选 QR 登录
+    - [Telegram](/channels/telegram)：bot 令牌
+    - [Discord](/channels/discord)：bot 令牌
+    - [Google Chat](/channels/googlechat)：服务账号 JSON + webhook audience
+    - [Mattermost](/channels/mattermost) 插件：bot 令牌 + 基础 URL
+    - [Signal](/channels/signal)：可选 `signal-cli` 安装 + 账户配置
+    - [BlueBubbles](/channels/bluebubbles)：推荐用于 iMessage；服务器 URL + 密码 + webhook
+    - [iMessage](/channels/imessage)：旧版 `imsg` CLI 路径 + 数据库访问
+    - 私信安全：默认是配对。首次私信会发送一个代码；通过
+      `openclaw pairing approve <channel> <code>` 批准，或使用 allowlist。
+  </Step>
+  <Step title="守护进程安装">
+    - macOS：LaunchAgent
+      - 需要已登录的用户会话；对于无头环境，请使用自定义 LaunchDaemon（未随附）。
+    - Linux 和通过 WSL2 的 Windows：systemd 用户单元
+      - 向导会尝试执行 `loginctl enable-linger <user>`，使网关在注销后仍保持运行。
+      - 可能会提示输入 sudo（写入 `/var/lib/systemd/linger`）；会先尝试不使用 sudo。
+    - 运行时选择：Node（推荐；WhatsApp 和 Telegram 必需）。不建议使用 Bun。
+  </Step>
+  <Step title="健康检查">
+    - 启动 Gateway 网关（如有需要），并运行 `openclaw health`。
+    - `openclaw status --deep` 会在状态输出中添加 Gateway 网关健康探测。
+  </Step>
+  <Step title="Skills">
+    - 读取可用的 Skills 并检查要求。
+    - 让你选择 node 管理器：npm 或 pnpm（不建议使用 bun）。
+    - 安装可选依赖（部分依赖在 macOS 上使用 Homebrew）。
+  </Step>
+  <Step title="完成">
+    - 显示摘要和后续步骤，包括 iOS、Android 和 macOS 应用选项。
+  </Step>
+</Steps>
+
+<Note>
+如果未检测到 GUI，向导会打印用于控制 UI 的 SSH 端口转发说明，而不是打开浏览器。
+如果缺少控制 UI 资源，向导会尝试构建它们；回退命令为 `pnpm ui:build`（首次运行会自动安装 UI 依赖）。
+</Note>
+
+## 远程模式详情
+
+远程模式会将此机器配置为连接到其他位置的网关。
+
+<Info>
+远程模式不会在远程主机上安装或修改任何内容。
+</Info>
+
+你需要设置的内容：
+
+- 远程 Gateway 网关 URL（`ws://...`）
+- 如果远程 Gateway 网关需要身份验证，则设置令牌（推荐）
+
+<Note>
+- 如果网关仅绑定到 loopback，请使用 SSH 隧道或 tailnet。
+- 发现提示：
+  - macOS：Bonjour（`dns-sd`）
+  - Linux：Avahi（`avahi-browse`）
+</Note>
+
+## 身份验证和模型选项
+
+<AccordionGroup>
+  <Accordion title="Anthropic API 密钥">
+    如果存在 `ANTHROPIC_API_KEY` 则使用它，否则提示输入密钥，然后保存以供守护进程使用。
+  </Accordion>
+  <Accordion title="Anthropic OAuth（Claude Code CLI）">
+    - macOS：检查 Keychain 条目 “Claude Code-credentials”
+    - Linux 和 Windows：如果存在，则复用 `~/.claude/.credentials.json`
+
+    在 macOS 上，请选择 “Always Allow”，以免 launchd 启动被阻塞。
+
+  </Accordion>
+  <Accordion title="Anthropic token（粘贴 setup token）">
+    在任意机器上运行 `claude setup-token`，然后粘贴该令牌。
+    你可以为其命名；留空则使用默认值。
+  </Accordion>
+  <Accordion title="OpenAI Code 订阅（复用 Codex CLI）">
+    如果存在 `~/.codex/auth.json`，向导可以复用它。
+  </Accordion>
+  <Accordion title="OpenAI Code 订阅（OAuth）">
+    浏览器流程；粘贴 `code#state`。
+
+    当模型未设置或为 `openai/*` 时，将 `agents.defaults.model` 设置为 `openai-codex/gpt-5.4`。
+
+  </Accordion>
+  <Accordion title="OpenAI API 密钥">
+    如果存在 `OPENAI_API_KEY` 则使用它，否则提示输入密钥，然后将该凭证存储在 auth profile 中。
+
+    当模型未设置、为 `openai/*` 或 `openai-codex/*` 时，将 `agents.defaults.model` 设置为 `openai/gpt-5.1-codex`。
+
+  </Accordion>
+  <Accordion title="xAI（Grok）API 密钥">
+    提示输入 `XAI_API_KEY`，并将 xAI 配置为模型提供商。
+  </Accordion>
+  <Accordion title="OpenCode">
+    提示输入 `OPENCODE_API_KEY`（或 `OPENCODE_ZEN_API_KEY`），并让你选择 Zen 或 Go 目录。
+    设置 URL：[opencode.ai/auth](https://opencode.ai/auth)。
+  </Accordion>
+  <Accordion title="API 密钥（通用）">
+    会为你存储该密钥。
+  </Accordion>
+  <Accordion title="Vercel AI Gateway">
+    提示输入 `AI_GATEWAY_API_KEY`。
+    更多详情：[Vercel AI Gateway](/providers/vercel-ai-gateway)。
+  </Accordion>
+  <Accordion title="Cloudflare AI Gateway">
+    提示输入账户 ID、Gateway ID 和 `CLOUDFLARE_AI_GATEWAY_API_KEY`。
+    更多详情：[Cloudflare AI Gateway](/providers/cloudflare-ai-gateway)。
+  </Accordion>
+  <Accordion title="MiniMax M2.5">
+    配置会自动写入。
+    更多详情：[MiniMax](/providers/minimax)。
+  </Accordion>
+  <Accordion title="Synthetic（兼容 Anthropic）">
+    提示输入 `SYNTHETIC_API_KEY`。
+    更多详情：[Synthetic](/providers/synthetic)。
+  </Accordion>
+  <Accordion title="Ollama（Cloud 和本地开放模型）">
+    提示输入基础 URL（默认 `http://127.0.0.1:11434`），然后提供 Cloud + Local 或 Local 模式。
+    会发现可用模型并建议默认值。
+    更多详情：[Ollama](/providers/ollama)。
+  </Accordion>
+  <Accordion title="Moonshot 和 Kimi Coding">
+    Moonshot（Kimi K2）和 Kimi Coding 配置会自动写入。
+    更多详情：[Moonshot AI（Kimi + Kimi Coding）](/providers/moonshot)。
+  </Accordion>
+  <Accordion title="自定义提供商">
+    适用于兼容 OpenAI 和兼容 Anthropic 的端点。
+
+    交互式新手引导支持与其他提供商 API 密钥流程相同的 API 密钥存储选项：
+    - **现在粘贴 API 密钥**（明文）
+    - **使用密钥引用**（环境变量引用或已配置提供商引用，并带有预检验证）
+
+    非交互式标志：
+    - `--auth-choice custom-api-key`
+    - `--custom-base-url`
+    - `--custom-model-id`
+    - `--custom-api-key`（可选；回退到 `CUSTOM_API_KEY`）
+    - `--custom-provider-id`（可选）
+    - `--custom-compatibility <openai|anthropic>`（可选；默认 `openai`）
+
+  </Accordion>
+  <Accordion title="跳过">
+    保持身份验证未配置。
+  </Accordion>
+</AccordionGroup>
+
+模型行为：
+
+- 从检测到的选项中选择默认模型，或手动输入提供商和模型。
+- 向导会执行模型检查，并在配置的模型未知或缺少身份验证时发出警告。
+
+凭证和配置档案路径：
+
+- OAuth 凭证：`~/.openclaw/credentials/oauth.json`
+- Auth profile（API 密钥 + OAuth）：`~/.openclaw/agents/<agentId>/agent/auth-profiles.json`
+
+凭证存储模式：
+
+- 默认新手引导行为会将 API 密钥作为明文值持久化到 auth profile 中。
+- `--secret-input-mode ref` 会启用引用模式，而不是明文密钥存储。
+  在交互式设置中，你可以选择：
+  - 环境变量引用（例如 `keyRef: { source: "env", provider: "default", id: "OPENAI_API_KEY" }`）
+  - 已配置提供商引用（`file` 或 `exec`），带提供商别名 + id
+- 交互式引用模式会在保存前运行快速预检验证。
+  - 环境变量引用：验证变量名 + 当前新手引导环境中的非空值。
+  - 提供商引用：验证提供商配置并解析所请求的 id。
+  - 如果预检失败，新手引导会显示错误并让你重试。
+- 在非交互式模式下，`--secret-input-mode ref` 仅支持由环境变量支持的引用。
+  - 在新手引导进程环境中设置提供商环境变量。
+  - 内联密钥标志（例如 `--openai-api-key`）要求设置该环境变量；否则新手引导会快速失败。
+  - 对于自定义提供商，非交互式 `ref` 模式会将 `models.providers.<id>.apiKey` 存储为 `{ source: "env", provider: "default", id: "CUSTOM_API_KEY" }`。
+  - 在这种自定义提供商场景下，`--custom-api-key` 要求设置 `CUSTOM_API_KEY`；否则新手引导会快速失败。
+- Gateway 网关身份验证凭证在交互式设置中支持明文和 SecretRef 选项：
+  - 令牌模式：**生成/存储明文令牌**（默认）或 **使用 SecretRef**。
+  - 密码模式：明文或 SecretRef。
+- 非交互式令牌 SecretRef 路径：`--gateway-token-ref-env <ENV_VAR>`。
+- 现有的明文设置会继续保持不变并正常工作。
+
+<Note>
+无头和服务器提示：在有浏览器的机器上完成 OAuth，然后复制
+`~/.openclaw/credentials/oauth.json`（或 `$OPENCLAW_STATE_DIR/credentials/oauth.json`）
+到 Gateway 网关主机。
+</Note>
+
+## 输出和内部机制
+
+`~/.openclaw/openclaw.json` 中的典型字段：
+
+- `agents.defaults.workspace`
+- `agents.defaults.model` / `models.providers`（如果选择了 Minimax）
+- `tools.profile`（本地新手引导在未设置时默认设为 `"coding"`；现有显式值会保留）
+- `gateway.*`（模式、绑定、身份验证、tailscale）
+- `session.dmScope`（本地新手引导在未设置时默认设为 `per-channel-peer`；现有显式值会保留）
+- `channels.telegram.botToken`、`channels.discord.token`、`channels.signal.*`、`channels.imessage.*`
+- 当你在提示中选择加入时的渠道 allowlist（Slack、Discord、Matrix、Microsoft Teams）（如果可能，名称会解析为 ID）
+- `skills.install.nodeManager`
+- `wizard.lastRunAt`
+- `wizard.lastRunVersion`
+- `wizard.lastRunCommit`
+- `wizard.lastRunCommand`
+- `wizard.lastRunMode`
+
+`openclaw agents add` 会写入 `agents.list[]` 和可选的 `bindings`。
+
+WhatsApp 凭证位于 `~/.openclaw/credentials/whatsapp/<accountId>/`。
+会话存储在 `~/.openclaw/agents/<agentId>/sessions/` 下。
+
+<Note>
+某些渠道以插件形式交付。在设置期间选择这些渠道时，向导
+会先提示安装插件（npm 或本地路径），然后再进行渠道配置。
+</Note>
+
+Gateway 网关向导 RPC：
+
+- `wizard.start`
+- `wizard.next`
+- `wizard.cancel`
+- `wizard.status`
+
+客户端（macOS 应用和控制 UI）可以在不重新实现新手引导逻辑的情况下渲染步骤。
+
+Signal 设置行为：
+
+- 下载适当的发布资源
+- 将其存储在 `~/.openclaw/tools/signal-cli/<version>/`
+- 在配置中写入 `channels.signal.cliPath`
+- JVM 构建需要 Java 21
+- 在可用时使用原生构建
+- Windows 使用 WSL2，并在 WSL 内遵循 Linux 的 signal-cli 流程
+
+## 相关文档
+
+- 新手引导中心：[设置向导（CLI）](/start/wizard)
+- 自动化和脚本：[CLI 自动化](/start/wizard-cli-automation)
+- 命令参考：[`openclaw onboard`](/cli/onboard)
diff --git a/docs/zh-CN/start/wizard.md b/docs/zh-CN/start/wizard.md
index 80569b671dd..0be36f3cdfb 100644
--- a/docs/zh-CN/start/wizard.md
+++ b/docs/zh-CN/start/wizard.md
@@ -1,331 +1,132 @@
 ---
 read_when:
-  - 运行或配置新手引导向导
-  - 设置新机器
-summary: CLI 新手引导向导：引导式配置 Gateway 网关、工作区、渠道和 Skills
-title: 新手引导向导
+  - 运行或配置设置向导
+  - 设置一台新机器
+sidebarTitle: "Onboarding: CLI"
+summary: CLI 设置向导：用于 Gateway 网关、工作区、渠道和 Skills 的引导式设置
+title: 设置向导（CLI）
 x-i18n:
-  generated_at: "2026-02-03T09:20:27Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: 45e10d31048d927ee6546e35b050914f0e6e21a4dee298b3b277eebe7c133732
+  generated_at: "2026-03-16T06:28:38Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: 99fd87dddd78798eb0087ad9433e5a32de2af110b6e65ee351b1a194a11c7df3
   source_path: start/wizard.md
   workflow: 15
 ---
 
-# 新手引导向导（CLI）
+# 设置向导（CLI）
 
-新手引导向导是在 macOS、Linux 或 Windows（通过 WSL2；强烈推荐）上设置 OpenClaw 的**推荐**方式。
-它可以在一个引导式流程中配置本地 Gateway 网关或远程 Gateway 网关连接，以及渠道、Skills 和工作区默认值。
-
-主要入口：
+设置向导是在 macOS、
+Linux 或 Windows（通过 WSL2；强烈推荐）上设置 OpenClaw 的**推荐**方式。
+它可在一次引导式流程中配置本地 Gateway 网关或远程 Gateway 网关连接，以及渠道、Skills
+和工作区默认值。
 
 ```bash
 openclaw onboard
 ```
 
-最快开始聊天的方式：打开控制界面（无需设置渠道）。运行 `openclaw dashboard` 并在浏览器中聊天。文档：[控制面板](/web/dashboard)。
+<Info>
+最快的首次聊天方式：打开 Control UI（无需设置渠道）。运行
+`openclaw dashboard` 并在浏览器中聊天。文档：[Dashboard](/web/dashboard)。
+</Info>
 
-后续重新配置：
+若要稍后重新配置：
 
 ```bash
 openclaw configure
-```
-
-推荐：设置 Brave Search API 密钥，以便智能体可以使用 `web_search`（`web_fetch` 无需密钥即可使用）。最简单的方式：`openclaw configure --section web`，它会存储 `tools.web.search.apiKey`。文档：[Web 工具](/tools/web)。
-
-## 快速开始 vs 高级
-
-向导从**快速开始**（默认值）vs **高级**（完全控制）开始。
-
-**快速开始**保持默认值：
-
-- 本地 Gateway 网关（loopback）
-- 默认工作区（或现有工作区）
-- Gateway 网关端口 **18789**
-- Gateway 网关认证 **Token**（自动生成，即使在 loopback 上）
-- Tailscale 暴露 **关闭**
-- Telegram + WhatsApp 私信默认使用**允许列表**（系统会提示你输入电话号码）
-
-**高级**暴露每个步骤（模式、工作区、Gateway 网关、渠道、守护进程、Skills）。
-
-## 向导做了什么
-
-**本地模式（默认）**引导你完成：
-
-- 模型/认证（OpenAI Code (Codex) 订阅 OAuth、Anthropic API 密钥（推荐）或 setup-token（粘贴），以及 MiniMax/GLM/Moonshot/AI Gateway 选项）
-- 工作区位置 + 引导文件
-- Gateway 网关设置（端口/绑定/认证/tailscale）
-- 提供商（Telegram、WhatsApp、Discord、Google Chat、Mattermost（插件）、Signal）
-- 守护进程安装（LaunchAgent / systemd 用户单元）
-- 健康检查
-- Skills（推荐）
-
-**远程模式**仅配置本地客户端连接到其他位置的 Gateway 网关。
-它**不会**在远程主机上安装或更改任何内容。
-
-要添加更多隔离的智能体（独立的工作区 + 会话 + 认证），使用：
-
-```bash
 openclaw agents add <name>
 ```
 
-提示：`--json` **不**意味着非交互模式。脚本中请使用 `--non-interactive`（和 `--workspace`）。
+<Note>
+`--json` 并不意味着非交互模式。对于脚本，请使用 `--non-interactive`。
+</Note>
 
-## 流程详情（本地）
+<Tip>
+设置向导包含一个 web search 步骤，你可以选择一个提供商
+（Perplexity、Brave、Gemini、Grok 或 Kimi），并粘贴你的 API 密钥，以便智能体
+可以使用 `web_search`。你也可以稍后通过
+`openclaw configure --section web` 进行配置。文档：[Web 工具](/tools/web)。
+</Tip>
 
-1. **现有配置检测**
-   - 如果 `~/.openclaw/openclaw.json` 存在，选择**保留 / 修改 / 重置**。
-   - 重新运行向导**不会**清除任何内容，除非你明确选择**重置**（或传递 `--reset`）。
-   - 如果配置无效或包含遗留键名，向导会停止并要求你在继续之前运行 `openclaw doctor`。
-   - 重置使用 `trash`（永不使用 `rm`）并提供范围选项：
-     - 仅配置
-     - 配置 + 凭证 + 会话
-     - 完全重置（同时删除工作区）
+## 快速开始与高级模式
 
-2. **模型/认证**
-   - **Anthropic API 密钥（推荐）**：如果存在则使用 `ANTHROPIC_API_KEY`，否则提示输入密钥，然后保存供守护进程使用。
-   - **Anthropic OAuth（Claude Code CLI）**：在 macOS 上，向导检查钥匙串项目"Claude Code-credentials"（选择"始终允许"以便 launchd 启动不会阻塞）；在 Linux/Windows 上，如果存在则复用 `~/.claude/.credentials.json`。
-   - **Anthropic 令牌（粘贴 setup-token）**：在任何机器上运行 `claude setup-token`，然后粘贴令牌（你可以命名它；空白 = 默认）。
-   - **OpenAI Code (Codex) 订阅（Codex CLI）**：如果 `~/.codex/auth.json` 存在，向导可以复用它。
-   - **OpenAI Code (Codex) 订阅（OAuth）**：浏览器流程；粘贴 `code#state`。
-     - 当模型未设置或为 `openai/*` 时，将 `agents.defaults.model` 设置为 `openai-codex/gpt-5.2`。
-   - **OpenAI API 密钥**：如果存在则使用 `OPENAI_API_KEY`，否则提示输入密钥，然后保存到 `~/.openclaw/.env` 以便 launchd 可以读取。
-   - **OpenCode Zen（多模型代理）**：提示输入 `OPENCODE_API_KEY`（或 `OPENCODE_ZEN_API_KEY`，在 https://opencode.ai/auth 获取）。
-   - **API 密钥**：为你存储密钥。
-   - **Vercel AI Gateway（多模型代理）**：提示输入 `AI_GATEWAY_API_KEY`。
-   - 更多详情：[Vercel AI Gateway](/providers/vercel-ai-gateway)
-   - **MiniMax M2.1**：自动写入配置。
-   - 更多详情：[MiniMax](/providers/minimax)
-   - **Synthetic（Anthropic 兼容）**：提示输入 `SYNTHETIC_API_KEY`。
-   - 更多详情：[Synthetic](/providers/synthetic)
-   - **Moonshot（Kimi K2）**：自动写入配置。
-   - **Kimi Coding**：自动写入配置。
-   - 更多详情：[Moonshot AI（Kimi + Kimi Coding）](/providers/moonshot)
-   - **跳过**：尚未配置认证。
-   - 从检测到的选项中选择默认模型（或手动输入提供商/模型）。
-   - 向导运行模型检查，如果配置的模型未知或缺少认证则发出警告。
+向导开始时会让你选择**快速开始**（默认值）或**高级模式**（完全控制）。
 
-- OAuth 凭证存储在 `~/.openclaw/credentials/oauth.json`；认证配置文件存储在 `~/.openclaw/agents/<agentId>/agent/auth-profiles.json`（API 密钥 + OAuth）。
-- 更多详情：[/concepts/oauth](/concepts/oauth)
+<Tabs>
+  <Tab title="快速开始（默认值）">
+    - 本地网关（loopback）
+    - 默认工作区（或现有工作区）
+    - Gateway 网关端口 **18789**
+    - Gateway 网关认证 **Token**（即使在 loopback 上也会自动生成）
+    - 新本地设置的默认工具策略：`tools.profile: "coding"`（会保留现有显式配置文件）
+    - 私信隔离默认值：本地新手引导会在未设置时写入 `session.dmScope: "per-channel-peer"`。详情见：[CLI 设置参考](/start/wizard-cli-reference#outputs-and-internals)
+    - Tailscale 暴露 **关闭**
+    - Telegram + WhatsApp 私信默认使用 **allowlist**（系统会提示你输入电话号码）
+  </Tab>
+  <Tab title="高级模式（完全控制）">
+    - 暴露每一个步骤（模式、工作区、Gateway 网关、渠道、守护进程、Skills）。
+  </Tab>
+</Tabs>
 
-3. **工作区**
-   - 默认 `~/.openclaw/workspace`（可配置）。
-   - 为智能体引导仪式播种所需的工作区文件。
-   - 完整的工作区布局 + 备份指南：[智能体工作区](/concepts/agent-workspace)
+## 向导会配置什么
 
-4. **Gateway 网关**
-   - 端口、绑定、认证模式、tailscale 暴露。
-   - 认证建议：即使对于 loopback 也保持 **Token**，以便本地 WS 客户端必须进行认证。
-   - 仅当你完全信任每个本地进程时才禁用认证。
-   - 非 loopback 绑定仍需要认证。
+**本地模式（默认）**会引导你完成以下步骤：
 
-5. **渠道**
-   - [WhatsApp](/channels/whatsapp)：可选的二维码登录。
-   - [Telegram](/channels/telegram)：机器人令牌。
-   - [Discord](/channels/discord)：机器人令牌。
-   - [Google Chat](/channels/googlechat)：服务账户 JSON + webhook 受众。
-   - [Mattermost](/channels/mattermost)（插件）：机器人令牌 + 基础 URL。
-   - [Signal](/channels/signal)：可选的 `signal-cli` 安装 + 账户配置。
-   - [iMessage](/channels/imessage)：本地 `imsg` CLI 路径 + 数据库访问。
-   - 私信安全：默认为配对。第一条私信发送验证码；通过 `openclaw pairing approve <channel> <code>` 批准或使用允许列表。
+1. **模型/认证** —— 选择任意受支持的提供商/认证流程（API 密钥、OAuth 或 setup-token），包括自定义提供商
+   （兼容 OpenAI、兼容 Anthropic，或未知自动检测）。选择一个默认模型。
+   安全说明：如果这个智能体将运行工具或处理 webhook/hooks 内容，请优先选择当前可用的最强最新一代模型，并保持严格的工具策略。较弱/较旧的层级更容易被 prompt 注入。
+   对于非交互式运行，`--secret-input-mode ref` 会在认证配置文件中存储基于环境变量的引用，而不是明文 API 密钥值。
+   在非交互式 `ref` 模式下，必须设置提供商环境变量；如果传入内联密钥标志但缺少该环境变量，则会快速失败。
+   在交互式运行中，选择 secret reference 模式后，你可以指向环境变量或已配置的 provider ref（`file` 或 `exec`），并在保存前进行快速预检校验。
+2. **工作区** —— 智能体文件的位置（默认 `~/.openclaw/workspace`）。会植入引导文件。
+3. **Gateway 网关** —— 端口、绑定地址、认证模式、Tailscale 暴露。
+   在交互式 token 模式中，你可以选择默认的明文 token 存储，或选择启用 SecretRef。
+   非交互式 token SecretRef 路径：`--gateway-token-ref-env <ENV_VAR>`。
+4. **渠道** —— WhatsApp、Telegram、Discord、Google Chat、Mattermost、Signal、BlueBubbles 或 iMessage。
+5. **守护进程** —— 安装 LaunchAgent（macOS）或 systemd 用户单元（Linux/WSL2）。
+   如果 token 认证需要 token，且 `gateway.auth.token` 由 SecretRef 管理，守护进程安装会验证它，但不会将已解析的 token 持久化到监督服务的环境元数据中。
+   如果 token 认证需要 token，而已配置的 token SecretRef 无法解析，守护进程安装会被阻止，并提供可执行的指导。
+   如果同时配置了 `gateway.auth.token` 和 `gateway.auth.password`，而 `gateway.auth.mode` 未设置，守护进程安装会被阻止，直到显式设置 mode。
+6. **健康检查** —— 启动 Gateway 网关并验证其正在运行。
+7. **Skills** —— 安装推荐的 Skills 和可选依赖项。
 
-6. **守护进程安装**
-   - macOS：LaunchAgent
-     - 需要已登录的用户会话；对于无头环境，使用自定义 LaunchDaemon（未提供）。
-   - Linux（和通过 WSL2 的 Windows）：systemd 用户单元
-     - 向导尝试通过 `loginctl enable-linger <user>` 启用 lingering，以便 Gateway 网关在注销后保持运行。
-     - 可能提示 sudo（写入 `/var/lib/systemd/linger`）；它首先尝试不使用 sudo。
-   - **运行时选择：**Node（推荐；WhatsApp/Telegram 需要）。**不推荐** Bun。
+<Note>
+重新运行向导**不会**清除任何内容，除非你显式选择 **Reset**（或传入 `--reset`）。
+CLI `--reset` 默认会重置配置、凭证和会话；如需包含工作区，请使用 `--reset-scope full`。
+如果配置无效或包含旧版键，向导会先要求你运行 `openclaw doctor`。
+</Note>
 
-7. **健康检查**
-   - 启动 Gateway 网关（如果需要）并运行 `openclaw health`。
-   - 提示：`openclaw status --deep` 在状态输出中添加 Gateway 网关健康探测（需要可达的 Gateway 网关）。
-
-8. **Skills（推荐）**
-   - 读取可用的 Skills 并检查要求。
-   - 让你选择节点管理器：**npm / pnpm**（不推荐 bun）。
-   - 安装可选依赖项（某些在 macOS 上使用 Homebrew）。
-
-9. **完成**
-   - 总结 + 后续步骤，包括用于额外功能的 iOS/Android/macOS 应用。
-
-- 如果未检测到 GUI，向导会打印控制界面的 SSH 端口转发说明，而不是打开浏览器。
-- 如果控制界面资源缺失，向导会尝试构建它们；回退方案是 `pnpm ui:build`（自动安装 UI 依赖）。
-
-## 远程模式
-
-远程模式配置本地客户端连接到其他位置的 Gateway 网关。
-
-你将设置的内容：
-
-- 远程 Gateway 网关 URL（`ws://...`）
-- 如果远程 Gateway 网关需要认证则需要令牌（推荐）
-
-注意事项：
-
-- 不执行远程安装或守护进程更改。
-- 如果 Gateway 网关仅限 loopback，使用 SSH 隧道或 tailnet。
-- 发现提示：
-  - macOS：Bonjour（`dns-sd`）
-  - Linux：Avahi（`avahi-browse`）
+**远程模式**只会配置本地客户端以连接到其他地方的 Gateway 网关。
+它**不会**在远程主机上安装或更改任何内容。
 
 ## 添加另一个智能体
 
-使用 `openclaw agents add <name>` 创建一个具有独立工作区、会话和认证配置文件的单独智能体。不带 `--workspace` 运行会启动向导。
+使用 `openclaw agents add <name>` 创建一个单独的智能体，它拥有自己的工作区、
+会话和认证配置文件。不带 `--workspace` 运行会启动向导。
 
-它设置的内容：
+它会设置：
 
 - `agents.list[].name`
 - `agents.list[].workspace`
 - `agents.list[].agentDir`
 
-注意事项：
+说明：
 
 - 默认工作区遵循 `~/.openclaw/workspace-<agentId>`。
-- 添加 `bindings` 以路由入站消息（向导可以执行此操作）。
-- 非交互标志：`--model`、`--agent-dir`、`--bind`、`--non-interactive`。
+- 添加 `bindings` 以路由入站消息（向导可以完成这项操作）。
+- 非交互式标志：`--model`、`--agent-dir`、`--bind`、`--non-interactive`。
 
-## 非交互模式
+## 完整参考
 
-使用 `--non-interactive` 自动化或脚本化新手引导：
-
-```bash
-openclaw onboard --non-interactive \
-  --mode local \
-  --auth-choice apiKey \
-  --anthropic-api-key "$ANTHROPIC_API_KEY" \
-  --gateway-port 18789 \
-  --gateway-bind loopback \
-  --install-daemon \
-  --daemon-runtime node \
-  --skip-skills
-```
-
-添加 `--json` 以获取机器可读的摘要。
-
-Gemini 示例：
-
-```bash
-openclaw onboard --non-interactive \
-  --mode local \
-  --auth-choice gemini-api-key \
-  --gemini-api-key "$GEMINI_API_KEY" \
-  --gateway-port 18789 \
-  --gateway-bind loopback
-```
-
-Z.AI 示例：
-
-```bash
-openclaw onboard --non-interactive \
-  --mode local \
-  --auth-choice zai-api-key \
-  --zai-api-key "$ZAI_API_KEY" \
-  --gateway-port 18789 \
-  --gateway-bind loopback
-```
-
-Vercel AI Gateway 示例：
-
-```bash
-openclaw onboard --non-interactive \
-  --mode local \
-  --auth-choice ai-gateway-api-key \
-  --ai-gateway-api-key "$AI_GATEWAY_API_KEY" \
-  --gateway-port 18789 \
-  --gateway-bind loopback
-```
-
-Moonshot 示例：
-
-```bash
-openclaw onboard --non-interactive \
-  --mode local \
-  --auth-choice moonshot-api-key \
-  --moonshot-api-key "$MOONSHOT_API_KEY" \
-  --gateway-port 18789 \
-  --gateway-bind loopback
-```
-
-Synthetic 示例：
-
-```bash
-openclaw onboard --non-interactive \
-  --mode local \
-  --auth-choice synthetic-api-key \
-  --synthetic-api-key "$SYNTHETIC_API_KEY" \
-  --gateway-port 18789 \
-  --gateway-bind loopback
-```
-
-OpenCode Zen 示例：
-
-```bash
-openclaw onboard --non-interactive \
-  --mode local \
-  --auth-choice opencode-zen \
-  --opencode-zen-api-key "$OPENCODE_API_KEY" \
-  --gateway-port 18789 \
-  --gateway-bind loopback
-```
-
-添加智能体（非交互）示例：
-
-```bash
-openclaw agents add work \
-  --workspace ~/.openclaw/workspace-work \
-  --model openai/gpt-5.2 \
-  --bind whatsapp:biz \
-  --non-interactive \
-  --json
-```
-
-## Gateway 网关向导 RPC
-
-Gateway 网关通过 RPC 暴露向导流程（`wizard.start`、`wizard.next`、`wizard.cancel`、`wizard.status`）。
-客户端（macOS 应用、控制界面）可以渲染步骤而无需重新实现新手引导逻辑。
-
-## Signal 设置（signal-cli）
-
-向导可以从 GitHub releases 安装 `signal-cli`：
-
-- 下载适当的发布资源。
-- 存储在 `~/.openclaw/tools/signal-cli/<version>/` 下。
-- 将 `channels.signal.cliPath` 写入你的配置。
-
-注意事项：
-
-- JVM 构建需要 **Java 21**。
-- 可用时使用原生构建。
-- Windows 使用 WSL2；signal-cli 安装在 WSL 内遵循 Linux 流程。
-
-## 向导写入的内容
-
-`~/.openclaw/openclaw.json` 中的典型字段：
-
-- `agents.defaults.workspace`
-- `agents.defaults.model` / `models.providers`（如果选择了 Minimax）
-- `gateway.*`（模式、绑定、认证、tailscale）
-- `channels.telegram.botToken`、`channels.discord.token`、`channels.signal.*`、`channels.imessage.*`
-- 当你在提示中选择加入时的渠道允许列表（Slack/Discord/Matrix/Microsoft Teams）（名称在可能时解析为 ID）。
-- `skills.install.nodeManager`
-- `wizard.lastRunAt`
-- `wizard.lastRunVersion`
-- `wizard.lastRunCommit`
-- `wizard.lastRunCommand`
-- `wizard.lastRunMode`
-
-`openclaw agents add` 写入 `agents.list[]` 和可选的 `bindings`。
-
-WhatsApp 凭证存储在 `~/.openclaw/credentials/whatsapp/<accountId>/` 下。
-会话存储在 `~/.openclaw/agents/<agentId>/sessions/` 下。
-
-某些渠道以插件形式提供。当你在新手引导期间选择一个时，向导会在配置之前提示安装它（npm 或本地路径）。
+有关详细的分步骤拆解和配置输出，请参见
+[CLI 设置参考](/start/wizard-cli-reference)。
+有关非交互式示例，请参见 [CLI 自动化](/start/wizard-cli-automation)。
+有关更深入的技术参考（包括 RPC 细节），请参见
+[向导参考](/reference/wizard)。
 
 ## 相关文档
 
+- CLI 命令参考：[`openclaw onboard`](/cli/onboard)
+- 新手引导概览：[Onboarding Overview](/start/onboarding-overview)
 - macOS 应用新手引导：[新手引导](/start/onboarding)
-- 配置参考：[Gateway 网关配置](/gateway/configuration)
-- 提供商：[WhatsApp](/channels/whatsapp)、[Telegram](/channels/telegram)、[Discord](/channels/discord)、[Google Chat](/channels/googlechat)、[Signal](/channels/signal)、[iMessage](/channels/imessage)
-- Skills：[Skills](/tools/skills)、[Skills 配置](/tools/skills-config)
+- 智能体首次运行仪式：[智能体引导](/start/bootstrapping)
diff --git a/docs/zh-CN/tools/plugin.md b/docs/zh-CN/tools/plugin.md
index 5ec0b9707ff..a2ade46ffbc 100644
--- a/docs/zh-CN/tools/plugin.md
+++ b/docs/zh-CN/tools/plugin.md
@@ -1,78 +1,414 @@
 ---
 read_when:
-  - 添加或修改插件/扩展
-  - 记录插件安装或加载规则
-summary: OpenClaw 插件/扩展：发现、配置和安全
+  - 添加或修改插件/扩展时
+  - 记录插件安装或加载规则时
+  - 使用与 Codex/Claude 兼容的插件包时
+summary: OpenClaw 插件/扩展：发现、配置与安全
 title: 插件
 x-i18n:
-  generated_at: "2026-03-16T01:39:16Z"
-  model: claude-opus-4-5
-  provider: pi
-  source_hash: 3c79de31bf50147bdfa6cfc5ed55185e91bb55a8db986df0596b24d5529c7798
+  generated_at: "2026-03-16T06:36:16Z"
+  model: gpt-5.4
+  provider: openai
+  source_hash: d84a98f113817836c829b6e6f8a1cae441d2f0ee284fdd7194d193fd1aa34ff9
   source_path: tools/plugin.md
   workflow: 15
 ---
 
 # 插件（扩展）
 
-## 快速开始（插件新手？）
+## 快速开始（刚接触插件？）
 
-插件只是一个**小型代码模块**，用额外功能（命令、工具和 Gateway 网关 RPC）扩展 OpenClaw。
+插件可以是以下两种之一：
 
-大多数时候，当你想要一个尚未内置到核心 OpenClaw 的功能（或你想将可选功能排除在主安装之外）时，你会使用插件。
+- 原生 **OpenClaw 插件**（`openclaw.plugin.json` + 运行时模块），或
+- 兼容的 **bundle**（`.codex-plugin/plugin.json` 或 `.claude-plugin/plugin.json`）
 
-快速路径：
+两者都会显示在 `openclaw plugins` 下，但只有原生 OpenClaw 插件会在进程内执行运行时代码。
 
-1. 查看已加载的内容：
+大多数情况下，当你想要某项核心 OpenClaw 尚未内置的功能时，就会使用插件（或者你希望将可选功能保留在主安装之外）。
+
+快捷路径：
+
+1. 查看当前已加载的内容：
 
 ```bash
 openclaw plugins list
 ```
 
-2. 安装官方插件（例如：Voice Call）：
+2. 安装官方插件（示例：Voice Call）：
 
 ```bash
 openclaw plugins install @openclaw/voice-call
 ```
 
-3. 重启 Gateway 网关，然后在 `plugins.entries.<id>.config` 下配置。
+Npm 规格仅支持 **registry-only**（包名 + 可选的 **精确版本** 或 **dist-tag**）。
 
-参见 [Voice Call](/plugins/voice-call) 了解具体的插件示例。
+Git/URL/file 规格和 semver 范围都会被拒绝。
+
+裸规格和 `@latest` 会停留在稳定通道。如果 npm 将其中任一解析为预发布版本，OpenClaw 会停止并要求你通过预发布标签（例如 `@beta`/`@rc`）或精确的预发布版本显式选择加入。
+
+3. 重启 Gateway 网关，然后在 `plugins.entries.<id>.config` 下进行配置。
+
+查看 [Voice Call](/plugins/voice-call) 获取一个具体的插件示例。
+想找第三方列表？请查看 [Community plugins](/plugins/community)。
+需要了解 bundle 兼容性细节？请查看 [Plugin bundles](/plugins/bundles)。
+
+对于兼容的 bundle，可从本地目录或归档文件安装：
+
+```bash
+openclaw plugins install ./my-bundle
+openclaw plugins install ./my-bundle.tgz
+```
+
+## 架构
+
+OpenClaw 的插件系统有四层：
+
+1. **清单 + 发现**
+   OpenClaw 会从已配置路径、工作区根目录、全局扩展根目录以及随附扩展中查找候选插件。发现过程会先读取原生 `openclaw.plugin.json` 清单以及受支持的 bundle 清单。
+2. **启用 + 验证**
+   核心会决定某个已发现插件是启用、禁用、阻止，还是被选用于某个独占插槽（例如内存）。
+3. **运行时加载**
+   原生 OpenClaw 插件通过 jiti 在进程内加载，并将功能注册到一个中央注册表中。兼容的 bundle 会被规范化为注册表记录，而不会导入运行时代码。
+4. **表面消费**
+   OpenClaw 的其余部分会读取注册表，以公开工具、渠道、提供商设置、hooks、HTTP 路由、CLI 命令和服务。
+
+重要的设计边界：
+
+- 发现 + 配置验证应基于 **manifest/schema 元数据** 运行，而不执行插件代码
+- 原生运行时行为来自插件模块的 `register(api)` 路径
+
+这种拆分让 OpenClaw 能够在完整运行时激活之前，就验证配置、解释缺失/被禁用的插件，并构建 UI/schema 提示。
+
+## 兼容的 bundle
+
+OpenClaw 还识别两种兼容的外部 bundle 布局：
+
+- Codex 风格 bundle：`.codex-plugin/plugin.json`
+- Claude 风格 bundle：`.claude-plugin/plugin.json`，或者没有清单的默认 Claude 组件布局
+- Cursor 风格 bundle：`.cursor-plugin/plugin.json`
+
+它们会在插件列表中显示为 `format=bundle`，并在详细/info 输出中显示 `codex` 或 `claude` 子类型。
+
+有关精确的检测规则、映射行为和当前支持矩阵，请参阅 [Plugin bundles](/plugins/bundles)。
+
+目前，OpenClaw 将这些内容视为 **能力包**，而不是原生运行时插件：
+
+- 当前支持：捆绑的 `skills`
+- 当前支持：Claude `commands/` markdown 根目录，映射到常规 OpenClaw 技能加载器
+- 当前支持：Claude bundle `settings.json` 默认值，用于嵌入式 Pi 智能体设置（会清理 shell override 键）
+- 当前支持：Cursor `.cursor/commands/*.md` 根目录，映射到常规 OpenClaw 技能加载器
+- 当前支持：使用 OpenClaw hook-pack 布局的 Codex bundle hook 目录（`HOOK.md` + `handler.ts`/`handler.js`）
+- 已检测但尚未接线：其他已声明的 bundle 能力，例如 agents、Claude hook 自动化、Cursor rules/hooks/MCP 元数据、MCP/app/LSP 元数据、输出样式
+
+这意味着 bundle 的安装/发现/列表/info/启用都可正常工作，并且当 bundle 被启用时，bundle skills、Claude command-skills、Claude bundle settings 默认值以及兼容的 Codex hook 目录都会被加载，但 bundle 运行时代码不会在进程内执行。
+
+Bundle hook 支持仅限于常规 OpenClaw hook 目录格式（在声明的 hook 根目录下使用 `HOOK.md` 加上 `handler.ts`/`handler.js`）。
+供应商特定的 shell/JSON hook 运行时，包括 Claude `hooks.json`，当前仅会被检测，不会被直接执行。
+
+## 执行模型
+
+原生 OpenClaw 插件与 Gateway 网关 **在同一进程内** 运行。它们不会进行沙箱隔离。已加载的原生插件与核心代码处于相同的进程级信任边界。
+
+这意味着：
+
+- 原生插件可以注册工具、网络处理器、hooks 和服务
+- 原生插件中的 bug 可能导致 gateway 崩溃或不稳定
+- 恶意原生插件等同于在 OpenClaw 进程内部执行任意代码
+
+兼容的 bundle 默认更安全，因为 OpenClaw 目前将它们视为元数据/内容包。在当前版本中，这主要意味着捆绑的技能。
+
+对于非捆绑插件，请使用 allowlist 和显式安装/加载路径。将工作区插件视为开发期代码，而不是生产默认项。
+
+重要信任说明：
+
+- `plugins.allow` 信任的是 **plugin id**，而不是来源出处。
+- 如果某个工作区插件与某个捆绑插件具有相同 id，那么启用/加入 allowlist 后，工作区插件会有意覆盖捆绑副本。
+- 这是一种正常且有用的行为，适合本地开发、补丁测试和热修复。
 
 ## 可用插件（官方）
 
-- 从 2026.1.15 起 Microsoft Teams 仅作为插件提供；如果使用 Teams，请安装 `@openclaw/msteams`。
-- Memory (Core) — 捆绑的记忆搜索插件（通过 `plugins.slots.memory` 默认启用）
-- Memory (LanceDB) — 捆绑的长期记忆插件（自动召回/捕获；设置 `plugins.slots.memory = "memory-lancedb"`）
+- Microsoft Teams 自 `2026.1.15` 起仅以插件形式提供；如果你使用 Teams，请安装 `@openclaw/msteams`。
+- Memory（Core）— 捆绑的内存搜索插件（默认通过 `plugins.slots.memory` 启用）
+- Memory（LanceDB）— 捆绑的长期记忆插件（自动召回/捕获；设置 `plugins.slots.memory = "memory-lancedb"`）
 - [Voice Call](/plugins/voice-call) — `@openclaw/voice-call`
 - [Zalo Personal](/plugins/zalouser) — `@openclaw/zalouser`
 - [Matrix](/channels/matrix) — `@openclaw/matrix`
 - [Nostr](/channels/nostr) — `@openclaw/nostr`
 - [Zalo](/channels/zalo) — `@openclaw/zalo`
 - [Microsoft Teams](/channels/msteams) — `@openclaw/msteams`
-- Google 网页搜索 + Gemini CLI OAuth — 作为 `google` 捆绑（网页搜索会自动加载；提供商认证仍需手动启用）
-- Qwen OAuth（提供商认证）— 作为 `qwen-portal-auth` 捆绑（默认禁用）
-- Copilot Proxy（提供商认证）— 本地 VS Code Copilot Proxy 桥接；与内置 `github-copilot` 设备登录不同（捆绑，默认禁用）
+- Anthropic provider 运行时 — 以 `anthropic` 形式捆绑（默认启用）
+- BytePlus provider catalog — 以 `byteplus` 形式捆绑（默认启用）
+- Cloudflare AI Gateway provider catalog — 以 `cloudflare-ai-gateway` 形式捆绑（默认启用）
+- Google 网络搜索 + Gemini CLI OAuth — 以 `google` 形式捆绑（网页搜索会自动加载；provider 身份验证仍需选择启用）
+- GitHub Copilot provider 运行时 — 以 `github-copilot` 形式捆绑（默认启用）
+- Hugging Face provider catalog — 以 `huggingface` 形式捆绑（默认启用）
+- Kilo Gateway provider 运行时 — 以 `kilocode` 形式捆绑（默认启用）
+- Kimi Coding provider catalog — 以 `kimi-coding` 形式捆绑（默认启用）
+- MiniMax provider catalog + usage + OAuth — 以 `minimax` 形式捆绑（默认启用；拥有 `minimax` 和 `minimax-portal`）
+- Mistral provider 能力 — 以 `mistral` 形式捆绑（默认启用）
+- Model Studio provider catalog — 以 `modelstudio` 形式捆绑（默认启用）
+- Moonshot provider 运行时 — 以 `moonshot` 形式捆绑（默认启用）
+- NVIDIA provider catalog — 以 `nvidia` 形式捆绑（默认启用）
+- OpenAI provider 运行时 — 以 `openai` 形式捆绑（默认启用；同时拥有 `openai` 和 `openai-codex`）
+- OpenCode Go provider 能力 — 以 `opencode-go` 形式捆绑（默认启用）
+- OpenCode Zen provider 能力 — 以 `opencode` 形式捆绑（默认启用）
+- OpenRouter provider 运行时 — 以 `openrouter` 形式捆绑（默认启用）
+- Qianfan provider catalog — 以 `qianfan` 形式捆绑（默认启用）
+- Qwen OAuth（provider 身份验证 + catalog）— 以 `qwen-portal-auth` 形式捆绑（默认启用）
+- Synthetic provider catalog — 以 `synthetic` 形式捆绑（默认启用）
+- Together provider catalog — 以 `together` 形式捆绑（默认启用）
+- Venice provider catalog — 以 `venice` 形式捆绑（默认启用）
+- Vercel AI Gateway provider catalog — 以 `vercel-ai-gateway` 形式捆绑（默认启用）
+- Volcengine provider catalog — 以 `volcengine` 形式捆绑（默认启用）
+- Xiaomi provider catalog + usage — 以 `xiaomi` 形式捆绑（默认启用）
+- Z.AI provider 运行时 — 以 `zai` 形式捆绑（默认启用）
+- Copilot Proxy（provider 身份验证）— 本地 VS Code Copilot Proxy 桥接；不同于内置的 `github-copilot` 设备登录（已捆绑，默认禁用）
 
-OpenClaw 插件是通过 jiti 在运行时加载的 **TypeScript 模块**。**配置验证不会执行插件代码**；它使用插件清单和 JSON Schema。参见 [插件清单](/plugins/manifest)。
+原生 OpenClaw 插件是通过 jiti 在运行时加载的 **TypeScript 模块**。
+**配置验证不会执行插件代码**；它使用的是插件 manifest 和 JSON Schema。请参阅 [Plugin manifest](/plugins/manifest)。
 
-插件可以注册：
+原生 OpenClaw 插件可以注册：
 
-- Gateway 网关 RPC 方法
-- Gateway 网关 HTTP 处理程序
+- Gateway RPC 方法
+- Gateway HTTP 路由
 - 智能体工具
 - CLI 命令
 - 后台服务
-- 可选的配置验证
-- **Skills**（通过在插件清单中列出 `skills` 目录）
-- **自动回复命令**（不调用 AI 智能体即可执行）
+- 上下文引擎
+- provider 身份验证流程和模型目录
+- 用于动态模型 id、传输规范化、能力元数据、流包装、缓存 TTL 策略、缺失身份验证提示、内置模型抑制、目录增强、运行时身份验证交换以及 usage/billing 身份验证 + 快照解析的 provider 运行时 hooks
+- 可选配置验证
+- **Skills**（通过在插件 manifest 中列出 `skills` 目录）
+- **自动回复命令**（无需调用 AI 智能体即可执行）
 
-插件与 Gateway 网关**在同一进程中**运行，因此将它们视为受信任的代码。
-工具编写指南：[插件智能体工具](/plugins/agent-tools)。
+原生 OpenClaw 插件与 Gateway 网关 **在同一进程内** 运行，因此应将其视为受信任代码。
+工具编写指南：[Plugin agent tools](/plugins/agent-tools)。
+
+## Provider 运行时 hooks
+
+Provider 插件现在有两层：
+
+- manifest 元数据：`providerAuthEnvVars`，用于在运行时加载前进行低成本的环境身份验证查找
+- 配置时 hooks：`catalog` / 旧版 `discovery`
+- 运行时 hooks：`resolveDynamicModel`、`prepareDynamicModel`、`normalizeResolvedModel`、`capabilities`、`prepareExtraParams`、`wrapStreamFn`、`formatApiKey`、`refreshOAuth`、`buildAuthDoctorHint`、`isCacheTtlEligible`、`buildMissingAuthMessage`、`suppressBuiltInModel`、`augmentModelCatalog`、`isBinaryThinking`、`supportsXHighThinking`、`resolveDefaultThinkingLevel`、`isModernModelRef`、`prepareRuntimeAuth`、`resolveUsageAuth`、`fetchUsageSnapshot`
+
+OpenClaw 仍然负责通用的智能体循环、故障切换、转录处理和工具策略。这些 hooks 是 provider 特定行为的接缝，而无需整个自定义推理传输层。
+
+当 provider 具有基于环境变量的凭据，并且你希望通用 auth/status/model-picker 路径在不加载插件运行时的情况下就能看到这些凭据时，请使用 manifest `providerAuthEnvVars`。
+保留 provider 运行时 `envVars` 用于面向操作员的提示，例如新手引导标签或 OAuth client-id/client-secret 设置环境变量。
+
+### Hook 顺序
+
+对于 model/provider 插件，OpenClaw 大致按以下顺序使用 hooks：
+
+1. `catalog`
+   在生成 `models.json` 期间，将 provider 配置发布到 `models.providers` 中。
+2. 内置/已发现模型查找
+   OpenClaw 会先尝试常规注册表/目录路径。
+3. `resolveDynamicModel`
+   对于本地注册表中尚不存在的 provider 自有 model id，进行同步后备解析。
+4. `prepareDynamicModel`
+   仅在异步模型解析路径上执行异步预热，然后再次运行 `resolveDynamicModel`。
+5. `normalizeResolvedModel`
+   在嵌入式运行器使用已解析模型之前进行最终重写。
+6. `capabilities`
+   由共享核心逻辑使用的 provider 自有转录/工具元数据。
+7. `prepareExtraParams`
+   在通用流选项包装器之前执行 provider 自有请求参数规范化。
+8. `wrapStreamFn`
+   在应用通用包装器之后执行 provider 自有流包装器。
+9. `formatApiKey`
+   当存储的 auth profile 需要转换为运行时 `apiKey` 字符串时，使用 provider 自有身份验证配置器。
+10. `refreshOAuth`
+    对自定义刷新端点或刷新失败策略执行 provider 自有 OAuth 刷新覆盖。
+11. `buildAuthDoctorHint`
+    当 OAuth 刷新失败时，追加 provider 自有修复提示。
+12. `isCacheTtlEligible`
+    为代理/backhaul provider 提供 provider 自有提示词缓存策略。
+13. `buildMissingAuthMessage`
+    用 provider 自有内容替换通用的缺失身份验证恢复消息。
+14. `suppressBuiltInModel`
+    执行 provider 自有的过时上游模型抑制，并可返回面向用户的错误提示。
+15. `augmentModelCatalog`
+    在发现后附加 provider 自有的合成/最终目录行。
+16. `isBinaryThinking`
+    为二元 thinking provider 提供 provider 自有的开/关推理切换。
+17. `supportsXHighThinking`
+    为选定模型提供 provider 自有的 `xhigh` 推理支持。
+18. `resolveDefaultThinkingLevel`
+    为特定模型家族提供 provider 自有的默认 `/think` 级别。
+19. `isModernModelRef`
+    提供 provider 自有的现代模型匹配器，用于 live profile 过滤器和 smoke 选择。
+20. `prepareRuntimeAuth`
+    在推理前将已配置的凭据交换为实际的运行时令牌/密钥。
+21. `resolveUsageAuth`
+    为 `/usage` 及相关状态表面解析 usage/billing 凭据。
+22. `fetchUsageSnapshot`
+    在身份验证解析完成后，抓取并规范化 provider 特定的 usage/quota 快照。
+
+### 应该使用哪个 hook
+
+- `catalog`：将 provider 配置和模型目录发布到 `models.providers`
+- `resolveDynamicModel`：处理本地注册表中尚未存在的透传或前向兼容 model id
+- `prepareDynamicModel`：在重试动态解析之前执行异步预热（例如刷新 provider 元数据缓存）
+- `normalizeResolvedModel`：在推理前重写已解析模型的传输/base URL/兼容性
+- `capabilities`：发布 provider 家族和转录/工具差异，而不在核心中硬编码 provider id
+- `prepareExtraParams`：在通用流包装之前设置 provider 默认值或规范化 provider 特定的每模型参数
+- `wrapStreamFn`：在仍使用常规 `pi-ai` 执行路径时，添加 provider 特定的 header/payload/model 兼容补丁
+- `formatApiKey`：将存储的 auth profile 转换为运行时 `apiKey` 字符串，而不在核心中硬编码 provider 令牌 blob
+- `refreshOAuth`：为不适配共享 `pi-ai` 刷新器的 provider 自主管理 OAuth 刷新
+- `buildAuthDoctorHint`：在刷新失败时追加 provider 自有的身份验证修复指导
+- `isCacheTtlEligible`：决定 provider/模型组合是否应使用 cache TTL 元数据
+- `buildMissingAuthMessage`：用 provider 特定恢复提示替换通用 auth-store 错误
+- `suppressBuiltInModel`：隐藏过时上游条目，并可在直接解析失败时返回 provider 自有错误
+- `augmentModelCatalog`：在发现和配置合并后附加合成/最终目录行
+- `isBinaryThinking`：在 `/think` 中公开二元开/关推理 UX，而不硬编码 provider id
+- `supportsXHighThinking`：让特定模型启用 `xhigh` 推理级别
+- `resolveDefaultThinkingLevel`：将 provider/模型默认推理策略移出核心
+- `isModernModelRef`：将 live/smoke 模型家族包含规则保留在 provider 中
+- `prepareRuntimeAuth`：将已配置凭据交换为请求所用的实际短期运行时令牌/密钥
+- `resolveUsageAuth`：为 usage/billing 端点解析 provider 自有凭据，而不在核心中硬编码令牌解析
+- `fetchUsageSnapshot`：由 provider 自主管理 usage 端点抓取/解析，而核心继续负责摘要扇出和格式化
+
+经验法则：
+
+- provider 拥有目录或 base URL 默认值：使用 `catalog`
+- provider 接受任意上游 model id：使用 `resolveDynamicModel`
+- provider 在解析未知 id 前需要网络元数据：添加 `prepareDynamicModel`
+- provider 需要传输重写但仍使用核心传输：使用 `normalizeResolvedModel`
+- provider 需要转录/provider 家族差异：使用 `capabilities`
+- provider 需要默认请求参数或按 provider 清理参数：使用 `prepareExtraParams`
+- provider 需要请求 header/body/model 兼容包装而不使用自定义传输：使用 `wrapStreamFn`
+- provider 在 auth profile 中存储额外元数据并需要自定义运行时令牌格式：使用 `formatApiKey`
+- provider 需要自定义 OAuth 刷新端点或刷新失败策略：使用 `refreshOAuth`
+- provider 在刷新失败后需要 provider 自有身份验证修复指导：使用 `buildAuthDoctorHint`
+- provider 需要特定于代理的 cache TTL 门控：使用 `isCacheTtlEligible`
+- provider 需要 provider 特定的缺失身份验证恢复提示：使用 `buildMissingAuthMessage`
+- provider 需要隐藏过时上游条目或用厂商提示替换它们：使用 `suppressBuiltInModel`
+- provider 需要在 `models list` 和选择器中添加合成的前向兼容条目：使用 `augmentModelCatalog`
+- provider 仅提供二元 thinking 开/关：使用 `isBinaryThinking`
+- provider 只希望部分模型启用 `xhigh`：使用 `supportsXHighThinking`
+- provider 拥有某个模型家族默认 `/think` 策略：使用 `resolveDefaultThinkingLevel`
+- provider 拥有 live/smoke 首选模型匹配：使用 `isModernModelRef`
+- provider 需要令牌交换或短期请求凭据：使用 `prepareRuntimeAuth`
+- provider 需要自定义 usage/quota 令牌解析或不同的 usage 凭据：使用 `resolveUsageAuth`
+- provider 需要 provider 特定的 usage 端点或负载解析器：使用 `fetchUsageSnapshot`
+
+如果 provider 需要完全自定义的线协议或自定义请求执行器，那属于另一类扩展。这些 hooks 适用于仍运行在 OpenClaw 常规推理循环上的 provider 行为。
+
+### Provider 示例
+
+```ts
+api.registerProvider({
+  id: "example-proxy",
+  label: "Example Proxy",
+  auth: [],
+  catalog: {
+    order: "simple",
+    run: async (ctx) => {
+      const apiKey = ctx.resolveProviderApiKey("example-proxy").apiKey;
+      if (!apiKey) {
+        return null;
+      }
+      return {
+        provider: {
+          baseUrl: "https://proxy.example.com/v1",
+          apiKey,
+          api: "openai-completions",
+          models: [{ id: "auto", name: "Auto" }],
+        },
+      };
+    },
+  },
+  resolveDynamicModel: (ctx) => ({
+    id: ctx.modelId,
+    name: ctx.modelId,
+    provider: "example-proxy",
+    api: "openai-completions",
+    baseUrl: "https://proxy.example.com/v1",
+    reasoning: false,
+    input: ["text"],
+    cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
+    contextWindow: 128000,
+    maxTokens: 8192,
+  }),
+  prepareRuntimeAuth: async (ctx) => {
+    const exchanged = await exchangeToken(ctx.apiKey);
+    return {
+      apiKey: exchanged.token,
+      baseUrl: exchanged.baseUrl,
+      expiresAt: exchanged.expiresAt,
+    };
+  },
+  resolveUsageAuth: async (ctx) => {
+    const auth = await ctx.resolveOAuthToken();
+    return auth ? { token: auth.token } : null;
+  },
+  fetchUsageSnapshot: async (ctx) => {
+    return await fetchExampleProxyUsage(ctx.token, ctx.timeoutMs, ctx.fetchFn);
+  },
+});
+```
+
+### 内置示例
+
+- Anthropic 使用 `resolveDynamicModel`、`capabilities`、`buildAuthDoctorHint`、`resolveUsageAuth`、`fetchUsageSnapshot`、`isCacheTtlEligible`、`resolveDefaultThinkingLevel` 和 `isModernModelRef`，因为它拥有 Claude 4.6 前向兼容、provider 家族提示、身份验证修复指导、usage 端点集成、提示词缓存资格以及 Claude 默认/自适应 thinking 策略。
+- OpenAI 使用 `resolveDynamicModel`、`normalizeResolvedModel` 和 `capabilities`，以及 `buildMissingAuthMessage`、`suppressBuiltInModel`、`augmentModelCatalog`、`supportsXHighThinking` 和 `isModernModelRef`，因为它拥有 GPT-5.4 前向兼容、直接 OpenAI `openai-completions` -> `openai-responses` 规范化、支持 Codex 的身份验证提示、Spark 抑制、合成 OpenAI 列表行以及 GPT-5 thinking / live-model 策略。
+- OpenRouter 使用 `catalog` 以及 `resolveDynamicModel` 和 `prepareDynamicModel`，因为该 provider 是透传型的，可能会在 OpenClaw 静态目录更新之前暴露新的 model id。
+- GitHub Copilot 使用 `catalog`、`auth`、`resolveDynamicModel` 和 `capabilities`，以及 `prepareRuntimeAuth` 和 `fetchUsageSnapshot`，因为它需要 provider 自有设备登录、模型回退行为、Claude 转录差异、GitHub token -> Copilot token 交换，以及 provider 自有 usage 端点。
+- OpenAI Codex 使用 `catalog`、`resolveDynamicModel`、`normalizeResolvedModel`、`refreshOAuth` 和 `augmentModelCatalog`，以及 `prepareExtraParams`、`resolveUsageAuth` 和 `fetchUsageSnapshot`，因为它仍运行在核心 OpenAI 传输之上，但拥有自己的传输/base URL 规范化、OAuth 刷新后备策略、默认传输选择、合成 Codex 目录行以及 ChatGPT usage 端点集成。
+- Google AI Studio 和 Gemini CLI OAuth 使用 `resolveDynamicModel` 和 `isModernModelRef`，因为它们拥有 Gemini 3.1 前向兼容后备和现代模型匹配；Gemini CLI OAuth 还使用 `formatApiKey`、`resolveUsageAuth` 和 `fetchUsageSnapshot` 来处理令牌格式化、令牌解析和 quota 端点接线。
+- OpenRouter 使用 `capabilities`、`wrapStreamFn` 和 `isCacheTtlEligible`，以便将 provider 特定的请求头、路由元数据、reasoning 补丁和提示词缓存策略从核心中移出。
+- Moonshot 使用 `catalog` 和 `wrapStreamFn`，因为它仍使用共享 OpenAI 传输，但需要 provider 自有 thinking 负载规范化。
+- Kilocode 使用 `catalog`、`capabilities`、`wrapStreamFn` 和 `isCacheTtlEligible`，因为它需要 provider 自有请求头、reasoning 负载规范化、Gemini 转录提示和 Anthropic cache-TTL 门控。
+- Z.AI 使用 `resolveDynamicModel`、`prepareExtraParams`、`wrapStreamFn`、`isCacheTtlEligible`、`isBinaryThinking`、`isModernModelRef`、`resolveUsageAuth` 和 `fetchUsageSnapshot`，因为它拥有 GLM-5 后备、`tool_stream` 默认值、二元 thinking UX、现代模型匹配，以及 usage 身份验证 + quota 抓取。
+- Mistral、OpenCode Zen 和 OpenCode Go 仅使用 `capabilities`，以便将转录/工具差异移出核心。
+- 仅目录型的捆绑 provider，例如 `byteplus`、`cloudflare-ai-gateway`、`huggingface`、`kimi-coding`、`modelstudio`、`nvidia`、`qianfan`、`synthetic`、`together`、`venice`、`vercel-ai-gateway` 和 `volcengine`，仅使用 `catalog`。
+- Qwen portal 使用 `catalog`、`auth` 和 `refreshOAuth`。
+- MiniMax 和 Xiaomi 使用 `catalog` 加 usage hooks，因为尽管推理仍通过共享传输运行，但它们的 `/usage` 行为由插件拥有。
+
+## 加载流水线
+
+启动时，OpenClaw 大致会执行以下步骤：
+
+1. 发现候选插件根目录
+2. 读取原生或兼容 bundle 的 manifest 和包元数据
+3. 拒绝不安全的候选项
+4. 规范化插件配置（`plugins.enabled`、`allow`、`deny`、`entries`、`slots`、`load.paths`）
+5. 决定每个候选项的启用状态
+6. 通过 jiti 加载已启用的原生模块
+7. 调用原生 `register(api)` hooks，并将注册内容收集到插件注册表中
+8. 将注册表暴露给命令/运行时表面
+
+安全门会在运行时执行 **之前** 发生。
+当条目逃逸出插件根目录、路径对所有人可写，或对于非捆绑插件来说路径所有权看起来可疑时，候选项会被阻止。
+
+### 清单优先行为
+
+Manifest 是控制面的事实来源。OpenClaw 用它来：
+
+- 识别插件
+- 发现声明的渠道/skills/配置 schema 或 bundle 能力
+- 验证 `plugins.entries.<id>.config`
+- 增强 Control UI 标签/占位符
+- 显示安装/目录元数据
+
+对于原生插件，运行时模块是数据面部分。它注册实际行为，例如 hooks、工具、命令或 provider 流程。
+
+### 加载器缓存了什么
+
+OpenClaw 会保留短期进程内缓存，用于：
+
+- 发现结果
+- manifest 注册表数据
+- 已加载的插件注册表
+
+这些缓存可以减少突发启动和重复命令开销。你可以将它们理解为短生命周期的性能缓存，而不是持久化存储。
 
 ## 运行时辅助工具
 
-插件可以通过 `api.runtime` 访问选定的核心辅助工具。对于电话 TTS：
+插件可以通过 `api.runtime` 访问部分核心辅助工具。对于电话 TTS：
 
 ```ts
 const result = await api.runtime.tts.textToSpeechTelephony({
@@ -81,15 +417,161 @@ const result = await api.runtime.tts.textToSpeechTelephony({
 });
 ```
 
-注意事项：
+说明：
 
 - 使用核心 `messages.tts` 配置（OpenAI 或 ElevenLabs）。
-- 返回 PCM 音频缓冲区 + 采样率。插件必须为提供商重新采样/编码。
-- Edge TTS 不支持电话。
+- 返回 PCM 音频缓冲区 + 采样率。插件必须为 provider 重新采样/编码。
+- Edge TTS 不支持电话场景。
 
-## 发现和优先级
+对于 STT/转录，插件可以调用：
 
-OpenClaw 按顺序扫描：
+```ts
+const { text } = await api.runtime.stt.transcribeAudioFile({
+  filePath: "/tmp/inbound-audio.ogg",
+  cfg: api.config,
+  // 当无法可靠推断 MIME 时可选：
+  mime: "audio/ogg",
+});
+```
+
+说明：
+
+- 使用核心媒体理解音频配置（`tools.media.audio`）和 provider 后备顺序。
+- 当没有生成转录输出时（例如输入被跳过/不受支持），返回 `{ text: undefined }`。
+
+## Gateway HTTP 路由
+
+插件可以使用 `api.registerHttpRoute(...)` 公开 HTTP 端点。
+
+```ts
+api.registerHttpRoute({
+  path: "/acme/webhook",
+  auth: "plugin",
+  match: "exact",
+  handler: async (_req, res) => {
+    res.statusCode = 200;
+    res.end("ok");
+    return true;
+  },
+});
+```
+
+路由字段：
+
+- `path`：Gateway 网关 HTTP 服务器下的路由路径。
+- `auth`：必填。使用 `"gateway"` 以要求常规 gateway 身份验证，或使用 `"plugin"` 以进行插件管理的身份验证/webhook 验证。
+- `match`：可选。`"exact"`（默认）或 `"prefix"`。
+- `replaceExisting`：可选。允许同一插件替换自身现有的路由注册。
+- `handler`：当路由处理了请求时返回 `true`。
+
+说明：
+
+- `api.registerHttpHandler(...)` 已过时。请使用 `api.registerHttpRoute(...)`。
+- 插件路由必须显式声明 `auth`。
+- 除非设置 `replaceExisting: true`，否则精确 `path + match` 冲突会被拒绝，而且一个插件不能替换另一个插件的路由。
+- 具有不同 `auth` 级别的重叠路由会被拒绝。请仅在相同 auth 级别上保留 `exact`/`prefix` 贯穿链。
+
+## Plugin SDK 导入路径
+
+编写插件时，请使用 SDK 子路径，而不是单体式 `openclaw/plugin-sdk` 导入：
+
+- `openclaw/plugin-sdk/core` 用于通用插件 API、provider 身份验证类型和共享辅助工具。
+- `openclaw/plugin-sdk/compat` 用于比 `core` 需要更广泛共享运行时辅助工具的捆绑/内部插件代码。
+- `openclaw/plugin-sdk/telegram` 用于 Telegram 渠道插件。
+- `openclaw/plugin-sdk/discord` 用于 Discord 渠道插件。
+- `openclaw/plugin-sdk/slack` 用于 Slack 渠道插件。
+- `openclaw/plugin-sdk/signal` 用于 Signal 渠道插件。
+- `openclaw/plugin-sdk/imessage` 用于 iMessage 渠道插件。
+- `openclaw/plugin-sdk/whatsapp` 用于 WhatsApp 渠道插件。
+- `openclaw/plugin-sdk/line` 用于 LINE 渠道插件。
+- `openclaw/plugin-sdk/msteams` 用于捆绑的 Microsoft Teams 插件表面。
+- 也提供捆绑扩展专用子路径：
+  `openclaw/plugin-sdk/acpx`、`openclaw/plugin-sdk/bluebubbles`、
+  `openclaw/plugin-sdk/copilot-proxy`、`openclaw/plugin-sdk/device-pair`、
+  `openclaw/plugin-sdk/diagnostics-otel`、`openclaw/plugin-sdk/diffs`、
+  `openclaw/plugin-sdk/feishu`、`openclaw/plugin-sdk/googlechat`、
+  `openclaw/plugin-sdk/irc`、`openclaw/plugin-sdk/llm-task`、
+  `openclaw/plugin-sdk/lobster`、`openclaw/plugin-sdk/matrix`、
+  `openclaw/plugin-sdk/mattermost`、`openclaw/plugin-sdk/memory-core`、
+  `openclaw/plugin-sdk/memory-lancedb`、
+  `openclaw/plugin-sdk/minimax-portal-auth`、
+  `openclaw/plugin-sdk/nextcloud-talk`、`openclaw/plugin-sdk/nostr`、
+  `openclaw/plugin-sdk/open-prose`、`openclaw/plugin-sdk/phone-control`、
+  `openclaw/plugin-sdk/qwen-portal-auth`、`openclaw/plugin-sdk/synology-chat`、
+  `openclaw/plugin-sdk/talk-voice`、`openclaw/plugin-sdk/test-utils`、
+  `openclaw/plugin-sdk/thread-ownership`、`openclaw/plugin-sdk/tlon`、
+  `openclaw/plugin-sdk/twitch`、`openclaw/plugin-sdk/voice-call`、
+  `openclaw/plugin-sdk/zalo` 和 `openclaw/plugin-sdk/zalouser`。
+
+## Provider 目录
+
+Provider 插件可以使用
+`registerProvider({ catalog: { run(...) { ... } } })`
+定义用于推理的模型目录。
+
+`catalog.run(...)` 返回与 OpenClaw 写入
+`models.providers` 相同的结构：
+
+- `{ provider }` 表示一个 provider 条目
+- `{ providers }` 表示多个 provider 条目
+
+当插件拥有 provider 特定的 model id、base URL 默认值或由身份验证控制的模型元数据时，请使用 `catalog`。
+
+`catalog.order` 控制插件目录相对于 OpenClaw 内置隐式 provider 的合并时机：
+
+- `simple`：纯 API 密钥或环境变量驱动的 provider
+- `profile`：当存在 auth profile 时出现的 provider
+- `paired`：会合成多个相关 provider 条目的 provider
+- `late`：最后一轮，在其他隐式 provider 之后
+
+后出现的 provider 会在键冲突时胜出，因此插件可以有意用相同 provider id 覆盖内置 provider 条目。
+
+兼容性：
+
+- `discovery` 仍可作为旧版别名使用
+- 如果同时注册了 `catalog` 和 `discovery`，OpenClaw 会使用 `catalog`
+
+兼容性说明：
+
+- `openclaw/plugin-sdk` 仍支持现有外部插件。
+- 新的和已迁移的捆绑插件应使用渠道或扩展专用子路径；通用表面使用 `core`，只有在确实需要更广泛共享辅助工具时才使用 `compat`。
+
+## 只读渠道检查
+
+如果你的插件注册了一个渠道，建议与 `resolveAccount(...)` 一起实现
+`plugin.config.inspectAccount(cfg, accountId)`。
+
+原因：
+
+- `resolveAccount(...)` 是运行时路径。它可以假定凭据已完全实体化，并在缺少所需 secret 时快速失败。
+- 只读命令路径，例如 `openclaw status`、`openclaw status --all`、
+  `openclaw channels status`、`openclaw channels resolve` 以及 Doctor/配置修复流程，不应仅为了描述配置就必须实体化运行时凭据。
+
+推荐的 `inspectAccount(...)` 行为：
+
+- 仅返回描述性的账户状态。
+- 保留 `enabled` 和 `configured`。
+- 在相关时包含凭据来源/状态字段，例如：
+  - `tokenSource`、`tokenStatus`
+  - `botTokenSource`、`botTokenStatus`
+  - `appTokenSource`、`appTokenStatus`
+  - `signingSecretSource`、`signingSecretStatus`
+- 你无需为了报告只读可用性而返回原始令牌值。返回 `tokenStatus: "available"`（以及匹配的 source 字段）就足够支持状态类命令。
+- 当凭据通过 SecretRef 配置，但在当前命令路径中不可用时，请使用 `configured_unavailable`。
+
+这使得只读命令可以报告“已配置，但在此命令路径中不可用”，而不是崩溃或错误地将账户报告为未配置。
+
+性能说明：
+
+- 插件发现和 manifest 元数据使用短期进程内缓存，以减少突发启动/重载工作。
+- 设置 `OPENCLAW_DISABLE_PLUGIN_DISCOVERY_CACHE=1` 或
+  `OPENCLAW_DISABLE_PLUGIN_MANIFEST_CACHE=1` 可禁用这些缓存。
+- 使用 `OPENCLAW_PLUGIN_DISCOVERY_CACHE_MS` 和
+  `OPENCLAW_PLUGIN_MANIFEST_CACHE_MS` 调整缓存窗口。
+
+## 设备发现 + 传输协议优先级
+
+OpenClaw 按以下顺序扫描：
 
 1. 配置路径
 
@@ -105,15 +587,92 @@ OpenClaw 按顺序扫描：
 - `~/.openclaw/extensions/*.ts`
 - `~/.openclaw/extensions/*/index.ts`
 
-4. 捆绑扩展（随 OpenClaw 一起发布，**默认禁用**）
+4. 捆绑扩展（随 OpenClaw 一起提供；默认开启/关闭混合）
 
 - `<openclaw>/extensions/*`
 
-捆绑插件必须通过 `plugins.entries.<id>.enabled` 或 `openclaw plugins enable <id>` 显式启用。已安装的插件默认启用，但可以用相同方式禁用。
+许多捆绑的 provider 插件默认启用，这样模型目录/运行时 hooks 无需额外设置即可使用。其他插件仍需要通过 `plugins.entries.<id>.enabled` 或
+`openclaw plugins enable <id>` 显式启用。
 
-每个插件必须在其根目录中包含 `openclaw.plugin.json` 文件。如果路径指向文件，则插件根目录是文件的目录，必须包含清单。
+默认开启的捆绑插件示例：
 
-如果多个插件解析到相同的 id，上述顺序中的第一个匹配项获胜，较低优先级的副本被忽略。
+- `byteplus`
+- `cloudflare-ai-gateway`
+- `device-pair`
+- `github-copilot`
+- `huggingface`
+- `kilocode`
+- `kimi-coding`
+- `minimax`
+- `minimax`
+- `modelstudio`
+- `moonshot`
+- `nvidia`
+- `ollama`
+- `openai`
+- `openrouter`
+- `phone-control`
+- `qianfan`
+- `qwen-portal-auth`
+- `sglang`
+- `synthetic`
+- `talk-voice`
+- `together`
+- `venice`
+- `vercel-ai-gateway`
+- `vllm`
+- `volcengine`
+- `xiaomi`
+- 活跃的 memory 插槽插件（默认插槽：`memory-core`）
+
+已安装的插件默认启用，但也可以用同样方式禁用。
+
+工作区插件 **默认禁用**，除非你显式启用它们或将其加入 allowlist。这是有意设计的：已检出的仓库不应悄悄变成生产 gateway 代码。
+
+加固说明：
+
+- 如果 `plugins.allow` 为空且可发现非捆绑插件，OpenClaw 会在启动时记录一条警告，其中包含 plugin id 和来源。
+- 候选路径在被接受进入发现流程前会经过安全检查。当出现以下情况时，OpenClaw 会阻止候选项：
+  - 扩展条目解析到插件根目录之外（包括符号链接/路径遍历逃逸），
+  - 插件根目录/来源路径对所有人可写，
+  - 对于非捆绑插件来说，路径所有权可疑（POSIX owner 既不是当前 uid 也不是 root）。
+- 对于缺少安装/加载路径来源信息的已加载非捆绑插件，会发出警告，以便你固定信任（`plugins.allow`）或安装跟踪（`plugins.installs`）。
+
+每个原生 OpenClaw 插件都必须在其根目录中包含一个 `openclaw.plugin.json` 文件。
+如果某条路径指向一个文件，则插件根目录是该文件所在目录，并且该目录必须包含该 manifest。
+
+兼容的 bundle 可以改为提供以下之一：
+
+- `.codex-plugin/plugin.json`
+- `.claude-plugin/plugin.json`
+
+Bundle 目录会从与原生插件相同的根目录中被发现。
+
+如果多个插件解析为同一个 id，则以上顺序中的第一个匹配项胜出，优先级更低的副本会被忽略。
+
+这意味着：
+
+- 工作区插件会有意覆盖具有相同 id 的捆绑插件
+- `plugins.allow: ["foo"]` 按 id 授权活动的 `foo` 插件，即使活动副本来自工作区而非捆绑扩展根目录
+- 如果你需要更严格的来源控制，请使用显式安装/加载路径，并在启用前检查解析后的插件来源
+
+### 启用规则
+
+启用状态在发现后解析：
+
+- `plugins.enabled: false` 会禁用所有插件
+- `plugins.deny` 总是优先
+- `plugins.entries.<id>.enabled: false` 会禁用该插件
+- 来源于工作区的插件默认禁用
+- 当 `plugins.allow` 非空时，allowlist 会限制活动集合
+- allowlist 是 **基于 id** 的，而不是基于来源
+- 捆绑插件默认禁用，除非：
+  - 捆绑 id 位于内置默认开启集合中，或
+  - 你显式启用了它，或
+  - 渠道配置隐式启用了捆绑渠道插件
+- 独占插槽可强制启用为该插槽选择的插件
+
+在当前核心中，默认开启的捆绑 id 包括上面的本地/provider 辅助工具以及当前活跃的 memory 插槽插件。
 
 ### 包集合
 
@@ -123,18 +682,29 @@ OpenClaw 按顺序扫描：
 {
   "name": "my-pack",
   "openclaw": {
-    "extensions": ["./src/safety.ts", "./src/tools.ts"]
+    "extensions": ["./src/safety.ts", "./src/tools.ts"],
+    "setupEntry": "./src/setup-entry.ts"
   }
 }
 ```
 
-每个条目成为一个插件。如果包列出多个扩展，插件 id 变为 `name/<fileBase>`。
+每个条目都会成为一个插件。如果该集合列出多个扩展，则插件 id 将变为 `name/<fileBase>`。
 
-如果你的插件导入 npm 依赖，请在该目录中安装它们以便 `node_modules` 可用（`npm install` / `pnpm install`）。
+如果你的插件导入 npm 依赖，请在该目录中安装它们，以便 `node_modules` 可用（`npm install` / `pnpm install`）。
+
+安全护栏：每个 `openclaw.extensions` 条目在解析符号链接后都必须保持在插件目录内。逃逸出包目录的条目会被拒绝。
+
+安全说明：`openclaw plugins install` 会使用
+`npm install --ignore-scripts` 安装插件依赖（不会运行生命周期脚本）。
+请保持插件依赖树为“纯 JS/TS”，并避免需要 `postinstall` 构建的包。
+
+可选项：`openclaw.setupEntry` 可以指向一个轻量级、仅用于 setup 的模块。
+当 OpenClaw 需要为一个已禁用的渠道插件提供 setup 表面，或某个渠道插件虽然已启用但仍未配置时，它会加载 `setupEntry`，而不是完整插件入口。
+当你的主插件入口还连接了工具、hooks 或其他仅运行时代码时，这能让启动和 setup 更轻量。
 
 ### 渠道目录元数据
 
-渠道插件可以通过 `openclaw.channel` 广播新手引导元数据，通过 `openclaw.install` 广播安装提示。这使核心目录保持无数据。
+渠道插件可以通过 `openclaw.channel` 公布 setup/discovery 元数据，并通过 `openclaw.install` 公布安装提示。这使核心目录保持无数据化。
 
 示例：
 
@@ -149,7 +719,7 @@ OpenClaw 按顺序扫描：
       "selectionLabel": "Nextcloud Talk (self-hosted)",
       "docsPath": "/channels/nextcloud-talk",
       "docsLabel": "nextcloud-talk",
-      "blurb": "Self-hosted chat via Nextcloud Talk webhook bots.",
+      "blurb": "通过 Nextcloud Talk webhook bot 提供的自托管聊天。",
       "order": 65,
       "aliases": ["nc-talk", "nc"]
     },
@@ -162,22 +732,49 @@ OpenClaw 按顺序扫描：
 }
 ```
 
-OpenClaw 还可以合并**外部渠道目录**（例如，MPM 注册表导出）。将 JSON 文件放在以下位置之一：
+OpenClaw 还可以合并 **外部渠道目录**（例如 MPM registry 导出）。
+将 JSON 文件放到以下任一位置：
 
 - `~/.openclaw/mpm/plugins.json`
 - `~/.openclaw/mpm/catalog.json`
 - `~/.openclaw/plugins/catalog.json`
 
-或将 `OPENCLAW_PLUGIN_CATALOG_PATHS`（或 `OPENCLAW_MPM_CATALOG_PATHS`）指向一个或多个 JSON 文件（逗号/分号/`PATH` 分隔）。每个文件应包含 `{ "entries": [ { "name": "@scope/pkg", "openclaw": { "channel": {...}, "install": {...} } } ] }`。
+或者将 `OPENCLAW_PLUGIN_CATALOG_PATHS`（或 `OPENCLAW_MPM_CATALOG_PATHS`）指向一个或多个 JSON 文件（用逗号/分号/`PATH` 分隔）。
+每个文件应包含
+`{ "entries": [ { "name": "@scope/pkg", "openclaw": { "channel": {...}, "install": {...} } } ] }`。
 
-## 插件 ID
+## Plugin ID
 
-默认插件 id：
+默认 plugin id：
 
-- 包集合：`package.json` 的 `name`
-- 独立文件：文件基本名称（`~/.../voice-call.ts` → `voice-call`）
+- 包集合：`package.json` 中的 `name`
+- 独立文件：文件基础名（`~/.../voice-call.ts` → `voice-call`）
 
-如果插件导出 `id`，OpenClaw 会使用它，但当它与配置的 id 不匹配时会发出警告。
+如果插件导出 `id`，OpenClaw 会使用它，但如果它与配置的 id 不匹配，则会发出警告。
+
+## 注册表模型
+
+已加载的插件不会直接修改任意核心全局对象。它们会注册到一个中央插件注册表中。
+
+该注册表跟踪：
+
+- 插件记录（身份、来源、出处、状态、诊断）
+- 工具
+- 旧版 hooks 和类型化 hooks
+- 渠道
+- providers
+- Gateway RPC 处理器
+- HTTP 路由
+- CLI 注册器
+- 后台服务
+- 插件自有命令
+
+然后，核心功能会从这个注册表中读取，而不是直接与插件模块交互。这样可以保持单向加载：
+
+- 插件模块 -> 注册表注册
+- 核心运行时 -> 注册表消费
+
+这种分离对可维护性非常重要。这意味着大多数核心表面只需要一个集成点：“读取注册表”，而不是“为每个插件模块做特殊处理”。
 
 ## 配置
 
@@ -197,48 +794,75 @@ OpenClaw 还可以合并**外部渠道目录**（例如，MPM 注册表导出）
 
 字段：
 
-- `enabled`：主开关（默认：true）
-- `allow`：允许列表（可选）
-- `deny`：拒绝列表（可选；deny 优先）
+- `enabled`：总开关（默认：true）
+- `allow`：allowlist（可选）
+- `deny`：denylist（可选；deny 优先）
 - `load.paths`：额外的插件文件/目录
-- `entries.<id>`：每个插件的开关 + 配置
+- `slots`：独占插槽选择器，例如 `memory` 和 `contextEngine`
+- `entries.<id>`：每插件开关 + 配置
 
-配置更改**需要重启 Gateway 网关**。
+配置更改 **需要重启 gateway**。
 
 验证规则（严格）：
 
-- `entries`、`allow`、`deny` 或 `slots` 中的未知插件 id 是**错误**。
-- 未知的 `channels.<id>` 键是**错误**，除非插件清单声明了渠道 id。
-- 插件配置使用嵌入在 `openclaw.plugin.json`（`configSchema`）中的 JSON Schema 进行验证。
-- 如果插件被禁用，其配置会保留并发出**警告**。
+- `entries`、`allow`、`deny` 或 `slots` 中出现未知 plugin id 都是 **错误**。
+- 未知的 `channels.<id>` 键都是 **错误**，除非某个插件 manifest 声明了该渠道 id。
+- 原生插件配置使用嵌入在 `openclaw.plugin.json` 中的 JSON Schema（`configSchema`）进行验证。
+- 兼容的 bundle 当前不公开原生 OpenClaw 配置 schema。
+- 如果某个插件被禁用，其配置会被保留，并发出 **警告**。
 
-## 插件槽位（独占类别）
+### 禁用 vs 缺失 vs 无效
 
-某些插件类别是**独占的**（一次只有一个活跃）。使用 `plugins.slots` 选择哪个插件拥有该槽位：
+这些状态有意区分：
+
+- **disabled**：插件存在，但启用规则将其关闭
+- **missing**：配置引用了某个 plugin id，但发现过程没有找到它
+- **invalid**：插件存在，但其配置与声明的 schema 不匹配
+
+OpenClaw 会保留已禁用插件的配置，因此重新启用它们不会造成破坏。
+
+## Plugin 插槽（独占类别）
+
+某些插件类别是 **独占的**（一次只能有一个处于活动状态）。使用
+`plugins.slots` 选择由哪个插件拥有该插槽：
 
 ```json5
 {
   plugins: {
     slots: {
-      memory: "memory-core", // or "none" to disable memory plugins
+      memory: "memory-core", // 或 "none" 以禁用 memory 插件
+      contextEngine: "legacy", // 或某个 plugin id，例如 "lossless-claw"
     },
   },
 }
 ```
 
-如果多个插件声明 `kind: "memory"`，只有选定的那个加载。其他的被禁用并带有诊断信息。
+支持的独占插槽：
 
-## 控制界面（schema + 标签）
+- `memory`：活动 memory 插件（`"none"` 会禁用 memory 插件）
+- `contextEngine`：活动上下文引擎插件（`"legacy"` 是内置默认值）
 
-控制界面使用 `config.schema`（JSON Schema + `uiHints`）来渲染更好的表单。
+如果多个插件声明了 `kind: "memory"` 或 `kind: "context-engine"`，则只有为该插槽选中的插件会加载。其他插件会被禁用并附带诊断信息。
 
-OpenClaw 在运行时根据发现的插件增强 `uiHints`：
+### 上下文引擎插件
+
+上下文引擎插件拥有会话上下文编排能力，包括摄取、组装和压缩。
+通过插件中的 `api.registerContextEngine(id, factory)` 注册它们，然后使用
+`plugins.slots.contextEngine` 选择活动引擎。
+
+当你的插件需要替换或扩展默认上下文流水线，而不是仅添加内存搜索或 hooks 时，请使用此方式。
+
+## Control UI（schema + 标签）
+
+Control UI 使用 `config.schema`（JSON Schema + `uiHints`）来渲染更好的表单。
+
+OpenClaw 会在运行时根据已发现的插件增强 `uiHints`：
 
 - 为 `plugins.entries.<id>` / `.enabled` / `.config` 添加每插件标签
-- 在以下位置合并可选的插件提供的配置字段提示：
+- 合并可选的插件提供配置字段提示，路径为：
   `plugins.entries.<id>.config.<field>`
 
-如果你希望插件配置字段显示良好的标签/占位符（并将密钥标记为敏感），请在插件清单中提供 `uiHints` 和 JSON Schema。
+如果你希望插件配置字段显示更好的标签/占位符（并将 secret 标记为敏感），请在插件 manifest 中连同 JSON Schema 一起提供 `uiHints`。
 
 示例：
 
@@ -265,12 +889,13 @@ OpenClaw 在运行时根据发现的插件增强 `uiHints`：
 ```bash
 openclaw plugins list
 openclaw plugins info <id>
-openclaw plugins install <path>                 # copy a local file/dir into ~/.openclaw/extensions/<id>
-openclaw plugins install ./extensions/voice-call # relative path ok
-openclaw plugins install ./plugin.tgz           # install from a local tarball
-openclaw plugins install ./plugin.zip           # install from a local zip
-openclaw plugins install -l ./extensions/voice-call # link (no copy) for dev
-openclaw plugins install @openclaw/voice-call # install from npm
+openclaw plugins install <path>                 # 将本地文件/目录复制到 ~/.openclaw/extensions/<id>
+openclaw plugins install ./extensions/voice-call # 支持相对路径
+openclaw plugins install ./plugin.tgz           # 从本地 tarball 安装
+openclaw plugins install ./plugin.zip           # 从本地 zip 安装
+openclaw plugins install -l ./extensions/voice-call # link（不复制），用于开发
+openclaw plugins install @openclaw/voice-call # 从 npm 安装
+openclaw plugins install @openclaw/voice-call --pin # 存储精确解析后的 name@version
 openclaw plugins update <id>
 openclaw plugins update --all
 openclaw plugins enable <id>
@@ -278,45 +903,307 @@ openclaw plugins disable <id>
 openclaw plugins doctor
 ```
 
+`openclaw plugins list` 会将顶层格式显示为 `openclaw` 或 `bundle`。
+详细列表/info 输出还会显示 bundle 子类型（`codex` 或 `claude`）以及已检测到的 bundle 能力。
+
 `plugins update` 仅适用于在 `plugins.installs` 下跟踪的 npm 安装。
+如果更新之间存储的完整性元数据发生变化，OpenClaw 会发出警告并要求确认（使用全局 `--yes` 可绕过提示）。
 
-插件也可以注册自己的顶级命令（例如：`openclaw voicecall`）。
+插件也可以注册自己的顶层命令（例如：`openclaw voicecall`）。
 
-## 插件 API（概述）
+## Plugin API（概览）
 
-插件导出以下之一：
+插件导出形式可以是：
 
-- 函数：`(api) => { ... }`
-- 对象：`{ id, name, configSchema, register(api) { ... } }`
+- 一个函数：`(api) => { ... }`
+- 一个对象：`{ id, name, configSchema, register(api) { ... } }`
 
-## 插件钩子
+`register(api)` 是插件挂接行为的地方。常见注册包括：
 
-插件可以附带钩子并在运行时注册它们。这让插件可以捆绑事件驱动的自动化，而无需单独安装钩子包。
+- `registerTool`
+- `registerHook`
+- `on(...)` 用于类型化生命周期 hooks
+- `registerChannel`
+- `registerProvider`
+- `registerHttpRoute`
+- `registerCommand`
+- `registerCli`
+- `registerContextEngine`
+- `registerService`
 
-### 示例
+上下文引擎插件还可以注册一个由运行时拥有的上下文管理器：
 
-```
-import { registerPluginHooksFromDir } from "openclaw/plugin-sdk";
-
-export default function register(api) {
-  registerPluginHooksFromDir(api, "./hooks");
+```ts
+export default function (api) {
+  api.registerContextEngine("lossless-claw", () => ({
+    info: { id: "lossless-claw", name: "Lossless Claw", ownsCompaction: true },
+    async ingest() {
+      return { ingested: true };
+    },
+    async assemble({ messages }) {
+      return { messages, estimatedTokens: 0 };
+    },
+    async compact() {
+      return { ok: true, compacted: false };
+    },
+  }));
 }
 ```
 
-注意事项：
+然后在配置中启用它：
 
-- 钩子目录遵循正常的钩子结构（`HOOK.md` + `handler.ts`）。
-- 钩子资格规则仍然适用（操作系统/二进制文件/环境/配置要求）。
-- 插件管理的钩子在 `openclaw hooks list` 中显示为 `plugin:<id>`。
-- 你不能通过 `openclaw hooks` 启用/禁用插件管理的钩子；而是启用/禁用插件。
+```json5
+{
+  plugins: {
+    slots: {
+      contextEngine: "lossless-claw",
+    },
+  },
+}
+```
 
-## 提供商插件（模型认证）
+## Plugin hooks
 
-插件可以注册**模型提供商认证**流程，以便用户可以在 OpenClaw 内运行 OAuth 或 API 密钥设置（无需外部脚本）。
+插件可以在运行时注册 hooks。这让插件能够打包事件驱动自动化，而无需单独安装 hook pack。
 
-通过 `api.registerProvider(...)` 注册提供商。每个提供商暴露一个或多个认证方法（OAuth、API 密钥、设备码等）。这些方法驱动：
+### 示例
+
+```ts
+export default function register(api) {
+  api.registerHook(
+    "command:new",
+    async () => {
+      // Hook 逻辑写在这里。
+    },
+    {
+      name: "my-plugin.command-new",
+      description: "当 /new 被调用时运行",
+    },
+  );
+}
+```
+
+说明：
+
+- 通过 `api.registerHook(...)` 显式注册 hooks。
+- Hook 资格规则仍然适用（OS/bins/env/config 要求）。
+- 插件管理的 hooks 会在 `openclaw hooks list` 中显示为 `plugin:<id>`。
+- 你不能通过 `openclaw hooks` 启用/禁用插件管理的 hooks；应改为启用/禁用插件本身。
+
+### 智能体生命周期 hooks（`api.on`）
+
+对于类型化运行时生命周期 hooks，请使用 `api.on(...)`：
+
+```ts
+export default function register(api) {
+  api.on(
+    "before_prompt_build",
+    (event, ctx) => {
+      return {
+        prependSystemContext: "Follow company style guide.",
+      };
+    },
+    { priority: 10 },
+  );
+}
+```
+
+用于提示词构建的重要 hooks：
+
+- `before_model_resolve`：在加载会话之前运行（`messages` 不可用）。用它来确定性地覆盖 `modelOverride` 或 `providerOverride`。
+- `before_prompt_build`：在加载会话之后运行（`messages` 可用）。用它来塑造提示词输入。
+- `before_agent_start`：旧版兼容 hook。优先使用上面两个更明确的 hooks。
+
+核心强制执行的 hook 策略：
+
+- 操作员可以通过 `plugins.entries.<id>.hooks.allowPromptInjection: false` 按插件禁用提示词变更 hooks。
+- 禁用后，OpenClaw 会阻止 `before_prompt_build`，并忽略旧版 `before_agent_start` 返回的提示词变更字段，同时保留旧版 `modelOverride` 和 `providerOverride`。
+
+`before_prompt_build` 结果字段：
+
+- `prependContext`：为本次运行在用户提示词前插入文本。最适合按轮次变化或动态内容。
+- `systemPrompt`：完整的系统提示词覆盖。
+- `prependSystemContext`：在当前系统提示词前插入文本。
+- `appendSystemContext`：在当前系统提示词后追加文本。
+
+嵌入式运行时中的提示词构建顺序：
+
+1. 将 `prependContext` 应用到用户提示词。
+2. 如果提供了 `systemPrompt`，则应用其覆盖。
+3. 应用 `prependSystemContext + 当前系统提示词 + appendSystemContext`。
+
+合并与优先级说明：
+
+- Hook 处理器按优先级运行（高者优先）。
+- 对于合并型上下文字段，值会按执行顺序拼接。
+- `before_prompt_build` 的值会在旧版 `before_agent_start` 后备值之前应用。
+
+迁移指导：
+
+- 将静态指导从 `prependContext` 移到 `prependSystemContext`（或 `appendSystemContext`），这样 provider 就可以缓存稳定的系统前缀内容。
+- 将 `prependContext` 保留给每轮动态上下文，这类内容应继续与用户消息绑定。
+
+## Provider 插件（模型身份验证）
+
+插件可以注册 **模型 providers**，从而让用户能够在 OpenClaw 内完成 OAuth 或 API 密钥设置、在新手引导/模型选择器中显示 provider 设置，并参与隐式 provider 发现。
+
+Provider 插件现在是模型 provider 设置的模块化扩展接缝。它们不再只是“OAuth 辅助工具”。
+
+### Provider 插件生命周期
+
+一个 provider 插件可以参与五个不同阶段：
+
+1. **身份验证**
+   `auth[].run(ctx)` 执行 OAuth、API 密钥采集、设备码或自定义设置，并返回 auth profile 以及可选的配置补丁。
+2. **非交互式设置**
+   `auth[].runNonInteractive(ctx)` 处理 `openclaw onboard --non-interactive`，且不进行提示。当 provider 需要超出内置简单 API 密钥路径之外的自定义无头设置时，请使用它。
+3. **向导集成**
+   `wizard.setup` 会向 `openclaw onboard` 添加一个条目。
+   `wizard.modelPicker` 会向模型选择器添加一个 setup 条目。
+4. **隐式发现**
+   `discovery.run(ctx)` 可以在模型解析/列出期间自动贡献 provider 配置。
+5. **选择后跟进**
+   `onModelSelected(ctx)` 会在模型被选中后运行。可用于 provider 特定的后续工作，例如下载本地模型。
+
+这是推荐的拆分方式，因为这些阶段具有不同的生命周期要求：
+
+- auth 是交互式的，并会写入凭据/配置
+- 非交互式设置由 flag/env 驱动，且不能提示
+- 向导元数据是静态且面向 UI 的
+- discovery 应安全、快速且能容忍失败
+- 选择后 hooks 是与所选模型绑定的副作用
+
+### Provider 身份验证契约
+
+`auth[].run(ctx)` 返回：
+
+- `profiles`：要写入的 auth profile
+- `configPatch`：可选的 `openclaw.json` 变更
+- `defaultModel`：可选的 `provider/model` 引用
+- `notes`：可选的面向用户备注
+
+然后核心会：
+
+1. 写入返回的 auth profile
+2. 应用 auth-profile 配置接线
+3. 合并配置补丁
+4. 可选地应用默认模型
+5. 在适当时运行 provider 的 `onModelSelected` hook
+
+这意味着 provider 插件拥有 provider 特定的设置逻辑，而核心拥有通用的持久化和配置合并路径。
+
+### Provider 非交互式契约
+
+`auth[].runNonInteractive(ctx)` 是可选的。当 provider 需要无法通过内置通用 API 密钥流表达的无头设置时，请实现它。
+
+非交互式上下文包括：
+
+- 当前配置和基础配置
+- 解析后的 onboarding CLI 选项
+- 运行时日志/错误辅助工具
+- 智能体/工作区目录，以便 provider 将 auth 持久化到与其余 onboarding 相同的作用域存储中
+- `resolveApiKey(...)`：在遵守 `--secret-input-mode` 的同时，从 flags、环境变量或现有 auth profile 中读取 provider 密钥
+- `toApiKeyCredential(...)`：将解析后的密钥转换为 auth-profile 凭据，并使用正确的明文或 secret-ref 存储方式
+
+适合使用此表面的 provider 包括：
+
+- 需要 `--custom-base-url` + `--custom-model-id` 的自托管 OpenAI 兼容运行时
+- 需要 provider 特定非交互式验证或配置合成的场景
+
+不要从 `runNonInteractive` 中发出提示。对于缺失输入，请改为返回可操作的错误。
+
+### Provider 向导元数据
+
+`wizard.setup` 控制 provider 在分组新手引导中的显示方式：
+
+- `choiceId`：auth-choice 值
+- `choiceLabel`：选项标签
+- `choiceHint`：简短提示
+- `groupId`：分组桶 id
+- `groupLabel`：分组标签
+- `groupHint`：分组提示
+- `methodId`：要运行的身份验证方法
+
+`wizard.modelPicker` 控制 provider 在模型选择中作为“现在设置它”条目的显示方式：
+
+- `label`
+- `hint`
+- `methodId`
+
+当 provider 具有多种身份验证方法时，向导可以显式指向其中一种方法，也可以让 OpenClaw 为每种方法自动生成选择项。
+
+在插件注册时，OpenClaw 会验证 provider 向导元数据：
+
+- 重复或空白的 auth-method id 会被拒绝
+- 当 provider 没有身份验证方法时，向导元数据会被忽略
+- 无效的 `methodId` 绑定会降级为警告，并回退到 provider 剩余的身份验证方法
+
+### Provider discovery 契约
+
+`discovery.run(ctx)` 返回以下之一：
+
+- `{ provider }`
+- `{ providers }`
+- `null`
+
+当插件拥有一个 provider id 时，请使用 `{ provider }` 这一常见情况。
+当插件发现多个 provider 条目时，请使用 `{ providers }`。
+
+Discovery 上下文包括：
+
+- 当前配置
+- 智能体/工作区目录
+- 进程环境变量
+- 一个用于解析 provider API 密钥以及发现安全 API 密钥值的辅助工具
+
+Discovery 应该：
+
+- 快速
+- 尽力而为
+- 在失败时可安全跳过
+- 谨慎处理副作用
+
+它不应依赖提示或长时间运行的设置。
+
+### 发现顺序
+
+Provider discovery 按有序阶段运行：
+
+- `simple`
+- `profile`
+- `paired`
+- `late`
+
+使用建议：
+
+- `simple`：用于廉价的纯环境变量发现
+- `profile`：当发现依赖 auth profile 时使用
+- `paired`：用于需要与另一步发现协作的 provider
+- `late`：用于昂贵或本地网络探测
+
+大多数自托管 provider 应使用 `late`。
+
+### 良好的 provider-plugin 边界
+
+适合做成 provider 插件的情况：
+
+- 具有自定义设置流程的本地/自托管 providers
+- provider 特定的 OAuth/设备码登录
+- 对本地模型服务器的隐式发现
+- 选择后的副作用，例如拉取模型
+
+不太有说服力的情况：
+
+- 仅在 env var、base URL 和一个默认模型上不同的简单 API 密钥型 provider
+
+这些仍然可以做成插件，但最大的模块化收益来自先抽离那些行为丰富的 providers。
+
+通过 `api.registerProvider(...)` 注册 provider。每个 provider 暴露一个或多个身份验证方法（OAuth、API key、device code 等）。这些方法可以驱动：
 
 - `openclaw models auth login --provider <id> [--method <id>]`
+- `openclaw onboard`
+- 模型选择器中的“自定义 provider”设置条目
+- 模型解析/列出期间的隐式 provider 发现
 
 示例：
 
@@ -330,7 +1217,7 @@ api.registerProvider({
       label: "OAuth",
       kind: "oauth",
       run: async (ctx) => {
-        // Run OAuth flow and return auth profiles.
+        // 运行 OAuth 流并返回 auth profile。
         return {
           profiles: [
             {
@@ -349,18 +1236,53 @@ api.registerProvider({
       },
     },
   ],
+  wizard: {
+    setup: {
+      choiceId: "acme",
+      choiceLabel: "AcmeAI",
+      groupId: "acme",
+      groupLabel: "AcmeAI",
+      methodId: "oauth",
+    },
+    modelPicker: {
+      label: "AcmeAI（自定义）",
+      hint: "连接一个自托管 AcmeAI 端点",
+      methodId: "oauth",
+    },
+  },
+  discovery: {
+    order: "late",
+    run: async () => ({
+      provider: {
+        baseUrl: "https://acme.example/v1",
+        api: "openai-completions",
+        apiKey: "${ACME_API_KEY}",
+        models: [],
+      },
+    }),
+  },
 });
 ```
 
-注意事项：
+说明：
 
-- `run` 接收带有 `prompter`、`runtime`、`openUrl` 和 `oauth.createVpsAwareHandlers` 辅助工具的 `ProviderAuthContext`。
-- 当需要添加默认模型或提供商配置时返回 `configPatch`。
-- 返回 `defaultModel` 以便 `--set-default` 可以更新智能体默认值。
+- `run` 会接收一个 `ProviderAuthContext`，其中包含 `prompter`、`runtime`、
+  `openUrl`、`oauth.createVpsAwareHandlers`、`secretInputMode` 和
+  `allowSecretRefPrompt` 辅助工具/状态。新手引导/配置流程可以用它们来遵守 `--secret-input-mode`，或提供 env/file/exec secret-ref 采集，而 `openclaw models auth` 会保持更严格的提示表面。
+- `runNonInteractive` 会接收一个 `ProviderAuthMethodNonInteractiveContext`，
+  其中包含 `opts`、`agentDir`、`resolveApiKey` 和 `toApiKeyCredential` 辅助工具，用于无头 onboarding。
+- 当你需要添加默认模型或 provider 配置时，请返回 `configPatch`。
+- 返回 `defaultModel`，这样 `--set-default` 就能更新智能体默认值。
+- `wizard.setup` 会向 `openclaw onboard` 添加一个 provider 选项。
+- `wizard.modelPicker` 会向模型选择器添加一个“设置此 provider”条目。
+- `discovery.run` 对于插件自有 provider id 返回 `{ provider }`，对于多 provider 发现返回 `{ providers }`。
+- `discovery.order` 控制该 provider 相对于内置发现阶段的运行时机：`simple`、`profile`、`paired` 或 `late`。
+- `onModelSelected` 是选择后的 hook，用于 provider 特定的后续工作，例如拉取本地模型。
 
-### 注册消息渠道
+### 注册一个消息渠道
 
-插件可以注册**渠道插件**，其行为类似于内置渠道（WhatsApp、Telegram 等）。渠道配置位于 `channels.<id>` 下，由你的渠道插件代码验证。
+插件可以注册 **渠道插件**，其行为类似内置渠道
+（WhatsApp、Telegram 等）。渠道配置位于 `channels.<id>` 下，并由你的渠道插件代码进行验证。
 
 ```ts
 const myChannel = {
@@ -370,7 +1292,7 @@ const myChannel = {
     label: "AcmeChat",
     selectionLabel: "AcmeChat (API)",
     docsPath: "/channels/acmechat",
-    blurb: "demo channel plugin.",
+    blurb: "演示渠道插件。",
     aliases: ["acme"],
   },
   capabilities: { chatTypes: ["direct"] },
@@ -392,44 +1314,62 @@ export default function (api) {
 }
 ```
 
-注意事项：
+说明：
 
 - 将配置放在 `channels.<id>` 下（而不是 `plugins.entries`）。
 - `meta.label` 用于 CLI/UI 列表中的标签。
-- `meta.aliases` 添加用于规范化和 CLI 输入的备用 id。
-- `meta.preferOver` 列出当两者都配置时要跳过自动启用的渠道 id。
-- `meta.detailLabel` 和 `meta.systemImage` 让 UI 显示更丰富的渠道标签/图标。
+- `meta.aliases` 会为规范化和 CLI 输入添加备用 id。
+- `meta.preferOver` 列出当两者都已配置时应跳过自动启用的渠道 id。
+- `meta.detailLabel` 和 `meta.systemImage` 让 UI 能显示更丰富的渠道标签/图标。
 
-### 编写新的消息渠道（分步指南）
+### 渠道 setup hooks
 
-当你想要一个**新的聊天界面**（"消息渠道"）而不是模型提供商时使用此方法。
-模型提供商文档位于 `/providers/*` 下。
+推荐的 setup 拆分：
 
-1. 选择 id + 配置结构
+- `plugin.setup` 负责账户 id 规范化、验证和配置写入。
+- `plugin.setupWizard` 让宿主运行通用向导流程，而渠道只提供状态、凭据、私信 allowlist 和渠道访问描述符。
 
-- 所有渠道配置位于 `channels.<id>` 下。
+`plugin.setupWizard` 最适合符合共享模式的渠道：
+
+- 一个由 `plugin.config.listAccountIds` 驱动的账户选择器
+- 在提示前执行可选的预检/准备步骤（例如安装器/引导工作）
+- 为捆绑凭据集提供可选的环境变量快捷提示（例如成对 bot/app token）
+- 一个或多个凭据提示，每一步要么通过 `plugin.setup.applyAccountConfig` 写入，要么通过渠道自有部分补丁写入
+- 可选的非 secret 文本提示（例如 CLI 路径、base URL、账户 id）
+- 可选的由宿主解析的渠道/群组访问 allowlist 提示
+- 可选的私信 allowlist 解析（例如 `@username` -> 数字 id）
+- setup 完成后的可选完成说明
+
+### 编写一个新的消息渠道（分步说明）
+
+当你想要一个 **新的聊天表面**（即“消息渠道”），而不是模型 provider 时，请使用本节。
+模型 provider 文档位于 `/providers/*`。
+
+1. 选择一个 id + 配置结构
+
+- 所有渠道配置都位于 `channels.<id>` 下。
 - 对于多账户设置，优先使用 `channels.<id>.accounts.<accountId>`。
 
 2. 定义渠道元数据
 
 - `meta.label`、`meta.selectionLabel`、`meta.docsPath`、`meta.blurb` 控制 CLI/UI 列表。
-- `meta.docsPath` 应指向像 `/channels/<id>` 这样的文档页面。
-- `meta.preferOver` 让插件替换另一个渠道（自动启用优先选择它）。
-- `meta.detailLabel` 和 `meta.systemImage` 被 UI 用于详细文本/图标。
+- `meta.docsPath` 应指向类似 `/channels/<id>` 的文档页面。
+- `meta.preferOver` 允许一个插件替换另一个渠道（自动启用时优先它）。
+- `meta.detailLabel` 和 `meta.systemImage` 供 UI 用于详情文字/图标。
 
-3. 实现必需的适配器
+3. 实现所需适配器
 
 - `config.listAccountIds` + `config.resolveAccount`
 - `capabilities`（聊天类型、媒体、线程等）
-- `outbound.deliveryMode` + `outbound.sendText`（用于基本发送）
+- `outbound.deliveryMode` + `outbound.sendText`（基础发送）
 
-4. 根据需要添加可选适配器
+4. 视需要添加可选适配器
 
-- `setup`（向导）、`security`（私信策略）、`status`（健康/诊断）
+- `setup`（验证 + 配置写入）、`setupWizard`（宿主拥有的向导）、`security`（私信策略）、`status`（健康/诊断）
 - `gateway`（启动/停止/登录）、`mentions`、`threading`、`streaming`
-- `actions`（消息操作）、`commands`（原生命令行为）
+- `actions`（消息动作）、`commands`（原生命令行为）
 
-5. 在插件中注册渠道
+5. 在你的插件中注册该渠道
 
 - `api.registerChannel({ plugin })`
 
@@ -457,7 +1397,7 @@ const plugin = {
     label: "AcmeChat",
     selectionLabel: "AcmeChat (API)",
     docsPath: "/channels/acmechat",
-    blurb: "AcmeChat messaging channel.",
+    blurb: "AcmeChat 消息渠道。",
     aliases: ["acme"],
   },
   capabilities: { chatTypes: ["direct"] },
@@ -471,7 +1411,7 @@ const plugin = {
   outbound: {
     deliveryMode: "direct",
     sendText: async ({ text }) => {
-      // deliver `text` to your channel here
+      // 在这里将 `text` 发送到你的渠道
       return { ok: true };
     },
   },
@@ -482,13 +1422,14 @@ export default function (api) {
 }
 ```
 
-加载插件（扩展目录或 `plugins.load.paths`），重启 Gateway 网关，然后在配置中配置 `channels.<id>`。
+加载插件（扩展目录或 `plugins.load.paths`），重启 gateway，
+然后在配置中设置 `channels.<id>`。
 
 ### 智能体工具
 
-参见专门指南：[插件智能体工具](/plugins/agent-tools)。
+请参阅专门指南：[Plugin agent tools](/plugins/agent-tools)。
 
-### 注册 Gateway 网关 RPC 方法
+### 注册一个 Gateway RPC 方法
 
 ```ts
 export default function (api) {
@@ -515,61 +1456,63 @@ export default function (api) {
 
 ### 注册自动回复命令
 
-插件可以注册自定义斜杠命令，**无需调用 AI 智能体**即可执行。这对于切换命令、状态检查或不需要 LLM 处理的快速操作很有用。
+插件可以注册自定义 slash 命令，这些命令 **无需调用 AI 智能体** 即可执行。
+这对开关命令、状态检查或不需要 LLM 处理的快捷操作非常有用。
 
 ```ts
 export default function (api) {
   api.registerCommand({
     name: "mystatus",
-    description: "Show plugin status",
+    description: "显示插件状态",
     handler: (ctx) => ({
-      text: `Plugin is running! Channel: ${ctx.channel}`,
+      text: `插件正在运行！渠道：${ctx.channel}`,
     }),
   });
 }
 ```
 
-命令处理程序上下文：
+命令处理器上下文：
 
-- `senderId`：发送者的 ID（如可用）
+- `senderId`：发送者的 ID（如果可用）
 - `channel`：发送命令的渠道
-- `isAuthorizedSender`：发送者是否是授权用户
-- `args`：命令后传递的参数（如果 `acceptsArgs: true`）
-- `commandBody`：完整的命令文本
+- `isAuthorizedSender`：发送者是否为已授权用户
+- `args`：命令后的参数（如果 `acceptsArgs: true`）
+- `commandBody`：完整命令文本
 - `config`：当前 OpenClaw 配置
 
 命令选项：
 
-- `name`：命令名称（不带前导 `/`）
-- `description`：命令列表中显示的帮助文本
-- `acceptsArgs`：命令是否接受参数（默认：false）。如果为 false 且提供了参数，命令不会匹配，消息会传递给其他处理程序
-- `requireAuth`：是否需要授权发送者（默认：true）
-- `handler`：返回 `{ text: string }` 的函数（可以是异步的）
+- `name`：命令名（不含前导 `/`）
+- `nativeNames`：可选的原生命令别名，用于 slash/menu 表面。对所有原生 provider 使用 `default`，或使用如 `discord` 这样的 provider 特定键
+- `description`：在命令列表中显示的帮助文本
+- `acceptsArgs`：命令是否接受参数（默认：false）。如果为 false 且提供了参数，则命令不会匹配，消息会继续传递给其他处理器
+- `requireAuth`：是否要求发送者已授权（默认：true）
+- `handler`：返回 `{ text: string }` 的函数（可以是异步）
 
 带授权和参数的示例：
 
 ```ts
 api.registerCommand({
   name: "setmode",
-  description: "Set plugin mode",
+  description: "设置插件模式",
   acceptsArgs: true,
   requireAuth: true,
   handler: async (ctx) => {
     const mode = ctx.args?.trim() || "default";
     await saveMode(mode);
-    return { text: `Mode set to: ${mode}` };
+    return { text: `模式已设置为：${mode}` };
   },
 });
 ```
 
-注意事项：
+说明：
 
-- 插件命令在内置命令和 AI 智能体**之前**处理
-- 命令全局注册，适用于所有渠道
-- 命令名称不区分大小写（`/MyStatus` 匹配 `/mystatus`）
-- 命令名称必须以字母开头，只能包含字母、数字、连字符和下划线
-- 保留的命令名称（如 `help`、`status`、`reset` 等）不能被插件覆盖
-- 跨插件的重复命令注册将失败并显示诊断错误
+- 插件命令会在内置命令和 AI 智能体 **之前** 处理
+- 命令是全局注册的，适用于所有渠道
+- 命令名不区分大小写（`/MyStatus` 可匹配 `/mystatus`）
+- 命令名必须以字母开头，并且只能包含字母、数字、连字符和下划线
+- 保留命令名（如 `help`、`status`、`reset` 等）不能被插件覆盖
+- 插件间重复注册命令会因诊断错误而失败
 
 ### 注册后台服务
 
@@ -585,54 +1528,56 @@ export default function (api) {
 
 ## 命名约定
 
-- Gateway 网关方法：`pluginId.action`（例如：`voicecall.status`）
+- Gateway 方法：`pluginId.action`（例如：`voicecall.status`）
 - 工具：`snake_case`（例如：`voice_call`）
 - CLI 命令：kebab 或 camel，但避免与核心命令冲突
 
 ## Skills
 
-插件可以在仓库中附带 Skills（`skills/<name>/SKILL.md`）。
-使用 `plugins.entries.<id>.enabled`（或其他配置门控）启用它，并确保它存在于你的工作区/托管 Skills 位置。
+插件可以在仓库中附带一个 skill（`skills/<name>/SKILL.md`）。
+通过 `plugins.entries.<id>.enabled`（或其他配置门控）启用它，并确保它存在于你的工作区/托管 skills 位置中。
 
 ## 分发（npm）
 
-推荐的打包方式：
+推荐打包方式：
 
 - 主包：`openclaw`（本仓库）
-- 插件：`@openclaw/*` 下的独立 npm 包（例如：`@openclaw/voice-call`）
+- 插件：位于 `@openclaw/*` 下的独立 npm 包（例如：`@openclaw/voice-call`）
 
 发布契约：
 
-- 插件 `package.json` 必须包含带有一个或多个入口文件的 `openclaw.extensions`。
-- 入口文件可以是 `.js` 或 `.ts`（jiti 在运行时加载 TS）。
-- `openclaw plugins install <npm-spec>` 使用 `npm pack`，提取到 `~/.openclaw/extensions/<id>/`，并在配置中启用它。
-- 配置键稳定性：作用域包被规范化为 `plugins.entries.*` 的**无作用域** id。
+- 插件 `package.json` 必须包含 `openclaw.extensions`，并指向一个或多个入口文件。
+- 可选：`openclaw.setupEntry` 可指向一个轻量级的仅 setup 入口，用于已禁用或尚未配置完成的渠道 setup。
+- 入口文件可以是 `.js` 或 `.ts`（jiti 会在运行时加载 TS）。
+- `openclaw plugins install <npm-spec>` 会使用 `npm pack`，提取到 `~/.openclaw/extensions/<id>/`，并在配置中启用它。
+- 配置键稳定性：带 scope 的包会被规范化为 **无 scope** 的 id，用于 `plugins.entries.*`。
 
 ## 示例插件：Voice Call
 
-本仓库包含一个语音通话插件（Twilio 或 log 回退）：
+本仓库包含一个 voice-call 插件（Twilio 或日志回退）：
 
 - 源码：`extensions/voice-call`
-- Skills：`skills/voice-call`
+- Skill：`skills/voice-call`
 - CLI：`openclaw voicecall start|status`
 - 工具：`voice_call`
 - RPC：`voicecall.start`、`voicecall.status`
 - 配置（twilio）：`provider: "twilio"` + `twilio.accountSid/authToken/from`（可选 `statusCallbackUrl`、`twimlUrl`）
-- 配置（dev）：`provider: "log"`（无网络）
+- 配置（开发）：`provider: "log"`（无网络）
 
-参见 [Voice Call](/plugins/voice-call) 和 `extensions/voice-call/README.md` 了解设置和用法。
+有关设置和用法，请参阅 [Voice Call](/plugins/voice-call) 和 `extensions/voice-call/README.md`。
 
-## 安全注意事项
+## 安全说明
 
-插件与 Gateway 网关在同一进程中运行。将它们视为受信任的代码：
+插件与 Gateway 网关在同一进程内运行。请将它们视为受信任代码：
 
 - 只安装你信任的插件。
-- 优先使用 `plugins.allow` 允许列表。
-- 更改后重启 Gateway 网关。
+- 优先使用 `plugins.allow` allowlist。
+- 请记住，`plugins.allow` 是基于 id 的，因此已启用的工作区插件可以有意覆盖具有相同 id 的捆绑插件。
+- 更改后请重启 Gateway 网关。
 
 ## 测试插件
 
 插件可以（也应该）附带测试：
 
-- 仓库内插件可以在 `src/**` 下保留 Vitest 测试（例如：`src/plugins/voice-call.plugin.test.ts`）。
-- 单独发布的插件应运行自己的 CI（lint/构建/测试）并验证 `openclaw.extensions` 指向构建的入口点（`dist/index.js`）。
+- 仓库内插件可以将 Vitest 测试放在 `src/**` 下（例如：`src/plugins/voice-call.plugin.test.ts`）。
+- 单独发布的插件应运行自己的 CI（lint/build/test），并验证 `openclaw.extensions` 指向构建后的入口点（`dist/index.js`）。

From c59e2dde47248f17baa9b87b1ae684d71b04e865 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Mon, 16 Mar 2026 00:04:33 -0700
Subject: [PATCH 074/133] Tests: tighten provider wizard contracts

---
 src/plugins/contracts/suites.ts | 49 ++++++++++++++++++++++++++++++++-
 1 file changed, 48 insertions(+), 1 deletion(-)

diff --git a/src/plugins/contracts/suites.ts b/src/plugins/contracts/suites.ts
index 9bc0d8ff8f6..25798dd8439 100644
--- a/src/plugins/contracts/suites.ts
+++ b/src/plugins/contracts/suites.ts
@@ -5,6 +5,8 @@ import type { ProviderPlugin, WebSearchProviderPlugin } from "../types.js";
 export function installProviderPluginContractSuite(params: { provider: ProviderPlugin }) {
   it("satisfies the base provider plugin contract", () => {
     const { provider } = params;
+    const authIds = provider.auth.map((method) => method.id);
+    const wizardChoiceIds = new Set<string>();
 
     expect(provider.id).toMatch(/^[a-z0-9][a-z0-9-]*$/);
     expect(provider.label.trim()).not.toBe("");
@@ -21,7 +23,6 @@ export function installProviderPluginContractSuite(params: { provider: ProviderP
     }
 
     expect(Array.isArray(provider.auth)).toBe(true);
-    const authIds = provider.auth.map((method) => method.id);
     expect(authIds).toEqual([...new Set(authIds)]);
     for (const method of provider.auth) {
       expect(method.id.trim()).not.toBe("");
@@ -29,8 +30,54 @@ export function installProviderPluginContractSuite(params: { provider: ProviderP
       if (method.hint !== undefined) {
         expect(method.hint.trim()).not.toBe("");
       }
+      if (method.wizard) {
+        if (method.wizard.choiceId) {
+          expect(method.wizard.choiceId.trim()).not.toBe("");
+          expect(wizardChoiceIds.has(method.wizard.choiceId)).toBe(false);
+          wizardChoiceIds.add(method.wizard.choiceId);
+        }
+        if (method.wizard.methodId) {
+          expect(authIds).toContain(method.wizard.methodId);
+        }
+        if (method.wizard.modelAllowlist?.allowedKeys) {
+          expect(method.wizard.modelAllowlist.allowedKeys).toEqual([
+            ...new Set(method.wizard.modelAllowlist.allowedKeys),
+          ]);
+        }
+        if (method.wizard.modelAllowlist?.initialSelections) {
+          expect(method.wizard.modelAllowlist.initialSelections).toEqual([
+            ...new Set(method.wizard.modelAllowlist.initialSelections),
+          ]);
+        }
+      }
       expect(typeof method.run).toBe("function");
     }
+
+    if (provider.wizard?.setup || provider.wizard?.modelPicker) {
+      expect(provider.auth.length).toBeGreaterThan(0);
+    }
+    if (provider.wizard?.setup) {
+      if (provider.wizard.setup.choiceId) {
+        expect(provider.wizard.setup.choiceId.trim()).not.toBe("");
+        expect(wizardChoiceIds.has(provider.wizard.setup.choiceId)).toBe(false);
+      }
+      if (provider.wizard.setup.methodId) {
+        expect(authIds).toContain(provider.wizard.setup.methodId);
+      }
+      if (provider.wizard.setup.modelAllowlist?.allowedKeys) {
+        expect(provider.wizard.setup.modelAllowlist.allowedKeys).toEqual([
+          ...new Set(provider.wizard.setup.modelAllowlist.allowedKeys),
+        ]);
+      }
+      if (provider.wizard.setup.modelAllowlist?.initialSelections) {
+        expect(provider.wizard.setup.modelAllowlist.initialSelections).toEqual([
+          ...new Set(provider.wizard.setup.modelAllowlist.initialSelections),
+        ]);
+      }
+    }
+    if (provider.wizard?.modelPicker?.methodId) {
+      expect(authIds).toContain(provider.wizard.modelPicker.methodId);
+    }
   });
 }
 

From 5ca26bcae0d5d2035ef8d1f1ca017a9155149919 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Mon, 16 Mar 2026 00:04:47 -0700
Subject: [PATCH 075/133] Tests: add plugin loader contract suite

---
 src/plugins/contracts/loader.contract.test.ts | 114 ++++++++++++++++++
 1 file changed, 114 insertions(+)
 create mode 100644 src/plugins/contracts/loader.contract.test.ts

diff --git a/src/plugins/contracts/loader.contract.test.ts b/src/plugins/contracts/loader.contract.test.ts
new file mode 100644
index 00000000000..a1f82f56fda
--- /dev/null
+++ b/src/plugins/contracts/loader.contract.test.ts
@@ -0,0 +1,114 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import { providerContractRegistry, webSearchProviderContractRegistry } from "./registry.js";
+
+const loadOpenClawPluginsMock = vi.fn();
+
+vi.mock("../loader.js", () => ({
+  loadOpenClawPlugins: (...args: unknown[]) => loadOpenClawPluginsMock(...args),
+}));
+
+const { resolvePluginProviders } = await import("../providers.js");
+const { resolvePluginWebSearchProviders } = await import("../web-search-providers.js");
+
+function uniqueSortedPluginIds(values: string[]) {
+  return [...new Set(values)].toSorted((left, right) => left.localeCompare(right));
+}
+
+describe("plugin loader contract", () => {
+  beforeEach(() => {
+    loadOpenClawPluginsMock.mockReset();
+    loadOpenClawPluginsMock.mockReturnValue({
+      providers: [],
+      webSearchProviders: [],
+    });
+  });
+
+  it("keeps bundled provider compatibility wired to the provider registry", () => {
+    const providerPluginIds = uniqueSortedPluginIds(
+      providerContractRegistry.map((entry) => entry.pluginId),
+    );
+
+    resolvePluginProviders({
+      bundledProviderAllowlistCompat: true,
+      config: {
+        plugins: {
+          allow: ["openrouter"],
+        },
+      },
+    });
+
+    expect(loadOpenClawPluginsMock).toHaveBeenCalledWith(
+      expect.objectContaining({
+        config: expect.objectContaining({
+          plugins: expect.objectContaining({
+            allow: expect.arrayContaining(providerPluginIds),
+          }),
+        }),
+      }),
+    );
+  });
+
+  it("keeps vitest bundled provider enablement wired to the provider registry", () => {
+    const providerPluginIds = uniqueSortedPluginIds(
+      providerContractRegistry.map((entry) => entry.pluginId),
+    );
+
+    resolvePluginProviders({
+      bundledProviderVitestCompat: true,
+      env: { VITEST: "1" } as NodeJS.ProcessEnv,
+    });
+
+    expect(loadOpenClawPluginsMock).toHaveBeenCalledWith(
+      expect.objectContaining({
+        config: expect.objectContaining({
+          plugins: expect.objectContaining({
+            enabled: true,
+            allow: expect.arrayContaining(providerPluginIds),
+          }),
+        }),
+      }),
+    );
+  });
+
+  it("keeps bundled web search loading scoped to the web search registry", () => {
+    const webSearchPluginIds = uniqueSortedPluginIds(
+      webSearchProviderContractRegistry.map((entry) => entry.pluginId),
+    );
+
+    resolvePluginWebSearchProviders({});
+
+    expect(loadOpenClawPluginsMock).toHaveBeenCalledWith(
+      expect.objectContaining({
+        onlyPluginIds: webSearchPluginIds,
+        activate: false,
+        cache: false,
+      }),
+    );
+  });
+
+  it("keeps bundled web search allowlist compatibility wired to the web search registry", () => {
+    const webSearchPluginIds = uniqueSortedPluginIds(
+      webSearchProviderContractRegistry.map((entry) => entry.pluginId),
+    );
+
+    resolvePluginWebSearchProviders({
+      bundledAllowlistCompat: true,
+      config: {
+        plugins: {
+          allow: ["openrouter"],
+        },
+      },
+    });
+
+    expect(loadOpenClawPluginsMock).toHaveBeenCalledWith(
+      expect.objectContaining({
+        config: expect.objectContaining({
+          plugins: expect.objectContaining({
+            allow: expect.arrayContaining(webSearchPluginIds),
+          }),
+        }),
+        onlyPluginIds: webSearchPluginIds,
+      }),
+    );
+  });
+});

From 85b7bc7edf2884c0b1d3866adfd9218c1001a7f1 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Mar 2026 00:09:28 -0700
Subject: [PATCH 076/133] refactor: remove dock shim and move session routing
 into plugins

---
 extensions/discord/src/channel.ts           | 102 ++++
 extensions/discord/src/draft-chunking.ts    |   5 +-
 extensions/discord/src/outbound-adapter.ts  |   4 +-
 extensions/googlechat/index.ts              |   4 +-
 extensions/googlechat/setup-entry.ts        |   3 +-
 extensions/googlechat/src/channel.ts        |  28 -
 extensions/imessage/src/channel.ts          |  80 +++
 extensions/signal/src/channel.ts            |  90 +++
 extensions/slack/src/channel.ts             | 161 +++++
 extensions/telegram/src/channel.ts          |  88 +++
 extensions/telegram/src/draft-chunking.ts   |   5 +-
 extensions/telegram/src/outbound-adapter.ts |   4 +-
 extensions/zalo/index.ts                    |   4 +-
 extensions/zalo/src/channel.ts              |  23 -
 extensions/zalouser/index.ts                |   4 +-
 extensions/zalouser/src/channel.ts          |  28 +-
 src/channels/dock.test.ts                   | 194 ------
 src/channels/dock.ts                        | 636 --------------------
 src/channels/plugins/contracts/suites.ts    |   8 +-
 src/channels/plugins/index.ts               |   4 +-
 src/infra/outbound/outbound-session.test.ts |   7 +-
 src/infra/outbound/outbound-session.ts      | 387 ------------
 src/infra/outbound/outbound.test.ts         |   9 +
 src/plugin-sdk/googlechat.ts                |   1 -
 src/plugin-sdk/index.ts                     |   2 +-
 src/plugin-sdk/zalo.ts                      |   1 -
 src/plugin-sdk/zalouser.ts                  |   1 -
 src/plugins/loader.ts                       |   9 +-
 src/plugins/registry.ts                     |   3 -
 src/plugins/types.ts                        |   2 -
 30 files changed, 565 insertions(+), 1332 deletions(-)
 delete mode 100644 src/channels/dock.test.ts
 delete mode 100644 src/channels/dock.ts

diff --git a/extensions/discord/src/channel.ts b/extensions/discord/src/channel.ts
index 3c0da68a06a..f83be6bbe41 100644
--- a/extensions/discord/src/channel.ts
+++ b/extensions/discord/src/channel.ts
@@ -1,4 +1,9 @@
 import { Separator, TextDisplay } from "@buape/carbon";
+import {
+  buildAgentSessionKey,
+  resolveThreadSessionKeys,
+  type RoutePeer,
+} from "openclaw/plugin-sdk";
 import { createScopedChannelConfigBase } from "openclaw/plugin-sdk/compat";
 import {
   buildAccountScopedAllowlistConfigEditor,
@@ -196,6 +201,102 @@ function parseDiscordExplicitTarget(raw: string) {
   }
 }
 
+function normalizeOutboundThreadId(value?: string | number | null): string | undefined {
+  if (value == null) {
+    return undefined;
+  }
+  if (typeof value === "number") {
+    if (!Number.isFinite(value)) {
+      return undefined;
+    }
+    return String(Math.trunc(value));
+  }
+  const trimmed = value.trim();
+  return trimmed ? trimmed : undefined;
+}
+
+function buildDiscordBaseSessionKey(params: {
+  cfg: OpenClawConfig;
+  agentId: string;
+  accountId?: string | null;
+  peer: RoutePeer;
+}) {
+  return buildAgentSessionKey({
+    agentId: params.agentId,
+    channel: "discord",
+    accountId: params.accountId,
+    peer: params.peer,
+    dmScope: params.cfg.session?.dmScope ?? "main",
+    identityLinks: params.cfg.session?.identityLinks,
+  });
+}
+
+function resolveDiscordOutboundTargetKindHint(params: {
+  target: string;
+  resolvedTarget?: { kind: string };
+}): "user" | "channel" | undefined {
+  const resolvedKind = params.resolvedTarget?.kind;
+  if (resolvedKind === "user") {
+    return "user";
+  }
+  if (resolvedKind === "group" || resolvedKind === "channel") {
+    return "channel";
+  }
+
+  const target = params.target.trim();
+  if (/^channel:/i.test(target)) {
+    return "channel";
+  }
+  if (/^(user:|discord:|@|<@!?)/i.test(target)) {
+    return "user";
+  }
+  return undefined;
+}
+
+function resolveDiscordOutboundSessionRoute(params: {
+  cfg: OpenClawConfig;
+  agentId: string;
+  accountId?: string | null;
+  target: string;
+  resolvedTarget?: { kind: string };
+  replyToId?: string | null;
+  threadId?: string | number | null;
+}) {
+  const parsed = parseDiscordTarget(params.target, {
+    defaultKind: resolveDiscordOutboundTargetKindHint(params),
+  });
+  if (!parsed) {
+    return null;
+  }
+  const isDm = parsed.kind === "user";
+  const peer: RoutePeer = {
+    kind: isDm ? "direct" : "channel",
+    id: parsed.id,
+  };
+  const baseSessionKey = buildDiscordBaseSessionKey({
+    cfg: params.cfg,
+    agentId: params.agentId,
+    accountId: params.accountId,
+    peer,
+  });
+  const explicitThreadId = normalizeOutboundThreadId(params.threadId);
+  const threadCandidate = explicitThreadId ?? normalizeOutboundThreadId(params.replyToId);
+  const threadKeys = resolveThreadSessionKeys({
+    baseSessionKey,
+    threadId: threadCandidate,
+    useSuffix: false,
+  });
+  return {
+    sessionKey: threadKeys.sessionKey,
+    baseSessionKey,
+    peer,
+    chatType: isDm ? ("direct" as const) : ("channel" as const),
+    from: isDm ? `discord:${parsed.id}` : `discord:channel:${parsed.id}`,
+    to: isDm ? `user:${parsed.id}` : `channel:${parsed.id}`,
+    threadId: explicitThreadId ?? undefined,
+  };
+}
+
 const discordConfigAccessors = createScopedAccountConfigAccessors({
   resolveAccount: ({ cfg, accountId }) => resolveDiscordAccount({ cfg, accountId }),
   resolveAllowFrom: (account: ResolvedDiscordAccount) => account.config.dm?.allowFrom,
@@ -341,6 +442,7 @@ export const discordPlugin: ChannelPlugin<ResolvedDiscordAccount> = {
     parseExplicitTarget: ({ raw }) => parseDiscordExplicitTarget(raw),
     inferTargetChatType: ({ to }) => parseDiscordExplicitTarget(to)?.chatType,
     buildCrossContextComponents: buildDiscordCrossContextComponents,
+    resolveOutboundSessionRoute: (params) => resolveDiscordOutboundSessionRoute(params),
     targetResolver: {
       looksLikeId: looksLikeDiscordTargetId,
       hint: "<channelId|user:ID|channel:ID>",
diff --git a/extensions/discord/src/draft-chunking.ts b/extensions/discord/src/draft-chunking.ts
index ce4048379d1..1d56841577a 100644
--- a/extensions/discord/src/draft-chunking.ts
+++ b/extensions/discord/src/draft-chunking.ts
@@ -1,8 +1,8 @@
 import { resolveTextChunkLimit } from "../../../src/auto-reply/chunk.js";
-import { getChannelDock } from "../../../src/channels/dock.js";
 import type { OpenClawConfig } from "../../../src/config/config.js";
 import { resolveAccountEntry } from "../../../src/routing/account-lookup.js";
 import { normalizeAccountId } from "../../../src/routing/session-key.js";
+import { DISCORD_TEXT_CHUNK_LIMIT } from "./outbound-adapter.js";
 
 const DEFAULT_DISCORD_DRAFT_STREAM_MIN = 200;
 const DEFAULT_DISCORD_DRAFT_STREAM_MAX = 800;
@@ -15,9 +15,8 @@ export function resolveDiscordDraftStreamingChunking(
   maxChars: number;
   breakPreference: "paragraph" | "newline" | "sentence";
 } {
-  const providerChunkLimit = getChannelDock("discord")?.outbound?.textChunkLimit;
   const textLimit = resolveTextChunkLimit(cfg, "discord", accountId, {
-    fallbackLimit: providerChunkLimit,
+    fallbackLimit: DISCORD_TEXT_CHUNK_LIMIT,
   });
   const normalizedAccountId = normalizeAccountId(accountId);
   const accountCfg = resolveAccountEntry(cfg?.channels?.discord?.accounts, normalizedAccountId);
diff --git a/extensions/discord/src/outbound-adapter.ts b/extensions/discord/src/outbound-adapter.ts
index 1c6e0111869..bc2f5f8c2d1 100644
--- a/extensions/discord/src/outbound-adapter.ts
+++ b/extensions/discord/src/outbound-adapter.ts
@@ -18,6 +18,8 @@ import {
 } from "./send.js";
 import { buildDiscordInteractiveComponents } from "./shared-interactive.js";
 
+export const DISCORD_TEXT_CHUNK_LIMIT = 2000;
+
 function resolveDiscordOutboundTarget(params: {
   to: string;
   threadId?: string | number | null;
@@ -86,7 +88,7 @@ async function maybeSendDiscordWebhookText(params: {
 export const discordOutbound: ChannelOutboundAdapter = {
   deliveryMode: "direct",
   chunker: null,
-  textChunkLimit: 2000,
+  textChunkLimit: DISCORD_TEXT_CHUNK_LIMIT,
   pollMaxOptions: 10,
   resolveTarget: ({ to }) => normalizeDiscordOutboundTarget(to),
   sendPayload: async (ctx) => {
diff --git a/extensions/googlechat/index.ts b/extensions/googlechat/index.ts
index e218a15c8de..892694f93b4 100644
--- a/extensions/googlechat/index.ts
+++ b/extensions/googlechat/index.ts
@@ -1,6 +1,6 @@
 import type { OpenClawPluginApi } from "openclaw/plugin-sdk/googlechat";
 import { emptyPluginConfigSchema } from "openclaw/plugin-sdk/googlechat";
-import { googlechatDock, googlechatPlugin } from "./src/channel.js";
+import { googlechatPlugin } from "./src/channel.js";
 import { setGoogleChatRuntime } from "./src/runtime.js";
 
 const plugin = {
@@ -10,7 +10,7 @@ const plugin = {
   configSchema: emptyPluginConfigSchema(),
   register(api: OpenClawPluginApi) {
     setGoogleChatRuntime(api.runtime);
-    api.registerChannel({ plugin: googlechatPlugin, dock: googlechatDock });
+    api.registerChannel(googlechatPlugin);
   },
 };
 
diff --git a/extensions/googlechat/setup-entry.ts b/extensions/googlechat/setup-entry.ts
index 7d80304ccf3..be33127799f 100644
--- a/extensions/googlechat/setup-entry.ts
+++ b/extensions/googlechat/setup-entry.ts
@@ -1,6 +1,5 @@
-import { googlechatDock, googlechatPlugin } from "./src/channel.js";
+import { googlechatPlugin } from "./src/channel.js";
 
 export default {
   plugin: googlechatPlugin,
-  dock: googlechatDock,
 };
diff --git a/extensions/googlechat/src/channel.ts b/extensions/googlechat/src/channel.ts
index 5d2c9d86748..bd06b33f8df 100644
--- a/extensions/googlechat/src/channel.ts
+++ b/extensions/googlechat/src/channel.ts
@@ -19,7 +19,6 @@ import {
   resolveChannelMediaMaxBytes,
   resolveGoogleChatGroupRequireMention,
   runPassiveAccountLifecycle,
-  type ChannelDock,
   type ChannelMessageActionAdapter,
   type ChannelPlugin,
   type ChannelStatusIssue,
@@ -94,33 +93,6 @@ const resolveGoogleChatDmPolicy = createScopedDmSecurityResolver<ResolvedGoogleC
   normalizeEntry: (raw) => formatAllowFromEntry(raw),
 });
 
-export const googlechatDock: ChannelDock = {
-  id: "googlechat",
-  capabilities: {
-    chatTypes: ["direct", "group", "thread"],
-    reactions: true,
-    media: true,
-    threads: true,
-    blockStreaming: true,
-  },
-  outbound: { textChunkLimit: 4000 },
-  config: googleChatConfigAccessors,
-  groups: {
-    resolveRequireMention: resolveGoogleChatGroupRequireMention,
-  },
-  threading: {
-    resolveReplyToMode: ({ cfg }) => cfg.channels?.["googlechat"]?.replyToMode ?? "off",
-    buildToolContext: ({ context, hasRepliedRef }) => {
-      const threadId = context.MessageThreadId ?? context.ReplyToId;
-      return {
-        currentChannelId: context.To?.trim() || undefined,
-        currentThreadTs: threadId != null ? String(threadId) : undefined,
-        hasRepliedRef,
-      };
-    },
-  },
-};
-
 const googlechatActions: ChannelMessageActionAdapter = {
   listActions: (ctx) => googlechatMessageActions.listActions?.(ctx) ?? [],
   extractToolSend: (ctx) => googlechatMessageActions.extractToolSend?.(ctx) ?? null,
diff --git a/extensions/imessage/src/channel.ts b/extensions/imessage/src/channel.ts
index 295f16970ad..a4767706757 100644
--- a/extensions/imessage/src/channel.ts
+++ b/extensions/imessage/src/channel.ts
@@ -1,3 +1,4 @@
+import { buildAgentSessionKey, type RoutePeer } from "openclaw/plugin-sdk";
 import {
   buildAccountScopedAllowlistConfigEditor,
   buildAccountScopedDmSecurityPolicy,
@@ -30,6 +31,7 @@ import { resolveOutboundSendDep } from "../../../src/infra/outbound/send-deps.js
 import { buildPassiveProbedChannelStatusSummary } from "../../shared/channel-status-summary.js";
 import { getIMessageRuntime } from "./runtime.js";
 import { createIMessageSetupWizardProxy, imessageSetupAdapter } from "./setup-core.js";
+import { normalizeIMessageHandle, parseIMessageTarget } from "./targets.js";
 
 const meta = getChatChannelMeta("imessage");
 
@@ -75,6 +77,83 @@ async function sendIMessageOutbound(params: {
   });
 }
 
+function buildIMessageBaseSessionKey(params: {
+  cfg: Parameters<typeof resolveIMessageAccount>[0]["cfg"];
+  agentId: string;
+  accountId?: string | null;
+  peer: RoutePeer;
+}) {
+  return buildAgentSessionKey({
+    agentId: params.agentId,
+    channel: "imessage",
+    accountId: params.accountId,
+    peer: params.peer,
+    dmScope: params.cfg.session?.dmScope ?? "main",
+    identityLinks: params.cfg.session?.identityLinks,
+  });
+}
+
+function resolveIMessageOutboundSessionRoute(params: {
+  cfg: Parameters<typeof resolveIMessageAccount>[0]["cfg"];
+  agentId: string;
+  accountId?: string | null;
+  target: string;
+}) {
+  const parsed = parseIMessageTarget(params.target);
+  if (parsed.kind === "handle") {
+    const handle = normalizeIMessageHandle(parsed.to);
+    if (!handle) {
+      return null;
+    }
+    const peer: RoutePeer = { kind: "direct", id: handle };
+    const baseSessionKey = buildIMessageBaseSessionKey({
+      cfg: params.cfg,
+      agentId: params.agentId,
+      accountId: params.accountId,
+      peer,
+    });
+    return {
+      sessionKey: baseSessionKey,
+      baseSessionKey,
+      peer,
+      chatType: "direct" as const,
+      from: `imessage:${handle}`,
+      to: `imessage:${handle}`,
+    };
+  }
+
+  const peerId =
+    parsed.kind === "chat_id"
+      ? String(parsed.chatId)
+      : parsed.kind === "chat_guid"
+        ? parsed.chatGuid
+        : parsed.chatIdentifier;
+  if (!peerId) {
+    return null;
+  }
+  const peer: RoutePeer = { kind: "group", id: peerId };
+  const baseSessionKey = buildIMessageBaseSessionKey({
+    cfg: params.cfg,
+    agentId: params.agentId,
+    accountId: params.accountId,
+    peer,
+  });
+  const toPrefix =
+    parsed.kind === "chat_id"
+      ? "chat_id"
+      : parsed.kind === "chat_guid"
+        ? "chat_guid"
+        : "chat_identifier";
+  return {
+    sessionKey: baseSessionKey,
+    baseSessionKey,
+    peer,
+    chatType: "group" as const,
+    from: `imessage:group:${peerId}`,
+    to: `${toPrefix}:${peerId}`,
+  };
+}
+
 export const imessagePlugin: ChannelPlugin<ResolvedIMessageAccount> = {
   id: "imessage",
   meta: {
@@ -176,6 +255,7 @@ export const imessagePlugin: ChannelPlugin<ResolvedIMessageAccount> = {
   },
   messaging: {
     normalizeTarget: normalizeIMessageMessagingTarget,
+    resolveOutboundSessionRoute: (params) => resolveIMessageOutboundSessionRoute(params),
     targetResolver: {
       looksLikeId: looksLikeIMessageTargetId,
       hint: "<handle|chat_id:ID>",
diff --git a/extensions/signal/src/channel.ts b/extensions/signal/src/channel.ts
index 7567d68d4fa..2d7e1983972 100644
--- a/extensions/signal/src/channel.ts
+++ b/extensions/signal/src/channel.ts
@@ -1,3 +1,4 @@
+import { buildAgentSessionKey, type RoutePeer } from "openclaw/plugin-sdk";
 import {
   buildAccountScopedAllowlistConfigEditor,
   buildAccountScopedDmSecurityPolicy,
@@ -31,6 +32,12 @@ import { resolveTextChunkLimit } from "../../../src/auto-reply/chunk.js";
 import { resolveMarkdownTableMode } from "../../../src/config/markdown-tables.js";
 import { resolveOutboundSendDep } from "../../../src/infra/outbound/send-deps.js";
 import { markdownToSignalTextChunks } from "./format.js";
+import {
+  looksLikeUuid,
+  resolveSignalPeerId,
+  resolveSignalRecipient,
+  resolveSignalSender,
+} from "./identity.js";
 import type { SignalProbe } from "./probe.js";
 import { getSignalRuntime } from "./runtime.js";
 import { createSignalSetupWizardProxy, signalSetupAdapter } from "./setup-core.js";
@@ -138,6 +145,88 @@ function parseSignalExplicitTarget(raw: string) {
   };
 }
 
+function buildSignalBaseSessionKey(params: {
+  cfg: Parameters<typeof resolveSignalAccount>[0]["cfg"];
+  agentId: string;
+  accountId?: string | null;
+  peer: RoutePeer;
+}) {
+  return buildAgentSessionKey({
+    agentId: params.agentId,
+    channel: "signal",
+    accountId: params.accountId,
+    peer: params.peer,
+    dmScope: params.cfg.session?.dmScope ?? "main",
+    identityLinks: params.cfg.session?.identityLinks,
+  });
+}
+
+function resolveSignalOutboundSessionRoute(params: {
+  cfg: Parameters<typeof resolveSignalAccount>[0]["cfg"];
+  agentId: string;
+  accountId?: string | null;
+  target: string;
+}) {
+  const stripped = params.target.replace(/^signal:/i, "").trim();
+  const lowered = stripped.toLowerCase();
+  if (lowered.startsWith("group:")) {
+    const groupId = stripped.slice("group:".length).trim();
+    if (!groupId) {
+      return null;
+    }
+    const peer: RoutePeer = { kind: "group", id: groupId };
+    const baseSessionKey = buildSignalBaseSessionKey({
+      cfg: params.cfg,
+      agentId: params.agentId,
+      accountId: params.accountId,
+      peer,
+    });
+    return {
+      sessionKey: baseSessionKey,
+      baseSessionKey,
+      peer,
+      chatType: "group" as const,
+      from: `group:${groupId}`,
+      to: `group:${groupId}`,
+    };
+  }
+
+  let recipient = stripped.trim();
+  if (lowered.startsWith("username:")) {
+    recipient = stripped.slice("username:".length).trim();
+  } else if (lowered.startsWith("u:")) {
+    recipient = stripped.slice("u:".length).trim();
+  }
+  if (!recipient) {
+    return null;
+  }
+
+  const uuidCandidate = recipient.toLowerCase().startsWith("uuid:")
+    ? recipient.slice("uuid:".length)
+    : recipient;
+  const sender = resolveSignalSender({
+    sourceUuid: looksLikeUuid(uuidCandidate) ? uuidCandidate : null,
+    sourceNumber: looksLikeUuid(uuidCandidate) ? null : recipient,
+  });
+  const peerId = sender ? resolveSignalPeerId(sender) : recipient;
+  const displayRecipient = sender ? resolveSignalRecipient(sender) : recipient;
+  const peer: RoutePeer = { kind: "direct", id: peerId };
+  const baseSessionKey = buildSignalBaseSessionKey({
+    cfg: params.cfg,
+    agentId: params.agentId,
+    accountId: params.accountId,
+    peer,
+  });
+  return {
+    sessionKey: baseSessionKey,
+    baseSessionKey,
+    peer,
+    chatType: "direct" as const,
+    from: `signal:${displayRecipient}`,
+    to: `signal:${displayRecipient}`,
+  };
+}
+
 async function sendFormattedSignalText(ctx: {
   cfg: Parameters<typeof resolveSignalAccount>[0]["cfg"];
   to: string;
@@ -324,6 +413,7 @@ export const signalPlugin: ChannelPlugin<ResolvedSignalAccount> = {
     normalizeTarget: normalizeSignalMessagingTarget,
     parseExplicitTarget: ({ raw }) => parseSignalExplicitTarget(raw),
     inferTargetChatType: ({ to }) => inferSignalTargetChatType(to),
+    resolveOutboundSessionRoute: (params) => resolveSignalOutboundSessionRoute(params),
     targetResolver: {
       looksLikeId: looksLikeSignalTargetId,
       hint: "<E.164|uuid:ID|group:ID|signal:group:ID|signal:+E.164>",
diff --git a/extensions/slack/src/channel.ts b/extensions/slack/src/channel.ts
index 33322732236..32d362be5e6 100644
--- a/extensions/slack/src/channel.ts
+++ b/extensions/slack/src/channel.ts
@@ -1,3 +1,8 @@
+import {
+  buildAgentSessionKey,
+  resolveThreadSessionKeys,
+  type RoutePeer,
+} from "openclaw/plugin-sdk";
 import { createScopedChannelConfigBase } from "openclaw/plugin-sdk/compat";
 import {
   buildAccountScopedAllowlistConfigEditor,
@@ -33,11 +38,14 @@ import {
   buildSlackThreadingToolContext,
   SlackConfigSchema,
   type ChannelPlugin,
+  type OpenClawConfig,
   type ResolvedSlackAccount,
 } from "openclaw/plugin-sdk/slack";
 import { resolveOutboundSendDep } from "../../../src/infra/outbound/send-deps.js";
 import { buildPassiveProbedChannelStatusSummary } from "../../shared/channel-status-summary.js";
 import { parseSlackBlocksInput } from "./blocks-input.js";
+import { createSlackWebClient } from "./client.js";
+import { normalizeAllowListLower } from "./monitor/allow-list.js";
 import type { SlackProbe } from "./probe.js";
 import { resolveSlackUserAllowlist } from "./resolve-users.js";
 import { getSlackRuntime } from "./runtime.js";
@@ -46,6 +54,7 @@ import { createSlackSetupWizardProxy, slackSetupAdapter } from "./setup-core.js"
 import { parseSlackTarget } from "./targets.js";
 
 const meta = getChatChannelMeta("slack");
+const SLACK_CHANNEL_TYPE_CACHE = new Map<string, "channel" | "group" | "dm" | "unknown">();
 
 async function loadSlackChannelRuntime() {
   return await import("./channel.runtime.js");
@@ -142,6 +151,157 @@ function parseSlackExplicitTarget(raw: string) {
   };
 }
 
+function normalizeOutboundThreadId(value?: string | number | null): string | undefined {
+  if (value == null) {
+    return undefined;
+  }
+  if (typeof value === "number") {
+    if (!Number.isFinite(value)) {
+      return undefined;
+    }
+    return String(Math.trunc(value));
+  }
+  const trimmed = value.trim();
+  return trimmed ? trimmed : undefined;
+}
+
+function buildSlackBaseSessionKey(params: {
+  cfg: OpenClawConfig;
+  agentId: string;
+  accountId?: string | null;
+  peer: RoutePeer;
+}) {
+  return buildAgentSessionKey({
+    agentId: params.agentId,
+    channel: "slack",
+    accountId: params.accountId,
+    peer: params.peer,
+    dmScope: params.cfg.session?.dmScope ?? "main",
+    identityLinks: params.cfg.session?.identityLinks,
+  });
+}
+
+async function resolveSlackChannelType(params: {
+  cfg: OpenClawConfig;
+  accountId?: string | null;
+  channelId: string;
+}): Promise<"channel" | "group" | "dm" | "unknown"> {
+  const channelId = params.channelId.trim();
+  if (!channelId) {
+    return "unknown";
+  }
+  const cacheKey = `${params.accountId ?? "default"}:${channelId}`;
+  const cached = SLACK_CHANNEL_TYPE_CACHE.get(cacheKey);
+  if (cached) {
+    return cached;
+  }
+
+  const account = resolveSlackAccount({ cfg: params.cfg, accountId: params.accountId });
+  const groupChannels = normalizeAllowListLower(account.dm?.groupChannels);
+  const channelIdLower = channelId.toLowerCase();
+  if (
+    groupChannels.includes(channelIdLower) ||
+    groupChannels.includes(`slack:${channelIdLower}`) ||
+    groupChannels.includes(`channel:${channelIdLower}`) ||
+    groupChannels.includes(`group:${channelIdLower}`) ||
+    groupChannels.includes(`mpim:${channelIdLower}`)
+  ) {
+    SLACK_CHANNEL_TYPE_CACHE.set(cacheKey, "group");
+    return "group";
+  }
+
+  const channelKeys = Object.keys(account.channels ?? {});
+  if (
+    channelKeys.some((key) => {
+      const normalized = key.trim().toLowerCase();
+      return (
+        normalized === channelIdLower ||
+        normalized === `channel:${channelIdLower}` ||
+        normalized.replace(/^#/, "") === channelIdLower
+      );
+    })
+  ) {
+    SLACK_CHANNEL_TYPE_CACHE.set(cacheKey, "channel");
+    return "channel";
+  }
+
+  const token = account.botToken?.trim() || account.config.userToken?.trim() || "";
+  if (!token) {
+    SLACK_CHANNEL_TYPE_CACHE.set(cacheKey, "unknown");
+    return "unknown";
+  }
+
+  try {
+    const client = createSlackWebClient(token);
+    const info = await client.conversations.info({ channel: channelId });
+    const channel = info.channel as { is_im?: boolean; is_mpim?: boolean } | undefined;
+    const type = channel?.is_im ? "dm" : channel?.is_mpim ? "group" : "channel";
+    SLACK_CHANNEL_TYPE_CACHE.set(cacheKey, type);
+    return type;
+  } catch {
+    SLACK_CHANNEL_TYPE_CACHE.set(cacheKey, "unknown");
+    return "unknown";
+  }
+}
+
+async function resolveSlackOutboundSessionRoute(params: {
+  cfg: OpenClawConfig;
+  agentId: string;
+  accountId?: string | null;
+  target: string;
+  replyToId?: string | null;
+  threadId?: string | number | null;
+}) {
+  const parsed = parseSlackTarget(params.target, { defaultKind: "channel" });
+  if (!parsed) {
+    return null;
+  }
+  const isDm = parsed.kind === "user";
+  let peerKind: "direct" | "channel" | "group" = isDm ? "direct" : "channel";
+  if (!isDm && /^G/i.test(parsed.id)) {
+    const channelType = await resolveSlackChannelType({
+      cfg: params.cfg,
+      accountId: params.accountId,
+      channelId: parsed.id,
+    });
+    if (channelType === "group") {
+      peerKind = "group";
+    }
+    if (channelType === "dm") {
+      peerKind = "direct";
+    }
+  }
+  const peer: RoutePeer = {
+    kind: peerKind,
+    id: parsed.id,
+  };
+  const baseSessionKey = buildSlackBaseSessionKey({
+    cfg: params.cfg,
+    agentId: params.agentId,
+    accountId: params.accountId,
+    peer,
+  });
+  const threadId = normalizeOutboundThreadId(params.threadId ?? params.replyToId);
+  const threadKeys = resolveThreadSessionKeys({
+    baseSessionKey,
+    threadId,
+  });
+  return {
+    sessionKey: threadKeys.sessionKey,
+    baseSessionKey,
+    peer,
+    chatType: peerKind === "direct" ? ("direct" as const) : ("channel" as const),
+    from:
+      peerKind === "direct"
+        ? `slack:${parsed.id}`
+        : peerKind === "group"
+          ? `slack:group:${parsed.id}`
+          : `slack:channel:${parsed.id}`,
+    to: peerKind === "direct" ? `user:${parsed.id}` : `channel:${parsed.id}`,
+    threadId,
+  };
+}
+
 function formatSlackScopeDiagnostic(params: {
   tokenType: "bot" | "user";
   result: Awaited<ReturnType<typeof fetchSlackScopes>>;
@@ -362,6 +522,7 @@ export const slackPlugin: ChannelPlugin<ResolvedSlackAccount> = {
     normalizeTarget: normalizeSlackMessagingTarget,
     parseExplicitTarget: ({ raw }) => parseSlackExplicitTarget(raw),
     inferTargetChatType: ({ to }) => parseSlackExplicitTarget(to)?.chatType,
+    resolveOutboundSessionRoute: async (params) => await resolveSlackOutboundSessionRoute(params),
     enableInteractiveReplies: ({ cfg, accountId }) =>
       isSlackInteractiveRepliesEnabled({ cfg, accountId }),
     hasStructuredReplyPayload: ({ payload }) => {
diff --git a/extensions/telegram/src/channel.ts b/extensions/telegram/src/channel.ts
index dda83e3f521..1b30d43a7e0 100644
--- a/extensions/telegram/src/channel.ts
+++ b/extensions/telegram/src/channel.ts
@@ -1,3 +1,8 @@
+import {
+  buildAgentSessionKey,
+  resolveThreadSessionKeys,
+  type RoutePeer,
+} from "openclaw/plugin-sdk";
 import { createScopedChannelConfigBase } from "openclaw/plugin-sdk/compat";
 import {
   buildAccountScopedAllowlistConfigEditor,
@@ -47,6 +52,7 @@ import {
 } from "../../../src/infra/outbound/send-deps.js";
 import { normalizeMessageChannel } from "../../../src/utils/message-channel.js";
 import { buildTelegramExecApprovalButtons } from "./approval-buttons.js";
+import { buildTelegramGroupPeerId } from "./bot/helpers.js";
 import {
   isTelegramExecApprovalClientEnabled,
   resolveTelegramExecApprovalTarget,
@@ -214,6 +220,87 @@ function parseTelegramExplicitTarget(raw: string) {
   };
 }
 
+function normalizeOutboundThreadId(value?: string | number | null): string | undefined {
+  if (value == null) {
+    return undefined;
+  }
+  if (typeof value === "number") {
+    if (!Number.isFinite(value)) {
+      return undefined;
+    }
+    return String(Math.trunc(value));
+  }
+  const trimmed = value.trim();
+  return trimmed ? trimmed : undefined;
+}
+
+function buildTelegramBaseSessionKey(params: {
+  cfg: OpenClawConfig;
+  agentId: string;
+  accountId?: string | null;
+  peer: RoutePeer;
+}) {
+  return buildAgentSessionKey({
+    agentId: params.agentId,
+    channel: "telegram",
+    accountId: params.accountId,
+    peer: params.peer,
+    dmScope: params.cfg.session?.dmScope ?? "main",
+    identityLinks: params.cfg.session?.identityLinks,
+  });
+}
+
+function resolveTelegramOutboundSessionRoute(params: {
+  cfg: OpenClawConfig;
+  agentId: string;
+  accountId?: string | null;
+  target: string;
+  resolvedTarget?: { kind: string };
+  threadId?: string | number | null;
+}) {
+  const parsed = parseTelegramTarget(params.target);
+  const chatId = parsed.chatId.trim();
+  if (!chatId) {
+    return null;
+  }
+  const fallbackThreadId = normalizeOutboundThreadId(params.threadId);
+  const resolvedThreadId = parsed.messageThreadId ?? parseTelegramThreadId(fallbackThreadId);
+  const isGroup =
+    parsed.chatType === "group" ||
+    (parsed.chatType === "unknown" &&
+      params.resolvedTarget?.kind &&
+      params.resolvedTarget.kind !== "user");
+  const peerId =
+    isGroup && resolvedThreadId ? buildTelegramGroupPeerId(chatId, resolvedThreadId) : chatId;
+  const peer: RoutePeer = {
+    kind: isGroup ? "group" : "direct",
+    id: peerId,
+  };
+  const baseSessionKey = buildTelegramBaseSessionKey({
+    cfg: params.cfg,
+    agentId: params.agentId,
+    accountId: params.accountId,
+    peer,
+  });
+  const threadKeys =
+    resolvedThreadId && !isGroup
+      ? resolveThreadSessionKeys({ baseSessionKey, threadId: String(resolvedThreadId) })
+      : null;
+  return {
+    sessionKey: threadKeys?.sessionKey ?? baseSessionKey,
+    baseSessionKey,
+    peer,
+    chatType: isGroup ? ("group" as const) : ("direct" as const),
+    from: isGroup
+      ? `telegram:group:${peerId}`
+      : resolvedThreadId
+        ? `telegram:${chatId}:topic:${resolvedThreadId}`
+        : `telegram:${chatId}`,
+    to: `telegram:${chatId}`,
+    threadId: resolvedThreadId,
+  };
+}
+
 function hasTelegramExecApprovalDmRoute(cfg: OpenClawConfig): boolean {
   return listTelegramAccountIds(cfg).some((accountId) => {
     if (!isTelegramExecApprovalClientEnabled({ cfg, accountId })) {
@@ -418,6 +505,7 @@ export const telegramPlugin: ChannelPlugin<ResolvedTelegramAccount, TelegramProb
     normalizeTarget: normalizeTelegramMessagingTarget,
     parseExplicitTarget: ({ raw }) => parseTelegramExplicitTarget(raw),
     inferTargetChatType: ({ to }) => parseTelegramExplicitTarget(to).chatType,
+    resolveOutboundSessionRoute: (params) => resolveTelegramOutboundSessionRoute(params),
     targetResolver: {
       looksLikeId: looksLikeTelegramTargetId,
       hint: "<chatId>",
diff --git a/extensions/telegram/src/draft-chunking.ts b/extensions/telegram/src/draft-chunking.ts
index f907faf02f8..951fbb41951 100644
--- a/extensions/telegram/src/draft-chunking.ts
+++ b/extensions/telegram/src/draft-chunking.ts
@@ -1,8 +1,8 @@
 import { resolveTextChunkLimit } from "../../../src/auto-reply/chunk.js";
-import { getChannelDock } from "../../../src/channels/dock.js";
 import type { OpenClawConfig } from "../../../src/config/config.js";
 import { resolveAccountEntry } from "../../../src/routing/account-lookup.js";
 import { normalizeAccountId } from "../../../src/routing/session-key.js";
+import { TELEGRAM_TEXT_CHUNK_LIMIT } from "./outbound-adapter.js";
 
 const DEFAULT_TELEGRAM_DRAFT_STREAM_MIN = 200;
 const DEFAULT_TELEGRAM_DRAFT_STREAM_MAX = 800;
@@ -15,9 +15,8 @@ export function resolveTelegramDraftStreamingChunking(
   maxChars: number;
   breakPreference: "paragraph" | "newline" | "sentence";
 } {
-  const providerChunkLimit = getChannelDock("telegram")?.outbound?.textChunkLimit;
   const textLimit = resolveTextChunkLimit(cfg, "telegram", accountId, {
-    fallbackLimit: providerChunkLimit,
+    fallbackLimit: TELEGRAM_TEXT_CHUNK_LIMIT,
   });
   const normalizedAccountId = normalizeAccountId(accountId);
   const accountCfg = resolveAccountEntry(cfg?.channels?.telegram?.accounts, normalizedAccountId);
diff --git a/extensions/telegram/src/outbound-adapter.ts b/extensions/telegram/src/outbound-adapter.ts
index 0ab050bbd06..25bd2329ed7 100644
--- a/extensions/telegram/src/outbound-adapter.ts
+++ b/extensions/telegram/src/outbound-adapter.ts
@@ -15,6 +15,8 @@ import { markdownToTelegramHtmlChunks } from "./format.js";
 import { parseTelegramReplyToMessageId, parseTelegramThreadId } from "./outbound-params.js";
 import { sendMessageTelegram } from "./send.js";
 
+export const TELEGRAM_TEXT_CHUNK_LIMIT = 4000;
+
 type TelegramSendFn = typeof sendMessageTelegram;
 type TelegramSendOpts = Parameters<TelegramSendFn>[2];
 
@@ -101,7 +103,7 @@ export const telegramOutbound: ChannelOutboundAdapter = {
   deliveryMode: "direct",
   chunker: markdownToTelegramHtmlChunks,
   chunkerMode: "markdown",
-  textChunkLimit: 4000,
+  textChunkLimit: TELEGRAM_TEXT_CHUNK_LIMIT,
   shouldSkipPlainTextSanitization: ({ payload }) => Boolean(payload.channelData),
   resolveEffectiveTextChunkLimit: ({ fallbackLimit }) =>
     typeof fallbackLimit === "number" ? Math.min(fallbackLimit, 4096) : 4096,
diff --git a/extensions/zalo/index.ts b/extensions/zalo/index.ts
index 3028b8b492f..ef62ee6e560 100644
--- a/extensions/zalo/index.ts
+++ b/extensions/zalo/index.ts
@@ -1,6 +1,6 @@
 import type { OpenClawPluginApi } from "openclaw/plugin-sdk/zalo";
 import { emptyPluginConfigSchema } from "openclaw/plugin-sdk/zalo";
-import { zaloDock, zaloPlugin } from "./src/channel.js";
+import { zaloPlugin } from "./src/channel.js";
 import { setZaloRuntime } from "./src/runtime.js";
 
 const plugin = {
@@ -10,7 +10,7 @@ const plugin = {
   configSchema: emptyPluginConfigSchema(),
   register(api: OpenClawPluginApi) {
     setZaloRuntime(api.runtime);
-    api.registerChannel({ plugin: zaloPlugin, dock: zaloDock });
+    api.registerChannel(zaloPlugin);
   },
 };
 
diff --git a/extensions/zalo/src/channel.ts b/extensions/zalo/src/channel.ts
index 69f99c69e3a..32ceeeff110 100644
--- a/extensions/zalo/src/channel.ts
+++ b/extensions/zalo/src/channel.ts
@@ -8,7 +8,6 @@ import {
 } from "openclaw/plugin-sdk/compat";
 import type {
   ChannelAccountSnapshot,
-  ChannelDock,
   ChannelPlugin,
   OpenClawConfig,
 } from "openclaw/plugin-sdk/zalo";
@@ -64,28 +63,6 @@ function normalizeZaloMessagingTarget(raw: string): string | undefined {
   return trimmed.replace(/^(zalo|zl):/i, "");
 }
 
-export const zaloDock: ChannelDock = {
-  id: "zalo",
-  capabilities: {
-    chatTypes: ["direct", "group"],
-    media: true,
-    blockStreaming: true,
-  },
-  outbound: { textChunkLimit: 2000 },
-  config: {
-    resolveAllowFrom: ({ cfg, accountId }) =>
-      mapAllowFromEntries(resolveZaloAccount({ cfg: cfg, accountId }).config.allowFrom),
-    formatAllowFrom: ({ allowFrom }) =>
-      formatAllowFromLowercase({ allowFrom, stripPrefixRe: /^(zalo|zl):/i }),
-  },
-  groups: {
-    resolveRequireMention: () => true,
-  },
-  threading: {
-    resolveReplyToMode: () => "off",
-  },
-};
-
 export const zaloPlugin: ChannelPlugin<ResolvedZaloAccount> = {
   id: "zalo",
   meta,
diff --git a/extensions/zalouser/index.ts b/extensions/zalouser/index.ts
index 747a7e26531..8d470b043e3 100644
--- a/extensions/zalouser/index.ts
+++ b/extensions/zalouser/index.ts
@@ -1,6 +1,6 @@
 import type { AnyAgentTool, OpenClawPluginApi } from "openclaw/plugin-sdk/zalouser";
 import { emptyPluginConfigSchema } from "openclaw/plugin-sdk/zalouser";
-import { zalouserDock, zalouserPlugin } from "./src/channel.js";
+import { zalouserPlugin } from "./src/channel.js";
 import { setZalouserRuntime } from "./src/runtime.js";
 import { ZalouserToolSchema, executeZalouserTool } from "./src/tool.js";
 
@@ -11,7 +11,7 @@ const plugin = {
   configSchema: emptyPluginConfigSchema(),
   register(api: OpenClawPluginApi) {
     setZalouserRuntime(api.runtime);
-    api.registerChannel({ plugin: zalouserPlugin, dock: zalouserDock });
+    api.registerChannel(zalouserPlugin);
     if (api.registrationMode !== "full") {
       return;
     }
diff --git a/extensions/zalouser/src/channel.ts b/extensions/zalouser/src/channel.ts
index 46dbb2c9fee..7e79b186c3d 100644
--- a/extensions/zalouser/src/channel.ts
+++ b/extensions/zalouser/src/channel.ts
@@ -6,7 +6,6 @@ import {
 import type {
   ChannelAccountSnapshot,
   ChannelDirectoryEntry,
-  ChannelDock,
   ChannelGroupContext,
   ChannelMessageActionAdapter,
   ChannelPlugin,
@@ -67,6 +66,8 @@ const meta = {
   quickstartAllowFrom: true,
 };
 
+const ZALOUSER_TEXT_CHUNK_LIMIT = 2000;
+
 function stripZalouserTargetPrefix(raw: string): string {
   return raw
     .trim()
@@ -172,7 +173,7 @@ function resolveZalouserOutboundChunkMode(cfg: OpenClawConfig, accountId?: strin
 
 function resolveZalouserOutboundTextChunkLimit(cfg: OpenClawConfig, accountId?: string) {
   return getZalouserRuntime().channel.text.resolveTextChunkLimit(cfg, "zalouser", accountId, {
-    fallbackLimit: zalouserDock.outbound?.textChunkLimit ?? 2000,
+    fallbackLimit: ZALOUSER_TEXT_CHUNK_LIMIT,
   });
 }
 
@@ -304,29 +305,6 @@ const zalouserMessageActions: ChannelMessageActionAdapter = {
   },
 };
 
-export const zalouserDock: ChannelDock = {
-  id: "zalouser",
-  capabilities: {
-    chatTypes: ["direct", "group"],
-    media: true,
-    blockStreaming: true,
-  },
-  outbound: { textChunkLimit: 2000 },
-  config: {
-    resolveAllowFrom: ({ cfg, accountId }) =>
-      mapAllowFromEntries(resolveZalouserAccountSync({ cfg: cfg, accountId }).config.allowFrom),
-    formatAllowFrom: ({ allowFrom }) =>
-      formatAllowFromLowercase({ allowFrom, stripPrefixRe: /^(zalouser|zlu):/i }),
-  },
-  groups: {
-    resolveRequireMention: resolveZalouserRequireMention,
-    resolveToolPolicy: resolveZalouserGroupToolPolicy,
-  },
-  threading: {
-    resolveReplyToMode: () => "off",
-  },
-};
-
 export const zalouserPlugin: ChannelPlugin<ResolvedZalouserAccount> = {
   id: "zalouser",
   meta,
diff --git a/src/channels/dock.test.ts b/src/channels/dock.test.ts
deleted file mode 100644
index 99e3947be9b..00000000000
--- a/src/channels/dock.test.ts
+++ /dev/null
@@ -1,194 +0,0 @@
-import { describe, expect, it } from "vitest";
-import type { OpenClawConfig } from "../config/config.js";
-import { withEnv } from "../test-utils/env.js";
-import { getChannelDock } from "./dock.js";
-
-function emptyConfig(): OpenClawConfig {
-  return {} as OpenClawConfig;
-}
-
-describe("channels dock", () => {
-  it("telegram and googlechat threading contexts map thread ids consistently", () => {
-    const hasRepliedRef = { value: false };
-    const telegramDock = getChannelDock("telegram");
-    const googleChatDock = getChannelDock("googlechat");
-
-    const telegramContext = telegramDock?.threading?.buildToolContext?.({
-      cfg: emptyConfig(),
-      context: {
-        To: " room-1 ",
-        MessageThreadId: 42,
-        ReplyToId: "fallback",
-        CurrentMessageId: "9001",
-      },
-      hasRepliedRef,
-    });
-    const googleChatContext = googleChatDock?.threading?.buildToolContext?.({
-      cfg: emptyConfig(),
-      context: { To: " space-1 ", ReplyToId: "thread-abc" },
-      hasRepliedRef,
-    });
-
-    expect(telegramContext).toEqual({
-      currentChannelId: "room-1",
-      currentThreadTs: "42",
-      currentMessageId: "9001",
-      hasRepliedRef,
-    });
-    expect(googleChatContext).toEqual({
-      currentChannelId: "space-1",
-      currentThreadTs: "thread-abc",
-      hasRepliedRef,
-    });
-  });
-
-  it("telegram threading does not treat ReplyToId as thread id in DMs", () => {
-    const hasRepliedRef = { value: false };
-    const telegramDock = getChannelDock("telegram");
-    const context = telegramDock?.threading?.buildToolContext?.({
-      cfg: emptyConfig(),
-      context: { To: " dm-1 ", ReplyToId: "12345", CurrentMessageId: "12345" },
-      hasRepliedRef,
-    });
-
-    expect(context).toEqual({
-      currentChannelId: "dm-1",
-      currentThreadTs: undefined,
-      currentMessageId: "12345",
-      hasRepliedRef,
-    });
-  });
-
-  it("irc resolveDefaultTo matches account id case-insensitively", () => {
-    const ircDock = getChannelDock("irc");
-    const cfg = {
-      channels: {
-        irc: {
-          defaultTo: "#root",
-          accounts: {
-            Work: { defaultTo: "#work" },
-          },
-        },
-      },
-    } as unknown as OpenClawConfig;
-
-    const accountDefault = ircDock?.config?.resolveDefaultTo?.({ cfg, accountId: "work" });
-    const rootDefault = ircDock?.config?.resolveDefaultTo?.({ cfg, accountId: "missing" });
-
-    expect(accountDefault).toBe("#work");
-    expect(rootDefault).toBe("#root");
-  });
-
-  it("signal allowFrom formatter normalizes values and preserves wildcard", () => {
-    const signalDock = getChannelDock("signal");
-
-    const formatted = signalDock?.config?.formatAllowFrom?.({
-      cfg: emptyConfig(),
-      allowFrom: [" signal:+14155550100 ", " * "],
-    });
-
-    expect(formatted).toEqual(["+14155550100", "*"]);
-  });
-
-  it("telegram allowFrom formatter trims, strips prefix, and lowercases", () => {
-    const telegramDock = getChannelDock("telegram");
-
-    const formatted = telegramDock?.config?.formatAllowFrom?.({
-      cfg: emptyConfig(),
-      allowFrom: [" TG:User ", "telegram:Foo", " Plain "],
-    });
-
-    expect(formatted).toEqual(["user", "foo", "plain"]);
-  });
-
-  it("telegram dock config readers preserve omitted-account fallback semantics", () => {
-    withEnv({ TELEGRAM_BOT_TOKEN: "tok-env" }, () => {
-      const telegramDock = getChannelDock("telegram");
-      const cfg = {
-        channels: {
-          telegram: {
-            allowFrom: ["top-owner"],
-            defaultTo: "@top-target",
-            accounts: {
-              work: {
-                botToken: "tok-work",
-                allowFrom: ["work-owner"],
-                defaultTo: "@work-target",
-              },
-            },
-          },
-        },
-      } as unknown as OpenClawConfig;
-
-      expect(telegramDock?.config?.resolveAllowFrom?.({ cfg })).toEqual(["top-owner"]);
-      expect(telegramDock?.config?.resolveDefaultTo?.({ cfg })).toBe("@top-target");
-    });
-  });
-
-  it("slack dock config readers stay read-only when tokens are unresolved SecretRefs", () => {
-    const slackDock = getChannelDock("slack");
-    const cfg = {
-      channels: {
-        slack: {
-          botToken: {
-            source: "env",
-            provider: "default",
-            id: "SLACK_BOT_TOKEN",
-          },
-          appToken: {
-            source: "env",
-            provider: "default",
-            id: "SLACK_APP_TOKEN",
-          },
-          defaultTo: "channel:C111",
-          dm: { allowFrom: ["U123"] },
-          channels: {
-            C111: { requireMention: false },
-          },
-          replyToMode: "all",
-        },
-      },
-    } as unknown as OpenClawConfig;
-
-    expect(slackDock?.config?.resolveAllowFrom?.({ cfg, accountId: "default" })).toEqual(["U123"]);
-    expect(slackDock?.config?.resolveDefaultTo?.({ cfg, accountId: "default" })).toBe(
-      "channel:C111",
-    );
-    expect(
-      slackDock?.threading?.resolveReplyToMode?.({
-        cfg,
-        accountId: "default",
-        chatType: "channel",
-      }),
-    ).toBe("all");
-    expect(
-      slackDock?.groups?.resolveRequireMention?.({
-        cfg,
-        accountId: "default",
-        groupId: "C111",
-      }),
-    ).toBe(false);
-  });
-
-  it("dock config readers coerce numeric allowFrom/defaultTo entries through shared helpers", () => {
-    const telegramDock = getChannelDock("telegram");
-    const signalDock = getChannelDock("signal");
-    const cfg = {
-      channels: {
-        telegram: {
-          allowFrom: [12345],
-          defaultTo: 67890,
-        },
-        signal: {
-          allowFrom: [14155550100],
-          defaultTo: 42,
-        },
-      },
-    } as unknown as OpenClawConfig;
-
-    expect(telegramDock?.config?.resolveAllowFrom?.({ cfg })).toEqual(["12345"]);
-    expect(telegramDock?.config?.resolveDefaultTo?.({ cfg })).toBe("67890");
-    expect(signalDock?.config?.resolveAllowFrom?.({ cfg })).toEqual(["14155550100"]);
-    expect(signalDock?.config?.resolveDefaultTo?.({ cfg })).toBe("42");
-  });
-});
diff --git a/src/channels/dock.ts b/src/channels/dock.ts
deleted file mode 100644
index 2e63583ca1b..00000000000
--- a/src/channels/dock.ts
+++ /dev/null
@@ -1,636 +0,0 @@
-import { inspectDiscordAccount } from "../../extensions/discord/src/account-inspect.js";
-import { resolveSignalAccount } from "../../extensions/signal/src/accounts.js";
-import { inspectSlackAccount } from "../../extensions/slack/src/account-inspect.js";
-import { resolveSlackReplyToMode } from "../../extensions/slack/src/accounts.js";
-import { buildSlackThreadingToolContext } from "../../extensions/slack/src/threading-tool-context.js";
-import { inspectTelegramAccount } from "../../extensions/telegram/src/account-inspect.js";
-import {
-  resolveChannelGroupRequireMention,
-  resolveChannelGroupToolsPolicy,
-} from "../config/group-policy.js";
-import {
-  formatAllowFromLowercase,
-  formatNormalizedAllowFromEntries,
-} from "../plugin-sdk/allow-from.js";
-import {
-  mapAllowFromEntries,
-  resolveOptionalConfigString,
-  formatTrimmedAllowFromEntries,
-  formatWhatsAppConfigAllowFromEntries,
-  resolveIMessageConfigAllowFrom,
-  resolveIMessageConfigDefaultTo,
-  resolveWhatsAppConfigAllowFrom,
-  resolveWhatsAppConfigDefaultTo,
-} from "../plugin-sdk/channel-config-helpers.js";
-import { requireActivePluginRegistry } from "../plugins/runtime.js";
-import { normalizeAccountId } from "../routing/session-key.js";
-import { normalizeE164 } from "../utils.js";
-import {
-  resolveDiscordGroupRequireMention,
-  resolveDiscordGroupToolPolicy,
-  resolveGoogleChatGroupRequireMention,
-  resolveGoogleChatGroupToolPolicy,
-  resolveIMessageGroupRequireMention,
-  resolveIMessageGroupToolPolicy,
-  resolveLineGroupRequireMention,
-  resolveLineGroupToolPolicy,
-  resolveSlackGroupRequireMention,
-  resolveSlackGroupToolPolicy,
-  resolveTelegramGroupRequireMention,
-  resolveTelegramGroupToolPolicy,
-  resolveWhatsAppGroupRequireMention,
-  resolveWhatsAppGroupToolPolicy,
-} from "./plugins/group-mentions.js";
-import { normalizeSignalMessagingTarget } from "./plugins/normalize/signal.js";
-import type {
-  ChannelCapabilities,
-  ChannelCommandAdapter,
-  ChannelConfigAdapter,
-  ChannelElevatedAdapter,
-  ChannelGroupAdapter,
-  ChannelId,
-  ChannelAgentPromptAdapter,
-  ChannelMentionAdapter,
-  ChannelPlugin,
-  ChannelThreadingContext,
-  ChannelThreadingAdapter,
-  ChannelThreadingToolContext,
-} from "./plugins/types.js";
-import {
-  resolveWhatsAppGroupIntroHint,
-  resolveWhatsAppMentionStripRegexes,
-} from "./plugins/whatsapp-shared.js";
-import { CHAT_CHANNEL_ORDER, type ChatChannelId, getChatChannelMeta } from "./registry.js";
-
-export type ChannelDock = {
-  id: ChannelId;
-  capabilities: ChannelCapabilities;
-  commands?: ChannelCommandAdapter;
-  outbound?: {
-    textChunkLimit?: number;
-  };
-  streaming?: ChannelDockStreaming;
-  elevated?: ChannelElevatedAdapter;
-  config?: Pick<
-    ChannelConfigAdapter<unknown>,
-    "resolveAllowFrom" | "formatAllowFrom" | "resolveDefaultTo"
-  >;
-  groups?: ChannelGroupAdapter;
-  mentions?: ChannelMentionAdapter;
-  threading?: ChannelThreadingAdapter;
-  agentPrompt?: ChannelAgentPromptAdapter;
-};
-
-type ChannelDockStreaming = {
-  blockStreamingCoalesceDefaults?: {
-    minChars?: number;
-    idleMs?: number;
-  };
-};
-
-const DEFAULT_OUTBOUND_TEXT_CHUNK_LIMIT_4000 = { textChunkLimit: 4000 };
-
-const DEFAULT_BLOCK_STREAMING_COALESCE = {
-  blockStreamingCoalesceDefaults: { minChars: 1500, idleMs: 1000 },
-};
-
-function formatAllowFromWithReplacements(
-  allowFrom: Array<string | number>,
-  replacements: RegExp[],
-): string[] {
-  return formatNormalizedAllowFromEntries({
-    allowFrom,
-    normalizeEntry: (entry) => {
-      let normalized = entry;
-      for (const replacement of replacements) {
-        normalized = normalized.replace(replacement, "");
-      }
-      return normalized.toLowerCase();
-    },
-  });
-}
-
-const formatDiscordAllowFrom = (allowFrom: Array<string | number>) =>
-  allowFrom
-    .map((entry) =>
-      String(entry)
-        .trim()
-        .replace(/^<@!?/, "")
-        .replace(/>$/, "")
-        .replace(/^discord:/i, "")
-        .replace(/^user:/i, "")
-        .replace(/^pk:/i, "")
-        .trim()
-        .toLowerCase(),
-    )
-    .filter(Boolean);
-
-function resolveDirectOrGroupChannelId(context: ChannelThreadingContext): string | undefined {
-  const isDirect = context.ChatType?.toLowerCase() === "direct";
-  return (isDirect ? (context.From ?? context.To) : context.To)?.trim() || undefined;
-}
-
-function buildSignalThreadToolContext(params: {
-  context: ChannelThreadingContext;
-  hasRepliedRef: ChannelThreadingToolContext["hasRepliedRef"];
-}): ChannelThreadingToolContext {
-  const currentChannelIdRaw = resolveDirectOrGroupChannelId(params.context);
-  const currentChannelId = currentChannelIdRaw
-    ? (normalizeSignalMessagingTarget(currentChannelIdRaw) ?? currentChannelIdRaw.trim())
-    : undefined;
-  return {
-    currentChannelId,
-    currentThreadTs: params.context.ReplyToId,
-    hasRepliedRef: params.hasRepliedRef,
-  };
-}
-
-function buildIMessageThreadToolContext(params: {
-  context: ChannelThreadingContext;
-  hasRepliedRef: ChannelThreadingToolContext["hasRepliedRef"];
-}): ChannelThreadingToolContext {
-  return {
-    currentChannelId: resolveDirectOrGroupChannelId(params.context),
-    currentThreadTs: params.context.ReplyToId,
-    hasRepliedRef: params.hasRepliedRef,
-  };
-}
-
-function buildThreadToolContextFromMessageThreadOrReply(params: {
-  context: ChannelThreadingContext;
-  hasRepliedRef: ChannelThreadingToolContext["hasRepliedRef"];
-}): ChannelThreadingToolContext {
-  const threadId = params.context.MessageThreadId ?? params.context.ReplyToId;
-  return {
-    currentChannelId: params.context.To?.trim() || undefined,
-    currentThreadTs: threadId != null ? String(threadId) : undefined,
-    hasRepliedRef: params.hasRepliedRef,
-  };
-}
-
-function resolveCaseInsensitiveAccount<T>(
-  accounts: Record<string, T> | undefined,
-  accountId?: string | null,
-): T | undefined {
-  if (!accounts) {
-    return undefined;
-  }
-  const normalized = normalizeAccountId(accountId);
-  return (
-    accounts[normalized] ??
-    accounts[
-      Object.keys(accounts).find((key) => key.toLowerCase() === normalized.toLowerCase()) ?? ""
-    ]
-  );
-}
-
-function resolveDefaultToCaseInsensitiveAccount(params: {
-  channel?:
-    | {
-        accounts?: Record<string, { defaultTo?: string }>;
-        defaultTo?: string;
-      }
-    | undefined;
-  accountId?: string | null;
-}): string | undefined {
-  const account = resolveCaseInsensitiveAccount(params.channel?.accounts, params.accountId);
-  return (account?.defaultTo ?? params.channel?.defaultTo)?.trim() || undefined;
-}
-
-function resolveChannelDefaultTo(
-  channel:
-    | {
-        accounts?: Record<string, { defaultTo?: string }>;
-        defaultTo?: string;
-      }
-    | undefined,
-  accountId?: string | null,
-): string | undefined {
-  return resolveDefaultToCaseInsensitiveAccount({ channel, accountId });
-}
-
-type CaseInsensitiveDefaultToChannel = {
-  accounts?: Record<string, { defaultTo?: string }>;
-  defaultTo?: string;
-};
-
-type CaseInsensitiveDefaultToChannels = Partial<
-  Record<"irc" | "googlechat", CaseInsensitiveDefaultToChannel>
->;
-
-function resolveNamedChannelDefaultTo(params: {
-  channels?: CaseInsensitiveDefaultToChannels;
-  channelId: keyof CaseInsensitiveDefaultToChannels;
-  accountId?: string | null;
-}): string | undefined {
-  return resolveChannelDefaultTo(params.channels?.[params.channelId], params.accountId);
-}
-// Channel docks: lightweight channel metadata/behavior for shared code paths.
-//
-// Rules:
-// - keep this module *light* (no monitors, probes, puppeteer/web login, etc)
-// - OK: config readers, allowFrom formatting, mention stripping patterns, threading defaults
-// - shared code should import from here (and from `src/channels/registry.ts`), not from the plugins registry
-//
-// Adding a channel:
-// - add a new entry to `DOCKS`
-// - keep it cheap; push heavy logic into `src/channels/plugins/<id>.ts` or channel modules
-const DOCKS: Record<ChatChannelId, ChannelDock> = {
-  telegram: {
-    id: "telegram",
-    capabilities: {
-      chatTypes: ["direct", "group", "channel", "thread"],
-      nativeCommands: true,
-      blockStreaming: true,
-    },
-    outbound: DEFAULT_OUTBOUND_TEXT_CHUNK_LIMIT_4000,
-    config: {
-      resolveAllowFrom: ({ cfg, accountId }) =>
-        mapAllowFromEntries(inspectTelegramAccount({ cfg, accountId }).config.allowFrom),
-      formatAllowFrom: ({ allowFrom }) =>
-        formatAllowFromLowercase({
-          allowFrom,
-          stripPrefixRe: /^(telegram|tg):/i,
-        }),
-      resolveDefaultTo: ({ cfg, accountId }) =>
-        resolveOptionalConfigString(inspectTelegramAccount({ cfg, accountId }).config.defaultTo),
-    },
-    groups: {
-      resolveRequireMention: resolveTelegramGroupRequireMention,
-      resolveToolPolicy: resolveTelegramGroupToolPolicy,
-    },
-    threading: {
-      resolveReplyToMode: ({ cfg }) => cfg.channels?.telegram?.replyToMode ?? "off",
-      buildToolContext: ({ context, hasRepliedRef }) => {
-        // Telegram auto-threading should only use actual thread/topic IDs.
-        // ReplyToId is a message ID and causes invalid message_thread_id in DMs.
-        const threadId = context.MessageThreadId;
-        const rawCurrentMessageId = context.CurrentMessageId;
-        const currentMessageId =
-          typeof rawCurrentMessageId === "number"
-            ? rawCurrentMessageId
-            : rawCurrentMessageId?.trim() || undefined;
-        return {
-          currentChannelId: context.To?.trim() || undefined,
-          currentThreadTs: threadId != null ? String(threadId) : undefined,
-          currentMessageId,
-          hasRepliedRef,
-        };
-      },
-    },
-  },
-  whatsapp: {
-    id: "whatsapp",
-    capabilities: {
-      chatTypes: ["direct", "group"],
-      polls: true,
-      reactions: true,
-      media: true,
-    },
-    commands: {
-      enforceOwnerForCommands: true,
-      skipWhenConfigEmpty: true,
-    },
-    outbound: DEFAULT_OUTBOUND_TEXT_CHUNK_LIMIT_4000,
-    config: {
-      resolveAllowFrom: ({ cfg, accountId }) => resolveWhatsAppConfigAllowFrom({ cfg, accountId }),
-      formatAllowFrom: ({ allowFrom }) => formatWhatsAppConfigAllowFromEntries(allowFrom),
-      resolveDefaultTo: ({ cfg, accountId }) => resolveWhatsAppConfigDefaultTo({ cfg, accountId }),
-    },
-    groups: {
-      resolveRequireMention: resolveWhatsAppGroupRequireMention,
-      resolveToolPolicy: resolveWhatsAppGroupToolPolicy,
-      resolveGroupIntroHint: resolveWhatsAppGroupIntroHint,
-    },
-    mentions: {
-      stripRegexes: ({ ctx }) => resolveWhatsAppMentionStripRegexes(ctx),
-    },
-    threading: {
-      buildToolContext: ({ context, hasRepliedRef }) => {
-        const channelId = context.From?.trim() || context.To?.trim() || undefined;
-        return {
-          currentChannelId: channelId,
-          currentThreadTs: context.ReplyToId,
-          hasRepliedRef,
-        };
-      },
-    },
-  },
-  discord: {
-    id: "discord",
-    capabilities: {
-      chatTypes: ["direct", "channel", "thread"],
-      polls: true,
-      reactions: true,
-      media: true,
-      nativeCommands: true,
-      threads: true,
-    },
-    outbound: { textChunkLimit: 2000 },
-    streaming: DEFAULT_BLOCK_STREAMING_COALESCE,
-    elevated: {
-      allowFromFallback: ({ cfg }) =>
-        cfg.channels?.discord?.allowFrom ?? cfg.channels?.discord?.dm?.allowFrom,
-    },
-    config: {
-      resolveAllowFrom: ({ cfg, accountId }) => {
-        const account = inspectDiscordAccount({ cfg, accountId });
-        return mapAllowFromEntries(account.config.allowFrom ?? account.config.dm?.allowFrom);
-      },
-      formatAllowFrom: ({ allowFrom }) => formatDiscordAllowFrom(allowFrom),
-      resolveDefaultTo: ({ cfg, accountId }) =>
-        resolveOptionalConfigString(inspectDiscordAccount({ cfg, accountId }).config.defaultTo),
-    },
-    groups: {
-      resolveRequireMention: resolveDiscordGroupRequireMention,
-      resolveToolPolicy: resolveDiscordGroupToolPolicy,
-    },
-    mentions: {
-      stripRegexes: () => [/<@!?\d+>/g],
-    },
-    threading: {
-      resolveReplyToMode: ({ cfg }) => cfg.channels?.discord?.replyToMode ?? "off",
-      buildToolContext: ({ context, hasRepliedRef }) => ({
-        currentChannelId: context.To?.trim() || undefined,
-        currentThreadTs: context.ReplyToId,
-        hasRepliedRef,
-      }),
-    },
-  },
-  irc: {
-    id: "irc",
-    capabilities: {
-      chatTypes: ["direct", "group"],
-      media: true,
-      blockStreaming: true,
-    },
-    outbound: { textChunkLimit: 350 },
-    streaming: {
-      blockStreamingCoalesceDefaults: { minChars: 300, idleMs: 1000 },
-    },
-    config: {
-      resolveAllowFrom: ({ cfg, accountId }) => {
-        const channel = cfg.channels?.irc;
-        const account = resolveCaseInsensitiveAccount(channel?.accounts, accountId);
-        return mapAllowFromEntries(account?.allowFrom ?? channel?.allowFrom);
-      },
-      formatAllowFrom: ({ allowFrom }) =>
-        formatAllowFromWithReplacements(allowFrom, [/^irc:/i, /^user:/i]),
-      resolveDefaultTo: ({ cfg, accountId }) =>
-        resolveNamedChannelDefaultTo({
-          channels: cfg.channels as CaseInsensitiveDefaultToChannels | undefined,
-          channelId: "irc",
-          accountId,
-        }),
-    },
-    groups: {
-      resolveRequireMention: ({ cfg, accountId, groupId }) => {
-        if (!groupId) {
-          return true;
-        }
-        return resolveChannelGroupRequireMention({
-          cfg,
-          channel: "irc",
-          groupId,
-          accountId,
-          groupIdCaseInsensitive: true,
-        });
-      },
-      resolveToolPolicy: ({ cfg, accountId, groupId, senderId, senderName, senderUsername }) => {
-        if (!groupId) {
-          return undefined;
-        }
-        // IRC supports per-channel tool policies. Prefer the shared resolver so
-        // toolsBySender is honored consistently across surfaces.
-        return resolveChannelGroupToolsPolicy({
-          cfg,
-          channel: "irc",
-          groupId,
-          accountId,
-          groupIdCaseInsensitive: true,
-          senderId,
-          senderName,
-          senderUsername,
-        });
-      },
-    },
-  },
-  googlechat: {
-    id: "googlechat",
-    capabilities: {
-      chatTypes: ["direct", "group", "thread"],
-      reactions: true,
-      media: true,
-      threads: true,
-      blockStreaming: true,
-    },
-    outbound: DEFAULT_OUTBOUND_TEXT_CHUNK_LIMIT_4000,
-    config: {
-      resolveAllowFrom: ({ cfg, accountId }) => {
-        const channel = cfg.channels?.googlechat as
-          | {
-              accounts?: Record<string, { dm?: { allowFrom?: Array<string | number> } }>;
-              dm?: { allowFrom?: Array<string | number> };
-            }
-          | undefined;
-        const account = resolveCaseInsensitiveAccount(channel?.accounts, accountId);
-        return mapAllowFromEntries(account?.dm?.allowFrom ?? channel?.dm?.allowFrom);
-      },
-      formatAllowFrom: ({ allowFrom }) =>
-        formatAllowFromWithReplacements(allowFrom, [
-          /^(googlechat|google-chat|gchat):/i,
-          /^user:/i,
-          /^users\//i,
-        ]),
-      resolveDefaultTo: ({ cfg, accountId }) =>
-        resolveNamedChannelDefaultTo({
-          channels: cfg.channels as CaseInsensitiveDefaultToChannels | undefined,
-          channelId: "googlechat",
-          accountId,
-        }),
-    },
-    groups: {
-      resolveRequireMention: resolveGoogleChatGroupRequireMention,
-      resolveToolPolicy: resolveGoogleChatGroupToolPolicy,
-    },
-    threading: {
-      resolveReplyToMode: ({ cfg }) => cfg.channels?.googlechat?.replyToMode ?? "off",
-      buildToolContext: ({ context, hasRepliedRef }) =>
-        buildThreadToolContextFromMessageThreadOrReply({ context, hasRepliedRef }),
-    },
-  },
-  slack: {
-    id: "slack",
-    capabilities: {
-      chatTypes: ["direct", "channel", "thread"],
-      reactions: true,
-      media: true,
-      nativeCommands: true,
-      threads: true,
-    },
-    outbound: DEFAULT_OUTBOUND_TEXT_CHUNK_LIMIT_4000,
-    streaming: DEFAULT_BLOCK_STREAMING_COALESCE,
-    config: {
-      resolveAllowFrom: ({ cfg, accountId }) => {
-        const account = inspectSlackAccount({ cfg, accountId });
-        return mapAllowFromEntries(account.config.allowFrom ?? account.dm?.allowFrom);
-      },
-      formatAllowFrom: ({ allowFrom }) => formatAllowFromLowercase({ allowFrom }),
-      resolveDefaultTo: ({ cfg, accountId }) =>
-        resolveOptionalConfigString(inspectSlackAccount({ cfg, accountId }).config.defaultTo),
-    },
-    groups: {
-      resolveRequireMention: resolveSlackGroupRequireMention,
-      resolveToolPolicy: resolveSlackGroupToolPolicy,
-    },
-    mentions: {
-      stripRegexes: () => [/<@[^>]+>/g],
-    },
-    threading: {
-      resolveReplyToMode: ({ cfg, accountId, chatType }) =>
-        resolveSlackReplyToMode(inspectSlackAccount({ cfg, accountId }), chatType),
-      allowExplicitReplyTagsWhenOff: false,
-      buildToolContext: (params) => buildSlackThreadingToolContext(params),
-    },
-  },
-  signal: {
-    id: "signal",
-    capabilities: {
-      chatTypes: ["direct", "group"],
-      reactions: true,
-      media: true,
-    },
-    outbound: DEFAULT_OUTBOUND_TEXT_CHUNK_LIMIT_4000,
-    streaming: DEFAULT_BLOCK_STREAMING_COALESCE,
-    config: {
-      resolveAllowFrom: ({ cfg, accountId }) =>
-        mapAllowFromEntries(resolveSignalAccount({ cfg, accountId }).config.allowFrom),
-      formatAllowFrom: ({ allowFrom }) =>
-        formatNormalizedAllowFromEntries({
-          allowFrom,
-          normalizeEntry: (entry) =>
-            entry === "*" ? "*" : normalizeE164(entry.replace(/^signal:/i, "")),
-        }),
-      resolveDefaultTo: ({ cfg, accountId }) =>
-        resolveOptionalConfigString(resolveSignalAccount({ cfg, accountId }).config.defaultTo),
-    },
-    threading: {
-      buildToolContext: ({ context, hasRepliedRef }) =>
-        buildSignalThreadToolContext({ context, hasRepliedRef }),
-    },
-  },
-  imessage: {
-    id: "imessage",
-    capabilities: {
-      chatTypes: ["direct", "group"],
-      reactions: true,
-      media: true,
-    },
-    outbound: DEFAULT_OUTBOUND_TEXT_CHUNK_LIMIT_4000,
-    config: {
-      resolveAllowFrom: ({ cfg, accountId }) => resolveIMessageConfigAllowFrom({ cfg, accountId }),
-      formatAllowFrom: ({ allowFrom }) => formatTrimmedAllowFromEntries(allowFrom),
-      resolveDefaultTo: ({ cfg, accountId }) => resolveIMessageConfigDefaultTo({ cfg, accountId }),
-    },
-    groups: {
-      resolveRequireMention: resolveIMessageGroupRequireMention,
-      resolveToolPolicy: resolveIMessageGroupToolPolicy,
-    },
-    threading: {
-      buildToolContext: ({ context, hasRepliedRef }) =>
-        buildIMessageThreadToolContext({ context, hasRepliedRef }),
-    },
-  },
-  line: {
-    id: "line",
-    capabilities: {
-      chatTypes: ["direct", "group"],
-      media: true,
-    },
-    outbound: { textChunkLimit: 5000 },
-    groups: {
-      resolveRequireMention: resolveLineGroupRequireMention,
-      resolveToolPolicy: resolveLineGroupToolPolicy,
-    },
-  },
-};
-
-function buildDockFromPlugin(plugin: ChannelPlugin): ChannelDock {
-  return {
-    id: plugin.id,
-    capabilities: plugin.capabilities,
-    commands: plugin.commands,
-    outbound: plugin.outbound?.textChunkLimit
-      ? { textChunkLimit: plugin.outbound.textChunkLimit }
-      : undefined,
-    streaming: plugin.streaming
-      ? { blockStreamingCoalesceDefaults: plugin.streaming.blockStreamingCoalesceDefaults }
-      : undefined,
-    elevated: plugin.elevated,
-    config: plugin.config
-      ? {
-          resolveAllowFrom: plugin.config.resolveAllowFrom,
-          formatAllowFrom: plugin.config.formatAllowFrom,
-          resolveDefaultTo: plugin.config.resolveDefaultTo,
-        }
-      : undefined,
-    groups: plugin.groups,
-    mentions: plugin.mentions,
-    threading: plugin.threading,
-    agentPrompt: plugin.agentPrompt,
-  };
-}
-
-function listPluginDockEntries(): Array<{ id: ChannelId; dock: ChannelDock; order?: number }> {
-  const registry = requireActivePluginRegistry();
-  const entries: Array<{ id: ChannelId; dock: ChannelDock; order?: number }> = [];
-  const seen = new Set<string>();
-  for (const entry of registry.channels) {
-    const plugin = entry.plugin;
-    const id = String(plugin.id).trim();
-    if (!id || seen.has(id)) {
-      continue;
-    }
-    seen.add(id);
-    if (CHAT_CHANNEL_ORDER.includes(plugin.id as ChatChannelId)) {
-      continue;
-    }
-    const dock = entry.dock ?? buildDockFromPlugin(plugin);
-    entries.push({ id: plugin.id, dock, order: plugin.meta.order });
-  }
-  return entries;
-}
-
-export function listChannelDocks(): ChannelDock[] {
-  const baseEntries = CHAT_CHANNEL_ORDER.map((id) => ({
-    id,
-    dock: DOCKS[id],
-    order: getChatChannelMeta(id).order,
-  }));
-  const pluginEntries = listPluginDockEntries();
-  const combined = [...baseEntries, ...pluginEntries];
-  combined.sort((a, b) => {
-    const indexA = CHAT_CHANNEL_ORDER.indexOf(a.id as ChatChannelId);
-    const indexB = CHAT_CHANNEL_ORDER.indexOf(b.id as ChatChannelId);
-    const orderA = a.order ?? (indexA === -1 ? 999 : indexA);
-    const orderB = b.order ?? (indexB === -1 ? 999 : indexB);
-    if (orderA !== orderB) {
-      return orderA - orderB;
-    }
-    return String(a.id).localeCompare(String(b.id));
-  });
-  return combined.map((entry) => entry.dock);
-}
-
-export function getChannelDock(id: ChannelId): ChannelDock | undefined {
-  const core = DOCKS[id as ChatChannelId];
-  if (core) {
-    return core;
-  }
-  const registry = requireActivePluginRegistry();
-  const pluginEntry = registry.channels.find((entry) => entry.plugin.id === id);
-  if (!pluginEntry) {
-    return undefined;
-  }
-  return pluginEntry.dock ?? buildDockFromPlugin(pluginEntry.plugin);
-}
diff --git a/src/channels/plugins/contracts/suites.ts b/src/channels/plugins/contracts/suites.ts
index 48a0f886208..fc79d26fa07 100644
--- a/src/channels/plugins/contracts/suites.ts
+++ b/src/channels/plugins/contracts/suites.ts
@@ -3,11 +3,13 @@ import type { OpenClawConfig } from "../../../config/config.js";
 import type {
   ChannelAccountSnapshot,
   ChannelAccountState,
-  ChannelMessageCapability,
   ChannelSetupInput,
 } from "../types.core.js";
-import type { ChannelPlugin } from "../types.js";
-import type { ChannelMessageActionName } from "../types.js";
+import type {
+  ChannelMessageActionName,
+  ChannelMessageCapability,
+  ChannelPlugin,
+} from "../types.js";
 
 function sortStrings(values: readonly string[]) {
   return [...values].toSorted((left, right) => left.localeCompare(right));
diff --git a/src/channels/plugins/index.ts b/src/channels/plugins/index.ts
index 43b0aa99452..f2a8aa56b95 100644
--- a/src/channels/plugins/index.ts
+++ b/src/channels/plugins/index.ts
@@ -8,8 +8,8 @@ import type { ChannelId, ChannelPlugin } from "./types.js";
 // Channel plugins registry (runtime).
 //
 // This module is intentionally "heavy" (plugins may import channel monitors, web login, etc).
-// Shared code paths (reply flow, command auth, sandbox explain) should depend on `src/channels/dock.ts`
-// instead, and only call `getChannelPlugin()` at execution boundaries.
+// Shared code paths should prefer narrower adapters and helpers instead of reaching into
+// channel-specific runtime modules directly.
 //
 function dedupeChannels(channels: ChannelPlugin[]): ChannelPlugin[] {
   const seen = new Set<string>();
diff --git a/src/infra/outbound/outbound-session.test.ts b/src/infra/outbound/outbound-session.test.ts
index 17367f4a128..44a6df08251 100644
--- a/src/infra/outbound/outbound-session.test.ts
+++ b/src/infra/outbound/outbound-session.test.ts
@@ -1,8 +1,13 @@
-import { describe, expect, it } from "vitest";
+import { beforeEach, describe, expect, it } from "vitest";
+import { setDefaultChannelPluginRegistryForTests } from "../../commands/channel-test-helpers.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import { resolveOutboundSessionRoute } from "./outbound-session.js";
 
 describe("resolveOutboundSessionRoute", () => {
+  beforeEach(() => {
+    setDefaultChannelPluginRegistryForTests();
+  });
+
   const baseConfig = {} as OpenClawConfig;
 
   it("resolves provider-specific session routes", async () => {
diff --git a/src/infra/outbound/outbound-session.ts b/src/infra/outbound/outbound-session.ts
index 4298d6226ce..c8da99c5f66 100644
--- a/src/infra/outbound/outbound-session.ts
+++ b/src/infra/outbound/outbound-session.ts
@@ -1,25 +1,3 @@
-import {
-  parseDiscordTarget,
-  type DiscordTargetKind,
-} from "../../../extensions/discord/src/targets.js";
-import {
-  parseIMessageTarget,
-  normalizeIMessageHandle,
-} from "../../../extensions/imessage/src/targets.js";
-import {
-  looksLikeUuid,
-  resolveSignalPeerId,
-  resolveSignalRecipient,
-  resolveSignalSender,
-} from "../../../extensions/signal/src/identity.js";
-import { resolveSlackAccount } from "../../../extensions/slack/src/accounts.js";
-import { createSlackWebClient } from "../../../extensions/slack/src/client.js";
-import { normalizeAllowListLower } from "../../../extensions/slack/src/monitor/allow-list.js";
-import { parseSlackTarget } from "../../../extensions/slack/src/targets.js";
-import { buildTelegramGroupPeerId } from "../../../extensions/telegram/src/bot/helpers.js";
-import { resolveTelegramTargetChatType } from "../../../extensions/telegram/src/inline-buttons.js";
-import { parseTelegramThreadId } from "../../../extensions/telegram/src/outbound-params.js";
-import { parseTelegramTarget } from "../../../extensions/telegram/src/targets.js";
 import type { MsgContext } from "../../auto-reply/templating.js";
 import type { ChatType } from "../../channels/chat-type.js";
 import { getChannelPlugin } from "../../channels/plugins/index.js";
@@ -52,9 +30,6 @@ export type ResolveOutboundSessionRouteParams = {
   threadId?: string | number | null;
 };
 
-// Cache Slack channel type lookups to avoid repeated API calls.
-const SLACK_CHANNEL_TYPE_CACHE = new Map<string, "channel" | "group" | "dm" | "unknown">();
-
 function normalizeThreadId(value?: string | number | null): string | undefined {
   if (value == null) {
     return undefined;
@@ -124,238 +99,6 @@ function buildBaseSessionKey(params: {
   });
 }
 
-// Best-effort mpim detection: allowlist/config, then Slack API (if token available).
-async function resolveSlackChannelType(params: {
-  cfg: OpenClawConfig;
-  accountId?: string | null;
-  channelId: string;
-}): Promise<"channel" | "group" | "dm" | "unknown"> {
-  const channelId = params.channelId.trim();
-  if (!channelId) {
-    return "unknown";
-  }
-  const cached = SLACK_CHANNEL_TYPE_CACHE.get(`${params.accountId ?? "default"}:${channelId}`);
-  if (cached) {
-    return cached;
-  }
-
-  const account = resolveSlackAccount({ cfg: params.cfg, accountId: params.accountId });
-  const groupChannels = normalizeAllowListLower(account.dm?.groupChannels);
-  const channelIdLower = channelId.toLowerCase();
-  if (
-    groupChannels.includes(channelIdLower) ||
-    groupChannels.includes(`slack:${channelIdLower}`) ||
-    groupChannels.includes(`channel:${channelIdLower}`) ||
-    groupChannels.includes(`group:${channelIdLower}`) ||
-    groupChannels.includes(`mpim:${channelIdLower}`)
-  ) {
-    SLACK_CHANNEL_TYPE_CACHE.set(`${account.accountId}:${channelId}`, "group");
-    return "group";
-  }
-
-  const channelKeys = Object.keys(account.channels ?? {});
-  if (
-    channelKeys.some((key) => {
-      const normalized = key.trim().toLowerCase();
-      return (
-        normalized === channelIdLower ||
-        normalized === `channel:${channelIdLower}` ||
-        normalized.replace(/^#/, "") === channelIdLower
-      );
-    })
-  ) {
-    SLACK_CHANNEL_TYPE_CACHE.set(`${account.accountId}:${channelId}`, "channel");
-    return "channel";
-  }
-
-  const token = account.botToken?.trim() || account.userToken || "";
-  if (!token) {
-    SLACK_CHANNEL_TYPE_CACHE.set(`${account.accountId}:${channelId}`, "unknown");
-    return "unknown";
-  }
-
-  try {
-    const client = createSlackWebClient(token);
-    const info = await client.conversations.info({ channel: channelId });
-    const channel = info.channel as { is_im?: boolean; is_mpim?: boolean } | undefined;
-    const type = channel?.is_im ? "dm" : channel?.is_mpim ? "group" : "channel";
-    SLACK_CHANNEL_TYPE_CACHE.set(`${account.accountId}:${channelId}`, type);
-    return type;
-  } catch {
-    SLACK_CHANNEL_TYPE_CACHE.set(`${account.accountId}:${channelId}`, "unknown");
-    return "unknown";
-  }
-}
-
-async function resolveSlackSession(
-  params: ResolveOutboundSessionRouteParams,
-): Promise<OutboundSessionRoute | null> {
-  const parsed = parseSlackTarget(params.target, { defaultKind: "channel" });
-  if (!parsed) {
-    return null;
-  }
-  const isDm = parsed.kind === "user";
-  let peerKind: ChatType = isDm ? "direct" : "channel";
-  if (!isDm && /^G/i.test(parsed.id)) {
-    // Slack mpim/group DMs share the G-prefix; detect to align session keys with inbound.
-    const channelType = await resolveSlackChannelType({
-      cfg: params.cfg,
-      accountId: params.accountId,
-      channelId: parsed.id,
-    });
-    if (channelType === "group") {
-      peerKind = "group";
-    }
-    if (channelType === "dm") {
-      peerKind = "direct";
-    }
-  }
-  const peer: RoutePeer = {
-    kind: peerKind,
-    id: parsed.id,
-  };
-  const baseSessionKey = buildBaseSessionKey({
-    cfg: params.cfg,
-    agentId: params.agentId,
-    channel: "slack",
-    accountId: params.accountId,
-    peer,
-  });
-  const threadId = normalizeThreadId(params.threadId ?? params.replyToId);
-  const threadKeys = resolveThreadSessionKeys({
-    baseSessionKey,
-    threadId,
-  });
-  return {
-    sessionKey: threadKeys.sessionKey,
-    baseSessionKey,
-    peer,
-    chatType: peerKind === "direct" ? "direct" : "channel",
-    from:
-      peerKind === "direct"
-        ? `slack:${parsed.id}`
-        : peerKind === "group"
-          ? `slack:group:${parsed.id}`
-          : `slack:channel:${parsed.id}`,
-    to: peerKind === "direct" ? `user:${parsed.id}` : `channel:${parsed.id}`,
-    threadId,
-  };
-}
-
-function resolveDiscordSession(
-  params: ResolveOutboundSessionRouteParams,
-): OutboundSessionRoute | null {
-  const parsed = parseDiscordTarget(params.target, {
-    defaultKind: resolveDiscordOutboundTargetKindHint(params),
-  });
-  if (!parsed) {
-    return null;
-  }
-  const isDm = parsed.kind === "user";
-  const peer: RoutePeer = {
-    kind: isDm ? "direct" : "channel",
-    id: parsed.id,
-  };
-  const baseSessionKey = buildBaseSessionKey({
-    cfg: params.cfg,
-    agentId: params.agentId,
-    channel: "discord",
-    accountId: params.accountId,
-    peer,
-  });
-  const explicitThreadId = normalizeThreadId(params.threadId);
-  const threadCandidate = explicitThreadId ?? normalizeThreadId(params.replyToId);
-  // Discord threads use their own channel id; avoid adding a :thread suffix.
-  const threadKeys = resolveThreadSessionKeys({
-    baseSessionKey,
-    threadId: threadCandidate,
-    useSuffix: false,
-  });
-  return {
-    sessionKey: threadKeys.sessionKey,
-    baseSessionKey,
-    peer,
-    chatType: isDm ? "direct" : "channel",
-    from: isDm ? `discord:${parsed.id}` : `discord:channel:${parsed.id}`,
-    to: isDm ? `user:${parsed.id}` : `channel:${parsed.id}`,
-    threadId: explicitThreadId ?? undefined,
-  };
-}
-
-function resolveDiscordOutboundTargetKindHint(
-  params: ResolveOutboundSessionRouteParams,
-): DiscordTargetKind | undefined {
-  const resolvedKind = params.resolvedTarget?.kind;
-  if (resolvedKind === "user") {
-    return "user";
-  }
-  if (resolvedKind === "group" || resolvedKind === "channel") {
-    return "channel";
-  }
-
-  const target = params.target.trim();
-  if (/^channel:/i.test(target)) {
-    return "channel";
-  }
-  if (/^(user:|discord:|@|<@!?)/i.test(target)) {
-    return "user";
-  }
-  return undefined;
-}
-
-function resolveTelegramSession(
-  params: ResolveOutboundSessionRouteParams,
-): OutboundSessionRoute | null {
-  const parsed = parseTelegramTarget(params.target);
-  const chatId = parsed.chatId.trim();
-  if (!chatId) {
-    return null;
-  }
-  const parsedThreadId = parsed.messageThreadId;
-  const fallbackThreadId = normalizeThreadId(params.threadId);
-  const resolvedThreadId = parsedThreadId ?? parseTelegramThreadId(fallbackThreadId);
-  // Telegram topics are encoded in the peer id (chatId:topic:<id>).
-  const chatType = resolveTelegramTargetChatType(params.target);
-  // If the target is a username and we lack a resolvedTarget, default to DM to avoid group keys.
-  const isGroup =
-    chatType === "group" ||
-    (chatType === "unknown" &&
-      params.resolvedTarget?.kind &&
-      params.resolvedTarget.kind !== "user");
-  // For groups: include thread ID in peerId. For DMs: use simple chatId (thread handled via suffix).
-  const peerId =
-    isGroup && resolvedThreadId ? buildTelegramGroupPeerId(chatId, resolvedThreadId) : chatId;
-  const peer: RoutePeer = {
-    kind: isGroup ? "group" : "direct",
-    id: peerId,
-  };
-  const baseSessionKey = buildBaseSessionKey({
-    cfg: params.cfg,
-    agentId: params.agentId,
-    channel: "telegram",
-    accountId: params.accountId,
-    peer,
-  });
-  // Use thread suffix for DM topics to match inbound session key format
-  const threadKeys =
-    resolvedThreadId && !isGroup
-      ? { sessionKey: `${baseSessionKey}:thread:${resolvedThreadId}` }
-      : null;
-  return {
-    sessionKey: threadKeys?.sessionKey ?? baseSessionKey,
-    baseSessionKey,
-    peer,
-    chatType: isGroup ? "group" : "direct",
-    from: isGroup
-      ? `telegram:group:${peerId}`
-      : resolvedThreadId
-        ? `telegram:${chatId}:topic:${resolvedThreadId}`
-        : `telegram:${chatId}`,
-    to: `telegram:${chatId}`,
-    threadId: resolvedThreadId,
-  };
-}
-
 function resolveWhatsAppSession(
   params: ResolveOutboundSessionRouteParams,
 ): OutboundSessionRoute | null {
@@ -385,131 +128,6 @@ function resolveWhatsAppSession(
   };
 }
 
-function resolveSignalSession(
-  params: ResolveOutboundSessionRouteParams,
-): OutboundSessionRoute | null {
-  const stripped = stripProviderPrefix(params.target, "signal");
-  const lowered = stripped.toLowerCase();
-  if (lowered.startsWith("group:")) {
-    const groupId = stripped.slice("group:".length).trim();
-    if (!groupId) {
-      return null;
-    }
-    const peer: RoutePeer = { kind: "group", id: groupId };
-    const baseSessionKey = buildBaseSessionKey({
-      cfg: params.cfg,
-      agentId: params.agentId,
-      channel: "signal",
-      accountId: params.accountId,
-      peer,
-    });
-    return {
-      sessionKey: baseSessionKey,
-      baseSessionKey,
-      peer,
-      chatType: "group",
-      from: `group:${groupId}`,
-      to: `group:${groupId}`,
-    };
-  }
-
-  let recipient = stripped.trim();
-  if (lowered.startsWith("username:")) {
-    recipient = stripped.slice("username:".length).trim();
-  } else if (lowered.startsWith("u:")) {
-    recipient = stripped.slice("u:".length).trim();
-  }
-  if (!recipient) {
-    return null;
-  }
-
-  const uuidCandidate = recipient.toLowerCase().startsWith("uuid:")
-    ? recipient.slice("uuid:".length)
-    : recipient;
-  const sender = resolveSignalSender({
-    sourceUuid: looksLikeUuid(uuidCandidate) ? uuidCandidate : null,
-    sourceNumber: looksLikeUuid(uuidCandidate) ? null : recipient,
-  });
-  const peerId = sender ? resolveSignalPeerId(sender) : recipient;
-  const displayRecipient = sender ? resolveSignalRecipient(sender) : recipient;
-  const peer: RoutePeer = { kind: "direct", id: peerId };
-  const baseSessionKey = buildBaseSessionKey({
-    cfg: params.cfg,
-    agentId: params.agentId,
-    channel: "signal",
-    accountId: params.accountId,
-    peer,
-  });
-  return {
-    sessionKey: baseSessionKey,
-    baseSessionKey,
-    peer,
-    chatType: "direct",
-    from: `signal:${displayRecipient}`,
-    to: `signal:${displayRecipient}`,
-  };
-}
-
-function resolveIMessageSession(
-  params: ResolveOutboundSessionRouteParams,
-): OutboundSessionRoute | null {
-  const parsed = parseIMessageTarget(params.target);
-  if (parsed.kind === "handle") {
-    const handle = normalizeIMessageHandle(parsed.to);
-    if (!handle) {
-      return null;
-    }
-    const peer: RoutePeer = { kind: "direct", id: handle };
-    const baseSessionKey = buildBaseSessionKey({
-      cfg: params.cfg,
-      agentId: params.agentId,
-      channel: "imessage",
-      accountId: params.accountId,
-      peer,
-    });
-    return {
-      sessionKey: baseSessionKey,
-      baseSessionKey,
-      peer,
-      chatType: "direct",
-      from: `imessage:${handle}`,
-      to: `imessage:${handle}`,
-    };
-  }
-
-  const peerId =
-    parsed.kind === "chat_id"
-      ? String(parsed.chatId)
-      : parsed.kind === "chat_guid"
-        ? parsed.chatGuid
-        : parsed.chatIdentifier;
-  if (!peerId) {
-    return null;
-  }
-  const peer: RoutePeer = { kind: "group", id: peerId };
-  const baseSessionKey = buildBaseSessionKey({
-    cfg: params.cfg,
-    agentId: params.agentId,
-    channel: "imessage",
-    accountId: params.accountId,
-    peer,
-  });
-  const toPrefix =
-    parsed.kind === "chat_id"
-      ? "chat_id"
-      : parsed.kind === "chat_guid"
-        ? "chat_guid"
-        : "chat_identifier";
-  return {
-    sessionKey: baseSessionKey,
-    baseSessionKey,
-    peer,
-    chatType: "group",
-    from: `imessage:group:${peerId}`,
-    to: `${toPrefix}:${peerId}`,
-  };
-}
-
 function resolveMatrixSession(
   params: ResolveOutboundSessionRouteParams,
 ): OutboundSessionRoute | null {
@@ -944,12 +562,7 @@ type OutboundSessionResolver = (
 ) => OutboundSessionRoute | null | Promise<OutboundSessionRoute | null>;
 
 const OUTBOUND_SESSION_RESOLVERS: Partial<Record<ChannelId, OutboundSessionResolver>> = {
-  slack: resolveSlackSession,
-  discord: resolveDiscordSession,
-  telegram: resolveTelegramSession,
   whatsapp: resolveWhatsAppSession,
-  signal: resolveSignalSession,
-  imessage: resolveIMessageSession,
   matrix: resolveMatrixSession,
   msteams: resolveMSTeamsSession,
   mattermost: resolveMattermostSession,
diff --git a/src/infra/outbound/outbound.test.ts b/src/infra/outbound/outbound.test.ts
index 5c2303d7154..150dd4e26ea 100644
--- a/src/infra/outbound/outbound.test.ts
+++ b/src/infra/outbound/outbound.test.ts
@@ -4,6 +4,7 @@ import path from "node:path";
 import { afterAll, afterEach, beforeAll, beforeEach, describe, expect, it, vi } from "vitest";
 import { discordPlugin } from "../../../extensions/discord/src/channel.js";
 import type { ReplyPayload } from "../../auto-reply/types.js";
+import { setDefaultChannelPluginRegistryForTests } from "../../commands/channel-test-helpers.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import { setActivePluginRegistry } from "../../plugins/runtime.js";
 import { createTestRegistry } from "../../test-utils/channel-plugins.js";
@@ -888,6 +889,10 @@ const discordConfig = {
 } as OpenClawConfig;
 
 describe("outbound policy", () => {
+  beforeEach(() => {
+    setDefaultChannelPluginRegistryForTests();
+  });
+
   it("allows cross-provider sends when enabled", () => {
     const cfg = {
       ...slackConfig,
@@ -930,6 +935,10 @@ describe("outbound policy", () => {
 });
 
 describe("resolveOutboundSessionRoute", () => {
+  beforeEach(() => {
+    setDefaultChannelPluginRegistryForTests();
+  });
+
   const baseConfig = {} as OpenClawConfig;
 
   it("resolves provider-specific session routes", async () => {
diff --git a/src/plugin-sdk/googlechat.ts b/src/plugin-sdk/googlechat.ts
index c02cf8fe20a..ce05a95b47a 100644
--- a/src/plugin-sdk/googlechat.ts
+++ b/src/plugin-sdk/googlechat.ts
@@ -8,7 +8,6 @@ export {
   readReactionParams,
   readStringParam,
 } from "../agents/tools/common.js";
-export type { ChannelDock } from "../channels/dock.js";
 export { resolveMentionGatingWithBypass } from "../channels/mention-gating.js";
 export {
   deleteAccountFromConfigSection,
diff --git a/src/plugin-sdk/index.ts b/src/plugin-sdk/index.ts
index 5f1ccd91bbe..1b37138e101 100644
--- a/src/plugin-sdk/index.ts
+++ b/src/plugin-sdk/index.ts
@@ -248,7 +248,6 @@ export {
   buildNestedDmConfigSchema,
   buildCatchallMultiAccountChannelSchema,
 } from "../channels/plugins/config-schema.js";
-export type { ChannelDock } from "../channels/dock.js";
 export { getChatChannelMeta } from "../channels/registry.js";
 export {
   compileAllowlist,
@@ -330,6 +329,7 @@ export {
   normalizeAgentId,
   resolveThreadSessionKeys,
 } from "../routing/session-key.js";
+export { buildAgentSessionKey, type RoutePeer } from "../routing/resolve-route.js";
 export {
   formatAllowFromLowercase,
   formatNormalizedAllowFromEntries,
diff --git a/src/plugin-sdk/zalo.ts b/src/plugin-sdk/zalo.ts
index cb8b059dc2c..37e3b9fde26 100644
--- a/src/plugin-sdk/zalo.ts
+++ b/src/plugin-sdk/zalo.ts
@@ -3,7 +3,6 @@
 
 export { jsonResult, readStringParam } from "../agents/tools/common.js";
 export type { ReplyPayload } from "../auto-reply/types.js";
-export type { ChannelDock } from "../channels/dock.js";
 export {
   deleteAccountFromConfigSection,
   setAccountEnabledInConfigSection,
diff --git a/src/plugin-sdk/zalouser.ts b/src/plugin-sdk/zalouser.ts
index 8f4866e949e..b7b95910132 100644
--- a/src/plugin-sdk/zalouser.ts
+++ b/src/plugin-sdk/zalouser.ts
@@ -3,7 +3,6 @@
 
 export type { ReplyPayload } from "../auto-reply/types.js";
 export { mergeAllowlist, summarizeMapping } from "../channels/allowlists/resolve-utils.js";
-export type { ChannelDock } from "../channels/dock.js";
 export { resolveMentionGatingWithBypass } from "../channels/mention-gating.js";
 export {
   deleteAccountFromConfigSection,
diff --git a/src/plugins/loader.ts b/src/plugins/loader.ts
index 103755b4ac1..da9bcd3e993 100644
--- a/src/plugins/loader.ts
+++ b/src/plugins/loader.ts
@@ -2,7 +2,6 @@ import fs from "node:fs";
 import path from "node:path";
 import { fileURLToPath } from "node:url";
 import { createJiti } from "jiti";
-import type { ChannelDock } from "../channels/dock.js";
 import type { ChannelPlugin } from "../channels/plugins/types.js";
 import type { OpenClawConfig } from "../config/config.js";
 import { isChannelConfigured } from "../config/plugin-auto-enable.js";
@@ -407,7 +406,6 @@ function resolvePluginModuleExport(moduleExport: unknown): {
 
 function resolveSetupChannelRegistration(moduleExport: unknown): {
   plugin?: ChannelPlugin;
-  dock?: ChannelDock;
 } {
   const resolved =
     moduleExport &&
@@ -420,14 +418,12 @@ function resolveSetupChannelRegistration(moduleExport: unknown): {
   }
   const setup = resolved as {
     plugin?: unknown;
-    dock?: unknown;
   };
   if (!setup.plugin || typeof setup.plugin !== "object") {
     return {};
   }
   return {
     plugin: setup.plugin as ChannelPlugin,
-    ...(setup.dock && typeof setup.dock === "object" ? { dock: setup.dock as ChannelDock } : {}),
   };
 }
 
@@ -1167,10 +1163,7 @@ export function loadOpenClawPlugins(options: PluginLoadOptions = {}): PluginRegi
           hookPolicy: entry?.hooks,
           registrationMode,
         });
-        api.registerChannel({
-          plugin: setupRegistration.plugin,
-          ...(setupRegistration.dock ? { dock: setupRegistration.dock } : {}),
-        });
+        api.registerChannel(setupRegistration.plugin);
         registry.plugins.push(record);
         seenIds.set(pluginId, candidate.origin);
         continue;
diff --git a/src/plugins/registry.ts b/src/plugins/registry.ts
index 9b450af26e7..fabf9fa1069 100644
--- a/src/plugins/registry.ts
+++ b/src/plugins/registry.ts
@@ -1,6 +1,5 @@
 import path from "node:path";
 import type { AnyAgentTool } from "../agents/tools/common.js";
-import type { ChannelDock } from "../channels/dock.js";
 import type { ChannelPlugin } from "../channels/plugins/types.js";
 import { registerContextEngineForOwner } from "../context-engine/registry.js";
 import type {
@@ -82,7 +81,6 @@ export type PluginChannelRegistration = {
   pluginId: string;
   pluginName?: string;
   plugin: ChannelPlugin;
-  dock?: ChannelDock;
   source: string;
   rootDir?: string;
 };
@@ -516,7 +514,6 @@ export function createPluginRegistry(registryParams: PluginRegistryParams) {
       pluginId: record.id,
       pluginName: record.name,
       plugin,
-      dock: normalized.dock,
       source: record.source,
       rootDir: record.rootDir,
     });
diff --git a/src/plugins/types.ts b/src/plugins/types.ts
index 6dc5788b9eb..04da1293a09 100644
--- a/src/plugins/types.ts
+++ b/src/plugins/types.ts
@@ -16,7 +16,6 @@ import type { ProviderCapabilities } from "../agents/provider-capabilities.js";
 import type { AnyAgentTool } from "../agents/tools/common.js";
 import type { ThinkLevel } from "../auto-reply/thinking.js";
 import type { ReplyPayload } from "../auto-reply/types.js";
-import type { ChannelDock } from "../channels/dock.js";
 import type { ChannelId, ChannelPlugin } from "../channels/plugins/types.js";
 import type { createVpsAwareOAuthHandlers } from "../commands/oauth-flow.js";
 import type { OnboardOptions } from "../commands/onboard-types.js";
@@ -1155,7 +1154,6 @@ export type OpenClawPluginService = {
 
 export type OpenClawPluginChannelRegistration = {
   plugin: ChannelPlugin;
-  dock?: ChannelDock;
 };
 
 export type OpenClawPluginDefinition = {

From 3fe3a53dd948c00bb383e81d52e7f600518e26b5 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Mon, 16 Mar 2026 00:09:33 -0700
Subject: [PATCH 077/133] Plugins: add provider runtime contracts

---
 .../contracts/runtime.contract.test.ts        | 587 ++++++++++++++++++
 1 file changed, 587 insertions(+)
 create mode 100644 src/plugins/contracts/runtime.contract.test.ts

diff --git a/src/plugins/contracts/runtime.contract.test.ts b/src/plugins/contracts/runtime.contract.test.ts
new file mode 100644
index 00000000000..1942bc1cbbf
--- /dev/null
+++ b/src/plugins/contracts/runtime.contract.test.ts
@@ -0,0 +1,587 @@
+import { describe, expect, it, vi } from "vitest";
+import { createProviderUsageFetch, makeResponse } from "../../test-utils/provider-usage-fetch.js";
+import type { ProviderRuntimeModel } from "../types.js";
+
+const getOAuthApiKeyMock = vi.hoisted(() => vi.fn());
+const refreshQwenPortalCredentialsMock = vi.hoisted(() => vi.fn());
+
+vi.mock("@mariozechner/pi-ai/oauth", async () => {
+  const actual = await vi.importActual<object>("@mariozechner/pi-ai/oauth");
+  return {
+    ...actual,
+    getOAuthApiKey: getOAuthApiKeyMock,
+  };
+});
+
+vi.mock("../../providers/qwen-portal-oauth.js", () => ({
+  refreshQwenPortalCredentials: refreshQwenPortalCredentialsMock,
+}));
+
+const { providerContractRegistry } = await import("./registry.js");
+
+function requireProvider(providerId: string) {
+  const entry = providerContractRegistry.find((candidate) => candidate.provider.id === providerId);
+  if (!entry) {
+    throw new Error(`provider contract entry missing for ${providerId}`);
+  }
+  return entry.provider;
+}
+
+function createModel(overrides: Partial<ProviderRuntimeModel> & Pick<ProviderRuntimeModel, "id">) {
+  return {
+    id: overrides.id,
+    name: overrides.name ?? overrides.id,
+    api: overrides.api ?? "openai-responses",
+    provider: overrides.provider ?? "demo",
+    baseUrl: overrides.baseUrl ?? "https://api.example.com/v1",
+    reasoning: overrides.reasoning ?? true,
+    input: overrides.input ?? ["text"],
+    cost: overrides.cost ?? { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
+    contextWindow: overrides.contextWindow ?? 200_000,
+    maxTokens: overrides.maxTokens ?? 8_192,
+  } satisfies ProviderRuntimeModel;
+}
+
+describe("provider runtime contract", () => {
+  describe("anthropic", () => {
+    it("owns anthropic 4.6 forward-compat resolution", () => {
+      const provider = requireProvider("anthropic");
+      const model = provider.resolveDynamicModel?.({
+        provider: "anthropic",
+        modelId: "claude-sonnet-4.6-20260219",
+        modelRegistry: {
+          find: (_provider: string, id: string) =>
+            id === "claude-sonnet-4.5-20260219"
+              ? createModel({
+                  id: id,
+                  api: "anthropic-messages",
+                  provider: "anthropic",
+                  baseUrl: "https://api.anthropic.com",
+                })
+              : null,
+        } as never,
+      });
+
+      expect(model).toMatchObject({
+        id: "claude-sonnet-4.6-20260219",
+        provider: "anthropic",
+        api: "anthropic-messages",
+        baseUrl: "https://api.anthropic.com",
+      });
+    });
+
+    it("owns usage auth resolution", async () => {
+      const provider = requireProvider("anthropic");
+      await expect(
+        provider.resolveUsageAuth?.({
+          config: {} as never,
+          env: {} as NodeJS.ProcessEnv,
+          provider: "anthropic",
+          resolveApiKeyFromConfigAndStore: () => undefined,
+          resolveOAuthToken: async () => ({
+            token: "anthropic-oauth-token",
+          }),
+        }),
+      ).resolves.toEqual({
+        token: "anthropic-oauth-token",
+      });
+    });
+
+    it("owns auth doctor hint generation", () => {
+      const provider = requireProvider("anthropic");
+      const hint = provider.buildAuthDoctorHint?.({
+        provider: "anthropic",
+        profileId: "anthropic:default",
+        config: {
+          auth: {
+            profiles: {
+              "anthropic:default": {
+                provider: "anthropic",
+                mode: "oauth",
+              },
+            },
+          },
+        } as never,
+        store: {
+          version: 1,
+          profiles: {
+            "anthropic:oauth-user@example.com": {
+              type: "oauth",
+              provider: "anthropic",
+              access: "oauth-access",
+              refresh: "oauth-refresh",
+              expires: Date.now() + 60_000,
+            },
+          },
+        },
+      });
+
+      expect(hint).toContain("suggested profile: anthropic:oauth-user@example.com");
+      expect(hint).toContain("openclaw doctor --yes");
+    });
+
+    it("owns usage snapshot fetching", async () => {
+      const provider = requireProvider("anthropic");
+      const mockFetch = createProviderUsageFetch(async (url) => {
+        if (url.includes("api.anthropic.com/api/oauth/usage")) {
+          return makeResponse(200, {
+            five_hour: { utilization: 20, resets_at: "2026-01-07T01:00:00Z" },
+            seven_day: { utilization: 35, resets_at: "2026-01-09T01:00:00Z" },
+          });
+        }
+        return makeResponse(404, "not found");
+      });
+
+      await expect(
+        provider.fetchUsageSnapshot?.({
+          config: {} as never,
+          env: {} as NodeJS.ProcessEnv,
+          provider: "anthropic",
+          token: "anthropic-oauth-token",
+          timeoutMs: 5_000,
+          fetchFn: mockFetch as unknown as typeof fetch,
+        }),
+      ).resolves.toEqual({
+        provider: "anthropic",
+        displayName: "Claude",
+        windows: [
+          { label: "5h", usedPercent: 20, resetAt: Date.parse("2026-01-07T01:00:00Z") },
+          { label: "Week", usedPercent: 35, resetAt: Date.parse("2026-01-09T01:00:00Z") },
+        ],
+      });
+    });
+  });
+
+  describe("github-copilot", () => {
+    it("owns Copilot-specific forward-compat fallbacks", () => {
+      const provider = requireProvider("github-copilot");
+      const model = provider.resolveDynamicModel?.({
+        provider: "github-copilot",
+        modelId: "gpt-5.3-codex",
+        modelRegistry: {
+          find: (_provider: string, id: string) =>
+            id === "gpt-5.2-codex"
+              ? createModel({
+                  id,
+                  api: "openai-codex-responses",
+                  provider: "github-copilot",
+                  baseUrl: "https://api.copilot.example",
+                })
+              : null,
+        } as never,
+      });
+
+      expect(model).toMatchObject({
+        id: "gpt-5.3-codex",
+        provider: "github-copilot",
+        api: "openai-codex-responses",
+      });
+    });
+  });
+
+  describe("google", () => {
+    it("owns google direct gemini 3.1 forward-compat resolution", () => {
+      const provider = requireProvider("google");
+      const model = provider.resolveDynamicModel?.({
+        provider: "google",
+        modelId: "gemini-3.1-pro-preview",
+        modelRegistry: {
+          find: (_provider: string, id: string) =>
+            id === "gemini-3-pro-preview"
+              ? createModel({
+                  id,
+                  api: "google-generative-ai",
+                  provider: "google",
+                  baseUrl: "https://generativelanguage.googleapis.com",
+                  reasoning: false,
+                  contextWindow: 1_048_576,
+                  maxTokens: 65_536,
+                })
+              : null,
+        } as never,
+      });
+
+      expect(model).toMatchObject({
+        id: "gemini-3.1-pro-preview",
+        provider: "google",
+        api: "google-generative-ai",
+        baseUrl: "https://generativelanguage.googleapis.com",
+        reasoning: true,
+      });
+    });
+  });
+
+  describe("google-gemini-cli", () => {
+    it("owns gemini cli 3.1 forward-compat resolution", () => {
+      const provider = requireProvider("google-gemini-cli");
+      const model = provider.resolveDynamicModel?.({
+        provider: "google-gemini-cli",
+        modelId: "gemini-3.1-pro-preview",
+        modelRegistry: {
+          find: (_provider: string, id: string) =>
+            id === "gemini-3-pro-preview"
+              ? createModel({
+                  id,
+                  api: "google-gemini-cli",
+                  provider: "google-gemini-cli",
+                  baseUrl: "https://cloudcode-pa.googleapis.com",
+                  reasoning: false,
+                  contextWindow: 1_048_576,
+                  maxTokens: 65_536,
+                })
+              : null,
+        } as never,
+      });
+
+      expect(model).toMatchObject({
+        id: "gemini-3.1-pro-preview",
+        provider: "google-gemini-cli",
+        reasoning: true,
+      });
+    });
+
+    it("owns usage-token parsing", async () => {
+      const provider = requireProvider("google-gemini-cli");
+      await expect(
+        provider.resolveUsageAuth?.({
+          config: {} as never,
+          env: {} as NodeJS.ProcessEnv,
+          provider: "google-gemini-cli",
+          resolveApiKeyFromConfigAndStore: () => undefined,
+          resolveOAuthToken: async () => ({
+            token: '{"token":"google-oauth-token"}',
+            accountId: "google-account",
+          }),
+        }),
+      ).resolves.toEqual({
+        token: "google-oauth-token",
+        accountId: "google-account",
+      });
+    });
+
+    it("owns OAuth auth-profile formatting", () => {
+      const provider = requireProvider("google-gemini-cli");
+
+      expect(
+        provider.formatApiKey?.({
+          type: "oauth",
+          provider: "google-gemini-cli",
+          access: "google-oauth-token",
+          refresh: "refresh-token",
+          expires: Date.now() + 60_000,
+          projectId: "proj-123",
+        }),
+      ).toBe('{"token":"google-oauth-token","projectId":"proj-123"}');
+    });
+
+    it("owns usage snapshot fetching", async () => {
+      const provider = requireProvider("google-gemini-cli");
+      const mockFetch = createProviderUsageFetch(async (url) => {
+        if (url.includes("cloudcode-pa.googleapis.com/v1internal:retrieveUserQuota")) {
+          return makeResponse(200, {
+            buckets: [
+              { modelId: "gemini-3.1-pro-preview", remainingFraction: 0.4 },
+              { modelId: "gemini-3.1-flash-preview", remainingFraction: 0.8 },
+            ],
+          });
+        }
+        return makeResponse(404, "not found");
+      });
+
+      const snapshot = await provider.fetchUsageSnapshot?.({
+        config: {} as never,
+        env: {} as NodeJS.ProcessEnv,
+        provider: "google-gemini-cli",
+        token: "google-oauth-token",
+        timeoutMs: 5_000,
+        fetchFn: mockFetch as unknown as typeof fetch,
+      });
+
+      expect(snapshot).toMatchObject({
+        provider: "google-gemini-cli",
+        displayName: "Gemini",
+      });
+      expect(snapshot?.windows[0]).toEqual({ label: "Pro", usedPercent: 60 });
+      expect(snapshot?.windows[1]?.label).toBe("Flash");
+      expect(snapshot?.windows[1]?.usedPercent).toBeCloseTo(20);
+    });
+  });
+
+  describe("openai", () => {
+    it("owns openai gpt-5.4 forward-compat resolution", () => {
+      const provider = requireProvider("openai");
+      const model = provider.resolveDynamicModel?.({
+        provider: "openai",
+        modelId: "gpt-5.4-pro",
+        modelRegistry: {
+          find: (_provider: string, id: string) =>
+            id === "gpt-5.2-pro"
+              ? createModel({
+                  id,
+                  provider: "openai",
+                  baseUrl: "https://api.openai.com/v1",
+                  input: ["text", "image"],
+                })
+              : null,
+        } as never,
+      });
+
+      expect(model).toMatchObject({
+        id: "gpt-5.4-pro",
+        provider: "openai",
+        api: "openai-responses",
+        baseUrl: "https://api.openai.com/v1",
+        contextWindow: 1_050_000,
+        maxTokens: 128_000,
+      });
+    });
+
+    it("owns direct openai transport normalization", () => {
+      const provider = requireProvider("openai");
+      expect(
+        provider.normalizeResolvedModel?.({
+          provider: "openai",
+          modelId: "gpt-5.4",
+          model: createModel({
+            id: "gpt-5.4",
+            provider: "openai",
+            api: "openai-completions",
+            baseUrl: "https://api.openai.com/v1",
+            input: ["text", "image"],
+            contextWindow: 1_050_000,
+            maxTokens: 128_000,
+          }),
+        }),
+      ).toMatchObject({
+        api: "openai-responses",
+      });
+    });
+
+    it("owns codex-only missing-auth hints and Spark suppression", () => {
+      const provider = requireProvider("openai");
+      expect(
+        provider.buildMissingAuthMessage?.({
+          env: {} as NodeJS.ProcessEnv,
+          provider: "openai",
+          listProfileIds: (providerId) => (providerId === "openai-codex" ? ["p1"] : []),
+        }),
+      ).toContain("openai-codex/gpt-5.4");
+      expect(
+        provider.suppressBuiltInModel?.({
+          env: {} as NodeJS.ProcessEnv,
+          provider: "azure-openai-responses",
+          modelId: "gpt-5.3-codex-spark",
+        }),
+      ).toMatchObject({
+        suppress: true,
+      });
+    });
+  });
+
+  describe("openai-codex", () => {
+    it("owns refresh fallback for accountId extraction failures", async () => {
+      const provider = requireProvider("openai-codex");
+      const credential = {
+        type: "oauth" as const,
+        provider: "openai-codex",
+        access: "cached-access-token",
+        refresh: "refresh-token",
+        expires: Date.now() - 60_000,
+      };
+
+      getOAuthApiKeyMock.mockReset();
+      getOAuthApiKeyMock.mockRejectedValueOnce(new Error("Failed to extract accountId from token"));
+
+      await expect(provider.refreshOAuth?.(credential)).resolves.toEqual(credential);
+    });
+
+    it("owns forward-compat codex models", () => {
+      const provider = requireProvider("openai-codex");
+      const model = provider.resolveDynamicModel?.({
+        provider: "openai-codex",
+        modelId: "gpt-5.4",
+        modelRegistry: {
+          find: (_provider: string, id: string) =>
+            id === "gpt-5.2-codex"
+              ? createModel({
+                  id,
+                  api: "openai-codex-responses",
+                  provider: "openai-codex",
+                  baseUrl: "https://chatgpt.com/backend-api",
+                })
+              : null,
+        } as never,
+      });
+
+      expect(model).toMatchObject({
+        id: "gpt-5.4",
+        provider: "openai-codex",
+        api: "openai-codex-responses",
+        contextWindow: 1_050_000,
+        maxTokens: 128_000,
+      });
+    });
+
+    it("owns codex transport defaults", () => {
+      const provider = requireProvider("openai-codex");
+      expect(
+        provider.prepareExtraParams?.({
+          provider: "openai-codex",
+          modelId: "gpt-5.4",
+          extraParams: { temperature: 0.2 },
+        }),
+      ).toEqual({
+        temperature: 0.2,
+        transport: "auto",
+      });
+    });
+
+    it("owns usage snapshot fetching", async () => {
+      const provider = requireProvider("openai-codex");
+      const mockFetch = createProviderUsageFetch(async (url) => {
+        if (url.includes("chatgpt.com/backend-api/wham/usage")) {
+          return makeResponse(200, {
+            rate_limit: {
+              primary_window: {
+                used_percent: 12,
+                limit_window_seconds: 10800,
+                reset_at: 1_705_000,
+              },
+            },
+            plan_type: "Plus",
+          });
+        }
+        return makeResponse(404, "not found");
+      });
+
+      await expect(
+        provider.fetchUsageSnapshot?.({
+          config: {} as never,
+          env: {} as NodeJS.ProcessEnv,
+          provider: "openai-codex",
+          token: "codex-token",
+          accountId: "acc-1",
+          timeoutMs: 5_000,
+          fetchFn: mockFetch as unknown as typeof fetch,
+        }),
+      ).resolves.toEqual({
+        provider: "openai-codex",
+        displayName: "Codex",
+        windows: [{ label: "3h", usedPercent: 12, resetAt: 1_705_000_000 }],
+        plan: "Plus",
+      });
+    });
+  });
+
+  describe("qwen-portal", () => {
+    it("owns OAuth refresh", async () => {
+      const provider = requireProvider("qwen-portal");
+      const credential = {
+        type: "oauth" as const,
+        provider: "qwen-portal",
+        access: "stale-access-token",
+        refresh: "refresh-token",
+        expires: Date.now() - 60_000,
+      };
+      const refreshed = {
+        ...credential,
+        access: "fresh-access-token",
+        expires: Date.now() + 60_000,
+      };
+
+      refreshQwenPortalCredentialsMock.mockReset();
+      refreshQwenPortalCredentialsMock.mockResolvedValueOnce(refreshed);
+
+      await expect(provider.refreshOAuth?.(credential)).resolves.toEqual(refreshed);
+    });
+  });
+
+  describe("zai", () => {
+    it("owns glm-5 forward-compat resolution", () => {
+      const provider = requireProvider("zai");
+      const model = provider.resolveDynamicModel?.({
+        provider: "zai",
+        modelId: "glm-5",
+        modelRegistry: {
+          find: (_provider: string, id: string) =>
+            id === "glm-4.7"
+              ? createModel({
+                  id,
+                  api: "openai-completions",
+                  provider: "zai",
+                  baseUrl: "https://api.z.ai/api/paas/v4",
+                  reasoning: false,
+                  contextWindow: 202_752,
+                  maxTokens: 16_384,
+                })
+              : null,
+        } as never,
+      });
+
+      expect(model).toMatchObject({
+        id: "glm-5",
+        provider: "zai",
+        api: "openai-completions",
+        reasoning: true,
+      });
+    });
+
+    it("owns usage auth resolution", async () => {
+      const provider = requireProvider("zai");
+      await expect(
+        provider.resolveUsageAuth?.({
+          config: {} as never,
+          env: {
+            ZAI_API_KEY: "env-zai-token",
+          } as NodeJS.ProcessEnv,
+          provider: "zai",
+          resolveApiKeyFromConfigAndStore: () => "env-zai-token",
+          resolveOAuthToken: async () => null,
+        }),
+      ).resolves.toEqual({
+        token: "env-zai-token",
+      });
+    });
+
+    it("owns usage snapshot fetching", async () => {
+      const provider = requireProvider("zai");
+      const mockFetch = createProviderUsageFetch(async (url) => {
+        if (url.includes("api.z.ai/api/monitor/usage/quota/limit")) {
+          return makeResponse(200, {
+            success: true,
+            code: 200,
+            data: {
+              planName: "Pro",
+              limits: [
+                {
+                  type: "TOKENS_LIMIT",
+                  percentage: 25,
+                  unit: 3,
+                  number: 6,
+                  nextResetTime: "2026-01-07T06:00:00Z",
+                },
+              ],
+            },
+          });
+        }
+        return makeResponse(404, "not found");
+      });
+
+      await expect(
+        provider.fetchUsageSnapshot?.({
+          config: {} as never,
+          env: {} as NodeJS.ProcessEnv,
+          provider: "zai",
+          token: "env-zai-token",
+          timeoutMs: 5_000,
+          fetchFn: mockFetch as unknown as typeof fetch,
+        }),
+      ).resolves.toEqual({
+        provider: "zai",
+        displayName: "z.ai",
+        windows: [{ label: "Tokens (6h)", usedPercent: 25, resetAt: 1_767_765_600_000 }],
+        plan: "Pro",
+      });
+    });
+  });
+});

From a9a9cf42579e02212b2b9422f39eb78ac2026afa Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Mon, 16 Mar 2026 00:09:48 -0700
Subject: [PATCH 078/133] GitHub Copilot: move runtime tests to provider
 contracts

---
 extensions/github-copilot/index.test.ts | 38 -------------------------
 1 file changed, 38 deletions(-)
 delete mode 100644 extensions/github-copilot/index.test.ts

diff --git a/extensions/github-copilot/index.test.ts b/extensions/github-copilot/index.test.ts
deleted file mode 100644
index 633d1f1ad75..00000000000
--- a/extensions/github-copilot/index.test.ts
+++ /dev/null
@@ -1,38 +0,0 @@
-import { describe, expect, it } from "vitest";
-import { registerSingleProviderPlugin } from "../../src/test-utils/plugin-registration.js";
-import githubCopilotPlugin from "./index.js";
-
-const registerProvider = () => registerSingleProviderPlugin(githubCopilotPlugin);
-
-describe("github-copilot plugin", () => {
-  it("owns Copilot-specific forward-compat fallbacks", () => {
-    const provider = registerProvider();
-    const model = provider.resolveDynamicModel?.({
-      provider: "github-copilot",
-      modelId: "gpt-5.3-codex",
-      modelRegistry: {
-        find: (_provider: string, id: string) =>
-          id === "gpt-5.2-codex"
-            ? {
-                id,
-                name: id,
-                api: "openai-codex-responses",
-                provider: "github-copilot",
-                baseUrl: "https://api.copilot.example",
-                reasoning: true,
-                input: ["text"],
-                cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
-                contextWindow: 128_000,
-                maxTokens: 8_192,
-              }
-            : null,
-      } as never,
-    });
-
-    expect(model).toMatchObject({
-      id: "gpt-5.3-codex",
-      provider: "github-copilot",
-      api: "openai-codex-responses",
-    });
-  });
-});

From 25535b571a45a3f371e7207b6f63b2d406c0ca94 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Mon, 16 Mar 2026 00:09:49 -0700
Subject: [PATCH 079/133] Z.ai: move runtime tests to provider contracts

---
 extensions/zai/index.test.ts | 101 -----------------------------------
 1 file changed, 101 deletions(-)
 delete mode 100644 extensions/zai/index.test.ts

diff --git a/extensions/zai/index.test.ts b/extensions/zai/index.test.ts
deleted file mode 100644
index f79f53670b7..00000000000
--- a/extensions/zai/index.test.ts
+++ /dev/null
@@ -1,101 +0,0 @@
-import { describe, expect, it } from "vitest";
-import { registerSingleProviderPlugin } from "../../src/test-utils/plugin-registration.js";
-import {
-  createProviderUsageFetch,
-  makeResponse,
-} from "../../src/test-utils/provider-usage-fetch.js";
-import zaiPlugin from "./index.js";
-
-const registerProvider = () => registerSingleProviderPlugin(zaiPlugin);
-
-describe("zai plugin", () => {
-  it("owns glm-5 forward-compat resolution", () => {
-    const provider = registerProvider();
-    const model = provider.resolveDynamicModel?.({
-      provider: "zai",
-      modelId: "glm-5",
-      modelRegistry: {
-        find: (_provider: string, id: string) =>
-          id === "glm-4.7"
-            ? {
-                id,
-                name: id,
-                api: "openai-completions",
-                provider: "zai",
-                baseUrl: "https://api.z.ai/api/paas/v4",
-                reasoning: false,
-                input: ["text"],
-                cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
-                contextWindow: 202_752,
-                maxTokens: 16_384,
-              }
-            : null,
-      } as never,
-    });
-
-    expect(model).toMatchObject({
-      id: "glm-5",
-      provider: "zai",
-      api: "openai-completions",
-      reasoning: true,
-    });
-  });
-
-  it("owns usage auth resolution", async () => {
-    const provider = registerProvider();
-    await expect(
-      provider.resolveUsageAuth?.({
-        config: {} as never,
-        env: {
-          ZAI_API_KEY: "env-zai-token",
-        } as NodeJS.ProcessEnv,
-        provider: "zai",
-        resolveApiKeyFromConfigAndStore: () => "env-zai-token",
-        resolveOAuthToken: async () => null,
-      }),
-    ).resolves.toEqual({
-      token: "env-zai-token",
-    });
-  });
-
-  it("owns usage snapshot fetching", async () => {
-    const provider = registerProvider();
-    const mockFetch = createProviderUsageFetch(async (url) => {
-      if (url.includes("api.z.ai/api/monitor/usage/quota/limit")) {
-        return makeResponse(200, {
-          success: true,
-          code: 200,
-          data: {
-            planName: "Pro",
-            limits: [
-              {
-                type: "TOKENS_LIMIT",
-                percentage: 25,
-                unit: 3,
-                number: 6,
-                nextResetTime: "2026-01-07T06:00:00Z",
-              },
-            ],
-          },
-        });
-      }
-      return makeResponse(404, "not found");
-    });
-
-    await expect(
-      provider.fetchUsageSnapshot?.({
-        config: {} as never,
-        env: {} as NodeJS.ProcessEnv,
-        provider: "zai",
-        token: "env-zai-token",
-        timeoutMs: 5_000,
-        fetchFn: mockFetch as unknown as typeof fetch,
-      }),
-    ).resolves.toEqual({
-      provider: "zai",
-      displayName: "z.ai",
-      windows: [{ label: "Tokens (6h)", usedPercent: 25, resetAt: 1_767_765_600_000 }],
-      plan: "Pro",
-    });
-  });
-});

From 62de7e02ea7440c71dd7a1a67bde467c04e9652e Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Mon, 16 Mar 2026 00:10:01 -0700
Subject: [PATCH 080/133] Anthropic: move runtime tests to provider contracts

---
 extensions/anthropic/index.test.ts | 124 -----------------------------
 1 file changed, 124 deletions(-)
 delete mode 100644 extensions/anthropic/index.test.ts

diff --git a/extensions/anthropic/index.test.ts b/extensions/anthropic/index.test.ts
deleted file mode 100644
index 0bfa830f14f..00000000000
--- a/extensions/anthropic/index.test.ts
+++ /dev/null
@@ -1,124 +0,0 @@
-import { describe, expect, it } from "vitest";
-import { registerSingleProviderPlugin } from "../../src/test-utils/plugin-registration.js";
-import {
-  createProviderUsageFetch,
-  makeResponse,
-} from "../../src/test-utils/provider-usage-fetch.js";
-import anthropicPlugin from "./index.js";
-
-const registerProvider = () => registerSingleProviderPlugin(anthropicPlugin);
-
-describe("anthropic plugin", () => {
-  it("owns anthropic 4.6 forward-compat resolution", () => {
-    const provider = registerProvider();
-    const model = provider.resolveDynamicModel?.({
-      provider: "anthropic",
-      modelId: "claude-sonnet-4.6-20260219",
-      modelRegistry: {
-        find: (_provider: string, id: string) =>
-          id === "claude-sonnet-4.5-20260219"
-            ? {
-                id,
-                name: id,
-                api: "anthropic-messages",
-                provider: "anthropic",
-                baseUrl: "https://api.anthropic.com",
-                reasoning: true,
-                input: ["text"],
-                cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
-                contextWindow: 200_000,
-                maxTokens: 8_192,
-              }
-            : null,
-      } as never,
-    });
-
-    expect(model).toMatchObject({
-      id: "claude-sonnet-4.6-20260219",
-      provider: "anthropic",
-      api: "anthropic-messages",
-      baseUrl: "https://api.anthropic.com",
-    });
-  });
-
-  it("owns usage auth resolution", async () => {
-    const provider = registerProvider();
-    await expect(
-      provider.resolveUsageAuth?.({
-        config: {} as never,
-        env: {} as NodeJS.ProcessEnv,
-        provider: "anthropic",
-        resolveApiKeyFromConfigAndStore: () => undefined,
-        resolveOAuthToken: async () => ({
-          token: "anthropic-oauth-token",
-        }),
-      }),
-    ).resolves.toEqual({
-      token: "anthropic-oauth-token",
-    });
-  });
-
-  it("owns auth doctor hint generation", () => {
-    const provider = registerProvider();
-    const hint = provider.buildAuthDoctorHint?.({
-      provider: "anthropic",
-      profileId: "anthropic:default",
-      config: {
-        auth: {
-          profiles: {
-            "anthropic:default": {
-              provider: "anthropic",
-              mode: "oauth",
-            },
-          },
-        },
-      } as never,
-      store: {
-        version: 1,
-        profiles: {
-          "anthropic:oauth-user@example.com": {
-            type: "oauth",
-            provider: "anthropic",
-            access: "oauth-access",
-            refresh: "oauth-refresh",
-            expires: Date.now() + 60_000,
-          },
-        },
-      },
-    });
-
-    expect(hint).toContain("suggested profile: anthropic:oauth-user@example.com");
-    expect(hint).toContain("openclaw doctor --yes");
-  });
-
-  it("owns usage snapshot fetching", async () => {
-    const provider = registerProvider();
-    const mockFetch = createProviderUsageFetch(async (url) => {
-      if (url.includes("api.anthropic.com/api/oauth/usage")) {
-        return makeResponse(200, {
-          five_hour: { utilization: 20, resets_at: "2026-01-07T01:00:00Z" },
-          seven_day: { utilization: 35, resets_at: "2026-01-09T01:00:00Z" },
-        });
-      }
-      return makeResponse(404, "not found");
-    });
-
-    const snapshot = await provider.fetchUsageSnapshot?.({
-      config: {} as never,
-      env: {} as NodeJS.ProcessEnv,
-      provider: "anthropic",
-      token: "anthropic-oauth-token",
-      timeoutMs: 5_000,
-      fetchFn: mockFetch as unknown as typeof fetch,
-    });
-
-    expect(snapshot).toEqual({
-      provider: "anthropic",
-      displayName: "Claude",
-      windows: [
-        { label: "5h", usedPercent: 20, resetAt: Date.parse("2026-01-07T01:00:00Z") },
-        { label: "Week", usedPercent: 35, resetAt: Date.parse("2026-01-09T01:00:00Z") },
-      ],
-    });
-  });
-});

From 182a00cc49484262086f343c4f7f8fc6b8f5ab78 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Mon, 16 Mar 2026 00:10:08 -0700
Subject: [PATCH 081/133] Google: move runtime tests to provider contracts

---
 extensions/google/gemini-cli-provider.test.ts | 197 ------------------
 1 file changed, 197 deletions(-)
 delete mode 100644 extensions/google/gemini-cli-provider.test.ts

diff --git a/extensions/google/gemini-cli-provider.test.ts b/extensions/google/gemini-cli-provider.test.ts
deleted file mode 100644
index 75619863b4b..00000000000
--- a/extensions/google/gemini-cli-provider.test.ts
+++ /dev/null
@@ -1,197 +0,0 @@
-import { describe, expect, it } from "vitest";
-import type { ProviderPlugin } from "../../src/plugins/types.js";
-import { createCapturedPluginRegistration } from "../../src/test-utils/plugin-registration.js";
-import {
-  createProviderUsageFetch,
-  makeResponse,
-} from "../../src/test-utils/provider-usage-fetch.js";
-import googlePlugin from "./index.js";
-
-function findProvider(providers: ProviderPlugin[], id: string): ProviderPlugin {
-  const provider = providers.find((candidate) => candidate.id === id);
-  if (!provider) {
-    throw new Error(`provider ${id} missing`);
-  }
-  return provider;
-}
-
-function registerGooglePlugin(): {
-  providers: ProviderPlugin[];
-  webSearchProvider: {
-    id: string;
-    envVars: string[];
-    label: string;
-  } | null;
-  webSearchProviderRegistered: boolean;
-} {
-  const captured = createCapturedPluginRegistration();
-  googlePlugin.register(captured.api);
-  if (captured.providers.length === 0) {
-    throw new Error("provider registration missing");
-  }
-  const webSearchProvider = captured.webSearchProviders[0] ?? null;
-  return {
-    providers: captured.providers,
-    webSearchProviderRegistered: webSearchProvider !== null,
-    webSearchProvider:
-      webSearchProvider === null
-        ? null
-        : {
-            id: webSearchProvider.id,
-            envVars: webSearchProvider.envVars,
-            label: webSearchProvider.label,
-          },
-  };
-}
-
-describe("google plugin", () => {
-  it("registers Google direct, Gemini CLI auth, and Gemini web search", () => {
-    const result = registerGooglePlugin();
-
-    expect(result.providers.map((provider) => provider.id)).toEqual([
-      "google",
-      "google-gemini-cli",
-    ]);
-    expect(result.webSearchProviderRegistered).toBe(true);
-    expect(result.webSearchProvider).toMatchObject({
-      id: "gemini",
-      label: "Gemini (Google Search)",
-      envVars: ["GEMINI_API_KEY"],
-    });
-  });
-
-  it("owns google direct gemini 3.1 forward-compat resolution", () => {
-    const { providers } = registerGooglePlugin();
-    const provider = findProvider(providers, "google");
-    const model = provider.resolveDynamicModel?.({
-      provider: "google",
-      modelId: "gemini-3.1-pro-preview",
-      modelRegistry: {
-        find: (_provider: string, id: string) =>
-          id === "gemini-3-pro-preview"
-            ? {
-                id,
-                name: id,
-                api: "google-generative-ai",
-                provider: "google",
-                baseUrl: "https://generativelanguage.googleapis.com",
-                reasoning: false,
-                input: ["text"],
-                cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
-                contextWindow: 1_048_576,
-                maxTokens: 65_536,
-              }
-            : null,
-      } as never,
-    });
-
-    expect(model).toMatchObject({
-      id: "gemini-3.1-pro-preview",
-      provider: "google",
-      api: "google-generative-ai",
-      baseUrl: "https://generativelanguage.googleapis.com",
-      reasoning: true,
-    });
-  });
-
-  it("owns gemini cli 3.1 forward-compat resolution", () => {
-    const { providers } = registerGooglePlugin();
-    const provider = findProvider(providers, "google-gemini-cli");
-    const model = provider.resolveDynamicModel?.({
-      provider: "google-gemini-cli",
-      modelId: "gemini-3.1-pro-preview",
-      modelRegistry: {
-        find: (_provider: string, id: string) =>
-          id === "gemini-3-pro-preview"
-            ? {
-                id,
-                name: id,
-                api: "google-gemini-cli",
-                provider: "google-gemini-cli",
-                baseUrl: "https://cloudcode-pa.googleapis.com",
-                reasoning: false,
-                input: ["text"],
-                cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
-                contextWindow: 1_048_576,
-                maxTokens: 65_536,
-              }
-            : null,
-      } as never,
-    });
-
-    expect(model).toMatchObject({
-      id: "gemini-3.1-pro-preview",
-      provider: "google-gemini-cli",
-      reasoning: true,
-    });
-  });
-
-  it("owns usage-token parsing", async () => {
-    const { providers } = registerGooglePlugin();
-    const provider = findProvider(providers, "google-gemini-cli");
-    await expect(
-      provider.resolveUsageAuth?.({
-        config: {} as never,
-        env: {} as NodeJS.ProcessEnv,
-        provider: "google-gemini-cli",
-        resolveApiKeyFromConfigAndStore: () => undefined,
-        resolveOAuthToken: async () => ({
-          token: '{"token":"google-oauth-token"}',
-          accountId: "google-account",
-        }),
-      }),
-    ).resolves.toEqual({
-      token: "google-oauth-token",
-      accountId: "google-account",
-    });
-  });
-
-  it("owns OAuth auth-profile formatting", () => {
-    const { providers } = registerGooglePlugin();
-    const provider = findProvider(providers, "google-gemini-cli");
-
-    expect(
-      provider.formatApiKey?.({
-        type: "oauth",
-        provider: "google-gemini-cli",
-        access: "google-oauth-token",
-        refresh: "refresh-token",
-        expires: Date.now() + 60_000,
-        projectId: "proj-123",
-      }),
-    ).toBe('{"token":"google-oauth-token","projectId":"proj-123"}');
-  });
-
-  it("owns usage snapshot fetching", async () => {
-    const { providers } = registerGooglePlugin();
-    const provider = findProvider(providers, "google-gemini-cli");
-    const mockFetch = createProviderUsageFetch(async (url) => {
-      if (url.includes("cloudcode-pa.googleapis.com/v1internal:retrieveUserQuota")) {
-        return makeResponse(200, {
-          buckets: [
-            { modelId: "gemini-3.1-pro-preview", remainingFraction: 0.4 },
-            { modelId: "gemini-3.1-flash-preview", remainingFraction: 0.8 },
-          ],
-        });
-      }
-      return makeResponse(404, "not found");
-    });
-
-    const snapshot = await provider.fetchUsageSnapshot?.({
-      config: {} as never,
-      env: {} as NodeJS.ProcessEnv,
-      provider: "google-gemini-cli",
-      token: "google-oauth-token",
-      timeoutMs: 5_000,
-      fetchFn: mockFetch as unknown as typeof fetch,
-    });
-
-    expect(snapshot).toMatchObject({
-      provider: "google-gemini-cli",
-      displayName: "Gemini",
-    });
-    expect(snapshot?.windows[0]).toEqual({ label: "Pro", usedPercent: 60 });
-    expect(snapshot?.windows[1]?.label).toBe("Flash");
-    expect(snapshot?.windows[1]?.usedPercent).toBeCloseTo(20);
-  });
-});

From 7dab66c89ef243876836a5212c41da918d1a1896 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Mon, 16 Mar 2026 00:10:16 -0700
Subject: [PATCH 082/133] OpenAI: move runtime tests to provider contracts

---
 extensions/openai/index.test.ts        | 105 --------------------
 extensions/openai/openai-codex.test.ts | 129 -------------------------
 2 files changed, 234 deletions(-)
 delete mode 100644 extensions/openai/index.test.ts
 delete mode 100644 extensions/openai/openai-codex.test.ts

diff --git a/extensions/openai/index.test.ts b/extensions/openai/index.test.ts
deleted file mode 100644
index 32b5b4b3a63..00000000000
--- a/extensions/openai/index.test.ts
+++ /dev/null
@@ -1,105 +0,0 @@
-import { describe, expect, it } from "vitest";
-import type { ProviderPlugin } from "../../src/plugins/types.js";
-import openAIPlugin from "./index.js";
-
-function registerProviders(): ProviderPlugin[] {
-  const providers: ProviderPlugin[] = [];
-  openAIPlugin.register({
-    registerProvider(nextProvider: ProviderPlugin) {
-      providers.push(nextProvider);
-    },
-  } as never);
-  return providers;
-}
-
-function requireProvider(id: string): ProviderPlugin {
-  const provider = registerProviders().find((entry) => entry.id === id);
-  if (!provider) {
-    throw new Error(`provider registration missing for ${id}`);
-  }
-  return provider;
-}
-
-describe("openai plugin", () => {
-  it("registers openai and openai-codex providers from one extension", () => {
-    expect(registerProviders().map((provider) => provider.id)).toEqual(["openai", "openai-codex"]);
-  });
-
-  it("owns openai gpt-5.4 forward-compat resolution", () => {
-    const provider = requireProvider("openai");
-    const model = provider.resolveDynamicModel?.({
-      provider: "openai",
-      modelId: "gpt-5.4-pro",
-      modelRegistry: {
-        find: (_provider: string, id: string) =>
-          id === "gpt-5.2-pro"
-            ? {
-                id,
-                name: id,
-                api: "openai-responses",
-                provider: "openai",
-                baseUrl: "https://api.openai.com/v1",
-                reasoning: true,
-                input: ["text", "image"],
-                cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
-                contextWindow: 200_000,
-                maxTokens: 8_192,
-              }
-            : null,
-      } as never,
-    });
-
-    expect(model).toMatchObject({
-      id: "gpt-5.4-pro",
-      provider: "openai",
-      api: "openai-responses",
-      baseUrl: "https://api.openai.com/v1",
-      contextWindow: 1_050_000,
-      maxTokens: 128_000,
-    });
-  });
-
-  it("owns direct openai transport normalization", () => {
-    const provider = requireProvider("openai");
-    expect(
-      provider.normalizeResolvedModel?.({
-        provider: "openai",
-        modelId: "gpt-5.4",
-        model: {
-          id: "gpt-5.4",
-          name: "gpt-5.4",
-          api: "openai-completions",
-          provider: "openai",
-          baseUrl: "https://api.openai.com/v1",
-          reasoning: true,
-          input: ["text", "image"],
-          cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
-          contextWindow: 1_050_000,
-          maxTokens: 128_000,
-        },
-      }),
-    ).toMatchObject({
-      api: "openai-responses",
-    });
-  });
-
-  it("owns codex-only missing-auth hints and Spark suppression", () => {
-    const provider = requireProvider("openai");
-    expect(
-      provider.buildMissingAuthMessage?.({
-        env: {} as NodeJS.ProcessEnv,
-        provider: "openai",
-        listProfileIds: (providerId) => (providerId === "openai-codex" ? ["p1"] : []),
-      }),
-    ).toContain("openai-codex/gpt-5.4");
-    expect(
-      provider.suppressBuiltInModel?.({
-        env: {} as NodeJS.ProcessEnv,
-        provider: "azure-openai-responses",
-        modelId: "gpt-5.3-codex-spark",
-      }),
-    ).toMatchObject({
-      suppress: true,
-    });
-  });
-});
diff --git a/extensions/openai/openai-codex.test.ts b/extensions/openai/openai-codex.test.ts
deleted file mode 100644
index 1e9efd3bfbc..00000000000
--- a/extensions/openai/openai-codex.test.ts
+++ /dev/null
@@ -1,129 +0,0 @@
-import { describe, expect, it, vi } from "vitest";
-import type { ProviderPlugin } from "../../src/plugins/types.js";
-import {
-  createProviderUsageFetch,
-  makeResponse,
-} from "../../src/test-utils/provider-usage-fetch.js";
-import openAIPlugin from "./index.js";
-
-const getOAuthApiKeyMock = vi.hoisted(() => vi.fn());
-
-vi.mock("@mariozechner/pi-ai/oauth", async () => {
-  const actual = await vi.importActual<object>("@mariozechner/pi-ai/oauth");
-  return {
-    ...actual,
-    getOAuthApiKey: getOAuthApiKeyMock,
-  };
-});
-
-function registerCodexProvider(): ProviderPlugin {
-  let provider: ProviderPlugin | undefined;
-  openAIPlugin.register({
-    registerProvider(nextProvider: ProviderPlugin) {
-      if (nextProvider.id === "openai-codex") {
-        provider = nextProvider;
-      }
-    },
-  } as never);
-  if (!provider) {
-    throw new Error("provider registration missing");
-  }
-  return provider;
-}
-
-describe("openai codex provider", () => {
-  it("owns refresh fallback for accountId extraction failures", async () => {
-    const provider = registerCodexProvider();
-    const credential = {
-      type: "oauth" as const,
-      provider: "openai-codex",
-      access: "cached-access-token",
-      refresh: "refresh-token",
-      expires: Date.now() - 60_000,
-    };
-
-    getOAuthApiKeyMock.mockReset();
-    getOAuthApiKeyMock.mockRejectedValueOnce(new Error("Failed to extract accountId from token"));
-
-    await expect(provider.refreshOAuth?.(credential)).resolves.toEqual(credential);
-  });
-
-  it("owns forward-compat codex models", () => {
-    const provider = registerCodexProvider();
-    const model = provider.resolveDynamicModel?.({
-      provider: "openai-codex",
-      modelId: "gpt-5.4",
-      modelRegistry: {
-        find: (_provider: string, id: string) =>
-          id === "gpt-5.2-codex"
-            ? {
-                id,
-                name: id,
-                api: "openai-codex-responses",
-                provider: "openai-codex",
-                baseUrl: "https://chatgpt.com/backend-api",
-                reasoning: true,
-                input: ["text"],
-                cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
-                contextWindow: 200_000,
-                maxTokens: 8_192,
-              }
-            : null,
-      } as never,
-    });
-
-    expect(model).toMatchObject({
-      id: "gpt-5.4",
-      provider: "openai-codex",
-      api: "openai-codex-responses",
-      contextWindow: 1_050_000,
-      maxTokens: 128_000,
-    });
-  });
-
-  it("owns codex transport defaults", () => {
-    const provider = registerCodexProvider();
-    expect(
-      provider.prepareExtraParams?.({
-        provider: "openai-codex",
-        modelId: "gpt-5.4",
-        extraParams: { temperature: 0.2 },
-      }),
-    ).toEqual({
-      temperature: 0.2,
-      transport: "auto",
-    });
-  });
-
-  it("owns usage snapshot fetching", async () => {
-    const provider = registerCodexProvider();
-    const mockFetch = createProviderUsageFetch(async (url) => {
-      if (url.includes("chatgpt.com/backend-api/wham/usage")) {
-        return makeResponse(200, {
-          rate_limit: {
-            primary_window: { used_percent: 12, limit_window_seconds: 10800, reset_at: 1_705_000 },
-          },
-          plan_type: "Plus",
-        });
-      }
-      return makeResponse(404, "not found");
-    });
-
-    await expect(
-      provider.fetchUsageSnapshot?.({
-        config: {} as never,
-        env: {} as NodeJS.ProcessEnv,
-        provider: "openai-codex",
-        token: "codex-token",
-        accountId: "acc-1",
-        timeoutMs: 5_000,
-        fetchFn: mockFetch as unknown as typeof fetch,
-      }),
-    ).resolves.toEqual({
-      provider: "openai-codex",
-      displayName: "Codex",
-      windows: [{ label: "3h", usedPercent: 12, resetAt: 1_705_000_000 }],
-      plan: "Plus",
-    });
-  });
-});

From e7eb410dd1468e5d12251280ec3bc98bfecc4b6d Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Mon, 16 Mar 2026 00:10:23 -0700
Subject: [PATCH 083/133] Qwen Portal: move runtime tests to provider contracts

---
 extensions/qwen-portal-auth/index.test.ts | 32 -----------------------
 1 file changed, 32 deletions(-)
 delete mode 100644 extensions/qwen-portal-auth/index.test.ts

diff --git a/extensions/qwen-portal-auth/index.test.ts b/extensions/qwen-portal-auth/index.test.ts
deleted file mode 100644
index f5e7f599f78..00000000000
--- a/extensions/qwen-portal-auth/index.test.ts
+++ /dev/null
@@ -1,32 +0,0 @@
-import { describe, expect, it, vi } from "vitest";
-import { registerSingleProviderPlugin } from "../../src/test-utils/plugin-registration.js";
-import qwenPortalPlugin from "./index.js";
-
-const refreshQwenPortalCredentialsMock = vi.hoisted(() => vi.fn());
-
-vi.mock("../../src/providers/qwen-portal-oauth.js", () => ({
-  refreshQwenPortalCredentials: refreshQwenPortalCredentialsMock,
-}));
-
-describe("qwen portal plugin", () => {
-  it("owns OAuth refresh", async () => {
-    const provider = registerSingleProviderPlugin(qwenPortalPlugin);
-    const credential = {
-      type: "oauth" as const,
-      provider: "qwen-portal",
-      access: "stale-access-token",
-      refresh: "refresh-token",
-      expires: Date.now() - 60_000,
-    };
-    const refreshed = {
-      ...credential,
-      access: "fresh-access-token",
-      expires: Date.now() + 60_000,
-    };
-
-    refreshQwenPortalCredentialsMock.mockReset();
-    refreshQwenPortalCredentialsMock.mockResolvedValueOnce(refreshed);
-
-    await expect(provider.refreshOAuth?.(credential)).resolves.toEqual(refreshed);
-  });
-});

From 0ca1b18517b3da6cb463a52472d58de31b852d82 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Mar 2026 00:09:50 -0700
Subject: [PATCH 084/133] fix(core): restore outbound fallbacks and gate checks

---
 src/infra/bonjour.ts                          |   1 +
 src/infra/exec-approval-forwarder.ts          |  13 +-
 .../outbound/built-in-channel-adapters.ts     | 127 ++++++++++++++++++
 .../outbound/built-in-channel-messaging.ts    |  41 ++++++
 src/infra/outbound/channel-adapters.ts        |   5 +-
 src/infra/outbound/targets.test.ts            |  18 +++
 src/infra/outbound/targets.ts                 |  14 +-
 ui/src/ui/app-scroll.ts                       |  10 +-
 8 files changed, 218 insertions(+), 11 deletions(-)
 create mode 100644 src/infra/outbound/built-in-channel-adapters.ts
 create mode 100644 src/infra/outbound/built-in-channel-messaging.ts

diff --git a/src/infra/bonjour.ts b/src/infra/bonjour.ts
index 2b500986f33..e7ed5adf7f1 100644
--- a/src/infra/bonjour.ts
+++ b/src/infra/bonjour.ts
@@ -1,3 +1,4 @@
+import type { CiaoService, Responder } from "@homebridge/ciao";
 import { logDebug, logWarn } from "../logger.js";
 import { getLogger } from "../logging.js";
 import { ignoreCiaoCancellationRejection } from "./bonjour-ciao.js";
diff --git a/src/infra/exec-approval-forwarder.ts b/src/infra/exec-approval-forwarder.ts
index 0c0c8e30e48..eba329f57ff 100644
--- a/src/infra/exec-approval-forwarder.ts
+++ b/src/infra/exec-approval-forwarder.ts
@@ -22,6 +22,7 @@ import type {
   ExecApprovalRequest,
   ExecApprovalResolved,
 } from "./exec-approvals.js";
+import { resolveBuiltInExecApprovalAdapter } from "./outbound/built-in-channel-adapters.js";
 import { deliverOutboundPayloads } from "./outbound/deliver.js";
 
 const log = createSubsystemLogger("gateway/exec-approvals");
@@ -118,8 +119,10 @@ function shouldSkipForwardingFallback(params: {
   if (!channel) {
     return false;
   }
+  const adapter =
+    getChannelPlugin(channel)?.execApprovals ?? resolveBuiltInExecApprovalAdapter(channel);
   return (
-    getChannelPlugin(channel)?.execApprovals?.shouldSuppressForwardingFallback?.({
+    adapter?.shouldSuppressForwardingFallback?.({
       cfg: params.cfg,
       target: params.target,
       request: params.request,
@@ -275,7 +278,9 @@ function buildRequestPayloadForTarget(
 ): ReplyPayload {
   const channel = normalizeMessageChannel(target.channel) ?? target.channel;
   const pluginPayload = channel
-    ? getChannelPlugin(channel)?.execApprovals?.buildPendingPayload?.({
+    ? (
+        getChannelPlugin(channel)?.execApprovals ?? resolveBuiltInExecApprovalAdapter(channel)
+      )?.buildPendingPayload?.({
         cfg,
         request,
         target,
@@ -410,7 +415,9 @@ export function createExecApprovalForwarder(
         if (!channel) {
           return;
         }
-        await getChannelPlugin(channel)?.execApprovals?.beforeDeliverPending?.({
+        await (
+          getChannelPlugin(channel)?.execApprovals ?? resolveBuiltInExecApprovalAdapter(channel)
+        )?.beforeDeliverPending?.({
           cfg,
           target,
           payload,
diff --git a/src/infra/outbound/built-in-channel-adapters.ts b/src/infra/outbound/built-in-channel-adapters.ts
new file mode 100644
index 00000000000..335457dc48c
--- /dev/null
+++ b/src/infra/outbound/built-in-channel-adapters.ts
@@ -0,0 +1,127 @@
+import { Separator, TextDisplay } from "@buape/carbon";
+import {
+  listDiscordAccountIds,
+  resolveDiscordAccount,
+} from "../../../extensions/discord/src/accounts.js";
+import { isDiscordExecApprovalClientEnabled } from "../../../extensions/discord/src/exec-approvals.js";
+import { DiscordUiContainer } from "../../../extensions/discord/src/ui.js";
+import { listTelegramAccountIds } from "../../../extensions/telegram/src/accounts.js";
+import { buildTelegramExecApprovalButtons } from "../../../extensions/telegram/src/approval-buttons.js";
+import {
+  isTelegramExecApprovalClientEnabled,
+  resolveTelegramExecApprovalTarget,
+} from "../../../extensions/telegram/src/exec-approvals.js";
+import type { ChannelExecApprovalAdapter } from "../../channels/plugins/types.adapters.js";
+import type { ChannelCrossContextComponentsFactory } from "../../channels/plugins/types.core.js";
+import type { ChannelId } from "../../channels/plugins/types.js";
+import type { OpenClawConfig } from "../../config/config.js";
+import { normalizeMessageChannel } from "../../utils/message-channel.js";
+import { resolveExecApprovalCommandDisplay } from "../exec-approval-command-display.js";
+import { buildExecApprovalPendingReplyPayload } from "../exec-approval-reply.js";
+
+const BUILT_IN_DISCORD_CROSS_CONTEXT_COMPONENTS: ChannelCrossContextComponentsFactory = (
+  params,
+) => {
+  const trimmed = params.message.trim();
+  const components: Array<TextDisplay | Separator> = [];
+  if (trimmed) {
+    components.push(new TextDisplay(params.message));
+    components.push(new Separator({ divider: true, spacing: "small" }));
+  }
+  components.push(new TextDisplay(`*From ${params.originLabel}*`));
+  return [new DiscordUiContainer({ cfg: params.cfg, accountId: params.accountId, components })];
+};
+
+function hasDiscordExecApprovalDmRoute(cfg: OpenClawConfig): boolean {
+  return listDiscordAccountIds(cfg).some((accountId) => {
+    const execApprovals = resolveDiscordAccount({ cfg, accountId }).config.execApprovals;
+    if (!execApprovals?.enabled || (execApprovals.approvers?.length ?? 0) === 0) {
+      return false;
+    }
+    const target = execApprovals.target ?? "dm";
+    return target === "dm" || target === "both";
+  });
+}
+
+function hasTelegramExecApprovalDmRoute(cfg: OpenClawConfig): boolean {
+  return listTelegramAccountIds(cfg).some((accountId) => {
+    if (!isTelegramExecApprovalClientEnabled({ cfg, accountId })) {
+      return false;
+    }
+    const target = resolveTelegramExecApprovalTarget({ cfg, accountId });
+    return target === "dm" || target === "both";
+  });
+}
+
+const BUILT_IN_DISCORD_EXEC_APPROVALS: ChannelExecApprovalAdapter = {
+  getInitiatingSurfaceState: ({ cfg, accountId }) =>
+    isDiscordExecApprovalClientEnabled({ cfg, accountId })
+      ? { kind: "enabled" }
+      : { kind: "disabled" },
+  hasConfiguredDmRoute: ({ cfg }) => hasDiscordExecApprovalDmRoute(cfg),
+  shouldSuppressForwardingFallback: ({ cfg, target }) =>
+    (normalizeMessageChannel(target.channel) ?? target.channel) === "discord" &&
+    isDiscordExecApprovalClientEnabled({ cfg, accountId: target.accountId }),
+};
+
+const BUILT_IN_TELEGRAM_EXEC_APPROVALS: ChannelExecApprovalAdapter = {
+  getInitiatingSurfaceState: ({ cfg, accountId }) =>
+    isTelegramExecApprovalClientEnabled({ cfg, accountId })
+      ? { kind: "enabled" }
+      : { kind: "disabled" },
+  hasConfiguredDmRoute: ({ cfg }) => hasTelegramExecApprovalDmRoute(cfg),
+  shouldSuppressForwardingFallback: ({ cfg, target, request }) => {
+    const channel = normalizeMessageChannel(target.channel) ?? target.channel;
+    if (channel !== "telegram") {
+      return false;
+    }
+    const requestChannel = normalizeMessageChannel(request.request.turnSourceChannel ?? "");
+    if (requestChannel !== "telegram") {
+      return false;
+    }
+    const accountId = target.accountId?.trim() || request.request.turnSourceAccountId?.trim();
+    return isTelegramExecApprovalClientEnabled({ cfg, accountId });
+  },
+  buildPendingPayload: ({ request, nowMs }) => {
+    const payload = buildExecApprovalPendingReplyPayload({
+      approvalId: request.id,
+      approvalSlug: request.id.slice(0, 8),
+      approvalCommandId: request.id,
+      command: resolveExecApprovalCommandDisplay(request.request).commandText,
+      cwd: request.request.cwd ?? undefined,
+      host: request.request.host === "node" ? "node" : "gateway",
+      nodeId: request.request.nodeId ?? undefined,
+      expiresAtMs: request.expiresAtMs,
+      nowMs,
+    });
+    const buttons = buildTelegramExecApprovalButtons(request.id);
+    if (!buttons) {
+      return payload;
+    }
+    return {
+      ...payload,
+      channelData: {
+        ...payload.channelData,
+        telegram: { buttons },
+      },
+    };
+  },
+};
+
+export function resolveBuiltInCrossContextComponentsFactory(
+  channel: ChannelId,
+): ChannelCrossContextComponentsFactory | undefined {
+  return channel === "discord" ? BUILT_IN_DISCORD_CROSS_CONTEXT_COMPONENTS : undefined;
+}
+
+export function resolveBuiltInExecApprovalAdapter(
+  channel: ChannelId,
+): ChannelExecApprovalAdapter | undefined {
+  if (channel === "discord") {
+    return BUILT_IN_DISCORD_EXEC_APPROVALS;
+  }
+  if (channel === "telegram") {
+    return BUILT_IN_TELEGRAM_EXEC_APPROVALS;
+  }
+  return undefined;
+}
diff --git a/src/infra/outbound/built-in-channel-messaging.ts b/src/infra/outbound/built-in-channel-messaging.ts
new file mode 100644
index 00000000000..b06b6c41bc3
--- /dev/null
+++ b/src/infra/outbound/built-in-channel-messaging.ts
@@ -0,0 +1,41 @@
+import { parseTelegramTarget } from "../../../extensions/telegram/src/targets.js";
+import type { ChatType } from "../../channels/chat-type.js";
+import type { ChannelId } from "../../channels/plugins/types.js";
+import { isWhatsAppGroupJid, normalizeWhatsAppTarget } from "../../whatsapp/normalize.js";
+
+export type BuiltInExplicitTarget = {
+  to: string;
+  threadId?: string | number;
+  chatType?: ChatType;
+};
+
+export function resolveBuiltInExplicitTarget(
+  channel: ChannelId,
+  raw: string,
+): BuiltInExplicitTarget | null {
+  if (channel === "telegram") {
+    const target = parseTelegramTarget(raw);
+    return {
+      to: target.chatId,
+      threadId: target.messageThreadId,
+      chatType: target.chatType === "unknown" ? undefined : target.chatType,
+    };
+  }
+
+  if (channel === "whatsapp") {
+    const normalized = normalizeWhatsAppTarget(raw);
+    if (!normalized) {
+      return null;
+    }
+    return {
+      to: normalized,
+      chatType: isWhatsAppGroupJid(normalized) ? "group" : "direct",
+    };
+  }
+
+  return null;
+}
+
+export function resolveBuiltInTargetChatType(channel: ChannelId, to: string): ChatType | undefined {
+  return resolveBuiltInExplicitTarget(channel, to)?.chatType;
+}
diff --git a/src/infra/outbound/channel-adapters.ts b/src/infra/outbound/channel-adapters.ts
index 0c752854e8d..4f541bf0f84 100644
--- a/src/infra/outbound/channel-adapters.ts
+++ b/src/infra/outbound/channel-adapters.ts
@@ -2,6 +2,7 @@ import type { TopLevelComponents } from "@buape/carbon";
 import { getChannelPlugin } from "../../channels/plugins/index.js";
 import type { ChannelId } from "../../channels/plugins/types.js";
 import type { OpenClawConfig } from "../../config/config.js";
+import { resolveBuiltInCrossContextComponentsFactory } from "./built-in-channel-adapters.js";
 
 export type CrossContextComponentsBuilder = (message: string) => TopLevelComponents[];
 
@@ -22,7 +23,9 @@ const DEFAULT_ADAPTER: ChannelMessageAdapter = {
 };
 
 export function getChannelMessageAdapter(channel: ChannelId): ChannelMessageAdapter {
-  const adapter = getChannelPlugin(channel)?.messaging?.buildCrossContextComponents;
+  const adapter =
+    getChannelPlugin(channel)?.messaging?.buildCrossContextComponents ??
+    resolveBuiltInCrossContextComponentsFactory(channel);
   if (adapter) {
     return {
       supportsComponentsV2: true,
diff --git a/src/infra/outbound/targets.test.ts b/src/infra/outbound/targets.test.ts
index 76bb9a2b3b5..cfe8d06bd25 100644
--- a/src/infra/outbound/targets.test.ts
+++ b/src/infra/outbound/targets.test.ts
@@ -387,6 +387,24 @@ describe("resolveSessionDeliveryTarget", () => {
     expect(resolved.threadId).toBeUndefined();
   });
 
+  it("keeps :topic: parsing when the telegram plugin registry is unavailable", () => {
+    setActivePluginRegistry(createTestRegistry([]));
+
+    const resolved = resolveSessionDeliveryTarget({
+      entry: {
+        sessionId: "sess-no-registry",
+        updatedAt: 1,
+        lastChannel: "telegram",
+        lastTo: "63448508",
+      },
+      requestedChannel: "last",
+      explicitTo: "63448508:topic:1008013",
+    });
+
+    expect(resolved.to).toBe("63448508");
+    expect(resolved.threadId).toBe(1008013);
+  });
+
   it("explicitThreadId takes priority over :topic: parsed value", () => {
     const resolved = resolveSessionDeliveryTarget({
       entry: {
diff --git a/src/infra/outbound/targets.ts b/src/infra/outbound/targets.ts
index 3a584473b8c..313db3cf636 100644
--- a/src/infra/outbound/targets.ts
+++ b/src/infra/outbound/targets.ts
@@ -16,6 +16,10 @@ import {
   isDeliverableMessageChannel,
   normalizeMessageChannel,
 } from "../../utils/message-channel.js";
+import {
+  resolveBuiltInExplicitTarget,
+  resolveBuiltInTargetChatType,
+} from "./built-in-channel-messaging.js";
 import {
   normalizeDeliverableOutboundChannel,
   resolveOutboundChannelPlugin,
@@ -74,7 +78,7 @@ function parseExplicitTargetWithPlugin(params: {
   return (
     resolveOutboundChannelPlugin({ channel: provider })?.messaging?.parseExplicitTarget?.({
       raw,
-    }) ?? null
+    }) ?? resolveBuiltInExplicitTarget(provider, raw)
   );
 }
 
@@ -415,9 +419,11 @@ function inferChatTypeFromTarget(params: {
   if (/^group:/i.test(to)) {
     return "group";
   }
-  return resolveOutboundChannelPlugin({
-    channel: params.channel,
-  })?.messaging?.inferTargetChatType?.({ to });
+  return (
+    resolveOutboundChannelPlugin({
+      channel: params.channel,
+    })?.messaging?.inferTargetChatType?.({ to }) ?? resolveBuiltInTargetChatType(params.channel, to)
+  );
 }
 
 function resolveHeartbeatDeliveryChatType(params: {
diff --git a/ui/src/ui/app-scroll.ts b/ui/src/ui/app-scroll.ts
index d8bd1d5b077..c5b75d24a64 100644
--- a/ui/src/ui/app-scroll.ts
+++ b/ui/src/ui/app-scroll.ts
@@ -15,6 +15,10 @@ type ScrollHost = {
   topbarObserver: ResizeObserver | null;
 };
 
+function queryHost(host: Partial<ScrollHost>, selectors: string): Element | null {
+  return typeof host.querySelector === "function" ? host.querySelector(selectors) : null;
+}
+
 export function scheduleChatScroll(host: ScrollHost, force = false, smooth = false) {
   if (host.chatScrollFrame) {
     cancelAnimationFrame(host.chatScrollFrame);
@@ -24,7 +28,7 @@ export function scheduleChatScroll(host: ScrollHost, force = false, smooth = fal
     host.chatScrollTimeout = null;
   }
   const pickScrollTarget = () => {
-    const container = host.querySelector(".chat-thread") as HTMLElement | null;
+    const container = queryHost(host, ".chat-thread") as HTMLElement | null;
     if (container) {
       const overflowY = getComputedStyle(container).overflowY;
       const canScroll =
@@ -104,7 +108,7 @@ export function scheduleLogsScroll(host: ScrollHost, force = false) {
   void host.updateComplete.then(() => {
     host.logsScrollFrame = requestAnimationFrame(() => {
       host.logsScrollFrame = null;
-      const container = host.querySelector(".log-stream") as HTMLElement | null;
+      const container = queryHost(host, ".log-stream") as HTMLElement | null;
       if (!container) {
         return;
       }
@@ -165,7 +169,7 @@ export function observeTopbar(host: ScrollHost) {
   if (typeof ResizeObserver === "undefined") {
     return;
   }
-  const topbar = host.querySelector(".topbar");
+  const topbar = queryHost(host, ".topbar");
   if (!topbar) {
     return;
   }

From e3ab0e174cbb68a4505ae88839aaec2414ed2e53 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Mar 2026 00:12:20 -0700
Subject: [PATCH 085/133] style(core): normalize rebase fallout

---
 src/cron/isolated-agent.test-setup.ts |  2 +-
 src/infra/bonjour.ts                  |  1 -
 ui/src/ui/storage.ts                  | 10 ++++++++--
 3 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/src/cron/isolated-agent.test-setup.ts b/src/cron/isolated-agent.test-setup.ts
index 17093bda0a5..c70ea583f68 100644
--- a/src/cron/isolated-agent.test-setup.ts
+++ b/src/cron/isolated-agent.test-setup.ts
@@ -1,6 +1,6 @@
 import { vi } from "vitest";
-import { signalOutbound, telegramOutbound } from "../../test/channel-outbounds.js";
 import { parseTelegramTarget } from "../../extensions/telegram/src/targets.js";
+import { signalOutbound, telegramOutbound } from "../../test/channel-outbounds.js";
 import { loadModelCatalog } from "../agents/model-catalog.js";
 import { runEmbeddedPiAgent } from "../agents/pi-embedded.js";
 import { runSubagentAnnounceFlow } from "../agents/subagent-announce.js";
diff --git a/src/infra/bonjour.ts b/src/infra/bonjour.ts
index e7ed5adf7f1..2b500986f33 100644
--- a/src/infra/bonjour.ts
+++ b/src/infra/bonjour.ts
@@ -1,4 +1,3 @@
-import type { CiaoService, Responder } from "@homebridge/ciao";
 import { logDebug, logWarn } from "../logger.js";
 import { getLogger } from "../logging.js";
 import { ignoreCiaoCancellationRejection } from "./bonjour-ciao.js";
diff --git a/ui/src/ui/storage.ts b/ui/src/ui/storage.ts
index fcd9c4469c8..aea47188bd3 100644
--- a/ui/src/ui/storage.ts
+++ b/ui/src/ui/storage.ts
@@ -194,7 +194,10 @@ export function loadSettings(): UiSettings {
   try {
     // First check for legacy key (no scope), then check for scoped key
     const scopedKey = settingsKeyForGateway(defaults.gatewayUrl);
-    const raw = storage?.getItem(scopedKey) ?? storage?.getItem(SETTINGS_KEY_PREFIX + "default") ?? storage?.getItem("openclaw.control.settings.v1");
+    const raw =
+      storage?.getItem(scopedKey) ??
+      storage?.getItem(SETTINGS_KEY_PREFIX + "default") ??
+      storage?.getItem("openclaw.control.settings.v1");
     if (!raw) {
       return defaults;
     }
@@ -266,7 +269,10 @@ function persistSettings(next: UiSettings) {
   let existingSessionsByGateway: Record<string, ScopedSessionSelection> = {};
   try {
     // Try to migrate from legacy key or other scopes
-    const raw = storage?.getItem(scopedKey) ?? storage?.getItem(SETTINGS_KEY_PREFIX + "default") ?? storage?.getItem("openclaw.control.settings.v1");
+    const raw =
+      storage?.getItem(scopedKey) ??
+      storage?.getItem(SETTINGS_KEY_PREFIX + "default") ??
+      storage?.getItem("openclaw.control.settings.v1");
     if (raw) {
       const parsed = JSON.parse(raw) as PersistedUiSettings;
       if (parsed.sessionsByGateway && typeof parsed.sessionsByGateway === "object") {

From 36f0f216ce329a1ee84274b4e55347707156fd9e Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Mar 2026 00:14:48 -0700
Subject: [PATCH 086/133] fix: accept sandbox plugin id hints

---
 src/plugins/manifest-registry.test.ts | 17 +++++++++++++++++
 src/plugins/manifest-registry.ts      |  6 +++++-
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/src/plugins/manifest-registry.test.ts b/src/plugins/manifest-registry.test.ts
index 29edb0da176..c60e5444443 100644
--- a/src/plugins/manifest-registry.test.ts
+++ b/src/plugins/manifest-registry.test.ts
@@ -386,6 +386,23 @@ describe("loadPluginManifestRegistry", () => {
     );
   });
 
+  it("accepts sandbox-style id hints without warning", () => {
+    const dir = makeTempDir();
+    writeManifest(dir, { id: "openshell", configSchema: { type: "object" } });
+
+    const registry = loadRegistry([
+      createPluginCandidate({
+        idHint: "openshell-sandbox",
+        rootDir: dir,
+        origin: "bundled",
+      }),
+    ]);
+
+    expect(registry.diagnostics.some((diag) => diag.message.includes("plugin id mismatch"))).toBe(
+      false,
+    );
+  });
+
   it("still warns for unrelated id hint mismatches", () => {
     const dir = makeTempDir();
     writeManifest(dir, { id: "openai", configSchema: { type: "object" } });
diff --git a/src/plugins/manifest-registry.ts b/src/plugins/manifest-registry.ts
index f9f77f8f041..ea646f38797 100644
--- a/src/plugins/manifest-registry.ts
+++ b/src/plugins/manifest-registry.ts
@@ -133,7 +133,11 @@ function isCompatiblePluginIdHint(idHint: string | undefined, manifestId: string
   if (normalizedHint === manifestId) {
     return true;
   }
-  return normalizedHint === `${manifestId}-provider` || normalizedHint === `${manifestId}-plugin`;
+  return (
+    normalizedHint === `${manifestId}-provider` ||
+    normalizedHint === `${manifestId}-plugin` ||
+    normalizedHint === `${manifestId}-sandbox`
+  );
 }
 
 function buildRecord(params: {

From 66447830524e3b91cd950cab2971e678d2086ce0 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Mon, 16 Mar 2026 00:13:18 -0700
Subject: [PATCH 087/133] Plugins: capture tool registrations in test registry

---
 src/plugins/contracts/registry.ts     | 30 ++++++++++++++++++++++-----
 src/test-utils/plugin-registration.ts |  7 +++++++
 2 files changed, 32 insertions(+), 5 deletions(-)

diff --git a/src/plugins/contracts/registry.ts b/src/plugins/contracts/registry.ts
index fce86382798..24366afe7f6 100644
--- a/src/plugins/contracts/registry.ts
+++ b/src/plugins/contracts/registry.ts
@@ -52,6 +52,13 @@ type WebSearchProviderContractEntry = {
   credentialValue: unknown;
 };
 
+type PluginRegistrationContractEntry = {
+  pluginId: string;
+  providerIds: string[];
+  webSearchProviderIds: string[];
+  toolNames: string[];
+};
+
 const bundledProviderPlugins: RegistrablePlugin[] = [
   anthropicPlugin,
   byteplusPlugin,
@@ -97,11 +104,7 @@ const bundledWebSearchPlugins: Array<RegistrablePlugin & { credentialValue: unkn
 
 function captureRegistrations(plugin: RegistrablePlugin) {
   const captured = createCapturedPluginRegistration();
-  const api = {
-    ...captured.api,
-    registerTool() {},
-  } satisfies Partial<OpenClawPluginApi>;
-  plugin.register(api as OpenClawPluginApi);
+  plugin.register(captured.api);
   return captured;
 }
 
@@ -124,3 +127,20 @@ export const webSearchProviderContractRegistry: WebSearchProviderContractEntry[]
       credentialValue: plugin.credentialValue,
     }));
   });
+
+const bundledPluginRegistrationList = [
+  ...new Map(
+    [...bundledProviderPlugins, ...bundledWebSearchPlugins].map((plugin) => [plugin.id, plugin]),
+  ).values(),
+];
+
+export const pluginRegistrationContractRegistry: PluginRegistrationContractEntry[] =
+  bundledPluginRegistrationList.map((plugin) => {
+    const captured = captureRegistrations(plugin);
+    return {
+      pluginId: plugin.id,
+      providerIds: captured.providers.map((provider) => provider.id),
+      webSearchProviderIds: captured.webSearchProviders.map((provider) => provider.id),
+      toolNames: captured.tools.map((tool) => tool.name),
+    };
+  });
diff --git a/src/test-utils/plugin-registration.ts b/src/test-utils/plugin-registration.ts
index fe89acc5d92..e17e4a2520d 100644
--- a/src/test-utils/plugin-registration.ts
+++ b/src/test-utils/plugin-registration.ts
@@ -1,4 +1,5 @@
 import type {
+  AnyAgentTool,
   OpenClawPluginApi,
   ProviderPlugin,
   WebSearchProviderPlugin,
@@ -8,15 +9,18 @@ export type CapturedPluginRegistration = {
   api: OpenClawPluginApi;
   providers: ProviderPlugin[];
   webSearchProviders: WebSearchProviderPlugin[];
+  tools: AnyAgentTool[];
 };
 
 export function createCapturedPluginRegistration(): CapturedPluginRegistration {
   const providers: ProviderPlugin[] = [];
   const webSearchProviders: WebSearchProviderPlugin[] = [];
+  const tools: AnyAgentTool[] = [];
 
   return {
     providers,
     webSearchProviders,
+    tools,
     api: {
       registerProvider(provider: ProviderPlugin) {
         providers.push(provider);
@@ -24,6 +28,9 @@ export function createCapturedPluginRegistration(): CapturedPluginRegistration {
       registerWebSearchProvider(provider: WebSearchProviderPlugin) {
         webSearchProviders.push(provider);
       },
+      registerTool(tool: AnyAgentTool) {
+        tools.push(tool);
+      },
     } as OpenClawPluginApi,
   };
 }

From 947b548870a52dd2387530a95c9b7c0e5e80c502 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Mon, 16 Mar 2026 00:13:52 -0700
Subject: [PATCH 088/133] Plugins: cover Firecrawl tool ownership

---
 .../contracts/registry.contract.test.ts       | 24 ++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/src/plugins/contracts/registry.contract.test.ts b/src/plugins/contracts/registry.contract.test.ts
index a87261fe58c..2bf113fe76d 100644
--- a/src/plugins/contracts/registry.contract.test.ts
+++ b/src/plugins/contracts/registry.contract.test.ts
@@ -1,5 +1,9 @@
 import { describe, expect, it } from "vitest";
-import { providerContractRegistry, webSearchProviderContractRegistry } from "./registry.js";
+import {
+  pluginRegistrationContractRegistry,
+  providerContractRegistry,
+  webSearchProviderContractRegistry,
+} from "./registry.js";
 
 function findProviderIdsForPlugin(pluginId: string) {
   return providerContractRegistry
@@ -15,6 +19,16 @@ function findWebSearchIdsForPlugin(pluginId: string) {
     .toSorted((left, right) => left.localeCompare(right));
 }
 
+function findRegistrationForPlugin(pluginId: string) {
+  const entry = pluginRegistrationContractRegistry.find(
+    (candidate) => candidate.pluginId === pluginId,
+  );
+  if (!entry) {
+    throw new Error(`plugin registration contract missing for ${pluginId}`);
+  }
+  return entry;
+}
+
 describe("plugin contract registry", () => {
   it("does not duplicate bundled provider ids", () => {
     const ids = providerContractRegistry.map((entry) => entry.provider.id);
@@ -40,4 +54,12 @@ describe("plugin contract registry", () => {
     expect(findWebSearchIdsForPlugin("perplexity")).toEqual(["perplexity"]);
     expect(findWebSearchIdsForPlugin("xai")).toEqual(["grok"]);
   });
+
+  it("keeps bundled provider and web search tool ownership explicit", () => {
+    expect(findRegistrationForPlugin("firecrawl")).toMatchObject({
+      providerIds: [],
+      webSearchProviderIds: ["firecrawl"],
+      toolNames: ["firecrawl_search", "firecrawl_scrape"],
+    });
+  });
 });

From 95b761a2e1c71b7faf09c539bb71aefd0b8e9847 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Mon, 16 Mar 2026 00:14:32 -0700
Subject: [PATCH 089/133] Firecrawl: drop local registration contract test

---
 extensions/firecrawl/index.test.ts | 18 ------------------
 1 file changed, 18 deletions(-)

diff --git a/extensions/firecrawl/index.test.ts b/extensions/firecrawl/index.test.ts
index 084d3c0c055..d4777161656 100644
--- a/extensions/firecrawl/index.test.ts
+++ b/extensions/firecrawl/index.test.ts
@@ -3,24 +3,6 @@ import plugin from "./index.js";
 import { __testing as firecrawlClientTesting } from "./src/firecrawl-client.js";
 
 describe("firecrawl plugin", () => {
-  it("registers a web search provider and tools", () => {
-    const tools: Array<{ name: string }> = [];
-    const webSearchProviders: Array<{ id: string }> = [];
-
-    plugin.register?.({
-      config: {},
-      registerTool(tool: { name: string }) {
-        tools.push(tool);
-      },
-      registerWebSearchProvider(provider: { id: string }) {
-        webSearchProviders.push(provider);
-      },
-    } as never);
-
-    expect(webSearchProviders.map((provider) => provider.id)).toEqual(["firecrawl"]);
-    expect(tools.map((tool) => tool.name)).toEqual(["firecrawl_search", "firecrawl_scrape"]);
-  });
-
   it("parses scrape payloads into wrapped external-content results", () => {
     const result = firecrawlClientTesting.parseFirecrawlScrapePayload({
       payload: {

From 79a67a5e089800f5329b2651bd5a6445d226f789 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Mon, 16 Mar 2026 00:18:00 -0700
Subject: [PATCH 090/133] Plugins: add provider catalog contracts

---
 .../contracts/catalog.contract.test.ts        | 63 +++++++++++++++++++
 1 file changed, 63 insertions(+)
 create mode 100644 src/plugins/contracts/catalog.contract.test.ts

diff --git a/src/plugins/contracts/catalog.contract.test.ts b/src/plugins/contracts/catalog.contract.test.ts
new file mode 100644
index 00000000000..306162b2dcf
--- /dev/null
+++ b/src/plugins/contracts/catalog.contract.test.ts
@@ -0,0 +1,63 @@
+import { describe, expect, it } from "vitest";
+import {
+  augmentModelCatalogWithProviderPlugins,
+  buildProviderMissingAuthMessageWithPlugin,
+  resolveProviderBuiltInModelSuppression,
+} from "../provider-runtime.js";
+
+describe("provider catalog contract", () => {
+  it("keeps codex-only missing-auth hints wired through the provider runtime", () => {
+    expect(
+      buildProviderMissingAuthMessageWithPlugin({
+        provider: "openai",
+        env: process.env,
+        context: {
+          env: process.env,
+          provider: "openai",
+          listProfileIds: (providerId) => (providerId === "openai-codex" ? ["p1"] : []),
+        },
+      }),
+    ).toContain("openai-codex/gpt-5.4");
+  });
+
+  it("keeps built-in model suppression wired through the provider runtime", () => {
+    expect(
+      resolveProviderBuiltInModelSuppression({
+        env: process.env,
+        context: {
+          env: process.env,
+          provider: "azure-openai-responses",
+          modelId: "gpt-5.3-codex-spark",
+        },
+      }),
+    ).toMatchObject({
+      suppress: true,
+      errorMessage: expect.stringContaining("openai-codex/gpt-5.3-codex-spark"),
+    });
+  });
+
+  it("keeps bundled model augmentation wired through the provider runtime", async () => {
+    await expect(
+      augmentModelCatalogWithProviderPlugins({
+        env: process.env,
+        context: {
+          env: process.env,
+          entries: [
+            { provider: "openai", id: "gpt-5.2", name: "GPT-5.2" },
+            { provider: "openai", id: "gpt-5.2-pro", name: "GPT-5.2 Pro" },
+            { provider: "openai-codex", id: "gpt-5.3-codex", name: "GPT-5.3 Codex" },
+          ],
+        },
+      }),
+    ).resolves.toEqual([
+      { provider: "openai", id: "gpt-5.4", name: "gpt-5.4" },
+      { provider: "openai", id: "gpt-5.4-pro", name: "gpt-5.4-pro" },
+      { provider: "openai-codex", id: "gpt-5.4", name: "gpt-5.4" },
+      {
+        provider: "openai-codex",
+        id: "gpt-5.3-codex-spark",
+        name: "gpt-5.3-codex-spark",
+      },
+    ]);
+  });
+});

From 3c62ab5c89d20192eb84a53f133edbe4e142ceb3 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Mon, 16 Mar 2026 00:18:10 -0700
Subject: [PATCH 091/133] Plugins: narrow provider runtime contracts

---
 .../contracts/runtime.contract.test.ts        | 20 -------------------
 1 file changed, 20 deletions(-)

diff --git a/src/plugins/contracts/runtime.contract.test.ts b/src/plugins/contracts/runtime.contract.test.ts
index 1942bc1cbbf..ee8503d88bf 100644
--- a/src/plugins/contracts/runtime.contract.test.ts
+++ b/src/plugins/contracts/runtime.contract.test.ts
@@ -356,26 +356,6 @@ describe("provider runtime contract", () => {
         api: "openai-responses",
       });
     });
-
-    it("owns codex-only missing-auth hints and Spark suppression", () => {
-      const provider = requireProvider("openai");
-      expect(
-        provider.buildMissingAuthMessage?.({
-          env: {} as NodeJS.ProcessEnv,
-          provider: "openai",
-          listProfileIds: (providerId) => (providerId === "openai-codex" ? ["p1"] : []),
-        }),
-      ).toContain("openai-codex/gpt-5.4");
-      expect(
-        provider.suppressBuiltInModel?.({
-          env: {} as NodeJS.ProcessEnv,
-          provider: "azure-openai-responses",
-          modelId: "gpt-5.3-codex-spark",
-        }),
-      ).toMatchObject({
-        suppress: true,
-      });
-    });
   });
 
   describe("openai-codex", () => {

From 99c501a9a797cd0e1b8376ce3bc291869d1d4c86 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Mar 2026 00:19:21 -0700
Subject: [PATCH 092/133] refactor(plugin-sdk): use scoped core imports for
 bundled channels

---
 extensions/discord/src/channel.ts  | 10 +++++-----
 extensions/imessage/src/channel.ts |  2 +-
 extensions/signal/src/channel.ts   |  2 +-
 extensions/slack/src/channel.ts    | 10 +++++-----
 extensions/telegram/src/channel.ts | 10 +++++-----
 src/plugin-sdk/core.ts             |  6 ++++++
 src/plugin-sdk/subpaths.test.ts    |  6 ++++++
 7 files changed, 29 insertions(+), 17 deletions(-)

diff --git a/extensions/discord/src/channel.ts b/extensions/discord/src/channel.ts
index f83be6bbe41..88295c61880 100644
--- a/extensions/discord/src/channel.ts
+++ b/extensions/discord/src/channel.ts
@@ -1,9 +1,4 @@
 import { Separator, TextDisplay } from "@buape/carbon";
-import {
-  buildAgentSessionKey,
-  resolveThreadSessionKeys,
-  type RoutePeer,
-} from "openclaw/plugin-sdk";
 import { createScopedChannelConfigBase } from "openclaw/plugin-sdk/compat";
 import {
   buildAccountScopedAllowlistConfigEditor,
@@ -13,6 +8,11 @@ import {
   createScopedAccountConfigAccessors,
   formatAllowFromLowercase,
 } from "openclaw/plugin-sdk/compat";
+import {
+  buildAgentSessionKey,
+  resolveThreadSessionKeys,
+  type RoutePeer,
+} from "openclaw/plugin-sdk/core";
 import {
   buildComputedAccountStatusSnapshot,
   buildChannelConfigSchema,
diff --git a/extensions/imessage/src/channel.ts b/extensions/imessage/src/channel.ts
index a4767706757..2d5b0ba9b39 100644
--- a/extensions/imessage/src/channel.ts
+++ b/extensions/imessage/src/channel.ts
@@ -1,9 +1,9 @@
-import { buildAgentSessionKey, type RoutePeer } from "openclaw/plugin-sdk";
 import {
   buildAccountScopedAllowlistConfigEditor,
   buildAccountScopedDmSecurityPolicy,
   collectAllowlistProviderRestrictSendersWarnings,
 } from "openclaw/plugin-sdk/compat";
+import { buildAgentSessionKey, type RoutePeer } from "openclaw/plugin-sdk/core";
 import {
   buildChannelConfigSchema,
   collectStatusIssuesFromLastError,
diff --git a/extensions/signal/src/channel.ts b/extensions/signal/src/channel.ts
index 2d7e1983972..bb65502e017 100644
--- a/extensions/signal/src/channel.ts
+++ b/extensions/signal/src/channel.ts
@@ -1,10 +1,10 @@
-import { buildAgentSessionKey, type RoutePeer } from "openclaw/plugin-sdk";
 import {
   buildAccountScopedAllowlistConfigEditor,
   buildAccountScopedDmSecurityPolicy,
   createScopedAccountConfigAccessors,
   collectAllowlistProviderRestrictSendersWarnings,
 } from "openclaw/plugin-sdk/compat";
+import { buildAgentSessionKey, type RoutePeer } from "openclaw/plugin-sdk/core";
 import {
   buildBaseAccountStatusSnapshot,
   buildBaseChannelStatusSummary,
diff --git a/extensions/slack/src/channel.ts b/extensions/slack/src/channel.ts
index 32d362be5e6..3b0e347ba24 100644
--- a/extensions/slack/src/channel.ts
+++ b/extensions/slack/src/channel.ts
@@ -1,8 +1,3 @@
-import {
-  buildAgentSessionKey,
-  resolveThreadSessionKeys,
-  type RoutePeer,
-} from "openclaw/plugin-sdk";
 import { createScopedChannelConfigBase } from "openclaw/plugin-sdk/compat";
 import {
   buildAccountScopedAllowlistConfigEditor,
@@ -12,6 +7,11 @@ import {
   createScopedAccountConfigAccessors,
   formatAllowFromLowercase,
 } from "openclaw/plugin-sdk/compat";
+import {
+  buildAgentSessionKey,
+  resolveThreadSessionKeys,
+  type RoutePeer,
+} from "openclaw/plugin-sdk/core";
 import {
   buildComputedAccountStatusSnapshot,
   buildChannelConfigSchema,
diff --git a/extensions/telegram/src/channel.ts b/extensions/telegram/src/channel.ts
index 1b30d43a7e0..37915fa07df 100644
--- a/extensions/telegram/src/channel.ts
+++ b/extensions/telegram/src/channel.ts
@@ -1,8 +1,3 @@
-import {
-  buildAgentSessionKey,
-  resolveThreadSessionKeys,
-  type RoutePeer,
-} from "openclaw/plugin-sdk";
 import { createScopedChannelConfigBase } from "openclaw/plugin-sdk/compat";
 import {
   buildAccountScopedAllowlistConfigEditor,
@@ -12,6 +7,11 @@ import {
   createScopedDmSecurityResolver,
   formatAllowFromLowercase,
 } from "openclaw/plugin-sdk/compat";
+import {
+  buildAgentSessionKey,
+  resolveThreadSessionKeys,
+  type RoutePeer,
+} from "openclaw/plugin-sdk/core";
 import {
   buildChannelConfigSchema,
   buildTokenChannelStatusSummary,
diff --git a/src/plugin-sdk/core.ts b/src/plugin-sdk/core.ts
index 1dd8ada1f6e..458a4ecfce7 100644
--- a/src/plugin-sdk/core.ts
+++ b/src/plugin-sdk/core.ts
@@ -138,3 +138,9 @@ export type {
   TailscaleStatusCommandResult,
   TailscaleStatusCommandRunner,
 } from "../shared/tailscale-status.js";
+export {
+  buildAgentSessionKey,
+  type RoutePeer,
+  type RoutePeerKind,
+} from "../routing/resolve-route.js";
+export { resolveThreadSessionKeys } from "../routing/session-key.js";
diff --git a/src/plugin-sdk/subpaths.test.ts b/src/plugin-sdk/subpaths.test.ts
index 8a57148f430..be9e2680ec5 100644
--- a/src/plugin-sdk/subpaths.test.ts
+++ b/src/plugin-sdk/subpaths.test.ts
@@ -1,5 +1,6 @@
 import * as extensionApi from "openclaw/extension-api";
 import * as compatSdk from "openclaw/plugin-sdk/compat";
+import * as coreSdk from "openclaw/plugin-sdk/core";
 import * as discordSdk from "openclaw/plugin-sdk/discord";
 import * as imessageSdk from "openclaw/plugin-sdk/imessage";
 import * as lineSdk from "openclaw/plugin-sdk/line";
@@ -25,6 +26,11 @@ describe("plugin-sdk subpath exports", () => {
     expect(typeof compatSdk.resolveControlCommandGate).toBe("function");
   });
 
+  it("exports core routing helpers", () => {
+    expect(typeof coreSdk.buildAgentSessionKey).toBe("function");
+    expect(typeof coreSdk.resolveThreadSessionKeys).toBe("function");
+  });
+
   it("exports Discord helpers", () => {
     expect(typeof discordSdk.resolveDiscordAccount).toBe("function");
     expect(typeof discordSdk.inspectDiscordAccount).toBe("function");

From cec10703dcefbbef52f0e362611fb45abf88bd8d Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Mar 2026 07:19:09 +0000
Subject: [PATCH 093/133] fix: unblock ci gates

---
 docs/.generated/config-baseline.json  | 16 ++++++++++
 docs/.generated/config-baseline.jsonl |  3 +-
 scripts/check-cli-startup-memory.mjs  |  6 +++-
 src/plugins/discovery.test.ts         | 29 +++++++++++++-----
 src/security/audit.ts                 | 43 ++++++++++++++++++++-------
 5 files changed, 77 insertions(+), 20 deletions(-)

diff --git a/docs/.generated/config-baseline.json b/docs/.generated/config-baseline.json
index d162ba7a92e..c976fbac1af 100644
--- a/docs/.generated/config-baseline.json
+++ b/docs/.generated/config-baseline.json
@@ -40252,6 +40252,22 @@
       "help": "Debounce window (ms) before applying config changes.",
       "hasChildren": false
     },
+    {
+      "path": "gateway.reload.deferralTimeoutMs",
+      "kind": "core",
+      "type": "integer",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "network",
+        "performance",
+        "reliability"
+      ],
+      "label": "Restart Deferral Timeout (ms)",
+      "help": "Maximum time (ms) to wait for in-flight operations to complete before forcing a SIGUSR1 restart. Default: 300000 (5 minutes). Lower values risk aborting active subagent LLM calls.",
+      "hasChildren": false
+    },
     {
       "path": "gateway.reload.mode",
       "kind": "core",
diff --git a/docs/.generated/config-baseline.jsonl b/docs/.generated/config-baseline.jsonl
index 80b18c4cc4b..522e41beb37 100644
--- a/docs/.generated/config-baseline.jsonl
+++ b/docs/.generated/config-baseline.jsonl
@@ -1,4 +1,4 @@
-{"generatedBy":"scripts/generate-config-doc-baseline.ts","recordType":"meta","totalPaths":5093}
+{"generatedBy":"scripts/generate-config-doc-baseline.ts","recordType":"meta","totalPaths":5094}
 {"recordType":"path","path":"acp","kind":"core","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"ACP","help":"ACP runtime controls for enabling dispatch, selecting backends, constraining allowed agent targets, and tuning streamed turn projection behavior.","hasChildren":true}
 {"recordType":"path","path":"acp.allowedAgents","kind":"core","type":"array","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"ACP Allowed Agents","help":"Allowlist of ACP target agent ids permitted for ACP runtime sessions. Empty means no additional allowlist restriction.","hasChildren":true}
 {"recordType":"path","path":"acp.allowedAgents.*","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
@@ -3603,6 +3603,7 @@
 {"recordType":"path","path":"gateway.push.apns.relay.timeoutMs","kind":"core","type":"integer","required":false,"deprecated":false,"sensitive":false,"tags":["network","performance"],"label":"Gateway APNs Relay Timeout (ms)","help":"Timeout in milliseconds for relay send requests from the gateway to the APNs relay (default: 10000). Increase for slower relays or networks, or lower to fail wake attempts faster.","hasChildren":false}
 {"recordType":"path","path":"gateway.reload","kind":"core","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["network","reliability"],"label":"Config Reload","help":"Live config-reload policy for how edits are applied and when full restarts are triggered. Keep hybrid behavior for safest operational updates unless debugging reload internals.","hasChildren":true}
 {"recordType":"path","path":"gateway.reload.debounceMs","kind":"core","type":"integer","required":false,"deprecated":false,"sensitive":false,"tags":["network","performance","reliability"],"label":"Config Reload Debounce (ms)","help":"Debounce window (ms) before applying config changes.","hasChildren":false}
+{"recordType":"path","path":"gateway.reload.deferralTimeoutMs","kind":"core","type":"integer","required":false,"deprecated":false,"sensitive":false,"tags":["network","performance","reliability"],"label":"Restart Deferral Timeout (ms)","help":"Maximum time (ms) to wait for in-flight operations to complete before forcing a SIGUSR1 restart. Default: 300000 (5 minutes). Lower values risk aborting active subagent LLM calls.","hasChildren":false}
 {"recordType":"path","path":"gateway.reload.mode","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":["network","reliability"],"label":"Config Reload Mode","help":"Controls how config edits are applied: \"off\" ignores live edits, \"restart\" always restarts, \"hot\" applies in-process, and \"hybrid\" tries hot then restarts if required. Keep \"hybrid\" for safest routine updates.","hasChildren":false}
 {"recordType":"path","path":"gateway.remote","kind":"core","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["network"],"label":"Remote Gateway","help":"Remote gateway connection settings for direct or SSH transport when this instance proxies to another runtime host. Use remote mode only when split-host operation is intentionally configured.","hasChildren":true}
 {"recordType":"path","path":"gateway.remote.password","kind":"core","type":["object","string"],"required":false,"deprecated":false,"sensitive":true,"tags":["auth","network","security"],"label":"Remote Gateway Password","help":"Password credential used for remote gateway authentication when password mode is enabled. Keep this secret managed externally and avoid plaintext values in committed config.","hasChildren":true}
diff --git a/scripts/check-cli-startup-memory.mjs b/scripts/check-cli-startup-memory.mjs
index 1b17e28ceea..fcbd63d8d11 100644
--- a/scripts/check-cli-startup-memory.mjs
+++ b/scripts/check-cli-startup-memory.mjs
@@ -33,7 +33,7 @@ writeFileSync(
 
 const DEFAULT_LIMITS_MB = {
   help: 500,
-  statusJson: 900,
+  statusJson: 925,
   gatewayStatus: 900,
 };
 
@@ -93,6 +93,10 @@ function buildBenchEnv() {
   }
   if (process.env.NODE_DISABLE_COMPILE_CACHE) {
     env.NODE_DISABLE_COMPILE_CACHE = process.env.NODE_DISABLE_COMPILE_CACHE;
+  } else {
+    // Keep the regression check focused on app/runtime startup, not Node's
+    // one-shot compile cache overhead, which varies across runner builds.
+    env.NODE_DISABLE_COMPILE_CACHE = "1";
   }
 
   return env;
diff --git a/src/plugins/discovery.test.ts b/src/plugins/discovery.test.ts
index a61c21e4125..ea84b562729 100644
--- a/src/plugins/discovery.test.ts
+++ b/src/plugins/discovery.test.ts
@@ -16,6 +16,23 @@ function makeTempDir() {
 
 const mkdirSafe = mkdirSafeDir;
 
+function normalizePathForAssertion(value: string | undefined): string | undefined {
+  if (!value) {
+    return value;
+  }
+  return value.replace(/\\/g, "/");
+}
+
+function hasDiagnosticSourceSuffix(
+  diagnostics: Array<{ source?: string }>,
+  suffix: string,
+): boolean {
+  const normalizedSuffix = normalizePathForAssertion(suffix);
+  return diagnostics.some((entry) =>
+    normalizePathForAssertion(entry.source)?.endsWith(normalizedSuffix ?? suffix),
+  );
+}
+
 function buildDiscoveryEnv(stateDir: string): NodeJS.ProcessEnv {
   return {
     OPENCLAW_STATE_DIR: stateDir,
@@ -242,7 +259,9 @@ describe("discoverOpenClawPlugins", () => {
     expect(bundle?.format).toBe("bundle");
     expect(bundle?.bundleFormat).toBe("codex");
     expect(bundle?.source).toBe(bundleDir);
-    expect(bundle?.rootDir).toBe(fs.realpathSync.native(bundleDir));
+    expect(normalizePathForAssertion(bundle?.rootDir)).toBe(
+      normalizePathForAssertion(fs.realpathSync(bundleDir)),
+    );
   });
 
   it("auto-detects manifestless Claude bundles from the default layout", async () => {
@@ -296,9 +315,7 @@ describe("discoverOpenClawPlugins", () => {
 
     expect(legacy).toBeDefined();
     expect(legacy?.format).toBe("openclaw");
-    expect(
-      result.diagnostics.some((entry) => entry.source?.endsWith(".claude-plugin/plugin.json")),
-    ).toBe(true);
+    expect(hasDiagnosticSourceSuffix(result.diagnostics, ".claude-plugin/plugin.json")).toBe(true);
   });
 
   it("falls back to legacy index discovery for configured paths with malformed bundle sidecars", async () => {
@@ -317,9 +334,7 @@ describe("discoverOpenClawPlugins", () => {
 
     expect(legacy).toBeDefined();
     expect(legacy?.format).toBe("openclaw");
-    expect(
-      result.diagnostics.some((entry) => entry.source?.endsWith(".codex-plugin/plugin.json")),
-    ).toBe(true);
+    expect(hasDiagnosticSourceSuffix(result.diagnostics, ".codex-plugin/plugin.json")).toBe(true);
   });
 
   it("blocks extension entries that escape package directory", async () => {
diff --git a/src/security/audit.ts b/src/security/audit.ts
index 4e3ef0a6920..ba809a1714c 100644
--- a/src/security/audit.ts
+++ b/src/security/audit.ts
@@ -1,7 +1,6 @@
 import { isIP } from "node:net";
 import path from "node:path";
 import { resolveSandboxConfigForAgent } from "../agents/sandbox.js";
-import { execDockerRaw } from "../agents/sandbox/docker.js";
 import { redactCdpUrl } from "../browser/cdp.helpers.js";
 import { resolveBrowserConfig, resolveProfile } from "../browser/config.js";
 import { resolveBrowserControlAuth } from "../browser/control-auth.js";
@@ -12,9 +11,6 @@ import type { ConfigFileSnapshot, OpenClawConfig } from "../config/config.js";
 import { resolveConfigPath, resolveStateDir } from "../config/paths.js";
 import { hasConfiguredSecretInput } from "../config/types.secrets.js";
 import { resolveGatewayAuth } from "../gateway/auth.js";
-import { buildGatewayConnectionDetails } from "../gateway/call.js";
-import { resolveGatewayProbeAuthSafe } from "../gateway/probe-auth.js";
-import { probeGateway } from "../gateway/probe.js";
 import {
   listInterpreterLikeSafeBins,
   resolveMergedSafeBinProfileFixtures,
@@ -30,6 +26,9 @@ import { collectEnabledInsecureOrDangerousFlags } from "./dangerous-config-flags
 import { DEFAULT_GATEWAY_HTTP_TOOL_DENY } from "./dangerous-tools.js";
 import type { ExecFn } from "./windows-acl.js";
 
+type ExecDockerRawFn = typeof import("../agents/sandbox/docker.js").execDockerRaw;
+type ProbeGatewayFn = typeof import("../gateway/probe.js").probeGateway;
+
 export type SecurityAuditSeverity = "info" | "warn" | "critical";
 
 export type SecurityAuditFinding = {
@@ -77,18 +76,18 @@ export type SecurityAuditOptions = {
   deepTimeoutMs?: number;
   /** Dependency injection for tests. */
   plugins?: ReturnType<typeof listChannelPlugins>;
-  /** Dependency injection for tests. */
-  probeGatewayFn?: typeof probeGateway;
   /** Dependency injection for tests (Windows ACL checks). */
   execIcacls?: ExecFn;
   /** Dependency injection for tests (Docker label checks). */
-  execDockerRawFn?: typeof execDockerRaw;
+  execDockerRawFn?: ExecDockerRawFn;
   /** Optional preloaded config snapshot to skip audit-time config file reads. */
   configSnapshot?: ConfigFileSnapshot | null;
   /** Optional cache for code-safety summaries across repeated deep audits. */
   codeSafetySummaryCache?: Map<string, Promise<unknown>>;
   /** Optional explicit auth for deep gateway probe. */
   deepProbeAuth?: { token?: string; password?: string };
+  /** Dependency injection for tests. */
+  probeGatewayFn?: ProbeGatewayFn;
 };
 
 type AuditExecutionContext = {
@@ -103,8 +102,8 @@ type AuditExecutionContext = {
   stateDir: string;
   configPath: string;
   execIcacls?: ExecFn;
-  execDockerRawFn?: typeof execDockerRaw;
-  probeGatewayFn?: typeof probeGateway;
+  execDockerRawFn?: ExecDockerRawFn;
+  probeGatewayFn?: ProbeGatewayFn;
   plugins?: ReturnType<typeof listChannelPlugins>;
   configSnapshot: ConfigFileSnapshot | null;
   codeSafetySummaryCache: Map<string, Promise<unknown>>;
@@ -117,6 +116,13 @@ let auditDeepModulePromise: Promise<typeof import("./audit.deep.runtime.js")> |
 let auditChannelModulePromise:
   | Promise<typeof import("./audit-channel.collect.runtime.js")>
   | undefined;
+let gatewayProbeDepsPromise:
+  | Promise<{
+      buildGatewayConnectionDetails: typeof import("../gateway/call.js").buildGatewayConnectionDetails;
+      resolveGatewayProbeAuthSafe: typeof import("../gateway/probe-auth.js").resolveGatewayProbeAuthSafe;
+      probeGateway: typeof import("../gateway/probe.js").probeGateway;
+    }>
+  | undefined;
 
 async function loadChannelPlugins() {
   channelPluginsModulePromise ??= import("../channels/plugins/index.js");
@@ -138,6 +144,19 @@ async function loadAuditChannelModule() {
   return await auditChannelModulePromise;
 }
 
+async function loadGatewayProbeDeps() {
+  gatewayProbeDepsPromise ??= Promise.all([
+    import("../gateway/call.js"),
+    import("../gateway/probe-auth.js"),
+    import("../gateway/probe.js"),
+  ]).then(([callModule, probeAuthModule, probeModule]) => ({
+    buildGatewayConnectionDetails: callModule.buildGatewayConnectionDetails,
+    resolveGatewayProbeAuthSafe: probeAuthModule.resolveGatewayProbeAuthSafe,
+    probeGateway: probeModule.probeGateway,
+  }));
+  return await gatewayProbeDepsPromise;
+}
+
 function countBySeverity(findings: SecurityAuditFinding[]): SecurityAuditSummary {
   let critical = 0;
   let warn = 0;
@@ -1066,12 +1085,14 @@ async function maybeProbeGateway(params: {
   cfg: OpenClawConfig;
   env: NodeJS.ProcessEnv;
   timeoutMs: number;
-  probe: typeof probeGateway;
+  probe: ProbeGatewayFn;
   explicitAuth?: { token?: string; password?: string };
 }): Promise<{
   deep: SecurityAuditReport["deep"];
   authWarning?: string;
 }> {
+  const { buildGatewayConnectionDetails, resolveGatewayProbeAuthSafe } =
+    await loadGatewayProbeDeps();
   const connection = buildGatewayConnectionDetails({ config: params.cfg });
   const url = connection.url;
   const isRemoteMode = params.cfg.gateway?.mode === "remote";
@@ -1267,7 +1288,7 @@ export async function runSecurityAudit(opts: SecurityAuditOptions): Promise<Secu
         cfg,
         env,
         timeoutMs: context.deepTimeoutMs,
-        probe: context.probeGatewayFn ?? probeGateway,
+        probe: context.probeGatewayFn ?? (await loadGatewayProbeDeps()).probeGateway,
         explicitAuth: context.deepProbeAuth,
       })
     : undefined;

From 320b4bcb078b3ef6e9ddabab04aff9d465a18885 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Mon, 16 Mar 2026 00:21:42 -0700
Subject: [PATCH 094/133] Plugins: add provider wizard contracts

---
 src/plugins/contracts/wizard.contract.test.ts | 142 ++++++++++++++++++
 1 file changed, 142 insertions(+)
 create mode 100644 src/plugins/contracts/wizard.contract.test.ts

diff --git a/src/plugins/contracts/wizard.contract.test.ts b/src/plugins/contracts/wizard.contract.test.ts
new file mode 100644
index 00000000000..ee0cd879b25
--- /dev/null
+++ b/src/plugins/contracts/wizard.contract.test.ts
@@ -0,0 +1,142 @@
+import { describe, expect, it } from "vitest";
+import {
+  buildProviderPluginMethodChoice,
+  resolveProviderModelPickerEntries,
+  resolveProviderPluginChoice,
+  resolveProviderWizardOptions,
+} from "../provider-wizard.js";
+import { resolvePluginProviders } from "../providers.js";
+import type { ProviderPlugin } from "../types.js";
+import { providerContractRegistry } from "./registry.js";
+
+function createBundledProviderConfig() {
+  return {
+    plugins: {
+      enabled: true,
+      allow: [...new Set(providerContractRegistry.map((entry) => entry.pluginId))],
+      slots: {
+        memory: "none",
+      },
+    },
+  };
+}
+
+function resolveExpectedWizardChoiceValues(providers: ProviderPlugin[]) {
+  const values: string[] = [];
+
+  for (const provider of providers) {
+    const methodSetups = provider.auth.filter((method) => method.wizard);
+    if (methodSetups.length > 0) {
+      values.push(
+        ...methodSetups.map(
+          (method) =>
+            method.wizard?.choiceId?.trim() ||
+            buildProviderPluginMethodChoice(provider.id, method.id),
+        ),
+      );
+      continue;
+    }
+
+    const setup = provider.wizard?.setup;
+    if (!setup) {
+      continue;
+    }
+
+    const explicitMethodId = setup.methodId?.trim();
+    if (explicitMethodId && provider.auth.some((method) => method.id === explicitMethodId)) {
+      values.push(
+        setup.choiceId?.trim() || buildProviderPluginMethodChoice(provider.id, explicitMethodId),
+      );
+      continue;
+    }
+
+    values.push(
+      ...provider.auth.map((method) => buildProviderPluginMethodChoice(provider.id, method.id)),
+    );
+  }
+
+  return values.toSorted((left, right) => left.localeCompare(right));
+}
+
+function resolveExpectedModelPickerValues(providers: ProviderPlugin[]) {
+  return providers
+    .flatMap((provider) => {
+      const modelPicker = provider.wizard?.modelPicker;
+      if (!modelPicker) {
+        return [];
+      }
+      const explicitMethodId = modelPicker.methodId?.trim();
+      if (explicitMethodId) {
+        return [buildProviderPluginMethodChoice(provider.id, explicitMethodId)];
+      }
+      if (provider.auth.length === 1) {
+        return [provider.id];
+      }
+      return [buildProviderPluginMethodChoice(provider.id, provider.auth[0]?.id ?? "default")];
+    })
+    .toSorted((left, right) => left.localeCompare(right));
+}
+
+describe("provider wizard contract", () => {
+  it("exposes every registered provider setup choice through the shared wizard layer", () => {
+    const config = createBundledProviderConfig();
+    const providers = resolvePluginProviders({
+      config,
+      env: process.env,
+    });
+
+    const options = resolveProviderWizardOptions({
+      config,
+      env: process.env,
+    });
+
+    expect(
+      options.map((option) => option.value).toSorted((left, right) => left.localeCompare(right)),
+    ).toEqual(resolveExpectedWizardChoiceValues(providers));
+    expect(options.map((option) => option.value)).toEqual([
+      ...new Set(options.map((option) => option.value)),
+    ]);
+  });
+
+  it("round-trips every shared wizard choice back to its provider and auth method", () => {
+    const config = createBundledProviderConfig();
+    const providers = resolvePluginProviders({
+      config,
+      env: process.env,
+    });
+
+    for (const option of resolveProviderWizardOptions({ config, env: process.env })) {
+      const resolved = resolveProviderPluginChoice({
+        providers,
+        choice: option.value,
+      });
+      expect(resolved).not.toBeNull();
+      expect(resolved?.provider.id).toBeTruthy();
+      expect(resolved?.method.id).toBeTruthy();
+    }
+  });
+
+  it("exposes every registered model-picker entry through the shared wizard layer", () => {
+    const config = createBundledProviderConfig();
+    const providers = resolvePluginProviders({
+      config,
+      env: process.env,
+    });
+
+    const entries = resolveProviderModelPickerEntries({
+      config,
+      env: process.env,
+    });
+
+    expect(
+      entries.map((entry) => entry.value).toSorted((left, right) => left.localeCompare(right)),
+    ).toEqual(resolveExpectedModelPickerValues(providers));
+    for (const entry of entries) {
+      const resolved = resolveProviderPluginChoice({
+        providers,
+        choice: entry.value,
+      });
+      expect(resolved).not.toBeNull();
+    }
+  });
+});

From e90c1d9add66578048b0a04b9a7e4ba2813a31f7 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Mar 2026 07:23:36 +0000
Subject: [PATCH 095/133] fix: unblock docs and registry checks

---
 scripts/docs-link-audit.mjs       | 15 ++++++++++++++-
 src/plugins/contracts/registry.ts |  1 -
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/scripts/docs-link-audit.mjs b/scripts/docs-link-audit.mjs
index 2b9bb91de16..2419fc2d8f5 100644
--- a/scripts/docs-link-audit.mjs
+++ b/scripts/docs-link-audit.mjs
@@ -63,7 +63,17 @@ for (const item of docsConfig.redirects || []) {
 const allFiles = walk(DOCS_DIR);
 const relAllFiles = new Set(allFiles.map((abs) => normalizeSlashes(path.relative(DOCS_DIR, abs))));
 
-const markdownFiles = allFiles.filter((abs) => /\.(md|mdx)$/i.test(abs));
+function isGeneratedTranslatedDoc(relPath) {
+  return relPath.startsWith("zh-CN/");
+}
+
+const markdownFiles = allFiles.filter((abs) => {
+  if (!/\.(md|mdx)$/i.test(abs)) {
+    return false;
+  }
+  const rel = normalizeSlashes(path.relative(DOCS_DIR, abs));
+  return !isGeneratedTranslatedDoc(rel);
+});
 const routes = new Set();
 
 for (const abs of markdownFiles) {
@@ -257,6 +267,9 @@ for (const abs of markdownFiles) {
 }
 
 for (const page of collectNavPageEntries(docsConfig.navigation || [])) {
+  if (isGeneratedTranslatedDoc(String(page))) {
+    continue;
+  }
   checked++;
   const route = normalizeRoute(page);
   const resolvedRoute = resolveRoute(route);
diff --git a/src/plugins/contracts/registry.ts b/src/plugins/contracts/registry.ts
index 24366afe7f6..8099ce4ca44 100644
--- a/src/plugins/contracts/registry.ts
+++ b/src/plugins/contracts/registry.ts
@@ -33,7 +33,6 @@ import xaiPlugin from "../../../extensions/xai/index.js";
 import xiaomiPlugin from "../../../extensions/xiaomi/index.js";
 import zaiPlugin from "../../../extensions/zai/index.js";
 import { createCapturedPluginRegistration } from "../../test-utils/plugin-registration.js";
-import type { OpenClawPluginApi } from "../types.js";
 import type { ProviderPlugin, WebSearchProviderPlugin } from "../types.js";
 
 type RegistrablePlugin = {

From 7964563299b2f561cca07d0597047797cc7867a1 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Mar 2026 00:24:40 -0700
Subject: [PATCH 096/133] refactor: finish plugin-owned channel runtime seams

---
 extensions/discord/src/channel.ts             |  16 +-
 extensions/imessage/src/channel.ts            |   1 +
 extensions/signal/src/channel.ts              |   2 +-
 extensions/slack/src/channel.ts               |   2 +-
 extensions/telegram/src/channel.ts            |   2 +-
 package.json                                  |   4 +
 scripts/lib/plugin-sdk-entrypoints.json       |   1 +
 .../reply/commands-subagents/shared.ts        |  12 +-
 .../reply/dispatch-from-config.test.ts        |  11 ++
 src/auto-reply/reply/dispatch-from-config.ts  |   6 +-
 src/auto-reply/reply/reply-payloads.ts        |  17 +-
 src/auto-reply/reply/telegram-context.test.ts |  11 +-
 src/auto-reply/reply/telegram-context.ts      |   4 +-
 src/channels/plugins/directory-config.ts      |  81 +++++++--
 src/channels/plugins/exec-approval-local.ts   |  22 +++
 src/channels/plugins/index.ts                 |  91 +---------
 src/channels/plugins/registry.ts              |  82 +++++++++
 src/channels/plugins/target-parsing.ts        |  26 +++
 src/channels/plugins/types.adapters.ts        |   5 +
 src/plugin-sdk/channel-config-helpers.ts      |  20 ++-
 src/plugin-sdk/routing.ts                     |   6 +
 src/plugins/commands.test.ts                  |  11 +-
 src/plugins/commands.ts                       |  16 +-
 src/plugins/runtime/runtime-channel.ts        | 164 ++----------------
 src/plugins/runtime/runtime-discord.ts        |  60 +++++++
 src/plugins/runtime/runtime-imessage.ts       |  12 ++
 src/plugins/runtime/runtime-signal.ts         |  14 ++
 src/plugins/runtime/runtime-slack.ts          |  24 +++
 src/plugins/runtime/runtime-telegram.ts       |  61 +++++++
 29 files changed, 488 insertions(+), 296 deletions(-)
 create mode 100644 src/channels/plugins/exec-approval-local.ts
 create mode 100644 src/channels/plugins/registry.ts
 create mode 100644 src/channels/plugins/target-parsing.ts
 create mode 100644 src/plugin-sdk/routing.ts
 create mode 100644 src/plugins/runtime/runtime-discord.ts
 create mode 100644 src/plugins/runtime/runtime-imessage.ts
 create mode 100644 src/plugins/runtime/runtime-signal.ts
 create mode 100644 src/plugins/runtime/runtime-slack.ts
 create mode 100644 src/plugins/runtime/runtime-telegram.ts

diff --git a/extensions/discord/src/channel.ts b/extensions/discord/src/channel.ts
index 88295c61880..e3833f56ed5 100644
--- a/extensions/discord/src/channel.ts
+++ b/extensions/discord/src/channel.ts
@@ -41,9 +41,17 @@ import {
   type OpenClawConfig,
   type ResolvedDiscordAccount,
 } from "openclaw/plugin-sdk/discord";
+import {
+  buildAgentSessionKey,
+  resolveThreadSessionKeys,
+  type RoutePeer,
+} from "openclaw/plugin-sdk/routing";
 import { resolveOutboundSendDep } from "../../../src/infra/outbound/send-deps.js";
 import { normalizeMessageChannel } from "../../../src/utils/message-channel.js";
-import { isDiscordExecApprovalClientEnabled } from "./exec-approvals.js";
+import {
+  isDiscordExecApprovalClientEnabled,
+  shouldSuppressLocalDiscordExecApprovalPrompt,
+} from "./exec-approvals.js";
 import type { DiscordProbe } from "./probe.js";
 import { resolveDiscordUserAllowlist } from "./resolve-users.js";
 import { getDiscordRuntime } from "./runtime.js";
@@ -453,6 +461,12 @@ export const discordPlugin: ChannelPlugin<ResolvedDiscordAccount> = {
       isDiscordExecApprovalClientEnabled({ cfg, accountId })
         ? { kind: "enabled" }
         : { kind: "disabled" },
+    shouldSuppressLocalPrompt: ({ cfg, accountId, payload }) =>
+      shouldSuppressLocalDiscordExecApprovalPrompt({
+        cfg,
+        accountId,
+        payload,
+      }),
     hasConfiguredDmRoute: ({ cfg }) => hasDiscordExecApprovalDmRoute(cfg),
     shouldSuppressForwardingFallback: ({ cfg, target }) =>
       (normalizeMessageChannel(target.channel) ?? target.channel) === "discord" &&
diff --git a/extensions/imessage/src/channel.ts b/extensions/imessage/src/channel.ts
index 2d5b0ba9b39..e66ee5a3c82 100644
--- a/extensions/imessage/src/channel.ts
+++ b/extensions/imessage/src/channel.ts
@@ -27,6 +27,7 @@ import {
   type ChannelPlugin,
   type ResolvedIMessageAccount,
 } from "openclaw/plugin-sdk/imessage";
+import { buildAgentSessionKey, type RoutePeer } from "openclaw/plugin-sdk/routing";
 import { resolveOutboundSendDep } from "../../../src/infra/outbound/send-deps.js";
 import { buildPassiveProbedChannelStatusSummary } from "../../shared/channel-status-summary.js";
 import { getIMessageRuntime } from "./runtime.js";
diff --git a/extensions/signal/src/channel.ts b/extensions/signal/src/channel.ts
index bb65502e017..a38db8b60d5 100644
--- a/extensions/signal/src/channel.ts
+++ b/extensions/signal/src/channel.ts
@@ -4,7 +4,7 @@ import {
   createScopedAccountConfigAccessors,
   collectAllowlistProviderRestrictSendersWarnings,
 } from "openclaw/plugin-sdk/compat";
-import { buildAgentSessionKey, type RoutePeer } from "openclaw/plugin-sdk/core";
+import { buildAgentSessionKey, type RoutePeer } from "openclaw/plugin-sdk/routing";
 import {
   buildBaseAccountStatusSnapshot,
   buildBaseChannelStatusSummary,
diff --git a/extensions/slack/src/channel.ts b/extensions/slack/src/channel.ts
index 3b0e347ba24..592ce5a6331 100644
--- a/extensions/slack/src/channel.ts
+++ b/extensions/slack/src/channel.ts
@@ -11,7 +11,7 @@ import {
   buildAgentSessionKey,
   resolveThreadSessionKeys,
   type RoutePeer,
-} from "openclaw/plugin-sdk/core";
+} from "openclaw/plugin-sdk/routing";
 import {
   buildComputedAccountStatusSnapshot,
   buildChannelConfigSchema,
diff --git a/extensions/telegram/src/channel.ts b/extensions/telegram/src/channel.ts
index 37915fa07df..0b7da81d561 100644
--- a/extensions/telegram/src/channel.ts
+++ b/extensions/telegram/src/channel.ts
@@ -11,7 +11,7 @@ import {
   buildAgentSessionKey,
   resolveThreadSessionKeys,
   type RoutePeer,
-} from "openclaw/plugin-sdk/core";
+} from "openclaw/plugin-sdk/routing";
 import {
   buildChannelConfigSchema,
   buildTokenChannelStatusSummary,
diff --git a/package.json b/package.json
index 5aeb794f174..0a345f172a0 100644
--- a/package.json
+++ b/package.json
@@ -48,6 +48,10 @@
       "types": "./dist/plugin-sdk/compat.d.ts",
       "default": "./dist/plugin-sdk/compat.js"
     },
+    "./plugin-sdk/routing": {
+      "types": "./dist/plugin-sdk/routing.d.ts",
+      "default": "./dist/plugin-sdk/routing.js"
+    },
     "./plugin-sdk/telegram": {
       "types": "./dist/plugin-sdk/telegram.d.ts",
       "default": "./dist/plugin-sdk/telegram.js"
diff --git a/scripts/lib/plugin-sdk-entrypoints.json b/scripts/lib/plugin-sdk-entrypoints.json
index c42f27db5a1..91b16c36450 100644
--- a/scripts/lib/plugin-sdk-entrypoints.json
+++ b/scripts/lib/plugin-sdk-entrypoints.json
@@ -2,6 +2,7 @@
   "index",
   "core",
   "compat",
+  "routing",
   "telegram",
   "discord",
   "slack",
diff --git a/src/auto-reply/reply/commands-subagents/shared.ts b/src/auto-reply/reply/commands-subagents/shared.ts
index 1c7db7e13cd..9781683267e 100644
--- a/src/auto-reply/reply/commands-subagents/shared.ts
+++ b/src/auto-reply/reply/commands-subagents/shared.ts
@@ -1,4 +1,3 @@
-import { parseDiscordTarget } from "../../../../extensions/discord/src/targets.js";
 import { resolveStoredSubagentCapabilities } from "../../../agents/subagent-capabilities.js";
 import type { ResolvedSubagentController } from "../../../agents/subagent-control.js";
 import {
@@ -12,6 +11,7 @@ import {
   sanitizeTextContent,
   stripToolMessages,
 } from "../../../agents/tools/sessions-helpers.js";
+import { parseExplicitTargetForChannel } from "../../../channels/plugins/target-parsing.js";
 import type {
   SessionEntry,
   loadSessionStore as loadSessionStoreFn,
@@ -335,13 +335,9 @@ export function resolveDiscordChannelIdForFocus(
     typeof params.ctx.To === "string" ? params.ctx.To.trim() : "",
   ].filter(Boolean);
   for (const candidate of toCandidates) {
-    try {
-      const target = parseDiscordTarget(candidate, { defaultKind: "channel" });
-      if (target?.kind === "channel" && target.id) {
-        return target.id;
-      }
-    } catch {
-      // Ignore parse failures and try the next candidate.
+    const target = parseExplicitTargetForChannel("discord", candidate);
+    if (target?.chatType === "channel" && target.to) {
+      return target.to;
     }
   }
   return undefined;
diff --git a/src/auto-reply/reply/dispatch-from-config.test.ts b/src/auto-reply/reply/dispatch-from-config.test.ts
index 38e3615dd9f..6d1604227bd 100644
--- a/src/auto-reply/reply/dispatch-from-config.test.ts
+++ b/src/auto-reply/reply/dispatch-from-config.test.ts
@@ -1,8 +1,11 @@
 import { beforeEach, describe, expect, it, vi } from "vitest";
+import { discordPlugin } from "../../../extensions/discord/src/channel.js";
 import { AcpRuntimeError } from "../../acp/runtime/errors.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import type { SessionBindingRecord } from "../../infra/outbound/session-binding-service.js";
 import type { PluginTargetedInboundClaimOutcome } from "../../plugins/hooks.js";
+import { setActivePluginRegistry } from "../../plugins/runtime.js";
+import { createTestRegistry } from "../../test-utils/channel-plugins.js";
 import { createInternalHookEventPayload } from "../../test-utils/internal-hook-event-payload.js";
 import type { MsgContext } from "../templating.js";
 import type { GetReplyOptions, ReplyPayload } from "../types.js";
@@ -252,6 +255,9 @@ async function dispatchTwiceWithFreshDispatchers(params: Omit<DispatchReplyArgs,
 
 describe("dispatchReplyFromConfig", () => {
   beforeEach(() => {
+    setActivePluginRegistry(
+      createTestRegistry([{ pluginId: "discord", source: "test", plugin: discordPlugin }]),
+    );
     acpManagerTesting.resetAcpSessionManagerForTests();
     resetInboundDedupe();
     mocks.routeReply.mockReset();
@@ -1295,6 +1301,11 @@ describe("dispatchReplyFromConfig", () => {
       commands: {
         text: false,
       },
+      session: {
+        sendPolicy: {
+          default: "allow",
+        },
+      },
     } as OpenClawConfig;
     const dispatcher = createDispatcher();
     const ctx = buildTestCtx({
diff --git a/src/auto-reply/reply/dispatch-from-config.ts b/src/auto-reply/reply/dispatch-from-config.ts
index 1e90dd58887..18a7eb7802d 100644
--- a/src/auto-reply/reply/dispatch-from-config.ts
+++ b/src/auto-reply/reply/dispatch-from-config.ts
@@ -1,5 +1,5 @@
-import { shouldSuppressLocalDiscordExecApprovalPrompt } from "../../../extensions/discord/src/exec-approvals.js";
 import { resolveSessionAgentId } from "../../agents/agent-scope.js";
+import { shouldSuppressLocalExecApprovalPrompt } from "../../channels/plugins/exec-approval-local.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import {
   loadSessionStore,
@@ -506,8 +506,8 @@ export async function dispatchReplyFromConfig(params: {
 
     const resolveToolDeliveryPayload = (payload: ReplyPayload): ReplyPayload | null => {
       if (
-        normalizeMessageChannel(ctx.Surface ?? ctx.Provider) === "discord" &&
-        shouldSuppressLocalDiscordExecApprovalPrompt({
+        shouldSuppressLocalExecApprovalPrompt({
+          channel: normalizeMessageChannel(ctx.Surface ?? ctx.Provider),
           cfg,
           accountId: ctx.AccountId,
           payload,
diff --git a/src/auto-reply/reply/reply-payloads.ts b/src/auto-reply/reply/reply-payloads.ts
index f5f409e2900..7d7ae82975c 100644
--- a/src/auto-reply/reply/reply-payloads.ts
+++ b/src/auto-reply/reply/reply-payloads.ts
@@ -1,7 +1,7 @@
-import { parseTelegramTarget } from "../../../extensions/telegram/src/targets.js";
 import { isMessagingToolDuplicate } from "../../agents/pi-embedded-helpers.js";
 import type { MessagingToolSend } from "../../agents/pi-embedded-runner.js";
 import { normalizeChannelId } from "../../channels/plugins/index.js";
+import { parseExplicitTargetForChannel } from "../../channels/plugins/target-parsing.js";
 import type { ReplyToMode } from "../../config/types.js";
 import { normalizeTargetForProvider } from "../../infra/outbound/target-normalization.js";
 import { hasReplyChannelData, hasReplyContent } from "../../interactive/payload.js";
@@ -210,15 +210,16 @@ function targetsMatchForSuppression(params: {
     return params.targetKey === params.originTarget;
   }
 
-  const origin = parseTelegramTarget(params.originTarget);
-  const target = parseTelegramTarget(params.targetKey);
+  const origin = parseExplicitTargetForChannel("telegram", params.originTarget);
+  const target = parseExplicitTargetForChannel("telegram", params.targetKey);
+  if (!origin || !target) {
+    return params.targetKey === params.originTarget;
+  }
   const explicitTargetThreadId = normalizeThreadIdForComparison(params.targetThreadId);
   const targetThreadId =
-    explicitTargetThreadId ??
-    (target.messageThreadId != null ? String(target.messageThreadId) : undefined);
-  const originThreadId =
-    origin.messageThreadId != null ? String(origin.messageThreadId) : undefined;
-  if (origin.chatId.trim().toLowerCase() !== target.chatId.trim().toLowerCase()) {
+    explicitTargetThreadId ?? (target.threadId != null ? String(target.threadId) : undefined);
+  const originThreadId = origin.threadId != null ? String(origin.threadId) : undefined;
+  if (origin.to.trim().toLowerCase() !== target.to.trim().toLowerCase()) {
     return false;
   }
   if (originThreadId && targetThreadId != null) {
diff --git a/src/auto-reply/reply/telegram-context.test.ts b/src/auto-reply/reply/telegram-context.test.ts
index 7b58b780180..b38397a1c01 100644
--- a/src/auto-reply/reply/telegram-context.test.ts
+++ b/src/auto-reply/reply/telegram-context.test.ts
@@ -1,6 +1,15 @@
-import { describe, expect, it } from "vitest";
+import { beforeEach, describe, expect, it } from "vitest";
+import { telegramPlugin } from "../../../extensions/telegram/src/channel.js";
+import { setActivePluginRegistry } from "../../plugins/runtime.js";
+import { createTestRegistry } from "../../test-utils/channel-plugins.js";
 import { resolveTelegramConversationId } from "./telegram-context.js";
 
+beforeEach(() => {
+  setActivePluginRegistry(
+    createTestRegistry([{ pluginId: "telegram", source: "test", plugin: telegramPlugin }]),
+  );
+});
+
 describe("resolveTelegramConversationId", () => {
   it("builds canonical topic ids from chat target and message thread id", () => {
     const conversationId = resolveTelegramConversationId({
diff --git a/src/auto-reply/reply/telegram-context.ts b/src/auto-reply/reply/telegram-context.ts
index f209af031fb..8ab905a44d1 100644
--- a/src/auto-reply/reply/telegram-context.ts
+++ b/src/auto-reply/reply/telegram-context.ts
@@ -1,4 +1,4 @@
-import { parseTelegramTarget } from "../../../extensions/telegram/src/targets.js";
+import { parseExplicitTargetForChannel } from "../../channels/plugins/target-parsing.js";
 
 type TelegramConversationParams = {
   ctx: {
@@ -25,7 +25,7 @@ export function resolveTelegramConversationId(
     .map((value) => value.trim())
     .filter(Boolean);
   const chatId = toCandidates
-    .map((candidate) => parseTelegramTarget(candidate).chatId.trim())
+    .map((candidate) => parseExplicitTargetForChannel("telegram", candidate)?.to.trim() ?? "")
     .find((candidate) => candidate.length > 0);
   if (!chatId) {
     return undefined;
diff --git a/src/channels/plugins/directory-config.ts b/src/channels/plugins/directory-config.ts
index 45fb8bcf46a..e54889076e8 100644
--- a/src/channels/plugins/directory-config.ts
+++ b/src/channels/plugins/directory-config.ts
@@ -1,12 +1,13 @@
-import { inspectDiscordAccount } from "../../../extensions/discord/src/account-inspect.js";
-import { inspectSlackAccount } from "../../../extensions/slack/src/account-inspect.js";
-import { inspectTelegramAccount } from "../../../extensions/telegram/src/account-inspect.js";
-import { resolveWhatsAppAccount } from "../../../extensions/whatsapp/src/accounts.js";
 import type { OpenClawConfig } from "../../config/types.js";
 import { mapAllowFromEntries } from "../../plugin-sdk/channel-config-helpers.js";
 import { isWhatsAppGroupJid, normalizeWhatsAppTarget } from "../../whatsapp/normalize.js";
+import type { InspectedDiscordAccount } from "../read-only-account-inspect.discord.runtime.js";
+import { inspectReadOnlyChannelAccount } from "../read-only-account-inspect.js";
+import type { InspectedSlackAccount } from "../read-only-account-inspect.slack.runtime.js";
+import type { InspectedTelegramAccount } from "../read-only-account-inspect.telegram.runtime.js";
 import { applyDirectoryQueryAndLimit, toDirectoryEntries } from "./directory-config-helpers.js";
 import { normalizeSlackMessagingTarget } from "./normalize/slack.js";
+import { getChannelPlugin } from "./registry.js";
 import type { ChannelDirectoryEntry } from "./types.js";
 
 export type DirectoryConfigParams = {
@@ -58,7 +59,14 @@ function normalizeTrimmedSet(
 export async function listSlackDirectoryPeersFromConfig(
   params: DirectoryConfigParams,
 ): Promise<ChannelDirectoryEntry[]> {
-  const account = inspectSlackAccount({ cfg: params.cfg, accountId: params.accountId });
+  const account = (await inspectReadOnlyChannelAccount({
+    channelId: "slack",
+    cfg: params.cfg,
+    accountId: params.accountId,
+  })) as InspectedSlackAccount | null;
+  if (!account || !("config" in account)) {
+    return [];
+  }
   const ids = new Set<string>();
 
   addAllowFromAndDmsIds(ids, account.config.allowFrom ?? account.dm?.allowFrom, account.config.dms);
@@ -81,7 +89,14 @@ export async function listSlackDirectoryPeersFromConfig(
 export async function listSlackDirectoryGroupsFromConfig(
   params: DirectoryConfigParams,
 ): Promise<ChannelDirectoryEntry[]> {
-  const account = inspectSlackAccount({ cfg: params.cfg, accountId: params.accountId });
+  const account = (await inspectReadOnlyChannelAccount({
+    channelId: "slack",
+    cfg: params.cfg,
+    accountId: params.accountId,
+  })) as InspectedSlackAccount | null;
+  if (!account || !("config" in account)) {
+    return [];
+  }
   const ids = Object.keys(account.config.channels ?? {})
     .map((raw) => raw.trim())
     .filter(Boolean)
@@ -93,7 +108,14 @@ export async function listSlackDirectoryGroupsFromConfig(
 export async function listDiscordDirectoryPeersFromConfig(
   params: DirectoryConfigParams,
 ): Promise<ChannelDirectoryEntry[]> {
-  const account = inspectDiscordAccount({ cfg: params.cfg, accountId: params.accountId });
+  const account = (await inspectReadOnlyChannelAccount({
+    channelId: "discord",
+    cfg: params.cfg,
+    accountId: params.accountId,
+  })) as InspectedDiscordAccount | null;
+  if (!account || !("config" in account)) {
+    return [];
+  }
   const ids = new Set<string>();
 
   addAllowFromAndDmsIds(
@@ -122,7 +144,14 @@ export async function listDiscordDirectoryPeersFromConfig(
 export async function listDiscordDirectoryGroupsFromConfig(
   params: DirectoryConfigParams,
 ): Promise<ChannelDirectoryEntry[]> {
-  const account = inspectDiscordAccount({ cfg: params.cfg, accountId: params.accountId });
+  const account = (await inspectReadOnlyChannelAccount({
+    channelId: "discord",
+    cfg: params.cfg,
+    accountId: params.accountId,
+  })) as InspectedDiscordAccount | null;
+  if (!account || !("config" in account)) {
+    return [];
+  }
   const ids = new Set<string>();
   for (const guild of Object.values(account.config.guilds ?? {})) {
     addTrimmedEntries(ids, Object.keys(guild.channels ?? {}));
@@ -142,7 +171,14 @@ export async function listDiscordDirectoryGroupsFromConfig(
 export async function listTelegramDirectoryPeersFromConfig(
   params: DirectoryConfigParams,
 ): Promise<ChannelDirectoryEntry[]> {
-  const account = inspectTelegramAccount({ cfg: params.cfg, accountId: params.accountId });
+  const account = (await inspectReadOnlyChannelAccount({
+    channelId: "telegram",
+    cfg: params.cfg,
+    accountId: params.accountId,
+  })) as InspectedTelegramAccount | null;
+  if (!account || !("config" in account)) {
+    return [];
+  }
   const raw = [
     ...mapAllowFromEntries(account.config.allowFrom),
     ...Object.keys(account.config.dms ?? {}),
@@ -173,7 +209,14 @@ export async function listTelegramDirectoryPeersFromConfig(
 export async function listTelegramDirectoryGroupsFromConfig(
   params: DirectoryConfigParams,
 ): Promise<ChannelDirectoryEntry[]> {
-  const account = inspectTelegramAccount({ cfg: params.cfg, accountId: params.accountId });
+  const account = (await inspectReadOnlyChannelAccount({
+    channelId: "telegram",
+    cfg: params.cfg,
+    accountId: params.accountId,
+  })) as InspectedTelegramAccount | null;
+  if (!account || !("config" in account)) {
+    return [];
+  }
   const ids = Object.keys(account.config.groups ?? {})
     .map((id) => id.trim())
     .filter((id) => Boolean(id) && id !== "*");
@@ -183,9 +226,15 @@ export async function listTelegramDirectoryGroupsFromConfig(
 export async function listWhatsAppDirectoryPeersFromConfig(
   params: DirectoryConfigParams,
 ): Promise<ChannelDirectoryEntry[]> {
-  const account = resolveWhatsAppAccount({ cfg: params.cfg, accountId: params.accountId });
+  const account = getChannelPlugin("whatsapp")?.config.resolveAccount(
+    params.cfg,
+    params.accountId,
+  ) as { allowFrom?: unknown[] } | null | undefined;
+  if (!account || typeof account !== "object") {
+    return [];
+  }
   const ids = (account.allowFrom ?? [])
-    .map((entry) => String(entry).trim())
+    .map((entry: unknown) => String(entry).trim())
     .filter((entry) => Boolean(entry) && entry !== "*")
     .map((entry) => normalizeWhatsAppTarget(entry) ?? "")
     .filter(Boolean)
@@ -196,7 +245,13 @@ export async function listWhatsAppDirectoryPeersFromConfig(
 export async function listWhatsAppDirectoryGroupsFromConfig(
   params: DirectoryConfigParams,
 ): Promise<ChannelDirectoryEntry[]> {
-  const account = resolveWhatsAppAccount({ cfg: params.cfg, accountId: params.accountId });
+  const account = getChannelPlugin("whatsapp")?.config.resolveAccount(
+    params.cfg,
+    params.accountId,
+  ) as { groups?: Record<string, unknown> } | null | undefined;
+  if (!account || typeof account !== "object") {
+    return [];
+  }
   const ids = Object.keys(account.groups ?? {})
     .map((id) => id.trim())
     .filter((id) => Boolean(id) && id !== "*");
diff --git a/src/channels/plugins/exec-approval-local.ts b/src/channels/plugins/exec-approval-local.ts
new file mode 100644
index 00000000000..0f4f409e0ae
--- /dev/null
+++ b/src/channels/plugins/exec-approval-local.ts
@@ -0,0 +1,22 @@
+import type { ReplyPayload } from "../../auto-reply/types.js";
+import type { OpenClawConfig } from "../../config/config.js";
+import { getChannelPlugin, normalizeChannelId } from "./registry.js";
+
+export function shouldSuppressLocalExecApprovalPrompt(params: {
+  channel?: string | null;
+  cfg: OpenClawConfig;
+  accountId?: string | null;
+  payload: ReplyPayload;
+}): boolean {
+  const channel = params.channel ? normalizeChannelId(params.channel) : null;
+  if (!channel) {
+    return false;
+  }
+  return (
+    getChannelPlugin(channel)?.execApprovals?.shouldSuppressLocalPrompt?.({
+      cfg: params.cfg,
+      accountId: params.accountId,
+      payload: params.payload,
+    }) ?? false
+  );
+}
diff --git a/src/channels/plugins/index.ts b/src/channels/plugins/index.ts
index f2a8aa56b95..d7c91248109 100644
--- a/src/channels/plugins/index.ts
+++ b/src/channels/plugins/index.ts
@@ -1,93 +1,4 @@
-import {
-  getActivePluginRegistryVersion,
-  requireActivePluginRegistry,
-} from "../../plugins/runtime.js";
-import { CHAT_CHANNEL_ORDER, type ChatChannelId, normalizeAnyChannelId } from "../registry.js";
-import type { ChannelId, ChannelPlugin } from "./types.js";
-
-// Channel plugins registry (runtime).
-//
-// This module is intentionally "heavy" (plugins may import channel monitors, web login, etc).
-// Shared code paths should prefer narrower adapters and helpers instead of reaching into
-// channel-specific runtime modules directly.
-//
-function dedupeChannels(channels: ChannelPlugin[]): ChannelPlugin[] {
-  const seen = new Set<string>();
-  const resolved: ChannelPlugin[] = [];
-  for (const plugin of channels) {
-    const id = String(plugin.id).trim();
-    if (!id || seen.has(id)) {
-      continue;
-    }
-    seen.add(id);
-    resolved.push(plugin);
-  }
-  return resolved;
-}
-
-type CachedChannelPlugins = {
-  registryVersion: number;
-  sorted: ChannelPlugin[];
-  byId: Map<string, ChannelPlugin>;
-};
-
-const EMPTY_CHANNEL_PLUGIN_CACHE: CachedChannelPlugins = {
-  registryVersion: -1,
-  sorted: [],
-  byId: new Map(),
-};
-
-let cachedChannelPlugins = EMPTY_CHANNEL_PLUGIN_CACHE;
-
-function resolveCachedChannelPlugins(): CachedChannelPlugins {
-  const registry = requireActivePluginRegistry();
-  const registryVersion = getActivePluginRegistryVersion();
-  const cached = cachedChannelPlugins;
-  if (cached.registryVersion === registryVersion) {
-    return cached;
-  }
-
-  const sorted = dedupeChannels(registry.channels.map((entry) => entry.plugin)).toSorted((a, b) => {
-    const indexA = CHAT_CHANNEL_ORDER.indexOf(a.id as ChatChannelId);
-    const indexB = CHAT_CHANNEL_ORDER.indexOf(b.id as ChatChannelId);
-    const orderA = a.meta.order ?? (indexA === -1 ? 999 : indexA);
-    const orderB = b.meta.order ?? (indexB === -1 ? 999 : indexB);
-    if (orderA !== orderB) {
-      return orderA - orderB;
-    }
-    return a.id.localeCompare(b.id);
-  });
-  const byId = new Map<string, ChannelPlugin>();
-  for (const plugin of sorted) {
-    byId.set(plugin.id, plugin);
-  }
-
-  const next: CachedChannelPlugins = {
-    registryVersion,
-    sorted,
-    byId,
-  };
-  cachedChannelPlugins = next;
-  return next;
-}
-
-export function listChannelPlugins(): ChannelPlugin[] {
-  return resolveCachedChannelPlugins().sorted.slice();
-}
-
-export function getChannelPlugin(id: ChannelId): ChannelPlugin | undefined {
-  const resolvedId = String(id).trim();
-  if (!resolvedId) {
-    return undefined;
-  }
-  return resolveCachedChannelPlugins().byId.get(resolvedId);
-}
-
-export function normalizeChannelId(raw?: string | null): ChannelId | null {
-  // Channel docking: keep input normalization centralized in src/channels/registry.ts.
-  // Plugin registry must be initialized before calling.
-  return normalizeAnyChannelId(raw);
-}
+export { getChannelPlugin, listChannelPlugins, normalizeChannelId } from "./registry.js";
 export {
   listDiscordDirectoryGroupsFromConfig,
   listDiscordDirectoryPeersFromConfig,
diff --git a/src/channels/plugins/registry.ts b/src/channels/plugins/registry.ts
new file mode 100644
index 00000000000..3f170cbfb92
--- /dev/null
+++ b/src/channels/plugins/registry.ts
@@ -0,0 +1,82 @@
+import {
+  getActivePluginRegistryVersion,
+  requireActivePluginRegistry,
+} from "../../plugins/runtime.js";
+import { CHAT_CHANNEL_ORDER, type ChatChannelId, normalizeAnyChannelId } from "../registry.js";
+import type { ChannelId, ChannelPlugin } from "./types.js";
+
+function dedupeChannels(channels: ChannelPlugin[]): ChannelPlugin[] {
+  const seen = new Set<string>();
+  const resolved: ChannelPlugin[] = [];
+  for (const plugin of channels) {
+    const id = String(plugin.id).trim();
+    if (!id || seen.has(id)) {
+      continue;
+    }
+    seen.add(id);
+    resolved.push(plugin);
+  }
+  return resolved;
+}
+
+type CachedChannelPlugins = {
+  registryVersion: number;
+  sorted: ChannelPlugin[];
+  byId: Map<string, ChannelPlugin>;
+};
+
+const EMPTY_CHANNEL_PLUGIN_CACHE: CachedChannelPlugins = {
+  registryVersion: -1,
+  sorted: [],
+  byId: new Map(),
+};
+
+let cachedChannelPlugins = EMPTY_CHANNEL_PLUGIN_CACHE;
+
+function resolveCachedChannelPlugins(): CachedChannelPlugins {
+  const registry = requireActivePluginRegistry();
+  const registryVersion = getActivePluginRegistryVersion();
+  const cached = cachedChannelPlugins;
+  if (cached.registryVersion === registryVersion) {
+    return cached;
+  }
+
+  const sorted = dedupeChannels(registry.channels.map((entry) => entry.plugin)).toSorted((a, b) => {
+    const indexA = CHAT_CHANNEL_ORDER.indexOf(a.id as ChatChannelId);
+    const indexB = CHAT_CHANNEL_ORDER.indexOf(b.id as ChatChannelId);
+    const orderA = a.meta.order ?? (indexA === -1 ? 999 : indexA);
+    const orderB = b.meta.order ?? (indexB === -1 ? 999 : indexB);
+    if (orderA !== orderB) {
+      return orderA - orderB;
+    }
+    return a.id.localeCompare(b.id);
+  });
+  const byId = new Map<string, ChannelPlugin>();
+  for (const plugin of sorted) {
+    byId.set(plugin.id, plugin);
+  }
+
+  const next: CachedChannelPlugins = {
+    registryVersion,
+    sorted,
+    byId,
+  };
+  cachedChannelPlugins = next;
+  return next;
+}
+
+export function listChannelPlugins(): ChannelPlugin[] {
+  return resolveCachedChannelPlugins().sorted.slice();
+}
+
+export function getChannelPlugin(id: ChannelId): ChannelPlugin | undefined {
+  const resolvedId = String(id).trim();
+  if (!resolvedId) {
+    return undefined;
+  }
+  return resolveCachedChannelPlugins().byId.get(resolvedId);
+}
+
+export function normalizeChannelId(raw?: string | null): ChannelId | null {
+  return normalizeAnyChannelId(raw);
+}
diff --git a/src/channels/plugins/target-parsing.ts b/src/channels/plugins/target-parsing.ts
new file mode 100644
index 00000000000..5d7fd6e28da
--- /dev/null
+++ b/src/channels/plugins/target-parsing.ts
@@ -0,0 +1,26 @@
+import type { ChatType } from "../chat-type.js";
+import { getChannelPlugin, normalizeChannelId } from "./registry.js";
+
+export type ParsedChannelExplicitTarget = {
+  to: string;
+  threadId?: string | number;
+  chatType?: ChatType;
+};
+
+function parseWithPlugin(
+  rawChannel: string,
+  rawTarget: string,
+): ParsedChannelExplicitTarget | null {
+  const channel = normalizeChannelId(rawChannel);
+  if (!channel) {
+    return null;
+  }
+  return getChannelPlugin(channel)?.messaging?.parseExplicitTarget?.({ raw: rawTarget }) ?? null;
+}
+
+export function parseExplicitTargetForChannel(
+  channel: string,
+  rawTarget: string,
+): ParsedChannelExplicitTarget | null {
+  return parseWithPlugin(channel, rawTarget);
+}
diff --git a/src/channels/plugins/types.adapters.ts b/src/channels/plugins/types.adapters.ts
index 9f9e279bdc1..eff6878e85e 100644
--- a/src/channels/plugins/types.adapters.ts
+++ b/src/channels/plugins/types.adapters.ts
@@ -456,6 +456,11 @@ export type ChannelExecApprovalAdapter = {
     cfg: OpenClawConfig;
     accountId?: string | null;
   }) => ChannelExecApprovalInitiatingSurfaceState;
+  shouldSuppressLocalPrompt?: (params: {
+    cfg: OpenClawConfig;
+    accountId?: string | null;
+    payload: ReplyPayload;
+  }) => boolean;
   hasConfiguredDmRoute?: (params: { cfg: OpenClawConfig }) => boolean;
   shouldSuppressForwardingFallback?: (params: {
     cfg: OpenClawConfig;
diff --git a/src/plugin-sdk/channel-config-helpers.ts b/src/plugin-sdk/channel-config-helpers.ts
index ccd5de7a31a..aa405c4b9b7 100644
--- a/src/plugin-sdk/channel-config-helpers.ts
+++ b/src/plugin-sdk/channel-config-helpers.ts
@@ -1,11 +1,10 @@
-import { resolveIMessageAccount } from "../../extensions/imessage/src/accounts.js";
-import { resolveWhatsAppAccount } from "../../extensions/whatsapp/src/accounts.js";
 import {
   deleteAccountFromConfigSection,
   setAccountEnabledInConfigSection,
 } from "../channels/plugins/config-helpers.js";
 import { buildAccountScopedDmSecurityPolicy } from "../channels/plugins/helpers.js";
 import { normalizeWhatsAppAllowFromEntries } from "../channels/plugins/normalize/whatsapp.js";
+import { getChannelPlugin } from "../channels/plugins/registry.js";
 import type { ChannelConfigAdapter } from "../channels/plugins/types.adapters.js";
 import type { OpenClawConfig } from "../config/config.js";
 import { normalizeAccountId } from "../routing/session-key.js";
@@ -148,7 +147,10 @@ export function resolveWhatsAppConfigAllowFrom(params: {
   cfg: OpenClawConfig;
   accountId?: string | null;
 }): string[] {
-  return resolveWhatsAppAccount(params).allowFrom ?? [];
+  const account = getChannelPlugin("whatsapp")?.config.resolveAccount(params.cfg, params.accountId);
+  return account && typeof account === "object" && Array.isArray(account.allowFrom)
+    ? account.allowFrom.map(String)
+    : [];
 }
 
 export function formatWhatsAppConfigAllowFromEntries(allowFrom: Array<string | number>): string[] {
@@ -169,12 +171,20 @@ export function resolveIMessageConfigAllowFrom(params: {
   cfg: OpenClawConfig;
   accountId?: string | null;
 }): string[] {
-  return mapAllowFromEntries(resolveIMessageAccount(params).config.allowFrom);
+  const account = getChannelPlugin("imessage")?.config.resolveAccount(params.cfg, params.accountId);
+  if (!account || typeof account !== "object" || !("config" in account)) {
+    return [];
+  }
+  return mapAllowFromEntries(account.config.allowFrom);
 }
 
 export function resolveIMessageConfigDefaultTo(params: {
   cfg: OpenClawConfig;
   accountId?: string | null;
 }): string | undefined {
-  return resolveOptionalConfigString(resolveIMessageAccount(params).config.defaultTo);
+  const account = getChannelPlugin("imessage")?.config.resolveAccount(params.cfg, params.accountId);
+  if (!account || typeof account !== "object" || !("config" in account)) {
+    return undefined;
+  }
+  return resolveOptionalConfigString(account.config.defaultTo);
 }
diff --git a/src/plugin-sdk/routing.ts b/src/plugin-sdk/routing.ts
new file mode 100644
index 00000000000..921d085ae55
--- /dev/null
+++ b/src/plugin-sdk/routing.ts
@@ -0,0 +1,6 @@
+export {
+  buildAgentSessionKey,
+  type RoutePeer,
+  type RoutePeerKind,
+} from "../routing/resolve-route.js";
+export { resolveThreadSessionKeys } from "../routing/session-key.js";
diff --git a/src/plugins/commands.test.ts b/src/plugins/commands.test.ts
index 64f953fb014..6f371305a81 100644
--- a/src/plugins/commands.test.ts
+++ b/src/plugins/commands.test.ts
@@ -1,4 +1,6 @@
-import { afterEach, describe, expect, it } from "vitest";
+import { afterEach, beforeEach, describe, expect, it } from "vitest";
+import { discordPlugin } from "../../extensions/discord/src/channel.js";
+import { createTestRegistry } from "../test-utils/channel-plugins.js";
 import {
   __testing,
   clearPluginCommands,
@@ -7,6 +9,13 @@ import {
   listPluginCommands,
   registerPluginCommand,
 } from "./commands.js";
+import { setActivePluginRegistry } from "./runtime.js";
+
+beforeEach(() => {
+  setActivePluginRegistry(
+    createTestRegistry([{ pluginId: "discord", source: "test", plugin: discordPlugin }]),
+  );
+});
 
 afterEach(() => {
   clearPluginCommands();
diff --git a/src/plugins/commands.ts b/src/plugins/commands.ts
index 91e38a6ae99..fdd71d4f31c 100644
--- a/src/plugins/commands.ts
+++ b/src/plugins/commands.ts
@@ -5,8 +5,7 @@
  * These commands are processed before built-in commands and before agent invocation.
  */
 
-import { parseDiscordTarget } from "../../extensions/discord/src/targets.js";
-import { parseTelegramTarget } from "../../extensions/telegram/src/targets.js";
+import { parseExplicitTargetForChannel } from "../channels/plugins/target-parsing.js";
 import type { OpenClawConfig } from "../config/config.js";
 import { logVerbose } from "../globals.js";
 import {
@@ -286,12 +285,15 @@ function resolveBindingConversationFromCommand(params: {
     if (!rawTarget) {
       return null;
     }
-    const target = parseTelegramTarget(rawTarget);
+    const target = parseExplicitTargetForChannel("telegram", rawTarget);
+    if (!target) {
+      return null;
+    }
     return {
       channel: "telegram",
       accountId,
-      conversationId: target.chatId,
-      threadId: params.messageThreadId ?? target.messageThreadId,
+      conversationId: target.to,
+      threadId: params.messageThreadId ?? target.threadId,
     };
   }
   if (params.channel === "discord") {
@@ -304,14 +306,14 @@ function resolveBindingConversationFromCommand(params: {
     if (!rawTarget || rawTarget.startsWith("slash:")) {
       return null;
     }
-    const target = parseDiscordTarget(rawTarget, { defaultKind: "channel" });
+    const target = parseExplicitTargetForChannel("discord", rawTarget);
     if (!target) {
       return null;
     }
     return {
       channel: "discord",
       accountId,
-      conversationId: `${target.kind}:${target.id}`,
+      conversationId: `${target.chatType === "direct" ? "user" : "channel"}:${target.to}`,
     };
   }
   return null;
diff --git a/src/plugins/runtime/runtime-channel.ts b/src/plugins/runtime/runtime-channel.ts
index 94ea9a0b8cb..23b47d48eeb 100644
--- a/src/plugins/runtime/runtime-channel.ts
+++ b/src/plugins/runtime/runtime-channel.ts
@@ -1,59 +1,4 @@
-import { auditDiscordChannelPermissions } from "../../../extensions/discord/src/audit.js";
-import {
-  listDiscordDirectoryGroupsLive,
-  listDiscordDirectoryPeersLive,
-} from "../../../extensions/discord/src/directory-live.js";
-import { monitorDiscordProvider } from "../../../extensions/discord/src/monitor.js";
-import { probeDiscord } from "../../../extensions/discord/src/probe.js";
-import { resolveDiscordChannelAllowlist } from "../../../extensions/discord/src/resolve-channels.js";
-import { resolveDiscordUserAllowlist } from "../../../extensions/discord/src/resolve-users.js";
-import {
-  createThreadDiscord,
-  deleteMessageDiscord,
-  editChannelDiscord,
-  editMessageDiscord,
-  pinMessageDiscord,
-  sendDiscordComponentMessage,
-  sendMessageDiscord,
-  sendPollDiscord,
-  sendTypingDiscord,
-  unpinMessageDiscord,
-} from "../../../extensions/discord/src/send.js";
-import { monitorIMessageProvider } from "../../../extensions/imessage/src/monitor.js";
-import { probeIMessage } from "../../../extensions/imessage/src/probe.js";
-import { sendMessageIMessage } from "../../../extensions/imessage/src/send.js";
-import { monitorSignalProvider } from "../../../extensions/signal/src/index.js";
-import { probeSignal } from "../../../extensions/signal/src/probe.js";
-import { sendMessageSignal } from "../../../extensions/signal/src/send.js";
-import {
-  listSlackDirectoryGroupsLive,
-  listSlackDirectoryPeersLive,
-} from "../../../extensions/slack/src/directory-live.js";
-import { monitorSlackProvider } from "../../../extensions/slack/src/index.js";
-import { probeSlack } from "../../../extensions/slack/src/probe.js";
-import { resolveSlackChannelAllowlist } from "../../../extensions/slack/src/resolve-channels.js";
-import { resolveSlackUserAllowlist } from "../../../extensions/slack/src/resolve-users.js";
-import { sendMessageSlack } from "../../../extensions/slack/src/send.js";
-import {
-  auditTelegramGroupMembership,
-  collectTelegramUnmentionedGroupIds,
-} from "../../../extensions/telegram/src/audit.js";
-import { monitorTelegramProvider } from "../../../extensions/telegram/src/monitor.js";
-import { probeTelegram } from "../../../extensions/telegram/src/probe.js";
-import {
-  deleteMessageTelegram,
-  editMessageReplyMarkupTelegram,
-  editMessageTelegram,
-  pinMessageTelegram,
-  renameForumTopicTelegram,
-  sendMessageTelegram,
-  sendPollTelegram,
-  sendTypingTelegram,
-  unpinMessageTelegram,
-} from "../../../extensions/telegram/src/send.js";
-import { resolveTelegramToken } from "../../../extensions/telegram/src/token.js";
 import { resolveEffectiveMessagesConfig, resolveHumanDelayConfig } from "../../agents/identity.js";
-import { handleSlackAction } from "../../agents/tools/slack-actions.js";
 import {
   chunkByNewline,
   chunkMarkdownText,
@@ -90,9 +35,6 @@ import { dispatchReplyWithBufferedBlockDispatcher } from "../../auto-reply/reply
 import { createReplyDispatcherWithTyping } from "../../auto-reply/reply/reply-dispatcher.js";
 import { removeAckReactionAfterReply, shouldAckReaction } from "../../channels/ack-reactions.js";
 import { resolveCommandAuthorizedFromAuthorizers } from "../../channels/command-gating.js";
-import { discordMessageActions } from "../../channels/plugins/actions/discord.js";
-import { signalMessageActions } from "../../channels/plugins/actions/signal.js";
-import { telegramMessageActions } from "../../channels/plugins/actions/telegram.js";
 import { recordInboundSession } from "../../channels/session.js";
 import {
   resolveChannelGroupPolicy,
@@ -134,8 +76,11 @@ import {
   upsertChannelPairingRequest,
 } from "../../pairing/pairing-store.js";
 import { buildAgentSessionKey, resolveAgentRoute } from "../../routing/resolve-route.js";
-import { createDiscordTypingLease } from "./runtime-discord-typing.js";
-import { createTelegramTypingLease } from "./runtime-telegram-typing.js";
+import { createRuntimeDiscord } from "./runtime-discord.js";
+import { createRuntimeIMessage } from "./runtime-imessage.js";
+import { createRuntimeSignal } from "./runtime-signal.js";
+import { createRuntimeSlack } from "./runtime-slack.js";
+import { createRuntimeTelegram } from "./runtime-telegram.js";
 import { createRuntimeWhatsApp } from "./runtime-whatsapp.js";
 import type { PluginRuntime } from "./types.js";
 
@@ -222,100 +167,11 @@ export function createRuntimeChannel(): PluginRuntime["channel"] {
       shouldComputeCommandAuthorized,
       shouldHandleTextCommands,
     },
-    discord: {
-      messageActions: discordMessageActions,
-      auditChannelPermissions: auditDiscordChannelPermissions,
-      listDirectoryGroupsLive: listDiscordDirectoryGroupsLive,
-      listDirectoryPeersLive: listDiscordDirectoryPeersLive,
-      probeDiscord,
-      resolveChannelAllowlist: resolveDiscordChannelAllowlist,
-      resolveUserAllowlist: resolveDiscordUserAllowlist,
-      sendComponentMessage: sendDiscordComponentMessage,
-      sendMessageDiscord,
-      sendPollDiscord,
-      monitorDiscordProvider,
-      typing: {
-        pulse: sendTypingDiscord,
-        start: async ({ channelId, accountId, cfg, intervalMs }) =>
-          await createDiscordTypingLease({
-            channelId,
-            accountId,
-            cfg,
-            intervalMs,
-            pulse: async ({ channelId, accountId, cfg }) =>
-              void (await sendTypingDiscord(channelId, {
-                accountId,
-                cfg,
-              })),
-          }),
-      },
-      conversationActions: {
-        editMessage: editMessageDiscord,
-        deleteMessage: deleteMessageDiscord,
-        pinMessage: pinMessageDiscord,
-        unpinMessage: unpinMessageDiscord,
-        createThread: createThreadDiscord,
-        editChannel: editChannelDiscord,
-      },
-    },
-    slack: {
-      listDirectoryGroupsLive: listSlackDirectoryGroupsLive,
-      listDirectoryPeersLive: listSlackDirectoryPeersLive,
-      probeSlack,
-      resolveChannelAllowlist: resolveSlackChannelAllowlist,
-      resolveUserAllowlist: resolveSlackUserAllowlist,
-      sendMessageSlack,
-      monitorSlackProvider,
-      handleSlackAction,
-    },
-    telegram: {
-      auditGroupMembership: auditTelegramGroupMembership,
-      collectUnmentionedGroupIds: collectTelegramUnmentionedGroupIds,
-      probeTelegram,
-      resolveTelegramToken,
-      sendMessageTelegram,
-      sendPollTelegram,
-      monitorTelegramProvider,
-      messageActions: telegramMessageActions,
-      typing: {
-        pulse: sendTypingTelegram,
-        start: async ({ to, accountId, cfg, intervalMs, messageThreadId }) =>
-          await createTelegramTypingLease({
-            to,
-            accountId,
-            cfg,
-            intervalMs,
-            messageThreadId,
-            pulse: async ({ to, accountId, cfg, messageThreadId }) =>
-              await sendTypingTelegram(to, {
-                accountId,
-                cfg,
-                messageThreadId,
-              }),
-          }),
-      },
-      conversationActions: {
-        editMessage: editMessageTelegram,
-        editReplyMarkup: editMessageReplyMarkupTelegram,
-        clearReplyMarkup: async (chatIdInput, messageIdInput, opts = {}) =>
-          await editMessageReplyMarkupTelegram(chatIdInput, messageIdInput, [], opts),
-        deleteMessage: deleteMessageTelegram,
-        renameTopic: renameForumTopicTelegram,
-        pinMessage: pinMessageTelegram,
-        unpinMessage: unpinMessageTelegram,
-      },
-    },
-    signal: {
-      probeSignal,
-      sendMessageSignal,
-      monitorSignalProvider,
-      messageActions: signalMessageActions,
-    },
-    imessage: {
-      monitorIMessageProvider,
-      probeIMessage,
-      sendMessageIMessage,
-    },
+    discord: createRuntimeDiscord(),
+    slack: createRuntimeSlack(),
+    telegram: createRuntimeTelegram(),
+    signal: createRuntimeSignal(),
+    imessage: createRuntimeIMessage(),
     whatsapp: createRuntimeWhatsApp(),
     line: {
       listLineAccountIds,
diff --git a/src/plugins/runtime/runtime-discord.ts b/src/plugins/runtime/runtime-discord.ts
new file mode 100644
index 00000000000..6f827f27504
--- /dev/null
+++ b/src/plugins/runtime/runtime-discord.ts
@@ -0,0 +1,60 @@
+import { auditDiscordChannelPermissions } from "../../../extensions/discord/src/audit.js";
+import {
+  listDiscordDirectoryGroupsLive,
+  listDiscordDirectoryPeersLive,
+} from "../../../extensions/discord/src/directory-live.js";
+import { monitorDiscordProvider } from "../../../extensions/discord/src/monitor.js";
+import { probeDiscord } from "../../../extensions/discord/src/probe.js";
+import { resolveDiscordChannelAllowlist } from "../../../extensions/discord/src/resolve-channels.js";
+import { resolveDiscordUserAllowlist } from "../../../extensions/discord/src/resolve-users.js";
+import {
+  createThreadDiscord,
+  deleteMessageDiscord,
+  editChannelDiscord,
+  editMessageDiscord,
+  pinMessageDiscord,
+  sendDiscordComponentMessage,
+  sendMessageDiscord,
+  sendPollDiscord,
+  sendTypingDiscord,
+  unpinMessageDiscord,
+} from "../../../extensions/discord/src/send.js";
+import { discordMessageActions } from "../../channels/plugins/actions/discord.js";
+import { createDiscordTypingLease } from "./runtime-discord-typing.js";
+import type { PluginRuntimeChannel } from "./types-channel.js";
+
+export function createRuntimeDiscord(): PluginRuntimeChannel["discord"] {
+  return {
+    messageActions: discordMessageActions,
+    auditChannelPermissions: auditDiscordChannelPermissions,
+    listDirectoryGroupsLive: listDiscordDirectoryGroupsLive,
+    listDirectoryPeersLive: listDiscordDirectoryPeersLive,
+    probeDiscord,
+    resolveChannelAllowlist: resolveDiscordChannelAllowlist,
+    resolveUserAllowlist: resolveDiscordUserAllowlist,
+    sendComponentMessage: sendDiscordComponentMessage,
+    sendMessageDiscord,
+    sendPollDiscord,
+    monitorDiscordProvider,
+    typing: {
+      pulse: sendTypingDiscord,
+      start: async ({ channelId, accountId, cfg, intervalMs }) =>
+        await createDiscordTypingLease({
+          channelId,
+          accountId,
+          cfg,
+          intervalMs,
+          pulse: async ({ channelId, accountId, cfg }) =>
+            void (await sendTypingDiscord(channelId, { accountId, cfg })),
+        }),
+    },
+    conversationActions: {
+      editMessage: editMessageDiscord,
+      deleteMessage: deleteMessageDiscord,
+      pinMessage: pinMessageDiscord,
+      unpinMessage: unpinMessageDiscord,
+      createThread: createThreadDiscord,
+      editChannel: editChannelDiscord,
+    },
+  };
+}
diff --git a/src/plugins/runtime/runtime-imessage.ts b/src/plugins/runtime/runtime-imessage.ts
new file mode 100644
index 00000000000..01430cacc3c
--- /dev/null
+++ b/src/plugins/runtime/runtime-imessage.ts
@@ -0,0 +1,12 @@
+import { monitorIMessageProvider } from "../../../extensions/imessage/src/monitor.js";
+import { probeIMessage } from "../../../extensions/imessage/src/probe.js";
+import { sendMessageIMessage } from "../../../extensions/imessage/src/send.js";
+import type { PluginRuntimeChannel } from "./types-channel.js";
+
+export function createRuntimeIMessage(): PluginRuntimeChannel["imessage"] {
+  return {
+    monitorIMessageProvider,
+    probeIMessage,
+    sendMessageIMessage,
+  };
+}
diff --git a/src/plugins/runtime/runtime-signal.ts b/src/plugins/runtime/runtime-signal.ts
new file mode 100644
index 00000000000..2465ecbdbbc
--- /dev/null
+++ b/src/plugins/runtime/runtime-signal.ts
@@ -0,0 +1,14 @@
+import { monitorSignalProvider } from "../../../extensions/signal/src/index.js";
+import { probeSignal } from "../../../extensions/signal/src/probe.js";
+import { sendMessageSignal } from "../../../extensions/signal/src/send.js";
+import { signalMessageActions } from "../../channels/plugins/actions/signal.js";
+import type { PluginRuntimeChannel } from "./types-channel.js";
+
+export function createRuntimeSignal(): PluginRuntimeChannel["signal"] {
+  return {
+    probeSignal,
+    sendMessageSignal,
+    monitorSignalProvider,
+    messageActions: signalMessageActions,
+  };
+}
diff --git a/src/plugins/runtime/runtime-slack.ts b/src/plugins/runtime/runtime-slack.ts
new file mode 100644
index 00000000000..095b14ec9c7
--- /dev/null
+++ b/src/plugins/runtime/runtime-slack.ts
@@ -0,0 +1,24 @@
+import {
+  listSlackDirectoryGroupsLive,
+  listSlackDirectoryPeersLive,
+} from "../../../extensions/slack/src/directory-live.js";
+import { monitorSlackProvider } from "../../../extensions/slack/src/index.js";
+import { probeSlack } from "../../../extensions/slack/src/probe.js";
+import { resolveSlackChannelAllowlist } from "../../../extensions/slack/src/resolve-channels.js";
+import { resolveSlackUserAllowlist } from "../../../extensions/slack/src/resolve-users.js";
+import { sendMessageSlack } from "../../../extensions/slack/src/send.js";
+import { handleSlackAction } from "../../agents/tools/slack-actions.js";
+import type { PluginRuntimeChannel } from "./types-channel.js";
+
+export function createRuntimeSlack(): PluginRuntimeChannel["slack"] {
+  return {
+    listDirectoryGroupsLive: listSlackDirectoryGroupsLive,
+    listDirectoryPeersLive: listSlackDirectoryPeersLive,
+    probeSlack,
+    resolveChannelAllowlist: resolveSlackChannelAllowlist,
+    resolveUserAllowlist: resolveSlackUserAllowlist,
+    sendMessageSlack,
+    monitorSlackProvider,
+    handleSlackAction,
+  };
+}
diff --git a/src/plugins/runtime/runtime-telegram.ts b/src/plugins/runtime/runtime-telegram.ts
new file mode 100644
index 00000000000..864761480ff
--- /dev/null
+++ b/src/plugins/runtime/runtime-telegram.ts
@@ -0,0 +1,61 @@
+import {
+  auditTelegramGroupMembership,
+  collectTelegramUnmentionedGroupIds,
+} from "../../../extensions/telegram/src/audit.js";
+import { monitorTelegramProvider } from "../../../extensions/telegram/src/monitor.js";
+import { probeTelegram } from "../../../extensions/telegram/src/probe.js";
+import {
+  deleteMessageTelegram,
+  editMessageReplyMarkupTelegram,
+  editMessageTelegram,
+  pinMessageTelegram,
+  renameForumTopicTelegram,
+  sendMessageTelegram,
+  sendPollTelegram,
+  sendTypingTelegram,
+  unpinMessageTelegram,
+} from "../../../extensions/telegram/src/send.js";
+import { resolveTelegramToken } from "../../../extensions/telegram/src/token.js";
+import { telegramMessageActions } from "../../channels/plugins/actions/telegram.js";
+import { createTelegramTypingLease } from "./runtime-telegram-typing.js";
+import type { PluginRuntimeChannel } from "./types-channel.js";
+
+export function createRuntimeTelegram(): PluginRuntimeChannel["telegram"] {
+  return {
+    auditGroupMembership: auditTelegramGroupMembership,
+    collectUnmentionedGroupIds: collectTelegramUnmentionedGroupIds,
+    probeTelegram,
+    resolveTelegramToken,
+    sendMessageTelegram,
+    sendPollTelegram,
+    monitorTelegramProvider,
+    messageActions: telegramMessageActions,
+    typing: {
+      pulse: sendTypingTelegram,
+      start: async ({ to, accountId, cfg, intervalMs, messageThreadId }) =>
+        await createTelegramTypingLease({
+          to,
+          accountId,
+          cfg,
+          intervalMs,
+          messageThreadId,
+          pulse: async ({ to, accountId, cfg, messageThreadId }) =>
+            await sendTypingTelegram(to, {
+              accountId,
+              cfg,
+              messageThreadId,
+            }),
+        }),
+    },
+    conversationActions: {
+      editMessage: editMessageTelegram,
+      editReplyMarkup: editMessageReplyMarkupTelegram,
+      clearReplyMarkup: async (chatIdInput, messageIdInput, opts = {}) =>
+        await editMessageReplyMarkupTelegram(chatIdInput, messageIdInput, [], opts),
+      deleteMessage: deleteMessageTelegram,
+      renameTopic: renameForumTopicTelegram,
+      pinMessage: pinMessageTelegram,
+      unpinMessage: unpinMessageTelegram,
+    },
+  };
+}

From b3025e6d8eb43a8fba08c0b87139b926c6568b28 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Mar 2026 00:25:22 -0700
Subject: [PATCH 097/133] refactor(plugin-sdk): clean shared core imports

---
 docs/tools/plugin.md                                    | 2 +-
 extensions/shared/passive-monitor.ts                    | 2 +-
 extensions/shared/runtime.ts                            | 2 +-
 scripts/check-no-monolithic-plugin-sdk-entry-imports.ts | 7 +++++++
 src/plugin-sdk/core.ts                                  | 2 ++
 src/plugin-sdk/subpaths.test.ts                         | 2 ++
 6 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/docs/tools/plugin.md b/docs/tools/plugin.md
index a53a05bf6c0..246724719ff 100644
--- a/docs/tools/plugin.md
+++ b/docs/tools/plugin.md
@@ -571,7 +571,7 @@ Notes:
 Use SDK subpaths instead of the monolithic `openclaw/plugin-sdk` import when
 authoring plugins:
 
-- `openclaw/plugin-sdk/core` for generic plugin APIs, provider auth types, and shared helpers.
+- `openclaw/plugin-sdk/core` for generic plugin APIs, provider auth types, and shared helpers such as routing/session utilities and logger-backed runtimes.
 - `openclaw/plugin-sdk/compat` for bundled/internal plugin code that needs broader shared runtime helpers than `core`.
 - `openclaw/plugin-sdk/telegram` for Telegram channel plugins.
 - `openclaw/plugin-sdk/discord` for Discord channel plugins.
diff --git a/extensions/shared/passive-monitor.ts b/extensions/shared/passive-monitor.ts
index e5ffb3f03ff..0be48afd014 100644
--- a/extensions/shared/passive-monitor.ts
+++ b/extensions/shared/passive-monitor.ts
@@ -1,4 +1,4 @@
-import { runPassiveAccountLifecycle } from "openclaw/plugin-sdk";
+import { runPassiveAccountLifecycle } from "openclaw/plugin-sdk/core";
 
 type StoppableMonitor = {
   stop: () => void;
diff --git a/extensions/shared/runtime.ts b/extensions/shared/runtime.ts
index a1950ba6be0..2a75360aa20 100644
--- a/extensions/shared/runtime.ts
+++ b/extensions/shared/runtime.ts
@@ -1,4 +1,4 @@
-import { createLoggerBackedRuntime } from "openclaw/plugin-sdk";
+import { createLoggerBackedRuntime } from "openclaw/plugin-sdk/core";
 
 export function resolveLoggerBackedRuntime<TRuntime>(
   runtime: TRuntime | undefined,
diff --git a/scripts/check-no-monolithic-plugin-sdk-entry-imports.ts b/scripts/check-no-monolithic-plugin-sdk-entry-imports.ts
index 9b77ae9cf61..01a2eb38c75 100644
--- a/scripts/check-no-monolithic-plugin-sdk-entry-imports.ts
+++ b/scripts/check-no-monolithic-plugin-sdk-entry-imports.ts
@@ -59,6 +59,10 @@ function collectPluginSourceFiles(rootDir: string): string[] {
   return files;
 }
 
+function collectSharedExtensionSourceFiles(): string[] {
+  return collectPluginSourceFiles(path.join(process.cwd(), "extensions", "shared"));
+}
+
 function main() {
   const discovery = discoverOpenClawPlugins({});
   const bundledCandidates = discovery.candidates.filter((c) => c.origin === "bundled");
@@ -69,6 +73,9 @@ function main() {
       filesToCheck.add(srcFile);
     }
   }
+  for (const sharedFile of collectSharedExtensionSourceFiles()) {
+    filesToCheck.add(sharedFile);
+  }
 
   const offenders: string[] = [];
   for (const entryFile of filesToCheck) {
diff --git a/src/plugin-sdk/core.ts b/src/plugin-sdk/core.ts
index 458a4ecfce7..01807d79132 100644
--- a/src/plugin-sdk/core.ts
+++ b/src/plugin-sdk/core.ts
@@ -144,3 +144,5 @@ export {
   type RoutePeerKind,
 } from "../routing/resolve-route.js";
 export { resolveThreadSessionKeys } from "../routing/session-key.js";
+export { runPassiveAccountLifecycle } from "./channel-lifecycle.js";
+export { createLoggerBackedRuntime } from "./runtime.js";
diff --git a/src/plugin-sdk/subpaths.test.ts b/src/plugin-sdk/subpaths.test.ts
index be9e2680ec5..5c26ebf44ca 100644
--- a/src/plugin-sdk/subpaths.test.ts
+++ b/src/plugin-sdk/subpaths.test.ts
@@ -29,6 +29,8 @@ describe("plugin-sdk subpath exports", () => {
   it("exports core routing helpers", () => {
     expect(typeof coreSdk.buildAgentSessionKey).toBe("function");
     expect(typeof coreSdk.resolveThreadSessionKeys).toBe("function");
+    expect(typeof coreSdk.runPassiveAccountLifecycle).toBe("function");
+    expect(typeof coreSdk.createLoggerBackedRuntime).toBe("function");
   });
 
   it("exports Discord helpers", () => {

From bbf3b4acf278b2a09f734328c60bc3931257bd1a Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Mon, 16 Mar 2026 00:24:49 -0700
Subject: [PATCH 098/133] Plugins: add provider auth contracts

---
 src/plugins/contracts/auth.contract.test.ts | 255 ++++++++++++++++++++
 1 file changed, 255 insertions(+)
 create mode 100644 src/plugins/contracts/auth.contract.test.ts

diff --git a/src/plugins/contracts/auth.contract.test.ts b/src/plugins/contracts/auth.contract.test.ts
new file mode 100644
index 00000000000..1d753ca2f53
--- /dev/null
+++ b/src/plugins/contracts/auth.contract.test.ts
@@ -0,0 +1,255 @@
+import { afterEach, describe, expect, it, vi } from "vitest";
+import {
+  clearRuntimeAuthProfileStoreSnapshots,
+  replaceRuntimeAuthProfileStoreSnapshots,
+} from "../../agents/auth-profiles/store.js";
+import { createNonExitingRuntime } from "../../runtime.js";
+import { createCapturedPluginRegistration } from "../../test-utils/plugin-registration.js";
+import type { WizardPrompter, WizardProgress } from "../../wizard/prompts.js";
+import type { OpenClawPluginApi, ProviderPlugin } from "../types.js";
+
+const loginOpenAICodexOAuthMock = vi.hoisted(() => vi.fn());
+const loginQwenPortalOAuthMock = vi.hoisted(() => vi.fn());
+const githubCopilotLoginCommandMock = vi.hoisted(() => vi.fn());
+
+vi.mock("../../commands/openai-codex-oauth.js", () => ({
+  loginOpenAICodexOAuth: loginOpenAICodexOAuthMock,
+}));
+
+vi.mock("../../../extensions/qwen-portal-auth/oauth.js", () => ({
+  loginQwenPortalOAuth: loginQwenPortalOAuthMock,
+}));
+
+vi.mock("../../providers/github-copilot-auth.js", () => ({
+  githubCopilotLoginCommand: githubCopilotLoginCommandMock,
+}));
+
+const openAIPlugin = (await import("../../../extensions/openai/index.js")).default;
+const qwenPortalPlugin = (await import("../../../extensions/qwen-portal-auth/index.js")).default;
+const githubCopilotPlugin = (await import("../../../extensions/github-copilot/index.js")).default;
+
+function buildPrompter(): WizardPrompter {
+  const progress: WizardProgress = {
+    update() {},
+    stop() {},
+  };
+  return {
+    intro: async () => {},
+    outro: async () => {},
+    note: async () => {},
+    select: async () => "",
+    multiselect: async () => [],
+    text: async () => "",
+    confirm: async () => false,
+    progress: () => progress,
+  };
+}
+
+function buildAuthContext() {
+  return {
+    config: {},
+    prompter: buildPrompter(),
+    runtime: createNonExitingRuntime(),
+    isRemote: false,
+    openUrl: async () => {},
+    oauth: {
+      createVpsAwareHandlers: vi.fn() as never,
+    },
+  };
+}
+
+function registerProviders(...plugins: Array<{ register(api: OpenClawPluginApi): void }>) {
+  const captured = createCapturedPluginRegistration();
+  for (const plugin of plugins) {
+    plugin.register(captured.api);
+  }
+  return captured.providers;
+}
+
+function requireProvider(providers: ProviderPlugin[], providerId: string) {
+  const provider = providers.find((entry) => entry.id === providerId);
+  if (!provider) {
+    throw new Error(`provider ${providerId} missing`);
+  }
+  return provider;
+}
+
+describe("provider auth contract", () => {
+  afterEach(() => {
+    loginOpenAICodexOAuthMock.mockReset();
+    loginQwenPortalOAuthMock.mockReset();
+    githubCopilotLoginCommandMock.mockReset();
+    clearRuntimeAuthProfileStoreSnapshots();
+  });
+
+  it("keeps OpenAI Codex OAuth auth results provider-owned", async () => {
+    const provider = requireProvider(registerProviders(openAIPlugin), "openai-codex");
+    loginOpenAICodexOAuthMock.mockResolvedValueOnce({
+      email: "user@example.com",
+      refresh: "refresh-token",
+      access: "access-token",
+      expires: 1_700_000_000_000,
+    });
+
+    const result = await provider.auth[0]?.run(buildAuthContext() as never);
+
+    expect(result).toEqual({
+      profiles: [
+        {
+          profileId: "openai-codex:user@example.com",
+          credential: {
+            type: "oauth",
+            provider: "openai-codex",
+            access: "access-token",
+            refresh: "refresh-token",
+            expires: 1_700_000_000_000,
+            email: "user@example.com",
+          },
+        },
+      ],
+      configPatch: {
+        agents: {
+          defaults: {
+            models: {
+              "openai-codex/gpt-5.4": {},
+            },
+          },
+        },
+      },
+      defaultModel: "openai-codex/gpt-5.4",
+      notes: undefined,
+    });
+  });
+
+  it("keeps OpenAI Codex OAuth failures non-fatal at the provider layer", async () => {
+    const provider = requireProvider(registerProviders(openAIPlugin), "openai-codex");
+    loginOpenAICodexOAuthMock.mockRejectedValueOnce(new Error("oauth failed"));
+
+    await expect(provider.auth[0]?.run(buildAuthContext() as never)).resolves.toEqual({
+      profiles: [],
+    });
+  });
+
+  it("keeps Qwen portal OAuth auth results provider-owned", async () => {
+    const provider = requireProvider(registerProviders(qwenPortalPlugin), "qwen-portal");
+    loginQwenPortalOAuthMock.mockResolvedValueOnce({
+      access: "access-token",
+      refresh: "refresh-token",
+      expires: 1_700_000_000_000,
+      resourceUrl: "portal.qwen.ai",
+    });
+
+    const result = await provider.auth[0]?.run(buildAuthContext() as never);
+
+    expect(result).toMatchObject({
+      profiles: [
+        {
+          profileId: "qwen-portal:default",
+          credential: {
+            type: "oauth",
+            provider: "qwen-portal",
+            access: "access-token",
+            refresh: "refresh-token",
+            expires: 1_700_000_000_000,
+          },
+        },
+      ],
+      defaultModel: "qwen-portal/coder-model",
+      configPatch: {
+        models: {
+          providers: {
+            "qwen-portal": {
+              baseUrl: "https://portal.qwen.ai/v1",
+              models: [],
+            },
+          },
+        },
+      },
+    });
+    expect(result?.notes).toEqual(
+      expect.arrayContaining([
+        expect.stringContaining("auto-refresh"),
+        expect.stringContaining("Base URL defaults"),
+      ]),
+    );
+  });
+
+  it("keeps GitHub Copilot device auth results provider-owned", async () => {
+    const provider = requireProvider(registerProviders(githubCopilotPlugin), "github-copilot");
+    replaceRuntimeAuthProfileStoreSnapshots([
+      {
+        store: {
+          version: 1,
+          profiles: {
+            "github-copilot:github": {
+              type: "token",
+              provider: "github-copilot",
+              token: "github-device-token",
+            },
+          },
+        },
+      },
+    ]);
+
+    const stdin = process.stdin as NodeJS.ReadStream & { isTTY?: boolean };
+    const hadOwnIsTTY = Object.prototype.hasOwnProperty.call(stdin, "isTTY");
+    const previousIsTTYDescriptor = Object.getOwnPropertyDescriptor(stdin, "isTTY");
+    Object.defineProperty(stdin, "isTTY", {
+      configurable: true,
+      enumerable: true,
+      get: () => true,
+    });
+
+    try {
+      const result = await provider.auth[0]?.run(buildAuthContext() as never);
+      expect(githubCopilotLoginCommandMock).toHaveBeenCalledWith(
+        { yes: true, profileId: "github-copilot:github" },
+        expect.any(Object),
+      );
+      expect(result).toEqual({
+        profiles: [
+          {
+            profileId: "github-copilot:github",
+            credential: {
+              type: "token",
+              provider: "github-copilot",
+              token: "github-device-token",
+            },
+          },
+        ],
+        defaultModel: "github-copilot/gpt-4o",
+      });
+    } finally {
+      if (previousIsTTYDescriptor) {
+        Object.defineProperty(stdin, "isTTY", previousIsTTYDescriptor);
+      } else if (!hadOwnIsTTY) {
+        delete (stdin as { isTTY?: boolean }).isTTY;
+      }
+    }
+  });
+
+  it("keeps GitHub Copilot auth gated on interactive TTYs", async () => {
+    const provider = requireProvider(registerProviders(githubCopilotPlugin), "github-copilot");
+    const stdin = process.stdin as NodeJS.ReadStream & { isTTY?: boolean };
+    const hadOwnIsTTY = Object.prototype.hasOwnProperty.call(stdin, "isTTY");
+    const previousIsTTYDescriptor = Object.getOwnPropertyDescriptor(stdin, "isTTY");
+    Object.defineProperty(stdin, "isTTY", {
+      configurable: true,
+      enumerable: true,
+      get: () => false,
+    });
+
+    try {
+      await expect(provider.auth[0]?.run(buildAuthContext() as never)).resolves.toEqual({
+        profiles: [],
+      });
+      expect(githubCopilotLoginCommandMock).not.toHaveBeenCalled();
+    } finally {
+      if (previousIsTTYDescriptor) {
+        Object.defineProperty(stdin, "isTTY", previousIsTTYDescriptor);
+      } else if (!hadOwnIsTTY) {
+        delete (stdin as { isTTY?: boolean }).isTTY;
+      }
+    }
+  });
+});

From 209f1a08d7a352a52a095c5883d9b6c4804738a6 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Mon, 16 Mar 2026 00:28:51 -0700
Subject: [PATCH 099/133] Plugins: dedupe routing imports in channel adapters

---
 extensions/discord/src/channel.ts  | 5 -----
 extensions/imessage/src/channel.ts | 1 -
 2 files changed, 6 deletions(-)

diff --git a/extensions/discord/src/channel.ts b/extensions/discord/src/channel.ts
index e3833f56ed5..0b6063bf52d 100644
--- a/extensions/discord/src/channel.ts
+++ b/extensions/discord/src/channel.ts
@@ -8,11 +8,6 @@ import {
   createScopedAccountConfigAccessors,
   formatAllowFromLowercase,
 } from "openclaw/plugin-sdk/compat";
-import {
-  buildAgentSessionKey,
-  resolveThreadSessionKeys,
-  type RoutePeer,
-} from "openclaw/plugin-sdk/core";
 import {
   buildComputedAccountStatusSnapshot,
   buildChannelConfigSchema,
diff --git a/extensions/imessage/src/channel.ts b/extensions/imessage/src/channel.ts
index e66ee5a3c82..0fd5ca12546 100644
--- a/extensions/imessage/src/channel.ts
+++ b/extensions/imessage/src/channel.ts
@@ -3,7 +3,6 @@ import {
   buildAccountScopedDmSecurityPolicy,
   collectAllowlistProviderRestrictSendersWarnings,
 } from "openclaw/plugin-sdk/compat";
-import { buildAgentSessionKey, type RoutePeer } from "openclaw/plugin-sdk/core";
 import {
   buildChannelConfigSchema,
   collectStatusIssuesFromLastError,

From a6eda07316292686f7f07b84c7b615d1e6639a4a Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Mon, 16 Mar 2026 00:29:03 -0700
Subject: [PATCH 100/133] Plugins: add provider discovery contracts

---
 .../contracts/discovery.contract.test.ts      | 193 ++++++++++++++++++
 1 file changed, 193 insertions(+)
 create mode 100644 src/plugins/contracts/discovery.contract.test.ts

diff --git a/src/plugins/contracts/discovery.contract.test.ts b/src/plugins/contracts/discovery.contract.test.ts
new file mode 100644
index 00000000000..c1c47a752aa
--- /dev/null
+++ b/src/plugins/contracts/discovery.contract.test.ts
@@ -0,0 +1,193 @@
+import { afterEach, describe, expect, it, vi } from "vitest";
+import {
+  clearRuntimeAuthProfileStoreSnapshots,
+  replaceRuntimeAuthProfileStoreSnapshots,
+} from "../../agents/auth-profiles/store.js";
+import { QWEN_OAUTH_MARKER } from "../../agents/model-auth-markers.js";
+import { createCapturedPluginRegistration } from "../../test-utils/plugin-registration.js";
+import { runProviderCatalog } from "../provider-discovery.js";
+import type { OpenClawPluginApi, ProviderPlugin } from "../types.js";
+
+const resolveCopilotApiTokenMock = vi.hoisted(() => vi.fn());
+
+vi.mock("../../../extensions/github-copilot/token.js", async () => {
+  const actual = await vi.importActual<object>("../../../extensions/github-copilot/token.js");
+  return {
+    ...actual,
+    resolveCopilotApiToken: resolveCopilotApiTokenMock,
+  };
+});
+
+const qwenPortalPlugin = (await import("../../../extensions/qwen-portal-auth/index.js")).default;
+const githubCopilotPlugin = (await import("../../../extensions/github-copilot/index.js")).default;
+
+function registerProviders(...plugins: Array<{ register(api: OpenClawPluginApi): void }>) {
+  const captured = createCapturedPluginRegistration();
+  for (const plugin of plugins) {
+    plugin.register(captured.api);
+  }
+  return captured.providers;
+}
+
+function requireProvider(providers: ProviderPlugin[], providerId: string) {
+  const provider = providers.find((entry) => entry.id === providerId);
+  if (!provider) {
+    throw new Error(`provider ${providerId} missing`);
+  }
+  return provider;
+}
+
+describe("provider discovery contract", () => {
+  afterEach(() => {
+    resolveCopilotApiTokenMock.mockReset();
+    clearRuntimeAuthProfileStoreSnapshots();
+  });
+
+  it("keeps qwen portal oauth marker fallback provider-owned", async () => {
+    const provider = requireProvider(registerProviders(qwenPortalPlugin), "qwen-portal");
+    replaceRuntimeAuthProfileStoreSnapshots([
+      {
+        store: {
+          version: 1,
+          profiles: {
+            "qwen-portal:default": {
+              type: "oauth",
+              provider: "qwen-portal",
+              access: "access-token",
+              refresh: "refresh-token",
+              expires: Date.now() + 60_000,
+            },
+          },
+        },
+      },
+    ]);
+
+    await expect(
+      runProviderCatalog({
+        provider,
+        config: {},
+        env: {} as NodeJS.ProcessEnv,
+        resolveProviderApiKey: () => ({ apiKey: undefined }),
+      }),
+    ).resolves.toEqual({
+      provider: {
+        baseUrl: "https://portal.qwen.ai/v1",
+        apiKey: QWEN_OAUTH_MARKER,
+        api: "openai-completions",
+        models: [
+          expect.objectContaining({ id: "coder-model", name: "Qwen Coder" }),
+          expect.objectContaining({ id: "vision-model", name: "Qwen Vision" }),
+        ],
+      },
+    });
+  });
+
+  it("keeps qwen portal env api keys higher priority than oauth markers", async () => {
+    const provider = requireProvider(registerProviders(qwenPortalPlugin), "qwen-portal");
+    replaceRuntimeAuthProfileStoreSnapshots([
+      {
+        store: {
+          version: 1,
+          profiles: {
+            "qwen-portal:default": {
+              type: "oauth",
+              provider: "qwen-portal",
+              access: "access-token",
+              refresh: "refresh-token",
+              expires: Date.now() + 60_000,
+            },
+          },
+        },
+      },
+    ]);
+
+    await expect(
+      runProviderCatalog({
+        provider,
+        config: {},
+        env: { QWEN_PORTAL_API_KEY: "env-key" } as NodeJS.ProcessEnv,
+        resolveProviderApiKey: () => ({ apiKey: "env-key" }),
+      }),
+    ).resolves.toMatchObject({
+      provider: {
+        apiKey: "env-key",
+      },
+    });
+  });
+
+  it("keeps GitHub Copilot catalog disabled without env tokens or profiles", async () => {
+    const provider = requireProvider(registerProviders(githubCopilotPlugin), "github-copilot");
+
+    await expect(
+      runProviderCatalog({
+        provider,
+        config: {},
+        env: {} as NodeJS.ProcessEnv,
+        resolveProviderApiKey: () => ({ apiKey: undefined }),
+      }),
+    ).resolves.toBeNull();
+  });
+
+  it("keeps GitHub Copilot profile-only catalog fallback provider-owned", async () => {
+    const provider = requireProvider(registerProviders(githubCopilotPlugin), "github-copilot");
+    replaceRuntimeAuthProfileStoreSnapshots([
+      {
+        store: {
+          version: 1,
+          profiles: {
+            "github-copilot:github": {
+              type: "token",
+              provider: "github-copilot",
+              token: "profile-token",
+            },
+          },
+        },
+      },
+    ]);
+
+    await expect(
+      runProviderCatalog({
+        provider,
+        config: {},
+        env: {} as NodeJS.ProcessEnv,
+        resolveProviderApiKey: () => ({ apiKey: undefined }),
+      }),
+    ).resolves.toEqual({
+      provider: {
+        baseUrl: "https://api.individual.githubcopilot.com",
+        models: [],
+      },
+    });
+  });
+
+  it("keeps GitHub Copilot env-token base URL resolution provider-owned", async () => {
+    const provider = requireProvider(registerProviders(githubCopilotPlugin), "github-copilot");
+    resolveCopilotApiTokenMock.mockResolvedValueOnce({
+      token: "copilot-api-token",
+      baseUrl: "https://copilot-proxy.example.com",
+      expiresAt: Date.now() + 60_000,
+    });
+
+    await expect(
+      runProviderCatalog({
+        provider,
+        config: {},
+        env: {
+          GITHUB_TOKEN: "github-env-token",
+        } as NodeJS.ProcessEnv,
+        resolveProviderApiKey: () => ({ apiKey: undefined }),
+      }),
+    ).resolves.toEqual({
+      provider: {
+        baseUrl: "https://copilot-proxy.example.com",
+        models: [],
+      },
+    });
+    expect(resolveCopilotApiTokenMock).toHaveBeenCalledWith({
+      githubToken: "github-env-token",
+      env: expect.objectContaining({
+        GITHUB_TOKEN: "github-env-token",
+      }),
+    });
+  });
+});

From 045a879acfd84006becf706d4059d6a3d349c315 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Mar 2026 07:32:27 +0000
Subject: [PATCH 101/133] fix: stop bonjour before re-advertising

---
 src/infra/bonjour.test.ts | 11 +++++++++--
 src/infra/bonjour.ts      |  2 +-
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/src/infra/bonjour.test.ts b/src/infra/bonjour.test.ts
index efccc1ce8b1..d9e438f5cce 100644
--- a/src/infra/bonjour.test.ts
+++ b/src/infra/bonjour.test.ts
@@ -299,9 +299,15 @@ describe("gateway bonjour advertiser", () => {
     vi.useFakeTimers();
 
     const stateRef = { value: "announcing" };
-    const destroy = vi.fn().mockResolvedValue(undefined);
+    const events: string[] = [];
+    let advertiseCount = 0;
+    const destroy = vi.fn().mockImplementation(async () => {
+      events.push("destroy");
+    });
     const advertise = vi.fn().mockImplementation(() => {
-      if (advertise.mock.calls.length === 1) {
+      advertiseCount += 1;
+      events.push(`advertise:${advertiseCount}`);
+      if (advertiseCount === 1) {
         stateRef.value = "announcing";
         return new Promise<void>(() => {});
       }
@@ -325,6 +331,7 @@ describe("gateway bonjour advertiser", () => {
     expect(advertise).toHaveBeenCalledTimes(2);
     expect(destroy).toHaveBeenCalledTimes(1);
     expect(shutdown).toHaveBeenCalledTimes(1);
+    expect(events).toEqual(["advertise:1", "destroy", "advertise:2"]);
 
     await started.stop();
     expect(destroy).toHaveBeenCalledTimes(2);
diff --git a/src/infra/bonjour.ts b/src/infra/bonjour.ts
index 2b500986f33..44a0ed99448 100644
--- a/src/infra/bonjour.ts
+++ b/src/infra/bonjour.ts
@@ -273,11 +273,11 @@ export async function startGatewayBonjourAdvertiser(
     recreatePromise = (async () => {
       logWarn(`bonjour: restarting advertiser (${reason})`);
       const previous = cycle;
+      await stopCycle(previous);
       cycle = createCycle();
       stateTracker.clear();
       attachConflictListeners(cycle.services);
       startAdvertising(cycle.services);
-      await stopCycle(previous);
     })().finally(() => {
       recreatePromise = null;
     });

From 67b886b725d8c7c0577dd351397fdde321c8113a Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Mon, 16 Mar 2026 00:35:04 -0700
Subject: [PATCH 102/133] Plugins: extend provider discovery contracts

---
 .../contracts/discovery.contract.test.ts      | 134 ++++++++++++++++++
 1 file changed, 134 insertions(+)

diff --git a/src/plugins/contracts/discovery.contract.test.ts b/src/plugins/contracts/discovery.contract.test.ts
index c1c47a752aa..8394cbfa992 100644
--- a/src/plugins/contracts/discovery.contract.test.ts
+++ b/src/plugins/contracts/discovery.contract.test.ts
@@ -9,6 +9,9 @@ import { runProviderCatalog } from "../provider-discovery.js";
 import type { OpenClawPluginApi, ProviderPlugin } from "../types.js";
 
 const resolveCopilotApiTokenMock = vi.hoisted(() => vi.fn());
+const buildOllamaProviderMock = vi.hoisted(() => vi.fn());
+const buildVllmProviderMock = vi.hoisted(() => vi.fn());
+const buildSglangProviderMock = vi.hoisted(() => vi.fn());
 
 vi.mock("../../../extensions/github-copilot/token.js", async () => {
   const actual = await vi.importActual<object>("../../../extensions/github-copilot/token.js");
@@ -18,8 +21,21 @@ vi.mock("../../../extensions/github-copilot/token.js", async () => {
   };
 });
 
+vi.mock("openclaw/plugin-sdk/core", async () => {
+  const actual = await vi.importActual<object>("openclaw/plugin-sdk/core");
+  return {
+    ...actual,
+    buildOllamaProvider: (...args: unknown[]) => buildOllamaProviderMock(...args),
+    buildVllmProvider: (...args: unknown[]) => buildVllmProviderMock(...args),
+    buildSglangProvider: (...args: unknown[]) => buildSglangProviderMock(...args),
+  };
+});
+
 const qwenPortalPlugin = (await import("../../../extensions/qwen-portal-auth/index.js")).default;
 const githubCopilotPlugin = (await import("../../../extensions/github-copilot/index.js")).default;
+const ollamaPlugin = (await import("../../../extensions/ollama/index.js")).default;
+const vllmPlugin = (await import("../../../extensions/vllm/index.js")).default;
+const sglangPlugin = (await import("../../../extensions/sglang/index.js")).default;
 
 function registerProviders(...plugins: Array<{ register(api: OpenClawPluginApi): void }>) {
   const captured = createCapturedPluginRegistration();
@@ -40,6 +56,9 @@ function requireProvider(providers: ProviderPlugin[], providerId: string) {
 describe("provider discovery contract", () => {
   afterEach(() => {
     resolveCopilotApiTokenMock.mockReset();
+    buildOllamaProviderMock.mockReset();
+    buildVllmProviderMock.mockReset();
+    buildSglangProviderMock.mockReset();
     clearRuntimeAuthProfileStoreSnapshots();
   });
 
@@ -190,4 +209,119 @@ describe("provider discovery contract", () => {
       }),
     });
   });
+
+  it("keeps Ollama explicit catalog normalization provider-owned", async () => {
+    const provider = requireProvider(registerProviders(ollamaPlugin), "ollama");
+
+    await expect(
+      runProviderCatalog({
+        provider,
+        config: {
+          models: {
+            providers: {
+              ollama: {
+                baseUrl: "http://ollama-host:11434/v1/",
+                models: [{ id: "llama3.2", name: "llama3.2" }],
+              },
+            },
+          },
+        },
+        env: {} as NodeJS.ProcessEnv,
+        resolveProviderApiKey: () => ({ apiKey: undefined }),
+      }),
+    ).resolves.toEqual({
+      provider: {
+        baseUrl: "http://ollama-host:11434",
+        api: "ollama",
+        apiKey: "ollama-local",
+        models: [{ id: "llama3.2", name: "llama3.2" }],
+      },
+    });
+    expect(buildOllamaProviderMock).not.toHaveBeenCalled();
+  });
+
+  it("keeps Ollama empty autodiscovery disabled without keys or explicit config", async () => {
+    const provider = requireProvider(registerProviders(ollamaPlugin), "ollama");
+    buildOllamaProviderMock.mockResolvedValueOnce({
+      baseUrl: "http://127.0.0.1:11434",
+      api: "ollama",
+      models: [],
+    });
+
+    await expect(
+      runProviderCatalog({
+        provider,
+        config: {},
+        env: {} as NodeJS.ProcessEnv,
+        resolveProviderApiKey: () => ({ apiKey: undefined }),
+      }),
+    ).resolves.toBeNull();
+    expect(buildOllamaProviderMock).toHaveBeenCalledWith(undefined, { quiet: true });
+  });
+
+  it("keeps vLLM self-hosted discovery provider-owned", async () => {
+    const provider = requireProvider(registerProviders(vllmPlugin), "vllm");
+    buildVllmProviderMock.mockResolvedValueOnce({
+      baseUrl: "http://127.0.0.1:8000/v1",
+      api: "openai-completions",
+      models: [{ id: "meta-llama/Meta-Llama-3-8B-Instruct", name: "Meta Llama 3" }],
+    });
+
+    await expect(
+      runProviderCatalog({
+        provider,
+        config: {},
+        env: {
+          VLLM_API_KEY: "env-vllm-key",
+        } as NodeJS.ProcessEnv,
+        resolveProviderApiKey: () => ({
+          apiKey: "VLLM_API_KEY",
+          discoveryApiKey: "env-vllm-key",
+        }),
+      }),
+    ).resolves.toEqual({
+      provider: {
+        baseUrl: "http://127.0.0.1:8000/v1",
+        api: "openai-completions",
+        apiKey: "VLLM_API_KEY",
+        models: [{ id: "meta-llama/Meta-Llama-3-8B-Instruct", name: "Meta Llama 3" }],
+      },
+    });
+    expect(buildVllmProviderMock).toHaveBeenCalledWith({
+      apiKey: "env-vllm-key",
+    });
+  });
+
+  it("keeps SGLang self-hosted discovery provider-owned", async () => {
+    const provider = requireProvider(registerProviders(sglangPlugin), "sglang");
+    buildSglangProviderMock.mockResolvedValueOnce({
+      baseUrl: "http://127.0.0.1:30000/v1",
+      api: "openai-completions",
+      models: [{ id: "Qwen/Qwen3-8B", name: "Qwen3-8B" }],
+    });
+
+    await expect(
+      runProviderCatalog({
+        provider,
+        config: {},
+        env: {
+          SGLANG_API_KEY: "env-sglang-key",
+        } as NodeJS.ProcessEnv,
+        resolveProviderApiKey: () => ({
+          apiKey: "SGLANG_API_KEY",
+          discoveryApiKey: "env-sglang-key",
+        }),
+      }),
+    ).resolves.toEqual({
+      provider: {
+        baseUrl: "http://127.0.0.1:30000/v1",
+        api: "openai-completions",
+        apiKey: "SGLANG_API_KEY",
+        models: [{ id: "Qwen/Qwen3-8B", name: "Qwen3-8B" }],
+      },
+    });
+    expect(buildSglangProviderMock).toHaveBeenCalledWith({
+      apiKey: "env-sglang-key",
+    });
+  });
 });

From 49251def617a66cfbf5702f615e8f939528a4993 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Mar 2026 00:37:15 -0700
Subject: [PATCH 103/133] docs: codify macOS parallels discord smoke

---
 .../parallels-discord-roundtrip/SKILL.md      |  54 ++++
 AGENTS.md                                     |   5 +
 scripts/e2e/parallels-macos-smoke.sh          | 306 +++++++++++++++++-
 3 files changed, 362 insertions(+), 3 deletions(-)
 create mode 100644 .agents/skills/parallels-discord-roundtrip/SKILL.md

diff --git a/.agents/skills/parallels-discord-roundtrip/SKILL.md b/.agents/skills/parallels-discord-roundtrip/SKILL.md
new file mode 100644
index 00000000000..1986bc67187
--- /dev/null
+++ b/.agents/skills/parallels-discord-roundtrip/SKILL.md
@@ -0,0 +1,54 @@
+# Parallels Discord Roundtrip
+
+Use when macOS Parallels smoke must prove Discord two-way delivery end to end.
+
+## Goal
+
+Cover:
+
+- install on fresh macOS snapshot
+- onboard + gateway health
+- guest `message send` to Discord
+- host sees that message on Discord
+- host posts a new Discord message
+- guest `message read` sees that new message
+
+## Inputs
+
+- host env var with Discord bot token
+- Discord guild ID
+- Discord channel ID
+- `OPENAI_API_KEY`
+
+## Preferred run
+
+```bash
+export OPENCLAW_PARALLELS_DISCORD_TOKEN="$(
+  ssh peters-mac-studio-1 'jq -r ".channels.discord.token" ~/.openclaw/openclaw.json' | tr -d '\n'
+)"
+
+pnpm test:parallels:macos \
+  --discord-token-env OPENCLAW_PARALLELS_DISCORD_TOKEN \
+  --discord-guild-id 1456350064065904867 \
+  --discord-channel-id 1456744319972282449 \
+  --json
+```
+
+## Notes
+
+- Snapshot target: closest to `macOS 26.3.1 fresh`.
+- Harness configures Discord inside the guest; no checked-in token/config.
+- Use the `openclaw` wrapper for guest `message send/read`; `node openclaw.mjs message ...` does not expose the lazy message subcommands the same way.
+- Write `channels.discord.guilds` in one JSON object (`--strict-json`), not dotted `config set channels.discord.guilds.<snowflake>...` paths; numeric snowflakes get treated like array indexes.
+- Avoid `prlctl enter` / expect for long Discord setup scripts; it line-wraps/corrupts long commands. Use `prlctl exec --current-user /bin/sh -lc ...` for the Discord config phase.
+- Harness cleanup deletes the temporary Discord smoke messages at exit.
+- Per-phase logs: `/tmp/openclaw-parallels-smoke.*`
+- Machine summary: pass `--json`
+- If roundtrip flakes, inspect `fresh.discord-roundtrip.log` and `discord-last-readback.json` in the run dir first.
+
+## Pass criteria
+
+- fresh lane or upgrade lane requested passes
+- summary reports `discord=pass` for that lane
+- guest outbound nonce appears in channel history
+- host inbound nonce appears in `openclaw message read` output
diff --git a/AGENTS.md b/AGENTS.md
index 1197f6fb48f..df72efbe720 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -212,6 +212,11 @@
   - `prlctl exec` is fine for deterministic repo commands, but it can misrepresent interactive shell behavior (`PATH`, `HOME`, `curl | bash`, shebang resolution). For installer parity or shell-sensitive repros, prefer the guest Terminal or `prlctl enter`.
   - Fresh Tahoe snapshot current reality: `brew` exists, `node` may not be on `PATH` in noninteractive guest exec. Use absolute `/opt/homebrew/bin/node` for repo/CLI runs when needed.
   - Preferred automation entrypoint: `pnpm test:parallels:macos`. It restores the snapshot most closely matching `macOS 26.3.1 fresh`, serves the current `main` tarball from the host, then runs fresh-install and latest-release-to-main smoke lanes.
+  - Discord roundtrip smoke is opt-in. Pass `--discord-token-env <VAR> --discord-guild-id <guild> --discord-channel-id <channel>`; the harness will configure Discord in-guest, post a guest message, verify host-side visibility via the Discord REST API, post a fresh host-side message back into the channel, then verify `openclaw message read` sees it in-guest.
+  - Keep the Discord token in a host env var only. For Peter’s Mac Studio bot, fetch it into a temp env var from `~/.openclaw/openclaw.json` over SSH instead of hardcoding it in repo files/shell history.
+  - For Discord smoke on this snapshot: use `openclaw message send/read` via the installed wrapper, not `node openclaw.mjs message ...`; lazy `message` subcommands do not resolve the same way through the direct module entrypoint.
+  - For Discord guild allowlists: set `channels.discord.guilds` as one JSON object. Do not use dotted `config set channels.discord.guilds.<snowflake>...` paths; numeric snowflakes get treated as array indexes.
+  - Avoid `prlctl enter` / expect for the Discord config phase; long lines get mangled. Use `prlctl exec --current-user /bin/sh -lc ...` with short commands or temp files.
   - Gateway verification in smoke runs should use `openclaw gateway status --deep --require-rpc`, not plain `--deep`, so probe failures go non-zero.
   - Latest-release pre-upgrade diagnostics still need compatibility fallback: stable `2026.3.12` does not know `--require-rpc`, so precheck status dumps should fall back to plain `gateway status --deep` until the guest is upgraded.
   - Harness output: pass `--json` for machine-readable summary; per-phase logs land under `/tmp/openclaw-parallels-smoke.*`.
diff --git a/scripts/e2e/parallels-macos-smoke.sh b/scripts/e2e/parallels-macos-smoke.sh
index 0b790346358..fcdb940161f 100644
--- a/scripts/e2e/parallels-macos-smoke.sh
+++ b/scripts/e2e/parallels-macos-smoke.sh
@@ -17,6 +17,10 @@ TARGET_PACKAGE_SPEC=""
 KEEP_SERVER=0
 CHECK_LATEST_REF=1
 JSON_OUTPUT=0
+DISCORD_TOKEN_ENV=""
+DISCORD_TOKEN_VALUE=""
+DISCORD_GUILD_ID=""
+DISCORD_CHANNEL_ID=""
 GUEST_OPENCLAW_BIN="/opt/homebrew/bin/openclaw"
 GUEST_OPENCLAW_ENTRY="/opt/homebrew/lib/node_modules/openclaw/openclaw.mjs"
 GUEST_NODE_BIN="/opt/homebrew/bin/node"
@@ -35,6 +39,7 @@ TIMEOUT_GATEWAY_S=60
 TIMEOUT_AGENT_S=120
 TIMEOUT_PERMISSION_S=60
 TIMEOUT_SNAPSHOT_S=180
+TIMEOUT_DISCORD_S=180
 
 FRESH_MAIN_VERSION="skip"
 LATEST_INSTALLED_VERSION="skip"
@@ -43,6 +48,8 @@ FRESH_GATEWAY_STATUS="skip"
 UPGRADE_GATEWAY_STATUS="skip"
 FRESH_AGENT_STATUS="skip"
 UPGRADE_AGENT_STATUS="skip"
+FRESH_DISCORD_STATUS="skip"
+UPGRADE_DISCORD_STATUS="skip"
 
 say() {
   printf '==> %s\n' "$*"
@@ -66,6 +73,9 @@ die() {
 }
 
 cleanup() {
+  if command -v cleanup_discord_smoke_messages >/dev/null 2>&1; then
+    cleanup_discord_smoke_messages
+  fi
   if [[ -n "${SERVER_PID:-}" ]]; then
     kill "$SERVER_PID" >/dev/null 2>&1 || true
   fi
@@ -106,6 +116,9 @@ Options:
                              Example: openclaw@2026.3.13-beta.1
   --skip-latest-ref-check    Skip the known latest-release ref-mode precheck in upgrade lane.
   --keep-server              Leave temp host HTTP server running.
+  --discord-token-env <var>  Host env var name for Discord bot token.
+  --discord-guild-id <id>    Discord guild ID for smoke roundtrip.
+  --discord-channel-id <id>  Discord channel ID for smoke roundtrip.
   --json                     Print machine-readable JSON summary.
   -h, --help                 Show help.
 EOF
@@ -154,6 +167,18 @@ while [[ $# -gt 0 ]]; do
       TARGET_PACKAGE_SPEC="$2"
       shift 2
       ;;
+    --discord-token-env)
+      DISCORD_TOKEN_ENV="$2"
+      shift 2
+      ;;
+    --discord-guild-id)
+      DISCORD_GUILD_ID="$2"
+      shift 2
+      ;;
+    --discord-channel-id)
+      DISCORD_CHANNEL_ID="$2"
+      shift 2
+      ;;
     --skip-latest-ref-check)
       CHECK_LATEST_REF=0
       shift
@@ -186,6 +211,86 @@ esac
 OPENAI_API_KEY_VALUE="${!OPENAI_API_KEY_ENV:-}"
 [[ -n "$OPENAI_API_KEY_VALUE" ]] || die "$OPENAI_API_KEY_ENV is required"
 
+if [[ -n "$DISCORD_TOKEN_ENV" || -n "$DISCORD_GUILD_ID" || -n "$DISCORD_CHANNEL_ID" ]]; then
+  [[ -n "$DISCORD_TOKEN_ENV" ]] || die "--discord-token-env is required when Discord smoke args are set"
+  [[ -n "$DISCORD_GUILD_ID" ]] || die "--discord-guild-id is required when Discord smoke args are set"
+  [[ -n "$DISCORD_CHANNEL_ID" ]] || die "--discord-channel-id is required when Discord smoke args are set"
+  DISCORD_TOKEN_VALUE="${!DISCORD_TOKEN_ENV:-}"
+  [[ -n "$DISCORD_TOKEN_VALUE" ]] || die "$DISCORD_TOKEN_ENV is required for Discord smoke"
+fi
+
+discord_smoke_enabled() {
+  [[ -n "$DISCORD_TOKEN_VALUE" && -n "$DISCORD_GUILD_ID" && -n "$DISCORD_CHANNEL_ID" ]]
+}
+
+discord_api_request() {
+  local method="$1"
+  local path="$2"
+  local payload="${3:-}"
+  local url="https://discord.com/api/v10$path"
+  if [[ -n "$payload" ]]; then
+    curl -fsS -X "$method" \
+      -H "Authorization: Bot $DISCORD_TOKEN_VALUE" \
+      -H "Content-Type: application/json" \
+      --data "$payload" \
+      "$url"
+    return
+  fi
+  curl -fsS -X "$method" \
+    -H "Authorization: Bot $DISCORD_TOKEN_VALUE" \
+    "$url"
+}
+
+json_contains_string() {
+  local needle="$1"
+  python3 - "$needle" <<'PY'
+import json
+import sys
+
+needle = sys.argv[1]
+try:
+    payload = json.load(sys.stdin)
+except Exception:
+    raise SystemExit(1)
+
+def contains(value):
+    if isinstance(value, str):
+        return needle in value
+    if isinstance(value, list):
+        return any(contains(item) for item in value)
+    if isinstance(value, dict):
+        return any(contains(item) for item in value.values())
+    return False
+
+raise SystemExit(0 if contains(payload) else 1)
+PY
+}
+
+discord_delete_message_id_file() {
+  local path="$1"
+  [[ -f "$path" ]] || return 0
+  [[ -s "$path" ]] || return 0
+  discord_smoke_enabled || return 0
+
+  local message_id
+  message_id="$(tr -d '\r\n' <"$path")"
+  [[ -n "$message_id" ]] || return 0
+
+  set +e
+  discord_api_request DELETE "/channels/$DISCORD_CHANNEL_ID/messages/$message_id" >/dev/null
+  set -e
+}
+
+cleanup_discord_smoke_messages() {
+  discord_smoke_enabled || return 0
+  [[ -d "$RUN_DIR" ]] || return 0
+
+  discord_delete_message_id_file "$RUN_DIR/fresh.discord-sent-message-id"
+  discord_delete_message_id_file "$RUN_DIR/fresh.discord-host-message-id"
+  discord_delete_message_id_file "$RUN_DIR/upgrade.discord-sent-message-id"
+  discord_delete_message_id_file "$RUN_DIR/upgrade.discord-host-message-id"
+}
+
 resolve_snapshot_id() {
   local json hint
   json="$(prlctl snapshot-list "$VM_NAME" --json)"
@@ -286,7 +391,7 @@ wait_for_current_user() {
 
 guest_current_user_exec() {
   prlctl exec "$VM_NAME" --current-user /usr/bin/env \
-    PATH=/opt/homebrew/bin:/opt/homebrew/sbin:/usr/bin:/bin:/usr/sbin:/sbin \
+    PATH=/opt/homebrew/bin:/opt/homebrew/opt/node/bin:/opt/homebrew/sbin:/usr/bin:/bin:/usr/sbin:/sbin \
     "$@"
 }
 
@@ -553,6 +658,180 @@ verify_turn() {
   guest_current_user_exec "$GUEST_NODE_BIN" "$GUEST_OPENCLAW_ENTRY" agent --agent main --message ping --json
 }
 
+configure_discord_smoke() {
+  local guilds_json script
+  guilds_json="$(
+    DISCORD_GUILD_ID="$DISCORD_GUILD_ID" DISCORD_CHANNEL_ID="$DISCORD_CHANNEL_ID" python3 - <<'PY'
+import json
+import os
+
+print(
+    json.dumps(
+        {
+            os.environ["DISCORD_GUILD_ID"]: {
+                "channels": {
+                    os.environ["DISCORD_CHANNEL_ID"]: {
+                        "allow": True,
+                        "requireMention": False,
+                    }
+                }
+            }
+        }
+    )
+)
+PY
+  )"
+  script="$(cat <<EOF
+cat >/tmp/openclaw-discord-token <<'__OPENCLAW_TOKEN__'
+$DISCORD_TOKEN_VALUE
+__OPENCLAW_TOKEN__
+cat >/tmp/openclaw-discord-guilds.json <<'__OPENCLAW_GUILDS__'
+$guilds_json
+__OPENCLAW_GUILDS__
+token="\$(tr -d '\n' </tmp/openclaw-discord-token)"
+guilds_json="\$(cat /tmp/openclaw-discord-guilds.json)"
+$GUEST_NODE_BIN $GUEST_OPENCLAW_ENTRY config set channels.discord.token "\$token"
+$GUEST_NODE_BIN $GUEST_OPENCLAW_ENTRY config set channels.discord.enabled true
+$GUEST_NODE_BIN $GUEST_OPENCLAW_ENTRY config set channels.discord.groupPolicy allowlist
+$GUEST_NODE_BIN $GUEST_OPENCLAW_ENTRY config set channels.discord.guilds "\$guilds_json" --strict-json
+$GUEST_NODE_BIN $GUEST_OPENCLAW_ENTRY gateway restart
+for _ in 1 2 3 4 5 6 7 8; do
+  if $GUEST_NODE_BIN $GUEST_OPENCLAW_ENTRY gateway status --deep --require-rpc >/dev/null 2>&1; then
+    break
+  fi
+  sleep 2
+done
+$GUEST_NODE_BIN $GUEST_OPENCLAW_ENTRY channels status --probe --json
+rm -f /tmp/openclaw-discord-token /tmp/openclaw-discord-guilds.json
+EOF
+)"
+  prlctl exec "$VM_NAME" --current-user /usr/bin/env \
+    PATH=/opt/homebrew/bin:/opt/homebrew/opt/node/bin:/opt/homebrew/sbin:/usr/bin:/bin:/usr/sbin:/sbin \
+    /bin/sh -lc "$script"
+}
+
+discord_message_id_from_send_log() {
+  local path="$1"
+  python3 - "$path" <<'PY'
+import json
+import pathlib
+import sys
+
+payload = json.loads(pathlib.Path(sys.argv[1]).read_text())
+message_id = payload.get("payload", {}).get("messageId")
+if not message_id:
+    message_id = payload.get("payload", {}).get("result", {}).get("messageId")
+if not message_id:
+    raise SystemExit("messageId missing from send output")
+print(message_id)
+PY
+}
+
+wait_for_discord_host_visibility() {
+  local nonce="$1"
+  local response
+  local deadline=$((SECONDS + TIMEOUT_DISCORD_S))
+  while (( SECONDS < deadline )); do
+    set +e
+    response="$(discord_api_request GET "/channels/$DISCORD_CHANNEL_ID/messages?limit=20")"
+    local rc=$?
+    set -e
+    if [[ $rc -eq 0 ]] && [[ -n "$response" ]] && printf '%s' "$response" | json_contains_string "$nonce"; then
+      return 0
+    fi
+    sleep 2
+  done
+  return 1
+}
+
+post_host_discord_message() {
+  local nonce="$1"
+  local id_file="$2"
+  local payload response
+  payload="$(
+    NONCE="$nonce" python3 - <<'PY'
+import json
+import os
+
+print(
+    json.dumps(
+        {
+            "content": f"parallels-macos-smoke-inbound-{os.environ['NONCE']}",
+            "flags": 4096,
+        }
+    )
+)
+PY
+  )"
+  response="$(discord_api_request POST "/channels/$DISCORD_CHANNEL_ID/messages" "$payload")"
+  printf '%s' "$response" | python3 - "$id_file" <<'PY'
+import json
+import pathlib
+import sys
+
+payload = json.load(sys.stdin)
+message_id = payload.get("id")
+if not isinstance(message_id, str) or not message_id:
+    raise SystemExit("host Discord post missing message id")
+pathlib.Path(sys.argv[1]).write_text(f"{message_id}\n", encoding="utf-8")
+PY
+}
+
+wait_for_guest_discord_readback() {
+  local nonce="$1"
+  local response rc
+  local last_response_path="$RUN_DIR/discord-last-readback.json"
+  local deadline=$((SECONDS + TIMEOUT_DISCORD_S))
+  while (( SECONDS < deadline )); do
+    set +e
+    response="$(
+      guest_current_user_exec \
+      "$GUEST_OPENCLAW_BIN" \
+      message read \
+      --channel discord \
+      --target "channel:$DISCORD_CHANNEL_ID" \
+      --limit 20 \
+      --json
+    )"
+    rc=$?
+    set -e
+    if [[ -n "$response" ]]; then
+      printf '%s' "$response" >"$last_response_path"
+    fi
+    if [[ $rc -eq 0 ]] && [[ -n "$response" ]] && printf '%s' "$response" | json_contains_string "$nonce"; then
+      return 0
+    fi
+    sleep 3
+  done
+  return 1
+}
+
+run_discord_roundtrip_smoke() {
+  local phase="$1"
+  local nonce outbound_nonce inbound_nonce outbound_message outbound_log sent_id_file host_id_file
+  nonce="$(date +%s)-$RANDOM"
+  outbound_nonce="$phase-out-$nonce"
+  inbound_nonce="$phase-in-$nonce"
+  outbound_message="parallels-macos-smoke-outbound-$outbound_nonce"
+  outbound_log="$RUN_DIR/$phase.discord-send.json"
+  sent_id_file="$RUN_DIR/$phase.discord-sent-message-id"
+  host_id_file="$RUN_DIR/$phase.discord-host-message-id"
+
+  guest_current_user_exec \
+    "$GUEST_OPENCLAW_BIN" \
+    message send \
+    --channel discord \
+    --target "channel:$DISCORD_CHANNEL_ID" \
+    --message "$outbound_message" \
+    --silent \
+    --json >"$outbound_log"
+
+  discord_message_id_from_send_log "$outbound_log" >"$sent_id_file"
+  wait_for_discord_host_visibility "$outbound_nonce"
+  post_host_discord_message "$inbound_nonce" "$host_id_file"
+  wait_for_guest_discord_readback "$inbound_nonce"
+}
+
 phase_log_path() {
   printf '%s/%s.log\n' "$RUN_DIR" "$1"
 }
@@ -646,6 +925,7 @@ summary = {
         "version": os.environ["SUMMARY_FRESH_MAIN_VERSION"],
         "gateway": os.environ["SUMMARY_FRESH_GATEWAY_STATUS"],
         "agent": os.environ["SUMMARY_FRESH_AGENT_STATUS"],
+        "discord": os.environ["SUMMARY_FRESH_DISCORD_STATUS"],
     },
     "upgrade": {
         "precheck": os.environ["SUMMARY_UPGRADE_PRECHECK_STATUS"],
@@ -654,6 +934,7 @@ summary = {
         "mainVersion": os.environ["SUMMARY_UPGRADE_MAIN_VERSION"],
         "gateway": os.environ["SUMMARY_UPGRADE_GATEWAY_STATUS"],
         "agent": os.environ["SUMMARY_UPGRADE_AGENT_STATUS"],
+        "discord": os.environ["SUMMARY_UPGRADE_DISCORD_STATUS"],
     },
 }
 with open(sys.argv[1], "w", encoding="utf-8") as handle:
@@ -691,6 +972,12 @@ run_fresh_main_lane() {
   FRESH_GATEWAY_STATUS="pass"
   phase_run "fresh.first-agent-turn" "$TIMEOUT_AGENT_S" verify_turn
   FRESH_AGENT_STATUS="pass"
+  if discord_smoke_enabled; then
+    FRESH_DISCORD_STATUS="fail"
+    phase_run "fresh.discord-config" "$TIMEOUT_GATEWAY_S" configure_discord_smoke
+    phase_run "fresh.discord-roundtrip" "$TIMEOUT_DISCORD_S" run_discord_roundtrip_smoke "fresh"
+    FRESH_DISCORD_STATUS="pass"
+  fi
 }
 
 run_upgrade_lane() {
@@ -718,6 +1005,12 @@ run_upgrade_lane() {
   UPGRADE_GATEWAY_STATUS="pass"
   phase_run "upgrade.first-agent-turn" "$TIMEOUT_AGENT_S" verify_turn
   UPGRADE_AGENT_STATUS="pass"
+  if discord_smoke_enabled; then
+    UPGRADE_DISCORD_STATUS="fail"
+    phase_run "upgrade.discord-config" "$TIMEOUT_GATEWAY_S" configure_discord_smoke
+    phase_run "upgrade.discord-roundtrip" "$TIMEOUT_DISCORD_S" run_discord_roundtrip_smoke "upgrade"
+    UPGRADE_DISCORD_STATUS="pass"
+  fi
 }
 
 FRESH_MAIN_STATUS="skip"
@@ -733,6 +1026,11 @@ say "VM: $VM_NAME"
 say "Snapshot hint: $SNAPSHOT_HINT"
 say "Latest npm version: $LATEST_VERSION"
 say "Current head: $(git rev-parse --short HEAD)"
+if discord_smoke_enabled; then
+  say "Discord smoke: guild=$DISCORD_GUILD_ID channel=$DISCORD_CHANNEL_ID"
+else
+  say "Discord smoke: disabled"
+fi
 say "Run logs: $RUN_DIR"
 
 pack_main_tgz
@@ -781,12 +1079,14 @@ SUMMARY_JSON_PATH="$(
   SUMMARY_FRESH_MAIN_VERSION="$FRESH_MAIN_VERSION" \
   SUMMARY_FRESH_GATEWAY_STATUS="$FRESH_GATEWAY_STATUS" \
   SUMMARY_FRESH_AGENT_STATUS="$FRESH_AGENT_STATUS" \
+  SUMMARY_FRESH_DISCORD_STATUS="$FRESH_DISCORD_STATUS" \
   SUMMARY_UPGRADE_PRECHECK_STATUS="$UPGRADE_PRECHECK_STATUS" \
   SUMMARY_UPGRADE_STATUS="$UPGRADE_STATUS" \
   SUMMARY_LATEST_INSTALLED_VERSION="$LATEST_INSTALLED_VERSION" \
   SUMMARY_UPGRADE_MAIN_VERSION="$UPGRADE_MAIN_VERSION" \
   SUMMARY_UPGRADE_GATEWAY_STATUS="$UPGRADE_GATEWAY_STATUS" \
   SUMMARY_UPGRADE_AGENT_STATUS="$UPGRADE_AGENT_STATUS" \
+  SUMMARY_UPGRADE_DISCORD_STATUS="$UPGRADE_DISCORD_STATUS" \
   write_summary_json
 )"
 
@@ -800,9 +1100,9 @@ else
   if [[ -n "$INSTALL_VERSION" ]]; then
     printf '  baseline-install-version: %s\n' "$INSTALL_VERSION"
   fi
-  printf '  fresh-main: %s (%s)\n' "$FRESH_MAIN_STATUS" "$FRESH_MAIN_VERSION"
+  printf '  fresh-main: %s (%s) discord=%s\n' "$FRESH_MAIN_STATUS" "$FRESH_MAIN_VERSION" "$FRESH_DISCORD_STATUS"
   printf '  latest->main precheck: %s (%s)\n' "$UPGRADE_PRECHECK_STATUS" "$LATEST_INSTALLED_VERSION"
-  printf '  latest->main: %s (%s)\n' "$UPGRADE_STATUS" "$UPGRADE_MAIN_VERSION"
+  printf '  latest->main: %s (%s) discord=%s\n' "$UPGRADE_STATUS" "$UPGRADE_MAIN_VERSION" "$UPGRADE_DISCORD_STATUS"
   printf '  logs: %s\n' "$RUN_DIR"
   printf '  summary: %s\n' "$SUMMARY_JSON_PATH"
 fi

From 74d0c39b3274f4312b7ed5829cd98fa35852fb76 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Mar 2026 00:40:32 -0700
Subject: [PATCH 104/133] refactor: move session lifecycle and outbound
 fallbacks into plugins

---
 .../reply/commands-session-lifecycle.test.ts  |  54 +++++---
 src/auto-reply/reply/commands-session.ts      |  37 ++---
 ...sessions.gateway-server-sessions-a.test.ts |  20 ++-
 src/gateway/session-reset-service.ts          |   5 +-
 src/infra/exec-approval-forwarder.ts          |  12 +-
 .../outbound/built-in-channel-adapters.ts     | 127 ------------------
 .../outbound/built-in-channel-messaging.ts    |  41 ------
 src/infra/outbound/channel-adapters.ts        |   5 +-
 src/infra/outbound/targets.test.ts            |   6 +-
 src/infra/outbound/targets.ts                 |   8 +-
 src/plugins/runtime/runtime-discord.ts        |  20 +++
 src/plugins/runtime/runtime-telegram.ts       |   8 ++
 src/plugins/runtime/types-channel.ts          |  14 ++
 13 files changed, 114 insertions(+), 243 deletions(-)
 delete mode 100644 src/infra/outbound/built-in-channel-adapters.ts
 delete mode 100644 src/infra/outbound/built-in-channel-messaging.ts

diff --git a/src/auto-reply/reply/commands-session-lifecycle.test.ts b/src/auto-reply/reply/commands-session-lifecycle.test.ts
index 92812abaae6..bb56ef82bd9 100644
--- a/src/auto-reply/reply/commands-session-lifecycle.test.ts
+++ b/src/auto-reply/reply/commands-session-lifecycle.test.ts
@@ -1,6 +1,9 @@
 import { beforeEach, describe, expect, it, vi } from "vitest";
+import { telegramPlugin } from "../../../extensions/telegram/src/channel.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import type { SessionBindingRecord } from "../../infra/outbound/session-binding-service.js";
+import { setActivePluginRegistry } from "../../plugins/runtime.js";
+import { createTestRegistry } from "../../test-utils/channel-plugins.js";
 
 const hoisted = vi.hoisted(() => {
   const getThreadBindingManagerMock = vi.fn();
@@ -19,28 +22,34 @@ const hoisted = vi.hoisted(() => {
   };
 });
 
-vi.mock("../../../extensions/discord/src/monitor/thread-bindings.js", async (importOriginal) => {
-  const actual =
-    await importOriginal<
-      typeof import("../../../extensions/discord/src/monitor/thread-bindings.js")
-    >();
+vi.mock("../../plugins/runtime/index.js", async () => {
+  const discordThreadBindings = await vi.importActual<
+    typeof import("../../../extensions/discord/src/monitor/thread-bindings.js")
+  >("../../../extensions/discord/src/monitor/thread-bindings.js");
   return {
-    ...actual,
-    getThreadBindingManager: hoisted.getThreadBindingManagerMock,
-    setThreadBindingIdleTimeoutBySessionKey: hoisted.setThreadBindingIdleTimeoutBySessionKeyMock,
-    setThreadBindingMaxAgeBySessionKey: hoisted.setThreadBindingMaxAgeBySessionKeyMock,
-  };
-});
-
-vi.mock("../../../extensions/telegram/src/thread-bindings.js", async (importOriginal) => {
-  const actual =
-    await importOriginal<typeof import("../../../extensions/telegram/src/thread-bindings.js")>();
-  return {
-    ...actual,
-    setTelegramThreadBindingIdleTimeoutBySessionKey:
-      hoisted.setTelegramThreadBindingIdleTimeoutBySessionKeyMock,
-    setTelegramThreadBindingMaxAgeBySessionKey:
-      hoisted.setTelegramThreadBindingMaxAgeBySessionKeyMock,
+    createPluginRuntime: () => ({
+      channel: {
+        discord: {
+          threadBindings: {
+            getManager: hoisted.getThreadBindingManagerMock,
+            resolveIdleTimeoutMs: discordThreadBindings.resolveThreadBindingIdleTimeoutMs,
+            resolveInactivityExpiresAt:
+              discordThreadBindings.resolveThreadBindingInactivityExpiresAt,
+            resolveMaxAgeMs: discordThreadBindings.resolveThreadBindingMaxAgeMs,
+            resolveMaxAgeExpiresAt: discordThreadBindings.resolveThreadBindingMaxAgeExpiresAt,
+            setIdleTimeoutBySessionKey: hoisted.setThreadBindingIdleTimeoutBySessionKeyMock,
+            setMaxAgeBySessionKey: hoisted.setThreadBindingMaxAgeBySessionKeyMock,
+            unbindBySessionKey: vi.fn(),
+          },
+        },
+        telegram: {
+          threadBindings: {
+            setIdleTimeoutBySessionKey: hoisted.setTelegramThreadBindingIdleTimeoutBySessionKeyMock,
+            setMaxAgeBySessionKey: hoisted.setTelegramThreadBindingMaxAgeBySessionKeyMock,
+          },
+        },
+      },
+    }),
   };
 });
 
@@ -168,6 +177,9 @@ function createFakeThreadBindingManager(binding: FakeBinding | null) {
 
 describe("/session idle and /session max-age", () => {
   beforeEach(() => {
+    setActivePluginRegistry(
+      createTestRegistry([{ pluginId: "telegram", source: "test", plugin: telegramPlugin }]),
+    );
     hoisted.getThreadBindingManagerMock.mockReset();
     hoisted.setThreadBindingIdleTimeoutBySessionKeyMock.mockReset();
     hoisted.setThreadBindingMaxAgeBySessionKeyMock.mockReset();
diff --git a/src/auto-reply/reply/commands-session.ts b/src/auto-reply/reply/commands-session.ts
index b04d5112345..07f984eb92e 100644
--- a/src/auto-reply/reply/commands-session.ts
+++ b/src/auto-reply/reply/commands-session.ts
@@ -1,18 +1,5 @@
-import {
-  formatThreadBindingDurationLabel,
-  getThreadBindingManager,
-  resolveThreadBindingIdleTimeoutMs,
-  resolveThreadBindingInactivityExpiresAt,
-  resolveThreadBindingMaxAgeExpiresAt,
-  resolveThreadBindingMaxAgeMs,
-  setThreadBindingIdleTimeoutBySessionKey,
-  setThreadBindingMaxAgeBySessionKey,
-} from "../../../extensions/discord/src/monitor/thread-bindings.js";
-import {
-  setTelegramThreadBindingIdleTimeoutBySessionKey,
-  setTelegramThreadBindingMaxAgeBySessionKey,
-} from "../../../extensions/telegram/src/thread-bindings.js";
 import { resolveFastModeState } from "../../agents/fast-mode.js";
+import { formatThreadBindingDurationLabel } from "../../channels/thread-bindings-messages.js";
 import { parseDurationMs } from "../../cli/parse-duration.js";
 import { isRestartEnabled } from "../../config/commands.js";
 import { logVerbose } from "../../globals.js";
@@ -20,6 +7,7 @@ import { getSessionBindingService } from "../../infra/outbound/session-binding-s
 import type { SessionBindingRecord } from "../../infra/outbound/session-binding-service.js";
 import { scheduleGatewaySigusr1Restart, triggerOpenClawRestart } from "../../infra/restart.js";
 import { loadCostUsageSummary, loadSessionCostSummary } from "../../infra/session-cost-usage.js";
+import { createPluginRuntime } from "../../plugins/runtime/index.js";
 import { formatTokenCount, formatUsd } from "../../utils/usage-format.js";
 import { parseActivationCommand } from "../group-activation.js";
 import { parseSendPolicyCommand } from "../send-policy.js";
@@ -34,6 +22,7 @@ const SESSION_COMMAND_PREFIX = "/session";
 const SESSION_DURATION_OFF_VALUES = new Set(["off", "disable", "disabled", "none", "0"]);
 const SESSION_ACTION_IDLE = "idle";
 const SESSION_ACTION_MAX_AGE = "max-age";
+const channelRuntime = createPluginRuntime().channel;
 
 function resolveSessionCommandUsage() {
   return "Usage: /session idle <duration|off> | /session max-age <duration|off> (example: /session idle 24h)";
@@ -385,7 +374,9 @@ export const handleSessionCommand: CommandHandler = async (params, allowTextComm
     params.ctx.MessageThreadId != null ? String(params.ctx.MessageThreadId).trim() : "";
   const telegramConversationId = onTelegram ? resolveTelegramConversationId(params) : undefined;
 
-  const discordManager = onDiscord ? getThreadBindingManager(accountId) : null;
+  const discordManager = onDiscord
+    ? channelRuntime.discord.threadBindings.getManager(accountId)
+    : null;
   if (onDiscord && !discordManager) {
     return {
       shouldContinue: false,
@@ -433,13 +424,13 @@ export const handleSessionCommand: CommandHandler = async (params, allowTextComm
   }
 
   const idleTimeoutMs = onDiscord
-    ? resolveThreadBindingIdleTimeoutMs({
+    ? channelRuntime.discord.threadBindings.resolveIdleTimeoutMs({
         record: discordBinding!,
         defaultIdleTimeoutMs: discordManager!.getIdleTimeoutMs(),
       })
     : resolveTelegramBindingDurationMs(telegramBinding!, "idleTimeoutMs", 24 * 60 * 60 * 1000);
   const idleExpiresAt = onDiscord
-    ? resolveThreadBindingInactivityExpiresAt({
+    ? channelRuntime.discord.threadBindings.resolveInactivityExpiresAt({
         record: discordBinding!,
         defaultIdleTimeoutMs: discordManager!.getIdleTimeoutMs(),
       })
@@ -447,13 +438,13 @@ export const handleSessionCommand: CommandHandler = async (params, allowTextComm
       ? resolveTelegramBindingLastActivityAt(telegramBinding!) + idleTimeoutMs
       : undefined;
   const maxAgeMs = onDiscord
-    ? resolveThreadBindingMaxAgeMs({
+    ? channelRuntime.discord.threadBindings.resolveMaxAgeMs({
         record: discordBinding!,
         defaultMaxAgeMs: discordManager!.getMaxAgeMs(),
       })
     : resolveTelegramBindingDurationMs(telegramBinding!, "maxAgeMs", 0);
   const maxAgeExpiresAt = onDiscord
-    ? resolveThreadBindingMaxAgeExpiresAt({
+    ? channelRuntime.discord.threadBindings.resolveMaxAgeExpiresAt({
         record: discordBinding!,
         defaultMaxAgeMs: discordManager!.getMaxAgeMs(),
       })
@@ -528,24 +519,24 @@ export const handleSessionCommand: CommandHandler = async (params, allowTextComm
   const updatedBindings = (() => {
     if (onDiscord) {
       return action === SESSION_ACTION_IDLE
-        ? setThreadBindingIdleTimeoutBySessionKey({
+        ? channelRuntime.discord.threadBindings.setIdleTimeoutBySessionKey({
             targetSessionKey: discordBinding!.targetSessionKey,
             accountId,
             idleTimeoutMs: durationMs,
           })
-        : setThreadBindingMaxAgeBySessionKey({
+        : channelRuntime.discord.threadBindings.setMaxAgeBySessionKey({
             targetSessionKey: discordBinding!.targetSessionKey,
             accountId,
             maxAgeMs: durationMs,
           });
     }
     return action === SESSION_ACTION_IDLE
-      ? setTelegramThreadBindingIdleTimeoutBySessionKey({
+      ? channelRuntime.telegram.threadBindings.setIdleTimeoutBySessionKey({
           targetSessionKey: telegramBinding!.targetSessionKey,
           accountId,
           idleTimeoutMs: durationMs,
         })
-      : setTelegramThreadBindingMaxAgeBySessionKey({
+      : channelRuntime.telegram.threadBindings.setMaxAgeBySessionKey({
           targetSessionKey: telegramBinding!.targetSessionKey,
           accountId,
           maxAgeMs: durationMs,
diff --git a/src/gateway/server.sessions.gateway-server-sessions-a.test.ts b/src/gateway/server.sessions.gateway-server-sessions-a.test.ts
index fdce44e33f4..903a52592a3 100644
--- a/src/gateway/server.sessions.gateway-server-sessions-a.test.ts
+++ b/src/gateway/server.sessions.gateway-server-sessions-a.test.ts
@@ -102,15 +102,21 @@ vi.mock("../plugins/hook-runner-global.js", async (importOriginal) => {
   };
 });
 
-vi.mock("../../extensions/discord/src/monitor/thread-bindings.js", async (importOriginal) => {
-  const actual =
-    await importOriginal<
-      typeof import("../../extensions/discord/src/monitor/thread-bindings.js")
-    >();
+vi.mock("../plugins/runtime/runtime-discord.js", async (importOriginal) => {
+  const actual = await importOriginal<typeof import("../plugins/runtime/runtime-discord.js")>();
   return {
     ...actual,
-    unbindThreadBindingsBySessionKey: (params: unknown) =>
-      threadBindingMocks.unbindThreadBindingsBySessionKey(params),
+    createRuntimeDiscord: () => {
+      const runtime = actual.createRuntimeDiscord();
+      return {
+        ...runtime,
+        threadBindings: {
+          ...runtime.threadBindings,
+          unbindBySessionKey: (params: unknown) =>
+            threadBindingMocks.unbindThreadBindingsBySessionKey(params),
+        },
+      };
+    },
   };
 });
 
diff --git a/src/gateway/session-reset-service.ts b/src/gateway/session-reset-service.ts
index b07bf0095dd..d662d60841b 100644
--- a/src/gateway/session-reset-service.ts
+++ b/src/gateway/session-reset-service.ts
@@ -1,5 +1,4 @@
 import { randomUUID } from "node:crypto";
-import { unbindThreadBindingsBySessionKey } from "../../extensions/discord/src/monitor/thread-bindings.js";
 import { getAcpSessionManager } from "../acp/control-plane/manager.js";
 import { resolveDefaultAgentId } from "../agents/agent-scope.js";
 import { clearBootstrapSnapshot } from "../agents/bootstrap-cache.js";
@@ -16,6 +15,7 @@ import {
 import { logVerbose } from "../globals.js";
 import { createInternalHookEvent, triggerInternalHook } from "../hooks/internal-hooks.js";
 import { getGlobalHookRunner } from "../plugins/hook-runner-global.js";
+import { createPluginRuntime } from "../plugins/runtime/index.js";
 import {
   isSubagentSessionKey,
   normalizeAgentId,
@@ -31,6 +31,7 @@ import {
 } from "./session-utils.js";
 
 const ACP_RUNTIME_CLEANUP_TIMEOUT_MS = 15_000;
+const channelRuntime = createPluginRuntime().channel;
 
 function stripRuntimeModelState(entry?: SessionEntry): SessionEntry | undefined {
   if (!entry) {
@@ -70,7 +71,7 @@ export async function emitSessionUnboundLifecycleEvent(params: {
   emitHooks?: boolean;
 }) {
   const targetKind = isSubagentSessionKey(params.targetSessionKey) ? "subagent" : "acp";
-  unbindThreadBindingsBySessionKey({
+  channelRuntime.discord.threadBindings.unbindBySessionKey({
     targetSessionKey: params.targetSessionKey,
     targetKind,
     reason: params.reason,
diff --git a/src/infra/exec-approval-forwarder.ts b/src/infra/exec-approval-forwarder.ts
index eba329f57ff..93a53d445c7 100644
--- a/src/infra/exec-approval-forwarder.ts
+++ b/src/infra/exec-approval-forwarder.ts
@@ -22,7 +22,6 @@ import type {
   ExecApprovalRequest,
   ExecApprovalResolved,
 } from "./exec-approvals.js";
-import { resolveBuiltInExecApprovalAdapter } from "./outbound/built-in-channel-adapters.js";
 import { deliverOutboundPayloads } from "./outbound/deliver.js";
 
 const log = createSubsystemLogger("gateway/exec-approvals");
@@ -119,8 +118,7 @@ function shouldSkipForwardingFallback(params: {
   if (!channel) {
     return false;
   }
-  const adapter =
-    getChannelPlugin(channel)?.execApprovals ?? resolveBuiltInExecApprovalAdapter(channel);
+  const adapter = getChannelPlugin(channel)?.execApprovals;
   return (
     adapter?.shouldSuppressForwardingFallback?.({
       cfg: params.cfg,
@@ -278,9 +276,7 @@ function buildRequestPayloadForTarget(
 ): ReplyPayload {
   const channel = normalizeMessageChannel(target.channel) ?? target.channel;
   const pluginPayload = channel
-    ? (
-        getChannelPlugin(channel)?.execApprovals ?? resolveBuiltInExecApprovalAdapter(channel)
-      )?.buildPendingPayload?.({
+    ? getChannelPlugin(channel)?.execApprovals?.buildPendingPayload?.({
         cfg,
         request,
         target,
@@ -415,9 +411,7 @@ export function createExecApprovalForwarder(
         if (!channel) {
           return;
         }
-        await (
-          getChannelPlugin(channel)?.execApprovals ?? resolveBuiltInExecApprovalAdapter(channel)
-        )?.beforeDeliverPending?.({
+        await getChannelPlugin(channel)?.execApprovals?.beforeDeliverPending?.({
           cfg,
           target,
           payload,
diff --git a/src/infra/outbound/built-in-channel-adapters.ts b/src/infra/outbound/built-in-channel-adapters.ts
deleted file mode 100644
index 335457dc48c..00000000000
--- a/src/infra/outbound/built-in-channel-adapters.ts
+++ /dev/null
@@ -1,127 +0,0 @@
-import { Separator, TextDisplay } from "@buape/carbon";
-import {
-  listDiscordAccountIds,
-  resolveDiscordAccount,
-} from "../../../extensions/discord/src/accounts.js";
-import { isDiscordExecApprovalClientEnabled } from "../../../extensions/discord/src/exec-approvals.js";
-import { DiscordUiContainer } from "../../../extensions/discord/src/ui.js";
-import { listTelegramAccountIds } from "../../../extensions/telegram/src/accounts.js";
-import { buildTelegramExecApprovalButtons } from "../../../extensions/telegram/src/approval-buttons.js";
-import {
-  isTelegramExecApprovalClientEnabled,
-  resolveTelegramExecApprovalTarget,
-} from "../../../extensions/telegram/src/exec-approvals.js";
-import type { ChannelExecApprovalAdapter } from "../../channels/plugins/types.adapters.js";
-import type { ChannelCrossContextComponentsFactory } from "../../channels/plugins/types.core.js";
-import type { ChannelId } from "../../channels/plugins/types.js";
-import type { OpenClawConfig } from "../../config/config.js";
-import { normalizeMessageChannel } from "../../utils/message-channel.js";
-import { resolveExecApprovalCommandDisplay } from "../exec-approval-command-display.js";
-import { buildExecApprovalPendingReplyPayload } from "../exec-approval-reply.js";
-
-const BUILT_IN_DISCORD_CROSS_CONTEXT_COMPONENTS: ChannelCrossContextComponentsFactory = (
-  params,
-) => {
-  const trimmed = params.message.trim();
-  const components: Array<TextDisplay | Separator> = [];
-  if (trimmed) {
-    components.push(new TextDisplay(params.message));
-    components.push(new Separator({ divider: true, spacing: "small" }));
-  }
-  components.push(new TextDisplay(`*From ${params.originLabel}*`));
-  return [new DiscordUiContainer({ cfg: params.cfg, accountId: params.accountId, components })];
-};
-
-function hasDiscordExecApprovalDmRoute(cfg: OpenClawConfig): boolean {
-  return listDiscordAccountIds(cfg).some((accountId) => {
-    const execApprovals = resolveDiscordAccount({ cfg, accountId }).config.execApprovals;
-    if (!execApprovals?.enabled || (execApprovals.approvers?.length ?? 0) === 0) {
-      return false;
-    }
-    const target = execApprovals.target ?? "dm";
-    return target === "dm" || target === "both";
-  });
-}
-
-function hasTelegramExecApprovalDmRoute(cfg: OpenClawConfig): boolean {
-  return listTelegramAccountIds(cfg).some((accountId) => {
-    if (!isTelegramExecApprovalClientEnabled({ cfg, accountId })) {
-      return false;
-    }
-    const target = resolveTelegramExecApprovalTarget({ cfg, accountId });
-    return target === "dm" || target === "both";
-  });
-}
-
-const BUILT_IN_DISCORD_EXEC_APPROVALS: ChannelExecApprovalAdapter = {
-  getInitiatingSurfaceState: ({ cfg, accountId }) =>
-    isDiscordExecApprovalClientEnabled({ cfg, accountId })
-      ? { kind: "enabled" }
-      : { kind: "disabled" },
-  hasConfiguredDmRoute: ({ cfg }) => hasDiscordExecApprovalDmRoute(cfg),
-  shouldSuppressForwardingFallback: ({ cfg, target }) =>
-    (normalizeMessageChannel(target.channel) ?? target.channel) === "discord" &&
-    isDiscordExecApprovalClientEnabled({ cfg, accountId: target.accountId }),
-};
-
-const BUILT_IN_TELEGRAM_EXEC_APPROVALS: ChannelExecApprovalAdapter = {
-  getInitiatingSurfaceState: ({ cfg, accountId }) =>
-    isTelegramExecApprovalClientEnabled({ cfg, accountId })
-      ? { kind: "enabled" }
-      : { kind: "disabled" },
-  hasConfiguredDmRoute: ({ cfg }) => hasTelegramExecApprovalDmRoute(cfg),
-  shouldSuppressForwardingFallback: ({ cfg, target, request }) => {
-    const channel = normalizeMessageChannel(target.channel) ?? target.channel;
-    if (channel !== "telegram") {
-      return false;
-    }
-    const requestChannel = normalizeMessageChannel(request.request.turnSourceChannel ?? "");
-    if (requestChannel !== "telegram") {
-      return false;
-    }
-    const accountId = target.accountId?.trim() || request.request.turnSourceAccountId?.trim();
-    return isTelegramExecApprovalClientEnabled({ cfg, accountId });
-  },
-  buildPendingPayload: ({ request, nowMs }) => {
-    const payload = buildExecApprovalPendingReplyPayload({
-      approvalId: request.id,
-      approvalSlug: request.id.slice(0, 8),
-      approvalCommandId: request.id,
-      command: resolveExecApprovalCommandDisplay(request.request).commandText,
-      cwd: request.request.cwd ?? undefined,
-      host: request.request.host === "node" ? "node" : "gateway",
-      nodeId: request.request.nodeId ?? undefined,
-      expiresAtMs: request.expiresAtMs,
-      nowMs,
-    });
-    const buttons = buildTelegramExecApprovalButtons(request.id);
-    if (!buttons) {
-      return payload;
-    }
-    return {
-      ...payload,
-      channelData: {
-        ...payload.channelData,
-        telegram: { buttons },
-      },
-    };
-  },
-};
-
-export function resolveBuiltInCrossContextComponentsFactory(
-  channel: ChannelId,
-): ChannelCrossContextComponentsFactory | undefined {
-  return channel === "discord" ? BUILT_IN_DISCORD_CROSS_CONTEXT_COMPONENTS : undefined;
-}
-
-export function resolveBuiltInExecApprovalAdapter(
-  channel: ChannelId,
-): ChannelExecApprovalAdapter | undefined {
-  if (channel === "discord") {
-    return BUILT_IN_DISCORD_EXEC_APPROVALS;
-  }
-  if (channel === "telegram") {
-    return BUILT_IN_TELEGRAM_EXEC_APPROVALS;
-  }
-  return undefined;
-}
diff --git a/src/infra/outbound/built-in-channel-messaging.ts b/src/infra/outbound/built-in-channel-messaging.ts
deleted file mode 100644
index b06b6c41bc3..00000000000
--- a/src/infra/outbound/built-in-channel-messaging.ts
+++ /dev/null
@@ -1,41 +0,0 @@
-import { parseTelegramTarget } from "../../../extensions/telegram/src/targets.js";
-import type { ChatType } from "../../channels/chat-type.js";
-import type { ChannelId } from "../../channels/plugins/types.js";
-import { isWhatsAppGroupJid, normalizeWhatsAppTarget } from "../../whatsapp/normalize.js";
-
-export type BuiltInExplicitTarget = {
-  to: string;
-  threadId?: string | number;
-  chatType?: ChatType;
-};
-
-export function resolveBuiltInExplicitTarget(
-  channel: ChannelId,
-  raw: string,
-): BuiltInExplicitTarget | null {
-  if (channel === "telegram") {
-    const target = parseTelegramTarget(raw);
-    return {
-      to: target.chatId,
-      threadId: target.messageThreadId,
-      chatType: target.chatType === "unknown" ? undefined : target.chatType,
-    };
-  }
-
-  if (channel === "whatsapp") {
-    const normalized = normalizeWhatsAppTarget(raw);
-    if (!normalized) {
-      return null;
-    }
-    return {
-      to: normalized,
-      chatType: isWhatsAppGroupJid(normalized) ? "group" : "direct",
-    };
-  }
-
-  return null;
-}
-
-export function resolveBuiltInTargetChatType(channel: ChannelId, to: string): ChatType | undefined {
-  return resolveBuiltInExplicitTarget(channel, to)?.chatType;
-}
diff --git a/src/infra/outbound/channel-adapters.ts b/src/infra/outbound/channel-adapters.ts
index 4f541bf0f84..0c752854e8d 100644
--- a/src/infra/outbound/channel-adapters.ts
+++ b/src/infra/outbound/channel-adapters.ts
@@ -2,7 +2,6 @@ import type { TopLevelComponents } from "@buape/carbon";
 import { getChannelPlugin } from "../../channels/plugins/index.js";
 import type { ChannelId } from "../../channels/plugins/types.js";
 import type { OpenClawConfig } from "../../config/config.js";
-import { resolveBuiltInCrossContextComponentsFactory } from "./built-in-channel-adapters.js";
 
 export type CrossContextComponentsBuilder = (message: string) => TopLevelComponents[];
 
@@ -23,9 +22,7 @@ const DEFAULT_ADAPTER: ChannelMessageAdapter = {
 };
 
 export function getChannelMessageAdapter(channel: ChannelId): ChannelMessageAdapter {
-  const adapter =
-    getChannelPlugin(channel)?.messaging?.buildCrossContextComponents ??
-    resolveBuiltInCrossContextComponentsFactory(channel);
+  const adapter = getChannelPlugin(channel)?.messaging?.buildCrossContextComponents;
   if (adapter) {
     return {
       supportsComponentsV2: true,
diff --git a/src/infra/outbound/targets.test.ts b/src/infra/outbound/targets.test.ts
index cfe8d06bd25..2ac707a804d 100644
--- a/src/infra/outbound/targets.test.ts
+++ b/src/infra/outbound/targets.test.ts
@@ -387,7 +387,7 @@ describe("resolveSessionDeliveryTarget", () => {
     expect(resolved.threadId).toBeUndefined();
   });
 
-  it("keeps :topic: parsing when the telegram plugin registry is unavailable", () => {
+  it("keeps raw :topic: targets when the telegram plugin registry is unavailable", () => {
     setActivePluginRegistry(createTestRegistry([]));
 
     const resolved = resolveSessionDeliveryTarget({
@@ -401,8 +401,8 @@ describe("resolveSessionDeliveryTarget", () => {
       explicitTo: "63448508:topic:1008013",
     });
 
-    expect(resolved.to).toBe("63448508");
-    expect(resolved.threadId).toBe(1008013);
+    expect(resolved.to).toBe("63448508:topic:1008013");
+    expect(resolved.threadId).toBeUndefined();
   });
 
   it("explicitThreadId takes priority over :topic: parsed value", () => {
diff --git a/src/infra/outbound/targets.ts b/src/infra/outbound/targets.ts
index 313db3cf636..b15dfb881b2 100644
--- a/src/infra/outbound/targets.ts
+++ b/src/infra/outbound/targets.ts
@@ -16,10 +16,6 @@ import {
   isDeliverableMessageChannel,
   normalizeMessageChannel,
 } from "../../utils/message-channel.js";
-import {
-  resolveBuiltInExplicitTarget,
-  resolveBuiltInTargetChatType,
-} from "./built-in-channel-messaging.js";
 import {
   normalizeDeliverableOutboundChannel,
   resolveOutboundChannelPlugin,
@@ -78,7 +74,7 @@ function parseExplicitTargetWithPlugin(params: {
   return (
     resolveOutboundChannelPlugin({ channel: provider })?.messaging?.parseExplicitTarget?.({
       raw,
-    }) ?? resolveBuiltInExplicitTarget(provider, raw)
+    }) ?? null
   );
 }
 
@@ -422,7 +418,7 @@ function inferChatTypeFromTarget(params: {
   return (
     resolveOutboundChannelPlugin({
       channel: params.channel,
-    })?.messaging?.inferTargetChatType?.({ to }) ?? resolveBuiltInTargetChatType(params.channel, to)
+    })?.messaging?.inferTargetChatType?.({ to }) ?? undefined
   );
 }
 
diff --git a/src/plugins/runtime/runtime-discord.ts b/src/plugins/runtime/runtime-discord.ts
index 6f827f27504..1ca7b32bf9b 100644
--- a/src/plugins/runtime/runtime-discord.ts
+++ b/src/plugins/runtime/runtime-discord.ts
@@ -4,6 +4,16 @@ import {
   listDiscordDirectoryPeersLive,
 } from "../../../extensions/discord/src/directory-live.js";
 import { monitorDiscordProvider } from "../../../extensions/discord/src/monitor.js";
+import {
+  getThreadBindingManager,
+  resolveThreadBindingIdleTimeoutMs,
+  resolveThreadBindingInactivityExpiresAt,
+  resolveThreadBindingMaxAgeExpiresAt,
+  resolveThreadBindingMaxAgeMs,
+  setThreadBindingIdleTimeoutBySessionKey,
+  setThreadBindingMaxAgeBySessionKey,
+  unbindThreadBindingsBySessionKey,
+} from "../../../extensions/discord/src/monitor/thread-bindings.js";
 import { probeDiscord } from "../../../extensions/discord/src/probe.js";
 import { resolveDiscordChannelAllowlist } from "../../../extensions/discord/src/resolve-channels.js";
 import { resolveDiscordUserAllowlist } from "../../../extensions/discord/src/resolve-users.js";
@@ -36,6 +46,16 @@ export function createRuntimeDiscord(): PluginRuntimeChannel["discord"] {
     sendMessageDiscord,
     sendPollDiscord,
     monitorDiscordProvider,
+    threadBindings: {
+      getManager: getThreadBindingManager,
+      resolveIdleTimeoutMs: resolveThreadBindingIdleTimeoutMs,
+      resolveInactivityExpiresAt: resolveThreadBindingInactivityExpiresAt,
+      resolveMaxAgeMs: resolveThreadBindingMaxAgeMs,
+      resolveMaxAgeExpiresAt: resolveThreadBindingMaxAgeExpiresAt,
+      setIdleTimeoutBySessionKey: setThreadBindingIdleTimeoutBySessionKey,
+      setMaxAgeBySessionKey: setThreadBindingMaxAgeBySessionKey,
+      unbindBySessionKey: unbindThreadBindingsBySessionKey,
+    },
     typing: {
       pulse: sendTypingDiscord,
       start: async ({ channelId, accountId, cfg, intervalMs }) =>
diff --git a/src/plugins/runtime/runtime-telegram.ts b/src/plugins/runtime/runtime-telegram.ts
index 864761480ff..1e6993ef489 100644
--- a/src/plugins/runtime/runtime-telegram.ts
+++ b/src/plugins/runtime/runtime-telegram.ts
@@ -15,6 +15,10 @@ import {
   sendTypingTelegram,
   unpinMessageTelegram,
 } from "../../../extensions/telegram/src/send.js";
+import {
+  setTelegramThreadBindingIdleTimeoutBySessionKey,
+  setTelegramThreadBindingMaxAgeBySessionKey,
+} from "../../../extensions/telegram/src/thread-bindings.js";
 import { resolveTelegramToken } from "../../../extensions/telegram/src/token.js";
 import { telegramMessageActions } from "../../channels/plugins/actions/telegram.js";
 import { createTelegramTypingLease } from "./runtime-telegram-typing.js";
@@ -30,6 +34,10 @@ export function createRuntimeTelegram(): PluginRuntimeChannel["telegram"] {
     sendPollTelegram,
     monitorTelegramProvider,
     messageActions: telegramMessageActions,
+    threadBindings: {
+      setIdleTimeoutBySessionKey: setTelegramThreadBindingIdleTimeoutBySessionKey,
+      setMaxAgeBySessionKey: setTelegramThreadBindingMaxAgeBySessionKey,
+    },
     typing: {
       pulse: sendTypingTelegram,
       start: async ({ to, accountId, cfg, intervalMs, messageThreadId }) =>
diff --git a/src/plugins/runtime/types-channel.ts b/src/plugins/runtime/types-channel.ts
index f2e775b7275..b0b5941f24d 100644
--- a/src/plugins/runtime/types-channel.ts
+++ b/src/plugins/runtime/types-channel.ts
@@ -98,6 +98,16 @@ export type PluginRuntimeChannel = {
     sendMessageDiscord: typeof import("../../../extensions/discord/src/send.js").sendMessageDiscord;
     sendPollDiscord: typeof import("../../../extensions/discord/src/send.js").sendPollDiscord;
     monitorDiscordProvider: typeof import("../../../extensions/discord/src/monitor.js").monitorDiscordProvider;
+    threadBindings: {
+      getManager: typeof import("../../../extensions/discord/src/monitor/thread-bindings.js").getThreadBindingManager;
+      resolveIdleTimeoutMs: typeof import("../../../extensions/discord/src/monitor/thread-bindings.js").resolveThreadBindingIdleTimeoutMs;
+      resolveInactivityExpiresAt: typeof import("../../../extensions/discord/src/monitor/thread-bindings.js").resolveThreadBindingInactivityExpiresAt;
+      resolveMaxAgeMs: typeof import("../../../extensions/discord/src/monitor/thread-bindings.js").resolveThreadBindingMaxAgeMs;
+      resolveMaxAgeExpiresAt: typeof import("../../../extensions/discord/src/monitor/thread-bindings.js").resolveThreadBindingMaxAgeExpiresAt;
+      setIdleTimeoutBySessionKey: typeof import("../../../extensions/discord/src/monitor/thread-bindings.js").setThreadBindingIdleTimeoutBySessionKey;
+      setMaxAgeBySessionKey: typeof import("../../../extensions/discord/src/monitor/thread-bindings.js").setThreadBindingMaxAgeBySessionKey;
+      unbindBySessionKey: typeof import("../../../extensions/discord/src/monitor/thread-bindings.js").unbindThreadBindingsBySessionKey;
+    };
     typing: {
       pulse: typeof import("../../../extensions/discord/src/send.js").sendTypingDiscord;
       start: (params: {
@@ -138,6 +148,10 @@ export type PluginRuntimeChannel = {
     sendPollTelegram: typeof import("../../../extensions/telegram/src/send.js").sendPollTelegram;
     monitorTelegramProvider: typeof import("../../../extensions/telegram/src/monitor.js").monitorTelegramProvider;
     messageActions: typeof import("../../channels/plugins/actions/telegram.js").telegramMessageActions;
+    threadBindings: {
+      setIdleTimeoutBySessionKey: typeof import("../../../extensions/telegram/src/thread-bindings.js").setTelegramThreadBindingIdleTimeoutBySessionKey;
+      setMaxAgeBySessionKey: typeof import("../../../extensions/telegram/src/thread-bindings.js").setTelegramThreadBindingMaxAgeBySessionKey;
+    };
     typing: {
       pulse: typeof import("../../../extensions/telegram/src/send.js").sendTypingTelegram;
       start: (params: {

From 8fe08df2eb327f0b156562aa2ff716cb487cfd06 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Mar 2026 00:40:58 -0700
Subject: [PATCH 105/133] refactor(plugins): derive compat provider ids from
 manifests

---
 extensions/discord/src/channel.ts             |  5 --
 extensions/imessage/src/channel.ts            |  1 -
 extensions/signal/src/channel.ts              |  2 +-
 extensions/slack/src/channel.ts               |  2 +-
 extensions/telegram/src/channel.ts            |  2 +-
 ...-no-monolithic-plugin-sdk-entry-imports.ts | 42 +++++++++---
 src/plugins/providers.test.ts                 | 26 +++++++-
 src/plugins/providers.ts                      | 65 +++++++++----------
 8 files changed, 88 insertions(+), 57 deletions(-)

diff --git a/extensions/discord/src/channel.ts b/extensions/discord/src/channel.ts
index 0b6063bf52d..13b5d9bb6e8 100644
--- a/extensions/discord/src/channel.ts
+++ b/extensions/discord/src/channel.ts
@@ -36,11 +36,6 @@ import {
   type OpenClawConfig,
   type ResolvedDiscordAccount,
 } from "openclaw/plugin-sdk/discord";
-import {
-  buildAgentSessionKey,
-  resolveThreadSessionKeys,
-  type RoutePeer,
-} from "openclaw/plugin-sdk/routing";
 import { resolveOutboundSendDep } from "../../../src/infra/outbound/send-deps.js";
 import { normalizeMessageChannel } from "../../../src/utils/message-channel.js";
 import {
diff --git a/extensions/imessage/src/channel.ts b/extensions/imessage/src/channel.ts
index 0fd5ca12546..71526f20564 100644
--- a/extensions/imessage/src/channel.ts
+++ b/extensions/imessage/src/channel.ts
@@ -26,7 +26,6 @@ import {
   type ChannelPlugin,
   type ResolvedIMessageAccount,
 } from "openclaw/plugin-sdk/imessage";
-import { buildAgentSessionKey, type RoutePeer } from "openclaw/plugin-sdk/routing";
 import { resolveOutboundSendDep } from "../../../src/infra/outbound/send-deps.js";
 import { buildPassiveProbedChannelStatusSummary } from "../../shared/channel-status-summary.js";
 import { getIMessageRuntime } from "./runtime.js";
diff --git a/extensions/signal/src/channel.ts b/extensions/signal/src/channel.ts
index a38db8b60d5..bb65502e017 100644
--- a/extensions/signal/src/channel.ts
+++ b/extensions/signal/src/channel.ts
@@ -4,7 +4,7 @@ import {
   createScopedAccountConfigAccessors,
   collectAllowlistProviderRestrictSendersWarnings,
 } from "openclaw/plugin-sdk/compat";
-import { buildAgentSessionKey, type RoutePeer } from "openclaw/plugin-sdk/routing";
+import { buildAgentSessionKey, type RoutePeer } from "openclaw/plugin-sdk/core";
 import {
   buildBaseAccountStatusSnapshot,
   buildBaseChannelStatusSummary,
diff --git a/extensions/slack/src/channel.ts b/extensions/slack/src/channel.ts
index 592ce5a6331..3b0e347ba24 100644
--- a/extensions/slack/src/channel.ts
+++ b/extensions/slack/src/channel.ts
@@ -11,7 +11,7 @@ import {
   buildAgentSessionKey,
   resolveThreadSessionKeys,
   type RoutePeer,
-} from "openclaw/plugin-sdk/routing";
+} from "openclaw/plugin-sdk/core";
 import {
   buildComputedAccountStatusSnapshot,
   buildChannelConfigSchema,
diff --git a/extensions/telegram/src/channel.ts b/extensions/telegram/src/channel.ts
index 0b7da81d561..37915fa07df 100644
--- a/extensions/telegram/src/channel.ts
+++ b/extensions/telegram/src/channel.ts
@@ -11,7 +11,7 @@ import {
   buildAgentSessionKey,
   resolveThreadSessionKeys,
   type RoutePeer,
-} from "openclaw/plugin-sdk/routing";
+} from "openclaw/plugin-sdk/core";
 import {
   buildChannelConfigSchema,
   buildTokenChannelStatusSummary,
diff --git a/scripts/check-no-monolithic-plugin-sdk-entry-imports.ts b/scripts/check-no-monolithic-plugin-sdk-entry-imports.ts
index 01a2eb38c75..dacf30b5623 100644
--- a/scripts/check-no-monolithic-plugin-sdk-entry-imports.ts
+++ b/scripts/check-no-monolithic-plugin-sdk-entry-imports.ts
@@ -5,11 +5,16 @@ import { discoverOpenClawPlugins } from "../src/plugins/discovery.js";
 // Match exact monolithic-root specifier in any code path:
 // imports/exports, require/dynamic import, and test mocks (vi.mock/jest.mock).
 const ROOT_IMPORT_PATTERN = /["']openclaw\/plugin-sdk["']/;
+const LEGACY_ROUTING_IMPORT_PATTERN = /["']openclaw\/plugin-sdk\/routing["']/;
 
 function hasMonolithicRootImport(content: string): boolean {
   return ROOT_IMPORT_PATTERN.test(content);
 }
 
+function hasLegacyRoutingImport(content: string): boolean {
+  return LEGACY_ROUTING_IMPORT_PATTERN.test(content);
+}
+
 function isSourceFile(filePath: string): boolean {
   if (filePath.endsWith(".d.ts")) {
     return false;
@@ -77,7 +82,8 @@ function main() {
     filesToCheck.add(sharedFile);
   }
 
-  const offenders: string[] = [];
+  const monolithicOffenders: string[] = [];
+  const legacyRoutingOffenders: string[] = [];
   for (const entryFile of filesToCheck) {
     let content = "";
     try {
@@ -86,19 +92,35 @@ function main() {
       continue;
     }
     if (hasMonolithicRootImport(content)) {
-      offenders.push(entryFile);
+      monolithicOffenders.push(entryFile);
+    }
+    if (hasLegacyRoutingImport(content)) {
+      legacyRoutingOffenders.push(entryFile);
     }
   }
 
-  if (offenders.length > 0) {
-    console.error("Bundled plugin source files must not import monolithic openclaw/plugin-sdk.");
-    for (const file of offenders.toSorted()) {
-      const relative = path.relative(process.cwd(), file) || file;
-      console.error(`- ${relative}`);
+  if (monolithicOffenders.length > 0 || legacyRoutingOffenders.length > 0) {
+    if (monolithicOffenders.length > 0) {
+      console.error("Bundled plugin source files must not import monolithic openclaw/plugin-sdk.");
+      for (const file of monolithicOffenders.toSorted()) {
+        const relative = path.relative(process.cwd(), file) || file;
+        console.error(`- ${relative}`);
+      }
+    }
+    if (legacyRoutingOffenders.length > 0) {
+      console.error(
+        "Bundled plugin source files must not import legacy openclaw/plugin-sdk/routing.",
+      );
+      for (const file of legacyRoutingOffenders.toSorted()) {
+        const relative = path.relative(process.cwd(), file) || file;
+        console.error(`- ${relative}`);
+      }
+    }
+    if (monolithicOffenders.length > 0 || legacyRoutingOffenders.length > 0) {
+      console.error(
+        "Use openclaw/plugin-sdk/<channel> for channel plugins, /core for shared routing and startup surfaces, or /compat for broader internals.",
+      );
     }
-    console.error(
-      "Use openclaw/plugin-sdk/<channel> for channel plugins, /core for startup surfaces, or /compat for broader internals.",
-    );
     process.exit(1);
   }
 
diff --git a/src/plugins/providers.test.ts b/src/plugins/providers.test.ts
index 1a365d71e87..50530a3c051 100644
--- a/src/plugins/providers.test.ts
+++ b/src/plugins/providers.test.ts
@@ -20,7 +20,13 @@ describe("resolvePluginProviders", () => {
     });
     loadPluginManifestRegistryMock.mockReset();
     loadPluginManifestRegistryMock.mockReturnValue({
-      plugins: [],
+      plugins: [
+        { id: "google", providers: ["google"], origin: "bundled" },
+        { id: "kilocode", providers: ["kilocode"], origin: "bundled" },
+        { id: "moonshot", providers: ["moonshot"], origin: "bundled" },
+        { id: "google-gemini-cli-auth", providers: [], origin: "bundled" },
+        { id: "workspace-provider", providers: ["workspace-provider"], origin: "workspace" },
+      ],
       diagnostics: [],
     });
   });
@@ -77,7 +83,7 @@ describe("resolvePluginProviders", () => {
         config: expect.objectContaining({
           plugins: expect.objectContaining({
             enabled: true,
-            allow: expect.arrayContaining(["openai", "moonshot", "zai"]),
+            allow: expect.arrayContaining(["google", "moonshot"]),
           }),
         }),
         cache: false,
@@ -103,6 +109,22 @@ describe("resolvePluginProviders", () => {
     expect(allow).not.toContain("google-gemini-cli-auth");
   });
 
+  it("does not inject non-bundled provider plugin ids into compat allowlists", () => {
+    resolvePluginProviders({
+      config: {
+        plugins: {
+          allow: ["openrouter"],
+        },
+      },
+      bundledProviderAllowlistCompat: true,
+    });
+
+    const call = loadOpenClawPluginsMock.mock.calls.at(-1)?.[0];
+    const allow = call?.config?.plugins?.allow;
+
+    expect(allow).not.toContain("workspace-provider");
+  });
+
   it("maps provider ids to owning plugin ids via manifests", () => {
     loadPluginManifestRegistryMock.mockReturnValue({
       plugins: [
diff --git a/src/plugins/providers.ts b/src/plugins/providers.ts
index 97a4dc0b32d..f2a2b4497c9 100644
--- a/src/plugins/providers.ts
+++ b/src/plugins/providers.ts
@@ -7,39 +7,6 @@ import { loadPluginManifestRegistry } from "./manifest-registry.js";
 import type { ProviderPlugin } from "./types.js";
 
 const log = createSubsystemLogger("plugins");
-const BUNDLED_PROVIDER_ALLOWLIST_COMPAT_PLUGIN_IDS = [
-  "anthropic",
-  "byteplus",
-  "cloudflare-ai-gateway",
-  "copilot-proxy",
-  "github-copilot",
-  "google",
-  "huggingface",
-  "kilocode",
-  "kimi-coding",
-  "minimax",
-  "mistral",
-  "modelstudio",
-  "moonshot",
-  "nvidia",
-  "ollama",
-  "openai",
-  "opencode",
-  "opencode-go",
-  "openrouter",
-  "qianfan",
-  "qwen-portal-auth",
-  "sglang",
-  "synthetic",
-  "together",
-  "venice",
-  "vercel-ai-gateway",
-  "volcengine",
-  "xai",
-  "vllm",
-  "xiaomi",
-  "zai",
-] as const;
 
 function hasExplicitPluginConfig(config: PluginLoadOptions["config"]): boolean {
   const plugins = config?.plugins;
@@ -69,10 +36,11 @@ function hasExplicitPluginConfig(config: PluginLoadOptions["config"]): boolean {
 
 function withBundledProviderVitestCompat(params: {
   config: PluginLoadOptions["config"];
+  pluginIds: readonly string[];
   env?: PluginLoadOptions["env"];
 }): PluginLoadOptions["config"] {
   const env = params.env ?? process.env;
-  if (!env.VITEST || hasExplicitPluginConfig(params.config)) {
+  if (!env.VITEST || hasExplicitPluginConfig(params.config) || params.pluginIds.length === 0) {
     return params.config;
   }
 
@@ -81,7 +49,7 @@ function withBundledProviderVitestCompat(params: {
     plugins: {
       ...params.config?.plugins,
       enabled: true,
-      allow: [...BUNDLED_PROVIDER_ALLOWLIST_COMPAT_PLUGIN_IDS],
+      allow: [...params.pluginIds],
       slots: {
         ...params.config?.plugins?.slots,
         memory: "none",
@@ -90,6 +58,22 @@ function withBundledProviderVitestCompat(params: {
   };
 }
 
+function resolveBundledProviderCompatPluginIds(params: {
+  config?: PluginLoadOptions["config"];
+  workspaceDir?: string;
+  env?: PluginLoadOptions["env"];
+}): string[] {
+  const registry = loadPluginManifestRegistry({
+    config: params.config,
+    workspaceDir: params.workspaceDir,
+    env: params.env,
+  });
+  return registry.plugins
+    .filter((plugin) => plugin.origin === "bundled" && plugin.providers.length > 0)
+    .map((plugin) => plugin.id)
+    .toSorted((left, right) => left.localeCompare(right));
+}
+
 export function resolveOwningPluginIdsForProvider(params: {
   provider: string;
   config?: PluginLoadOptions["config"];
@@ -126,15 +110,24 @@ export function resolvePluginProviders(params: {
   activate?: boolean;
   cache?: boolean;
 }): ProviderPlugin[] {
+  const bundledProviderCompatPluginIds =
+    params.bundledProviderAllowlistCompat || params.bundledProviderVitestCompat
+      ? resolveBundledProviderCompatPluginIds({
+          config: params.config,
+          workspaceDir: params.workspaceDir,
+          env: params.env,
+        })
+      : [];
   const maybeAllowlistCompat = params.bundledProviderAllowlistCompat
     ? withBundledPluginAllowlistCompat({
         config: params.config,
-        pluginIds: BUNDLED_PROVIDER_ALLOWLIST_COMPAT_PLUGIN_IDS,
+        pluginIds: bundledProviderCompatPluginIds,
       })
     : params.config;
   const config = params.bundledProviderVitestCompat
     ? withBundledProviderVitestCompat({
         config: maybeAllowlistCompat,
+        pluginIds: bundledProviderCompatPluginIds,
         env: params.env,
       })
     : maybeAllowlistCompat;

From 4f8c0666808729b941764a53f94899b425b44413 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Mon, 16 Mar 2026 00:40:33 -0700
Subject: [PATCH 106/133] Plugins: cover catalog discovery providers

---
 .../contracts/discovery.contract.test.ts      | 191 ++++++++++++++++++
 1 file changed, 191 insertions(+)

diff --git a/src/plugins/contracts/discovery.contract.test.ts b/src/plugins/contracts/discovery.contract.test.ts
index 8394cbfa992..6dbc767635d 100644
--- a/src/plugins/contracts/discovery.contract.test.ts
+++ b/src/plugins/contracts/discovery.contract.test.ts
@@ -36,6 +36,11 @@ const githubCopilotPlugin = (await import("../../../extensions/github-copilot/in
 const ollamaPlugin = (await import("../../../extensions/ollama/index.js")).default;
 const vllmPlugin = (await import("../../../extensions/vllm/index.js")).default;
 const sglangPlugin = (await import("../../../extensions/sglang/index.js")).default;
+const minimaxPlugin = (await import("../../../extensions/minimax/index.js")).default;
+const modelStudioPlugin = (await import("../../../extensions/modelstudio/index.js")).default;
+const cloudflareAiGatewayPlugin = (
+  await import("../../../extensions/cloudflare-ai-gateway/index.js")
+).default;
 
 function registerProviders(...plugins: Array<{ register(api: OpenClawPluginApi): void }>) {
   const captured = createCapturedPluginRegistration();
@@ -324,4 +329,190 @@ describe("provider discovery contract", () => {
       apiKey: "env-sglang-key",
     });
   });
+
+  it("keeps MiniMax API catalog provider-owned", async () => {
+    const provider = requireProvider(registerProviders(minimaxPlugin), "minimax");
+
+    await expect(
+      runProviderCatalog({
+        provider,
+        config: {},
+        env: {
+          MINIMAX_API_KEY: "minimax-key",
+        } as NodeJS.ProcessEnv,
+        resolveProviderApiKey: () => ({ apiKey: "minimax-key" }),
+      }),
+    ).resolves.toMatchObject({
+      provider: {
+        baseUrl: "https://api.minimax.io/anthropic",
+        api: "anthropic-messages",
+        authHeader: true,
+        apiKey: "minimax-key",
+        models: expect.arrayContaining([
+          expect.objectContaining({ id: "MiniMax-M2.5" }),
+          expect.objectContaining({ id: "MiniMax-VL-01" }),
+        ]),
+      },
+    });
+  });
+
+  it("keeps MiniMax portal oauth marker fallback provider-owned", async () => {
+    const provider = requireProvider(registerProviders(minimaxPlugin), "minimax-portal");
+    replaceRuntimeAuthProfileStoreSnapshots([
+      {
+        store: {
+          version: 1,
+          profiles: {
+            "minimax-portal:default": {
+              type: "oauth",
+              provider: "minimax-portal",
+              access: "access-token",
+              refresh: "refresh-token",
+              expires: Date.now() + 60_000,
+            },
+          },
+        },
+      },
+    ]);
+
+    await expect(
+      runProviderCatalog({
+        provider,
+        config: {},
+        env: {} as NodeJS.ProcessEnv,
+        resolveProviderApiKey: () => ({ apiKey: undefined }),
+      }),
+    ).resolves.toMatchObject({
+      provider: {
+        baseUrl: "https://api.minimax.io/anthropic",
+        api: "anthropic-messages",
+        authHeader: true,
+        apiKey: "minimax-oauth",
+        models: expect.arrayContaining([expect.objectContaining({ id: "MiniMax-M2.5" })]),
+      },
+    });
+  });
+
+  it("keeps MiniMax portal explicit base URL override provider-owned", async () => {
+    const provider = requireProvider(registerProviders(minimaxPlugin), "minimax-portal");
+
+    await expect(
+      runProviderCatalog({
+        provider,
+        config: {
+          models: {
+            providers: {
+              "minimax-portal": {
+                baseUrl: "https://portal-proxy.example.com/anthropic",
+                apiKey: "explicit-key",
+              },
+            },
+          },
+        },
+        env: {} as NodeJS.ProcessEnv,
+        resolveProviderApiKey: () => ({ apiKey: undefined }),
+      }),
+    ).resolves.toMatchObject({
+      provider: {
+        baseUrl: "https://portal-proxy.example.com/anthropic",
+        apiKey: "explicit-key",
+      },
+    });
+  });
+
+  it("keeps Model Studio catalog provider-owned", async () => {
+    const provider = requireProvider(registerProviders(modelStudioPlugin), "modelstudio");
+
+    await expect(
+      runProviderCatalog({
+        provider,
+        config: {
+          models: {
+            providers: {
+              modelstudio: {
+                baseUrl: "https://coding.dashscope.aliyuncs.com/v1",
+              },
+            },
+          },
+        },
+        env: {
+          MODELSTUDIO_API_KEY: "modelstudio-key",
+        } as NodeJS.ProcessEnv,
+        resolveProviderApiKey: () => ({ apiKey: "modelstudio-key" }),
+      }),
+    ).resolves.toMatchObject({
+      provider: {
+        baseUrl: "https://coding.dashscope.aliyuncs.com/v1",
+        api: "openai-completions",
+        apiKey: "modelstudio-key",
+        models: expect.arrayContaining([
+          expect.objectContaining({ id: "qwen3.5-plus" }),
+          expect.objectContaining({ id: "MiniMax-M2.5" }),
+        ]),
+      },
+    });
+  });
+
+  it("keeps Cloudflare AI Gateway catalog disabled without stored metadata", async () => {
+    const provider = requireProvider(
+      registerProviders(cloudflareAiGatewayPlugin),
+      "cloudflare-ai-gateway",
+    );
+
+    await expect(
+      runProviderCatalog({
+        provider,
+        config: {},
+        env: {} as NodeJS.ProcessEnv,
+        resolveProviderApiKey: () => ({ apiKey: undefined }),
+      }),
+    ).resolves.toBeNull();
+  });
+
+  it("keeps Cloudflare AI Gateway env-managed catalog provider-owned", async () => {
+    const provider = requireProvider(
+      registerProviders(cloudflareAiGatewayPlugin),
+      "cloudflare-ai-gateway",
+    );
+    replaceRuntimeAuthProfileStoreSnapshots([
+      {
+        store: {
+          version: 1,
+          profiles: {
+            "cloudflare-ai-gateway:default": {
+              type: "api_key",
+              provider: "cloudflare-ai-gateway",
+              keyRef: {
+                source: "env",
+                provider: "default",
+                id: "CLOUDFLARE_AI_GATEWAY_API_KEY",
+              },
+              metadata: {
+                accountId: "acc-123",
+                gatewayId: "gw-456",
+              },
+            },
+          },
+        },
+      },
+    ]);
+
+    await expect(
+      runProviderCatalog({
+        provider,
+        config: {},
+        env: {
+          CLOUDFLARE_AI_GATEWAY_API_KEY: "secret-value",
+        } as NodeJS.ProcessEnv,
+        resolveProviderApiKey: () => ({ apiKey: undefined }),
+      }),
+    ).resolves.toEqual({
+      provider: {
+        baseUrl: "https://gateway.ai.cloudflare.com/v1/acc-123/gw-456/anthropic",
+        api: "anthropic-messages",
+        apiKey: "CLOUDFLARE_AI_GATEWAY_API_KEY",
+        models: [expect.objectContaining({ id: "claude-sonnet-4-5" })],
+      },
+    });
+  });
 });

From 78f24dcaa23a10059e2fe958a66e447038bf08dd Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Mon, 16 Mar 2026 00:40:33 -0700
Subject: [PATCH 107/133] Tests: type auth contract prompt mocks

---
 src/plugins/contracts/auth.contract.test.ts | 28 +++++++++++++++------
 1 file changed, 21 insertions(+), 7 deletions(-)

diff --git a/src/plugins/contracts/auth.contract.test.ts b/src/plugins/contracts/auth.contract.test.ts
index 1d753ca2f53..386c7acb6e7 100644
--- a/src/plugins/contracts/auth.contract.test.ts
+++ b/src/plugins/contracts/auth.contract.test.ts
@@ -5,12 +5,26 @@ import {
 } from "../../agents/auth-profiles/store.js";
 import { createNonExitingRuntime } from "../../runtime.js";
 import { createCapturedPluginRegistration } from "../../test-utils/plugin-registration.js";
-import type { WizardPrompter, WizardProgress } from "../../wizard/prompts.js";
+import type {
+  WizardMultiSelectParams,
+  WizardPrompter,
+  WizardProgress,
+  WizardSelectParams,
+} from "../../wizard/prompts.js";
 import type { OpenClawPluginApi, ProviderPlugin } from "../types.js";
 
-const loginOpenAICodexOAuthMock = vi.hoisted(() => vi.fn());
-const loginQwenPortalOAuthMock = vi.hoisted(() => vi.fn());
-const githubCopilotLoginCommandMock = vi.hoisted(() => vi.fn());
+type LoginOpenAICodexOAuth =
+  (typeof import("../../commands/openai-codex-oauth.js"))["loginOpenAICodexOAuth"];
+type LoginQwenPortalOAuth =
+  (typeof import("../../../extensions/qwen-portal-auth/oauth.js"))["loginQwenPortalOAuth"];
+type GithubCopilotLoginCommand =
+  (typeof import("../../providers/github-copilot-auth.js"))["githubCopilotLoginCommand"];
+type CreateVpsAwareHandlers =
+  (typeof import("../../commands/oauth-flow.js"))["createVpsAwareOAuthHandlers"];
+
+const loginOpenAICodexOAuthMock = vi.hoisted(() => vi.fn<LoginOpenAICodexOAuth>());
+const loginQwenPortalOAuthMock = vi.hoisted(() => vi.fn<LoginQwenPortalOAuth>());
+const githubCopilotLoginCommandMock = vi.hoisted(() => vi.fn<GithubCopilotLoginCommand>());
 
 vi.mock("../../commands/openai-codex-oauth.js", () => ({
   loginOpenAICodexOAuth: loginOpenAICodexOAuthMock,
@@ -37,8 +51,8 @@ function buildPrompter(): WizardPrompter {
     intro: async () => {},
     outro: async () => {},
     note: async () => {},
-    select: async () => "",
-    multiselect: async () => [],
+    select: async <T>(params: WizardSelectParams<T>) => params.options[0].value,
+    multiselect: async <T>(params: WizardMultiSelectParams<T>) => params.initialValues ?? [],
     text: async () => "",
     confirm: async () => false,
     progress: () => progress,
@@ -53,7 +67,7 @@ function buildAuthContext() {
     isRemote: false,
     openUrl: async () => {},
     oauth: {
-      createVpsAwareHandlers: vi.fn() as never,
+      createVpsAwareHandlers: vi.fn<CreateVpsAwareHandlers>(),
     },
   };
 }

From 0ed64f124d60b6349540cdcf42da62f3d968e833 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Mar 2026 07:44:10 +0000
Subject: [PATCH 108/133] fix: mount CLI auth dirs in docker live tests

---
 docs/help/testing.md                       | 3 ++-
 scripts/test-live-gateway-models-docker.sh | 9 +++++++++
 scripts/test-live-models-docker.sh         | 9 +++++++++
 3 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/docs/help/testing.md b/docs/help/testing.md
index 9fa1404a8d4..09388dd769e 100644
--- a/docs/help/testing.md
+++ b/docs/help/testing.md
@@ -362,7 +362,7 @@ If you want to rely on env keys (e.g. exported in your `~/.profile`), run local
 
 ## Docker runners (optional “works in Linux” checks)
 
-These run `pnpm test:live` inside the repo Docker image, mounting your local config dir and workspace (and sourcing `~/.profile` if mounted):
+These run `pnpm test:live` inside the repo Docker image, mounting your local config dir and workspace (and sourcing `~/.profile` if mounted). They also bind-mount CLI auth homes like `~/.codex`, `~/.claude`, `~/.qwen`, and `~/.minimax` when present so external-CLI OAuth stays available in-container:
 
 - Direct models: `pnpm test:docker:live-models` (script: `scripts/test-live-models-docker.sh`)
 - Gateway + dev agent: `pnpm test:docker:live-gateway` (script: `scripts/test-live-gateway-models-docker.sh`)
@@ -384,6 +384,7 @@ Useful env vars:
 - `OPENCLAW_CONFIG_DIR=...` (default: `~/.openclaw`) mounted to `/home/node/.openclaw`
 - `OPENCLAW_WORKSPACE_DIR=...` (default: `~/.openclaw/workspace`) mounted to `/home/node/.openclaw/workspace`
 - `OPENCLAW_PROFILE_FILE=...` (default: `~/.profile`) mounted to `/home/node/.profile` and sourced before running tests
+- External CLI auth dirs under `$HOME` (`.codex`, `.claude`, `.qwen`, `.minimax`) are mounted read-only to the matching `/home/node/...` paths when present
 - `OPENCLAW_LIVE_GATEWAY_MODELS=...` / `OPENCLAW_LIVE_MODELS=...` to narrow the run
 - `OPENCLAW_LIVE_REQUIRE_PROFILE_KEYS=1` to ensure creds come from the profile store (not env)
 
diff --git a/scripts/test-live-gateway-models-docker.sh b/scripts/test-live-gateway-models-docker.sh
index 3998110efa6..f40e064910b 100755
--- a/scripts/test-live-gateway-models-docker.sh
+++ b/scripts/test-live-gateway-models-docker.sh
@@ -13,6 +13,14 @@ if [[ -f "$PROFILE_FILE" ]]; then
   PROFILE_MOUNT=(-v "$PROFILE_FILE":/home/node/.profile:ro)
 fi
 
+EXTERNAL_AUTH_MOUNTS=()
+for auth_dir in .claude .codex .minimax .qwen; do
+  host_path="$HOME/$auth_dir"
+  if [[ -d "$host_path" ]]; then
+    EXTERNAL_AUTH_MOUNTS+=(-v "$host_path":/home/node/"$auth_dir":ro)
+  fi
+done
+
 read -r -d '' LIVE_TEST_CMD <<'EOF' || true
 set -euo pipefail
 [ -f "$HOME/.profile" ] && source "$HOME/.profile" || true
@@ -51,6 +59,7 @@ docker run --rm -t \
   -v "$ROOT_DIR":/src:ro \
   -v "$CONFIG_DIR":/home/node/.openclaw \
   -v "$WORKSPACE_DIR":/home/node/.openclaw/workspace \
+  "${EXTERNAL_AUTH_MOUNTS[@]}" \
   "${PROFILE_MOUNT[@]}" \
   "$LIVE_IMAGE_NAME" \
   -lc "$LIVE_TEST_CMD"
diff --git a/scripts/test-live-models-docker.sh b/scripts/test-live-models-docker.sh
index cca4202710d..52257cd3230 100755
--- a/scripts/test-live-models-docker.sh
+++ b/scripts/test-live-models-docker.sh
@@ -13,6 +13,14 @@ if [[ -f "$PROFILE_FILE" ]]; then
   PROFILE_MOUNT=(-v "$PROFILE_FILE":/home/node/.profile:ro)
 fi
 
+EXTERNAL_AUTH_MOUNTS=()
+for auth_dir in .claude .codex .minimax .qwen; do
+  host_path="$HOME/$auth_dir"
+  if [[ -d "$host_path" ]]; then
+    EXTERNAL_AUTH_MOUNTS+=(-v "$host_path":/home/node/"$auth_dir":ro)
+  fi
+done
+
 read -r -d '' LIVE_TEST_CMD <<'EOF' || true
 set -euo pipefail
 [ -f "$HOME/.profile" ] && source "$HOME/.profile" || true
@@ -52,6 +60,7 @@ docker run --rm -t \
   -v "$ROOT_DIR":/src:ro \
   -v "$CONFIG_DIR":/home/node/.openclaw \
   -v "$WORKSPACE_DIR":/home/node/.openclaw/workspace \
+  "${EXTERNAL_AUTH_MOUNTS[@]}" \
   "${PROFILE_MOUNT[@]}" \
   "$LIVE_IMAGE_NAME" \
   -lc "$LIVE_TEST_CMD"

From 3a2c24e598ee15ce3a28f17684c3792c302ef3d9 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Mar 2026 00:48:47 -0700
Subject: [PATCH 109/133] refactor: route shared channel sdk imports through
 plugin seams

---
 src/auto-reply/reply/commands-approve.ts      |   6 +-
 src/auto-reply/reply/commands-models.ts       |  14 +-
 .../reply/directive-handling.model.ts         |   2 +-
 src/channels/plugins/actions/signal.ts        |  12 +-
 src/channels/plugins/group-mentions.ts        |   2 +-
 src/channels/plugins/normalize/imessage.ts    |   2 +-
 src/channels/plugins/normalize/slack.ts       |   2 +-
 src/channels/plugins/slack.actions.ts         |  12 +-
 src/commands/doctor-config-flow.ts            |  18 +--
 src/infra/outbound/message-action-params.ts   |   2 +-
 src/infra/state-migrations.ts                 |   2 +-
 src/media/outbound-attachment.ts              |   2 +-
 src/plugin-sdk/discord.ts                     |   5 +
 src/plugin-sdk/imessage-targets.ts            |   1 +
 src/plugin-sdk/imessage.ts                    |  13 ++
 src/plugin-sdk/index.ts                       | 144 ++++++++----------
 src/plugin-sdk/line.ts                        |   6 +
 src/plugin-sdk/msteams.ts                     |   2 +-
 src/plugin-sdk/outbound-media.ts              |   2 +-
 src/plugin-sdk/signal.ts                      |   6 +
 src/plugin-sdk/slack-targets.ts               |   6 +
 src/plugin-sdk/slack.ts                       |   2 +
 src/plugin-sdk/telegram.ts                    |  17 +++
 src/plugin-sdk/web-media.ts                   |   1 +
 src/security/audit-channel.runtime.ts         |   2 +-
 25 files changed, 163 insertions(+), 120 deletions(-)
 create mode 100644 src/plugin-sdk/imessage-targets.ts
 create mode 100644 src/plugin-sdk/slack-targets.ts
 create mode 100644 src/plugin-sdk/web-media.ts

diff --git a/src/auto-reply/reply/commands-approve.ts b/src/auto-reply/reply/commands-approve.ts
index ad1fde9eb0b..630ea988c05 100644
--- a/src/auto-reply/reply/commands-approve.ts
+++ b/src/auto-reply/reply/commands-approve.ts
@@ -1,9 +1,9 @@
+import { callGateway } from "../../gateway/call.js";
+import { logVerbose } from "../../globals.js";
 import {
   isTelegramExecApprovalApprover,
   isTelegramExecApprovalClientEnabled,
-} from "../../../extensions/telegram/src/exec-approvals.js";
-import { callGateway } from "../../gateway/call.js";
-import { logVerbose } from "../../globals.js";
+} from "../../plugin-sdk/telegram.js";
 import { GATEWAY_CLIENT_MODES, GATEWAY_CLIENT_NAMES } from "../../utils/message-channel.js";
 import { requireGatewayClientScopeForInternalChannel } from "./command-gates.js";
 import type { CommandHandler } from "./commands-types.js";
diff --git a/src/auto-reply/reply/commands-models.ts b/src/auto-reply/reply/commands-models.ts
index afe56688256..25f309361d2 100644
--- a/src/auto-reply/reply/commands-models.ts
+++ b/src/auto-reply/reply/commands-models.ts
@@ -1,10 +1,3 @@
-import {
-  buildModelsKeyboard,
-  buildProviderKeyboard,
-  calculateTotalPages,
-  getModelsPageSize,
-  type ProviderInfo,
-} from "../../../extensions/telegram/src/model-buttons.js";
 import { resolveAgentDir, resolveSessionAgentId } from "../../agents/agent-scope.js";
 import { resolveModelAuthLabel } from "../../agents/model-auth-label.js";
 import { loadModelCatalog } from "../../agents/model-catalog.js";
@@ -17,6 +10,13 @@ import {
 } from "../../agents/model-selection.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import type { SessionEntry } from "../../config/sessions.js";
+import {
+  buildModelsKeyboard,
+  buildProviderKeyboard,
+  calculateTotalPages,
+  getModelsPageSize,
+  type ProviderInfo,
+} from "../../plugin-sdk/telegram.js";
 import type { ReplyPayload } from "../types.js";
 import { rejectUnauthorizedCommand } from "./command-gates.js";
 import type { CommandHandler } from "./commands-types.js";
diff --git a/src/auto-reply/reply/directive-handling.model.ts b/src/auto-reply/reply/directive-handling.model.ts
index bb66d8b8d7f..521d3bd6fea 100644
--- a/src/auto-reply/reply/directive-handling.model.ts
+++ b/src/auto-reply/reply/directive-handling.model.ts
@@ -1,4 +1,3 @@
-import { buildBrowseProvidersButton } from "../../../extensions/telegram/src/model-buttons.js";
 import { resolveAuthStorePathForDisplay } from "../../agents/auth-profiles.js";
 import {
   type ModelAliasIndex,
@@ -9,6 +8,7 @@ import {
 } from "../../agents/model-selection.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import type { SessionEntry } from "../../config/sessions.js";
+import { buildBrowseProvidersButton } from "../../plugin-sdk/telegram.js";
 import { shortenHomePath } from "../../utils.js";
 import { resolveSelectedAndActiveModel } from "../model-runtime.js";
 import type { ReplyPayload } from "../types.js";
diff --git a/src/channels/plugins/actions/signal.ts b/src/channels/plugins/actions/signal.ts
index b75a20ae2ec..60a70bac4c0 100644
--- a/src/channels/plugins/actions/signal.ts
+++ b/src/channels/plugins/actions/signal.ts
@@ -1,13 +1,11 @@
+import { createActionGate, jsonResult, readStringParam } from "../../../agents/tools/common.js";
 import {
   listEnabledSignalAccounts,
-  resolveSignalAccount,
-} from "../../../../extensions/signal/src/accounts.js";
-import { resolveSignalReactionLevel } from "../../../../extensions/signal/src/reaction-level.js";
-import {
-  sendReactionSignal,
   removeReactionSignal,
-} from "../../../../extensions/signal/src/send-reactions.js";
-import { createActionGate, jsonResult, readStringParam } from "../../../agents/tools/common.js";
+  resolveSignalAccount,
+  resolveSignalReactionLevel,
+  sendReactionSignal,
+} from "../../../plugin-sdk/signal.js";
 import type { ChannelMessageActionAdapter, ChannelMessageActionName } from "../types.js";
 import { resolveReactionMessageId } from "./reaction-message-id.js";
 
diff --git a/src/channels/plugins/group-mentions.ts b/src/channels/plugins/group-mentions.ts
index 4dac8bbc7f2..f825fc73fe5 100644
--- a/src/channels/plugins/group-mentions.ts
+++ b/src/channels/plugins/group-mentions.ts
@@ -1,4 +1,3 @@
-import { inspectSlackAccount } from "../../../extensions/slack/src/account-inspect.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import {
   resolveChannelGroupRequireMention,
@@ -11,6 +10,7 @@ import type {
   GroupToolPolicyConfig,
 } from "../../config/types.tools.js";
 import { resolveExactLineGroupConfigKey } from "../../line/group-keys.js";
+import { inspectSlackAccount } from "../../plugin-sdk/slack.js";
 import { normalizeAtHashSlug, normalizeHyphenSlug } from "../../shared/string-normalization.js";
 import type { ChannelGroupContext } from "./types.js";
 
diff --git a/src/channels/plugins/normalize/imessage.ts b/src/channels/plugins/normalize/imessage.ts
index 3b9ecbe1837..a6043632121 100644
--- a/src/channels/plugins/normalize/imessage.ts
+++ b/src/channels/plugins/normalize/imessage.ts
@@ -1,4 +1,4 @@
-import { normalizeIMessageHandle } from "../../../../extensions/imessage/src/targets.js";
+import { normalizeIMessageHandle } from "../../../plugin-sdk/imessage-targets.js";
 import { looksLikeHandleOrPhoneTarget, trimMessagingTarget } from "./shared.js";
 
 // Service prefixes that indicate explicit delivery method; must be preserved during normalization
diff --git a/src/channels/plugins/normalize/slack.ts b/src/channels/plugins/normalize/slack.ts
index 52d4c905342..50e31a0feee 100644
--- a/src/channels/plugins/normalize/slack.ts
+++ b/src/channels/plugins/normalize/slack.ts
@@ -1,4 +1,4 @@
-import { parseSlackTarget } from "../../../../extensions/slack/src/targets.js";
+import { parseSlackTarget } from "../../../plugin-sdk/slack-targets.js";
 
 export function normalizeSlackMessagingTarget(raw: string): string | undefined {
   const target = parseSlackTarget(raw, { defaultKind: "channel" });
diff --git a/src/channels/plugins/slack.actions.ts b/src/channels/plugins/slack.actions.ts
index 66bc6679680..8c7f02ee9ec 100644
--- a/src/channels/plugins/slack.actions.ts
+++ b/src/channels/plugins/slack.actions.ts
@@ -1,11 +1,11 @@
-import { isSlackInteractiveRepliesEnabled } from "../../../extensions/slack/src/interactive-replies.js";
-import {
-  extractSlackToolSend,
-  listSlackMessageActions,
-} from "../../../extensions/slack/src/message-actions.js";
-import { resolveSlackChannelId } from "../../../extensions/slack/src/targets.js";
 import { handleSlackAction, type SlackActionContext } from "../../agents/tools/slack-actions.js";
 import { handleSlackMessageAction } from "../../plugin-sdk/slack-message-actions.js";
+import {
+  extractSlackToolSend,
+  isSlackInteractiveRepliesEnabled,
+  listSlackMessageActions,
+  resolveSlackChannelId,
+} from "../../plugin-sdk/slack.js";
 import type { ChannelMessageActionAdapter } from "./types.js";
 
 export function createSlackActions(providerId: string): ChannelMessageActionAdapter {
diff --git a/src/commands/doctor-config-flow.ts b/src/commands/doctor-config-flow.ts
index e6c6a15609c..a1cbf5fa6d9 100644
--- a/src/commands/doctor-config-flow.ts
+++ b/src/commands/doctor-config-flow.ts
@@ -1,15 +1,5 @@
 import fs from "node:fs/promises";
 import path from "node:path";
-import { inspectTelegramAccount } from "../../extensions/telegram/src/account-inspect.js";
-import {
-  listTelegramAccountIds,
-  resolveTelegramAccount,
-} from "../../extensions/telegram/src/accounts.js";
-import {
-  isNumericTelegramUserId,
-  normalizeTelegramAllowFromEntry,
-} from "../../extensions/telegram/src/allow-from.js";
-import { fetchTelegramChatId } from "../../extensions/telegram/src/api-fetch.js";
 import { normalizeChatChannelId } from "../channels/registry.js";
 import { formatCliCommand } from "../cli/command-format.js";
 import { resolveCommandSecretRefsViaGateway } from "../cli/command-secret-gateway.js";
@@ -32,6 +22,14 @@ import {
   normalizeTrustedSafeBinDirs,
 } from "../infra/exec-safe-bin-trust.js";
 import { readChannelAllowFromStore } from "../pairing/pairing-store.js";
+import {
+  fetchTelegramChatId,
+  inspectTelegramAccount,
+  isNumericTelegramUserId,
+  listTelegramAccountIds,
+  normalizeTelegramAllowFromEntry,
+  resolveTelegramAccount,
+} from "../plugin-sdk/telegram.js";
 import {
   formatChannelAccountsDefaultPath,
   formatSetExplicitDefaultInstruction,
diff --git a/src/infra/outbound/message-action-params.ts b/src/infra/outbound/message-action-params.ts
index 30991639129..6f95e0a5a4d 100644
--- a/src/infra/outbound/message-action-params.ts
+++ b/src/infra/outbound/message-action-params.ts
@@ -1,6 +1,5 @@
 import path from "node:path";
 import { fileURLToPath } from "node:url";
-import { loadWebMedia } from "../../../extensions/whatsapp/src/media.js";
 import { assertMediaNotDataUrl, resolveSandboxedMediaSource } from "../../agents/sandbox-paths.js";
 import { readStringParam } from "../../agents/tools/common.js";
 import type { ChannelId, ChannelMessageActionName } from "../../channels/plugins/types.js";
@@ -8,6 +7,7 @@ import type { OpenClawConfig } from "../../config/config.js";
 import { createRootScopedReadFile } from "../../infra/fs-safe.js";
 import { extensionForMime } from "../../media/mime.js";
 import { readBooleanParam as readBooleanParamShared } from "../../plugin-sdk/boolean-param.js";
+import { loadWebMedia } from "../../plugin-sdk/web-media.js";
 
 export const readBooleanParam = readBooleanParamShared;
 
diff --git a/src/infra/state-migrations.ts b/src/infra/state-migrations.ts
index 96f3071bd57..b429365a4a4 100644
--- a/src/infra/state-migrations.ts
+++ b/src/infra/state-migrations.ts
@@ -1,7 +1,6 @@
 import fs from "node:fs";
 import os from "node:os";
 import path from "node:path";
-import { listTelegramAccountIds } from "../../extensions/telegram/src/accounts.js";
 import { resolveDefaultAgentId } from "../agents/agent-scope.js";
 import type { OpenClawConfig } from "../config/config.js";
 import {
@@ -16,6 +15,7 @@ import { canonicalizeMainSessionAlias } from "../config/sessions/main-session.js
 import type { SessionScope } from "../config/sessions/types.js";
 import { createSubsystemLogger } from "../logging/subsystem.js";
 import { resolveChannelAllowFromPath } from "../pairing/pairing-store.js";
+import { listTelegramAccountIds } from "../plugin-sdk/telegram.js";
 import {
   buildAgentMainSessionKey,
   DEFAULT_ACCOUNT_ID,
diff --git a/src/media/outbound-attachment.ts b/src/media/outbound-attachment.ts
index 374f0696b96..7e2a180c2e1 100644
--- a/src/media/outbound-attachment.ts
+++ b/src/media/outbound-attachment.ts
@@ -1,4 +1,4 @@
-import { loadWebMedia } from "../../extensions/whatsapp/src/media.js";
+import { loadWebMedia } from "../plugin-sdk/web-media.js";
 import { buildOutboundMediaLoadOptions } from "./load-options.js";
 import { saveMediaBuffer } from "./store.js";
 
diff --git a/src/plugin-sdk/discord.ts b/src/plugin-sdk/discord.ts
index 27f6c17bdff..c2060fa4b3e 100644
--- a/src/plugin-sdk/discord.ts
+++ b/src/plugin-sdk/discord.ts
@@ -44,6 +44,11 @@ export {
   listThreadBindingsBySessionKey,
   unbindThreadBindingsBySessionKey,
 } from "../../extensions/discord/src/monitor/thread-bindings.js";
+export type {
+  ThreadBindingManager,
+  ThreadBindingRecord,
+  ThreadBindingTargetKind,
+} from "../../extensions/discord/src/monitor/thread-bindings.js";
 
 export {
   buildComputedAccountStatusSnapshot,
diff --git a/src/plugin-sdk/imessage-targets.ts b/src/plugin-sdk/imessage-targets.ts
new file mode 100644
index 00000000000..b3353edc3df
--- /dev/null
+++ b/src/plugin-sdk/imessage-targets.ts
@@ -0,0 +1 @@
+export { normalizeIMessageHandle } from "../../extensions/imessage/src/targets.js";
diff --git a/src/plugin-sdk/imessage.ts b/src/plugin-sdk/imessage.ts
index 1d767798873..a3a42f110ee 100644
--- a/src/plugin-sdk/imessage.ts
+++ b/src/plugin-sdk/imessage.ts
@@ -15,6 +15,19 @@ export {
   looksLikeIMessageTargetId,
   normalizeIMessageMessagingTarget,
 } from "../channels/plugins/normalize/imessage.js";
+export {
+  createAllowedChatSenderMatcher,
+  parseChatAllowTargetPrefixes,
+  parseChatTargetPrefixesOrThrow,
+  resolveServicePrefixedChatTarget,
+  resolveServicePrefixedAllowTarget,
+  resolveServicePrefixedOrChatAllowTarget,
+  resolveServicePrefixedTarget,
+} from "../../extensions/imessage/src/target-parsing-helpers.js";
+export type {
+  ChatSenderAllowParams,
+  ParsedChatTarget,
+} from "../../extensions/imessage/src/target-parsing-helpers.js";
 
 export {
   resolveAllowlistProviderRuntimeGroupPolicy,
diff --git a/src/plugin-sdk/index.ts b/src/plugin-sdk/index.ts
index 1b37138e101..4afc94eebab 100644
--- a/src/plugin-sdk/index.ts
+++ b/src/plugin-sdk/index.ts
@@ -61,16 +61,6 @@ export type {
   BaseTokenResolution,
 } from "../channels/plugins/types.js";
 export type { ChannelConfigSchema, ChannelPlugin } from "../channels/plugins/types.plugin.js";
-export type {
-  ThreadBindingManager,
-  ThreadBindingRecord,
-  ThreadBindingTargetKind,
-} from "../../extensions/discord/src/monitor/thread-bindings.js";
-export {
-  autoBindSpawnedDiscordSubagent,
-  listThreadBindingsBySessionKey,
-  unbindThreadBindingsBySessionKey,
-} from "../../extensions/discord/src/monitor/thread-bindings.js";
 export type {
   AcpRuntimeCapabilities,
   AcpRuntimeControl,
@@ -673,108 +663,107 @@ export type { SkillCommandSpec } from "../agents/skills.js";
 
 // Channel: Discord
 export {
+  autoBindSpawnedDiscordSubagent,
+  collectDiscordAuditChannelIds,
+  collectDiscordStatusIssues,
+  discordSetupAdapter,
+  discordSetupWizard,
+  inspectDiscordAccount,
   listDiscordAccountIds,
-  resolveDefaultDiscordAccountId,
-  resolveDiscordAccount,
-  type ResolvedDiscordAccount,
-} from "../../extensions/discord/src/accounts.js";
-export { inspectDiscordAccount } from "../../extensions/discord/src/account-inspect.js";
-export type { InspectedDiscordAccount } from "../../extensions/discord/src/account-inspect.js";
-export { collectDiscordAuditChannelIds } from "../../extensions/discord/src/audit.js";
-export { discordSetupWizard } from "../../extensions/discord/src/setup-surface.js";
-export { discordSetupAdapter } from "../../extensions/discord/src/setup-core.js";
-export {
   looksLikeDiscordTargetId,
   normalizeDiscordMessagingTarget,
   normalizeDiscordOutboundTarget,
-} from "../channels/plugins/normalize/discord.js";
-export { collectDiscordStatusIssues } from "../channels/plugins/status-issues/discord.js";
+  resolveDefaultDiscordAccountId,
+  resolveDiscordAccount,
+  type InspectedDiscordAccount,
+  type ResolvedDiscordAccount,
+  type ThreadBindingManager,
+  type ThreadBindingRecord,
+  type ThreadBindingTargetKind,
+  listThreadBindingsBySessionKey,
+  unbindThreadBindingsBySessionKey,
+} from "./discord.js";
 
 // Channel: iMessage
 export {
+  createAllowedChatSenderMatcher,
+  imessageSetupAdapter,
+  imessageSetupWizard,
   listIMessageAccountIds,
-  resolveDefaultIMessageAccountId,
-  resolveIMessageAccount,
-  type ResolvedIMessageAccount,
-} from "../../extensions/imessage/src/accounts.js";
-export { imessageSetupWizard } from "../../extensions/imessage/src/setup-surface.js";
-export { imessageSetupAdapter } from "../../extensions/imessage/src/setup-core.js";
-export {
   looksLikeIMessageTargetId,
   normalizeIMessageMessagingTarget,
-} from "../channels/plugins/normalize/imessage.js";
-export {
-  createAllowedChatSenderMatcher,
   parseChatAllowTargetPrefixes,
   parseChatTargetPrefixesOrThrow,
   resolveServicePrefixedChatTarget,
   resolveServicePrefixedAllowTarget,
   resolveServicePrefixedOrChatAllowTarget,
   resolveServicePrefixedTarget,
-} from "../../extensions/imessage/src/target-parsing-helpers.js";
-export type {
-  ChatSenderAllowParams,
-  ParsedChatTarget,
-} from "../../extensions/imessage/src/target-parsing-helpers.js";
+  resolveDefaultIMessageAccountId,
+  resolveIMessageAccount,
+  type ChatSenderAllowParams,
+  type ParsedChatTarget,
+  type ResolvedIMessageAccount,
+} from "./imessage.js";
 
 // Channel: Slack
 export {
+  buildSlackThreadingToolContext,
+  extractSlackToolSend,
+  inspectSlackAccount,
   listEnabledSlackAccounts,
   listSlackAccountIds,
+  listSlackMessageActions,
+  looksLikeSlackTargetId,
+  normalizeSlackMessagingTarget,
   resolveDefaultSlackAccountId,
   resolveSlackAccount,
   resolveSlackReplyToMode,
+  slackSetupAdapter,
+  slackSetupWizard,
+  type InspectedSlackAccount,
   type ResolvedSlackAccount,
-} from "../../extensions/slack/src/accounts.js";
-export { inspectSlackAccount } from "../../extensions/slack/src/account-inspect.js";
-export type { InspectedSlackAccount } from "../../extensions/slack/src/account-inspect.js";
-export {
-  extractSlackToolSend,
-  listSlackMessageActions,
-} from "../../extensions/slack/src/message-actions.js";
-export { slackSetupAdapter } from "../../extensions/slack/src/setup-core.js";
-export { slackSetupWizard } from "../../extensions/slack/src/setup-surface.js";
-export {
-  looksLikeSlackTargetId,
-  normalizeSlackMessagingTarget,
-} from "../channels/plugins/normalize/slack.js";
-export { buildSlackThreadingToolContext } from "../../extensions/slack/src/threading-tool-context.js";
+} from "./slack.js";
 
 // Channel: Telegram
 export {
+  buildBrowseProvidersButton,
+  buildModelsKeyboard,
+  buildProviderKeyboard,
+  calculateTotalPages,
+  fetchTelegramChatId,
+  getModelsPageSize,
+  inspectTelegramAccount,
+  isNumericTelegramUserId,
+  isTelegramExecApprovalApprover,
+  isTelegramExecApprovalClientEnabled,
   listTelegramAccountIds,
-  resolveDefaultTelegramAccountId,
-  resolveTelegramAccount,
-  type ResolvedTelegramAccount,
-} from "../../extensions/telegram/src/accounts.js";
-export { inspectTelegramAccount } from "../../extensions/telegram/src/account-inspect.js";
-export type { InspectedTelegramAccount } from "../../extensions/telegram/src/account-inspect.js";
-export { telegramSetupWizard } from "../../extensions/telegram/src/setup-surface.js";
-export { telegramSetupAdapter } from "../../extensions/telegram/src/setup-core.js";
-export {
   looksLikeTelegramTargetId,
+  normalizeTelegramAllowFromEntry,
   normalizeTelegramMessagingTarget,
-} from "../channels/plugins/normalize/telegram.js";
-export { collectTelegramStatusIssues } from "../channels/plugins/status-issues/telegram.js";
-export {
   parseTelegramReplyToMessageId,
   parseTelegramThreadId,
-} from "../../extensions/telegram/src/outbound-params.js";
-export { type TelegramProbe } from "../../extensions/telegram/src/probe.js";
+  resolveDefaultTelegramAccountId,
+  resolveTelegramAccount,
+  telegramSetupAdapter,
+  telegramSetupWizard,
+  type ResolvedTelegramAccount,
+  type InspectedTelegramAccount,
+  type ProviderInfo,
+  type TelegramProbe,
+  collectTelegramStatusIssues,
+} from "./telegram.js";
 
 // Channel: Signal
 export {
   listSignalAccountIds,
-  resolveDefaultSignalAccountId,
-  resolveSignalAccount,
-  type ResolvedSignalAccount,
-} from "../../extensions/signal/src/accounts.js";
-export { signalSetupWizard } from "../../extensions/signal/src/setup-surface.js";
-export { signalSetupAdapter } from "../../extensions/signal/src/setup-core.js";
-export {
   looksLikeSignalTargetId,
   normalizeSignalMessagingTarget,
-} from "../channels/plugins/normalize/signal.js";
+  resolveDefaultSignalAccountId,
+  resolveSignalAccount,
+  signalSetupAdapter,
+  signalSetupWizard,
+  type ResolvedSignalAccount,
+} from "./signal.js";
 
 // Channel: WhatsApp — WhatsApp-specific exports moved to extensions/whatsapp/src/
 export { isWhatsAppGroupJid, normalizeWhatsAppTarget } from "../whatsapp/normalize.js";
@@ -786,12 +775,13 @@ export { collectBlueBubblesStatusIssues } from "../channels/plugins/status-issue
 // Channel: LINE
 export {
   listLineAccountIds,
+  lineSetupAdapter,
+  lineSetupWizard,
   normalizeAccountId as normalizeLineAccountId,
   resolveDefaultLineAccountId,
   resolveLineAccount,
-} from "../line/accounts.js";
-export { lineSetupAdapter, lineSetupWizard } from "../../extensions/line/src/setup-surface.js";
-export { LineConfigSchema } from "../line/config-schema.js";
+  LineConfigSchema,
+} from "./line.js";
 export type {
   LineConfig,
   LineAccountConfig,
@@ -815,7 +805,7 @@ export {
 export type { ProcessedLineMessage } from "../line/markdown-to-line.js";
 
 // Media utilities
-export { loadWebMedia, type WebMediaResult } from "../../extensions/whatsapp/src/media.js";
+export { loadWebMedia, type WebMediaResult } from "./web-media.js";
 
 // Context engine
 export type {
diff --git a/src/plugin-sdk/line.ts b/src/plugin-sdk/line.ts
index 6022c2ea318..c21ee9661fb 100644
--- a/src/plugin-sdk/line.ts
+++ b/src/plugin-sdk/line.ts
@@ -27,6 +27,12 @@ export {
   buildTokenChannelStatusSummary,
 } from "./status-helpers.js";
 
+export {
+  listLineAccountIds,
+  normalizeAccountId,
+  resolveDefaultLineAccountId,
+  resolveLineAccount,
+} from "../line/accounts.js";
 export { lineSetupAdapter } from "../../extensions/line/src/setup-core.js";
 export { lineSetupWizard } from "../../extensions/line/src/setup-surface.js";
 export { LineConfigSchema } from "../line/config-schema.js";
diff --git a/src/plugin-sdk/msteams.ts b/src/plugin-sdk/msteams.ts
index 4a2d12a9ba0..b30e6c6914a 100644
--- a/src/plugin-sdk/msteams.ts
+++ b/src/plugin-sdk/msteams.ts
@@ -96,7 +96,7 @@ export {
 } from "./group-access.js";
 export { formatDocsLink } from "../terminal/links.js";
 export { sleep } from "../utils.js";
-export { loadWebMedia } from "../../extensions/whatsapp/src/media.js";
+export { loadWebMedia } from "./web-media.js";
 export type { WizardPrompter } from "../wizard/prompts.js";
 export { keepHttpServerTaskAlive } from "./channel-lifecycle.js";
 export { withFileLock } from "./file-lock.js";
diff --git a/src/plugin-sdk/outbound-media.ts b/src/plugin-sdk/outbound-media.ts
index b1e89b17866..731ca9d140e 100644
--- a/src/plugin-sdk/outbound-media.ts
+++ b/src/plugin-sdk/outbound-media.ts
@@ -1,4 +1,4 @@
-import { loadWebMedia } from "../../extensions/whatsapp/src/media.js";
+import { loadWebMedia } from "./web-media.js";
 
 export type OutboundMediaLoadOptions = {
   maxBytes?: number;
diff --git a/src/plugin-sdk/signal.ts b/src/plugin-sdk/signal.ts
index f57a046ab03..b407e944e47 100644
--- a/src/plugin-sdk/signal.ts
+++ b/src/plugin-sdk/signal.ts
@@ -3,10 +3,16 @@ export type { ResolvedSignalAccount } from "../../extensions/signal/src/accounts
 export type { SignalAccountConfig } from "../config/types.js";
 export * from "./channel-plugin-common.js";
 export {
+  listEnabledSignalAccounts,
   listSignalAccountIds,
   resolveDefaultSignalAccountId,
   resolveSignalAccount,
 } from "../../extensions/signal/src/accounts.js";
+export { resolveSignalReactionLevel } from "../../extensions/signal/src/reaction-level.js";
+export {
+  removeReactionSignal,
+  sendReactionSignal,
+} from "../../extensions/signal/src/send-reactions.js";
 export {
   looksLikeSignalTargetId,
   normalizeSignalMessagingTarget,
diff --git a/src/plugin-sdk/slack-targets.ts b/src/plugin-sdk/slack-targets.ts
new file mode 100644
index 00000000000..be9ded918cf
--- /dev/null
+++ b/src/plugin-sdk/slack-targets.ts
@@ -0,0 +1,6 @@
+export {
+  parseSlackTarget,
+  resolveSlackChannelId,
+  type SlackTarget,
+  type SlackTargetKind,
+} from "../../extensions/slack/src/targets.js";
diff --git a/src/plugin-sdk/slack.ts b/src/plugin-sdk/slack.ts
index 7e200ab5995..0cbfd236274 100644
--- a/src/plugin-sdk/slack.ts
+++ b/src/plugin-sdk/slack.ts
@@ -4,6 +4,7 @@ export type { InspectedSlackAccount } from "../../extensions/slack/src/account-i
 export type { ResolvedSlackAccount } from "../../extensions/slack/src/accounts.js";
 export * from "./channel-plugin-common.js";
 export {
+  listEnabledSlackAccounts,
   listSlackAccountIds,
   resolveDefaultSlackAccountId,
   resolveSlackAccount,
@@ -24,6 +25,7 @@ export {
   looksLikeSlackTargetId,
   normalizeSlackMessagingTarget,
 } from "../channels/plugins/normalize/slack.js";
+export { parseSlackTarget, resolveSlackChannelId } from "./slack-targets.js";
 export {
   extractSlackToolSend,
   listSlackMessageActions,
diff --git a/src/plugin-sdk/telegram.ts b/src/plugin-sdk/telegram.ts
index 3e6d1df1257..e8e823a6628 100644
--- a/src/plugin-sdk/telegram.ts
+++ b/src/plugin-sdk/telegram.ts
@@ -53,8 +53,25 @@ export {
   parseTelegramReplyToMessageId,
   parseTelegramThreadId,
 } from "../../extensions/telegram/src/outbound-params.js";
+export {
+  isNumericTelegramUserId,
+  normalizeTelegramAllowFromEntry,
+} from "../../extensions/telegram/src/allow-from.js";
+export { fetchTelegramChatId } from "../../extensions/telegram/src/api-fetch.js";
 export { collectTelegramStatusIssues } from "../channels/plugins/status-issues/telegram.js";
 export { sendTelegramPayloadMessages } from "../../extensions/telegram/src/outbound-adapter.js";
+export {
+  buildBrowseProvidersButton,
+  buildModelsKeyboard,
+  buildProviderKeyboard,
+  calculateTotalPages,
+  getModelsPageSize,
+  type ProviderInfo,
+} from "../../extensions/telegram/src/model-buttons.js";
+export {
+  isTelegramExecApprovalApprover,
+  isTelegramExecApprovalClientEnabled,
+} from "../../extensions/telegram/src/exec-approvals.js";
 
 export {
   resolveAllowlistProviderRuntimeGroupPolicy,
diff --git a/src/plugin-sdk/web-media.ts b/src/plugin-sdk/web-media.ts
new file mode 100644
index 00000000000..02194b867b2
--- /dev/null
+++ b/src/plugin-sdk/web-media.ts
@@ -0,0 +1 @@
+export { loadWebMedia, type WebMediaResult } from "../../extensions/whatsapp/src/media.js";
diff --git a/src/security/audit-channel.runtime.ts b/src/security/audit-channel.runtime.ts
index 71fa1cbea6c..867f0a91162 100644
--- a/src/security/audit-channel.runtime.ts
+++ b/src/security/audit-channel.runtime.ts
@@ -6,4 +6,4 @@ export {
 export {
   isNumericTelegramUserId,
   normalizeTelegramAllowFromEntry,
-} from "../../extensions/telegram/src/allow-from.js";
+} from "../plugin-sdk/telegram.js";

From ced20e799791dab4043d2a5d7c1a1f3dbcedebd6 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Mon, 16 Mar 2026 00:54:32 -0700
Subject: [PATCH 110/133] Plugins: add auth choice contracts

---
 .../contracts/auth-choice.contract.test.ts    | 230 ++++++++++++++++++
 1 file changed, 230 insertions(+)
 create mode 100644 src/plugins/contracts/auth-choice.contract.test.ts

diff --git a/src/plugins/contracts/auth-choice.contract.test.ts b/src/plugins/contracts/auth-choice.contract.test.ts
new file mode 100644
index 00000000000..6ffa2a22055
--- /dev/null
+++ b/src/plugins/contracts/auth-choice.contract.test.ts
@@ -0,0 +1,230 @@
+import { afterEach, describe, expect, it, vi } from "vitest";
+import { clearRuntimeAuthProfileStoreSnapshots } from "../../agents/auth-profiles/store.js";
+import { applyAuthChoiceLoadedPluginProvider } from "../../commands/auth-choice.apply.plugin-provider.js";
+import { resolvePreferredProviderForAuthChoice } from "../../commands/auth-choice.preferred-provider.js";
+import type { AuthChoice } from "../../commands/onboard-types.js";
+import {
+  createAuthTestLifecycle,
+  createExitThrowingRuntime,
+  createWizardPrompter,
+  readAuthProfilesForAgent,
+  requireOpenClawAgentDir,
+  setupAuthTestEnv,
+} from "../../commands/test-wizard-helpers.js";
+import { createCapturedPluginRegistration } from "../../test-utils/plugin-registration.js";
+import type { OpenClawPluginApi, ProviderPlugin } from "../types.js";
+
+const loginQwenPortalOAuthMock = vi.hoisted(() => vi.fn());
+const githubCopilotLoginCommandMock = vi.hoisted(() => vi.fn());
+const resolvePluginProvidersMock = vi.hoisted(() => vi.fn<() => ProviderPlugin[]>(() => []));
+const resolveProviderPluginChoiceMock = vi.hoisted(() =>
+  vi.fn<() => { provider: ProviderPlugin; method: ProviderPlugin["auth"][number] } | null>(),
+);
+const runProviderModelSelectedHookMock = vi.hoisted(() => vi.fn(async () => {}));
+
+vi.mock("../../../extensions/qwen-portal-auth/oauth.js", () => ({
+  loginQwenPortalOAuth: loginQwenPortalOAuthMock,
+}));
+
+vi.mock("../../providers/github-copilot-auth.js", () => ({
+  githubCopilotLoginCommand: githubCopilotLoginCommandMock,
+}));
+
+vi.mock("../../commands/auth-choice.apply.plugin-provider.runtime.js", () => ({
+  resolvePluginProviders: (...args: unknown[]) => resolvePluginProvidersMock(...args),
+  resolveProviderPluginChoice: (...args: unknown[]) => resolveProviderPluginChoiceMock(...args),
+  runProviderModelSelectedHook: (...args: unknown[]) => runProviderModelSelectedHookMock(...args),
+}));
+
+type StoredAuthProfile = {
+  type?: string;
+  provider?: string;
+  access?: string;
+  refresh?: string;
+  key?: string;
+  token?: string;
+};
+
+const qwenPortalPlugin = (await import("../../../extensions/qwen-portal-auth/index.js")).default;
+
+function registerProviders(...plugins: Array<{ register(api: OpenClawPluginApi): void }>) {
+  const captured = createCapturedPluginRegistration();
+  for (const plugin of plugins) {
+    plugin.register(captured.api);
+  }
+  return captured.providers;
+}
+
+function requireProvider(providers: ProviderPlugin[], providerId: string) {
+  const provider = providers.find((entry) => entry.id === providerId);
+  if (!provider) {
+    throw new Error(`provider ${providerId} missing`);
+  }
+  return provider;
+}
+
+describe("provider auth-choice contract", () => {
+  const lifecycle = createAuthTestLifecycle([
+    "OPENCLAW_STATE_DIR",
+    "OPENCLAW_AGENT_DIR",
+    "PI_CODING_AGENT_DIR",
+  ]);
+  let activeStateDir: string | null = null;
+
+  async function setupTempState() {
+    if (activeStateDir) {
+      await lifecycle.cleanup();
+    }
+    const env = await setupAuthTestEnv("openclaw-provider-auth-choice-");
+    activeStateDir = env.stateDir;
+    lifecycle.setStateDir(env.stateDir);
+  }
+
+  afterEach(async () => {
+    loginQwenPortalOAuthMock.mockReset();
+    githubCopilotLoginCommandMock.mockReset();
+    resolvePluginProvidersMock.mockReset();
+    resolvePluginProvidersMock.mockReturnValue([]);
+    resolveProviderPluginChoiceMock.mockReset();
+    resolveProviderPluginChoiceMock.mockReturnValue(null);
+    runProviderModelSelectedHookMock.mockReset();
+    clearRuntimeAuthProfileStoreSnapshots();
+    await lifecycle.cleanup();
+    activeStateDir = null;
+  });
+
+  it("maps plugin-backed auth choices through the shared preferred-provider resolver", async () => {
+    const scenarios = [
+      { authChoice: "github-copilot" as const, expectedProvider: "github-copilot" },
+      { authChoice: "qwen-portal" as const, expectedProvider: "qwen-portal" },
+      { authChoice: "minimax-global-oauth" as const, expectedProvider: "minimax-portal" },
+      { authChoice: "modelstudio-api-key" as const, expectedProvider: "modelstudio" },
+      { authChoice: "ollama" as const, expectedProvider: "ollama" },
+      { authChoice: "unknown" as AuthChoice, expectedProvider: undefined },
+    ] as const;
+
+    for (const scenario of scenarios) {
+      await expect(
+        resolvePreferredProviderForAuthChoice({ choice: scenario.authChoice }),
+      ).resolves.toBe(scenario.expectedProvider);
+    }
+  });
+
+  it("applies qwen portal auth choices through the shared plugin-provider path", async () => {
+    await setupTempState();
+    const qwenProvider = requireProvider(registerProviders(qwenPortalPlugin), "qwen-portal");
+    resolvePluginProvidersMock.mockReturnValue([qwenProvider]);
+    resolveProviderPluginChoiceMock.mockReturnValue({
+      provider: qwenProvider,
+      method: qwenProvider.auth[0],
+    });
+    loginQwenPortalOAuthMock.mockResolvedValueOnce({
+      access: "access-token",
+      refresh: "refresh-token",
+      expires: 1_700_000_000_000,
+      resourceUrl: "portal.qwen.ai",
+    });
+
+    const note = vi.fn(async () => {});
+    const result = await applyAuthChoiceLoadedPluginProvider({
+      authChoice: "qwen-portal",
+      config: {},
+      prompter: createWizardPrompter({ note }),
+      runtime: createExitThrowingRuntime(),
+      setDefaultModel: true,
+    });
+
+    expect(result?.config.agents?.defaults?.model).toEqual({
+      primary: "qwen-portal/coder-model",
+    });
+    expect(result?.config.auth?.profiles?.["qwen-portal:default"]).toMatchObject({
+      provider: "qwen-portal",
+      mode: "oauth",
+    });
+    expect(result?.config.models?.providers?.["qwen-portal"]).toMatchObject({
+      baseUrl: "https://portal.qwen.ai/v1",
+      models: [],
+    });
+    expect(note).toHaveBeenCalledWith(
+      "Default model set to qwen-portal/coder-model",
+      "Model configured",
+    );
+
+    const stored = await readAuthProfilesForAgent<{ profiles?: Record<string, StoredAuthProfile> }>(
+      requireOpenClawAgentDir(),
+    );
+    expect(stored.profiles?.["qwen-portal:default"]).toMatchObject({
+      type: "oauth",
+      provider: "qwen-portal",
+      access: "access-token",
+      refresh: "refresh-token",
+    });
+  });
+
+  it("returns provider agent overrides when default-model application is deferred", async () => {
+    await setupTempState();
+    const qwenProvider = requireProvider(registerProviders(qwenPortalPlugin), "qwen-portal");
+    resolvePluginProvidersMock.mockReturnValue([qwenProvider]);
+    resolveProviderPluginChoiceMock.mockReturnValue({
+      provider: qwenProvider,
+      method: qwenProvider.auth[0],
+    });
+    loginQwenPortalOAuthMock.mockResolvedValueOnce({
+      access: "access-token",
+      refresh: "refresh-token",
+      expires: 1_700_000_000_000,
+      resourceUrl: "portal.qwen.ai",
+    });
+
+    const result = await applyAuthChoiceLoadedPluginProvider({
+      authChoice: "qwen-portal",
+      config: {},
+      prompter: createWizardPrompter({}),
+      runtime: createExitThrowingRuntime(),
+      setDefaultModel: false,
+    });
+
+    expect(githubCopilotLoginCommandMock).not.toHaveBeenCalled();
+    expect(result).toEqual({
+      config: {
+        agents: {
+          defaults: {
+            models: {
+              "qwen-portal/coder-model": {
+                alias: "qwen",
+              },
+              "qwen-portal/vision-model": {},
+            },
+          },
+        },
+        auth: {
+          profiles: {
+            "qwen-portal:default": {
+              provider: "qwen-portal",
+              mode: "oauth",
+            },
+          },
+        },
+        models: {
+          providers: {
+            "qwen-portal": {
+              baseUrl: "https://portal.qwen.ai/v1",
+              models: [],
+            },
+          },
+        },
+      },
+      agentModelOverride: "qwen-portal/coder-model",
+    });
+
+    const stored = await readAuthProfilesForAgent<{
+      profiles?: Record<string, StoredAuthProfile>;
+    }>(requireOpenClawAgentDir());
+    expect(stored.profiles?.["qwen-portal:default"]).toMatchObject({
+      type: "oauth",
+      provider: "qwen-portal",
+      access: "access-token",
+      refresh: "refresh-token",
+    });
+  });
+});

From 83ddb0fb4c7793153fab5841a3c80c758ecacb11 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Mon, 16 Mar 2026 00:55:45 -0700
Subject: [PATCH 111/133] Plugins: restore routing seams and discovery fixtures

---
 extensions/discord/src/channel.ts             |  5 ++++
 extensions/imessage/src/channel.ts            |  1 +
 .../contracts/discovery.contract.test.ts      | 26 ++++++++++++++++---
 3 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/extensions/discord/src/channel.ts b/extensions/discord/src/channel.ts
index 13b5d9bb6e8..ac858b9c108 100644
--- a/extensions/discord/src/channel.ts
+++ b/extensions/discord/src/channel.ts
@@ -8,6 +8,11 @@ import {
   createScopedAccountConfigAccessors,
   formatAllowFromLowercase,
 } from "openclaw/plugin-sdk/compat";
+import {
+  buildAgentSessionKey,
+  resolveThreadSessionKeys,
+  type RoutePeer,
+} from "openclaw/plugin-sdk/core";
 import {
   buildComputedAccountStatusSnapshot,
   buildChannelConfigSchema,
diff --git a/extensions/imessage/src/channel.ts b/extensions/imessage/src/channel.ts
index 71526f20564..2d5b0ba9b39 100644
--- a/extensions/imessage/src/channel.ts
+++ b/extensions/imessage/src/channel.ts
@@ -3,6 +3,7 @@ import {
   buildAccountScopedDmSecurityPolicy,
   collectAllowlistProviderRestrictSendersWarnings,
 } from "openclaw/plugin-sdk/compat";
+import { buildAgentSessionKey, type RoutePeer } from "openclaw/plugin-sdk/core";
 import {
   buildChannelConfigSchema,
   collectStatusIssuesFromLastError,
diff --git a/src/plugins/contracts/discovery.contract.test.ts b/src/plugins/contracts/discovery.contract.test.ts
index 6dbc767635d..3fff691b6af 100644
--- a/src/plugins/contracts/discovery.contract.test.ts
+++ b/src/plugins/contracts/discovery.contract.test.ts
@@ -4,6 +4,7 @@ import {
   replaceRuntimeAuthProfileStoreSnapshots,
 } from "../../agents/auth-profiles/store.js";
 import { QWEN_OAUTH_MARKER } from "../../agents/model-auth-markers.js";
+import type { ModelDefinitionConfig } from "../../config/types.models.js";
 import { createCapturedPluginRegistration } from "../../test-utils/plugin-registration.js";
 import { runProviderCatalog } from "../provider-discovery.js";
 import type { OpenClawPluginApi, ProviderPlugin } from "../types.js";
@@ -58,6 +59,23 @@ function requireProvider(providers: ProviderPlugin[], providerId: string) {
   return provider;
 }
 
+function buildTestModel(params: { id: string; name: string }): ModelDefinitionConfig {
+  return {
+    id: params.id,
+    name: params.name,
+    reasoning: false,
+    input: ["text"],
+    cost: {
+      input: 0,
+      output: 0,
+      cacheRead: 0,
+      cacheWrite: 0,
+    },
+    contextWindow: 128_000,
+    maxTokens: 8_192,
+  };
+}
+
 describe("provider discovery contract", () => {
   afterEach(() => {
     resolveCopilotApiTokenMock.mockReset();
@@ -226,7 +244,7 @@ describe("provider discovery contract", () => {
             providers: {
               ollama: {
                 baseUrl: "http://ollama-host:11434/v1/",
-                models: [{ id: "llama3.2", name: "llama3.2" }],
+                models: [buildTestModel({ id: "llama3.2", name: "llama3.2" })],
               },
             },
           },
@@ -234,12 +252,12 @@ describe("provider discovery contract", () => {
         env: {} as NodeJS.ProcessEnv,
         resolveProviderApiKey: () => ({ apiKey: undefined }),
       }),
-    ).resolves.toEqual({
+    ).resolves.toMatchObject({
       provider: {
         baseUrl: "http://ollama-host:11434",
         api: "ollama",
         apiKey: "ollama-local",
-        models: [{ id: "llama3.2", name: "llama3.2" }],
+        models: [expect.objectContaining({ id: "llama3.2", name: "llama3.2" })],
       },
     });
     expect(buildOllamaProviderMock).not.toHaveBeenCalled();
@@ -405,6 +423,7 @@ describe("provider discovery contract", () => {
               "minimax-portal": {
                 baseUrl: "https://portal-proxy.example.com/anthropic",
                 apiKey: "explicit-key",
+                models: [],
               },
             },
           },
@@ -431,6 +450,7 @@ describe("provider discovery contract", () => {
             providers: {
               modelstudio: {
                 baseUrl: "https://coding.dashscope.aliyuncs.com/v1",
+                models: [],
               },
             },
           },

From 7c2863d401291e9ba81ed46cd27806ad8cefa3cc Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Mar 2026 07:59:09 +0000
Subject: [PATCH 112/133] fix: harden bonjour retry recovery

---
 src/infra/bonjour.test.ts | 46 ++++++++++++++++++++++++++++++++++++---
 src/infra/bonjour.ts      | 30 +++++++++++++++++++++----
 2 files changed, 69 insertions(+), 7 deletions(-)

diff --git a/src/infra/bonjour.test.ts b/src/infra/bonjour.test.ts
index d9e438f5cce..b101171782b 100644
--- a/src/infra/bonjour.test.ts
+++ b/src/infra/bonjour.test.ts
@@ -264,14 +264,16 @@ describe("gateway bonjour advertiser", () => {
     await Promise.resolve();
     expect(logWarn).toHaveBeenCalledWith(expect.stringContaining("advertise failed"));
 
-    // watchdog should attempt re-advertise at the 60s interval tick
+    // watchdog first retries, then recreates the advertiser after the service
+    // stays unhealthy across multiple 5s ticks.
     await vi.advanceTimersByTimeAsync(15_000);
-    expect(advertise).toHaveBeenCalledTimes(2);
+    expect(advertise).toHaveBeenCalledTimes(3);
+    expect(createService).toHaveBeenCalledTimes(2);
 
     await started.stop();
 
     await vi.advanceTimersByTimeAsync(60_000);
-    expect(advertise).toHaveBeenCalledTimes(2);
+    expect(advertise).toHaveBeenCalledTimes(3);
   });
 
   it("handles advertise throwing synchronously", async () => {
@@ -338,6 +340,44 @@ describe("gateway bonjour advertiser", () => {
     expect(shutdown).toHaveBeenCalledTimes(2);
   });
 
+  it("treats probing-to-announcing churn as one unhealthy window", async () => {
+    enableAdvertiserUnitMode();
+    vi.useFakeTimers();
+
+    const stateRef = { value: "probing" };
+    let advertiseCount = 0;
+    const destroy = vi.fn().mockResolvedValue(undefined);
+    const advertise = vi.fn().mockImplementation(() => {
+      advertiseCount += 1;
+      if (advertiseCount === 2) {
+        stateRef.value = "announcing";
+      }
+      if (advertiseCount >= 3) {
+        stateRef.value = "announced";
+      }
+      return Promise.resolve();
+    });
+    mockCiaoService({ advertise, destroy, stateRef });
+
+    const started = await startGatewayBonjourAdvertiser({
+      gatewayPort: 18789,
+      sshPort: 2222,
+    });
+
+    expect(createService).toHaveBeenCalledTimes(1);
+    expect(advertise).toHaveBeenCalledTimes(1);
+
+    await vi.advanceTimersByTimeAsync(15_000);
+
+    expect(logWarn).toHaveBeenCalledWith(expect.stringContaining("service stuck in announcing"));
+    expect(createService).toHaveBeenCalledTimes(2);
+    expect(advertise).toHaveBeenCalledTimes(3);
+    expect(destroy).toHaveBeenCalledTimes(1);
+    expect(shutdown).toHaveBeenCalledTimes(1);
+
+    await started.stop();
+  });
+
   it("normalizes hostnames with domains for service names", async () => {
     // Allow advertiser to run in unit tests.
     delete process.env.VITEST;
diff --git a/src/infra/bonjour.ts b/src/infra/bonjour.ts
index 44a0ed99448..c99d45d85f4 100644
--- a/src/infra/bonjour.ts
+++ b/src/infra/bonjour.ts
@@ -90,6 +90,10 @@ function serviceSummary(label: string, svc: BonjourService): string {
   return `${label} fqdn=${fqdn} host=${hostname} port=${port} state=${state}`;
 }
 
+function isAnnouncedState(state: BonjourServiceState | "unknown") {
+  return String(state) === "announced";
+}
+
 export async function startGatewayBonjourAdvertiser(
   opts: GatewayBonjourAdvertiseOpts,
 ): Promise<GatewayBonjourAdvertiser> {
@@ -181,6 +185,20 @@ export async function startGatewayBonjourAdvertiser(
     if (!cycle) {
       return;
     }
+    const responder = cycle.responder as {
+      advertiseService?: (...args: unknown[]) => unknown;
+      announce?: (...args: unknown[]) => unknown;
+      probe?: (...args: unknown[]) => unknown;
+      republishService?: (...args: unknown[]) => unknown;
+    };
+    const noopAsync = async () => {};
+    // ciao schedules its own 2s retry timers after failed probe/announce attempts.
+    // Those callbacks target the original responder instance, so disarm it before
+    // destroy/shutdown to prevent a dead cycle from re-entering advertise/probe.
+    responder.advertiseService = noopAsync;
+    responder.announce = noopAsync;
+    responder.probe = noopAsync;
+    responder.republishService = noopAsync;
     for (const { svc } of cycle.services) {
       try {
         await svc.destroy();
@@ -257,8 +275,12 @@ export async function startGatewayBonjourAdvertiser(
       const nextState: BonjourServiceState | "unknown" =
         typeof svc.serviceState === "string" ? svc.serviceState : "unknown";
       const current = stateTracker.get(label);
-      if (!current || current.state !== nextState) {
-        stateTracker.set(label, { state: nextState, sinceMs: now });
+      const nextEnteredAt =
+        current && !isAnnouncedState(current.state) && !isAnnouncedState(nextState)
+          ? current.sinceMs
+          : now;
+      if (!current || current.state !== nextState || current.sinceMs !== nextEnteredAt) {
+        stateTracker.set(label, { state: nextState, sinceMs: nextEnteredAt });
       }
     }
   };
@@ -299,12 +321,12 @@ export async function startGatewayBonjourAdvertiser(
       }
       const tracked = stateTracker.get(label);
       if (
-        stateUnknown === "announcing" &&
+        stateUnknown !== "announced" &&
         tracked &&
         Date.now() - tracked.sinceMs >= STUCK_ANNOUNCING_MS
       ) {
         void recreateAdvertiser(
-          `service stuck announcing for ${Date.now() - tracked.sinceMs}ms (${serviceSummary(
+          `service stuck in ${stateUnknown} for ${Date.now() - tracked.sinceMs}ms (${serviceSummary(
             label,
             svc,
           )})`,

From 7a09255361b7fb85f0e7a917c53660c8ac7edf71 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Mon, 16 Mar 2026 01:01:27 -0700
Subject: [PATCH 113/133] Runtime: lazy-load channel runtime singletons

---
 src/auto-reply/reply/commands-session.ts | 8 +++++++-
 src/gateway/session-reset-service.ts     | 8 +++++++-
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/src/auto-reply/reply/commands-session.ts b/src/auto-reply/reply/commands-session.ts
index 07f984eb92e..0359c77331b 100644
--- a/src/auto-reply/reply/commands-session.ts
+++ b/src/auto-reply/reply/commands-session.ts
@@ -22,7 +22,12 @@ const SESSION_COMMAND_PREFIX = "/session";
 const SESSION_DURATION_OFF_VALUES = new Set(["off", "disable", "disabled", "none", "0"]);
 const SESSION_ACTION_IDLE = "idle";
 const SESSION_ACTION_MAX_AGE = "max-age";
-const channelRuntime = createPluginRuntime().channel;
+let cachedChannelRuntime: ReturnType<typeof createPluginRuntime>["channel"] | undefined;
+
+function getChannelRuntime() {
+  cachedChannelRuntime ??= createPluginRuntime().channel;
+  return cachedChannelRuntime;
+}
 
 function resolveSessionCommandUsage() {
   return "Usage: /session idle <duration|off> | /session max-age <duration|off> (example: /session idle 24h)";
@@ -373,6 +378,7 @@ export const handleSessionCommand: CommandHandler = async (params, allowTextComm
   const threadId =
     params.ctx.MessageThreadId != null ? String(params.ctx.MessageThreadId).trim() : "";
   const telegramConversationId = onTelegram ? resolveTelegramConversationId(params) : undefined;
+  const channelRuntime = getChannelRuntime();
 
   const discordManager = onDiscord
     ? channelRuntime.discord.threadBindings.getManager(accountId)
diff --git a/src/gateway/session-reset-service.ts b/src/gateway/session-reset-service.ts
index d662d60841b..48066b6e2a7 100644
--- a/src/gateway/session-reset-service.ts
+++ b/src/gateway/session-reset-service.ts
@@ -31,7 +31,12 @@ import {
 } from "./session-utils.js";
 
 const ACP_RUNTIME_CLEANUP_TIMEOUT_MS = 15_000;
-const channelRuntime = createPluginRuntime().channel;
+let cachedChannelRuntime: ReturnType<typeof createPluginRuntime>["channel"] | undefined;
+
+function getChannelRuntime() {
+  cachedChannelRuntime ??= createPluginRuntime().channel;
+  return cachedChannelRuntime;
+}
 
 function stripRuntimeModelState(entry?: SessionEntry): SessionEntry | undefined {
   if (!entry) {
@@ -71,6 +76,7 @@ export async function emitSessionUnboundLifecycleEvent(params: {
   emitHooks?: boolean;
 }) {
   const targetKind = isSubagentSessionKey(params.targetSessionKey) ? "subagent" : "acp";
+  const channelRuntime = getChannelRuntime();
   channelRuntime.discord.threadBindings.unbindBySessionKey({
     targetSessionKey: params.targetSessionKey,
     targetKind,

From f11589b311c5f48dff9fa4b746ca706d53379a86 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Mar 2026 01:05:18 -0700
Subject: [PATCH 114/133] refactor: tighten plugin sdk channel seams

---
 src/auto-reply/reply/commands-acp.test.ts     |  2 +
 src/auto-reply/reply/commands-acp/context.ts  |  2 +-
 src/auto-reply/templating.ts                  |  2 +-
 src/channels/plugins/actions/discord.ts       |  2 +-
 src/channels/plugins/actions/telegram.ts      |  1 +
 src/channels/plugins/bundled.ts               | 88 ++++++++++++++++++
 src/channels/plugins/contracts/registry.ts    | 90 +++++++------------
 src/channels/plugins/normalize/discord.ts     |  2 -
 src/channels/plugins/normalize/telegram.ts    |  1 -
 src/channels/plugins/normalize/whatsapp.ts    | 27 +++++-
 src/channels/plugins/setup-registry.ts        | 24 +----
 src/channels/plugins/status-issues/discord.ts |  2 -
 .../plugins/status-issues/telegram.ts         |  1 -
 .../plugins/status-issues/whatsapp.ts         |  2 -
 src/commands/channel-test-helpers.ts          | 22 ++---
 src/config/plugin-auto-enable.ts              |  2 +-
 src/config/schema.help.ts                     |  2 +-
 .../explicit-session-key-normalization.ts     |  2 +-
 src/config/types.discord.ts                   |  2 +-
 src/cron/isolated-agent/delivery-target.ts    |  2 +-
 src/plugin-sdk/account-resolution.ts          |  2 +
 src/plugin-sdk/agent-media-payload.ts         |  1 +
 src/plugin-sdk/allow-from.ts                  |  4 +
 src/plugin-sdk/allowlist-config-edit.ts       |  1 +
 src/plugin-sdk/allowlist-resolution.ts        |  2 +
 src/plugin-sdk/boolean-param.ts               |  1 +
 src/plugin-sdk/channel-config-helpers.ts      | 11 +++
 src/plugin-sdk/channel-lifecycle.ts           |  1 +
 src/plugin-sdk/channel-send-result.ts         |  1 +
 src/plugin-sdk/command-auth.ts                |  3 +
 src/plugin-sdk/config-paths.ts                |  1 +
 src/plugin-sdk/discord-send.ts                |  3 +
 src/plugin-sdk/discord.ts                     | 10 ++-
 src/plugin-sdk/entrypoints.ts                 |  4 +
 src/plugin-sdk/feishu.ts                      |  4 +
 src/plugin-sdk/fetch-auth.ts                  |  1 +
 src/plugin-sdk/file-lock.ts                   |  2 +
 src/plugin-sdk/group-access.ts                |  5 ++
 src/plugin-sdk/inbound-envelope.ts            |  3 +
 src/plugin-sdk/inbound-reply-dispatch.ts      |  4 +
 src/plugin-sdk/json-store.ts                  |  2 +
 src/plugin-sdk/keyed-async-queue.ts           |  1 +
 src/plugin-sdk/oauth-utils.ts                 |  2 +
 src/plugin-sdk/outbound-media.ts              |  1 +
 src/plugin-sdk/pairing-access.ts              |  1 +
 src/plugin-sdk/persistent-dedupe.ts           |  1 +
 src/plugin-sdk/provider-auth-result.ts        |  1 +
 src/plugin-sdk/reply-payload.ts               |  7 ++
 src/plugin-sdk/request-url.ts                 |  1 +
 src/plugin-sdk/resolution-notes.ts            |  1 +
 src/plugin-sdk/run-command.ts                 |  1 +
 src/plugin-sdk/runtime-store.ts               |  1 +
 src/plugin-sdk/runtime.ts                     |  3 +
 src/plugin-sdk/secret-input-schema.ts         |  1 +
 src/plugin-sdk/slack-message-actions.ts       |  1 +
 src/plugin-sdk/ssrf-policy.ts                 |  2 +
 src/plugin-sdk/status-helpers.ts              |  8 ++
 src/plugin-sdk/telegram.ts                    |  5 +-
 src/plugin-sdk/temp-path.ts                   |  2 +
 src/plugin-sdk/text-chunking.ts               |  1 +
 src/plugin-sdk/tool-send.ts                   |  1 +
 src/plugin-sdk/webhook-memory-guards.ts       |  3 +
 src/plugin-sdk/webhook-path.ts                |  2 +
 src/plugin-sdk/webhook-request-guards.ts      |  6 ++
 src/plugin-sdk/webhook-targets.ts             |  9 ++
 src/plugin-sdk/whatsapp.ts                    |  6 ++
 src/plugin-sdk/windows-spawn.ts               |  5 ++
 src/plugins/contracts/auth.contract.test.ts   |  8 +-
 .../contracts/discovery.contract.test.ts      | 11 ++-
 src/plugins/runtime/runtime-discord.ts        |  2 +-
 src/plugins/runtime/runtime-telegram.ts       |  2 +-
 src/plugins/runtime/types-channel.ts          |  4 +-
 72 files changed, 319 insertions(+), 125 deletions(-)
 create mode 100644 src/channels/plugins/bundled.ts
 delete mode 100644 src/channels/plugins/normalize/discord.ts
 delete mode 100644 src/channels/plugins/normalize/telegram.ts
 delete mode 100644 src/channels/plugins/status-issues/discord.ts
 delete mode 100644 src/channels/plugins/status-issues/telegram.ts
 delete mode 100644 src/channels/plugins/status-issues/whatsapp.ts

diff --git a/src/auto-reply/reply/commands-acp.test.ts b/src/auto-reply/reply/commands-acp.test.ts
index e41fbd80ec2..5d732e4b4e6 100644
--- a/src/auto-reply/reply/commands-acp.test.ts
+++ b/src/auto-reply/reply/commands-acp.test.ts
@@ -1,5 +1,6 @@
 import { beforeEach, describe, expect, it, vi } from "vitest";
 import { AcpRuntimeError } from "../../acp/runtime/errors.js";
+import { setDefaultChannelPluginRegistryForTests } from "../../commands/channel-test-helpers.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import type { SessionBindingRecord } from "../../infra/outbound/session-binding-service.js";
 import { INTERNAL_MESSAGE_CHANNEL } from "../../utils/message-channel.js";
@@ -395,6 +396,7 @@ async function runInternalAcpCommand(params: {
 
 describe("/acp command", () => {
   beforeEach(() => {
+    setDefaultChannelPluginRegistryForTests();
     acpManagerTesting.resetAcpSessionManagerForTests();
     hoisted.listAcpSessionEntriesMock.mockReset().mockResolvedValue([]);
     hoisted.callGatewayMock.mockReset().mockResolvedValue({ ok: true });
diff --git a/src/auto-reply/reply/commands-acp/context.ts b/src/auto-reply/reply/commands-acp/context.ts
index fd5eb50ee09..59db08384af 100644
--- a/src/auto-reply/reply/commands-acp/context.ts
+++ b/src/auto-reply/reply/commands-acp/context.ts
@@ -1,4 +1,3 @@
-import { buildFeishuConversationId } from "../../../../extensions/feishu/src/conversation-id.js";
 import {
   buildTelegramTopicConversationId,
   normalizeConversationText,
@@ -7,6 +6,7 @@ import {
 import { DISCORD_THREAD_BINDING_CHANNEL } from "../../../channels/thread-bindings-policy.js";
 import { resolveConversationIdFromTargets } from "../../../infra/outbound/conversation-id.js";
 import { getSessionBindingService } from "../../../infra/outbound/session-binding-service.js";
+import { buildFeishuConversationId } from "../../../plugin-sdk/feishu.js";
 import { parseAgentSessionKey } from "../../../routing/session-key.js";
 import type { HandleCommandsParams } from "../commands-types.js";
 import { parseDiscordParentChannelFromSessionKey } from "../discord-parent-channel.js";
diff --git a/src/auto-reply/templating.ts b/src/auto-reply/templating.ts
index c97584aeae3..a32fdc3ba87 100644
--- a/src/auto-reply/templating.ts
+++ b/src/auto-reply/templating.ts
@@ -1,9 +1,9 @@
-import type { StickerMetadata } from "../../extensions/telegram/src/bot/types.js";
 import type { ChannelId } from "../channels/plugins/types.js";
 import type {
   MediaUnderstandingDecision,
   MediaUnderstandingOutput,
 } from "../media-understanding/types.js";
+import type { StickerMetadata } from "../plugin-sdk/telegram.js";
 import type { InputProvenance } from "../sessions/input-provenance.js";
 import type { InternalMessageChannel } from "../utils/message-channel.js";
 import type { CommandArgs } from "./commands-registry.types.js";
diff --git a/src/channels/plugins/actions/discord.ts b/src/channels/plugins/actions/discord.ts
index 6b8689effb3..ccf1b489035 100644
--- a/src/channels/plugins/actions/discord.ts
+++ b/src/channels/plugins/actions/discord.ts
@@ -1,2 +1,2 @@
-// Shim: re-exports from extension
+// Public entrypoint for the Discord channel action adapter.
 export * from "../../../../extensions/discord/src/channel-actions.js";
diff --git a/src/channels/plugins/actions/telegram.ts b/src/channels/plugins/actions/telegram.ts
index 57a690d2208..7961baf334f 100644
--- a/src/channels/plugins/actions/telegram.ts
+++ b/src/channels/plugins/actions/telegram.ts
@@ -1 +1,2 @@
+// Public entrypoint for the Telegram channel action adapter.
 export * from "../../../../extensions/telegram/src/channel-actions.js";
diff --git a/src/channels/plugins/bundled.ts b/src/channels/plugins/bundled.ts
new file mode 100644
index 00000000000..c7cae53de20
--- /dev/null
+++ b/src/channels/plugins/bundled.ts
@@ -0,0 +1,88 @@
+import { bluebubblesPlugin } from "../../../extensions/bluebubbles/src/channel.js";
+import { discordPlugin } from "../../../extensions/discord/src/channel.js";
+import { discordSetupPlugin } from "../../../extensions/discord/src/channel.setup.js";
+import { setDiscordRuntime } from "../../../extensions/discord/src/runtime.js";
+import { feishuPlugin } from "../../../extensions/feishu/src/channel.js";
+import { googlechatPlugin } from "../../../extensions/googlechat/src/channel.js";
+import { imessagePlugin } from "../../../extensions/imessage/src/channel.js";
+import { imessageSetupPlugin } from "../../../extensions/imessage/src/channel.setup.js";
+import { ircPlugin } from "../../../extensions/irc/src/channel.js";
+import { linePlugin } from "../../../extensions/line/src/channel.js";
+import { lineSetupPlugin } from "../../../extensions/line/src/channel.setup.js";
+import { setLineRuntime } from "../../../extensions/line/src/runtime.js";
+import { matrixPlugin } from "../../../extensions/matrix/src/channel.js";
+import { mattermostPlugin } from "../../../extensions/mattermost/src/channel.js";
+import { msteamsPlugin } from "../../../extensions/msteams/src/channel.js";
+import { nextcloudTalkPlugin } from "../../../extensions/nextcloud-talk/src/channel.js";
+import { nostrPlugin } from "../../../extensions/nostr/src/channel.js";
+import { signalPlugin } from "../../../extensions/signal/src/channel.js";
+import { signalSetupPlugin } from "../../../extensions/signal/src/channel.setup.js";
+import { slackPlugin } from "../../../extensions/slack/src/channel.js";
+import { slackSetupPlugin } from "../../../extensions/slack/src/channel.setup.js";
+import { synologyChatPlugin } from "../../../extensions/synology-chat/src/channel.js";
+import { telegramPlugin } from "../../../extensions/telegram/src/channel.js";
+import { telegramSetupPlugin } from "../../../extensions/telegram/src/channel.setup.js";
+import { setTelegramRuntime } from "../../../extensions/telegram/src/runtime.js";
+import { tlonPlugin } from "../../../extensions/tlon/src/channel.js";
+import { whatsappPlugin } from "../../../extensions/whatsapp/src/channel.js";
+import { whatsappSetupPlugin } from "../../../extensions/whatsapp/src/channel.setup.js";
+import { zaloPlugin } from "../../../extensions/zalo/src/channel.js";
+import { zalouserPlugin } from "../../../extensions/zalouser/src/channel.js";
+import type { ChannelId, ChannelPlugin } from "./types.js";
+
+export const bundledChannelPlugins = [
+  bluebubblesPlugin,
+  discordPlugin,
+  feishuPlugin,
+  googlechatPlugin,
+  imessagePlugin,
+  ircPlugin,
+  linePlugin,
+  matrixPlugin,
+  mattermostPlugin,
+  msteamsPlugin,
+  nextcloudTalkPlugin,
+  nostrPlugin,
+  signalPlugin,
+  slackPlugin,
+  synologyChatPlugin,
+  telegramPlugin,
+  tlonPlugin,
+  whatsappPlugin,
+  zaloPlugin,
+  zalouserPlugin,
+] as ChannelPlugin[];
+
+export const bundledChannelSetupPlugins = [
+  telegramSetupPlugin,
+  whatsappSetupPlugin,
+  discordSetupPlugin,
+  ircPlugin,
+  googlechatPlugin,
+  slackSetupPlugin,
+  signalSetupPlugin,
+  imessageSetupPlugin,
+  lineSetupPlugin,
+] as ChannelPlugin[];
+
+const bundledChannelPluginsById = new Map(
+  bundledChannelPlugins.map((plugin) => [plugin.id, plugin] as const),
+);
+
+export function getBundledChannelPlugin(id: ChannelId): ChannelPlugin | undefined {
+  return bundledChannelPluginsById.get(id);
+}
+
+export function requireBundledChannelPlugin(id: ChannelId): ChannelPlugin {
+  const plugin = getBundledChannelPlugin(id);
+  if (!plugin) {
+    throw new Error(`missing bundled channel plugin: ${id}`);
+  }
+  return plugin;
+}
+
+export const bundledChannelRuntimeSetters = {
+  setDiscordRuntime,
+  setLineRuntime,
+  setTelegramRuntime,
+};
diff --git a/src/channels/plugins/contracts/registry.ts b/src/channels/plugins/contracts/registry.ts
index f5bb1d845e2..567181cef46 100644
--- a/src/channels/plugins/contracts/registry.ts
+++ b/src/channels/plugins/contracts/registry.ts
@@ -1,33 +1,11 @@
 import { expect, vi } from "vitest";
-import { bluebubblesPlugin } from "../../../../extensions/bluebubbles/src/channel.js";
-import { discordPlugin } from "../../../../extensions/discord/src/channel.js";
-import { setDiscordRuntime } from "../../../../extensions/discord/src/runtime.js";
-import { feishuPlugin } from "../../../../extensions/feishu/src/channel.js";
-import { googlechatPlugin } from "../../../../extensions/googlechat/src/channel.js";
-import { imessagePlugin } from "../../../../extensions/imessage/src/channel.js";
-import { ircPlugin } from "../../../../extensions/irc/src/channel.js";
-import { linePlugin } from "../../../../extensions/line/src/channel.js";
-import { setLineRuntime } from "../../../../extensions/line/src/runtime.js";
-import { matrixPlugin } from "../../../../extensions/matrix/src/channel.js";
-import { mattermostPlugin } from "../../../../extensions/mattermost/src/channel.js";
-import { msteamsPlugin } from "../../../../extensions/msteams/src/channel.js";
-import { nextcloudTalkPlugin } from "../../../../extensions/nextcloud-talk/src/channel.js";
-import { nostrPlugin } from "../../../../extensions/nostr/src/channel.js";
-import { signalPlugin } from "../../../../extensions/signal/src/channel.js";
-import { slackPlugin } from "../../../../extensions/slack/src/channel.js";
-import { synologyChatPlugin } from "../../../../extensions/synology-chat/src/channel.js";
-import { telegramPlugin } from "../../../../extensions/telegram/src/channel.js";
-import { setTelegramRuntime } from "../../../../extensions/telegram/src/runtime.js";
-import { tlonPlugin } from "../../../../extensions/tlon/src/channel.js";
-import { whatsappPlugin } from "../../../../extensions/whatsapp/src/channel.js";
-import { zaloPlugin } from "../../../../extensions/zalo/src/channel.js";
-import { zalouserPlugin } from "../../../../extensions/zalouser/src/channel.js";
 import type { OpenClawConfig } from "../../../config/config.js";
 import {
   resolveDefaultLineAccountId,
   resolveLineAccount,
   listLineAccountIds,
 } from "../../../line/accounts.js";
+import { bundledChannelRuntimeSetters, requireBundledChannelPlugin } from "../bundled.js";
 import type { ChannelPlugin } from "../types.js";
 
 type PluginContractEntry = {
@@ -84,7 +62,7 @@ const telegramGetCapabilitiesMock = vi.fn();
 const discordListActionsMock = vi.fn();
 const discordGetCapabilitiesMock = vi.fn();
 
-setTelegramRuntime({
+bundledChannelRuntimeSetters.setTelegramRuntime({
   channel: {
     telegram: {
       messageActions: {
@@ -95,7 +73,7 @@ setTelegramRuntime({
   },
 } as never);
 
-setDiscordRuntime({
+bundledChannelRuntimeSetters.setDiscordRuntime({
   channel: {
     discord: {
       messageActions: {
@@ -106,7 +84,7 @@ setDiscordRuntime({
   },
 } as never);
 
-setLineRuntime({
+bundledChannelRuntimeSetters.setLineRuntime({
   channel: {
     line: {
       listLineAccountIds,
@@ -118,32 +96,32 @@ setLineRuntime({
 } as never);
 
 export const pluginContractRegistry: PluginContractEntry[] = [
-  { id: "bluebubbles", plugin: bluebubblesPlugin },
-  { id: "discord", plugin: discordPlugin },
-  { id: "feishu", plugin: feishuPlugin },
-  { id: "googlechat", plugin: googlechatPlugin },
-  { id: "imessage", plugin: imessagePlugin },
-  { id: "irc", plugin: ircPlugin },
-  { id: "line", plugin: linePlugin },
-  { id: "matrix", plugin: matrixPlugin },
-  { id: "mattermost", plugin: mattermostPlugin },
-  { id: "msteams", plugin: msteamsPlugin },
-  { id: "nextcloud-talk", plugin: nextcloudTalkPlugin },
-  { id: "nostr", plugin: nostrPlugin },
-  { id: "signal", plugin: signalPlugin },
-  { id: "slack", plugin: slackPlugin },
-  { id: "synology-chat", plugin: synologyChatPlugin },
-  { id: "telegram", plugin: telegramPlugin },
-  { id: "tlon", plugin: tlonPlugin },
-  { id: "whatsapp", plugin: whatsappPlugin },
-  { id: "zalo", plugin: zaloPlugin },
-  { id: "zalouser", plugin: zalouserPlugin },
+  { id: "bluebubbles", plugin: requireBundledChannelPlugin("bluebubbles") },
+  { id: "discord", plugin: requireBundledChannelPlugin("discord") },
+  { id: "feishu", plugin: requireBundledChannelPlugin("feishu") },
+  { id: "googlechat", plugin: requireBundledChannelPlugin("googlechat") },
+  { id: "imessage", plugin: requireBundledChannelPlugin("imessage") },
+  { id: "irc", plugin: requireBundledChannelPlugin("irc") },
+  { id: "line", plugin: requireBundledChannelPlugin("line") },
+  { id: "matrix", plugin: requireBundledChannelPlugin("matrix") },
+  { id: "mattermost", plugin: requireBundledChannelPlugin("mattermost") },
+  { id: "msteams", plugin: requireBundledChannelPlugin("msteams") },
+  { id: "nextcloud-talk", plugin: requireBundledChannelPlugin("nextcloud-talk") },
+  { id: "nostr", plugin: requireBundledChannelPlugin("nostr") },
+  { id: "signal", plugin: requireBundledChannelPlugin("signal") },
+  { id: "slack", plugin: requireBundledChannelPlugin("slack") },
+  { id: "synology-chat", plugin: requireBundledChannelPlugin("synology-chat") },
+  { id: "telegram", plugin: requireBundledChannelPlugin("telegram") },
+  { id: "tlon", plugin: requireBundledChannelPlugin("tlon") },
+  { id: "whatsapp", plugin: requireBundledChannelPlugin("whatsapp") },
+  { id: "zalo", plugin: requireBundledChannelPlugin("zalo") },
+  { id: "zalouser", plugin: requireBundledChannelPlugin("zalouser") },
 ];
 
 export const actionContractRegistry: ActionsContractEntry[] = [
   {
     id: "slack",
-    plugin: slackPlugin,
+    plugin: requireBundledChannelPlugin("slack"),
     unsupportedAction: "poll",
     cases: [
       {
@@ -217,7 +195,7 @@ export const actionContractRegistry: ActionsContractEntry[] = [
   },
   {
     id: "mattermost",
-    plugin: mattermostPlugin,
+    plugin: requireBundledChannelPlugin("mattermost"),
     unsupportedAction: "poll",
     cases: [
       {
@@ -265,7 +243,7 @@ export const actionContractRegistry: ActionsContractEntry[] = [
   },
   {
     id: "telegram",
-    plugin: telegramPlugin,
+    plugin: requireBundledChannelPlugin("telegram"),
     cases: [
       {
         name: "forwards runtime-backed Telegram actions and capabilities",
@@ -283,7 +261,7 @@ export const actionContractRegistry: ActionsContractEntry[] = [
   },
   {
     id: "discord",
-    plugin: discordPlugin,
+    plugin: requireBundledChannelPlugin("discord"),
     cases: [
       {
         name: "forwards runtime-backed Discord actions and capabilities",
@@ -304,7 +282,7 @@ export const actionContractRegistry: ActionsContractEntry[] = [
 export const setupContractRegistry: SetupContractEntry[] = [
   {
     id: "slack",
-    plugin: slackPlugin,
+    plugin: requireBundledChannelPlugin("slack"),
     cases: [
       {
         name: "default account stores tokens and enables the channel",
@@ -334,7 +312,7 @@ export const setupContractRegistry: SetupContractEntry[] = [
   },
   {
     id: "mattermost",
-    plugin: mattermostPlugin,
+    plugin: requireBundledChannelPlugin("mattermost"),
     cases: [
       {
         name: "default account stores token and normalized base URL",
@@ -363,7 +341,7 @@ export const setupContractRegistry: SetupContractEntry[] = [
   },
   {
     id: "line",
-    plugin: linePlugin,
+    plugin: requireBundledChannelPlugin("line"),
     cases: [
       {
         name: "default account stores token and secret",
@@ -396,7 +374,7 @@ export const setupContractRegistry: SetupContractEntry[] = [
 export const statusContractRegistry: StatusContractEntry[] = [
   {
     id: "slack",
-    plugin: slackPlugin,
+    plugin: requireBundledChannelPlugin("slack"),
     cases: [
       {
         name: "configured account produces a configured status snapshot",
@@ -424,7 +402,7 @@ export const statusContractRegistry: StatusContractEntry[] = [
   },
   {
     id: "mattermost",
-    plugin: mattermostPlugin,
+    plugin: requireBundledChannelPlugin("mattermost"),
     cases: [
       {
         name: "configured account preserves connectivity details in the snapshot",
@@ -455,7 +433,7 @@ export const statusContractRegistry: StatusContractEntry[] = [
   },
   {
     id: "line",
-    plugin: linePlugin,
+    plugin: requireBundledChannelPlugin("line"),
     cases: [
       {
         name: "configured account produces a webhook status snapshot",
diff --git a/src/channels/plugins/normalize/discord.ts b/src/channels/plugins/normalize/discord.ts
deleted file mode 100644
index e4fcc4e9c00..00000000000
--- a/src/channels/plugins/normalize/discord.ts
+++ /dev/null
@@ -1,2 +0,0 @@
-// Shim: re-exports from extension
-export * from "../../../../extensions/discord/src/normalize.js";
diff --git a/src/channels/plugins/normalize/telegram.ts b/src/channels/plugins/normalize/telegram.ts
deleted file mode 100644
index ab3971ff32b..00000000000
--- a/src/channels/plugins/normalize/telegram.ts
+++ /dev/null
@@ -1 +0,0 @@
-export * from "../../../../extensions/telegram/src/normalize.js";
diff --git a/src/channels/plugins/normalize/whatsapp.ts b/src/channels/plugins/normalize/whatsapp.ts
index 1e464489818..edff8bfe5e1 100644
--- a/src/channels/plugins/normalize/whatsapp.ts
+++ b/src/channels/plugins/normalize/whatsapp.ts
@@ -1,2 +1,25 @@
-// Shim: re-exports from extensions/whatsapp/src/normalize.ts
-export * from "../../../../extensions/whatsapp/src/normalize.js";
+import { normalizeWhatsAppTarget } from "../../../whatsapp/normalize.js";
+import { looksLikeHandleOrPhoneTarget, trimMessagingTarget } from "./shared.js";
+
+export function normalizeWhatsAppMessagingTarget(raw: string): string | undefined {
+  const trimmed = trimMessagingTarget(raw);
+  if (!trimmed) {
+    return undefined;
+  }
+  return normalizeWhatsAppTarget(trimmed) ?? undefined;
+}
+
+export function normalizeWhatsAppAllowFromEntries(allowFrom: Array<string | number>): string[] {
+  return allowFrom
+    .map((entry) => String(entry).trim())
+    .filter((entry): entry is string => Boolean(entry))
+    .map((entry) => (entry === "*" ? entry : normalizeWhatsAppTarget(entry)))
+    .filter((entry): entry is string => Boolean(entry));
+}
+
+export function looksLikeWhatsAppTargetId(raw: string): boolean {
+  return looksLikeHandleOrPhoneTarget({
+    raw,
+    prefixPattern: /^whatsapp:/i,
+  });
+}
diff --git a/src/channels/plugins/setup-registry.ts b/src/channels/plugins/setup-registry.ts
index a8c7212ca1f..bbb82022da9 100644
--- a/src/channels/plugins/setup-registry.ts
+++ b/src/channels/plugins/setup-registry.ts
@@ -1,17 +1,9 @@
-import { discordSetupPlugin } from "../../../extensions/discord/src/channel.setup.js";
-import { googlechatPlugin } from "../../../extensions/googlechat/src/channel.js";
-import { imessageSetupPlugin } from "../../../extensions/imessage/src/channel.setup.js";
-import { ircPlugin } from "../../../extensions/irc/src/channel.js";
-import { lineSetupPlugin } from "../../../extensions/line/src/channel.setup.js";
-import { signalSetupPlugin } from "../../../extensions/signal/src/channel.setup.js";
-import { slackSetupPlugin } from "../../../extensions/slack/src/channel.setup.js";
-import { telegramSetupPlugin } from "../../../extensions/telegram/src/channel.setup.js";
-import { whatsappSetupPlugin } from "../../../extensions/whatsapp/src/channel.setup.js";
 import {
   getActivePluginRegistryVersion,
   requireActivePluginRegistry,
 } from "../../plugins/runtime.js";
 import { CHAT_CHANNEL_ORDER, type ChatChannelId } from "../registry.js";
+import { bundledChannelSetupPlugins } from "./bundled.js";
 import type { ChannelId, ChannelPlugin } from "./types.js";
 
 type CachedChannelSetupPlugins = {
@@ -28,18 +20,6 @@ const EMPTY_CHANNEL_SETUP_CACHE: CachedChannelSetupPlugins = {
 
 let cachedChannelSetupPlugins = EMPTY_CHANNEL_SETUP_CACHE;
 
-const BUNDLED_CHANNEL_SETUP_PLUGINS = [
-  telegramSetupPlugin,
-  whatsappSetupPlugin,
-  discordSetupPlugin,
-  ircPlugin,
-  googlechatPlugin,
-  slackSetupPlugin,
-  signalSetupPlugin,
-  imessageSetupPlugin,
-  lineSetupPlugin,
-] as ChannelPlugin[];
-
 function dedupeSetupPlugins(plugins: ChannelPlugin[]): ChannelPlugin[] {
   const seen = new Set<string>();
   const resolved: ChannelPlugin[] = [];
@@ -77,7 +57,7 @@ function resolveCachedChannelSetupPlugins(): CachedChannelSetupPlugins {
 
   const registryPlugins = (registry.channelSetups ?? []).map((entry) => entry.plugin);
   const sorted = sortChannelSetupPlugins(
-    registryPlugins.length > 0 ? registryPlugins : BUNDLED_CHANNEL_SETUP_PLUGINS,
+    registryPlugins.length > 0 ? registryPlugins : bundledChannelSetupPlugins,
   );
   const byId = new Map<string, ChannelPlugin>();
   for (const plugin of sorted) {
diff --git a/src/channels/plugins/status-issues/discord.ts b/src/channels/plugins/status-issues/discord.ts
deleted file mode 100644
index f42578df1e9..00000000000
--- a/src/channels/plugins/status-issues/discord.ts
+++ /dev/null
@@ -1,2 +0,0 @@
-// Shim: re-exports from extension
-export * from "../../../../extensions/discord/src/status-issues.js";
diff --git a/src/channels/plugins/status-issues/telegram.ts b/src/channels/plugins/status-issues/telegram.ts
deleted file mode 100644
index 26425a07ae4..00000000000
--- a/src/channels/plugins/status-issues/telegram.ts
+++ /dev/null
@@ -1 +0,0 @@
-export * from "../../../../extensions/telegram/src/status-issues.js";
diff --git a/src/channels/plugins/status-issues/whatsapp.ts b/src/channels/plugins/status-issues/whatsapp.ts
deleted file mode 100644
index 45be4231ed2..00000000000
--- a/src/channels/plugins/status-issues/whatsapp.ts
+++ /dev/null
@@ -1,2 +0,0 @@
-// Shim: re-exports from extensions/whatsapp/src/status-issues.ts
-export * from "../../../../extensions/whatsapp/src/status-issues.js";
diff --git a/src/commands/channel-test-helpers.ts b/src/commands/channel-test-helpers.ts
index a76f747b326..38f3621146f 100644
--- a/src/commands/channel-test-helpers.ts
+++ b/src/commands/channel-test-helpers.ts
@@ -1,10 +1,4 @@
-import { discordPlugin } from "../../extensions/discord/src/channel.js";
-import { feishuPlugin } from "../../extensions/feishu/src/channel.js";
-import { imessagePlugin } from "../../extensions/imessage/src/channel.js";
-import { signalPlugin } from "../../extensions/signal/src/channel.js";
-import { slackPlugin } from "../../extensions/slack/src/channel.js";
-import { telegramPlugin } from "../../extensions/telegram/src/channel.js";
-import { whatsappPlugin } from "../../extensions/whatsapp/src/channel.js";
+import { requireBundledChannelPlugin } from "../channels/plugins/bundled.js";
 import { setActivePluginRegistry } from "../plugins/runtime.js";
 import { createTestRegistry } from "../test-utils/channel-plugins.js";
 import { getChannelSetupWizardAdapter } from "./channel-setup/registry.js";
@@ -27,13 +21,13 @@ type PatchedSetupAdapterFields = {
 
 export function setDefaultChannelPluginRegistryForTests(): void {
   const channels = [
-    { pluginId: "discord", plugin: discordPlugin, source: "test" },
-    { pluginId: "feishu", plugin: feishuPlugin, source: "test" },
-    { pluginId: "slack", plugin: slackPlugin, source: "test" },
-    { pluginId: "telegram", plugin: telegramPlugin, source: "test" },
-    { pluginId: "whatsapp", plugin: whatsappPlugin, source: "test" },
-    { pluginId: "signal", plugin: signalPlugin, source: "test" },
-    { pluginId: "imessage", plugin: imessagePlugin, source: "test" },
+    { pluginId: "discord", plugin: requireBundledChannelPlugin("discord"), source: "test" },
+    { pluginId: "feishu", plugin: requireBundledChannelPlugin("feishu"), source: "test" },
+    { pluginId: "slack", plugin: requireBundledChannelPlugin("slack"), source: "test" },
+    { pluginId: "telegram", plugin: requireBundledChannelPlugin("telegram"), source: "test" },
+    { pluginId: "whatsapp", plugin: requireBundledChannelPlugin("whatsapp"), source: "test" },
+    { pluginId: "signal", plugin: requireBundledChannelPlugin("signal"), source: "test" },
+    { pluginId: "imessage", plugin: requireBundledChannelPlugin("imessage"), source: "test" },
   ] as unknown as Parameters<typeof createTestRegistry>[0];
   setActivePluginRegistry(createTestRegistry(channels));
 }
diff --git a/src/config/plugin-auto-enable.ts b/src/config/plugin-auto-enable.ts
index 2a7524b2558..1c93c61c800 100644
--- a/src/config/plugin-auto-enable.ts
+++ b/src/config/plugin-auto-enable.ts
@@ -1,4 +1,3 @@
-import { hasAnyWhatsAppAuth } from "../../extensions/whatsapp/src/accounts.js";
 import { normalizeProviderId } from "../agents/model-selection.js";
 import {
   getChannelPluginCatalogEntry,
@@ -9,6 +8,7 @@ import {
   listChatChannels,
   normalizeChatChannelId,
 } from "../channels/registry.js";
+import { hasAnyWhatsAppAuth } from "../plugin-sdk/whatsapp.js";
 import {
   loadPluginManifestRegistry,
   type PluginManifestRegistry,
diff --git a/src/config/schema.help.ts b/src/config/schema.help.ts
index 46cce98d193..3d93ee58465 100644
--- a/src/config/schema.help.ts
+++ b/src/config/schema.help.ts
@@ -1,7 +1,7 @@
 import {
   DISCORD_DEFAULT_INBOUND_WORKER_TIMEOUT_MS,
   DISCORD_DEFAULT_LISTENER_TIMEOUT_MS,
-} from "../../extensions/discord/src/monitor/timeouts.js";
+} from "../plugin-sdk/discord.js";
 import { MEDIA_AUDIO_FIELD_HELP } from "./media-audio-field-metadata.js";
 import { IRC_FIELD_HELP } from "./schema.irc.js";
 import { describeTalkSilenceTimeoutDefaults } from "./talk-defaults.js";
diff --git a/src/config/sessions/explicit-session-key-normalization.ts b/src/config/sessions/explicit-session-key-normalization.ts
index 984b70487a3..08543e5a6d0 100644
--- a/src/config/sessions/explicit-session-key-normalization.ts
+++ b/src/config/sessions/explicit-session-key-normalization.ts
@@ -1,5 +1,5 @@
-import { normalizeExplicitDiscordSessionKey } from "../../../extensions/discord/src/session-key-normalization.js";
 import type { MsgContext } from "../../auto-reply/templating.js";
+import { normalizeExplicitDiscordSessionKey } from "../../plugin-sdk/discord.js";
 
 type ExplicitSessionKeyNormalizer = (sessionKey: string, ctx: MsgContext) => string;
 type ExplicitSessionKeyNormalizerEntry = {
diff --git a/src/config/types.discord.ts b/src/config/types.discord.ts
index a27fd3f8b45..c9269c6b8fd 100644
--- a/src/config/types.discord.ts
+++ b/src/config/types.discord.ts
@@ -1,4 +1,4 @@
-import type { DiscordPluralKitConfig } from "../../extensions/discord/src/pluralkit.js";
+import type { DiscordPluralKitConfig } from "../plugin-sdk/discord.js";
 import type {
   BlockStreamingChunkConfig,
   BlockStreamingCoalesceConfig,
diff --git a/src/cron/isolated-agent/delivery-target.ts b/src/cron/isolated-agent/delivery-target.ts
index 4a70352e233..e903cd15cab 100644
--- a/src/cron/isolated-agent/delivery-target.ts
+++ b/src/cron/isolated-agent/delivery-target.ts
@@ -1,4 +1,3 @@
-import { resolveWhatsAppAccount } from "../../../extensions/whatsapp/src/accounts.js";
 import type { ChannelId } from "../../channels/plugins/types.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import {
@@ -14,6 +13,7 @@ import {
   resolveSessionDeliveryTarget,
 } from "../../infra/outbound/targets.js";
 import { readChannelAllowFromStoreSync } from "../../pairing/pairing-store.js";
+import { resolveWhatsAppAccount } from "../../plugin-sdk/whatsapp.js";
 import { buildChannelAccountBindings } from "../../routing/bindings.js";
 import { normalizeAccountId, normalizeAgentId } from "../../routing/session-key.js";
 import { normalizeWhatsAppTarget } from "../../whatsapp/normalize.js";
diff --git a/src/plugin-sdk/account-resolution.ts b/src/plugin-sdk/account-resolution.ts
index e25c2cc74cb..4aceec2c945 100644
--- a/src/plugin-sdk/account-resolution.ts
+++ b/src/plugin-sdk/account-resolution.ts
@@ -1,3 +1,4 @@
+/** Resolve an account by id, then fall back to the default account when the primary lacks credentials. */
 export function resolveAccountWithDefaultFallback<TAccount>(params: {
   accountId?: string | null;
   normalizeAccountId: (accountId?: string | null) => string;
@@ -23,6 +24,7 @@ export function resolveAccountWithDefaultFallback<TAccount>(params: {
   return fallback;
 }
 
+/** List normalized configured account ids from a raw channel account record map. */
 export function listConfiguredAccountIds(params: {
   accounts: Record<string, unknown> | undefined;
   normalizeAccountId: (accountId: string) => string;
diff --git a/src/plugin-sdk/agent-media-payload.ts b/src/plugin-sdk/agent-media-payload.ts
index 98d12a8420b..5fa1fb767f5 100644
--- a/src/plugin-sdk/agent-media-payload.ts
+++ b/src/plugin-sdk/agent-media-payload.ts
@@ -7,6 +7,7 @@ export type AgentMediaPayload = {
   MediaTypes?: string[];
 };
 
+/** Convert outbound media descriptors into the legacy agent payload field layout. */
 export function buildAgentMediaPayload(
   mediaList: Array<{ path: string; contentType?: string | null }>,
 ): AgentMediaPayload {
diff --git a/src/plugin-sdk/allow-from.ts b/src/plugin-sdk/allow-from.ts
index 9b43a8ced6d..f03f2427558 100644
--- a/src/plugin-sdk/allow-from.ts
+++ b/src/plugin-sdk/allow-from.ts
@@ -1,3 +1,4 @@
+/** Lowercase and optionally strip prefixes from allowlist entries before sender comparisons. */
 export function formatAllowFromLowercase(params: {
   allowFrom: Array<string | number>;
   stripPrefixRe?: RegExp;
@@ -9,6 +10,7 @@ export function formatAllowFromLowercase(params: {
     .map((entry) => entry.toLowerCase());
 }
 
+/** Normalize allowlist entries through a channel-provided parser or canonicalizer. */
 export function formatNormalizedAllowFromEntries(params: {
   allowFrom: Array<string | number>;
   normalizeEntry: (entry: string) => string | undefined | null;
@@ -20,6 +22,7 @@ export function formatNormalizedAllowFromEntries(params: {
     .filter((entry): entry is string => Boolean(entry));
 }
 
+/** Check whether a sender id matches a simple normalized allowlist with wildcard support. */
 export function isNormalizedSenderAllowed(params: {
   senderId: string | number;
   allowFrom: Array<string | number>;
@@ -45,6 +48,7 @@ type ParsedChatAllowTarget =
   | { kind: "chat_identifier"; chatIdentifier: string }
   | { kind: "handle"; handle: string };
 
+/** Match chat-aware allowlist entries against sender, chat id, guid, or identifier fields. */
 export function isAllowedParsedChatSender<TParsed extends ParsedChatAllowTarget>(params: {
   allowFrom: Array<string | number>;
   sender: string;
diff --git a/src/plugin-sdk/allowlist-config-edit.ts b/src/plugin-sdk/allowlist-config-edit.ts
index 4c9f10ec278..c9f2a92e3be 100644
--- a/src/plugin-sdk/allowlist-config-edit.ts
+++ b/src/plugin-sdk/allowlist-config-edit.ts
@@ -183,6 +183,7 @@ function applyAccountScopedAllowlistConfigEdit(params: {
   };
 }
 
+/** Build the default account-scoped allowlist editor used by channel plugins with config-backed lists. */
 export function buildAccountScopedAllowlistConfigEditor(params: {
   channelId: ChannelId;
   normalize: (params: {
diff --git a/src/plugin-sdk/allowlist-resolution.ts b/src/plugin-sdk/allowlist-resolution.ts
index 8e955e422b3..1acf87f4d1c 100644
--- a/src/plugin-sdk/allowlist-resolution.ts
+++ b/src/plugin-sdk/allowlist-resolution.ts
@@ -6,6 +6,7 @@ export type BasicAllowlistResolutionEntry = {
   note?: string;
 };
 
+/** Clone allowlist resolution entries into a plain serializable shape for UI and docs output. */
 export function mapBasicAllowlistResolutionEntries(
   entries: BasicAllowlistResolutionEntry[],
 ): BasicAllowlistResolutionEntry[] {
@@ -18,6 +19,7 @@ export function mapBasicAllowlistResolutionEntries(
   }));
 }
 
+/** Map allowlist inputs sequentially so resolver side effects stay ordered and predictable. */
 export async function mapAllowlistResolutionInputs<T>(params: {
   inputs: string[];
   mapInput: (input: string) => Promise<T> | T;
diff --git a/src/plugin-sdk/boolean-param.ts b/src/plugin-sdk/boolean-param.ts
index 4616eaec3b8..9e583027052 100644
--- a/src/plugin-sdk/boolean-param.ts
+++ b/src/plugin-sdk/boolean-param.ts
@@ -1,3 +1,4 @@
+/** Read loose boolean params from tool input that may arrive as booleans or "true"/"false" strings. */
 export function readBooleanParam(
   params: Record<string, unknown>,
   key: string,
diff --git a/src/plugin-sdk/channel-config-helpers.ts b/src/plugin-sdk/channel-config-helpers.ts
index aa405c4b9b7..564bc86bc68 100644
--- a/src/plugin-sdk/channel-config-helpers.ts
+++ b/src/plugin-sdk/channel-config-helpers.ts
@@ -10,16 +10,19 @@ import type { OpenClawConfig } from "../config/config.js";
 import { normalizeAccountId } from "../routing/session-key.js";
 import { normalizeStringEntries } from "../shared/string-normalization.js";
 
+/** Coerce mixed allowlist config values into plain strings without trimming or deduping. */
 export function mapAllowFromEntries(
   allowFrom: Array<string | number> | null | undefined,
 ): string[] {
   return (allowFrom ?? []).map((entry) => String(entry));
 }
 
+/** Normalize user-facing allowlist entries the same way config and doctor flows expect. */
 export function formatTrimmedAllowFromEntries(allowFrom: Array<string | number>): string[] {
   return normalizeStringEntries(allowFrom);
 }
 
+/** Collapse nullable config scalars into a trimmed optional string. */
 export function resolveOptionalConfigString(
   value: string | number | null | undefined,
 ): string | undefined {
@@ -30,6 +33,7 @@ export function resolveOptionalConfigString(
   return normalized || undefined;
 }
 
+/** Build the shared allowlist/default target adapter surface for account-scoped channel configs. */
 export function createScopedAccountConfigAccessors<ResolvedAccount>(params: {
   resolveAccount: (params: { cfg: OpenClawConfig; accountId?: string | null }) => ResolvedAccount;
   resolveAllowFrom: (account: ResolvedAccount) => Array<string | number> | null | undefined;
@@ -59,6 +63,7 @@ export function createScopedAccountConfigAccessors<ResolvedAccount>(params: {
   };
 }
 
+/** Build the common CRUD/config helpers for channels that store multiple named accounts. */
 export function createScopedChannelConfigBase<
   ResolvedAccount,
   Config extends OpenClawConfig = OpenClawConfig,
@@ -104,6 +109,7 @@ export function createScopedChannelConfigBase<
   };
 }
 
+/** Convert account-specific DM security fields into the shared runtime policy resolver shape. */
 export function createScopedDmSecurityResolver<
   ResolvedAccount extends { accountId?: string | null },
 >(params: {
@@ -143,6 +149,7 @@ export function createScopedDmSecurityResolver<
     });
 }
 
+/** Read the effective WhatsApp allowlist through the active plugin contract. */
 export function resolveWhatsAppConfigAllowFrom(params: {
   cfg: OpenClawConfig;
   accountId?: string | null;
@@ -153,10 +160,12 @@ export function resolveWhatsAppConfigAllowFrom(params: {
     : [];
 }
 
+/** Format WhatsApp allowlist entries with the same normalization used by the channel plugin. */
 export function formatWhatsAppConfigAllowFromEntries(allowFrom: Array<string | number>): string[] {
   return normalizeWhatsAppAllowFromEntries(allowFrom);
 }
 
+/** Resolve the effective WhatsApp default recipient after account and root config fallback. */
 export function resolveWhatsAppConfigDefaultTo(params: {
   cfg: OpenClawConfig;
   accountId?: string | null;
@@ -167,6 +176,7 @@ export function resolveWhatsAppConfigDefaultTo(params: {
   return (account?.defaultTo ?? root?.defaultTo)?.trim() || undefined;
 }
 
+/** Read iMessage allowlist entries from the active plugin's resolved account view. */
 export function resolveIMessageConfigAllowFrom(params: {
   cfg: OpenClawConfig;
   accountId?: string | null;
@@ -178,6 +188,7 @@ export function resolveIMessageConfigAllowFrom(params: {
   return mapAllowFromEntries(account.config.allowFrom);
 }
 
+/** Resolve the effective iMessage default recipient from the plugin-resolved account config. */
 export function resolveIMessageConfigDefaultTo(params: {
   cfg: OpenClawConfig;
   accountId?: string | null;
diff --git a/src/plugin-sdk/channel-lifecycle.ts b/src/plugin-sdk/channel-lifecycle.ts
index 7d4fea578d5..28045aeb058 100644
--- a/src/plugin-sdk/channel-lifecycle.ts
+++ b/src/plugin-sdk/channel-lifecycle.ts
@@ -11,6 +11,7 @@ type PassiveAccountLifecycleParams<Handle> = {
   onStop?: () => void | Promise<void>;
 };
 
+/** Bind a fixed account id into a status writer so lifecycle code can emit partial snapshots. */
 export function createAccountStatusSink(params: {
   accountId: string;
   setStatus: (next: ChannelAccountSnapshot) => void;
diff --git a/src/plugin-sdk/channel-send-result.ts b/src/plugin-sdk/channel-send-result.ts
index e64ff290fea..b73df6f0448 100644
--- a/src/plugin-sdk/channel-send-result.ts
+++ b/src/plugin-sdk/channel-send-result.ts
@@ -4,6 +4,7 @@ export type ChannelSendRawResult = {
   error?: string | null;
 };
 
+/** Normalize raw channel send results into the shape shared outbound callers expect. */
 export function buildChannelSendResult(channel: string, result: ChannelSendRawResult) {
   return {
     channel,
diff --git a/src/plugin-sdk/command-auth.ts b/src/plugin-sdk/command-auth.ts
index 2e95974cf1f..0a09e0c1dcd 100644
--- a/src/plugin-sdk/command-auth.ts
+++ b/src/plugin-sdk/command-auth.ts
@@ -33,6 +33,7 @@ export type ResolveSenderCommandAuthorizationWithRuntimeParams = Omit<
   runtime: CommandAuthorizationRuntime;
 };
 
+/** Fast-path DM command authorization when only policy and sender allowlist state matter. */
 export function resolveDirectDmAuthorizationOutcome(params: {
   isGroup: boolean;
   dmPolicy: string;
@@ -50,6 +51,7 @@ export function resolveDirectDmAuthorizationOutcome(params: {
   return "allowed";
 }
 
+/** Runtime-backed wrapper around sender command authorization for grouped helper surfaces. */
 export async function resolveSenderCommandAuthorizationWithRuntime(
   params: ResolveSenderCommandAuthorizationWithRuntimeParams,
 ): ReturnType<typeof resolveSenderCommandAuthorization> {
@@ -60,6 +62,7 @@ export async function resolveSenderCommandAuthorizationWithRuntime(
   });
 }
 
+/** Compute effective allowlists and command authorization for one inbound sender. */
 export async function resolveSenderCommandAuthorization(
   params: ResolveSenderCommandAuthorizationParams,
 ): Promise<{
diff --git a/src/plugin-sdk/config-paths.ts b/src/plugin-sdk/config-paths.ts
index 06940f1842a..00c67a3036b 100644
--- a/src/plugin-sdk/config-paths.ts
+++ b/src/plugin-sdk/config-paths.ts
@@ -1,5 +1,6 @@
 import type { OpenClawConfig } from "../config/config.js";
 
+/** Resolve the config path prefix for a channel account, falling back to the root channel section. */
 export function resolveChannelAccountConfigBasePath(params: {
   cfg: OpenClawConfig;
   channelKey: string;
diff --git a/src/plugin-sdk/discord-send.ts b/src/plugin-sdk/discord-send.ts
index d3cdaf38a22..6cca5f9f803 100644
--- a/src/plugin-sdk/discord-send.ts
+++ b/src/plugin-sdk/discord-send.ts
@@ -11,6 +11,7 @@ type DiscordSendMediaOptionInput = DiscordSendOptionInput & {
   mediaLocalRoots?: readonly string[];
 };
 
+/** Build the common Discord send options from SDK-level reply payload fields. */
 export function buildDiscordSendOptions(input: DiscordSendOptionInput) {
   return {
     verbose: false,
@@ -20,6 +21,7 @@ export function buildDiscordSendOptions(input: DiscordSendOptionInput) {
   };
 }
 
+/** Extend the base Discord send options with media-specific fields. */
 export function buildDiscordSendMediaOptions(input: DiscordSendMediaOptionInput) {
   return {
     ...buildDiscordSendOptions(input),
@@ -28,6 +30,7 @@ export function buildDiscordSendMediaOptions(input: DiscordSendMediaOptionInput)
   };
 }
 
+/** Stamp raw Discord send results with the channel id expected by shared outbound flows. */
 export function tagDiscordChannelResult(result: DiscordSendResult) {
   return { channel: "discord" as const, ...result };
 }
diff --git a/src/plugin-sdk/discord.ts b/src/plugin-sdk/discord.ts
index c2060fa4b3e..d9e40370d23 100644
--- a/src/plugin-sdk/discord.ts
+++ b/src/plugin-sdk/discord.ts
@@ -23,9 +23,15 @@ export {
   looksLikeDiscordTargetId,
   normalizeDiscordMessagingTarget,
   normalizeDiscordOutboundTarget,
-} from "../channels/plugins/normalize/discord.js";
+} from "../../extensions/discord/src/normalize.js";
 export { collectDiscordAuditChannelIds } from "../../extensions/discord/src/audit.js";
-export { collectDiscordStatusIssues } from "../channels/plugins/status-issues/discord.js";
+export { collectDiscordStatusIssues } from "../../extensions/discord/src/status-issues.js";
+export {
+  DISCORD_DEFAULT_INBOUND_WORKER_TIMEOUT_MS,
+  DISCORD_DEFAULT_LISTENER_TIMEOUT_MS,
+} from "../../extensions/discord/src/monitor/timeouts.js";
+export { normalizeExplicitDiscordSessionKey } from "../../extensions/discord/src/session-key-normalization.js";
+export type { DiscordPluralKitConfig } from "../../extensions/discord/src/pluralkit.js";
 
 export {
   resolveDefaultGroupPolicy,
diff --git a/src/plugin-sdk/entrypoints.ts b/src/plugin-sdk/entrypoints.ts
index 04b7902de9e..cc337c16fcf 100644
--- a/src/plugin-sdk/entrypoints.ts
+++ b/src/plugin-sdk/entrypoints.ts
@@ -4,18 +4,21 @@ export const pluginSdkEntrypoints = [...pluginSdkEntryList];
 
 export const pluginSdkSubpaths = pluginSdkEntrypoints.filter((entry) => entry !== "index");
 
+/** Map every SDK entrypoint name to its source file path inside the repo. */
 export function buildPluginSdkEntrySources() {
   return Object.fromEntries(
     pluginSdkEntrypoints.map((entry) => [entry, `src/plugin-sdk/${entry}.ts`]),
   );
 }
 
+/** List the public package specifiers that should resolve to plugin SDK entrypoints. */
 export function buildPluginSdkSpecifiers() {
   return pluginSdkEntrypoints.map((entry) =>
     entry === "index" ? "openclaw/plugin-sdk" : `openclaw/plugin-sdk/${entry}`,
   );
 }
 
+/** Build the package.json exports map for all plugin SDK subpaths. */
 export function buildPluginSdkPackageExports() {
   return Object.fromEntries(
     pluginSdkEntrypoints.map((entry) => [
@@ -28,6 +31,7 @@ export function buildPluginSdkPackageExports() {
   );
 }
 
+/** List the dist artifacts expected for every generated plugin SDK entrypoint. */
 export function listPluginSdkDistArtifacts() {
   return pluginSdkEntrypoints.flatMap((entry) => [
     `dist/plugin-sdk/${entry}.js`,
diff --git a/src/plugin-sdk/feishu.ts b/src/plugin-sdk/feishu.ts
index 4a6d8dc6251..ee15823738b 100644
--- a/src/plugin-sdk/feishu.ts
+++ b/src/plugin-sdk/feishu.ts
@@ -76,6 +76,10 @@ export {
   createDefaultChannelRuntimeState,
 } from "./status-helpers.js";
 export { withTempDownloadPath } from "./temp-path.js";
+export {
+  buildFeishuConversationId,
+  parseFeishuConversationId,
+} from "../../extensions/feishu/src/conversation-id.js";
 export {
   createFixedWindowRateLimiter,
   createWebhookAnomalyTracker,
diff --git a/src/plugin-sdk/fetch-auth.ts b/src/plugin-sdk/fetch-auth.ts
index fc04e4aa910..10945bb2a44 100644
--- a/src/plugin-sdk/fetch-auth.ts
+++ b/src/plugin-sdk/fetch-auth.ts
@@ -6,6 +6,7 @@ function isAuthFailureStatus(status: number): boolean {
   return status === 401 || status === 403;
 }
 
+/** Retry a fetch with bearer tokens from the provided scopes when the unauthenticated attempt fails. */
 export async function fetchWithBearerAuthScopeFallback(params: {
   url: string;
   scopes: readonly string[];
diff --git a/src/plugin-sdk/file-lock.ts b/src/plugin-sdk/file-lock.ts
index 98277381868..3870c38fc35 100644
--- a/src/plugin-sdk/file-lock.ts
+++ b/src/plugin-sdk/file-lock.ts
@@ -100,6 +100,7 @@ async function releaseHeldLock(normalizedFile: string): Promise<void> {
   await fs.rm(current.lockPath, { force: true }).catch(() => undefined);
 }
 
+/** Acquire a re-entrant process-local file lock backed by a `.lock` sidecar file. */
 export async function acquireFileLock(
   filePath: string,
   options: FileLockOptions,
@@ -147,6 +148,7 @@ export async function acquireFileLock(
   throw new Error(`file lock timeout for ${normalizedFile}`);
 }
 
+/** Run an async callback while holding a file lock, always releasing the lock afterward. */
 export async function withFileLock<T>(
   filePath: string,
   options: FileLockOptions,
diff --git a/src/plugin-sdk/group-access.ts b/src/plugin-sdk/group-access.ts
index 5a58242338b..bec84b4ba7c 100644
--- a/src/plugin-sdk/group-access.ts
+++ b/src/plugin-sdk/group-access.ts
@@ -40,6 +40,7 @@ export type MatchedGroupAccessDecision = {
   reason: MatchedGroupAccessReason;
 };
 
+/** Downgrade sender-scoped group policy to open mode when no allowlist is configured. */
 export function resolveSenderScopedGroupPolicy(params: {
   groupPolicy: GroupPolicy;
   groupAllowFrom: string[];
@@ -50,6 +51,7 @@ export function resolveSenderScopedGroupPolicy(params: {
   return params.groupAllowFrom.length > 0 ? "allowlist" : "open";
 }
 
+/** Evaluate route-level group access after policy, route match, and enablement checks. */
 export function evaluateGroupRouteAccessForPolicy(params: {
   groupPolicy: GroupPolicy;
   routeAllowlistConfigured: boolean;
@@ -96,6 +98,7 @@ export function evaluateGroupRouteAccessForPolicy(params: {
   };
 }
 
+/** Evaluate generic allowlist match state for channels that compare derived group identifiers. */
 export function evaluateMatchedGroupAccessForPolicy(params: {
   groupPolicy: GroupPolicy;
   allowlistConfigured: boolean;
@@ -142,6 +145,7 @@ export function evaluateMatchedGroupAccessForPolicy(params: {
   };
 }
 
+/** Evaluate sender access for an already-resolved group policy and allowlist. */
 export function evaluateSenderGroupAccessForPolicy(params: {
   groupPolicy: GroupPolicy;
   providerMissingFallbackApplied?: boolean;
@@ -184,6 +188,7 @@ export function evaluateSenderGroupAccessForPolicy(params: {
   };
 }
 
+/** Resolve provider fallback policy first, then evaluate sender access against that result. */
 export function evaluateSenderGroupAccess(params: {
   providerConfigPresent: boolean;
   configuredGroupPolicy?: GroupPolicy;
diff --git a/src/plugin-sdk/inbound-envelope.ts b/src/plugin-sdk/inbound-envelope.ts
index 2a4ff0aaa06..f3662b725c3 100644
--- a/src/plugin-sdk/inbound-envelope.ts
+++ b/src/plugin-sdk/inbound-envelope.ts
@@ -24,6 +24,7 @@ type InboundRouteResolveParams<TConfig, TPeer extends RoutePeerLike> = {
   peer: TPeer;
 };
 
+/** Create an envelope formatter bound to one resolved route and session store. */
 export function createInboundEnvelopeBuilder<TConfig, TEnvelope>(params: {
   cfg: TConfig;
   route: RouteLike;
@@ -54,6 +55,7 @@ export function createInboundEnvelopeBuilder<TConfig, TEnvelope>(params: {
   };
 }
 
+/** Resolve a route first, then return both the route and a formatter for future inbound messages. */
 export function resolveInboundRouteEnvelopeBuilder<
   TConfig,
   TEnvelope,
@@ -111,6 +113,7 @@ type InboundRouteEnvelopeRuntime<
   };
 };
 
+/** Runtime-driven variant of inbound envelope resolution for plugins that already expose grouped helpers. */
 export function resolveInboundRouteEnvelopeBuilderWithRuntime<
   TConfig,
   TEnvelope,
diff --git a/src/plugin-sdk/inbound-reply-dispatch.ts b/src/plugin-sdk/inbound-reply-dispatch.ts
index cf11b3ee451..b2ba466a21c 100644
--- a/src/plugin-sdk/inbound-reply-dispatch.ts
+++ b/src/plugin-sdk/inbound-reply-dispatch.ts
@@ -20,6 +20,7 @@ type DispatchReplyWithBufferedBlockDispatcherFn =
 
 type ReplyDispatchFromConfigOptions = Omit<GetReplyOptions, "onToolResult" | "onBlockReply">;
 
+/** Run `dispatchReplyFromConfig` with a dispatcher that always gets its settled callback. */
 export async function dispatchReplyFromConfigWithSettledDispatcher(params: {
   cfg: OpenClawConfig;
   ctxPayload: FinalizedMsgContext;
@@ -40,6 +41,7 @@ export async function dispatchReplyFromConfigWithSettledDispatcher(params: {
   });
 }
 
+/** Assemble the common inbound reply dispatch dependencies for a resolved route. */
 export function buildInboundReplyDispatchBase(params: {
   cfg: OpenClawConfig;
   channel: string;
@@ -80,6 +82,7 @@ type RecordInboundSessionAndDispatchReplyParams = Parameters<
   typeof recordInboundSessionAndDispatchReply
 >[0];
 
+/** Resolve the shared dispatch base and immediately record + dispatch one inbound reply turn. */
 export async function dispatchInboundReplyWithBase(
   params: BuildInboundReplyDispatchBaseParams &
     Pick<
@@ -97,6 +100,7 @@ export async function dispatchInboundReplyWithBase(
   });
 }
 
+/** Record the inbound session first, then dispatch the reply using normalized outbound delivery. */
 export async function recordInboundSessionAndDispatchReply(params: {
   cfg: OpenClawConfig;
   channel: string;
diff --git a/src/plugin-sdk/json-store.ts b/src/plugin-sdk/json-store.ts
index 5c08be6c561..faff8f64e59 100644
--- a/src/plugin-sdk/json-store.ts
+++ b/src/plugin-sdk/json-store.ts
@@ -2,6 +2,7 @@ import fs from "node:fs";
 import { writeJsonAtomic } from "../infra/json-files.js";
 import { safeParseJson } from "../utils.js";
 
+/** Read JSON from disk and fall back cleanly when the file is missing or invalid. */
 export async function readJsonFileWithFallback<T>(
   filePath: string,
   fallback: T,
@@ -22,6 +23,7 @@ export async function readJsonFileWithFallback<T>(
   }
 }
 
+/** Write JSON with secure file permissions and atomic replacement semantics. */
 export async function writeJsonFileAtomically(filePath: string, value: unknown): Promise<void> {
   await writeJsonAtomic(filePath, value, {
     mode: 0o600,
diff --git a/src/plugin-sdk/keyed-async-queue.ts b/src/plugin-sdk/keyed-async-queue.ts
index 6e79cf35d59..0f07f3c8462 100644
--- a/src/plugin-sdk/keyed-async-queue.ts
+++ b/src/plugin-sdk/keyed-async-queue.ts
@@ -3,6 +3,7 @@ export type KeyedAsyncQueueHooks = {
   onSettle?: () => void;
 };
 
+/** Serialize async work per key while allowing unrelated keys to run concurrently. */
 export function enqueueKeyedTask<T>(params: {
   tails: Map<string, Promise<void>>;
   key: string;
diff --git a/src/plugin-sdk/oauth-utils.ts b/src/plugin-sdk/oauth-utils.ts
index a6465d4d40e..e96a1856946 100644
--- a/src/plugin-sdk/oauth-utils.ts
+++ b/src/plugin-sdk/oauth-utils.ts
@@ -1,11 +1,13 @@
 import { createHash, randomBytes } from "node:crypto";
 
+/** Encode a flat object as application/x-www-form-urlencoded form data. */
 export function toFormUrlEncoded(data: Record<string, string>): string {
   return Object.entries(data)
     .map(([key, value]) => `${encodeURIComponent(key)}=${encodeURIComponent(value)}`)
     .join("&");
 }
 
+/** Generate a PKCE verifier/challenge pair suitable for OAuth authorization flows. */
 export function generatePkceVerifierChallenge(): { verifier: string; challenge: string } {
   const verifier = randomBytes(32).toString("base64url");
   const challenge = createHash("sha256").update(verifier).digest("base64url");
diff --git a/src/plugin-sdk/outbound-media.ts b/src/plugin-sdk/outbound-media.ts
index 731ca9d140e..979f8ac77a3 100644
--- a/src/plugin-sdk/outbound-media.ts
+++ b/src/plugin-sdk/outbound-media.ts
@@ -5,6 +5,7 @@ export type OutboundMediaLoadOptions = {
   mediaLocalRoots?: readonly string[];
 };
 
+/** Load outbound media from a remote URL or approved local path using the shared web-media policy. */
 export async function loadOutboundMediaFromUrl(
   mediaUrl: string,
   options: OutboundMediaLoadOptions = {},
diff --git a/src/plugin-sdk/pairing-access.ts b/src/plugin-sdk/pairing-access.ts
index 31f0cd4d3a7..260f24c89d1 100644
--- a/src/plugin-sdk/pairing-access.ts
+++ b/src/plugin-sdk/pairing-access.ts
@@ -8,6 +8,7 @@ type ScopedUpsertInput = Omit<
   "channel" | "accountId"
 >;
 
+/** Scope pairing store operations to one channel/account pair for plugin-facing helpers. */
 export function createScopedPairingAccess(params: {
   core: PluginRuntime;
   channel: ChannelId;
diff --git a/src/plugin-sdk/persistent-dedupe.ts b/src/plugin-sdk/persistent-dedupe.ts
index 0b33824c795..7a6ea159841 100644
--- a/src/plugin-sdk/persistent-dedupe.ts
+++ b/src/plugin-sdk/persistent-dedupe.ts
@@ -91,6 +91,7 @@ function pruneData(
     });
 }
 
+/** Create a dedupe helper that combines in-memory fast checks with a lock-protected disk store. */
 export function createPersistentDedupe(options: PersistentDedupeOptions): PersistentDedupe {
   const ttlMs = Math.max(0, Math.floor(options.ttlMs));
   const memoryMaxSize = Math.max(0, Math.floor(options.memoryMaxSize));
diff --git a/src/plugin-sdk/provider-auth-result.ts b/src/plugin-sdk/provider-auth-result.ts
index c16c23cc15e..ece6cebb0df 100644
--- a/src/plugin-sdk/provider-auth-result.ts
+++ b/src/plugin-sdk/provider-auth-result.ts
@@ -2,6 +2,7 @@ import type { AuthProfileCredential } from "../agents/auth-profiles/types.js";
 import type { OpenClawConfig } from "../config/config.js";
 import type { ProviderAuthResult } from "../plugins/types.js";
 
+/** Build the standard auth result payload for OAuth-style provider login flows. */
 export function buildOauthProviderAuthResult(params: {
   providerId: string;
   defaultModel: string;
diff --git a/src/plugin-sdk/reply-payload.ts b/src/plugin-sdk/reply-payload.ts
index e141da2a940..a35380f5250 100644
--- a/src/plugin-sdk/reply-payload.ts
+++ b/src/plugin-sdk/reply-payload.ts
@@ -5,6 +5,7 @@ export type OutboundReplyPayload = {
   replyToId?: string;
 };
 
+/** Extract the supported outbound reply fields from loose tool or agent payload objects. */
 export function normalizeOutboundReplyPayload(
   payload: Record<string, unknown>,
 ): OutboundReplyPayload {
@@ -24,6 +25,7 @@ export function normalizeOutboundReplyPayload(
   };
 }
 
+/** Wrap a deliverer so callers can hand it arbitrary payloads while channels receive normalized data. */
 export function createNormalizedOutboundDeliverer(
   handler: (payload: OutboundReplyPayload) => Promise<void>,
 ): (payload: unknown) => Promise<void> {
@@ -36,6 +38,7 @@ export function createNormalizedOutboundDeliverer(
   };
 }
 
+/** Prefer multi-attachment payloads, then fall back to the legacy single-media field. */
 export function resolveOutboundMediaUrls(payload: {
   mediaUrls?: string[];
   mediaUrl?: string;
@@ -49,6 +52,7 @@ export function resolveOutboundMediaUrls(payload: {
   return [];
 }
 
+/** Send media-first payloads intact, or chunk text-only payloads through the caller's transport hooks. */
 export async function sendPayloadWithChunkedTextAndMedia<
   TContext extends { payload: object },
   TResult,
@@ -90,6 +94,7 @@ export async function sendPayloadWithChunkedTextAndMedia<
   return lastResult!;
 }
 
+/** Detect numeric-looking target ids for channels that distinguish ids from handles. */
 export function isNumericTargetId(raw: string): boolean {
   const trimmed = raw.trim();
   if (!trimmed) {
@@ -98,6 +103,7 @@ export function isNumericTargetId(raw: string): boolean {
   return /^\d{3,}$/.test(trimmed);
 }
 
+/** Append attachment links to plain text when the channel cannot send media inline. */
 export function formatTextWithAttachmentLinks(
   text: string | undefined,
   mediaUrls: string[],
@@ -118,6 +124,7 @@ export function formatTextWithAttachmentLinks(
   return `${trimmedText}\n\n${mediaBlock}`;
 }
 
+/** Send a caption with only the first media item, mirroring caption-limited channel transports. */
 export async function sendMediaWithLeadingCaption(params: {
   mediaUrls: string[];
   caption: string;
diff --git a/src/plugin-sdk/request-url.ts b/src/plugin-sdk/request-url.ts
index 2ba7354cc28..a1ce2216276 100644
--- a/src/plugin-sdk/request-url.ts
+++ b/src/plugin-sdk/request-url.ts
@@ -1,3 +1,4 @@
+/** Extract a string URL from the common request-like inputs accepted by fetch helpers. */
 export function resolveRequestUrl(input: RequestInfo | URL): string {
   if (typeof input === "string") {
     return input;
diff --git a/src/plugin-sdk/resolution-notes.ts b/src/plugin-sdk/resolution-notes.ts
index 9baf64c21d4..49b2f9c67e9 100644
--- a/src/plugin-sdk/resolution-notes.ts
+++ b/src/plugin-sdk/resolution-notes.ts
@@ -1,3 +1,4 @@
+/** Format a short note that separates successfully resolved targets from unresolved passthrough values. */
 export function formatResolvedUnresolvedNote(params: {
   resolved: string[];
   unresolved: string[];
diff --git a/src/plugin-sdk/run-command.ts b/src/plugin-sdk/run-command.ts
index 03f0846a57e..7cf626ce8ef 100644
--- a/src/plugin-sdk/run-command.ts
+++ b/src/plugin-sdk/run-command.ts
@@ -13,6 +13,7 @@ export type PluginCommandRunOptions = {
   env?: NodeJS.ProcessEnv;
 };
 
+/** Run a plugin-managed command with timeout handling and normalized stdout/stderr results. */
 export async function runPluginCommandWithTimeout(
   options: PluginCommandRunOptions,
 ): Promise<PluginCommandRunResult> {
diff --git a/src/plugin-sdk/runtime-store.ts b/src/plugin-sdk/runtime-store.ts
index de0d84131e1..67e8bb3644c 100644
--- a/src/plugin-sdk/runtime-store.ts
+++ b/src/plugin-sdk/runtime-store.ts
@@ -1,3 +1,4 @@
+/** Create a tiny mutable runtime slot with strict access when the runtime has not been initialized. */
 export function createPluginRuntimeStore<T>(errorMessage: string): {
   setRuntime: (next: T) => void;
   clearRuntime: () => void;
diff --git a/src/plugin-sdk/runtime.ts b/src/plugin-sdk/runtime.ts
index c438a4e9788..75b6f955dc7 100644
--- a/src/plugin-sdk/runtime.ts
+++ b/src/plugin-sdk/runtime.ts
@@ -6,6 +6,7 @@ type LoggerLike = {
   error: (message: string) => void;
 };
 
+/** Adapt a simple logger into the RuntimeEnv contract used by shared plugin SDK helpers. */
 export function createLoggerBackedRuntime(params: {
   logger: LoggerLike;
   exitError?: (code: number) => Error;
@@ -23,6 +24,7 @@ export function createLoggerBackedRuntime(params: {
   };
 }
 
+/** Reuse an existing runtime when present, otherwise synthesize one from the provided logger. */
 export function resolveRuntimeEnv(params: {
   runtime?: RuntimeEnv;
   logger: LoggerLike;
@@ -31,6 +33,7 @@ export function resolveRuntimeEnv(params: {
   return params.runtime ?? createLoggerBackedRuntime(params);
 }
 
+/** Resolve a runtime that treats exit requests as unsupported errors instead of process termination. */
 export function resolveRuntimeEnvWithUnavailableExit(params: {
   runtime?: RuntimeEnv;
   logger: LoggerLike;
diff --git a/src/plugin-sdk/secret-input-schema.ts b/src/plugin-sdk/secret-input-schema.ts
index 579d80df441..96d5247c767 100644
--- a/src/plugin-sdk/secret-input-schema.ts
+++ b/src/plugin-sdk/secret-input-schema.ts
@@ -7,6 +7,7 @@ import {
   SECRET_PROVIDER_ALIAS_PATTERN,
 } from "../secrets/ref-contract.js";
 
+/** Build the shared zod schema for secret inputs accepted by plugin auth/config surfaces. */
 export function buildSecretInputSchema() {
   const providerSchema = z
     .string()
diff --git a/src/plugin-sdk/slack-message-actions.ts b/src/plugin-sdk/slack-message-actions.ts
index 1dbf597d0bf..ef7a5f12876 100644
--- a/src/plugin-sdk/slack-message-actions.ts
+++ b/src/plugin-sdk/slack-message-actions.ts
@@ -15,6 +15,7 @@ function readSlackBlocksParam(actionParams: Record<string, unknown>) {
   return parseSlackBlocksInput(actionParams.blocks) as Record<string, unknown>[] | undefined;
 }
 
+/** Translate generic channel action requests into Slack-specific tool invocations and payload shapes. */
 export async function handleSlackMessageAction(params: {
   providerId: string;
   ctx: ChannelMessageActionContext;
diff --git a/src/plugin-sdk/ssrf-policy.ts b/src/plugin-sdk/ssrf-policy.ts
index 351938d0456..420f7dfc6b7 100644
--- a/src/plugin-sdk/ssrf-policy.ts
+++ b/src/plugin-sdk/ssrf-policy.ts
@@ -24,6 +24,7 @@ function isHostnameAllowedBySuffixAllowlist(
   return allowlist.some((entry) => normalized === entry || normalized.endsWith(`.${entry}`));
 }
 
+/** Normalize suffix-style host allowlists into lowercase canonical entries with wildcard collapse. */
 export function normalizeHostnameSuffixAllowlist(
   input?: readonly string[],
   defaults?: readonly string[],
@@ -39,6 +40,7 @@ export function normalizeHostnameSuffixAllowlist(
   return Array.from(new Set(normalized));
 }
 
+/** Check whether a URL is HTTPS and its hostname matches the normalized suffix allowlist. */
 export function isHttpsUrlAllowedByHostnameSuffixAllowlist(
   url: string,
   allowlist: readonly string[],
diff --git a/src/plugin-sdk/status-helpers.ts b/src/plugin-sdk/status-helpers.ts
index 42aad35a702..231c438b8ef 100644
--- a/src/plugin-sdk/status-helpers.ts
+++ b/src/plugin-sdk/status-helpers.ts
@@ -9,6 +9,7 @@ type RuntimeLifecycleSnapshot = {
   lastOutboundAt?: number | null;
 };
 
+/** Create the baseline runtime snapshot shape used by channel/account status stores. */
 export function createDefaultChannelRuntimeState<T extends Record<string, unknown>>(
   accountId: string,
   extra?: T,
@@ -29,6 +30,7 @@ export function createDefaultChannelRuntimeState<T extends Record<string, unknow
   };
 }
 
+/** Normalize a channel-level status summary so missing lifecycle fields become explicit nulls. */
 export function buildBaseChannelStatusSummary(snapshot: {
   configured?: boolean | null;
   running?: boolean | null;
@@ -45,6 +47,7 @@ export function buildBaseChannelStatusSummary(snapshot: {
   };
 }
 
+/** Extend the base summary with probe fields while preserving stable null defaults. */
 export function buildProbeChannelStatusSummary<TExtra extends Record<string, unknown>>(
   snapshot: {
     configured?: boolean | null;
@@ -65,6 +68,7 @@ export function buildProbeChannelStatusSummary<TExtra extends Record<string, unk
   };
 }
 
+/** Build the standard per-account status payload from config metadata plus runtime state. */
 export function buildBaseAccountStatusSnapshot(params: {
   account: {
     accountId: string;
@@ -87,6 +91,7 @@ export function buildBaseAccountStatusSnapshot(params: {
   };
 }
 
+/** Convenience wrapper when the caller already has flattened account fields instead of an account object. */
 export function buildComputedAccountStatusSnapshot(params: {
   accountId: string;
   name?: string;
@@ -108,6 +113,7 @@ export function buildComputedAccountStatusSnapshot(params: {
   });
 }
 
+/** Normalize runtime-only account state into the shared status snapshot fields. */
 export function buildRuntimeAccountStatusSnapshot(params: {
   runtime?: RuntimeLifecycleSnapshot | null;
   probe?: unknown;
@@ -122,6 +128,7 @@ export function buildRuntimeAccountStatusSnapshot(params: {
   };
 }
 
+/** Build token-based channel status summaries with optional mode reporting. */
 export function buildTokenChannelStatusSummary(
   snapshot: {
     configured?: boolean | null;
@@ -151,6 +158,7 @@ export function buildTokenChannelStatusSummary(
   };
 }
 
+/** Convert account runtime errors into the generic channel status issue format. */
 export function collectStatusIssuesFromLastError(
   channel: string,
   accounts: Array<{ accountId: string; lastError?: unknown }>,
diff --git a/src/plugin-sdk/telegram.ts b/src/plugin-sdk/telegram.ts
index e8e823a6628..2db97fb74b5 100644
--- a/src/plugin-sdk/telegram.ts
+++ b/src/plugin-sdk/telegram.ts
@@ -48,7 +48,7 @@ export {
 export {
   looksLikeTelegramTargetId,
   normalizeTelegramMessagingTarget,
-} from "../channels/plugins/normalize/telegram.js";
+} from "../../extensions/telegram/src/normalize.js";
 export {
   parseTelegramReplyToMessageId,
   parseTelegramThreadId,
@@ -58,7 +58,7 @@ export {
   normalizeTelegramAllowFromEntry,
 } from "../../extensions/telegram/src/allow-from.js";
 export { fetchTelegramChatId } from "../../extensions/telegram/src/api-fetch.js";
-export { collectTelegramStatusIssues } from "../channels/plugins/status-issues/telegram.js";
+export { collectTelegramStatusIssues } from "../../extensions/telegram/src/status-issues.js";
 export { sendTelegramPayloadMessages } from "../../extensions/telegram/src/outbound-adapter.js";
 export {
   buildBrowseProvidersButton,
@@ -72,6 +72,7 @@ export {
   isTelegramExecApprovalApprover,
   isTelegramExecApprovalClientEnabled,
 } from "../../extensions/telegram/src/exec-approvals.js";
+export type { StickerMetadata } from "../../extensions/telegram/src/bot/types.js";
 
 export {
   resolveAllowlistProviderRuntimeGroupPolicy,
diff --git a/src/plugin-sdk/temp-path.ts b/src/plugin-sdk/temp-path.ts
index c418fe9f664..436377fe5e1 100644
--- a/src/plugin-sdk/temp-path.ts
+++ b/src/plugin-sdk/temp-path.ts
@@ -40,6 +40,7 @@ function isNodeErrorWithCode(err: unknown, code: string): boolean {
   );
 }
 
+/** Build a unique temp file path with sanitized prefix/extension parts. */
 export function buildRandomTempFilePath(params: {
   prefix: string;
   extension?: string;
@@ -58,6 +59,7 @@ export function buildRandomTempFilePath(params: {
   return path.join(resolveTempRoot(params.tmpDir), `${prefix}-${now}-${uuid}${extension}`);
 }
 
+/** Create a temporary download directory, run the callback, then clean it up best-effort. */
 export async function withTempDownloadPath<T>(
   params: {
     prefix: string;
diff --git a/src/plugin-sdk/text-chunking.ts b/src/plugin-sdk/text-chunking.ts
index 47c98c10851..724c651168a 100644
--- a/src/plugin-sdk/text-chunking.ts
+++ b/src/plugin-sdk/text-chunking.ts
@@ -1,5 +1,6 @@
 import { chunkTextByBreakResolver } from "../shared/text-chunking.js";
 
+/** Chunk outbound text while preferring newline boundaries over spaces. */
 export function chunkTextForOutbound(text: string, limit: number): string[] {
   return chunkTextByBreakResolver(text, limit, (window) => {
     const lastNewline = window.lastIndexOf("\n");
diff --git a/src/plugin-sdk/tool-send.ts b/src/plugin-sdk/tool-send.ts
index 835cd688d8a..61ee56fa9ac 100644
--- a/src/plugin-sdk/tool-send.ts
+++ b/src/plugin-sdk/tool-send.ts
@@ -1,3 +1,4 @@
+/** Extract the canonical send target fields from tool arguments when the action matches. */
 export function extractToolSend(
   args: Record<string, unknown>,
   expectedAction = "sendMessage",
diff --git a/src/plugin-sdk/webhook-memory-guards.ts b/src/plugin-sdk/webhook-memory-guards.ts
index 50a43c0b3ab..6b4061cac3b 100644
--- a/src/plugin-sdk/webhook-memory-guards.ts
+++ b/src/plugin-sdk/webhook-memory-guards.ts
@@ -48,6 +48,7 @@ export type WebhookAnomalyTracker = {
   clear: () => void;
 };
 
+/** Create a simple fixed-window rate limiter for in-memory webhook protection. */
 export function createFixedWindowRateLimiter(options: {
   windowMs: number;
   maxRequests: number;
@@ -104,6 +105,7 @@ export function createFixedWindowRateLimiter(options: {
   };
 }
 
+/** Count keyed events in memory with optional TTL pruning and bounded cardinality. */
 export function createBoundedCounter(options: {
   maxTrackedKeys: number;
   ttlMs?: number;
@@ -161,6 +163,7 @@ export function createBoundedCounter(options: {
   };
 }
 
+/** Track repeated webhook failures and emit sampled logs for suspicious request patterns. */
 export function createWebhookAnomalyTracker(options?: {
   maxTrackedKeys?: number;
   ttlMs?: number;
diff --git a/src/plugin-sdk/webhook-path.ts b/src/plugin-sdk/webhook-path.ts
index 41e4bd0ba98..fa68c9e20ee 100644
--- a/src/plugin-sdk/webhook-path.ts
+++ b/src/plugin-sdk/webhook-path.ts
@@ -1,3 +1,4 @@
+/** Normalize webhook paths into the canonical registry form used by route lookup. */
 export function normalizeWebhookPath(raw: string): string {
   const trimmed = raw.trim();
   if (!trimmed) {
@@ -10,6 +11,7 @@ export function normalizeWebhookPath(raw: string): string {
   return withSlash;
 }
 
+/** Resolve the effective webhook path from explicit path, URL, or default fallback. */
 export function resolveWebhookPath(params: {
   webhookPath?: string;
   webhookUrl?: string;
diff --git a/src/plugin-sdk/webhook-request-guards.ts b/src/plugin-sdk/webhook-request-guards.ts
index a45df7c06dd..f181859bc84 100644
--- a/src/plugin-sdk/webhook-request-guards.ts
+++ b/src/plugin-sdk/webhook-request-guards.ts
@@ -81,6 +81,7 @@ function respondWebhookBodyReadError(params: {
   return { ok: false };
 }
 
+/** Create an in-memory limiter that caps concurrent webhook handlers per key. */
 export function createWebhookInFlightLimiter(options?: {
   maxInFlightPerKey?: number;
   maxTrackedKeys?: number;
@@ -127,6 +128,7 @@ export function createWebhookInFlightLimiter(options?: {
   };
 }
 
+/** Detect JSON content types, including structured syntax suffixes like `application/ld+json`. */
 export function isJsonContentType(value: string | string[] | undefined): boolean {
   const first = Array.isArray(value) ? value[0] : value;
   if (!first) {
@@ -136,6 +138,7 @@ export function isJsonContentType(value: string | string[] | undefined): boolean
   return mediaType === "application/json" || Boolean(mediaType?.endsWith("+json"));
 }
 
+/** Apply method, rate-limit, and content-type guards before a webhook handler reads the body. */
 export function applyBasicWebhookRequestGuards(params: {
   req: IncomingMessage;
   res: ServerResponse;
@@ -176,6 +179,7 @@ export function applyBasicWebhookRequestGuards(params: {
   return true;
 }
 
+/** Start the shared webhook request lifecycle and return a release hook for in-flight tracking. */
 export function beginWebhookRequestPipelineOrReject(params: {
   req: IncomingMessage;
   res: ServerResponse;
@@ -226,6 +230,7 @@ export function beginWebhookRequestPipelineOrReject(params: {
   };
 }
 
+/** Read a webhook request body with bounded size/time limits and translate failures into responses. */
 export async function readWebhookBodyOrReject(params: {
   req: IncomingMessage;
   res: ServerResponse;
@@ -260,6 +265,7 @@ export async function readWebhookBodyOrReject(params: {
   }
 }
 
+/** Read and parse a JSON webhook body, rejecting malformed or oversized payloads consistently. */
 export async function readJsonWebhookBodyOrReject(params: {
   req: IncomingMessage;
   res: ServerResponse;
diff --git a/src/plugin-sdk/webhook-targets.ts b/src/plugin-sdk/webhook-targets.ts
index 791f4591101..e3dd9eda01d 100644
--- a/src/plugin-sdk/webhook-targets.ts
+++ b/src/plugin-sdk/webhook-targets.ts
@@ -24,6 +24,7 @@ export type RegisterWebhookPluginRouteOptions = Omit<
   "path" | "fallbackPath"
 >;
 
+/** Register a webhook target and lazily install the matching plugin HTTP route on first use. */
 export function registerWebhookTargetWithPluginRoute<T extends { path: string }>(params: {
   targetsByPath: Map<string, T[]>;
   target: T;
@@ -54,6 +55,7 @@ function getPathTeardownMap<T>(targetsByPath: Map<string, T[]>): Map<string, ()
   return created;
 }
 
+/** Add a normalized target to a path bucket and clean up route state when the last target leaves. */
 export function registerWebhookTarget<T extends { path: string }>(
   targetsByPath: Map<string, T[]>,
   target: T,
@@ -99,6 +101,7 @@ export function registerWebhookTarget<T extends { path: string }>(
   return { target: normalizedTarget, unregister };
 }
 
+/** Resolve all registered webhook targets for the incoming request path. */
 export function resolveWebhookTargets<T>(
   req: IncomingMessage,
   targetsByPath: Map<string, T[]>,
@@ -112,6 +115,7 @@ export function resolveWebhookTargets<T>(
   return { path, targets };
 }
 
+/** Run common webhook guards, then dispatch only when the request path resolves to live targets. */
 export async function withResolvedWebhookRequestPipeline<T>(params: {
   req: IncomingMessage;
   res: ServerResponse;
@@ -183,6 +187,7 @@ function finalizeMatchedWebhookTarget<T>(matched: T | undefined): WebhookTargetM
   return { kind: "single", target: matched };
 }
 
+/** Match exactly one synchronous target or report whether resolution was empty or ambiguous. */
 export function resolveSingleWebhookTarget<T>(
   targets: readonly T[],
   isMatch: (target: T) => boolean,
@@ -201,6 +206,7 @@ export function resolveSingleWebhookTarget<T>(
   return finalizeMatchedWebhookTarget(matched);
 }
 
+/** Async variant of single-target resolution for auth checks that need I/O. */
 export async function resolveSingleWebhookTargetAsync<T>(
   targets: readonly T[],
   isMatch: (target: T) => Promise<boolean>,
@@ -219,6 +225,7 @@ export async function resolveSingleWebhookTargetAsync<T>(
   return finalizeMatchedWebhookTarget(matched);
 }
 
+/** Resolve an authorized target and send the standard unauthorized or ambiguous response on failure. */
 export async function resolveWebhookTargetWithAuthOrReject<T>(params: {
   targets: readonly T[];
   res: ServerResponse;
@@ -234,6 +241,7 @@ export async function resolveWebhookTargetWithAuthOrReject<T>(params: {
   return resolveWebhookTargetMatchOrReject(params, match);
 }
 
+/** Synchronous variant of webhook auth resolution for cheap in-memory match checks. */
 export function resolveWebhookTargetWithAuthOrRejectSync<T>(params: {
   targets: readonly T[];
   res: ServerResponse;
@@ -270,6 +278,7 @@ function resolveWebhookTargetMatchOrReject<T>(
   return null;
 }
 
+/** Reject non-POST webhook requests with the conventional Allow header. */
 export function rejectNonPostWebhookRequest(req: IncomingMessage, res: ServerResponse): boolean {
   if (req.method === "POST") {
     return false;
diff --git a/src/plugin-sdk/whatsapp.ts b/src/plugin-sdk/whatsapp.ts
index e84a60e785c..759a56b080e 100644
--- a/src/plugin-sdk/whatsapp.ts
+++ b/src/plugin-sdk/whatsapp.ts
@@ -26,6 +26,12 @@ export {
   listWhatsAppDirectoryGroupsFromConfig,
   listWhatsAppDirectoryPeersFromConfig,
 } from "../channels/plugins/directory-config.js";
+export {
+  hasAnyWhatsAppAuth,
+  listEnabledWhatsAppAccounts,
+  resolveWhatsAppAccount,
+} from "../../extensions/whatsapp/src/accounts.js";
+export { normalizeWhatsAppAllowFromEntries } from "../channels/plugins/normalize/whatsapp.js";
 export {
   collectAllowlistProviderGroupPolicyWarnings,
   collectOpenGroupPolicyRouteAllowlistWarnings,
diff --git a/src/plugin-sdk/windows-spawn.ts b/src/plugin-sdk/windows-spawn.ts
index 16d24de629a..9a296508165 100644
--- a/src/plugin-sdk/windows-spawn.ts
+++ b/src/plugin-sdk/windows-spawn.ts
@@ -52,6 +52,7 @@ function isFilePath(candidate: string): boolean {
   }
 }
 
+/** Resolve a Windows command name through PATH and PATHEXT so wrapper inspection sees the real file. */
 export function resolveWindowsExecutablePath(command: string, env: NodeJS.ProcessEnv): string {
   if (command.includes("/") || command.includes("\\") || path.isAbsolute(command)) {
     return command;
@@ -188,6 +189,7 @@ function resolveEntrypointFromPackageJson(
   return null;
 }
 
+/** Resolve the safest direct spawn candidate for Windows wrappers, scripts, and binaries. */
 export function resolveWindowsSpawnProgramCandidate(
   params: ResolveWindowsSpawnProgramCandidateParams,
 ): WindowsSpawnProgramCandidate {
@@ -250,6 +252,7 @@ export function resolveWindowsSpawnProgramCandidate(
   };
 }
 
+/** Apply shell-fallback policy when Windows wrapper resolution could not find a direct entrypoint. */
 export function applyWindowsSpawnProgramPolicy(params: {
   candidate: WindowsSpawnProgramCandidate;
   allowShellFallback?: boolean;
@@ -275,6 +278,7 @@ export function applyWindowsSpawnProgramPolicy(params: {
   );
 }
 
+/** Resolve the final Windows spawn program after candidate discovery and fallback policy. */
 export function resolveWindowsSpawnProgram(
   params: ResolveWindowsSpawnProgramParams,
 ): WindowsSpawnProgram {
@@ -285,6 +289,7 @@ export function resolveWindowsSpawnProgram(
   });
 }
 
+/** Combine a resolved Windows spawn program with call-site argv for actual process launch. */
 export function materializeWindowsSpawnProgram(
   program: WindowsSpawnProgram,
   argv: string[],
diff --git a/src/plugins/contracts/auth.contract.test.ts b/src/plugins/contracts/auth.contract.test.ts
index 386c7acb6e7..cca85917c59 100644
--- a/src/plugins/contracts/auth.contract.test.ts
+++ b/src/plugins/contracts/auth.contract.test.ts
@@ -51,7 +51,13 @@ function buildPrompter(): WizardPrompter {
     intro: async () => {},
     outro: async () => {},
     note: async () => {},
-    select: async <T>(params: WizardSelectParams<T>) => params.options[0].value,
+    select: async <T>(params: WizardSelectParams<T>) => {
+      const option = params.options[0];
+      if (!option) {
+        throw new Error("missing select option");
+      }
+      return option.value;
+    },
     multiselect: async <T>(params: WizardMultiSelectParams<T>) => params.initialValues ?? [],
     text: async () => "",
     confirm: async () => false,
diff --git a/src/plugins/contracts/discovery.contract.test.ts b/src/plugins/contracts/discovery.contract.test.ts
index 3fff691b6af..9ca5f1184e6 100644
--- a/src/plugins/contracts/discovery.contract.test.ts
+++ b/src/plugins/contracts/discovery.contract.test.ts
@@ -59,10 +59,10 @@ function requireProvider(providers: ProviderPlugin[], providerId: string) {
   return provider;
 }
 
-function buildTestModel(params: { id: string; name: string }): ModelDefinitionConfig {
+function createModelConfig(id: string, name = id): ModelDefinitionConfig {
   return {
-    id: params.id,
-    name: params.name,
+    id,
+    name,
     reasoning: false,
     input: ["text"],
     cost: {
@@ -75,7 +75,6 @@ function buildTestModel(params: { id: string; name: string }): ModelDefinitionCo
     maxTokens: 8_192,
   };
 }
-
 describe("provider discovery contract", () => {
   afterEach(() => {
     resolveCopilotApiTokenMock.mockReset();
@@ -244,7 +243,7 @@ describe("provider discovery contract", () => {
             providers: {
               ollama: {
                 baseUrl: "http://ollama-host:11434/v1/",
-                models: [buildTestModel({ id: "llama3.2", name: "llama3.2" })],
+                models: [createModelConfig("llama3.2")],
               },
             },
           },
@@ -257,7 +256,7 @@ describe("provider discovery contract", () => {
         baseUrl: "http://ollama-host:11434",
         api: "ollama",
         apiKey: "ollama-local",
-        models: [expect.objectContaining({ id: "llama3.2", name: "llama3.2" })],
+        models: [createModelConfig("llama3.2")],
       },
     });
     expect(buildOllamaProviderMock).not.toHaveBeenCalled();
diff --git a/src/plugins/runtime/runtime-discord.ts b/src/plugins/runtime/runtime-discord.ts
index 1ca7b32bf9b..6aadba32a9a 100644
--- a/src/plugins/runtime/runtime-discord.ts
+++ b/src/plugins/runtime/runtime-discord.ts
@@ -1,4 +1,5 @@
 import { auditDiscordChannelPermissions } from "../../../extensions/discord/src/audit.js";
+import { discordMessageActions } from "../../../extensions/discord/src/channel-actions.js";
 import {
   listDiscordDirectoryGroupsLive,
   listDiscordDirectoryPeersLive,
@@ -29,7 +30,6 @@ import {
   sendTypingDiscord,
   unpinMessageDiscord,
 } from "../../../extensions/discord/src/send.js";
-import { discordMessageActions } from "../../channels/plugins/actions/discord.js";
 import { createDiscordTypingLease } from "./runtime-discord-typing.js";
 import type { PluginRuntimeChannel } from "./types-channel.js";
 
diff --git a/src/plugins/runtime/runtime-telegram.ts b/src/plugins/runtime/runtime-telegram.ts
index 1e6993ef489..9481c718565 100644
--- a/src/plugins/runtime/runtime-telegram.ts
+++ b/src/plugins/runtime/runtime-telegram.ts
@@ -2,6 +2,7 @@ import {
   auditTelegramGroupMembership,
   collectTelegramUnmentionedGroupIds,
 } from "../../../extensions/telegram/src/audit.js";
+import { telegramMessageActions } from "../../../extensions/telegram/src/channel-actions.js";
 import { monitorTelegramProvider } from "../../../extensions/telegram/src/monitor.js";
 import { probeTelegram } from "../../../extensions/telegram/src/probe.js";
 import {
@@ -20,7 +21,6 @@ import {
   setTelegramThreadBindingMaxAgeBySessionKey,
 } from "../../../extensions/telegram/src/thread-bindings.js";
 import { resolveTelegramToken } from "../../../extensions/telegram/src/token.js";
-import { telegramMessageActions } from "../../channels/plugins/actions/telegram.js";
 import { createTelegramTypingLease } from "./runtime-telegram-typing.js";
 import type { PluginRuntimeChannel } from "./types-channel.js";
 
diff --git a/src/plugins/runtime/types-channel.ts b/src/plugins/runtime/types-channel.ts
index b0b5941f24d..f8e6e095ef5 100644
--- a/src/plugins/runtime/types-channel.ts
+++ b/src/plugins/runtime/types-channel.ts
@@ -87,7 +87,7 @@ export type PluginRuntimeChannel = {
     shouldHandleTextCommands: typeof import("../../auto-reply/commands-registry.js").shouldHandleTextCommands;
   };
   discord: {
-    messageActions: typeof import("../../channels/plugins/actions/discord.js").discordMessageActions;
+    messageActions: typeof import("../../../extensions/discord/src/channel-actions.js").discordMessageActions;
     auditChannelPermissions: typeof import("../../../extensions/discord/src/audit.js").auditDiscordChannelPermissions;
     listDirectoryGroupsLive: typeof import("../../../extensions/discord/src/directory-live.js").listDiscordDirectoryGroupsLive;
     listDirectoryPeersLive: typeof import("../../../extensions/discord/src/directory-live.js").listDiscordDirectoryPeersLive;
@@ -147,7 +147,7 @@ export type PluginRuntimeChannel = {
     sendMessageTelegram: typeof import("../../../extensions/telegram/src/send.js").sendMessageTelegram;
     sendPollTelegram: typeof import("../../../extensions/telegram/src/send.js").sendPollTelegram;
     monitorTelegramProvider: typeof import("../../../extensions/telegram/src/monitor.js").monitorTelegramProvider;
-    messageActions: typeof import("../../channels/plugins/actions/telegram.js").telegramMessageActions;
+    messageActions: typeof import("../../../extensions/telegram/src/channel-actions.js").telegramMessageActions;
     threadBindings: {
       setIdleTimeoutBySessionKey: typeof import("../../../extensions/telegram/src/thread-bindings.js").setTelegramThreadBindingIdleTimeoutBySessionKey;
       setMaxAgeBySessionKey: typeof import("../../../extensions/telegram/src/thread-bindings.js").setTelegramThreadBindingMaxAgeBySessionKey;

From a73d6620b3be24007eb1d1bff2cd831e101a8f7f Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Mar 2026 01:17:13 -0700
Subject: [PATCH 115/133] refactor: route remaining channel imports through
 plugin sdk

---
 src/agents/pi-embedded-runner/compact.ts      |  8 +--
 src/agents/pi-embedded-runner/run/attempt.ts  |  8 +--
 src/agents/pi-embedded-runner/run/images.ts   |  2 +-
 src/agents/tools/discord-actions-guild.ts     |  6 +--
 src/agents/tools/discord-actions-messaging.ts | 16 +++---
 .../tools/discord-actions-moderation.ts       |  4 +-
 src/agents/tools/discord-actions-presence.ts  |  2 +-
 src/agents/tools/discord-actions.ts           |  2 +-
 src/agents/tools/image-tool.ts                |  2 +-
 src/agents/tools/media-tool-shared.ts         |  2 +-
 src/agents/tools/pdf-tool.ts                  |  2 +-
 src/agents/tools/slack-actions.ts             | 15 +++---
 src/agents/tools/telegram-actions.ts          | 24 ++++-----
 src/agents/tools/whatsapp-actions.ts          |  2 +-
 src/agents/tools/whatsapp-target-auth.ts      |  2 +-
 src/channel-web.ts                            | 20 +++----
 src/channels/plugins/actions/discord.ts       |  2 +-
 src/channels/plugins/actions/telegram.ts      |  2 +-
 .../plugins/agent-tools/whatsapp-login.ts     |  4 +-
 ...ad-only-account-inspect.discord.runtime.ts |  6 +--
 ...read-only-account-inspect.slack.runtime.ts |  6 +--
 ...d-only-account-inspect.telegram.runtime.ts |  6 +--
 src/cli/deps.test.ts                          | 12 ++---
 src/cli/deps.ts                               | 14 ++---
 src/gateway/server-http.ts                    |  2 +-
 src/plugin-sdk/discord.ts                     | 54 +++++++++++++++++++
 src/plugin-sdk/imessage.ts                    |  1 +
 src/plugin-sdk/signal.ts                      |  1 +
 src/plugin-sdk/slack.ts                       | 20 +++++++
 src/plugin-sdk/telegram.ts                    | 24 +++++++++
 src/plugin-sdk/web-media.ts                   |  7 ++-
 src/plugin-sdk/whatsapp.ts                    | 47 ++++++++++++++++
 32 files changed, 233 insertions(+), 92 deletions(-)

diff --git a/src/agents/pi-embedded-runner/compact.ts b/src/agents/pi-embedded-runner/compact.ts
index 908c323c676..41f681f8de5 100644
--- a/src/agents/pi-embedded-runner/compact.ts
+++ b/src/agents/pi-embedded-runner/compact.ts
@@ -7,9 +7,6 @@ import {
   estimateTokens,
   SessionManager,
 } from "@mariozechner/pi-coding-agent";
-import { resolveSignalReactionLevel } from "../../../extensions/signal/src/reaction-level.js";
-import { resolveTelegramInlineButtonsScope } from "../../../extensions/telegram/src/inline-buttons.js";
-import { resolveTelegramReactionLevel } from "../../../extensions/telegram/src/reaction-level.js";
 import { resolveHeartbeatPrompt } from "../../auto-reply/heartbeat.js";
 import type { ReasoningLevel, ThinkLevel } from "../../auto-reply/thinking.js";
 import { resolveChannelCapabilities } from "../../config/channel-capabilities.js";
@@ -22,6 +19,11 @@ import { createInternalHookEvent, triggerInternalHook } from "../../hooks/intern
 import { getMachineDisplayName } from "../../infra/machine-name.js";
 import { generateSecureToken } from "../../infra/secure-random.js";
 import { getMemorySearchManager } from "../../memory/index.js";
+import { resolveSignalReactionLevel } from "../../plugin-sdk/signal.js";
+import {
+  resolveTelegramInlineButtonsScope,
+  resolveTelegramReactionLevel,
+} from "../../plugin-sdk/telegram.js";
 import { getGlobalHookRunner } from "../../plugins/hook-runner-global.js";
 import { prepareProviderRuntimeAuth } from "../../plugins/provider-runtime.js";
 import { type enqueueCommand, enqueueCommandInLane } from "../../process/command-queue.js";
diff --git a/src/agents/pi-embedded-runner/run/attempt.ts b/src/agents/pi-embedded-runner/run/attempt.ts
index b02e8a59fb8..2194e87f9e0 100644
--- a/src/agents/pi-embedded-runner/run/attempt.ts
+++ b/src/agents/pi-embedded-runner/run/attempt.ts
@@ -7,9 +7,6 @@ import {
   DefaultResourceLoader,
   SessionManager,
 } from "@mariozechner/pi-coding-agent";
-import { resolveSignalReactionLevel } from "../../../../extensions/signal/src/reaction-level.js";
-import { resolveTelegramInlineButtonsScope } from "../../../../extensions/telegram/src/inline-buttons.js";
-import { resolveTelegramReactionLevel } from "../../../../extensions/telegram/src/reaction-level.js";
 import { resolveHeartbeatPrompt } from "../../../auto-reply/heartbeat.js";
 import { resolveChannelCapabilities } from "../../../config/channel-capabilities.js";
 import type { OpenClawConfig } from "../../../config/config.js";
@@ -19,6 +16,11 @@ import {
   ensureGlobalUndiciStreamTimeouts,
 } from "../../../infra/net/undici-global-dispatcher.js";
 import { MAX_IMAGE_BYTES } from "../../../media/constants.js";
+import { resolveSignalReactionLevel } from "../../../plugin-sdk/signal.js";
+import {
+  resolveTelegramInlineButtonsScope,
+  resolveTelegramReactionLevel,
+} from "../../../plugin-sdk/telegram.js";
 import { getGlobalHookRunner } from "../../../plugins/hook-runner-global.js";
 import type {
   PluginHookAgentContext,
diff --git a/src/agents/pi-embedded-runner/run/images.ts b/src/agents/pi-embedded-runner/run/images.ts
index a1899bb99af..193fad8b94e 100644
--- a/src/agents/pi-embedded-runner/run/images.ts
+++ b/src/agents/pi-embedded-runner/run/images.ts
@@ -1,7 +1,7 @@
 import path from "node:path";
 import { fileURLToPath } from "node:url";
 import type { ImageContent } from "@mariozechner/pi-ai";
-import { loadWebMedia } from "../../../../extensions/whatsapp/src/media.js";
+import { loadWebMedia } from "../../../plugin-sdk/web-media.js";
 import { resolveUserPath } from "../../../utils.js";
 import type { ImageSanitizationLimits } from "../../image-sanitization.js";
 import {
diff --git a/src/agents/tools/discord-actions-guild.ts b/src/agents/tools/discord-actions-guild.ts
index 6e08c87a276..fa427d87650 100644
--- a/src/agents/tools/discord-actions-guild.ts
+++ b/src/agents/tools/discord-actions-guild.ts
@@ -1,5 +1,5 @@
 import type { AgentToolResult } from "@mariozechner/pi-agent-core";
-import { getPresence } from "../../../extensions/discord/src/monitor/presence-cache.js";
+import type { DiscordActionConfig } from "../../config/config.js";
 import {
   addRoleDiscord,
   createChannelDiscord,
@@ -19,8 +19,8 @@ import {
   setChannelPermissionDiscord,
   uploadEmojiDiscord,
   uploadStickerDiscord,
-} from "../../../extensions/discord/src/send.js";
-import type { DiscordActionConfig } from "../../config/config.js";
+} from "../../plugin-sdk/discord.js";
+import { getPresence } from "../../plugin-sdk/discord.js";
 import {
   type ActionGate,
   jsonResult,
diff --git a/src/agents/tools/discord-actions-messaging.ts b/src/agents/tools/discord-actions-messaging.ts
index c38f2d7066f..20fdfcc6a02 100644
--- a/src/agents/tools/discord-actions-messaging.ts
+++ b/src/agents/tools/discord-actions-messaging.ts
@@ -1,5 +1,7 @@
 import type { AgentToolResult } from "@mariozechner/pi-agent-core";
-import { readDiscordComponentSpec } from "../../../extensions/discord/src/components.js";
+import type { DiscordActionConfig } from "../../config/config.js";
+import type { OpenClawConfig } from "../../config/config.js";
+import { readBooleanParam } from "../../plugin-sdk/boolean-param.js";
 import {
   createThreadDiscord,
   deleteMessageDiscord,
@@ -21,15 +23,9 @@ import {
   sendStickerDiscord,
   sendVoiceMessageDiscord,
   unpinMessageDiscord,
-} from "../../../extensions/discord/src/send.js";
-import type {
-  DiscordSendComponents,
-  DiscordSendEmbeds,
-} from "../../../extensions/discord/src/send.shared.js";
-import { resolveDiscordChannelId } from "../../../extensions/discord/src/targets.js";
-import type { DiscordActionConfig } from "../../config/config.js";
-import type { OpenClawConfig } from "../../config/config.js";
-import { readBooleanParam } from "../../plugin-sdk/boolean-param.js";
+} from "../../plugin-sdk/discord.js";
+import type { DiscordSendComponents, DiscordSendEmbeds } from "../../plugin-sdk/discord.js";
+import { readDiscordComponentSpec, resolveDiscordChannelId } from "../../plugin-sdk/discord.js";
 import { resolvePollMaxSelections } from "../../polls.js";
 import { withNormalizedTimestamp } from "../date-time.js";
 import { assertMediaNotDataUrl } from "../sandbox-paths.js";
diff --git a/src/agents/tools/discord-actions-moderation.ts b/src/agents/tools/discord-actions-moderation.ts
index 68db19d1d7f..56d7a80d4c9 100644
--- a/src/agents/tools/discord-actions-moderation.ts
+++ b/src/agents/tools/discord-actions-moderation.ts
@@ -1,11 +1,11 @@
 import type { AgentToolResult } from "@mariozechner/pi-agent-core";
+import type { DiscordActionConfig } from "../../config/config.js";
 import {
   banMemberDiscord,
   hasAnyGuildPermissionDiscord,
   kickMemberDiscord,
   timeoutMemberDiscord,
-} from "../../../extensions/discord/src/send.js";
-import type { DiscordActionConfig } from "../../config/config.js";
+} from "../../plugin-sdk/discord.js";
 import { type ActionGate, jsonResult, readStringParam } from "./common.js";
 import {
   isDiscordModerationAction,
diff --git a/src/agents/tools/discord-actions-presence.ts b/src/agents/tools/discord-actions-presence.ts
index 46f476bafec..53c42829bb0 100644
--- a/src/agents/tools/discord-actions-presence.ts
+++ b/src/agents/tools/discord-actions-presence.ts
@@ -1,7 +1,7 @@
 import type { Activity, UpdatePresenceData } from "@buape/carbon/gateway";
 import type { AgentToolResult } from "@mariozechner/pi-agent-core";
-import { getGateway } from "../../../extensions/discord/src/monitor/gateway-registry.js";
 import type { DiscordActionConfig } from "../../config/config.js";
+import { getGateway } from "../../plugin-sdk/discord.js";
 import { type ActionGate, jsonResult, readStringParam } from "./common.js";
 
 const ACTIVITY_TYPE_MAP: Record<string, number> = {
diff --git a/src/agents/tools/discord-actions.ts b/src/agents/tools/discord-actions.ts
index 9b1c57bb240..b953e56cffd 100644
--- a/src/agents/tools/discord-actions.ts
+++ b/src/agents/tools/discord-actions.ts
@@ -1,6 +1,6 @@
 import type { AgentToolResult } from "@mariozechner/pi-agent-core";
-import { createDiscordActionGate } from "../../../extensions/discord/src/accounts.js";
 import type { OpenClawConfig } from "../../config/config.js";
+import { createDiscordActionGate } from "../../plugin-sdk/discord.js";
 import { readStringParam } from "./common.js";
 import { handleDiscordGuildAction } from "./discord-actions-guild.js";
 import { handleDiscordMessagingAction } from "./discord-actions-messaging.js";
diff --git a/src/agents/tools/image-tool.ts b/src/agents/tools/image-tool.ts
index 4a50263cada..402ee0b3eda 100644
--- a/src/agents/tools/image-tool.ts
+++ b/src/agents/tools/image-tool.ts
@@ -1,7 +1,7 @@
 import { type Context, complete } from "@mariozechner/pi-ai";
 import { Type } from "@sinclair/typebox";
-import { loadWebMedia } from "../../../extensions/whatsapp/src/media.js";
 import type { OpenClawConfig } from "../../config/config.js";
+import { loadWebMedia } from "../../plugin-sdk/web-media.js";
 import { resolveUserPath } from "../../utils.js";
 import { isMinimaxVlmModel, isMinimaxVlmProvider, minimaxUnderstandImage } from "../minimax-vlm.js";
 import {
diff --git a/src/agents/tools/media-tool-shared.ts b/src/agents/tools/media-tool-shared.ts
index 8ad943a4b91..56f4a92ca97 100644
--- a/src/agents/tools/media-tool-shared.ts
+++ b/src/agents/tools/media-tool-shared.ts
@@ -1,6 +1,6 @@
 import { type Api, type Model } from "@mariozechner/pi-ai";
-import { getDefaultLocalRoots } from "../../../extensions/whatsapp/src/media.js";
 import type { OpenClawConfig } from "../../config/config.js";
+import { getDefaultLocalRoots } from "../../plugin-sdk/web-media.js";
 import type { ImageModelConfig } from "./image-tool.helpers.js";
 import { getApiKeyForModel, normalizeWorkspaceDir, requireApiKey } from "./tool-runtime.helpers.js";
 
diff --git a/src/agents/tools/pdf-tool.ts b/src/agents/tools/pdf-tool.ts
index 8f229dd7b10..c20bec5936a 100644
--- a/src/agents/tools/pdf-tool.ts
+++ b/src/agents/tools/pdf-tool.ts
@@ -1,8 +1,8 @@
 import { type Context, complete } from "@mariozechner/pi-ai";
 import { Type } from "@sinclair/typebox";
-import { loadWebMediaRaw } from "../../../extensions/whatsapp/src/media.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import { extractPdfContent, type PdfExtractedContent } from "../../media/pdf-extract.js";
+import { loadWebMediaRaw } from "../../plugin-sdk/web-media.js";
 import { resolveUserPath } from "../../utils.js";
 import {
   coerceImageModelConfig,
diff --git a/src/agents/tools/slack-actions.ts b/src/agents/tools/slack-actions.ts
index 5ed58d5960f..e9089cbfdcc 100644
--- a/src/agents/tools/slack-actions.ts
+++ b/src/agents/tools/slack-actions.ts
@@ -1,5 +1,5 @@
 import type { AgentToolResult } from "@mariozechner/pi-agent-core";
-import { resolveSlackAccount } from "../../../extensions/slack/src/accounts.js";
+import type { OpenClawConfig } from "../../config/config.js";
 import {
   deleteSlackMessage,
   downloadSlackFile,
@@ -15,11 +15,14 @@ import {
   removeSlackReaction,
   sendSlackMessage,
   unpinSlackMessage,
-} from "../../../extensions/slack/src/actions.js";
-import { parseSlackBlocksInput } from "../../../extensions/slack/src/blocks-input.js";
-import { recordSlackThreadParticipation } from "../../../extensions/slack/src/sent-thread-cache.js";
-import { parseSlackTarget, resolveSlackChannelId } from "../../../extensions/slack/src/targets.js";
-import type { OpenClawConfig } from "../../config/config.js";
+} from "../../plugin-sdk/slack.js";
+import {
+  parseSlackBlocksInput,
+  parseSlackTarget,
+  recordSlackThreadParticipation,
+  resolveSlackAccount,
+  resolveSlackChannelId,
+} from "../../plugin-sdk/slack.js";
 import { withNormalizedTimestamp } from "../date-time.js";
 import {
   createActionGate,
diff --git a/src/agents/tools/telegram-actions.ts b/src/agents/tools/telegram-actions.ts
index ccfc9d5ae13..d648b1e5f41 100644
--- a/src/agents/tools/telegram-actions.ts
+++ b/src/agents/tools/telegram-actions.ts
@@ -1,17 +1,15 @@
 import type { AgentToolResult } from "@mariozechner/pi-agent-core";
+import type { OpenClawConfig } from "../../config/config.js";
+import { readBooleanParam } from "../../plugin-sdk/boolean-param.js";
 import {
   createTelegramActionGate,
   resolveTelegramPollActionGateState,
-} from "../../../extensions/telegram/src/accounts.js";
-import type {
-  TelegramButtonStyle,
-  TelegramInlineButtons,
-} from "../../../extensions/telegram/src/button-types.js";
+} from "../../plugin-sdk/telegram.js";
+import type { TelegramButtonStyle, TelegramInlineButtons } from "../../plugin-sdk/telegram.js";
 import {
   resolveTelegramInlineButtonsScope,
   resolveTelegramTargetChatType,
-} from "../../../extensions/telegram/src/inline-buttons.js";
-import { resolveTelegramReactionLevel } from "../../../extensions/telegram/src/reaction-level.js";
+} from "../../plugin-sdk/telegram.js";
 import {
   createForumTopicTelegram,
   deleteMessageTelegram,
@@ -21,11 +19,13 @@ import {
   sendMessageTelegram,
   sendPollTelegram,
   sendStickerTelegram,
-} from "../../../extensions/telegram/src/send.js";
-import { getCacheStats, searchStickers } from "../../../extensions/telegram/src/sticker-cache.js";
-import { resolveTelegramToken } from "../../../extensions/telegram/src/token.js";
-import type { OpenClawConfig } from "../../config/config.js";
-import { readBooleanParam } from "../../plugin-sdk/boolean-param.js";
+} from "../../plugin-sdk/telegram.js";
+import {
+  getCacheStats,
+  resolveTelegramReactionLevel,
+  resolveTelegramToken,
+  searchStickers,
+} from "../../plugin-sdk/telegram.js";
 import { resolvePollMaxSelections } from "../../polls.js";
 import {
   jsonResult,
diff --git a/src/agents/tools/whatsapp-actions.ts b/src/agents/tools/whatsapp-actions.ts
index 92332d1b3c5..a84dc0a3d5b 100644
--- a/src/agents/tools/whatsapp-actions.ts
+++ b/src/agents/tools/whatsapp-actions.ts
@@ -1,6 +1,6 @@
 import type { AgentToolResult } from "@mariozechner/pi-agent-core";
-import { sendReactionWhatsApp } from "../../../extensions/whatsapp/src/send.js";
 import type { OpenClawConfig } from "../../config/config.js";
+import { sendReactionWhatsApp } from "../../plugin-sdk/whatsapp.js";
 import { createActionGate, jsonResult, readReactionParams, readStringParam } from "./common.js";
 import { resolveAuthorizedWhatsAppOutboundTarget } from "./whatsapp-target-auth.js";
 
diff --git a/src/agents/tools/whatsapp-target-auth.ts b/src/agents/tools/whatsapp-target-auth.ts
index 569a930d1a5..edc0052fbab 100644
--- a/src/agents/tools/whatsapp-target-auth.ts
+++ b/src/agents/tools/whatsapp-target-auth.ts
@@ -1,5 +1,5 @@
-import { resolveWhatsAppAccount } from "../../../extensions/whatsapp/src/accounts.js";
 import type { OpenClawConfig } from "../../config/config.js";
+import { resolveWhatsAppAccount } from "../../plugin-sdk/whatsapp.js";
 import { resolveWhatsAppOutboundTarget } from "../../whatsapp/resolve-outbound-target.js";
 import { ToolAuthorizationError } from "./common.js";
 
diff --git a/src/channel-web.ts b/src/channel-web.ts
index 99e36ef67bc..e6df4bda0d7 100644
--- a/src/channel-web.ts
+++ b/src/channel-web.ts
@@ -7,19 +7,11 @@ export {
   monitorWebChannel,
   resolveHeartbeatRecipients,
   runWebHeartbeatOnce,
-  type WebChannelStatus,
-  type WebMonitorTuning,
-} from "../extensions/whatsapp/src/auto-reply.js";
-export {
-  extractMediaPlaceholder,
-  extractText,
-  monitorWebInbox,
-  type WebInboundMessage,
-  type WebListenerCloseReason,
-} from "../extensions/whatsapp/src/inbound.js";
-export { loginWeb } from "../extensions/whatsapp/src/login.js";
-export { loadWebMedia, optimizeImageToJpeg } from "../extensions/whatsapp/src/media.js";
-export { sendMessageWhatsApp } from "../extensions/whatsapp/src/send.js";
+} from "./plugin-sdk/whatsapp.js";
+export { extractMediaPlaceholder, extractText, monitorWebInbox } from "./plugin-sdk/whatsapp.js";
+export { loginWeb } from "./plugin-sdk/whatsapp.js";
+export { loadWebMedia, optimizeImageToJpeg } from "./plugin-sdk/whatsapp.js";
+export { sendMessageWhatsApp } from "./plugin-sdk/whatsapp.js";
 export {
   createWaSocket,
   formatError,
@@ -30,4 +22,4 @@ export {
   WA_WEB_AUTH_DIR,
   waitForWaConnection,
   webAuthExists,
-} from "../extensions/whatsapp/src/session.js";
+} from "./plugin-sdk/whatsapp.js";
diff --git a/src/channels/plugins/actions/discord.ts b/src/channels/plugins/actions/discord.ts
index ccf1b489035..4615a88f3c5 100644
--- a/src/channels/plugins/actions/discord.ts
+++ b/src/channels/plugins/actions/discord.ts
@@ -1,2 +1,2 @@
 // Public entrypoint for the Discord channel action adapter.
-export * from "../../../../extensions/discord/src/channel-actions.js";
+export * from "../../../plugin-sdk/discord.js";
diff --git a/src/channels/plugins/actions/telegram.ts b/src/channels/plugins/actions/telegram.ts
index 7961baf334f..e811e757b94 100644
--- a/src/channels/plugins/actions/telegram.ts
+++ b/src/channels/plugins/actions/telegram.ts
@@ -1,2 +1,2 @@
 // Public entrypoint for the Telegram channel action adapter.
-export * from "../../../../extensions/telegram/src/channel-actions.js";
+export * from "../../../plugin-sdk/telegram.js";
diff --git a/src/channels/plugins/agent-tools/whatsapp-login.ts b/src/channels/plugins/agent-tools/whatsapp-login.ts
index 741b40a6fc9..2204225bdda 100644
--- a/src/channels/plugins/agent-tools/whatsapp-login.ts
+++ b/src/channels/plugins/agent-tools/whatsapp-login.ts
@@ -1,2 +1,2 @@
-// Shim: re-exports from extensions/whatsapp/src/agent-tools-login.ts
-export * from "../../../../extensions/whatsapp/src/agent-tools-login.js";
+// Shim: keep legacy import path while the runtime loads the plugin SDK surface.
+export * from "../../../plugin-sdk/whatsapp.js";
diff --git a/src/channels/read-only-account-inspect.discord.runtime.ts b/src/channels/read-only-account-inspect.discord.runtime.ts
index aed3283b7a2..9d2ac6ef427 100644
--- a/src/channels/read-only-account-inspect.discord.runtime.ts
+++ b/src/channels/read-only-account-inspect.discord.runtime.ts
@@ -1,4 +1,2 @@
-export {
-  inspectDiscordAccount,
-  type InspectedDiscordAccount,
-} from "../../extensions/discord/src/account-inspect.js";
+export { inspectDiscordAccount } from "../plugin-sdk/discord.js";
+export type { InspectedDiscordAccount } from "../plugin-sdk/discord.js";
diff --git a/src/channels/read-only-account-inspect.slack.runtime.ts b/src/channels/read-only-account-inspect.slack.runtime.ts
index 6d0e0a10b29..a7526e2ea95 100644
--- a/src/channels/read-only-account-inspect.slack.runtime.ts
+++ b/src/channels/read-only-account-inspect.slack.runtime.ts
@@ -1,4 +1,2 @@
-export {
-  inspectSlackAccount,
-  type InspectedSlackAccount,
-} from "../../extensions/slack/src/account-inspect.js";
+export { inspectSlackAccount } from "../plugin-sdk/slack.js";
+export type { InspectedSlackAccount } from "../plugin-sdk/slack.js";
diff --git a/src/channels/read-only-account-inspect.telegram.runtime.ts b/src/channels/read-only-account-inspect.telegram.runtime.ts
index 07866b9d450..0ab48f2c241 100644
--- a/src/channels/read-only-account-inspect.telegram.runtime.ts
+++ b/src/channels/read-only-account-inspect.telegram.runtime.ts
@@ -1,4 +1,2 @@
-export {
-  inspectTelegramAccount,
-  type InspectedTelegramAccount,
-} from "../../extensions/telegram/src/account-inspect.js";
+export { inspectTelegramAccount } from "../plugin-sdk/telegram.js";
+export type { InspectedTelegramAccount } from "../plugin-sdk/telegram.js";
diff --git a/src/cli/deps.test.ts b/src/cli/deps.test.ts
index f345e1a24bb..64b66313907 100644
--- a/src/cli/deps.test.ts
+++ b/src/cli/deps.test.ts
@@ -19,32 +19,32 @@ const sendFns = vi.hoisted(() => ({
   imessage: vi.fn(async () => ({ messageId: "i1", chatId: "imessage:1" })),
 }));
 
-vi.mock("../channels/web/index.js", () => {
+vi.mock("../plugin-sdk/whatsapp.js", () => {
   moduleLoads.whatsapp();
   return { sendMessageWhatsApp: sendFns.whatsapp };
 });
 
-vi.mock("../../extensions/telegram/src/send.js", () => {
+vi.mock("../plugin-sdk/telegram.js", () => {
   moduleLoads.telegram();
   return { sendMessageTelegram: sendFns.telegram };
 });
 
-vi.mock("../../extensions/discord/src/send.js", () => {
+vi.mock("../plugin-sdk/discord.js", () => {
   moduleLoads.discord();
   return { sendMessageDiscord: sendFns.discord };
 });
 
-vi.mock("../../extensions/slack/src/send.js", () => {
+vi.mock("../plugin-sdk/slack.js", () => {
   moduleLoads.slack();
   return { sendMessageSlack: sendFns.slack };
 });
 
-vi.mock("../../extensions/signal/src/send.js", () => {
+vi.mock("../plugin-sdk/signal.js", () => {
   moduleLoads.signal();
   return { sendMessageSignal: sendFns.signal };
 });
 
-vi.mock("../../extensions/imessage/src/send.js", () => {
+vi.mock("../plugin-sdk/imessage.js", () => {
   moduleLoads.imessage();
   return { sendMessageIMessage: sendFns.imessage };
 });
diff --git a/src/cli/deps.ts b/src/cli/deps.ts
index c9ab341dd18..7ebfbf74f5b 100644
--- a/src/cli/deps.ts
+++ b/src/cli/deps.ts
@@ -35,32 +35,32 @@ export function createDefaultDeps(): CliDeps {
   return {
     whatsapp: createLazySender(
       "whatsapp",
-      () => import("../channels/web/index.js") as Promise<Record<string, unknown>>,
+      () => import("../plugin-sdk/whatsapp.js") as Promise<Record<string, unknown>>,
       "sendMessageWhatsApp",
     ),
     telegram: createLazySender(
       "telegram",
-      () => import("../../extensions/telegram/src/send.js") as Promise<Record<string, unknown>>,
+      () => import("../plugin-sdk/telegram.js") as Promise<Record<string, unknown>>,
       "sendMessageTelegram",
     ),
     discord: createLazySender(
       "discord",
-      () => import("../../extensions/discord/src/send.js") as Promise<Record<string, unknown>>,
+      () => import("../plugin-sdk/discord.js") as Promise<Record<string, unknown>>,
       "sendMessageDiscord",
     ),
     slack: createLazySender(
       "slack",
-      () => import("../../extensions/slack/src/send.js") as Promise<Record<string, unknown>>,
+      () => import("../plugin-sdk/slack.js") as Promise<Record<string, unknown>>,
       "sendMessageSlack",
     ),
     signal: createLazySender(
       "signal",
-      () => import("../../extensions/signal/src/send.js") as Promise<Record<string, unknown>>,
+      () => import("../plugin-sdk/signal.js") as Promise<Record<string, unknown>>,
       "sendMessageSignal",
     ),
     imessage: createLazySender(
       "imessage",
-      () => import("../../extensions/imessage/src/send.js") as Promise<Record<string, unknown>>,
+      () => import("../plugin-sdk/imessage.js") as Promise<Record<string, unknown>>,
       "sendMessageIMessage",
     ),
   };
@@ -70,4 +70,4 @@ export function createOutboundSendDeps(deps: CliDeps): OutboundSendDeps {
   return createOutboundSendDepsFromCliSource(deps);
 }
 
-export { logWebSelfId } from "../../extensions/whatsapp/src/auth-store.js";
+export { logWebSelfId } from "../plugin-sdk/whatsapp.js";
diff --git a/src/gateway/server-http.ts b/src/gateway/server-http.ts
index 75af96dd545..0ad655f4990 100644
--- a/src/gateway/server-http.ts
+++ b/src/gateway/server-http.ts
@@ -8,12 +8,12 @@ import {
 import { createServer as createHttpsServer } from "node:https";
 import type { TlsOptions } from "node:tls";
 import type { WebSocketServer } from "ws";
-import { handleSlackHttpRequest } from "../../extensions/slack/src/http/index.js";
 import { resolveAgentAvatar } from "../agents/identity-avatar.js";
 import { CANVAS_WS_PATH, handleA2uiHttpRequest } from "../canvas-host/a2ui.js";
 import type { CanvasHostHandler } from "../canvas-host/server.js";
 import { loadConfig } from "../config/config.js";
 import type { createSubsystemLogger } from "../logging/subsystem.js";
+import { handleSlackHttpRequest } from "../plugin-sdk/slack.js";
 import { safeEqualSecret } from "../security/secret-equal.js";
 import {
   AUTH_RATE_LIMIT_SCOPE_HOOK_AUTH,
diff --git a/src/plugin-sdk/discord.ts b/src/plugin-sdk/discord.ts
index d9e40370d23..d89f768071b 100644
--- a/src/plugin-sdk/discord.ts
+++ b/src/plugin-sdk/discord.ts
@@ -3,9 +3,14 @@ export type { OpenClawConfig } from "../config/config.js";
 export type { DiscordAccountConfig, DiscordActionConfig } from "../config/types.js";
 export type { InspectedDiscordAccount } from "../../extensions/discord/src/account-inspect.js";
 export type { ResolvedDiscordAccount } from "../../extensions/discord/src/accounts.js";
+export type {
+  DiscordSendComponents,
+  DiscordSendEmbeds,
+} from "../../extensions/discord/src/send.shared.js";
 export * from "./channel-plugin-common.js";
 
 export {
+  createDiscordActionGate,
   listDiscordAccountIds,
   resolveDefaultDiscordAccountId,
   resolveDiscordAccount,
@@ -50,6 +55,55 @@ export {
   listThreadBindingsBySessionKey,
   unbindThreadBindingsBySessionKey,
 } from "../../extensions/discord/src/monitor/thread-bindings.js";
+export { getGateway } from "../../extensions/discord/src/monitor/gateway-registry.js";
+export { getPresence } from "../../extensions/discord/src/monitor/presence-cache.js";
+export { readDiscordComponentSpec } from "../../extensions/discord/src/components.js";
+export { resolveDiscordChannelId } from "../../extensions/discord/src/targets.js";
+export {
+  addRoleDiscord,
+  banMemberDiscord,
+  createChannelDiscord,
+  createScheduledEventDiscord,
+  createThreadDiscord,
+  deleteChannelDiscord,
+  deleteMessageDiscord,
+  editChannelDiscord,
+  editMessageDiscord,
+  fetchChannelInfoDiscord,
+  fetchChannelPermissionsDiscord,
+  fetchMemberInfoDiscord,
+  fetchMessageDiscord,
+  fetchReactionsDiscord,
+  fetchRoleInfoDiscord,
+  fetchVoiceStatusDiscord,
+  hasAnyGuildPermissionDiscord,
+  kickMemberDiscord,
+  listGuildChannelsDiscord,
+  listGuildEmojisDiscord,
+  listPinsDiscord,
+  listScheduledEventsDiscord,
+  listThreadsDiscord,
+  moveChannelDiscord,
+  pinMessageDiscord,
+  reactMessageDiscord,
+  readMessagesDiscord,
+  removeChannelPermissionDiscord,
+  removeOwnReactionsDiscord,
+  removeReactionDiscord,
+  removeRoleDiscord,
+  searchMessagesDiscord,
+  sendDiscordComponentMessage,
+  sendMessageDiscord,
+  sendPollDiscord,
+  sendStickerDiscord,
+  sendVoiceMessageDiscord,
+  setChannelPermissionDiscord,
+  timeoutMemberDiscord,
+  unpinMessageDiscord,
+  uploadEmojiDiscord,
+  uploadStickerDiscord,
+} from "../../extensions/discord/src/send.js";
+export { discordMessageActions } from "../../extensions/discord/src/channel-actions.js";
 export type {
   ThreadBindingManager,
   ThreadBindingRecord,
diff --git a/src/plugin-sdk/imessage.ts b/src/plugin-sdk/imessage.ts
index a3a42f110ee..0fe2e278d40 100644
--- a/src/plugin-sdk/imessage.ts
+++ b/src/plugin-sdk/imessage.ts
@@ -28,6 +28,7 @@ export type {
   ChatSenderAllowParams,
   ParsedChatTarget,
 } from "../../extensions/imessage/src/target-parsing-helpers.js";
+export { sendMessageIMessage } from "../../extensions/imessage/src/send.js";
 
 export {
   resolveAllowlistProviderRuntimeGroupPolicy,
diff --git a/src/plugin-sdk/signal.ts b/src/plugin-sdk/signal.ts
index b407e944e47..3683115143e 100644
--- a/src/plugin-sdk/signal.ts
+++ b/src/plugin-sdk/signal.ts
@@ -13,6 +13,7 @@ export {
   removeReactionSignal,
   sendReactionSignal,
 } from "../../extensions/signal/src/send-reactions.js";
+export { sendMessageSignal } from "../../extensions/signal/src/send.js";
 export {
   looksLikeSignalTargetId,
   normalizeSignalMessagingTarget,
diff --git a/src/plugin-sdk/slack.ts b/src/plugin-sdk/slack.ts
index 0cbfd236274..8ac3915ec31 100644
--- a/src/plugin-sdk/slack.ts
+++ b/src/plugin-sdk/slack.ts
@@ -31,6 +31,26 @@ export {
   listSlackMessageActions,
 } from "../../extensions/slack/src/message-actions.js";
 export { buildSlackThreadingToolContext } from "../../extensions/slack/src/threading-tool-context.js";
+export { parseSlackBlocksInput } from "../../extensions/slack/src/blocks-input.js";
+export { handleSlackHttpRequest } from "../../extensions/slack/src/http/index.js";
+export { sendMessageSlack } from "../../extensions/slack/src/send.js";
+export {
+  deleteSlackMessage,
+  downloadSlackFile,
+  editSlackMessage,
+  getSlackMemberInfo,
+  listSlackEmojis,
+  listSlackPins,
+  listSlackReactions,
+  pinSlackMessage,
+  reactSlackMessage,
+  readSlackMessages,
+  removeOwnSlackReactions,
+  removeSlackReaction,
+  sendSlackMessage,
+  unpinSlackMessage,
+} from "../../extensions/slack/src/actions.js";
+export { recordSlackThreadParticipation } from "../../extensions/slack/src/sent-thread-cache.js";
 export { buildComputedAccountStatusSnapshot } from "./status-helpers.js";
 
 export {
diff --git a/src/plugin-sdk/telegram.ts b/src/plugin-sdk/telegram.ts
index 2db97fb74b5..52d0269f712 100644
--- a/src/plugin-sdk/telegram.ts
+++ b/src/plugin-sdk/telegram.ts
@@ -11,6 +11,10 @@ export type { TelegramAccountConfig, TelegramActionConfig } from "../config/type
 export type { InspectedTelegramAccount } from "../../extensions/telegram/src/account-inspect.js";
 export type { ResolvedTelegramAccount } from "../../extensions/telegram/src/accounts.js";
 export type { TelegramProbe } from "../../extensions/telegram/src/probe.js";
+export type {
+  TelegramButtonStyle,
+  TelegramInlineButtons,
+} from "../../extensions/telegram/src/button-types.js";
 
 export { emptyPluginConfigSchema } from "../plugins/config-schema.js";
 
@@ -32,8 +36,10 @@ export { PAIRING_APPROVED_MESSAGE } from "../channels/plugins/pairing-message.js
 export { getChatChannelMeta } from "../channels/registry.js";
 
 export {
+  createTelegramActionGate,
   listTelegramAccountIds,
   resolveDefaultTelegramAccountId,
+  resolveTelegramPollActionGateState,
   resolveTelegramAccount,
 } from "../../extensions/telegram/src/accounts.js";
 export { inspectTelegramAccount } from "../../extensions/telegram/src/account-inspect.js";
@@ -58,6 +64,24 @@ export {
   normalizeTelegramAllowFromEntry,
 } from "../../extensions/telegram/src/allow-from.js";
 export { fetchTelegramChatId } from "../../extensions/telegram/src/api-fetch.js";
+export {
+  resolveTelegramInlineButtonsScope,
+  resolveTelegramTargetChatType,
+} from "../../extensions/telegram/src/inline-buttons.js";
+export { resolveTelegramReactionLevel } from "../../extensions/telegram/src/reaction-level.js";
+export {
+  createForumTopicTelegram,
+  deleteMessageTelegram,
+  editForumTopicTelegram,
+  editMessageTelegram,
+  reactMessageTelegram,
+  sendMessageTelegram,
+  sendPollTelegram,
+  sendStickerTelegram,
+} from "../../extensions/telegram/src/send.js";
+export { getCacheStats, searchStickers } from "../../extensions/telegram/src/sticker-cache.js";
+export { resolveTelegramToken } from "../../extensions/telegram/src/token.js";
+export { telegramMessageActions } from "../../extensions/telegram/src/channel-actions.js";
 export { collectTelegramStatusIssues } from "../../extensions/telegram/src/status-issues.js";
 export { sendTelegramPayloadMessages } from "../../extensions/telegram/src/outbound-adapter.js";
 export {
diff --git a/src/plugin-sdk/web-media.ts b/src/plugin-sdk/web-media.ts
index 02194b867b2..1c7432ad2b5 100644
--- a/src/plugin-sdk/web-media.ts
+++ b/src/plugin-sdk/web-media.ts
@@ -1 +1,6 @@
-export { loadWebMedia, type WebMediaResult } from "../../extensions/whatsapp/src/media.js";
+export {
+  getDefaultLocalRoots,
+  loadWebMedia,
+  loadWebMediaRaw,
+  type WebMediaResult,
+} from "../../extensions/whatsapp/src/media.js";
diff --git a/src/plugin-sdk/whatsapp.ts b/src/plugin-sdk/whatsapp.ts
index 759a56b080e..56db52bfc13 100644
--- a/src/plugin-sdk/whatsapp.ts
+++ b/src/plugin-sdk/whatsapp.ts
@@ -31,6 +31,53 @@ export {
   listEnabledWhatsAppAccounts,
   resolveWhatsAppAccount,
 } from "../../extensions/whatsapp/src/accounts.js";
+export {
+  WA_WEB_AUTH_DIR,
+  logWebSelfId,
+  logoutWeb,
+  pickWebChannel,
+  webAuthExists,
+} from "../../extensions/whatsapp/src/auth-store.js";
+export {
+  DEFAULT_WEB_MEDIA_BYTES,
+  HEARTBEAT_PROMPT,
+  HEARTBEAT_TOKEN,
+  monitorWebChannel,
+  resolveHeartbeatRecipients,
+  runWebHeartbeatOnce,
+} from "../../extensions/whatsapp/src/auto-reply.js";
+export type {
+  WebChannelStatus,
+  WebMonitorTuning,
+} from "../../extensions/whatsapp/src/auto-reply.js";
+export {
+  extractMediaPlaceholder,
+  extractText,
+  monitorWebInbox,
+} from "../../extensions/whatsapp/src/inbound.js";
+export type {
+  WebInboundMessage,
+  WebListenerCloseReason,
+} from "../../extensions/whatsapp/src/inbound.js";
+export { loginWeb } from "../../extensions/whatsapp/src/login.js";
+export {
+  getDefaultLocalRoots,
+  loadWebMedia,
+  loadWebMediaRaw,
+  optimizeImageToJpeg,
+} from "../../extensions/whatsapp/src/media.js";
+export {
+  sendMessageWhatsApp,
+  sendPollWhatsApp,
+  sendReactionWhatsApp,
+} from "../../extensions/whatsapp/src/send.js";
+export {
+  createWaSocket,
+  formatError,
+  getStatusCode,
+  waitForWaConnection,
+} from "../../extensions/whatsapp/src/session.js";
+export { createWhatsAppLoginTool } from "../../extensions/whatsapp/src/agent-tools-login.js";
 export { normalizeWhatsAppAllowFromEntries } from "../channels/plugins/normalize/whatsapp.js";
 export {
   collectAllowlistProviderGroupPolicyWarnings,

From 7cc5789202a000b6adb396f30c345d8c278959e2 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Mar 2026 01:20:15 -0700
Subject: [PATCH 116/133] refactor(plugins): finish provider auth boundary
 cleanup

---
 extensions/amazon-bedrock/index.test.ts       |  22 +
 extensions/amazon-bedrock/index.ts            |  23 +
 .../amazon-bedrock/openclaw.plugin.json       |   9 +
 extensions/amazon-bedrock/package.json        |  12 +
 extensions/cloudflare-ai-gateway/index.ts     |   5 +-
 extensions/minimax/index.ts                   |  20 +-
 extensions/opencode-go/index.ts               |   1 +
 extensions/opencode/index.ts                  |   1 +
 extensions/zai/detect.ts                      |  21 +
 extensions/zai/index.ts                       |  30 +-
 src/agents/auth-profiles/doctor.ts            |  38 +-
 .../pi-embedded-runner/cache-ttl.test.ts      |  20 +-
 src/agents/pi-embedded-runner/cache-ttl.ts    |  13 -
 src/auto-reply/thinking.test.ts               |   9 +-
 src/auto-reply/thinking.ts                    |   7 -
 .../auth-choice.apply.api-key-providers.ts    | 497 +----------------
 .../auth-choice.apply.api-providers.ts        | 296 +----------
 .../auth-choice.apply.huggingface.test.ts     | 194 -------
 src/commands/auth-choice.apply.huggingface.ts | 137 -----
 .../auth-choice.apply.minimax.test.ts         | 208 --------
 src/commands/auth-choice.apply.minimax.ts     | 106 ----
 src/commands/auth-choice.apply.openrouter.ts  |  93 ----
 .../auth-choice.apply.plugin-provider.ts      |  47 +-
 src/commands/auth-choice.apply.ts             |   4 +-
 src/commands/auth-choice.test.ts              |  53 +-
 ...oard-non-interactive.provider-auth.test.ts | 160 +++---
 .../local/auth-choice.api-key-providers.ts    | 500 +-----------------
 .../local/auth-choice.plugin-providers.ts     |   2 +
 .../local/auth-choice.ts                      | 113 +---
 src/plugins/config-state.ts                   |   1 +
 src/plugins/provider-api-key-auth.ts          |  92 ++--
 src/plugins/provider-auth-choices.ts          |  20 +
 src/plugins/types.ts                          |   7 +
 33 files changed, 483 insertions(+), 2278 deletions(-)
 create mode 100644 extensions/amazon-bedrock/index.test.ts
 create mode 100644 extensions/amazon-bedrock/index.ts
 create mode 100644 extensions/amazon-bedrock/openclaw.plugin.json
 create mode 100644 extensions/amazon-bedrock/package.json
 create mode 100644 extensions/zai/detect.ts
 delete mode 100644 src/commands/auth-choice.apply.huggingface.test.ts
 delete mode 100644 src/commands/auth-choice.apply.huggingface.ts
 delete mode 100644 src/commands/auth-choice.apply.minimax.test.ts
 delete mode 100644 src/commands/auth-choice.apply.minimax.ts
 delete mode 100644 src/commands/auth-choice.apply.openrouter.ts

diff --git a/extensions/amazon-bedrock/index.test.ts b/extensions/amazon-bedrock/index.test.ts
new file mode 100644
index 00000000000..641173cd6ce
--- /dev/null
+++ b/extensions/amazon-bedrock/index.test.ts
@@ -0,0 +1,22 @@
+import { describe, expect, it } from "vitest";
+import { registerSingleProviderPlugin } from "../../src/test-utils/plugin-registration.js";
+import amazonBedrockPlugin from "./index.js";
+
+describe("amazon-bedrock provider plugin", () => {
+  it("marks Claude 4.6 Bedrock models as adaptive by default", () => {
+    const provider = registerSingleProviderPlugin(amazonBedrockPlugin);
+
+    expect(
+      provider.resolveDefaultThinkingLevel?.({
+        provider: "amazon-bedrock",
+        modelId: "us.anthropic.claude-opus-4-6-v1",
+      } as never),
+    ).toBe("adaptive");
+    expect(
+      provider.resolveDefaultThinkingLevel?.({
+        provider: "amazon-bedrock",
+        modelId: "amazon.nova-micro-v1:0",
+      } as never),
+    ).toBeUndefined();
+  });
+});
diff --git a/extensions/amazon-bedrock/index.ts b/extensions/amazon-bedrock/index.ts
new file mode 100644
index 00000000000..33fa3a08d32
--- /dev/null
+++ b/extensions/amazon-bedrock/index.ts
@@ -0,0 +1,23 @@
+import { emptyPluginConfigSchema, type OpenClawPluginApi } from "openclaw/plugin-sdk/core";
+
+const PROVIDER_ID = "amazon-bedrock";
+const CLAUDE_46_MODEL_RE = /claude-(?:opus|sonnet)-4(?:\.|-)6(?:$|[-.])/i;
+
+const amazonBedrockPlugin = {
+  id: PROVIDER_ID,
+  name: "Amazon Bedrock Provider",
+  description: "Bundled Amazon Bedrock provider policy plugin",
+  configSchema: emptyPluginConfigSchema(),
+  register(api: OpenClawPluginApi) {
+    api.registerProvider({
+      id: PROVIDER_ID,
+      label: "Amazon Bedrock",
+      docsPath: "/providers/models",
+      auth: [],
+      resolveDefaultThinkingLevel: ({ modelId }) =>
+        CLAUDE_46_MODEL_RE.test(modelId.trim()) ? "adaptive" : undefined,
+    });
+  },
+};
+
+export default amazonBedrockPlugin;
diff --git a/extensions/amazon-bedrock/openclaw.plugin.json b/extensions/amazon-bedrock/openclaw.plugin.json
new file mode 100644
index 00000000000..9239ea19146
--- /dev/null
+++ b/extensions/amazon-bedrock/openclaw.plugin.json
@@ -0,0 +1,9 @@
+{
+  "id": "amazon-bedrock",
+  "providers": ["amazon-bedrock"],
+  "configSchema": {
+    "type": "object",
+    "additionalProperties": false,
+    "properties": {}
+  }
+}
diff --git a/extensions/amazon-bedrock/package.json b/extensions/amazon-bedrock/package.json
new file mode 100644
index 00000000000..6c1471c92c3
--- /dev/null
+++ b/extensions/amazon-bedrock/package.json
@@ -0,0 +1,12 @@
+{
+  "name": "@openclaw/amazon-bedrock-provider",
+  "version": "2026.3.14",
+  "private": true,
+  "description": "OpenClaw Amazon Bedrock provider plugin",
+  "type": "module",
+  "openclaw": {
+    "extensions": [
+      "./index.ts"
+    ]
+  }
+}
diff --git a/extensions/cloudflare-ai-gateway/index.ts b/extensions/cloudflare-ai-gateway/index.ts
index 4544a932faf..ddc0bd7405a 100644
--- a/extensions/cloudflare-ai-gateway/index.ts
+++ b/extensions/cloudflare-ai-gateway/index.ts
@@ -143,7 +143,10 @@ const cloudflareAiGatewayPlugin = {
             await ensureApiKeyFromOptionEnvOrPrompt({
               token: normalizeOptionalSecretInput(ctx.opts?.cloudflareAiGatewayApiKey),
               tokenProvider: "cloudflare-ai-gateway",
-              secretInputMode: ctx.secretInputMode,
+              secretInputMode:
+                ctx.allowSecretRefPrompt === false
+                  ? (ctx.secretInputMode ?? "plaintext")
+                  : ctx.secretInputMode,
               config: ctx.config,
               expectedProviders: [PROVIDER_ID],
               provider: PROVIDER_ID,
diff --git a/extensions/minimax/index.ts b/extensions/minimax/index.ts
index 6906bb0438d..604e8627d22 100644
--- a/extensions/minimax/index.ts
+++ b/extensions/minimax/index.ts
@@ -31,7 +31,11 @@ function getDefaultBaseUrl(region: MiniMaxRegion): string {
   return region === "cn" ? DEFAULT_BASE_URL_CN : DEFAULT_BASE_URL_GLOBAL;
 }
 
-function modelRef(modelId: string): string {
+function apiModelRef(modelId: string): string {
+  return `${API_PROVIDER_ID}/${modelId}`;
+}
+
+function portalModelRef(modelId: string): string {
   return `${PORTAL_PROVIDER_ID}/${modelId}`;
 }
 
@@ -109,7 +113,7 @@ function createOAuthHandler(region: MiniMaxRegion) {
 
       return buildOauthProviderAuthResult({
         providerId: PORTAL_PROVIDER_ID,
-        defaultModel: modelRef(DEFAULT_MODEL),
+        defaultModel: portalModelRef(DEFAULT_MODEL),
         access: result.access,
         refresh: result.refresh,
         expires: result.expires,
@@ -125,11 +129,11 @@ function createOAuthHandler(region: MiniMaxRegion) {
           agents: {
             defaults: {
               models: {
-                [modelRef("MiniMax-M2.5")]: { alias: "minimax-m2.5" },
-                [modelRef("MiniMax-M2.5-highspeed")]: {
+                [portalModelRef("MiniMax-M2.5")]: { alias: "minimax-m2.5" },
+                [portalModelRef("MiniMax-M2.5-highspeed")]: {
                   alias: "minimax-m2.5-highspeed",
                 },
-                [modelRef("MiniMax-M2.5-Lightning")]: {
+                [portalModelRef("MiniMax-M2.5-Lightning")]: {
                   alias: "minimax-m2.5-lightning",
                 },
               },
@@ -177,7 +181,8 @@ const minimaxPlugin = {
           promptMessage:
             "Enter MiniMax API key (sk-api- or sk-cp-)\nhttps://platform.minimax.io/user-center/basic-information/interface-key",
           profileId: "minimax:global",
-          defaultModel: modelRef(DEFAULT_MODEL),
+          allowProfile: false,
+          defaultModel: apiModelRef(DEFAULT_MODEL),
           expectedProviders: ["minimax"],
           applyConfig: (cfg) => applyMinimaxApiConfig(cfg),
           wizard: {
@@ -200,7 +205,8 @@ const minimaxPlugin = {
           promptMessage:
             "Enter MiniMax CN API key (sk-api- or sk-cp-)\nhttps://platform.minimaxi.com/user-center/basic-information/interface-key",
           profileId: "minimax:cn",
-          defaultModel: modelRef(DEFAULT_MODEL),
+          allowProfile: false,
+          defaultModel: apiModelRef(DEFAULT_MODEL),
           expectedProviders: ["minimax", "minimax-cn"],
           applyConfig: (cfg) => applyMinimaxApiConfigCn(cfg),
           wizard: {
diff --git a/extensions/opencode-go/index.ts b/extensions/opencode-go/index.ts
index 2027f9ad05d..c0a8cea9b91 100644
--- a/extensions/opencode-go/index.ts
+++ b/extensions/opencode-go/index.ts
@@ -26,6 +26,7 @@ const opencodeGoPlugin = {
           flagName: "--opencode-go-api-key",
           envVar: "OPENCODE_API_KEY",
           promptMessage: "Enter OpenCode API key",
+          profileIds: ["opencode:default", "opencode-go:default"],
           defaultModel: OPENCODE_GO_DEFAULT_MODEL_REF,
           expectedProviders: ["opencode", "opencode-go"],
           applyConfig: (cfg) => applyOpencodeGoConfig(cfg),
diff --git a/extensions/opencode/index.ts b/extensions/opencode/index.ts
index 008afe4091c..d00ae301bc5 100644
--- a/extensions/opencode/index.ts
+++ b/extensions/opencode/index.ts
@@ -35,6 +35,7 @@ const opencodePlugin = {
           flagName: "--opencode-zen-api-key",
           envVar: "OPENCODE_API_KEY",
           promptMessage: "Enter OpenCode API key",
+          profileIds: ["opencode:default", "opencode-go:default"],
           defaultModel: OPENCODE_ZEN_DEFAULT_MODEL,
           expectedProviders: ["opencode", "opencode-go"],
           applyConfig: (cfg) => applyOpencodeZenConfig(cfg),
diff --git a/extensions/zai/detect.ts b/extensions/zai/detect.ts
new file mode 100644
index 00000000000..07f06a9f052
--- /dev/null
+++ b/extensions/zai/detect.ts
@@ -0,0 +1,21 @@
+import {
+  detectZaiEndpoint as detectZaiEndpointCore,
+  type ZaiDetectedEndpoint,
+  type ZaiEndpointId,
+} from "../../src/commands/zai-endpoint-detect.js";
+
+type DetectZaiEndpointFn = typeof detectZaiEndpointCore;
+
+let detectZaiEndpointImpl: DetectZaiEndpointFn = detectZaiEndpointCore;
+
+export function setDetectZaiEndpointForTesting(fn?: DetectZaiEndpointFn): void {
+  detectZaiEndpointImpl = fn ?? detectZaiEndpointCore;
+}
+
+export async function detectZaiEndpoint(
+  ...args: Parameters<DetectZaiEndpointFn>
+): ReturnType<DetectZaiEndpointFn> {
+  return await detectZaiEndpointImpl(...args);
+}
+
+export type { ZaiDetectedEndpoint, ZaiEndpointId };
diff --git a/extensions/zai/index.ts b/extensions/zai/index.ts
index d6a1561167d..16f1c311ea3 100644
--- a/extensions/zai/index.ts
+++ b/extensions/zai/index.ts
@@ -26,11 +26,11 @@ import {
   applyZaiProviderConfig,
   ZAI_DEFAULT_MODEL_REF,
 } from "../../src/commands/onboard-auth.js";
-import { detectZaiEndpoint, type ZaiEndpointId } from "../../src/commands/zai-endpoint-detect.js";
 import type { SecretInput } from "../../src/config/types.secrets.js";
 import { resolveRequiredHomeDir } from "../../src/infra/home-dir.js";
 import { fetchZaiUsage } from "../../src/infra/provider-usage.fetch.js";
 import { normalizeOptionalSecretInput } from "../../src/utils/normalize-secret-input.js";
+import { detectZaiEndpoint, type ZaiEndpointId } from "./detect.js";
 
 const PROVIDER_ID = "zai";
 const GLM5_MODEL_ID = "glm-5";
@@ -97,6 +97,27 @@ function resolveZaiDefaultModel(modelIdOverride?: string): string {
   return modelIdOverride ? `zai/${modelIdOverride}` : ZAI_DEFAULT_MODEL_REF;
 }
 
+async function promptForZaiEndpoint(ctx: ProviderAuthContext): Promise<ZaiEndpointId> {
+  return await ctx.prompter.select<ZaiEndpointId>({
+    message: "Select Z.AI endpoint",
+    initialValue: "global",
+    options: [
+      { value: "global", label: "Global", hint: "Z.AI Global (api.z.ai)" },
+      { value: "cn", label: "CN", hint: "Z.AI CN (open.bigmodel.cn)" },
+      {
+        value: "coding-global",
+        label: "Coding-Plan-Global",
+        hint: "GLM Coding Plan Global (api.z.ai)",
+      },
+      {
+        value: "coding-cn",
+        label: "Coding-Plan-CN",
+        hint: "GLM Coding Plan CN (open.bigmodel.cn)",
+      },
+    ],
+  });
+}
+
 async function runZaiApiKeyAuth(
   ctx: ProviderAuthContext,
   endpoint?: ZaiEndpointId,
@@ -116,7 +137,10 @@ async function runZaiApiKeyAuth(
     tokenProvider: normalizeOptionalSecretInput(ctx.opts?.zaiApiKey)
       ? PROVIDER_ID
       : normalizeOptionalSecretInput(ctx.opts?.tokenProvider),
-    secretInputMode: ctx.secretInputMode,
+    secretInputMode:
+      ctx.allowSecretRefPrompt === false
+        ? (ctx.secretInputMode ?? "plaintext")
+        : ctx.secretInputMode,
     config: ctx.config,
     expectedProviders: [PROVIDER_ID, "z-ai"],
     provider: PROVIDER_ID,
@@ -138,7 +162,7 @@ async function runZaiApiKeyAuth(
 
   const detected = await detectZaiEndpoint({ apiKey, ...(endpoint ? { endpoint } : {}) });
   const modelIdOverride = detected?.modelId;
-  const nextEndpoint = detected?.endpoint ?? endpoint;
+  const nextEndpoint = detected?.endpoint ?? endpoint ?? (await promptForZaiEndpoint(ctx));
   return {
     profiles: [
       {
diff --git a/src/agents/auth-profiles/doctor.ts b/src/agents/auth-profiles/doctor.ts
index 220d20f2294..e2ce1a7efca 100644
--- a/src/agents/auth-profiles/doctor.ts
+++ b/src/agents/auth-profiles/doctor.ts
@@ -1,8 +1,5 @@
-import { formatCliCommand } from "../../cli/command-format.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import { normalizeProviderId } from "../model-selection.js";
-import { listProfilesForProvider } from "./profiles.js";
-import { suggestOAuthProfileIdForLegacyDefault } from "./repair.js";
 import type { AuthProfileStore } from "./types.js";
 
 let providerRuntimePromise:
@@ -34,38 +31,5 @@ export async function formatAuthDoctorHint(params: {
   if (typeof pluginHint === "string" && pluginHint.trim()) {
     return pluginHint;
   }
-
-  const providerKey = normalizeProviderId(params.provider);
-  if (providerKey !== "anthropic") {
-    return "";
-  }
-
-  const legacyProfileId = params.profileId ?? "anthropic:default";
-  const suggested = suggestOAuthProfileIdForLegacyDefault({
-    cfg: params.cfg,
-    store: params.store,
-    provider: providerKey,
-    legacyProfileId,
-  });
-  if (!suggested || suggested === legacyProfileId) {
-    return "";
-  }
-
-  const storeOauthProfiles = listProfilesForProvider(params.store, providerKey)
-    .filter((id) => params.store.profiles[id]?.type === "oauth")
-    .join(", ");
-
-  const cfgMode = params.cfg?.auth?.profiles?.[legacyProfileId]?.mode;
-  const cfgProvider = params.cfg?.auth?.profiles?.[legacyProfileId]?.provider;
-
-  return [
-    "Doctor hint (for GitHub issue):",
-    `- provider: ${providerKey}`,
-    `- config: ${legacyProfileId}${
-      cfgProvider || cfgMode ? ` (provider=${cfgProvider ?? "?"}, mode=${cfgMode ?? "?"})` : ""
-    }`,
-    `- auth store oauth profiles: ${storeOauthProfiles || "(none)"}`,
-    `- suggested profile: ${suggested}`,
-    `Fix: run "${formatCliCommand("openclaw doctor --yes")}"`,
-  ].join("\n");
+  return "";
 }
diff --git a/src/agents/pi-embedded-runner/cache-ttl.test.ts b/src/agents/pi-embedded-runner/cache-ttl.test.ts
index d968b6b79eb..f5ff8be2827 100644
--- a/src/agents/pi-embedded-runner/cache-ttl.test.ts
+++ b/src/agents/pi-embedded-runner/cache-ttl.test.ts
@@ -3,12 +3,20 @@ import { describe, expect, it, vi } from "vitest";
 vi.mock("../../plugins/provider-runtime.js", () => ({
   resolveProviderCacheTtlEligibility: (params: {
     context: { provider: string; modelId: string };
-  }) =>
-    params.context.provider === "openrouter"
-      ? ["anthropic/", "moonshot/", "moonshotai/", "zai/"].some((prefix) =>
-          params.context.modelId.startsWith(prefix),
-        )
-      : undefined,
+  }) => {
+    if (params.context.provider === "anthropic") {
+      return true;
+    }
+    if (params.context.provider === "moonshot" || params.context.provider === "zai") {
+      return true;
+    }
+    if (params.context.provider === "openrouter") {
+      return ["anthropic/", "moonshot/", "moonshotai/", "zai/"].some((prefix) =>
+        params.context.modelId.startsWith(prefix),
+      );
+    }
+    return undefined;
+  },
 }));
 
 import { isCacheTtlEligibleProvider } from "./cache-ttl.js";
diff --git a/src/agents/pi-embedded-runner/cache-ttl.ts b/src/agents/pi-embedded-runner/cache-ttl.ts
index e5e577d331a..dfea1c714b9 100644
--- a/src/agents/pi-embedded-runner/cache-ttl.ts
+++ b/src/agents/pi-embedded-runner/cache-ttl.ts
@@ -10,8 +10,6 @@ export type CacheTtlEntryData = {
   modelId?: string;
 };
 
-const CACHE_TTL_NATIVE_PROVIDERS = new Set(["moonshot", "zai"]);
-
 export function isCacheTtlEligibleProvider(provider: string, modelId: string): boolean {
   const normalizedProvider = provider.toLowerCase();
   const normalizedModelId = modelId.toLowerCase();
@@ -25,17 +23,6 @@ export function isCacheTtlEligibleProvider(provider: string, modelId: string): b
   if (pluginEligibility !== undefined) {
     return pluginEligibility;
   }
-  if (normalizedProvider === "kilocode" && normalizedModelId.startsWith("anthropic/")) {
-    return true;
-  }
-  // Legacy fallback for tests / plugin-disabled contexts. The Anthropic plugin
-  // owns this policy in normal runtime.
-  if (normalizedProvider === "anthropic") {
-    return true;
-  }
-  if (CACHE_TTL_NATIVE_PROVIDERS.has(normalizedProvider)) {
-    return true;
-  }
   return false;
 }
 
diff --git a/src/auto-reply/thinking.test.ts b/src/auto-reply/thinking.test.ts
index 18736f38905..35d1c289271 100644
--- a/src/auto-reply/thinking.test.ts
+++ b/src/auto-reply/thinking.test.ts
@@ -144,7 +144,14 @@ describe("resolveThinkingDefaultForModel", () => {
     ).toBe("adaptive");
   });
 
-  it("treats Bedrock Anthropic aliases as adaptive", () => {
+  it("uses provider-advertised adaptive defaults for Bedrock aliases", () => {
+    providerRuntimeMocks.resolveProviderDefaultThinkingLevel.mockImplementation(
+      ({ provider, context }) =>
+        provider === "amazon-bedrock" && context.modelId === "claude-sonnet-4-6"
+          ? "adaptive"
+          : undefined,
+    );
+
     expect(
       resolveThinkingDefaultForModel({ provider: "aws-bedrock", model: "claude-sonnet-4-6" }),
     ).toBe("adaptive");
diff --git a/src/auto-reply/thinking.ts b/src/auto-reply/thinking.ts
index 1652a80bdf6..f43ca7bc34b 100644
--- a/src/auto-reply/thinking.ts
+++ b/src/auto-reply/thinking.ts
@@ -17,8 +17,6 @@ export type ThinkingCatalogEntry = {
   reasoning?: boolean;
 };
 
-const CLAUDE_46_MODEL_RE = /claude-(?:opus|sonnet)-4(?:\.|-)6(?:$|[-.])/i;
-
 function normalizeProviderId(provider?: string | null): string {
   if (!provider) {
     return "";
@@ -146,7 +144,6 @@ export function resolveThinkingDefaultForModel(params: {
   catalog?: ThinkingCatalogEntry[];
 }): ThinkLevel {
   const normalizedProvider = normalizeProviderId(params.provider);
-  const modelLower = params.model.trim().toLowerCase();
   const candidate = params.catalog?.find(
     (entry) => entry.provider === params.provider && entry.id === params.model,
   );
@@ -161,10 +158,6 @@ export function resolveThinkingDefaultForModel(params: {
   if (pluginDecision) {
     return pluginDecision;
   }
-
-  if (normalizedProvider === "amazon-bedrock" && CLAUDE_46_MODEL_RE.test(modelLower)) {
-    return "adaptive";
-  }
   if (candidate?.reasoning) {
     return "low";
   }
diff --git a/src/commands/auth-choice.apply.api-key-providers.ts b/src/commands/auth-choice.apply.api-key-providers.ts
index 078dac8d0a1..3ff35a46365 100644
--- a/src/commands/auth-choice.apply.api-key-providers.ts
+++ b/src/commands/auth-choice.apply.api-key-providers.ts
@@ -1,81 +1,15 @@
 import { ensureAuthProfileStore, resolveAuthProfileOrder } from "../agents/auth-profiles.js";
-import type { SecretInput } from "../config/types.secrets.js";
 import { normalizeApiKeyInput, validateApiKeyInput } from "./auth-choice.api-key.js";
 import { ensureApiKeyFromOptionEnvOrPrompt } from "./auth-choice.apply-helpers.js";
 import type { ApplyAuthChoiceParams, ApplyAuthChoiceResult } from "./auth-choice.apply.js";
-import { ensureModelAllowlistEntry } from "./model-allowlist.js";
-import { applyPrimaryModel } from "./model-picker.js";
-import type { ApiKeyStorageOptions } from "./onboard-auth.credentials.js";
 import {
   applyAuthProfileConfig,
-  applyKilocodeConfig,
-  applyKilocodeProviderConfig,
-  applyKimiCodeConfig,
-  applyKimiCodeProviderConfig,
   applyLitellmConfig,
   applyLitellmProviderConfig,
-  applyMistralConfig,
-  applyMistralProviderConfig,
-  applyModelStudioConfig,
-  applyModelStudioConfigCn,
-  applyModelStudioProviderConfig,
-  applyModelStudioProviderConfigCn,
-  applyMoonshotConfig,
-  applyMoonshotConfigCn,
-  applyMoonshotProviderConfig,
-  applyMoonshotProviderConfigCn,
-  applyOpencodeGoConfig,
-  applyOpencodeGoProviderConfig,
-  applyOpencodeZenConfig,
-  applyOpencodeZenProviderConfig,
-  applyQianfanConfig,
-  applyQianfanProviderConfig,
-  applySyntheticConfig,
-  applySyntheticProviderConfig,
-  applyTogetherConfig,
-  applyTogetherProviderConfig,
-  applyVeniceConfig,
-  applyVeniceProviderConfig,
-  applyVercelAiGatewayConfig,
-  applyVercelAiGatewayProviderConfig,
-  applyXaiConfig,
-  applyXaiProviderConfig,
-  applyXiaomiConfig,
-  applyXiaomiProviderConfig,
-  KILOCODE_DEFAULT_MODEL_REF,
-  KIMI_CODING_MODEL_REF,
   LITELLM_DEFAULT_MODEL_REF,
-  MISTRAL_DEFAULT_MODEL_REF,
-  MODELSTUDIO_DEFAULT_MODEL_REF,
-  MOONSHOT_DEFAULT_MODEL_REF,
-  QIANFAN_DEFAULT_MODEL_REF,
-  setKilocodeApiKey,
-  setKimiCodingApiKey,
   setLitellmApiKey,
-  setMistralApiKey,
-  setModelStudioApiKey,
-  setMoonshotApiKey,
-  setOpencodeGoApiKey,
-  setOpencodeZenApiKey,
-  setQianfanApiKey,
-  setSyntheticApiKey,
-  setTogetherApiKey,
-  setVeniceApiKey,
-  setVercelAiGatewayApiKey,
-  setVolcengineApiKey,
-  setByteplusApiKey,
-  setXaiApiKey,
-  setXiaomiApiKey,
-  SYNTHETIC_DEFAULT_MODEL_REF,
-  TOGETHER_DEFAULT_MODEL_REF,
-  VENICE_DEFAULT_MODEL_REF,
-  VERCEL_AI_GATEWAY_DEFAULT_MODEL_REF,
-  XAI_DEFAULT_MODEL_REF,
-  XIAOMI_DEFAULT_MODEL_REF,
 } from "./onboard-auth.js";
-import type { AuthChoice, SecretInputMode } from "./onboard-types.js";
-import { OPENCODE_GO_DEFAULT_MODEL_REF } from "./opencode-go-model-default.js";
-import { OPENCODE_ZEN_DEFAULT_MODEL } from "./opencode-zen-model-default.js";
+import type { SecretInputMode } from "./onboard-types.js";
 
 type ApiKeyProviderConfigApplier = (
   config: ApplyAuthChoiceParams["config"],
@@ -90,7 +24,7 @@ type ApplyProviderDefaultModel = (args: {
 
 type ApplyApiKeyProviderParams = {
   params: ApplyAuthChoiceParams;
-  authChoice: AuthChoice;
+  authChoice: string;
   config: ApplyAuthChoiceParams["config"];
   setConfig: (config: ApplyAuthChoiceParams["config"]) => void;
   getConfig: () => ApplyAuthChoiceParams["config"];
@@ -100,386 +34,6 @@ type ApplyApiKeyProviderParams = {
   getAgentModelOverride: () => string | undefined;
 };
 
-type SimpleApiKeyProviderFlow = {
-  provider: Parameters<typeof ensureApiKeyFromOptionEnvOrPrompt>[0]["provider"];
-  profileId: string;
-  expectedProviders: string[];
-  envLabel: string;
-  promptMessage: string;
-  setCredential: (
-    apiKey: SecretInput,
-    agentDir?: string,
-    options?: ApiKeyStorageOptions,
-  ) => void | Promise<void>;
-  defaultModel: string;
-  applyDefaultConfig: ApiKeyProviderConfigApplier;
-  applyProviderConfig: ApiKeyProviderConfigApplier;
-  tokenProvider?: string;
-  normalize?: (value: string) => string;
-  validate?: (value: string) => string | undefined;
-  noteDefault?: string;
-  noteMessage?: string;
-  noteTitle?: string;
-};
-
-const VOLCENGINE_DEFAULT_MODEL_REF = "volcengine-plan/ark-code-latest";
-const BYTEPLUS_DEFAULT_MODEL_REF = "byteplus-plan/ark-code-latest";
-
-const SIMPLE_API_KEY_PROVIDER_FLOWS: Partial<Record<AuthChoice, SimpleApiKeyProviderFlow>> = {
-  "ai-gateway-api-key": {
-    provider: "vercel-ai-gateway",
-    profileId: "vercel-ai-gateway:default",
-    expectedProviders: ["vercel-ai-gateway"],
-    envLabel: "AI_GATEWAY_API_KEY",
-    promptMessage: "Enter Vercel AI Gateway API key",
-    setCredential: setVercelAiGatewayApiKey,
-    defaultModel: VERCEL_AI_GATEWAY_DEFAULT_MODEL_REF,
-    applyDefaultConfig: applyVercelAiGatewayConfig,
-    applyProviderConfig: applyVercelAiGatewayProviderConfig,
-    noteDefault: VERCEL_AI_GATEWAY_DEFAULT_MODEL_REF,
-  },
-  "moonshot-api-key": {
-    provider: "moonshot",
-    profileId: "moonshot:default",
-    expectedProviders: ["moonshot"],
-    envLabel: "MOONSHOT_API_KEY",
-    promptMessage: "Enter Moonshot API key",
-    setCredential: setMoonshotApiKey,
-    defaultModel: MOONSHOT_DEFAULT_MODEL_REF,
-    applyDefaultConfig: applyMoonshotConfig,
-    applyProviderConfig: applyMoonshotProviderConfig,
-  },
-  "moonshot-api-key-cn": {
-    provider: "moonshot",
-    profileId: "moonshot:default",
-    expectedProviders: ["moonshot"],
-    envLabel: "MOONSHOT_API_KEY",
-    promptMessage: "Enter Moonshot API key (.cn)",
-    setCredential: setMoonshotApiKey,
-    defaultModel: MOONSHOT_DEFAULT_MODEL_REF,
-    applyDefaultConfig: applyMoonshotConfigCn,
-    applyProviderConfig: applyMoonshotProviderConfigCn,
-  },
-  "kimi-code-api-key": {
-    provider: "kimi-coding",
-    profileId: "kimi-coding:default",
-    expectedProviders: ["kimi-code", "kimi-coding"],
-    envLabel: "KIMI_API_KEY",
-    promptMessage: "Enter Kimi Coding API key",
-    setCredential: setKimiCodingApiKey,
-    defaultModel: KIMI_CODING_MODEL_REF,
-    applyDefaultConfig: applyKimiCodeConfig,
-    applyProviderConfig: applyKimiCodeProviderConfig,
-    noteDefault: KIMI_CODING_MODEL_REF,
-    noteMessage: [
-      "Kimi Coding uses a dedicated endpoint and API key.",
-      "Get your API key at: https://www.kimi.com/code/en",
-    ].join("\n"),
-    noteTitle: "Kimi Coding",
-  },
-  "xiaomi-api-key": {
-    provider: "xiaomi",
-    profileId: "xiaomi:default",
-    expectedProviders: ["xiaomi"],
-    envLabel: "XIAOMI_API_KEY",
-    promptMessage: "Enter Xiaomi API key",
-    setCredential: setXiaomiApiKey,
-    defaultModel: XIAOMI_DEFAULT_MODEL_REF,
-    applyDefaultConfig: applyXiaomiConfig,
-    applyProviderConfig: applyXiaomiProviderConfig,
-    noteDefault: XIAOMI_DEFAULT_MODEL_REF,
-  },
-  "xai-api-key": {
-    provider: "xai",
-    profileId: "xai:default",
-    expectedProviders: ["xai"],
-    envLabel: "XAI_API_KEY",
-    promptMessage: "Enter xAI API key",
-    setCredential: setXaiApiKey,
-    defaultModel: XAI_DEFAULT_MODEL_REF,
-    applyDefaultConfig: applyXaiConfig,
-    applyProviderConfig: applyXaiProviderConfig,
-    noteDefault: XAI_DEFAULT_MODEL_REF,
-  },
-  "mistral-api-key": {
-    provider: "mistral",
-    profileId: "mistral:default",
-    expectedProviders: ["mistral"],
-    envLabel: "MISTRAL_API_KEY",
-    promptMessage: "Enter Mistral API key",
-    setCredential: setMistralApiKey,
-    defaultModel: MISTRAL_DEFAULT_MODEL_REF,
-    applyDefaultConfig: applyMistralConfig,
-    applyProviderConfig: applyMistralProviderConfig,
-    noteDefault: MISTRAL_DEFAULT_MODEL_REF,
-  },
-  "venice-api-key": {
-    provider: "venice",
-    profileId: "venice:default",
-    expectedProviders: ["venice"],
-    envLabel: "VENICE_API_KEY",
-    promptMessage: "Enter Venice AI API key",
-    setCredential: setVeniceApiKey,
-    defaultModel: VENICE_DEFAULT_MODEL_REF,
-    applyDefaultConfig: applyVeniceConfig,
-    applyProviderConfig: applyVeniceProviderConfig,
-    noteDefault: VENICE_DEFAULT_MODEL_REF,
-    noteMessage: [
-      "Venice AI provides privacy-focused inference with uncensored models.",
-      "Get your API key at: https://venice.ai/settings/api",
-      "Supports 'private' (fully private) and 'anonymized' (proxy) modes.",
-    ].join("\n"),
-    noteTitle: "Venice AI",
-  },
-  "opencode-zen": {
-    provider: "opencode",
-    profileId: "opencode:default",
-    expectedProviders: ["opencode", "opencode-go"],
-    envLabel: "OPENCODE_API_KEY",
-    promptMessage: "Enter OpenCode API key",
-    setCredential: setOpencodeZenApiKey,
-    defaultModel: OPENCODE_ZEN_DEFAULT_MODEL,
-    applyDefaultConfig: applyOpencodeZenConfig,
-    applyProviderConfig: applyOpencodeZenProviderConfig,
-    noteDefault: OPENCODE_ZEN_DEFAULT_MODEL,
-    noteMessage: [
-      "OpenCode uses one API key across the Zen and Go catalogs.",
-      "Zen provides access to Claude, GPT, Gemini, and more models.",
-      "Get your API key at: https://opencode.ai/auth",
-      "Choose the Zen catalog when you want the curated multi-model proxy.",
-    ].join("\n"),
-    noteTitle: "OpenCode",
-  },
-  "opencode-go": {
-    provider: "opencode-go",
-    profileId: "opencode-go:default",
-    expectedProviders: ["opencode", "opencode-go"],
-    envLabel: "OPENCODE_API_KEY",
-    promptMessage: "Enter OpenCode API key",
-    setCredential: setOpencodeGoApiKey,
-    defaultModel: OPENCODE_GO_DEFAULT_MODEL_REF,
-    applyDefaultConfig: applyOpencodeGoConfig,
-    applyProviderConfig: applyOpencodeGoProviderConfig,
-    noteDefault: OPENCODE_GO_DEFAULT_MODEL_REF,
-    noteMessage: [
-      "OpenCode uses one API key across the Zen and Go catalogs.",
-      "Go provides access to Kimi, GLM, and MiniMax models through the Go catalog.",
-      "Get your API key at: https://opencode.ai/auth",
-      "Choose the Go catalog when you want the OpenCode-hosted Kimi/GLM/MiniMax lineup.",
-    ].join("\n"),
-    noteTitle: "OpenCode",
-  },
-  "together-api-key": {
-    provider: "together",
-    profileId: "together:default",
-    expectedProviders: ["together"],
-    envLabel: "TOGETHER_API_KEY",
-    promptMessage: "Enter Together AI API key",
-    setCredential: setTogetherApiKey,
-    defaultModel: TOGETHER_DEFAULT_MODEL_REF,
-    applyDefaultConfig: applyTogetherConfig,
-    applyProviderConfig: applyTogetherProviderConfig,
-    noteDefault: TOGETHER_DEFAULT_MODEL_REF,
-    noteMessage: [
-      "Together AI provides access to leading open-source models including Llama, DeepSeek, Qwen, and more.",
-      "Get your API key at: https://api.together.xyz/settings/api-keys",
-    ].join("\n"),
-    noteTitle: "Together AI",
-  },
-  "qianfan-api-key": {
-    provider: "qianfan",
-    profileId: "qianfan:default",
-    expectedProviders: ["qianfan"],
-    envLabel: "QIANFAN_API_KEY",
-    promptMessage: "Enter QIANFAN API key",
-    setCredential: setQianfanApiKey,
-    defaultModel: QIANFAN_DEFAULT_MODEL_REF,
-    applyDefaultConfig: applyQianfanConfig,
-    applyProviderConfig: applyQianfanProviderConfig,
-    noteDefault: QIANFAN_DEFAULT_MODEL_REF,
-    noteMessage: [
-      "Get your API key at: https://console.bce.baidu.com/qianfan/ais/console/apiKey",
-      "API key format: bce-v3/ALTAK-...",
-    ].join("\n"),
-    noteTitle: "QIANFAN",
-  },
-  "kilocode-api-key": {
-    provider: "kilocode",
-    profileId: "kilocode:default",
-    expectedProviders: ["kilocode"],
-    envLabel: "KILOCODE_API_KEY",
-    promptMessage: "Enter Kilo Gateway API key",
-    setCredential: setKilocodeApiKey,
-    defaultModel: KILOCODE_DEFAULT_MODEL_REF,
-    applyDefaultConfig: applyKilocodeConfig,
-    applyProviderConfig: applyKilocodeProviderConfig,
-    noteDefault: KILOCODE_DEFAULT_MODEL_REF,
-  },
-  "modelstudio-api-key-cn": {
-    provider: "modelstudio",
-    profileId: "modelstudio:default",
-    expectedProviders: ["modelstudio"],
-    envLabel: "MODELSTUDIO_API_KEY",
-    promptMessage: "Enter Alibaba Cloud Model Studio Coding Plan API key (China)",
-    setCredential: setModelStudioApiKey,
-    defaultModel: MODELSTUDIO_DEFAULT_MODEL_REF,
-    applyDefaultConfig: applyModelStudioConfigCn,
-    applyProviderConfig: applyModelStudioProviderConfigCn,
-    noteDefault: MODELSTUDIO_DEFAULT_MODEL_REF,
-    noteMessage: [
-      "Get your API key at: https://bailian.console.aliyun.com/",
-      "Endpoint: coding.dashscope.aliyuncs.com",
-      "Models: qwen3.5-plus, glm-4.7, kimi-k2.5, MiniMax-M2.5, etc.",
-    ].join("\n"),
-    noteTitle: "Alibaba Cloud Model Studio Coding Plan (China)",
-    normalize: (value) => String(value ?? "").trim(),
-    validate: (value) => (String(value ?? "").trim() ? undefined : "Required"),
-  },
-  "modelstudio-api-key": {
-    provider: "modelstudio",
-    profileId: "modelstudio:default",
-    expectedProviders: ["modelstudio"],
-    envLabel: "MODELSTUDIO_API_KEY",
-    promptMessage: "Enter Alibaba Cloud Model Studio Coding Plan API key (Global/Intl)",
-    setCredential: setModelStudioApiKey,
-    defaultModel: MODELSTUDIO_DEFAULT_MODEL_REF,
-    applyDefaultConfig: applyModelStudioConfig,
-    applyProviderConfig: applyModelStudioProviderConfig,
-    noteDefault: MODELSTUDIO_DEFAULT_MODEL_REF,
-    noteMessage: [
-      "Get your API key at: https://bailian.console.aliyun.com/",
-      "Endpoint: coding-intl.dashscope.aliyuncs.com",
-      "Models: qwen3.5-plus, glm-4.7, kimi-k2.5, MiniMax-M2.5, etc.",
-    ].join("\n"),
-    noteTitle: "Alibaba Cloud Model Studio Coding Plan (Global/Intl)",
-    normalize: (value) => String(value ?? "").trim(),
-    validate: (value) => (String(value ?? "").trim() ? undefined : "Required"),
-  },
-  "volcengine-api-key": {
-    provider: "volcengine",
-    profileId: "volcengine:default",
-    expectedProviders: ["volcengine"],
-    envLabel: "VOLCANO_ENGINE_API_KEY",
-    promptMessage: "Enter Volcano Engine API key",
-    setCredential: setVolcengineApiKey,
-    defaultModel: VOLCENGINE_DEFAULT_MODEL_REF,
-    applyDefaultConfig: (cfg) => applyPrimaryModel(cfg, VOLCENGINE_DEFAULT_MODEL_REF),
-    applyProviderConfig: (cfg) =>
-      ensureModelAllowlistEntry({
-        cfg,
-        modelRef: VOLCENGINE_DEFAULT_MODEL_REF,
-      }),
-    noteDefault: VOLCENGINE_DEFAULT_MODEL_REF,
-  },
-  "byteplus-api-key": {
-    provider: "byteplus",
-    profileId: "byteplus:default",
-    expectedProviders: ["byteplus"],
-    envLabel: "BYTEPLUS_API_KEY",
-    promptMessage: "Enter BytePlus API key",
-    setCredential: setByteplusApiKey,
-    defaultModel: BYTEPLUS_DEFAULT_MODEL_REF,
-    applyDefaultConfig: (cfg) => applyPrimaryModel(cfg, BYTEPLUS_DEFAULT_MODEL_REF),
-    applyProviderConfig: (cfg) =>
-      ensureModelAllowlistEntry({
-        cfg,
-        modelRef: BYTEPLUS_DEFAULT_MODEL_REF,
-      }),
-    noteDefault: BYTEPLUS_DEFAULT_MODEL_REF,
-  },
-  "synthetic-api-key": {
-    provider: "synthetic",
-    profileId: "synthetic:default",
-    expectedProviders: ["synthetic"],
-    envLabel: "SYNTHETIC_API_KEY",
-    promptMessage: "Enter Synthetic API key",
-    setCredential: setSyntheticApiKey,
-    defaultModel: SYNTHETIC_DEFAULT_MODEL_REF,
-    applyDefaultConfig: applySyntheticConfig,
-    applyProviderConfig: applySyntheticProviderConfig,
-    normalize: (value) => String(value ?? "").trim(),
-    validate: (value) => (String(value ?? "").trim() ? undefined : "Required"),
-  },
-};
-
-async function applyApiKeyProviderWithDefaultModel({
-  params,
-  config,
-  setConfig,
-  getConfig,
-  normalizedTokenProvider,
-  requestedSecretInputMode,
-  applyProviderDefaultModel,
-  getAgentModelOverride,
-  provider,
-  profileId,
-  expectedProviders,
-  envLabel,
-  promptMessage,
-  setCredential,
-  defaultModel,
-  applyDefaultConfig,
-  applyProviderConfig,
-  noteMessage,
-  noteTitle,
-  tokenProvider = normalizedTokenProvider,
-  normalize = normalizeApiKeyInput,
-  validate = validateApiKeyInput,
-  noteDefault = defaultModel,
-}: ApplyApiKeyProviderParams & {
-  provider: Parameters<typeof ensureApiKeyFromOptionEnvOrPrompt>[0]["provider"];
-  profileId: string;
-  expectedProviders: string[];
-  envLabel: string;
-  promptMessage: string;
-  setCredential: (apiKey: SecretInput, mode?: SecretInputMode) => void | Promise<void>;
-  defaultModel: string;
-  applyDefaultConfig: ApiKeyProviderConfigApplier;
-  applyProviderConfig: ApiKeyProviderConfigApplier;
-  noteMessage?: string;
-  noteTitle?: string;
-  tokenProvider?: string;
-  normalize?: (value: string) => string;
-  validate?: (value: string) => string | undefined;
-  noteDefault?: string;
-}): Promise<ApplyAuthChoiceResult> {
-  let nextConfig = config;
-
-  await ensureApiKeyFromOptionEnvOrPrompt({
-    token: params.opts?.token,
-    provider,
-    tokenProvider,
-    secretInputMode: requestedSecretInputMode,
-    config: nextConfig,
-    expectedProviders,
-    envLabel,
-    promptMessage,
-    setCredential: async (apiKey, mode) => {
-      await setCredential(apiKey, mode);
-    },
-    noteMessage,
-    noteTitle,
-    normalize,
-    validate,
-    prompter: params.prompter,
-  });
-
-  nextConfig = applyAuthProfileConfig(nextConfig, {
-    profileId,
-    provider,
-    mode: "api_key",
-  });
-  setConfig(nextConfig);
-  await applyProviderDefaultModel({
-    defaultModel,
-    applyDefaultConfig,
-    applyProviderConfig,
-    noteDefault,
-  });
-
-  return { config: getConfig(), agentModelOverride: getAgentModelOverride() };
-}
-
 export async function applyLiteLlmApiKeyProvider({
   params,
   authChoice,
@@ -544,50 +98,3 @@ export async function applyLiteLlmApiKeyProvider({
   });
   return { config: getConfig(), agentModelOverride: getAgentModelOverride() };
 }
-
-export async function applySimpleAuthChoiceApiProvider({
-  params,
-  authChoice,
-  config,
-  setConfig,
-  getConfig,
-  normalizedTokenProvider,
-  requestedSecretInputMode,
-  applyProviderDefaultModel,
-  getAgentModelOverride,
-}: ApplyApiKeyProviderParams): Promise<ApplyAuthChoiceResult | null> {
-  const simpleApiKeyProviderFlow = SIMPLE_API_KEY_PROVIDER_FLOWS[authChoice];
-  if (!simpleApiKeyProviderFlow) {
-    return null;
-  }
-
-  return await applyApiKeyProviderWithDefaultModel({
-    params,
-    authChoice,
-    config,
-    setConfig,
-    getConfig,
-    normalizedTokenProvider,
-    requestedSecretInputMode,
-    applyProviderDefaultModel,
-    getAgentModelOverride,
-    provider: simpleApiKeyProviderFlow.provider,
-    profileId: simpleApiKeyProviderFlow.profileId,
-    expectedProviders: simpleApiKeyProviderFlow.expectedProviders,
-    envLabel: simpleApiKeyProviderFlow.envLabel,
-    promptMessage: simpleApiKeyProviderFlow.promptMessage,
-    setCredential: async (apiKey, mode) =>
-      simpleApiKeyProviderFlow.setCredential(apiKey, params.agentDir, {
-        secretInputMode: mode ?? requestedSecretInputMode,
-      }),
-    defaultModel: simpleApiKeyProviderFlow.defaultModel,
-    applyDefaultConfig: simpleApiKeyProviderFlow.applyDefaultConfig,
-    applyProviderConfig: simpleApiKeyProviderFlow.applyProviderConfig,
-    noteDefault: simpleApiKeyProviderFlow.noteDefault,
-    noteMessage: simpleApiKeyProviderFlow.noteMessage,
-    noteTitle: simpleApiKeyProviderFlow.noteTitle,
-    tokenProvider: simpleApiKeyProviderFlow.tokenProvider,
-    normalize: simpleApiKeyProviderFlow.normalize,
-    validate: simpleApiKeyProviderFlow.validate,
-  });
-}
diff --git a/src/commands/auth-choice.apply.api-providers.ts b/src/commands/auth-choice.apply.api-providers.ts
index eef881c2b13..6376dd51c7d 100644
--- a/src/commands/auth-choice.apply.api-providers.ts
+++ b/src/commands/auth-choice.apply.api-providers.ts
@@ -1,71 +1,23 @@
-import { normalizeApiKeyInput, validateApiKeyInput } from "./auth-choice.api-key.js";
+import { resolveManifestProviderApiKeyChoice } from "../plugins/provider-auth-choices.js";
 import {
-  normalizeSecretInputModeInput,
-  createAuthChoiceAgentModelNoter,
   createAuthChoiceDefaultModelApplierForMutableState,
-  ensureApiKeyFromOptionEnvOrPrompt,
+  normalizeSecretInputModeInput,
   normalizeTokenProviderInput,
 } from "./auth-choice.apply-helpers.js";
-import {
-  applyLiteLlmApiKeyProvider,
-  applySimpleAuthChoiceApiProvider,
-} from "./auth-choice.apply.api-key-providers.js";
-import { applyAuthChoiceHuggingface } from "./auth-choice.apply.huggingface.js";
+import { applyLiteLlmApiKeyProvider } from "./auth-choice.apply.api-key-providers.js";
 import type { ApplyAuthChoiceParams, ApplyAuthChoiceResult } from "./auth-choice.apply.js";
-import { applyAuthChoiceOpenRouter } from "./auth-choice.apply.openrouter.js";
-import {
-  applyGoogleGeminiModelDefault,
-  GOOGLE_GEMINI_DEFAULT_MODEL,
-} from "./google-gemini-model-default.js";
-import {
-  applyAuthProfileConfig,
-  applyCloudflareAiGatewayConfig,
-  applyCloudflareAiGatewayProviderConfig,
-  applyZaiConfig,
-  applyZaiProviderConfig,
-  CLOUDFLARE_AI_GATEWAY_DEFAULT_MODEL_REF,
-  setCloudflareAiGatewayConfig,
-  setGeminiApiKey,
-  setZaiApiKey,
-  ZAI_DEFAULT_MODEL_REF,
-} from "./onboard-auth.js";
 import type { AuthChoice } from "./onboard-types.js";
-import { detectZaiEndpoint } from "./zai-endpoint-detect.js";
 
-const API_KEY_TOKEN_PROVIDER_AUTH_CHOICE: Record<string, AuthChoice> = {
-  openrouter: "openrouter-api-key",
+const CORE_API_KEY_TOKEN_PROVIDER_AUTH_CHOICES: Partial<Record<string, AuthChoice>> = {
   litellm: "litellm-api-key",
-  "vercel-ai-gateway": "ai-gateway-api-key",
-  "cloudflare-ai-gateway": "cloudflare-ai-gateway-api-key",
-  moonshot: "moonshot-api-key",
-  "kimi-code": "kimi-code-api-key",
-  "kimi-coding": "kimi-code-api-key",
-  google: "gemini-api-key",
-  zai: "zai-api-key",
-  xiaomi: "xiaomi-api-key",
-  synthetic: "synthetic-api-key",
-  venice: "venice-api-key",
-  together: "together-api-key",
-  huggingface: "huggingface-api-key",
-  mistral: "mistral-api-key",
-  opencode: "opencode-zen",
-  "opencode-go": "opencode-go",
-  kilocode: "kilocode-api-key",
-  qianfan: "qianfan-api-key",
-};
-
-const ZAI_AUTH_CHOICE_ENDPOINT: Partial<
-  Record<AuthChoice, "global" | "cn" | "coding-global" | "coding-cn">
-> = {
-  "zai-coding-global": "coding-global",
-  "zai-coding-cn": "coding-cn",
-  "zai-global": "global",
-  "zai-cn": "cn",
 };
 
 export function normalizeApiKeyTokenProviderAuthChoice(params: {
   authChoice: AuthChoice;
   tokenProvider?: string;
+  config?: ApplyAuthChoiceParams["config"];
+  workspaceDir?: string;
+  env?: NodeJS.ProcessEnv;
 }): AuthChoice {
   if (params.authChoice !== "apiKey" || !params.tokenProvider) {
     return params.authChoice;
@@ -74,10 +26,16 @@ export function normalizeApiKeyTokenProviderAuthChoice(params: {
   if (!normalizedTokenProvider) {
     return params.authChoice;
   }
-  if (normalizedTokenProvider === "anthropic" || normalizedTokenProvider === "openai") {
-    return params.authChoice;
-  }
-  return API_KEY_TOKEN_PROVIDER_AUTH_CHOICE[normalizedTokenProvider] ?? params.authChoice;
+  return (
+    (resolveManifestProviderApiKeyChoice({
+      providerId: normalizedTokenProvider,
+      config: params.config,
+      workspaceDir: params.workspaceDir,
+      env: params.env,
+    })?.choiceId as AuthChoice | undefined) ??
+    CORE_API_KEY_TOKEN_PROVIDER_AUTH_CHOICES[normalizedTokenProvider] ??
+    params.authChoice
+  );
 }
 
 export async function applyAuthChoiceApiProviders(
@@ -85,7 +43,6 @@ export async function applyAuthChoiceApiProviders(
 ): Promise<ApplyAuthChoiceResult | null> {
   let nextConfig = params.config;
   let agentModelOverride: string | undefined;
-  const noteAgentModel = createAuthChoiceAgentModelNoter(params);
   const applyProviderDefaultModel = createAuthChoiceDefaultModelApplierForMutableState(
     params,
     () => nextConfig,
@@ -97,14 +54,12 @@ export async function applyAuthChoiceApiProviders(
   const authChoice = normalizeApiKeyTokenProviderAuthChoice({
     authChoice: params.authChoice,
     tokenProvider: params.opts?.tokenProvider,
+    config: params.config,
+    env: process.env,
   });
   const normalizedTokenProvider = normalizeTokenProviderInput(params.opts?.tokenProvider);
   const requestedSecretInputMode = normalizeSecretInputModeInput(params.opts?.secretInputMode);
 
-  if (authChoice === "openrouter-api-key") {
-    return applyAuthChoiceOpenRouter(params);
-  }
-
   const litellmResult = await applyLiteLlmApiKeyProvider({
     params,
     authChoice,
@@ -120,218 +75,5 @@ export async function applyAuthChoiceApiProviders(
     return litellmResult;
   }
 
-  const simpleProviderResult = await applySimpleAuthChoiceApiProvider({
-    params,
-    authChoice,
-    config: nextConfig,
-    setConfig: (config) => (nextConfig = config),
-    getConfig: () => nextConfig,
-    normalizedTokenProvider,
-    requestedSecretInputMode,
-    applyProviderDefaultModel,
-    getAgentModelOverride: () => agentModelOverride,
-  });
-  if (simpleProviderResult) {
-    return simpleProviderResult;
-  }
-
-  if (authChoice === "cloudflare-ai-gateway-api-key") {
-    let accountId = params.opts?.cloudflareAiGatewayAccountId?.trim() ?? "";
-    let gatewayId = params.opts?.cloudflareAiGatewayGatewayId?.trim() ?? "";
-
-    const ensureAccountGateway = async () => {
-      if (!accountId) {
-        const value = await params.prompter.text({
-          message: "Enter Cloudflare Account ID",
-          validate: (val) => (String(val ?? "").trim() ? undefined : "Account ID is required"),
-        });
-        accountId = String(value ?? "").trim();
-      }
-      if (!gatewayId) {
-        const value = await params.prompter.text({
-          message: "Enter Cloudflare AI Gateway ID",
-          validate: (val) => (String(val ?? "").trim() ? undefined : "Gateway ID is required"),
-        });
-        gatewayId = String(value ?? "").trim();
-      }
-    };
-
-    await ensureAccountGateway();
-
-    await ensureApiKeyFromOptionEnvOrPrompt({
-      token: params.opts?.cloudflareAiGatewayApiKey,
-      tokenProvider: "cloudflare-ai-gateway",
-      secretInputMode: requestedSecretInputMode,
-      config: nextConfig,
-      expectedProviders: ["cloudflare-ai-gateway"],
-      provider: "cloudflare-ai-gateway",
-      envLabel: "CLOUDFLARE_AI_GATEWAY_API_KEY",
-      promptMessage: "Enter Cloudflare AI Gateway API key",
-      normalize: normalizeApiKeyInput,
-      validate: validateApiKeyInput,
-      prompter: params.prompter,
-      setCredential: async (apiKey, mode) =>
-        setCloudflareAiGatewayConfig(accountId, gatewayId, apiKey, params.agentDir, {
-          secretInputMode: mode,
-        }),
-    });
-
-    nextConfig = applyAuthProfileConfig(nextConfig, {
-      profileId: "cloudflare-ai-gateway:default",
-      provider: "cloudflare-ai-gateway",
-      mode: "api_key",
-    });
-    await applyProviderDefaultModel({
-      defaultModel: CLOUDFLARE_AI_GATEWAY_DEFAULT_MODEL_REF,
-      applyDefaultConfig: (cfg) =>
-        applyCloudflareAiGatewayConfig(cfg, {
-          accountId: accountId || params.opts?.cloudflareAiGatewayAccountId,
-          gatewayId: gatewayId || params.opts?.cloudflareAiGatewayGatewayId,
-        }),
-      applyProviderConfig: (cfg) =>
-        applyCloudflareAiGatewayProviderConfig(cfg, {
-          accountId: accountId || params.opts?.cloudflareAiGatewayAccountId,
-          gatewayId: gatewayId || params.opts?.cloudflareAiGatewayGatewayId,
-        }),
-      noteDefault: CLOUDFLARE_AI_GATEWAY_DEFAULT_MODEL_REF,
-    });
-    return { config: nextConfig, agentModelOverride };
-  }
-
-  if (authChoice === "gemini-api-key") {
-    await ensureApiKeyFromOptionEnvOrPrompt({
-      token: params.opts?.token,
-      provider: "google",
-      tokenProvider: normalizedTokenProvider,
-      secretInputMode: requestedSecretInputMode,
-      config: nextConfig,
-      expectedProviders: ["google"],
-      envLabel: "GEMINI_API_KEY",
-      promptMessage: "Enter Gemini API key",
-      normalize: normalizeApiKeyInput,
-      validate: validateApiKeyInput,
-      prompter: params.prompter,
-      setCredential: async (apiKey, mode) =>
-        setGeminiApiKey(apiKey, params.agentDir, { secretInputMode: mode }),
-    });
-    nextConfig = applyAuthProfileConfig(nextConfig, {
-      profileId: "google:default",
-      provider: "google",
-      mode: "api_key",
-    });
-    if (params.setDefaultModel) {
-      const applied = applyGoogleGeminiModelDefault(nextConfig);
-      nextConfig = applied.next;
-      if (applied.changed) {
-        await params.prompter.note(
-          `Default model set to ${GOOGLE_GEMINI_DEFAULT_MODEL}`,
-          "Model configured",
-        );
-      }
-    } else {
-      agentModelOverride = GOOGLE_GEMINI_DEFAULT_MODEL;
-      await noteAgentModel(GOOGLE_GEMINI_DEFAULT_MODEL);
-    }
-    return { config: nextConfig, agentModelOverride };
-  }
-
-  if (
-    authChoice === "zai-api-key" ||
-    authChoice === "zai-coding-global" ||
-    authChoice === "zai-coding-cn" ||
-    authChoice === "zai-global" ||
-    authChoice === "zai-cn"
-  ) {
-    let endpoint = ZAI_AUTH_CHOICE_ENDPOINT[authChoice];
-
-    const apiKey = await ensureApiKeyFromOptionEnvOrPrompt({
-      token: params.opts?.token,
-      provider: "zai",
-      tokenProvider: normalizedTokenProvider,
-      secretInputMode: requestedSecretInputMode,
-      config: nextConfig,
-      expectedProviders: ["zai"],
-      envLabel: "ZAI_API_KEY",
-      promptMessage: "Enter Z.AI API key",
-      normalize: normalizeApiKeyInput,
-      validate: validateApiKeyInput,
-      prompter: params.prompter,
-      setCredential: async (apiKey, mode) =>
-        setZaiApiKey(apiKey, params.agentDir, { secretInputMode: mode }),
-    });
-
-    let modelIdOverride: string | undefined;
-    if (endpoint) {
-      const detected = await detectZaiEndpoint({ apiKey, endpoint });
-      if (detected) {
-        modelIdOverride = detected.modelId;
-        await params.prompter.note(detected.note, "Z.AI endpoint");
-      }
-    } else {
-      // zai-api-key: auto-detect endpoint + choose a working default model.
-      const detected = await detectZaiEndpoint({ apiKey });
-      if (detected) {
-        endpoint = detected.endpoint;
-        modelIdOverride = detected.modelId;
-        await params.prompter.note(detected.note, "Z.AI endpoint");
-      } else {
-        endpoint = await params.prompter.select({
-          message: "Select Z.AI endpoint",
-          options: [
-            {
-              value: "coding-global",
-              label: "Coding-Plan-Global",
-              hint: "GLM Coding Plan Global (api.z.ai)",
-            },
-            {
-              value: "coding-cn",
-              label: "Coding-Plan-CN",
-              hint: "GLM Coding Plan CN (open.bigmodel.cn)",
-            },
-            {
-              value: "global",
-              label: "Global",
-              hint: "Z.AI Global (api.z.ai)",
-            },
-            {
-              value: "cn",
-              label: "CN",
-              hint: "Z.AI CN (open.bigmodel.cn)",
-            },
-          ],
-          initialValue: "global",
-        });
-      }
-    }
-
-    nextConfig = applyAuthProfileConfig(nextConfig, {
-      profileId: "zai:default",
-      provider: "zai",
-      mode: "api_key",
-    });
-
-    const defaultModel = modelIdOverride ? `zai/${modelIdOverride}` : ZAI_DEFAULT_MODEL_REF;
-    await applyProviderDefaultModel({
-      defaultModel,
-      applyDefaultConfig: (config) =>
-        applyZaiConfig(config, {
-          endpoint,
-          ...(modelIdOverride ? { modelId: modelIdOverride } : {}),
-        }),
-      applyProviderConfig: (config) =>
-        applyZaiProviderConfig(config, {
-          endpoint,
-          ...(modelIdOverride ? { modelId: modelIdOverride } : {}),
-        }),
-      noteDefault: defaultModel,
-    });
-
-    return { config: nextConfig, agentModelOverride };
-  }
-
-  if (authChoice === "huggingface-api-key") {
-    return applyAuthChoiceHuggingface({ ...params, authChoice });
-  }
-
   return null;
 }
diff --git a/src/commands/auth-choice.apply.huggingface.test.ts b/src/commands/auth-choice.apply.huggingface.test.ts
deleted file mode 100644
index 5b55252067f..00000000000
--- a/src/commands/auth-choice.apply.huggingface.test.ts
+++ /dev/null
@@ -1,194 +0,0 @@
-import { afterEach, describe, expect, it, vi } from "vitest";
-import { resolveAgentModelPrimaryValue } from "../config/model-input.js";
-import type { WizardPrompter } from "../wizard/prompts.js";
-import { applyAuthChoiceHuggingface } from "./auth-choice.apply.huggingface.js";
-import {
-  createAuthTestLifecycle,
-  createExitThrowingRuntime,
-  createWizardPrompter,
-  readAuthProfilesForAgent,
-  setupAuthTestEnv,
-} from "./test-wizard-helpers.js";
-
-function createHuggingfacePrompter(params: {
-  text: WizardPrompter["text"];
-  select: WizardPrompter["select"];
-  confirm?: WizardPrompter["confirm"];
-  note?: WizardPrompter["note"];
-}): WizardPrompter {
-  const overrides: Partial<WizardPrompter> = {
-    text: params.text,
-    select: params.select,
-  };
-  if (params.confirm) {
-    overrides.confirm = params.confirm;
-  }
-  if (params.note) {
-    overrides.note = params.note;
-  }
-  return createWizardPrompter(overrides, { defaultSelect: "" });
-}
-
-type ApplyHuggingfaceParams = Parameters<typeof applyAuthChoiceHuggingface>[0];
-
-async function runHuggingfaceApply(
-  params: Omit<ApplyHuggingfaceParams, "authChoice" | "setDefaultModel"> &
-    Partial<Pick<ApplyHuggingfaceParams, "setDefaultModel">>,
-) {
-  return await applyAuthChoiceHuggingface({
-    authChoice: "huggingface-api-key",
-    setDefaultModel: params.setDefaultModel ?? true,
-    ...params,
-  });
-}
-
-describe("applyAuthChoiceHuggingface", () => {
-  const lifecycle = createAuthTestLifecycle([
-    "OPENCLAW_STATE_DIR",
-    "OPENCLAW_AGENT_DIR",
-    "PI_CODING_AGENT_DIR",
-    "HF_TOKEN",
-    "HUGGINGFACE_HUB_TOKEN",
-  ]);
-
-  async function setupTempState() {
-    const env = await setupAuthTestEnv("openclaw-hf-");
-    lifecycle.setStateDir(env.stateDir);
-    return env.agentDir;
-  }
-
-  async function readAuthProfiles(agentDir: string) {
-    return await readAuthProfilesForAgent<{
-      profiles?: Record<string, { key?: string }>;
-    }>(agentDir);
-  }
-
-  afterEach(async () => {
-    await lifecycle.cleanup();
-  });
-
-  it("returns null when authChoice is not huggingface-api-key", async () => {
-    const result = await applyAuthChoiceHuggingface({
-      authChoice: "openrouter-api-key",
-      config: {},
-      prompter: {} as WizardPrompter,
-      runtime: createExitThrowingRuntime(),
-      setDefaultModel: false,
-    });
-    expect(result).toBeNull();
-  });
-
-  it("prompts for key and model, then writes config and auth profile", async () => {
-    const agentDir = await setupTempState();
-
-    const text = vi.fn().mockResolvedValue("hf-test-token");
-    const select: WizardPrompter["select"] = vi.fn(
-      async (params) => params.options?.[0]?.value as never,
-    );
-    const prompter = createHuggingfacePrompter({ text, select });
-    const runtime = createExitThrowingRuntime();
-
-    const result = await runHuggingfaceApply({
-      config: {},
-      prompter,
-      runtime,
-    });
-
-    expect(result).not.toBeNull();
-    expect(result?.config.auth?.profiles?.["huggingface:default"]).toMatchObject({
-      provider: "huggingface",
-      mode: "api_key",
-    });
-    expect(resolveAgentModelPrimaryValue(result?.config.agents?.defaults?.model)).toMatch(
-      /^huggingface\/.+/,
-    );
-    expect(text).toHaveBeenCalledWith(
-      expect.objectContaining({ message: expect.stringContaining("Hugging Face") }),
-    );
-    expect(select).toHaveBeenCalledWith(
-      expect.objectContaining({ message: "Default Hugging Face model" }),
-    );
-
-    const parsed = await readAuthProfiles(agentDir);
-    expect(parsed.profiles?.["huggingface:default"]?.key).toBe("hf-test-token");
-  });
-
-  it.each([
-    {
-      caseName: "does not prompt to reuse env token when opts.token already provided",
-      tokenProvider: "huggingface",
-      token: "hf-opts-token",
-      envToken: "hf-env-token",
-    },
-    {
-      caseName: "accepts mixed-case tokenProvider from opts without prompting",
-      tokenProvider: "  HuGgInGfAcE  ",
-      token: "hf-opts-mixed",
-      envToken: undefined,
-    },
-  ])("$caseName", async ({ tokenProvider, token, envToken }) => {
-    const agentDir = await setupTempState();
-    if (envToken) {
-      process.env.HF_TOKEN = envToken;
-    } else {
-      delete process.env.HF_TOKEN;
-    }
-    delete process.env.HUGGINGFACE_HUB_TOKEN;
-
-    const text = vi.fn().mockResolvedValue("hf-text-token");
-    const select: WizardPrompter["select"] = vi.fn(
-      async (params) => params.options?.[0]?.value as never,
-    );
-    const confirm = vi.fn(async () => true);
-    const prompter = createHuggingfacePrompter({ text, select, confirm });
-    const runtime = createExitThrowingRuntime();
-
-    const result = await runHuggingfaceApply({
-      config: {},
-      prompter,
-      runtime,
-      opts: {
-        tokenProvider,
-        token,
-      },
-    });
-
-    expect(result).not.toBeNull();
-    expect(confirm).not.toHaveBeenCalled();
-    expect(text).not.toHaveBeenCalled();
-
-    const parsed = await readAuthProfiles(agentDir);
-    expect(parsed.profiles?.["huggingface:default"]?.key).toBe(token);
-  });
-
-  it("notes when selected Hugging Face model uses a locked router policy", async () => {
-    await setupTempState();
-    delete process.env.HF_TOKEN;
-    delete process.env.HUGGINGFACE_HUB_TOKEN;
-
-    const text = vi.fn().mockResolvedValue("hf-test-token");
-    const select: WizardPrompter["select"] = vi.fn(async (params) => {
-      const options = (params.options ?? []) as Array<{ value: string }>;
-      const cheapest = options.find((option) => option.value.endsWith(":cheapest"));
-      return (cheapest?.value ?? options[0]?.value ?? "") as never;
-    });
-    const note: WizardPrompter["note"] = vi.fn(async () => {});
-    const prompter = createHuggingfacePrompter({ text, select, note });
-    const runtime = createExitThrowingRuntime();
-
-    const result = await runHuggingfaceApply({
-      config: {},
-      prompter,
-      runtime,
-    });
-
-    expect(result).not.toBeNull();
-    expect(String(resolveAgentModelPrimaryValue(result?.config.agents?.defaults?.model))).toContain(
-      ":cheapest",
-    );
-    expect(note).toHaveBeenCalledWith(
-      "Provider locked — router will choose backend by cost or speed.",
-      "Hugging Face",
-    );
-  });
-});
diff --git a/src/commands/auth-choice.apply.huggingface.ts b/src/commands/auth-choice.apply.huggingface.ts
deleted file mode 100644
index 91bfd533cb0..00000000000
--- a/src/commands/auth-choice.apply.huggingface.ts
+++ /dev/null
@@ -1,137 +0,0 @@
-import {
-  discoverHuggingfaceModels,
-  isHuggingfacePolicyLocked,
-} from "../agents/huggingface-models.js";
-import { normalizeApiKeyInput, validateApiKeyInput } from "./auth-choice.api-key.js";
-import {
-  createAuthChoiceAgentModelNoter,
-  ensureApiKeyFromOptionEnvOrPrompt,
-  normalizeSecretInputModeInput,
-} from "./auth-choice.apply-helpers.js";
-import type { ApplyAuthChoiceParams, ApplyAuthChoiceResult } from "./auth-choice.apply.js";
-import { applyDefaultModelChoice } from "./auth-choice.default-model.js";
-import { ensureModelAllowlistEntry } from "./model-allowlist.js";
-import {
-  applyAuthProfileConfig,
-  applyHuggingfaceProviderConfig,
-  setHuggingfaceApiKey,
-  HUGGINGFACE_DEFAULT_MODEL_REF,
-} from "./onboard-auth.js";
-
-export async function applyAuthChoiceHuggingface(
-  params: ApplyAuthChoiceParams,
-): Promise<ApplyAuthChoiceResult | null> {
-  if (params.authChoice !== "huggingface-api-key") {
-    return null;
-  }
-
-  let nextConfig = params.config;
-  let agentModelOverride: string | undefined;
-  const noteAgentModel = createAuthChoiceAgentModelNoter(params);
-  const requestedSecretInputMode = normalizeSecretInputModeInput(params.opts?.secretInputMode);
-
-  const hfKey = await ensureApiKeyFromOptionEnvOrPrompt({
-    token: params.opts?.token,
-    tokenProvider: params.opts?.tokenProvider,
-    secretInputMode: requestedSecretInputMode,
-    config: nextConfig,
-    expectedProviders: ["huggingface"],
-    provider: "huggingface",
-    envLabel: "Hugging Face token",
-    promptMessage: "Enter Hugging Face API key (HF token)",
-    normalize: normalizeApiKeyInput,
-    validate: validateApiKeyInput,
-    prompter: params.prompter,
-    setCredential: async (apiKey, mode) =>
-      setHuggingfaceApiKey(apiKey, params.agentDir, { secretInputMode: mode }),
-    noteMessage: [
-      "Hugging Face Inference Providers offer OpenAI-compatible chat completions.",
-      "Create a token at: https://huggingface.co/settings/tokens (fine-grained, 'Make calls to Inference Providers').",
-    ].join("\n"),
-    noteTitle: "Hugging Face",
-  });
-  nextConfig = applyAuthProfileConfig(nextConfig, {
-    profileId: "huggingface:default",
-    provider: "huggingface",
-    mode: "api_key",
-  });
-
-  const models = await discoverHuggingfaceModels(hfKey);
-  const modelRefPrefix = "huggingface/";
-  const options: { value: string; label: string }[] = [];
-  for (const m of models) {
-    const baseRef = `${modelRefPrefix}${m.id}`;
-    const label = m.name ?? m.id;
-    options.push({ value: baseRef, label });
-    options.push({ value: `${baseRef}:cheapest`, label: `${label} (cheapest)` });
-    options.push({ value: `${baseRef}:fastest`, label: `${label} (fastest)` });
-  }
-  const defaultRef = HUGGINGFACE_DEFAULT_MODEL_REF;
-  options.sort((a, b) => {
-    if (a.value === defaultRef) {
-      return -1;
-    }
-    if (b.value === defaultRef) {
-      return 1;
-    }
-    return a.label.localeCompare(b.label, undefined, { sensitivity: "base" });
-  });
-  const selectedModelRef =
-    options.length === 0
-      ? defaultRef
-      : options.length === 1
-        ? options[0].value
-        : await params.prompter.select({
-            message: "Default Hugging Face model",
-            options,
-            initialValue: options.some((o) => o.value === defaultRef)
-              ? defaultRef
-              : options[0].value,
-          });
-
-  if (isHuggingfacePolicyLocked(selectedModelRef)) {
-    await params.prompter.note(
-      "Provider locked — router will choose backend by cost or speed.",
-      "Hugging Face",
-    );
-  }
-
-  const applied = await applyDefaultModelChoice({
-    config: nextConfig,
-    setDefaultModel: params.setDefaultModel,
-    defaultModel: selectedModelRef,
-    applyDefaultConfig: (config) => {
-      const withProvider = applyHuggingfaceProviderConfig(config);
-      const existingModel = withProvider.agents?.defaults?.model;
-      const withPrimary = {
-        ...withProvider,
-        agents: {
-          ...withProvider.agents,
-          defaults: {
-            ...withProvider.agents?.defaults,
-            model: {
-              ...(existingModel && typeof existingModel === "object" && "fallbacks" in existingModel
-                ? {
-                    fallbacks: (existingModel as { fallbacks?: string[] }).fallbacks,
-                  }
-                : {}),
-              primary: selectedModelRef,
-            },
-          },
-        },
-      };
-      return ensureModelAllowlistEntry({
-        cfg: withPrimary,
-        modelRef: selectedModelRef,
-      });
-    },
-    applyProviderConfig: applyHuggingfaceProviderConfig,
-    noteDefault: selectedModelRef,
-    noteAgentModel,
-    prompter: params.prompter,
-  });
-  nextConfig = applied.config;
-  agentModelOverride = applied.agentModelOverride ?? agentModelOverride;
-
-  return { config: nextConfig, agentModelOverride };
-}
diff --git a/src/commands/auth-choice.apply.minimax.test.ts b/src/commands/auth-choice.apply.minimax.test.ts
deleted file mode 100644
index 9b5442b108c..00000000000
--- a/src/commands/auth-choice.apply.minimax.test.ts
+++ /dev/null
@@ -1,208 +0,0 @@
-import { afterEach, describe, expect, it, vi } from "vitest";
-import { resolveAgentModelPrimaryValue } from "../config/model-input.js";
-import { applyAuthChoiceMiniMax } from "./auth-choice.apply.minimax.js";
-import {
-  createAuthTestLifecycle,
-  createExitThrowingRuntime,
-  createWizardPrompter,
-  readAuthProfilesForAgent,
-  setupAuthTestEnv,
-} from "./test-wizard-helpers.js";
-
-describe("applyAuthChoiceMiniMax", () => {
-  const lifecycle = createAuthTestLifecycle([
-    "OPENCLAW_STATE_DIR",
-    "OPENCLAW_AGENT_DIR",
-    "PI_CODING_AGENT_DIR",
-    "MINIMAX_API_KEY",
-    "MINIMAX_OAUTH_TOKEN",
-  ]);
-
-  async function setupTempState() {
-    const env = await setupAuthTestEnv("openclaw-minimax-");
-    lifecycle.setStateDir(env.stateDir);
-    return env.agentDir;
-  }
-
-  async function readAuthProfiles(agentDir: string) {
-    return await readAuthProfilesForAgent<{
-      profiles?: Record<string, { key?: string; keyRef?: { source: string; id: string } }>;
-    }>(agentDir);
-  }
-
-  function resetMiniMaxEnv(): void {
-    delete process.env.MINIMAX_API_KEY;
-    delete process.env.MINIMAX_OAUTH_TOKEN;
-  }
-
-  async function runMiniMaxChoice(params: {
-    authChoice: Parameters<typeof applyAuthChoiceMiniMax>[0]["authChoice"];
-    opts?: Parameters<typeof applyAuthChoiceMiniMax>[0]["opts"];
-    env?: { apiKey?: string };
-    prompterText?: () => Promise<string>;
-  }) {
-    const agentDir = await setupTempState();
-    resetMiniMaxEnv();
-    if (params.env?.apiKey !== undefined) {
-      process.env.MINIMAX_API_KEY = params.env.apiKey;
-    }
-
-    const text = vi.fn(async () => "should-not-be-used");
-    const confirm = vi.fn(async () => true);
-    const result = await applyAuthChoiceMiniMax({
-      authChoice: params.authChoice,
-      config: {},
-      // Pass select: undefined so ref-mode uses the non-interactive fallback (same as old test behavior).
-      prompter: createWizardPrompter({
-        text: params.prompterText ?? text,
-        confirm,
-        select: undefined,
-      }),
-      runtime: createExitThrowingRuntime(),
-      setDefaultModel: true,
-      ...(params.opts ? { opts: params.opts } : {}),
-    });
-
-    return { agentDir, result, text, confirm };
-  }
-
-  afterEach(async () => {
-    await lifecycle.cleanup();
-  });
-
-  it("returns null for unrelated authChoice", async () => {
-    const result = await applyAuthChoiceMiniMax({
-      authChoice: "openrouter-api-key",
-      config: {},
-      prompter: createWizardPrompter({}),
-      runtime: createExitThrowingRuntime(),
-      setDefaultModel: true,
-    });
-
-    expect(result).toBeNull();
-  });
-
-  it.each([
-    {
-      caseName: "uses opts token for minimax-global-api without prompt",
-      authChoice: "minimax-global-api" as const,
-      tokenProvider: "minimax",
-      token: "mm-opts-token",
-      profileId: "minimax:global",
-      expectedModel: "minimax/MiniMax-M2.5",
-    },
-    {
-      caseName: "uses opts token for minimax-cn-api with trimmed/case-insensitive tokenProvider",
-      authChoice: "minimax-cn-api" as const,
-      tokenProvider: "  MINIMAX  ",
-      token: "mm-cn-opts-token",
-      profileId: "minimax:cn",
-      expectedModel: "minimax/MiniMax-M2.5",
-    },
-  ])("$caseName", async ({ authChoice, tokenProvider, token, profileId, expectedModel }) => {
-    const { agentDir, result, text, confirm } = await runMiniMaxChoice({
-      authChoice,
-      opts: { tokenProvider, token },
-    });
-
-    expect(result).not.toBeNull();
-    expect(result?.config.auth?.profiles?.[profileId]).toMatchObject({
-      provider: "minimax",
-      mode: "api_key",
-    });
-    expect(resolveAgentModelPrimaryValue(result?.config.agents?.defaults?.model)).toBe(
-      expectedModel,
-    );
-    expect(text).not.toHaveBeenCalled();
-    expect(confirm).not.toHaveBeenCalled();
-
-    const parsed = await readAuthProfiles(agentDir);
-    expect(parsed.profiles?.[profileId]?.key).toBe(token);
-  });
-
-  it.each([
-    {
-      name: "uses env token for minimax-cn-api as plaintext by default",
-      opts: undefined,
-      expectKey: "mm-env-token",
-      expectKeyRef: undefined,
-      expectConfirmCalls: 1,
-    },
-    {
-      name: "uses env token for minimax-cn-api as keyRef in ref mode",
-      opts: { secretInputMode: "ref" as const }, // pragma: allowlist secret
-      expectKey: undefined,
-      expectKeyRef: {
-        source: "env",
-        provider: "default",
-        id: "MINIMAX_API_KEY",
-      },
-      expectConfirmCalls: 0,
-    },
-  ])("$name", async ({ opts, expectKey, expectKeyRef, expectConfirmCalls }) => {
-    const { agentDir, result, text, confirm } = await runMiniMaxChoice({
-      authChoice: "minimax-cn-api",
-      opts,
-      env: { apiKey: "mm-env-token" }, // pragma: allowlist secret
-    });
-
-    expect(result).not.toBeNull();
-    if (!opts) {
-      expect(result?.config.auth?.profiles?.["minimax:cn"]).toMatchObject({
-        provider: "minimax",
-        mode: "api_key",
-      });
-      expect(resolveAgentModelPrimaryValue(result?.config.agents?.defaults?.model)).toBe(
-        "minimax/MiniMax-M2.5",
-      );
-    }
-    expect(text).not.toHaveBeenCalled();
-    expect(confirm).toHaveBeenCalledTimes(expectConfirmCalls);
-
-    const parsed = await readAuthProfiles(agentDir);
-    expect(parsed.profiles?.["minimax:cn"]?.key).toBe(expectKey);
-    if (expectKeyRef) {
-      expect(parsed.profiles?.["minimax:cn"]?.keyRef).toEqual(expectKeyRef);
-    } else {
-      expect(parsed.profiles?.["minimax:cn"]?.keyRef).toBeUndefined();
-    }
-  });
-
-  it("minimax-global-api uses minimax:global profile and minimax/MiniMax-M2.5 model", async () => {
-    const { agentDir, result, text, confirm } = await runMiniMaxChoice({
-      authChoice: "minimax-global-api",
-      opts: {
-        tokenProvider: "minimax",
-        token: "mm-global-token",
-      },
-    });
-
-    expect(result).not.toBeNull();
-    expect(result?.config.auth?.profiles?.["minimax:global"]).toMatchObject({
-      provider: "minimax",
-      mode: "api_key",
-    });
-    expect(resolveAgentModelPrimaryValue(result?.config.agents?.defaults?.model)).toBe(
-      "minimax/MiniMax-M2.5",
-    );
-    expect(result?.config.models?.providers?.minimax?.baseUrl).toContain("minimax.io");
-    expect(text).not.toHaveBeenCalled();
-    expect(confirm).not.toHaveBeenCalled();
-
-    const parsed = await readAuthProfiles(agentDir);
-    expect(parsed.profiles?.["minimax:global"]?.key).toBe("mm-global-token");
-  });
-
-  it("minimax-cn-api sets CN baseUrl", async () => {
-    const { result } = await runMiniMaxChoice({
-      authChoice: "minimax-cn-api",
-      opts: {
-        tokenProvider: "minimax",
-        token: "mm-cn-token",
-      },
-    });
-
-    expect(result).not.toBeNull();
-    expect(result?.config.models?.providers?.minimax?.baseUrl).toContain("minimaxi.com");
-  });
-});
diff --git a/src/commands/auth-choice.apply.minimax.ts b/src/commands/auth-choice.apply.minimax.ts
deleted file mode 100644
index 6438b94c043..00000000000
--- a/src/commands/auth-choice.apply.minimax.ts
+++ /dev/null
@@ -1,106 +0,0 @@
-import { normalizeApiKeyInput, validateApiKeyInput } from "./auth-choice.api-key.js";
-import {
-  createAuthChoiceDefaultModelApplierForMutableState,
-  ensureApiKeyFromOptionEnvOrPrompt,
-  normalizeSecretInputModeInput,
-} from "./auth-choice.apply-helpers.js";
-import type { ApplyAuthChoiceParams, ApplyAuthChoiceResult } from "./auth-choice.apply.js";
-import { applyAuthChoicePluginProvider } from "./auth-choice.apply.plugin-provider.js";
-import {
-  applyAuthProfileConfig,
-  applyMinimaxApiConfig,
-  applyMinimaxApiConfigCn,
-  applyMinimaxApiProviderConfig,
-  applyMinimaxApiProviderConfigCn,
-  setMinimaxApiKey,
-} from "./onboard-auth.js";
-
-export async function applyAuthChoiceMiniMax(
-  params: ApplyAuthChoiceParams,
-): Promise<ApplyAuthChoiceResult | null> {
-  // OAuth paths — delegate to plugin, no API key needed
-  if (params.authChoice === "minimax-global-oauth") {
-    return await applyAuthChoicePluginProvider(params, {
-      authChoice: "minimax-global-oauth",
-      pluginId: "minimax",
-      providerId: "minimax-portal",
-      methodId: "oauth",
-      label: "MiniMax",
-    });
-  }
-
-  if (params.authChoice === "minimax-cn-oauth") {
-    return await applyAuthChoicePluginProvider(params, {
-      authChoice: "minimax-cn-oauth",
-      pluginId: "minimax",
-      providerId: "minimax-portal",
-      methodId: "oauth-cn",
-      label: "MiniMax CN",
-    });
-  }
-
-  // API key paths
-  if (params.authChoice === "minimax-global-api" || params.authChoice === "minimax-cn-api") {
-    const isCn = params.authChoice === "minimax-cn-api";
-    const profileId = isCn ? "minimax:cn" : "minimax:global";
-    const keyLink = isCn
-      ? "https://platform.minimaxi.com/user-center/basic-information/interface-key"
-      : "https://platform.minimax.io/user-center/basic-information/interface-key";
-    const promptMessage = `Enter MiniMax ${isCn ? "CN " : ""}API key (sk-api- or sk-cp-)\n${keyLink}`;
-
-    let nextConfig = params.config;
-    let agentModelOverride: string | undefined;
-    const applyProviderDefaultModel = createAuthChoiceDefaultModelApplierForMutableState(
-      params,
-      () => nextConfig,
-      (config) => (nextConfig = config),
-      () => agentModelOverride,
-      (model) => (agentModelOverride = model),
-    );
-    const requestedSecretInputMode = normalizeSecretInputModeInput(params.opts?.secretInputMode);
-
-    // Warn when both Global and CN share the same `minimax` provider entry — configuring one
-    // overwrites the other's baseUrl. Only show when the other profile is already present.
-    const otherProfileId = isCn ? "minimax:global" : "minimax:cn";
-    const hasOtherProfile = Boolean(nextConfig.auth?.profiles?.[otherProfileId]);
-    const noteMessage = hasOtherProfile
-      ? `Note: Global and CN both use the "minimax" provider entry. Saving this key will overwrite the existing ${isCn ? "Global" : "CN"} endpoint (${otherProfileId}).`
-      : undefined;
-
-    await ensureApiKeyFromOptionEnvOrPrompt({
-      token: params.opts?.token,
-      tokenProvider: params.opts?.tokenProvider,
-      secretInputMode: requestedSecretInputMode,
-      config: nextConfig,
-      // Accept "minimax-cn" as a legacy tokenProvider alias for the CN path.
-      expectedProviders: isCn ? ["minimax", "minimax-cn"] : ["minimax"],
-      provider: "minimax",
-      envLabel: "MINIMAX_API_KEY",
-      promptMessage,
-      normalize: normalizeApiKeyInput,
-      validate: validateApiKeyInput,
-      prompter: params.prompter,
-      noteMessage,
-      setCredential: async (apiKey, mode) =>
-        setMinimaxApiKey(apiKey, params.agentDir, profileId, { secretInputMode: mode }),
-    });
-
-    nextConfig = applyAuthProfileConfig(nextConfig, {
-      profileId,
-      provider: "minimax",
-      mode: "api_key",
-    });
-
-    await applyProviderDefaultModel({
-      defaultModel: "minimax/MiniMax-M2.5",
-      applyDefaultConfig: (config) =>
-        isCn ? applyMinimaxApiConfigCn(config) : applyMinimaxApiConfig(config),
-      applyProviderConfig: (config) =>
-        isCn ? applyMinimaxApiProviderConfigCn(config) : applyMinimaxApiProviderConfig(config),
-    });
-
-    return { config: nextConfig, agentModelOverride };
-  }
-
-  return null;
-}
diff --git a/src/commands/auth-choice.apply.openrouter.ts b/src/commands/auth-choice.apply.openrouter.ts
deleted file mode 100644
index 4cf01762615..00000000000
--- a/src/commands/auth-choice.apply.openrouter.ts
+++ /dev/null
@@ -1,93 +0,0 @@
-import { ensureAuthProfileStore, resolveAuthProfileOrder } from "../agents/auth-profiles.js";
-import { normalizeApiKeyInput, validateApiKeyInput } from "./auth-choice.api-key.js";
-import {
-  createAuthChoiceAgentModelNoter,
-  ensureApiKeyFromOptionEnvOrPrompt,
-  normalizeSecretInputModeInput,
-} from "./auth-choice.apply-helpers.js";
-import type { ApplyAuthChoiceParams, ApplyAuthChoiceResult } from "./auth-choice.apply.js";
-import { applyDefaultModelChoice } from "./auth-choice.default-model.js";
-import {
-  applyAuthProfileConfig,
-  applyOpenrouterConfig,
-  applyOpenrouterProviderConfig,
-  setOpenrouterApiKey,
-  OPENROUTER_DEFAULT_MODEL_REF,
-} from "./onboard-auth.js";
-
-export async function applyAuthChoiceOpenRouter(
-  params: ApplyAuthChoiceParams,
-): Promise<ApplyAuthChoiceResult> {
-  let nextConfig = params.config;
-  let agentModelOverride: string | undefined;
-  const noteAgentModel = createAuthChoiceAgentModelNoter(params);
-  const requestedSecretInputMode = normalizeSecretInputModeInput(params.opts?.secretInputMode);
-
-  const store = ensureAuthProfileStore(params.agentDir, { allowKeychainPrompt: false });
-  const profileOrder = resolveAuthProfileOrder({
-    cfg: nextConfig,
-    store,
-    provider: "openrouter",
-  });
-  const existingProfileId = profileOrder.find((profileId) => Boolean(store.profiles[profileId]));
-  const existingCred = existingProfileId ? store.profiles[existingProfileId] : undefined;
-  let profileId = "openrouter:default";
-  let mode: "api_key" | "oauth" | "token" = "api_key";
-  let hasCredential = false;
-
-  if (existingProfileId && existingCred?.type) {
-    profileId = existingProfileId;
-    mode =
-      existingCred.type === "oauth" ? "oauth" : existingCred.type === "token" ? "token" : "api_key";
-    hasCredential = true;
-  }
-
-  if (!hasCredential && params.opts?.token && params.opts?.tokenProvider === "openrouter") {
-    await setOpenrouterApiKey(normalizeApiKeyInput(params.opts.token), params.agentDir, {
-      secretInputMode: requestedSecretInputMode,
-    });
-    hasCredential = true;
-  }
-
-  if (!hasCredential) {
-    await ensureApiKeyFromOptionEnvOrPrompt({
-      token: params.opts?.token,
-      tokenProvider: params.opts?.tokenProvider,
-      secretInputMode: requestedSecretInputMode,
-      config: nextConfig,
-      expectedProviders: ["openrouter"],
-      provider: "openrouter",
-      envLabel: "OPENROUTER_API_KEY",
-      promptMessage: "Enter OpenRouter API key",
-      normalize: normalizeApiKeyInput,
-      validate: validateApiKeyInput,
-      prompter: params.prompter,
-      setCredential: async (apiKey, mode) =>
-        setOpenrouterApiKey(apiKey, params.agentDir, { secretInputMode: mode }),
-    });
-    hasCredential = true;
-  }
-
-  if (hasCredential) {
-    nextConfig = applyAuthProfileConfig(nextConfig, {
-      profileId,
-      provider: "openrouter",
-      mode,
-    });
-  }
-
-  const applied = await applyDefaultModelChoice({
-    config: nextConfig,
-    setDefaultModel: params.setDefaultModel,
-    defaultModel: OPENROUTER_DEFAULT_MODEL_REF,
-    applyDefaultConfig: applyOpenrouterConfig,
-    applyProviderConfig: applyOpenrouterProviderConfig,
-    noteDefault: OPENROUTER_DEFAULT_MODEL_REF,
-    noteAgentModel,
-    prompter: params.prompter,
-  });
-  nextConfig = applied.config;
-  agentModelOverride = applied.agentModelOverride ?? agentModelOverride;
-
-  return { config: nextConfig, agentModelOverride };
-}
diff --git a/src/commands/auth-choice.apply.plugin-provider.ts b/src/commands/auth-choice.apply.plugin-provider.ts
index 76994d27b32..746eb219fff 100644
--- a/src/commands/auth-choice.apply.plugin-provider.ts
+++ b/src/commands/auth-choice.apply.plugin-provider.ts
@@ -29,6 +29,38 @@ export type PluginProviderAuthChoiceOptions = {
   label: string;
 };
 
+function restoreConfiguredPrimaryModel(
+  nextConfig: ApplyAuthChoiceParams["config"],
+  originalConfig: ApplyAuthChoiceParams["config"],
+): ApplyAuthChoiceParams["config"] {
+  const originalModel = originalConfig.agents?.defaults?.model;
+  const nextAgents = nextConfig.agents;
+  const nextDefaults = nextAgents?.defaults;
+  if (!nextDefaults) {
+    return nextConfig;
+  }
+  if (originalModel !== undefined) {
+    return {
+      ...nextConfig,
+      agents: {
+        ...nextAgents,
+        defaults: {
+          ...nextDefaults,
+          model: originalModel,
+        },
+      },
+    };
+  }
+  const { model: _model, ...restDefaults } = nextDefaults;
+  return {
+    ...nextConfig,
+    agents: {
+      ...nextAgents,
+      defaults: restDefaults,
+    },
+  };
+}
+
 async function loadPluginProviderRuntime() {
   return import("./auth-choice.apply.plugin-provider.runtime.js");
 }
@@ -140,14 +172,15 @@ export async function applyAuthChoiceLoadedPluginProvider(
     agentId: params.agentId,
     workspaceDir,
     secretInputMode: params.opts?.secretInputMode,
-    allowSecretRefPrompt: true,
+    allowSecretRefPrompt: false,
     opts: params.opts,
   });
 
+  let nextConfig = applied.config;
   let agentModelOverride: string | undefined;
   if (applied.defaultModel) {
     if (params.setDefaultModel) {
-      const nextConfig = applyDefaultModel(applied.config, applied.defaultModel);
+      nextConfig = applyDefaultModel(nextConfig, applied.defaultModel);
       await runProviderModelSelectedHook({
         config: nextConfig,
         model: applied.defaultModel,
@@ -161,10 +194,11 @@ export async function applyAuthChoiceLoadedPluginProvider(
       );
       return { config: nextConfig };
     }
+    nextConfig = restoreConfiguredPrimaryModel(nextConfig, params.config);
     agentModelOverride = applied.defaultModel;
   }
 
-  return { config: applied.config, agentModelOverride };
+  return { config: nextConfig, agentModelOverride };
 }
 
 export async function applyAuthChoicePluginProvider(
@@ -225,7 +259,7 @@ export async function applyAuthChoicePluginProvider(
     agentId,
     workspaceDir,
     secretInputMode: params.opts?.secretInputMode,
-    allowSecretRefPrompt: true,
+    allowSecretRefPrompt: false,
     opts: params.opts,
   });
   nextConfig = applied.config;
@@ -245,7 +279,10 @@ export async function applyAuthChoicePluginProvider(
         `Default model set to ${applied.defaultModel}`,
         "Model configured",
       );
-    } else if (params.agentId) {
+    } else {
+      nextConfig = restoreConfiguredPrimaryModel(nextConfig, params.config);
+    }
+    if (!params.setDefaultModel && params.agentId) {
       agentModelOverride = applied.defaultModel;
       await params.prompter.note(
         `Default model set to ${applied.defaultModel} for agent "${params.agentId}".`,
diff --git a/src/commands/auth-choice.apply.ts b/src/commands/auth-choice.apply.ts
index f8dab665f23..cf96b8f8905 100644
--- a/src/commands/auth-choice.apply.ts
+++ b/src/commands/auth-choice.apply.ts
@@ -4,7 +4,6 @@ import type { WizardPrompter } from "../wizard/prompts.js";
 import { normalizeLegacyOnboardAuthChoice } from "./auth-choice-legacy.js";
 import { applyAuthChoiceApiProviders } from "./auth-choice.apply.api-providers.js";
 import { normalizeApiKeyTokenProviderAuthChoice } from "./auth-choice.apply.api-providers.js";
-import { applyAuthChoiceMiniMax } from "./auth-choice.apply.minimax.js";
 import { applyAuthChoiceOAuth } from "./auth-choice.apply.oauth.js";
 import { applyAuthChoiceLoadedPluginProvider } from "./auth-choice.apply.plugin-provider.js";
 import type { AuthChoice, OnboardOptions } from "./onboard-types.js";
@@ -33,6 +32,8 @@ export async function applyAuthChoice(
   const normalizedProviderAuthChoice = normalizeApiKeyTokenProviderAuthChoice({
     authChoice: normalizedAuthChoice,
     tokenProvider: params.opts?.tokenProvider,
+    config: params.config,
+    env: process.env,
   });
   const normalizedParams =
     normalizedProviderAuthChoice === params.authChoice
@@ -42,7 +43,6 @@ export async function applyAuthChoice(
     applyAuthChoiceLoadedPluginProvider,
     applyAuthChoiceOAuth,
     applyAuthChoiceApiProviders,
-    applyAuthChoiceMiniMax,
   ];
 
   for (const handler of handlers) {
diff --git a/src/commands/auth-choice.test.ts b/src/commands/auth-choice.test.ts
index 52a6211a87f..f6ca9d29332 100644
--- a/src/commands/auth-choice.test.ts
+++ b/src/commands/auth-choice.test.ts
@@ -2,11 +2,29 @@ import fs from "node:fs/promises";
 import type { OAuthCredentials } from "@mariozechner/pi-ai";
 import { afterEach, describe, expect, it, vi } from "vitest";
 import anthropicPlugin from "../../extensions/anthropic/index.js";
+import cloudflareAiGatewayPlugin from "../../extensions/cloudflare-ai-gateway/index.js";
+import googlePlugin from "../../extensions/google/index.js";
 import huggingfacePlugin from "../../extensions/huggingface/index.js";
 import kimiCodingPlugin from "../../extensions/kimi-coding/index.js";
+import minimaxPlugin from "../../extensions/minimax/index.js";
+import mistralPlugin from "../../extensions/mistral/index.js";
+import moonshotPlugin from "../../extensions/moonshot/index.js";
 import ollamaPlugin from "../../extensions/ollama/index.js";
 import openAIPlugin from "../../extensions/openai/index.js";
+import opencodeGoPlugin from "../../extensions/opencode-go/index.js";
+import opencodePlugin from "../../extensions/opencode/index.js";
+import openrouterPlugin from "../../extensions/openrouter/index.js";
+import qianfanPlugin from "../../extensions/qianfan/index.js";
+import qwenPortalAuthPlugin from "../../extensions/qwen-portal-auth/index.js";
+import syntheticPlugin from "../../extensions/synthetic/index.js";
 import togetherPlugin from "../../extensions/together/index.js";
+import venicePlugin from "../../extensions/venice/index.js";
+import vercelAiGatewayPlugin from "../../extensions/vercel-ai-gateway/index.js";
+import xaiPlugin from "../../extensions/xai/index.js";
+import xiaomiPlugin from "../../extensions/xiaomi/index.js";
+import { setDetectZaiEndpointForTesting } from "../../extensions/zai/detect.js";
+import zaiPlugin from "../../extensions/zai/index.js";
+import { resolveAgentDir } from "../agents/agent-scope.js";
 import { resolveAgentModelPrimaryValue } from "../config/model-input.js";
 import type { ProviderPlugin } from "../plugins/types.js";
 import { createCapturedPluginRegistration } from "../test-utils/plugin-registration.js";
@@ -67,11 +85,27 @@ function createDefaultProviderPlugins() {
   const captured = createCapturedPluginRegistration();
   for (const plugin of [
     anthropicPlugin,
+    cloudflareAiGatewayPlugin,
+    googlePlugin,
     huggingfacePlugin,
     kimiCodingPlugin,
+    minimaxPlugin,
+    mistralPlugin,
+    moonshotPlugin,
     ollamaPlugin,
     openAIPlugin,
+    opencodeGoPlugin,
+    opencodePlugin,
+    openrouterPlugin,
+    qianfanPlugin,
+    qwenPortalAuthPlugin,
+    syntheticPlugin,
     togetherPlugin,
+    venicePlugin,
+    vercelAiGatewayPlugin,
+    xaiPlugin,
+    xiaomiPlugin,
+    zaiPlugin,
   ]) {
     plugin.register(captured.api);
   }
@@ -153,12 +187,14 @@ describe("applyAuthChoice", () => {
     resolvePluginProviders.mockReturnValue(createDefaultProviderPlugins());
     detectZaiEndpoint.mockReset();
     detectZaiEndpoint.mockResolvedValue(null);
+    setDetectZaiEndpointForTesting(detectZaiEndpoint);
     loginOpenAICodexOAuth.mockReset();
     loginOpenAICodexOAuth.mockResolvedValue(null);
     await lifecycle.cleanup();
     activeStateDir = null;
   });
 
+  setDetectZaiEndpointForTesting(detectZaiEndpoint);
   resolvePluginProviders.mockReturnValue(createDefaultProviderPlugins());
 
   it("does not throw when openai-codex oauth fails", async () => {
@@ -978,10 +1014,22 @@ describe("applyAuthChoice", () => {
           provider: scenario.profileProvider,
           mode: "api_key",
         });
-        expect((await readAuthProfile(scenario.profileId))?.key).toBe(scenario.token);
+        const profileStore =
+          scenario.agentId && scenario.agentId !== "default"
+            ? await readAuthProfilesForAgent<{ profiles?: Record<string, StoredAuthProfile> }>(
+                resolveAgentDir(result.config, scenario.agentId),
+              )
+            : await readAuthProfiles();
+        expect(profileStore.profiles?.[scenario.profileId]?.key).toBe(scenario.token);
       }
       if (scenario.extraProfileId) {
-        expect((await readAuthProfile(scenario.extraProfileId))?.key).toBe(scenario.token);
+        const profileStore =
+          scenario.agentId && scenario.agentId !== "default"
+            ? await readAuthProfilesForAgent<{ profiles?: Record<string, StoredAuthProfile> }>(
+                resolveAgentDir(result.config, scenario.agentId),
+              )
+            : await readAuthProfiles();
+        expect(profileStore.profiles?.[scenario.extraProfileId]?.key).toBe(scenario.token);
       }
       if (scenario.expectProviderConfigUndefined) {
         expect(
@@ -1393,6 +1441,7 @@ describe("applyAuthChoice", () => {
               id: scenario.authId,
               label: scenario.authLabel,
               kind: "device_code",
+              wizard: { choiceId: scenario.authChoice },
               run: vi.fn(async () => ({
                 profiles: [
                   {
diff --git a/src/commands/onboard-non-interactive.provider-auth.test.ts b/src/commands/onboard-non-interactive.provider-auth.test.ts
index 10de2ecbcb6..abf8362d694 100644
--- a/src/commands/onboard-non-interactive.provider-auth.test.ts
+++ b/src/commands/onboard-non-interactive.provider-auth.test.ts
@@ -1,10 +1,16 @@
 import fs from "node:fs/promises";
 import path from "node:path";
 import { setTimeout as delay } from "node:timers/promises";
-import { beforeAll, beforeEach, describe, expect, it, vi } from "vitest";
+import { beforeAll, describe, expect, it, vi } from "vitest";
 import { makeTempWorkspace } from "../test-helpers/workspace.js";
 import { withEnvAsync } from "../test-utils/env.js";
-import { MINIMAX_API_BASE_URL, MINIMAX_CN_API_BASE_URL } from "./onboard-auth.js";
+import {
+  MINIMAX_API_BASE_URL,
+  MINIMAX_CN_API_BASE_URL,
+  ZAI_CODING_CN_BASE_URL,
+  ZAI_CODING_GLOBAL_BASE_URL,
+  ZAI_GLOBAL_BASE_URL,
+} from "./onboard-auth.js";
 import {
   createThrowingRuntime,
   readJsonFile,
@@ -18,8 +24,6 @@ type OnboardEnv = {
 };
 
 const ensureWorkspaceAndSessionsMock = vi.hoisted(() => vi.fn(async (..._args: unknown[]) => {}));
-type DetectZaiEndpoint = typeof import("./zai-endpoint-detect.js").detectZaiEndpoint;
-const detectZaiEndpoint = vi.hoisted(() => vi.fn<DetectZaiEndpoint>(async () => null));
 
 vi.mock("./onboard-helpers.js", async (importOriginal) => {
   const actual = await importOriginal<typeof import("./onboard-helpers.js")>();
@@ -29,10 +33,6 @@ vi.mock("./onboard-helpers.js", async (importOriginal) => {
   };
 });
 
-vi.mock("./zai-endpoint-detect.js", () => ({
-  detectZaiEndpoint,
-}));
-
 const { runNonInteractiveSetup } = await import("./onboard-non-interactive.js");
 
 const NON_INTERACTIVE_DEFAULT_OPTIONS = {
@@ -61,6 +61,45 @@ type ProviderAuthConfigSnapshot = {
   };
 };
 
+function createZaiFetchMock(responses: Record<string, number>): typeof fetch {
+  return vi.fn(async (input, init) => {
+    const url = typeof input === "string" ? input : input instanceof URL ? input.toString() : "";
+    const parsedBody =
+      typeof init?.body === "string" ? (JSON.parse(init.body) as { model?: string }) : {};
+    const key = `${url}::${parsedBody.model ?? ""}`;
+    const status = responses[key] ?? 404;
+    return new Response(
+      JSON.stringify(
+        status === 200 ? { ok: true } : { error: { code: "unsupported", message: "unsupported" } },
+      ),
+      {
+        status,
+        headers: { "content-type": "application/json" },
+      },
+    );
+  }) as typeof fetch;
+}
+
+async function withZaiProbeFetch<T>(
+  responses: Record<string, number>,
+  run: (fetchMock: typeof fetch) => Promise<T>,
+): Promise<T> {
+  const originalVitest = process.env.VITEST;
+  delete process.env.VITEST;
+  const fetchMock = createZaiFetchMock(responses);
+  vi.stubGlobal("fetch", fetchMock);
+  try {
+    return await run(fetchMock);
+  } finally {
+    vi.unstubAllGlobals();
+    if (originalVitest === undefined) {
+      delete process.env.VITEST;
+    } else {
+      process.env.VITEST = originalVitest;
+    }
+  }
+}
+
 async function removeDirWithRetry(dir: string): Promise<void> {
   for (let attempt = 0; attempt < 5; attempt += 1) {
     try {
@@ -186,11 +225,6 @@ describe("onboard (non-interactive): provider auth", () => {
     ({ ensureAuthProfileStore, upsertAuthProfile } = await import("../agents/auth-profiles.js"));
   });
 
-  beforeEach(() => {
-    detectZaiEndpoint.mockReset();
-    detectZaiEndpoint.mockResolvedValue(null);
-  });
-
   it("stores MiniMax API key and uses global baseUrl by default", async () => {
     await withOnboardEnv("openclaw-onboard-minimax-", async (env) => {
       const cfg = await runOnboardingAndReadConfig(env, {
@@ -230,62 +264,68 @@ describe("onboard (non-interactive): provider auth", () => {
   });
 
   it("stores Z.AI API key and uses global baseUrl by default", async () => {
-    await withOnboardEnv("openclaw-onboard-zai-", async (env) => {
-      detectZaiEndpoint.mockResolvedValueOnce({
-        endpoint: "global",
-        baseUrl: "https://api.z.ai/api/paas/v4",
-        modelId: "glm-5",
-        note: "Verified GLM-5 on global endpoint.",
-      });
-      const cfg = await runOnboardingAndReadConfig(env, {
-        authChoice: "zai-api-key",
-        zaiApiKey: "zai-test-key", // pragma: allowlist secret
-      });
+    await withZaiProbeFetch(
+      {
+        [`${ZAI_GLOBAL_BASE_URL}/chat/completions::glm-5`]: 200,
+      },
+      async (fetchMock) =>
+        await withOnboardEnv("openclaw-onboard-zai-", async (env) => {
+          const cfg = await runOnboardingAndReadConfig(env, {
+            authChoice: "zai-api-key",
+            zaiApiKey: "zai-test-key", // pragma: allowlist secret
+          });
 
-      expect(cfg.auth?.profiles?.["zai:default"]?.provider).toBe("zai");
-      expect(cfg.auth?.profiles?.["zai:default"]?.mode).toBe("api_key");
-      expect(cfg.models?.providers?.zai?.baseUrl).toBe("https://api.z.ai/api/paas/v4");
-      expect(cfg.agents?.defaults?.model?.primary).toBe("zai/glm-5");
-      await expectApiKeyProfile({ profileId: "zai:default", provider: "zai", key: "zai-test-key" });
-    });
+          expect(cfg.auth?.profiles?.["zai:default"]?.provider).toBe("zai");
+          expect(cfg.auth?.profiles?.["zai:default"]?.mode).toBe("api_key");
+          expect(cfg.models?.providers?.zai?.baseUrl).toBe(ZAI_GLOBAL_BASE_URL);
+          expect(cfg.agents?.defaults?.model?.primary).toBe("zai/glm-5");
+          expect(fetchMock).toHaveBeenCalled();
+          await expectApiKeyProfile({
+            profileId: "zai:default",
+            provider: "zai",
+            key: "zai-test-key",
+          });
+        }),
+    );
   });
 
   it("supports Z.AI CN coding endpoint auth choice", async () => {
-    await withOnboardEnv("openclaw-onboard-zai-cn-", async (env) => {
-      detectZaiEndpoint.mockResolvedValueOnce({
-        endpoint: "coding-cn",
-        baseUrl: "https://open.bigmodel.cn/api/coding/paas/v4",
-        modelId: "glm-4.7",
-        note: "Coding Plan CN endpoint verified, but this key/plan does not expose GLM-5 there. Defaulting to GLM-4.7.",
-      });
-      const cfg = await runOnboardingAndReadConfig(env, {
-        authChoice: "zai-coding-cn",
-        zaiApiKey: "zai-test-key", // pragma: allowlist secret
-      });
+    await withZaiProbeFetch(
+      {
+        [`${ZAI_CODING_CN_BASE_URL}/chat/completions::glm-5`]: 404,
+        [`${ZAI_CODING_CN_BASE_URL}/chat/completions::glm-4.7`]: 200,
+      },
+      async (fetchMock) =>
+        await withOnboardEnv("openclaw-onboard-zai-cn-", async (env) => {
+          const cfg = await runOnboardingAndReadConfig(env, {
+            authChoice: "zai-coding-cn",
+            zaiApiKey: "zai-test-key", // pragma: allowlist secret
+          });
 
-      expect(cfg.models?.providers?.zai?.baseUrl).toBe(
-        "https://open.bigmodel.cn/api/coding/paas/v4",
-      );
-      expect(cfg.agents?.defaults?.model?.primary).toBe("zai/glm-4.7");
-    });
+          expect(cfg.models?.providers?.zai?.baseUrl).toBe(ZAI_CODING_CN_BASE_URL);
+          expect(cfg.agents?.defaults?.model?.primary).toBe("zai/glm-4.7");
+          expect(fetchMock).toHaveBeenCalled();
+        }),
+    );
   });
 
   it("supports Z.AI Coding Plan global endpoint with GLM-5 when available", async () => {
-    await withOnboardEnv("openclaw-onboard-zai-coding-global-", async (env) => {
-      detectZaiEndpoint.mockResolvedValueOnce({
-        endpoint: "coding-global",
-        baseUrl: "https://api.z.ai/api/coding/paas/v4",
-        modelId: "glm-5",
-        note: "Verified GLM-5 on coding-global endpoint.",
-      });
-      const cfg = await runOnboardingAndReadConfig(env, {
-        authChoice: "zai-coding-global",
-        zaiApiKey: "zai-test-key", // pragma: allowlist secret
-      });
+    await withZaiProbeFetch(
+      {
+        [`${ZAI_CODING_GLOBAL_BASE_URL}/chat/completions::glm-5`]: 200,
+      },
+      async (fetchMock) =>
+        await withOnboardEnv("openclaw-onboard-zai-coding-global-", async (env) => {
+          const cfg = await runOnboardingAndReadConfig(env, {
+            authChoice: "zai-coding-global",
+            zaiApiKey: "zai-test-key", // pragma: allowlist secret
+          });
 
-      expect(cfg.models?.providers?.zai?.baseUrl).toBe("https://api.z.ai/api/coding/paas/v4");
-      expect(cfg.agents?.defaults?.model?.primary).toBe("zai/glm-5");
-    });
+          expect(cfg.models?.providers?.zai?.baseUrl).toBe(ZAI_CODING_GLOBAL_BASE_URL);
+          expect(cfg.agents?.defaults?.model?.primary).toBe("zai/glm-5");
+          expect(fetchMock).toHaveBeenCalled();
+        }),
+    );
   });
 
   it("stores xAI API key and sets default model", async () => {
diff --git a/src/commands/onboard-non-interactive/local/auth-choice.api-key-providers.ts b/src/commands/onboard-non-interactive/local/auth-choice.api-key-providers.ts
index a04dda68fd1..4c0454401ad 100644
--- a/src/commands/onboard-non-interactive/local/auth-choice.api-key-providers.ts
+++ b/src/commands/onboard-non-interactive/local/auth-choice.api-key-providers.ts
@@ -1,499 +1,22 @@
 import type { OpenClawConfig } from "../../../config/config.js";
 import type { SecretInput } from "../../../config/types.secrets.js";
 import type { RuntimeEnv } from "../../../runtime.js";
-import { applyGoogleGeminiModelDefault } from "../../google-gemini-model-default.js";
-import { applyPrimaryModel } from "../../model-picker.js";
 import {
   applyAuthProfileConfig,
-  applyHuggingfaceConfig,
-  applyKilocodeConfig,
-  applyKimiCodeConfig,
   applyLitellmConfig,
-  applyMistralConfig,
-  applyModelStudioConfig,
-  applyModelStudioConfigCn,
-  applyMoonshotConfig,
-  applyMoonshotConfigCn,
-  applyOpencodeGoConfig,
-  applyOpencodeZenConfig,
-  applyOpenrouterConfig,
-  applyQianfanConfig,
-  applySyntheticConfig,
-  applyTogetherConfig,
-  applyVeniceConfig,
-  applyVercelAiGatewayConfig,
-  applyXaiConfig,
-  applyXiaomiConfig,
-  setAnthropicApiKey,
-  setGeminiApiKey,
-  setHuggingfaceApiKey,
-  setKilocodeApiKey,
-  setKimiCodingApiKey,
   setLitellmApiKey,
-  setMistralApiKey,
-  setModelStudioApiKey,
-  setMoonshotApiKey,
-  setOpenaiApiKey,
-  setOpencodeGoApiKey,
-  setOpencodeZenApiKey,
-  setOpenrouterApiKey,
-  setQianfanApiKey,
-  setSyntheticApiKey,
-  setTogetherApiKey,
-  setVeniceApiKey,
-  setVercelAiGatewayApiKey,
-  setVolcengineApiKey,
-  setXaiApiKey,
-  setXiaomiApiKey,
-  setByteplusApiKey,
 } from "../../onboard-auth.js";
 import type { AuthChoice, OnboardOptions } from "../../onboard-types.js";
-import { applyOpenAIConfig } from "../../openai-model-default.js";
 
 type ApiKeyStorageOptions = {
   secretInputMode: "plaintext" | "ref";
 };
 
-type SimpleApiKeyAuthChoice = {
-  authChoices: AuthChoice[];
-  provider: string;
-  flagValue?: string;
-  flagName: `--${string}`;
-  envVar: string;
-  profileId: string;
-  setCredential: (value: SecretInput, options?: ApiKeyStorageOptions) => Promise<void> | void;
-  applyConfig: (cfg: OpenClawConfig) => OpenClawConfig;
-};
-
 type ResolvedNonInteractiveApiKey = {
   key: string;
   source: "profile" | "env" | "flag";
 };
 
-function buildSimpleApiKeyAuthChoices(params: { opts: OnboardOptions }): SimpleApiKeyAuthChoice[] {
-  const withStorage =
-    (
-      setter: (
-        value: SecretInput,
-        agentDir?: string,
-        options?: ApiKeyStorageOptions,
-      ) => Promise<void> | void,
-    ) =>
-    (value: SecretInput, options?: ApiKeyStorageOptions) =>
-      setter(value, undefined, options);
-
-  return [
-    {
-      authChoices: ["apiKey"],
-      provider: "anthropic",
-      flagValue: params.opts.anthropicApiKey,
-      flagName: "--anthropic-api-key",
-      envVar: "ANTHROPIC_API_KEY",
-      profileId: "anthropic:default",
-      setCredential: withStorage(setAnthropicApiKey),
-      applyConfig: (cfg) =>
-        applyAuthProfileConfig(cfg, {
-          profileId: "anthropic:default",
-          provider: "anthropic",
-          mode: "api_key",
-        }),
-    },
-    {
-      authChoices: ["gemini-api-key"],
-      provider: "google",
-      flagValue: params.opts.geminiApiKey,
-      flagName: "--gemini-api-key",
-      envVar: "GEMINI_API_KEY",
-      profileId: "google:default",
-      setCredential: withStorage(setGeminiApiKey),
-      applyConfig: (cfg) =>
-        applyGoogleGeminiModelDefault(
-          applyAuthProfileConfig(cfg, {
-            profileId: "google:default",
-            provider: "google",
-            mode: "api_key",
-          }),
-        ).next,
-    },
-    {
-      authChoices: ["xiaomi-api-key"],
-      provider: "xiaomi",
-      flagValue: params.opts.xiaomiApiKey,
-      flagName: "--xiaomi-api-key",
-      envVar: "XIAOMI_API_KEY",
-      profileId: "xiaomi:default",
-      setCredential: withStorage(setXiaomiApiKey),
-      applyConfig: (cfg) =>
-        applyXiaomiConfig(
-          applyAuthProfileConfig(cfg, {
-            profileId: "xiaomi:default",
-            provider: "xiaomi",
-            mode: "api_key",
-          }),
-        ),
-    },
-    {
-      authChoices: ["xai-api-key"],
-      provider: "xai",
-      flagValue: params.opts.xaiApiKey,
-      flagName: "--xai-api-key",
-      envVar: "XAI_API_KEY",
-      profileId: "xai:default",
-      setCredential: withStorage(setXaiApiKey),
-      applyConfig: (cfg) =>
-        applyXaiConfig(
-          applyAuthProfileConfig(cfg, {
-            profileId: "xai:default",
-            provider: "xai",
-            mode: "api_key",
-          }),
-        ),
-    },
-    {
-      authChoices: ["mistral-api-key"],
-      provider: "mistral",
-      flagValue: params.opts.mistralApiKey,
-      flagName: "--mistral-api-key",
-      envVar: "MISTRAL_API_KEY",
-      profileId: "mistral:default",
-      setCredential: withStorage(setMistralApiKey),
-      applyConfig: (cfg) =>
-        applyMistralConfig(
-          applyAuthProfileConfig(cfg, {
-            profileId: "mistral:default",
-            provider: "mistral",
-            mode: "api_key",
-          }),
-        ),
-    },
-    {
-      authChoices: ["volcengine-api-key"],
-      provider: "volcengine",
-      flagValue: params.opts.volcengineApiKey,
-      flagName: "--volcengine-api-key",
-      envVar: "VOLCANO_ENGINE_API_KEY",
-      profileId: "volcengine:default",
-      setCredential: withStorage(setVolcengineApiKey),
-      applyConfig: (cfg) =>
-        applyPrimaryModel(
-          applyAuthProfileConfig(cfg, {
-            profileId: "volcengine:default",
-            provider: "volcengine",
-            mode: "api_key",
-          }),
-          "volcengine-plan/ark-code-latest",
-        ),
-    },
-    {
-      authChoices: ["byteplus-api-key"],
-      provider: "byteplus",
-      flagValue: params.opts.byteplusApiKey,
-      flagName: "--byteplus-api-key",
-      envVar: "BYTEPLUS_API_KEY",
-      profileId: "byteplus:default",
-      setCredential: withStorage(setByteplusApiKey),
-      applyConfig: (cfg) =>
-        applyPrimaryModel(
-          applyAuthProfileConfig(cfg, {
-            profileId: "byteplus:default",
-            provider: "byteplus",
-            mode: "api_key",
-          }),
-          "byteplus-plan/ark-code-latest",
-        ),
-    },
-    {
-      authChoices: ["qianfan-api-key"],
-      provider: "qianfan",
-      flagValue: params.opts.qianfanApiKey,
-      flagName: "--qianfan-api-key",
-      envVar: "QIANFAN_API_KEY",
-      profileId: "qianfan:default",
-      setCredential: withStorage(setQianfanApiKey),
-      applyConfig: (cfg) =>
-        applyQianfanConfig(
-          applyAuthProfileConfig(cfg, {
-            profileId: "qianfan:default",
-            provider: "qianfan",
-            mode: "api_key",
-          }),
-        ),
-    },
-    {
-      authChoices: ["modelstudio-api-key-cn"],
-      provider: "modelstudio",
-      flagValue: params.opts.modelstudioApiKeyCn,
-      flagName: "--modelstudio-api-key-cn",
-      envVar: "MODELSTUDIO_API_KEY",
-      profileId: "modelstudio:default",
-      setCredential: withStorage(setModelStudioApiKey),
-      applyConfig: (cfg) =>
-        applyModelStudioConfigCn(
-          applyAuthProfileConfig(cfg, {
-            profileId: "modelstudio:default",
-            provider: "modelstudio",
-            mode: "api_key",
-          }),
-        ),
-    },
-    {
-      authChoices: ["modelstudio-api-key"],
-      provider: "modelstudio",
-      flagValue: params.opts.modelstudioApiKey,
-      flagName: "--modelstudio-api-key",
-      envVar: "MODELSTUDIO_API_KEY",
-      profileId: "modelstudio:default",
-      setCredential: withStorage(setModelStudioApiKey),
-      applyConfig: (cfg) =>
-        applyModelStudioConfig(
-          applyAuthProfileConfig(cfg, {
-            profileId: "modelstudio:default",
-            provider: "modelstudio",
-            mode: "api_key",
-          }),
-        ),
-    },
-    {
-      authChoices: ["openai-api-key"],
-      provider: "openai",
-      flagValue: params.opts.openaiApiKey,
-      flagName: "--openai-api-key",
-      envVar: "OPENAI_API_KEY",
-      profileId: "openai:default",
-      setCredential: withStorage(setOpenaiApiKey),
-      applyConfig: (cfg) =>
-        applyOpenAIConfig(
-          applyAuthProfileConfig(cfg, {
-            profileId: "openai:default",
-            provider: "openai",
-            mode: "api_key",
-          }),
-        ),
-    },
-    {
-      authChoices: ["openrouter-api-key"],
-      provider: "openrouter",
-      flagValue: params.opts.openrouterApiKey,
-      flagName: "--openrouter-api-key",
-      envVar: "OPENROUTER_API_KEY",
-      profileId: "openrouter:default",
-      setCredential: withStorage(setOpenrouterApiKey),
-      applyConfig: (cfg) =>
-        applyOpenrouterConfig(
-          applyAuthProfileConfig(cfg, {
-            profileId: "openrouter:default",
-            provider: "openrouter",
-            mode: "api_key",
-          }),
-        ),
-    },
-    {
-      authChoices: ["kilocode-api-key"],
-      provider: "kilocode",
-      flagValue: params.opts.kilocodeApiKey,
-      flagName: "--kilocode-api-key",
-      envVar: "KILOCODE_API_KEY",
-      profileId: "kilocode:default",
-      setCredential: withStorage(setKilocodeApiKey),
-      applyConfig: (cfg) =>
-        applyKilocodeConfig(
-          applyAuthProfileConfig(cfg, {
-            profileId: "kilocode:default",
-            provider: "kilocode",
-            mode: "api_key",
-          }),
-        ),
-    },
-    {
-      authChoices: ["litellm-api-key"],
-      provider: "litellm",
-      flagValue: params.opts.litellmApiKey,
-      flagName: "--litellm-api-key",
-      envVar: "LITELLM_API_KEY",
-      profileId: "litellm:default",
-      setCredential: withStorage(setLitellmApiKey),
-      applyConfig: (cfg) =>
-        applyLitellmConfig(
-          applyAuthProfileConfig(cfg, {
-            profileId: "litellm:default",
-            provider: "litellm",
-            mode: "api_key",
-          }),
-        ),
-    },
-    {
-      authChoices: ["ai-gateway-api-key"],
-      provider: "vercel-ai-gateway",
-      flagValue: params.opts.aiGatewayApiKey,
-      flagName: "--ai-gateway-api-key",
-      envVar: "AI_GATEWAY_API_KEY",
-      profileId: "vercel-ai-gateway:default",
-      setCredential: withStorage(setVercelAiGatewayApiKey),
-      applyConfig: (cfg) =>
-        applyVercelAiGatewayConfig(
-          applyAuthProfileConfig(cfg, {
-            profileId: "vercel-ai-gateway:default",
-            provider: "vercel-ai-gateway",
-            mode: "api_key",
-          }),
-        ),
-    },
-    {
-      authChoices: ["moonshot-api-key"],
-      provider: "moonshot",
-      flagValue: params.opts.moonshotApiKey,
-      flagName: "--moonshot-api-key",
-      envVar: "MOONSHOT_API_KEY",
-      profileId: "moonshot:default",
-      setCredential: withStorage(setMoonshotApiKey),
-      applyConfig: (cfg) =>
-        applyMoonshotConfig(
-          applyAuthProfileConfig(cfg, {
-            profileId: "moonshot:default",
-            provider: "moonshot",
-            mode: "api_key",
-          }),
-        ),
-    },
-    {
-      authChoices: ["moonshot-api-key-cn"],
-      provider: "moonshot",
-      flagValue: params.opts.moonshotApiKey,
-      flagName: "--moonshot-api-key",
-      envVar: "MOONSHOT_API_KEY",
-      profileId: "moonshot:default",
-      setCredential: withStorage(setMoonshotApiKey),
-      applyConfig: (cfg) =>
-        applyMoonshotConfigCn(
-          applyAuthProfileConfig(cfg, {
-            profileId: "moonshot:default",
-            provider: "moonshot",
-            mode: "api_key",
-          }),
-        ),
-    },
-    {
-      authChoices: ["kimi-code-api-key"],
-      provider: "kimi-coding",
-      flagValue: params.opts.kimiCodeApiKey,
-      flagName: "--kimi-code-api-key",
-      envVar: "KIMI_API_KEY",
-      profileId: "kimi-coding:default",
-      setCredential: withStorage(setKimiCodingApiKey),
-      applyConfig: (cfg) =>
-        applyKimiCodeConfig(
-          applyAuthProfileConfig(cfg, {
-            profileId: "kimi-coding:default",
-            provider: "kimi-coding",
-            mode: "api_key",
-          }),
-        ),
-    },
-    {
-      authChoices: ["synthetic-api-key"],
-      provider: "synthetic",
-      flagValue: params.opts.syntheticApiKey,
-      flagName: "--synthetic-api-key",
-      envVar: "SYNTHETIC_API_KEY",
-      profileId: "synthetic:default",
-      setCredential: withStorage(setSyntheticApiKey),
-      applyConfig: (cfg) =>
-        applySyntheticConfig(
-          applyAuthProfileConfig(cfg, {
-            profileId: "synthetic:default",
-            provider: "synthetic",
-            mode: "api_key",
-          }),
-        ),
-    },
-    {
-      authChoices: ["venice-api-key"],
-      provider: "venice",
-      flagValue: params.opts.veniceApiKey,
-      flagName: "--venice-api-key",
-      envVar: "VENICE_API_KEY",
-      profileId: "venice:default",
-      setCredential: withStorage(setVeniceApiKey),
-      applyConfig: (cfg) =>
-        applyVeniceConfig(
-          applyAuthProfileConfig(cfg, {
-            profileId: "venice:default",
-            provider: "venice",
-            mode: "api_key",
-          }),
-        ),
-    },
-    {
-      authChoices: ["opencode-zen"],
-      provider: "opencode",
-      flagValue: params.opts.opencodeZenApiKey,
-      flagName: "--opencode-zen-api-key",
-      envVar: "OPENCODE_API_KEY (or OPENCODE_ZEN_API_KEY)",
-      profileId: "opencode:default",
-      setCredential: withStorage(setOpencodeZenApiKey),
-      applyConfig: (cfg) =>
-        applyOpencodeZenConfig(
-          applyAuthProfileConfig(cfg, {
-            profileId: "opencode:default",
-            provider: "opencode",
-            mode: "api_key",
-          }),
-        ),
-    },
-    {
-      authChoices: ["opencode-go"],
-      provider: "opencode-go",
-      flagValue: params.opts.opencodeGoApiKey,
-      flagName: "--opencode-go-api-key",
-      envVar: "OPENCODE_API_KEY",
-      profileId: "opencode-go:default",
-      setCredential: withStorage(setOpencodeGoApiKey),
-      applyConfig: (cfg) =>
-        applyOpencodeGoConfig(
-          applyAuthProfileConfig(cfg, {
-            profileId: "opencode-go:default",
-            provider: "opencode-go",
-            mode: "api_key",
-          }),
-        ),
-    },
-    {
-      authChoices: ["together-api-key"],
-      provider: "together",
-      flagValue: params.opts.togetherApiKey,
-      flagName: "--together-api-key",
-      envVar: "TOGETHER_API_KEY",
-      profileId: "together:default",
-      setCredential: withStorage(setTogetherApiKey),
-      applyConfig: (cfg) =>
-        applyTogetherConfig(
-          applyAuthProfileConfig(cfg, {
-            profileId: "together:default",
-            provider: "together",
-            mode: "api_key",
-          }),
-        ),
-    },
-    {
-      authChoices: ["huggingface-api-key"],
-      provider: "huggingface",
-      flagValue: params.opts.huggingfaceApiKey,
-      flagName: "--huggingface-api-key",
-      envVar: "HF_TOKEN",
-      profileId: "huggingface:default",
-      setCredential: withStorage(setHuggingfaceApiKey),
-      applyConfig: (cfg) =>
-        applyHuggingfaceConfig(
-          applyAuthProfileConfig(cfg, {
-            profileId: "huggingface:default",
-            provider: "huggingface",
-            mode: "api_key",
-          }),
-        ),
-    },
-  ];
-}
-
 export async function applySimpleNonInteractiveApiKeyChoice(params: {
   authChoice: AuthChoice;
   nextConfig: OpenClawConfig;
@@ -514,19 +37,16 @@ export async function applySimpleNonInteractiveApiKeyChoice(params: {
     setter: (value: SecretInput) => Promise<void> | void,
   ) => Promise<boolean>;
 }): Promise<OpenClawConfig | null | undefined> {
-  const definition = buildSimpleApiKeyAuthChoices({
-    opts: params.opts,
-  }).find((entry) => entry.authChoices.includes(params.authChoice));
-  if (!definition) {
+  if (params.authChoice !== "litellm-api-key") {
     return undefined;
   }
 
   const resolved = await params.resolveApiKey({
-    provider: definition.provider,
+    provider: "litellm",
     cfg: params.baseConfig,
-    flagValue: definition.flagValue,
-    flagName: definition.flagName,
-    envVar: definition.envVar,
+    flagValue: params.opts.litellmApiKey,
+    flagName: "--litellm-api-key",
+    envVar: "LITELLM_API_KEY",
     runtime: params.runtime,
   });
   if (!resolved) {
@@ -534,10 +54,16 @@ export async function applySimpleNonInteractiveApiKeyChoice(params: {
   }
   if (
     !(await params.maybeSetResolvedApiKey(resolved, (value) =>
-      definition.setCredential(value, params.apiKeyStorageOptions),
+      setLitellmApiKey(value, undefined, params.apiKeyStorageOptions),
     ))
   ) {
     return null;
   }
-  return definition.applyConfig(params.nextConfig);
+  return applyLitellmConfig(
+    applyAuthProfileConfig(params.nextConfig, {
+      profileId: "litellm:default",
+      provider: "litellm",
+      mode: "api_key",
+    }),
+  );
 }
diff --git a/src/commands/onboard-non-interactive/local/auth-choice.plugin-providers.ts b/src/commands/onboard-non-interactive/local/auth-choice.plugin-providers.ts
index 0cc8d2883a1..8d9b820fc52 100644
--- a/src/commands/onboard-non-interactive/local/auth-choice.plugin-providers.ts
+++ b/src/commands/onboard-non-interactive/local/auth-choice.plugin-providers.ts
@@ -84,6 +84,8 @@ export async function applyNonInteractivePluginProviderChoice(params: {
     providers: resolvePluginProviders({
       config: resolutionConfig,
       workspaceDir,
+      bundledProviderAllowlistCompat: true,
+      bundledProviderVitestCompat: true,
     }),
     choice: params.authChoice,
   });
diff --git a/src/commands/onboard-non-interactive/local/auth-choice.ts b/src/commands/onboard-non-interactive/local/auth-choice.ts
index 5c61e247c89..c52be44afda 100644
--- a/src/commands/onboard-non-interactive/local/auth-choice.ts
+++ b/src/commands/onboard-non-interactive/local/auth-choice.ts
@@ -4,15 +4,11 @@ import type { SecretInput } from "../../../config/types.secrets.js";
 import type { RuntimeEnv } from "../../../runtime.js";
 import { resolveDefaultSecretProviderAlias } from "../../../secrets/ref-contract.js";
 import { normalizeSecretInputModeInput } from "../../auth-choice.apply-helpers.js";
+import { normalizeApiKeyTokenProviderAuthChoice } from "../../auth-choice.apply.api-providers.js";
 import {
   applyAuthProfileConfig,
   applyCloudflareAiGatewayConfig,
-  applyMinimaxApiConfig,
-  applyMinimaxApiConfigCn,
-  applyZaiConfig,
   setCloudflareAiGatewayConfig,
-  setMinimaxApiKey,
-  setZaiApiKey,
 } from "../../onboard-auth.js";
 import {
   applyCustomApiConfig,
@@ -21,7 +17,6 @@ import {
   resolveCustomProviderId,
 } from "../../onboard-custom.js";
 import type { AuthChoice, OnboardOptions } from "../../onboard-types.js";
-import { detectZaiEndpoint } from "../../zai-endpoint-detect.js";
 import { resolveNonInteractiveApiKey } from "../api-keys.js";
 import { applySimpleNonInteractiveApiKeyChoice } from "./auth-choice.api-key-providers.js";
 import { applyNonInteractivePluginProviderChoice } from "./auth-choice.plugin-providers.js";
@@ -37,7 +32,13 @@ export async function applyNonInteractiveAuthChoice(params: {
   runtime: RuntimeEnv;
   baseConfig: OpenClawConfig;
 }): Promise<OpenClawConfig | null> {
-  const { authChoice, opts, runtime, baseConfig } = params;
+  const { opts, runtime, baseConfig } = params;
+  const authChoice = normalizeApiKeyTokenProviderAuthChoice({
+    authChoice: params.authChoice,
+    tokenProvider: opts.tokenProvider,
+    config: params.nextConfig,
+    env: process.env,
+  });
   let nextConfig = params.nextConfig;
   const requestedSecretInputMode = normalizeSecretInputModeInput(opts.secretInputMode);
   if (opts.secretInputMode && !requestedSecretInputMode) {
@@ -188,72 +189,6 @@ export async function applyNonInteractiveAuthChoice(params: {
     return simpleApiKeyChoice;
   }
 
-  if (
-    authChoice === "zai-api-key" ||
-    authChoice === "zai-coding-global" ||
-    authChoice === "zai-coding-cn" ||
-    authChoice === "zai-global" ||
-    authChoice === "zai-cn"
-  ) {
-    const resolved = await resolveApiKey({
-      provider: "zai",
-      cfg: baseConfig,
-      flagValue: opts.zaiApiKey,
-      flagName: "--zai-api-key",
-      envVar: "ZAI_API_KEY",
-      runtime,
-    });
-    if (!resolved) {
-      return null;
-    }
-    if (
-      !(await maybeSetResolvedApiKey(resolved, (value) =>
-        setZaiApiKey(value, undefined, apiKeyStorageOptions),
-      ))
-    ) {
-      return null;
-    }
-    nextConfig = applyAuthProfileConfig(nextConfig, {
-      profileId: "zai:default",
-      provider: "zai",
-      mode: "api_key",
-    });
-
-    // Determine endpoint from authChoice or detect from the API key.
-    let endpoint: "global" | "cn" | "coding-global" | "coding-cn" | undefined;
-    let modelIdOverride: string | undefined;
-
-    if (authChoice === "zai-coding-global") {
-      endpoint = "coding-global";
-    } else if (authChoice === "zai-coding-cn") {
-      endpoint = "coding-cn";
-    } else if (authChoice === "zai-global") {
-      endpoint = "global";
-    } else if (authChoice === "zai-cn") {
-      endpoint = "cn";
-    }
-
-    if (endpoint) {
-      const detected = await detectZaiEndpoint({ apiKey: resolved.key, endpoint });
-      if (detected) {
-        modelIdOverride = detected.modelId;
-      }
-    } else {
-      const detected = await detectZaiEndpoint({ apiKey: resolved.key });
-      if (detected) {
-        endpoint = detected.endpoint;
-        modelIdOverride = detected.modelId;
-      } else {
-        endpoint = "global";
-      }
-    }
-
-    return applyZaiConfig(nextConfig, {
-      endpoint,
-      ...(modelIdOverride ? { modelId: modelIdOverride } : {}),
-    });
-  }
-
   if (authChoice === "cloudflare-ai-gateway-api-key") {
     const accountId = opts.cloudflareAiGatewayAccountId?.trim() ?? "";
     const gatewayId = opts.cloudflareAiGatewayGatewayId?.trim() ?? "";
@@ -320,38 +255,6 @@ export async function applyNonInteractiveAuthChoice(params: {
     return null;
   }
 
-  if (authChoice === "minimax-global-api" || authChoice === "minimax-cn-api") {
-    const isCn = authChoice === "minimax-cn-api";
-    const profileId = isCn ? "minimax:cn" : "minimax:global";
-    const resolved = await resolveApiKey({
-      provider: "minimax",
-      cfg: baseConfig,
-      flagValue: opts.minimaxApiKey,
-      flagName: "--minimax-api-key",
-      envVar: "MINIMAX_API_KEY",
-      runtime,
-      // Disable profile fallback: both regions share provider "minimax", so an existing
-      // Global profile key must not be silently reused when configuring CN (and vice versa).
-      allowProfile: false,
-    });
-    if (!resolved) {
-      return null;
-    }
-    if (
-      !(await maybeSetResolvedApiKey(resolved, (value) =>
-        setMinimaxApiKey(value, undefined, profileId, apiKeyStorageOptions),
-      ))
-    ) {
-      return null;
-    }
-    nextConfig = applyAuthProfileConfig(nextConfig, {
-      profileId,
-      provider: "minimax",
-      mode: "api_key",
-    });
-    return isCn ? applyMinimaxApiConfigCn(nextConfig) : applyMinimaxApiConfig(nextConfig);
-  }
-
   if (authChoice === "custom-api-key") {
     try {
       const customAuth = parseNonInteractiveCustomApiFlags({
diff --git a/src/plugins/config-state.ts b/src/plugins/config-state.ts
index e43e23631cb..46070deab34 100644
--- a/src/plugins/config-state.ts
+++ b/src/plugins/config-state.ts
@@ -24,6 +24,7 @@ export type NormalizedPluginsConfig = {
 };
 
 export const BUNDLED_ENABLED_BY_DEFAULT = new Set<string>([
+  "amazon-bedrock",
   "anthropic",
   "byteplus",
   "cloudflare-ai-gateway",
diff --git a/src/plugins/provider-api-key-auth.ts b/src/plugins/provider-api-key-auth.ts
index df8e172fcfb..75fa4afb77d 100644
--- a/src/plugins/provider-api-key-auth.ts
+++ b/src/plugins/provider-api-key-auth.ts
@@ -1,6 +1,7 @@
 import { upsertAuthProfile } from "../agents/auth-profiles.js";
 import { normalizeApiKeyInput, validateApiKeyInput } from "../commands/auth-choice.api-key.js";
 import { ensureApiKeyFromOptionEnvOrPrompt } from "../commands/auth-choice.apply-helpers.js";
+import { applyPrimaryModel } from "../commands/model-picker.js";
 import { buildApiKeyCredential } from "../commands/onboard-auth.credentials.js";
 import { applyAuthProfileConfig } from "../commands/onboard-auth.js";
 import type { OpenClawConfig } from "../config/config.js";
@@ -23,6 +24,8 @@ type ProviderApiKeyAuthMethodOptions = {
   envVar: string;
   promptMessage: string;
   profileId?: string;
+  profileIds?: string[];
+  allowProfile?: boolean;
   defaultModel?: string;
   expectedProviders?: string[];
   metadata?: Record<string, string>;
@@ -39,18 +42,39 @@ function resolveProfileId(params: { providerId: string; profileId?: string }) {
   return params.profileId?.trim() || `${params.providerId}:default`;
 }
 
+function resolveProfileIds(params: {
+  providerId: string;
+  profileId?: string;
+  profileIds?: string[];
+}) {
+  const explicit = Array.from(
+    new Set((params.profileIds ?? []).map((value) => value.trim()).filter(Boolean)),
+  );
+  if (explicit.length > 0) {
+    return explicit;
+  }
+  return [resolveProfileId(params)];
+}
+
 function applyApiKeyConfig(params: {
   ctx: ProviderAuthMethodNonInteractiveContext;
   providerId: string;
-  profileId: string;
+  profileIds: string[];
+  defaultModel?: string;
   applyConfig?: (cfg: OpenClawConfig) => OpenClawConfig;
 }) {
-  const next = applyAuthProfileConfig(params.ctx.config, {
-    profileId: params.profileId,
-    provider: params.providerId,
-    mode: "api_key",
-  });
-  return params.applyConfig ? params.applyConfig(next) : next;
+  let next = params.ctx.config;
+  for (const profileId of params.profileIds) {
+    next = applyAuthProfileConfig(next, {
+      profileId,
+      provider: profileId.split(":", 1)[0]?.trim() || params.providerId,
+      mode: "api_key",
+    });
+  }
+  if (params.applyConfig) {
+    next = params.applyConfig(next);
+  }
+  return params.defaultModel ? applyPrimaryModel(next, params.defaultModel) : next;
 }
 
 export function createProviderApiKeyAuthMethod(
@@ -99,19 +123,19 @@ export function createProviderApiKeyAuthMethod(
         throw new Error(`Missing API key input for provider "${params.providerId}".`);
       }
       const credentialInput = capturedSecretInput ?? "";
+      const profileIds = resolveProfileIds(params);
 
       return {
-        profiles: [
-          {
-            profileId: resolveProfileId(params),
-            credential: buildApiKeyCredential(
-              params.providerId,
-              credentialInput,
-              params.metadata,
-              capturedMode ? { secretInputMode: capturedMode } : undefined,
-            ),
-          },
-        ],
+        profiles: profileIds.map((profileId) => ({
+          profileId,
+          credential: buildApiKeyCredential(
+            profileId.split(":", 1)[0]?.trim() || params.providerId,
+            credentialInput,
+            params.metadata,
+            capturedMode ? { secretInputMode: capturedMode } : undefined,
+          ),
+        })),
+        ...(params.applyConfig ? { configPatch: params.applyConfig(ctx.config) } : {}),
         ...(params.defaultModel ? { defaultModel: params.defaultModel } : {}),
       };
     },
@@ -122,32 +146,36 @@ export function createProviderApiKeyAuthMethod(
         flagValue: resolveStringOption(opts, params.optionKey),
         flagName: params.flagName,
         envVar: params.envVar,
+        ...(params.allowProfile === false ? { allowProfile: false } : {}),
       });
       if (!resolved) {
         return null;
       }
 
-      const profileId = resolveProfileId(params);
+      const profileIds = resolveProfileIds(params);
       if (resolved.source !== "profile") {
-        const credential = ctx.toApiKeyCredential({
-          provider: params.providerId,
-          resolved,
-          ...(params.metadata ? { metadata: params.metadata } : {}),
-        });
-        if (!credential) {
-          return null;
+        for (const profileId of profileIds) {
+          const credential = ctx.toApiKeyCredential({
+            provider: profileId.split(":", 1)[0]?.trim() || params.providerId,
+            resolved,
+            ...(params.metadata ? { metadata: params.metadata } : {}),
+          });
+          if (!credential) {
+            return null;
+          }
+          upsertAuthProfile({
+            profileId,
+            credential,
+            agentDir: ctx.agentDir,
+          });
         }
-        upsertAuthProfile({
-          profileId,
-          credential,
-          agentDir: ctx.agentDir,
-        });
       }
 
       return applyApiKeyConfig({
         ctx,
         providerId: params.providerId,
-        profileId,
+        profileIds,
+        defaultModel: params.defaultModel,
         applyConfig: params.applyConfig,
       });
     },
diff --git a/src/plugins/provider-auth-choices.ts b/src/plugins/provider-auth-choices.ts
index 1d583c618f4..86388d9b6e5 100644
--- a/src/plugins/provider-auth-choices.ts
+++ b/src/plugins/provider-auth-choices.ts
@@ -1,3 +1,4 @@
+import { normalizeProviderIdForAuth } from "../agents/model-selection.js";
 import type { OpenClawConfig } from "../config/config.js";
 import { loadPluginManifestRegistry } from "./manifest-registry.js";
 
@@ -72,6 +73,25 @@ export function resolveManifestProviderAuthChoice(
   );
 }
 
+export function resolveManifestProviderApiKeyChoice(params: {
+  providerId: string;
+  config?: OpenClawConfig;
+  workspaceDir?: string;
+  env?: NodeJS.ProcessEnv;
+}): ProviderAuthChoiceMetadata | undefined {
+  const normalizedProviderId = normalizeProviderIdForAuth(params.providerId);
+  if (!normalizedProviderId) {
+    return undefined;
+  }
+
+  return resolveManifestProviderAuthChoices(params).find((choice) => {
+    if (!choice.optionKey) {
+      return false;
+    }
+    return normalizeProviderIdForAuth(choice.providerId) === normalizedProviderId;
+  });
+}
+
 export function resolveManifestProviderOnboardAuthFlags(params?: {
   config?: OpenClawConfig;
   workspaceDir?: string;
diff --git a/src/plugins/types.ts b/src/plugins/types.ts
index 04da1293a09..b9b6e801214 100644
--- a/src/plugins/types.ts
+++ b/src/plugins/types.ts
@@ -107,6 +107,13 @@ export type ProviderAuthKind = "oauth" | "api_key" | "token" | "device_code" | "
 
 export type ProviderAuthResult = {
   profiles: Array<{ profileId: string; credential: AuthProfileCredential }>;
+  /**
+   * Optional config patch to merge after credentials are written.
+   *
+   * Use this for provider-owned onboarding defaults such as
+   * `models.providers.<id>` entries, default aliases, or agent model helpers.
+   * The caller still persists auth-profile bindings separately.
+   */
   configPatch?: Partial<OpenClawConfig>;
   defaultModel?: string;
   notes?: string[];

From e575f419a537973934ae3d09399ae83803cb0559 Mon Sep 17 00:00:00 2001
From: Prompt Driven <promptdriven@Prompts-MacBook-Air.local>
Date: Sun, 15 Mar 2026 21:10:29 -0700
Subject: [PATCH 117/133] fix(infra): wire gaxios-fetch-compat shim to prevent
 node-fetch crash on Node.js 25

---
 src/entry.ts                     |  1 +
 src/infra/gaxios-fetch-compat.ts | 27 +++++++++++++++++++++++++++
 2 files changed, 28 insertions(+)
 create mode 100644 src/infra/gaxios-fetch-compat.ts

diff --git a/src/entry.ts b/src/entry.ts
index 9b693c756e3..1136d4c954a 100644
--- a/src/entry.ts
+++ b/src/entry.ts
@@ -7,6 +7,7 @@ import { isRootHelpInvocation, isRootVersionInvocation } from "./cli/argv.js";
 import { applyCliProfileEnv, parseCliProfileArgs } from "./cli/profile.js";
 import { shouldSkipRespawnForArgv } from "./cli/respawn-policy.js";
 import { normalizeWindowsArgv } from "./cli/windows-argv.js";
+import "./infra/gaxios-fetch-compat.js";
 import { isTruthyEnvValue, normalizeEnv } from "./infra/env.js";
 import { isMainModule } from "./infra/is-main.js";
 import { ensureOpenClawExecMarkerOnProcess } from "./infra/openclaw-exec-env.js";
diff --git a/src/infra/gaxios-fetch-compat.ts b/src/infra/gaxios-fetch-compat.ts
new file mode 100644
index 00000000000..2c0d0391a58
--- /dev/null
+++ b/src/infra/gaxios-fetch-compat.ts
@@ -0,0 +1,27 @@
+/**
+ * Compatibility shim for gaxios@7.x on Node.js 22+.
+ *
+ * gaxios checks `typeof window !== 'undefined'` to decide between
+ * `window.fetch` (browser) and `import('node-fetch')` (Node.js).
+ * On Node.js 22+, `globalThis.fetch` is available natively, but gaxios
+ * does not check for it before falling back to node-fetch.
+ *
+ * node-fetch@3.x ESM loading is broken on Node.js 25 (ESM translator
+ * calls hasOwnProperty on null, throwing "Cannot convert undefined or
+ * null to object"). This causes ALL google-vertex auth requests to fail
+ * before any network call is made.
+ *
+ * Fix: define a minimal `window` shim with `fetch = globalThis.fetch` so
+ * gaxios uses the native fetch implementation instead of importing node-fetch.
+ *
+ * This module must be imported (as a side effect) before any google-auth-library
+ * or gaxios request is made.
+ */
+if (
+  typeof (globalThis as Record<string, unknown>)["window"] === "undefined" &&
+  typeof globalThis.fetch === "function"
+) {
+  // Tell gaxios it's in a "browser-like" environment with a working fetch.
+  // Only the `fetch` property is needed; gaxios only reads `window.fetch`.
+  (globalThis as Record<string, unknown>)["window"] = { fetch: globalThis.fetch };
+}

From 1aabce78e73cc0e64ec3308ed1ae14123ca539ff Mon Sep 17 00:00:00 2001
From: Prompt Driven <promptdriven@Prompts-MacBook-Air.local>
Date: Sun, 15 Mar 2026 22:19:19 -0700
Subject: [PATCH 118/133] fix(infra): also wire gaxios-fetch-compat shim into
 src/index.ts (gateway entry)

---
 src/index.ts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/index.ts b/src/index.ts
index 4daf6521df7..83a5caacfa9 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -1,4 +1,5 @@
 #!/usr/bin/env node
+import "./infra/gaxios-fetch-compat.js";
 import process from "node:process";
 import { fileURLToPath } from "node:url";
 import { formatUncaughtError } from "./infra/errors.js";

From 94a01c978907f9ef4d1b23efc7767ee18c77769b Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Mar 2026 08:21:40 +0000
Subject: [PATCH 119/133] fix: keep gaxios compat off the package root (#47914)
 (thanks @pdd-cli)

---
 CHANGELOG.md                          |   1 +
 src/entry.ts                          |   4 +-
 src/index.test.ts                     |  14 ++
 src/index.ts                          |   8 +-
 src/infra/gaxios-fetch-compat.test.ts |  60 +++++++
 src/infra/gaxios-fetch-compat.ts      | 237 +++++++++++++++++++++++---
 6 files changed, 295 insertions(+), 29 deletions(-)
 create mode 100644 src/infra/gaxios-fetch-compat.test.ts

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a80bae4ced0..4f9fb7a653d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -92,6 +92,7 @@ Docs: https://docs.openclaw.ai
 - Plugins/context engines: enforce owner-aware context-engine registration on both loader and public SDK paths so plugins cannot spoof privileged ownership, claim the core `legacy` engine id, or overwrite an existing engine id through direct SDK imports. (#47595) Thanks @vincentkoc.
 - Windows/gateway status: accept `schtasks` `Last Result` output as an alias for `Last Run Result`, so running scheduled-task installs no longer show `Runtime: unknown`. (#47844) Thanks @MoerAI.
 - Control UI/session routing: preserve established external delivery routes when webchat views or sends in externally originated sessions, so subagent completions still return to the original channel instead of the dashboard. (#47797) Thanks @brokemac79.
+- Google auth/Node 25: patch `gaxios` to use native fetch without injecting `globalThis.window`, while translating proxy and mTLS transport settings so Google Vertex and Google Chat auth keep working on Node 25. (#47914) Thanks @pdd-cli.
 
 ## 2026.3.13
 
diff --git a/src/entry.ts b/src/entry.ts
index 1136d4c954a..3496e48f0e9 100644
--- a/src/entry.ts
+++ b/src/entry.ts
@@ -7,7 +7,6 @@ import { isRootHelpInvocation, isRootVersionInvocation } from "./cli/argv.js";
 import { applyCliProfileEnv, parseCliProfileArgs } from "./cli/profile.js";
 import { shouldSkipRespawnForArgv } from "./cli/respawn-policy.js";
 import { normalizeWindowsArgv } from "./cli/windows-argv.js";
-import "./infra/gaxios-fetch-compat.js";
 import { isTruthyEnvValue, normalizeEnv } from "./infra/env.js";
 import { isMainModule } from "./infra/is-main.js";
 import { ensureOpenClawExecMarkerOnProcess } from "./infra/openclaw-exec-env.js";
@@ -42,6 +41,9 @@ if (
 ) {
   // Imported as a dependency — skip all entry-point side effects.
 } else {
+  const { installGaxiosFetchCompat } = await import("./infra/gaxios-fetch-compat.js");
+
+  installGaxiosFetchCompat();
   process.title = "openclaw";
   ensureOpenClawExecMarkerOnProcess();
   installProcessWarningFilter();
diff --git a/src/index.test.ts b/src/index.test.ts
index d53d492c527..e1cd55a39e2 100644
--- a/src/index.test.ts
+++ b/src/index.test.ts
@@ -34,6 +34,20 @@ describe("legacy root entry", () => {
     expect(runtimeMocks.runCli).not.toHaveBeenCalled();
   });
 
+  it("keeps library imports free of global window shims", async () => {
+    const originalWindowDescriptor = Object.getOwnPropertyDescriptor(globalThis, "window");
+    Reflect.deleteProperty(globalThis as object, "window");
+
+    try {
+      await import("./index.js");
+      expect("window" in globalThis).toBe(false);
+    } finally {
+      if (originalWindowDescriptor) {
+        Object.defineProperty(globalThis, "window", originalWindowDescriptor);
+      }
+    }
+  });
+
   it("delegates legacy direct-entry execution to run-main", async () => {
     const mod = await import("./index.js");
     const argv = ["node", "dist/index.js", "status"];
diff --git a/src/index.ts b/src/index.ts
index 83a5caacfa9..92cf6269cc4 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -1,5 +1,4 @@
 #!/usr/bin/env node
-import "./infra/gaxios-fetch-compat.js";
 import process from "node:process";
 import { fileURLToPath } from "node:url";
 import { formatUncaughtError } from "./infra/errors.js";
@@ -33,7 +32,12 @@ export const waitForever = library.waitForever;
 
 // Legacy direct file entrypoint only. Package root exports now live in library.ts.
 export async function runLegacyCliEntry(argv: string[] = process.argv): Promise<void> {
-  const { runCli } = await import("./cli/run-main.js");
+  const [{ installGaxiosFetchCompat }, { runCli }] = await Promise.all([
+    import("./infra/gaxios-fetch-compat.js"),
+    import("./cli/run-main.js"),
+  ]);
+
+  installGaxiosFetchCompat();
   await runCli(argv);
 }
 
diff --git a/src/infra/gaxios-fetch-compat.test.ts b/src/infra/gaxios-fetch-compat.test.ts
new file mode 100644
index 00000000000..4d7559f3eee
--- /dev/null
+++ b/src/infra/gaxios-fetch-compat.test.ts
@@ -0,0 +1,60 @@
+import { HttpsProxyAgent } from "https-proxy-agent";
+import { ProxyAgent } from "undici";
+import { afterEach, describe, expect, it, vi } from "vitest";
+
+describe("gaxios fetch compat", () => {
+  afterEach(() => {
+    vi.resetModules();
+    vi.restoreAllMocks();
+    vi.unstubAllGlobals();
+  });
+
+  it("uses native fetch without defining window or importing node-fetch", async () => {
+    const fetchMock = vi.fn<typeof fetch>(async () => {
+      return new Response("ok", {
+        headers: { "content-type": "text/plain" },
+        status: 200,
+      });
+    });
+
+    vi.stubGlobal("fetch", fetchMock);
+    vi.doMock("node-fetch", () => {
+      throw new Error("node-fetch should not load");
+    });
+
+    const { installGaxiosFetchCompat } = await import("./gaxios-fetch-compat.js");
+    const { Gaxios } = await import("gaxios");
+
+    installGaxiosFetchCompat();
+
+    const res = await new Gaxios().request({
+      responseType: "text",
+      url: "https://example.com",
+    });
+
+    expect(res.data).toBe("ok");
+    expect(fetchMock).toHaveBeenCalledOnce();
+    expect("window" in globalThis).toBe(false);
+  });
+
+  it("translates proxy agents into undici dispatchers for native fetch", async () => {
+    const fetchMock = vi.fn<typeof fetch>(async () => {
+      return new Response("ok", {
+        headers: { "content-type": "text/plain" },
+        status: 200,
+      });
+    });
+    const { createGaxiosCompatFetch } = await import("./gaxios-fetch-compat.js");
+
+    const compatFetch = createGaxiosCompatFetch(fetchMock);
+    await compatFetch("https://example.com", {
+      agent: new HttpsProxyAgent("http://proxy.example:8080"),
+    } as RequestInit);
+
+    expect(fetchMock).toHaveBeenCalledOnce();
+    const [, init] = fetchMock.mock.calls[0] ?? [];
+
+    expect(init).not.toHaveProperty("agent");
+    expect((init as { dispatcher?: unknown })?.dispatcher).toBeInstanceOf(ProxyAgent);
+  });
+});
diff --git a/src/infra/gaxios-fetch-compat.ts b/src/infra/gaxios-fetch-compat.ts
index 2c0d0391a58..e4d3688d7e5 100644
--- a/src/infra/gaxios-fetch-compat.ts
+++ b/src/infra/gaxios-fetch-compat.ts
@@ -1,27 +1,212 @@
-/**
- * Compatibility shim for gaxios@7.x on Node.js 22+.
- *
- * gaxios checks `typeof window !== 'undefined'` to decide between
- * `window.fetch` (browser) and `import('node-fetch')` (Node.js).
- * On Node.js 22+, `globalThis.fetch` is available natively, but gaxios
- * does not check for it before falling back to node-fetch.
- *
- * node-fetch@3.x ESM loading is broken on Node.js 25 (ESM translator
- * calls hasOwnProperty on null, throwing "Cannot convert undefined or
- * null to object"). This causes ALL google-vertex auth requests to fail
- * before any network call is made.
- *
- * Fix: define a minimal `window` shim with `fetch = globalThis.fetch` so
- * gaxios uses the native fetch implementation instead of importing node-fetch.
- *
- * This module must be imported (as a side effect) before any google-auth-library
- * or gaxios request is made.
- */
-if (
-  typeof (globalThis as Record<string, unknown>)["window"] === "undefined" &&
-  typeof globalThis.fetch === "function"
-) {
-  // Tell gaxios it's in a "browser-like" environment with a working fetch.
-  // Only the `fetch` property is needed; gaxios only reads `window.fetch`.
-  (globalThis as Record<string, unknown>)["window"] = { fetch: globalThis.fetch };
+import type { ConnectionOptions } from "node:tls";
+import { Gaxios } from "gaxios";
+import type { Dispatcher } from "undici";
+import { Agent as UndiciAgent, ProxyAgent } from "undici";
+
+type ProxyRule = RegExp | URL | string;
+type TlsCert = ConnectionOptions["cert"];
+type TlsKey = ConnectionOptions["key"];
+
+type GaxiosFetchRequestInit = RequestInit & {
+  agent?: unknown;
+  cert?: TlsCert;
+  dispatcher?: Dispatcher;
+  fetchImplementation?: typeof fetch;
+  key?: TlsKey;
+  noProxy?: ProxyRule[];
+  proxy?: string | URL;
+};
+
+type ProxyAgentLike = {
+  connectOpts?: { cert?: TlsCert; key?: TlsKey };
+  proxy: URL;
+};
+
+type TlsAgentLike = {
+  options?: { cert?: TlsCert; key?: TlsKey };
+};
+
+type GaxiosPrototype = {
+  _defaultAdapter: (this: Gaxios, config: GaxiosFetchRequestInit) => Promise<unknown>;
+};
+
+let installState: "not-installed" | "installed" = "not-installed";
+
+function isRecord(value: unknown): value is Record<string, unknown> {
+  return typeof value === "object" && value !== null;
+}
+
+function hasDispatcher(value: unknown): value is Dispatcher {
+  return isRecord(value) && typeof value.dispatch === "function";
+}
+
+function hasProxyAgentShape(value: unknown): value is ProxyAgentLike {
+  return isRecord(value) && value.proxy instanceof URL;
+}
+
+function hasTlsAgentShape(value: unknown): value is TlsAgentLike {
+  return isRecord(value) && isRecord(value.options);
+}
+
+function resolveTlsOptions(
+  init: GaxiosFetchRequestInit,
+  url: URL,
+): { cert?: TlsCert; key?: TlsKey } {
+  const explicit = {
+    cert: init.cert,
+    key: init.key,
+  };
+  if (explicit.cert !== undefined || explicit.key !== undefined) {
+    return explicit;
+  }
+
+  const agent = typeof init.agent === "function" ? init.agent(url) : init.agent;
+  if (hasProxyAgentShape(agent)) {
+    return {
+      cert: agent.connectOpts?.cert,
+      key: agent.connectOpts?.key,
+    };
+  }
+  if (hasTlsAgentShape(agent)) {
+    return {
+      cert: agent.options?.cert,
+      key: agent.options?.key,
+    };
+  }
+  return {};
+}
+
+function urlMayUseProxy(url: URL, noProxy: ProxyRule[] = []): boolean {
+  const rules = [...noProxy];
+  const envRules = (process.env.NO_PROXY ?? process.env.no_proxy)?.split(",") ?? [];
+  for (const rule of envRules) {
+    const trimmed = rule.trim();
+    if (trimmed.length > 0) {
+      rules.push(trimmed);
+    }
+  }
+
+  for (const rule of rules) {
+    if (rule instanceof RegExp) {
+      if (rule.test(url.toString())) {
+        return false;
+      }
+      continue;
+    }
+    if (rule instanceof URL) {
+      if (rule.origin === url.origin) {
+        return false;
+      }
+      continue;
+    }
+    if (rule.startsWith("*.") || rule.startsWith(".")) {
+      const cleanedRule = rule.replace(/^\*\./, ".");
+      if (url.hostname.endsWith(cleanedRule)) {
+        return false;
+      }
+      continue;
+    }
+    if (rule === url.origin || rule === url.hostname || rule === url.href) {
+      return false;
+    }
+  }
+
+  return true;
+}
+
+function resolveProxyUri(init: GaxiosFetchRequestInit, url: URL): string | undefined {
+  if (init.proxy) {
+    const proxyUri = String(init.proxy);
+    return urlMayUseProxy(url, init.noProxy) ? proxyUri : undefined;
+  }
+
+  const envProxy =
+    process.env.HTTPS_PROXY ??
+    process.env.https_proxy ??
+    process.env.HTTP_PROXY ??
+    process.env.http_proxy;
+  if (!envProxy) {
+    return undefined;
+  }
+
+  return urlMayUseProxy(url, init.noProxy) ? envProxy : undefined;
+}
+
+function buildDispatcher(init: GaxiosFetchRequestInit, url: URL): Dispatcher | undefined {
+  if (init.dispatcher) {
+    return init.dispatcher;
+  }
+
+  const agent = typeof init.agent === "function" ? init.agent(url) : init.agent;
+  if (hasDispatcher(agent)) {
+    return agent;
+  }
+
+  const { cert, key } = resolveTlsOptions(init, url);
+  const proxyUri =
+    resolveProxyUri(init, url) ?? (hasProxyAgentShape(agent) ? String(agent.proxy) : undefined);
+  if (proxyUri) {
+    return new ProxyAgent({
+      requestTls: cert !== undefined || key !== undefined ? { cert, key } : undefined,
+      uri: proxyUri,
+    });
+  }
+
+  if (cert !== undefined || key !== undefined) {
+    return new UndiciAgent({
+      connect: { cert, key },
+    });
+  }
+
+  return undefined;
+}
+
+export function createGaxiosCompatFetch(baseFetch: typeof fetch = globalThis.fetch): typeof fetch {
+  return async (input: RequestInfo | URL, init?: RequestInit): Promise<Response> => {
+    const gaxiosInit = (init ?? {}) as GaxiosFetchRequestInit;
+    const requestUrl =
+      input instanceof Request
+        ? new URL(input.url)
+        : new URL(typeof input === "string" ? input : input.toString());
+    const dispatcher = buildDispatcher(gaxiosInit, requestUrl);
+
+    const nextInit: RequestInit = { ...gaxiosInit };
+    delete (nextInit as GaxiosFetchRequestInit).agent;
+    delete (nextInit as GaxiosFetchRequestInit).cert;
+    delete (nextInit as GaxiosFetchRequestInit).fetchImplementation;
+    delete (nextInit as GaxiosFetchRequestInit).key;
+    delete (nextInit as GaxiosFetchRequestInit).noProxy;
+    delete (nextInit as GaxiosFetchRequestInit).proxy;
+
+    if (dispatcher) {
+      (nextInit as RequestInit & { dispatcher: Dispatcher }).dispatcher = dispatcher;
+    }
+
+    return baseFetch(input, nextInit);
+  };
+}
+
+export function installGaxiosFetchCompat(): void {
+  if (installState === "installed" || typeof globalThis.fetch !== "function") {
+    return;
+  }
+
+  const prototype = Gaxios.prototype as unknown as GaxiosPrototype;
+  const originalDefaultAdapter = prototype._defaultAdapter;
+  const compatFetch = createGaxiosCompatFetch();
+
+  prototype._defaultAdapter = function patchedDefaultAdapter(
+    this: Gaxios,
+    config: GaxiosFetchRequestInit,
+  ): Promise<unknown> {
+    if (config.fetchImplementation) {
+      return originalDefaultAdapter.call(this, config);
+    }
+    return originalDefaultAdapter.call(this, {
+      ...config,
+      fetchImplementation: compatFetch,
+    });
+  };
+
+  installState = "installed";
 }

From 7e74adef916ff75b96e3ab82fdbc2dc3624dca85 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Mar 2026 01:34:22 -0700
Subject: [PATCH 120/133] refactor: shrink public channel plugin sdk surfaces

---
 docs/tools/plugin.md                          |  12 +-
 extensions/discord/index.ts                   |   4 +-
 extensions/discord/src/channel.setup.ts       |   8 +-
 extensions/discord/src/channel.ts             |  24 ++--
 extensions/discord/src/runtime.ts             |   2 +-
 extensions/discord/src/subagent-hooks.ts      |   6 +-
 extensions/imessage/index.ts                  |   4 +-
 extensions/imessage/src/channel.setup.ts      |  10 +-
 extensions/imessage/src/channel.ts            |  10 +-
 extensions/imessage/src/runtime.ts            |   2 +-
 extensions/signal/index.ts                    |   4 +-
 extensions/signal/src/channel.setup.ts        |  10 +-
 extensions/signal/src/channel.ts              |  10 +-
 extensions/signal/src/runtime.ts              |   2 +-
 extensions/slack/index.ts                     |   4 +-
 extensions/slack/src/channel.setup.ts         |  12 +-
 extensions/slack/src/channel.ts               |  24 ++--
 extensions/slack/src/runtime.ts               |   2 +-
 extensions/telegram/index.ts                  |   4 +-
 extensions/telegram/src/channel.setup.ts      |  14 ++-
 extensions/telegram/src/channel.test.ts       |   2 +-
 extensions/telegram/src/channel.ts            |  24 ++--
 extensions/telegram/src/runtime.ts            |   2 +-
 extensions/whatsapp/index.ts                  |   4 +-
 extensions/whatsapp/src/runtime.ts            |   3 +-
 src/agents/pi-embedded-runner/compact.ts      |   4 +-
 src/agents/pi-embedded-runner/run/attempt.ts  |   4 +-
 src/agents/tools/discord-actions-guild.ts     |   4 +-
 src/agents/tools/discord-actions-messaging.ts |  14 ++-
 .../tools/discord-actions-moderation.ts       |   2 +-
 src/agents/tools/discord-actions-presence.ts  |   2 +-
 src/agents/tools/discord-actions.ts           |   2 +-
 src/agents/tools/slack-actions.ts             |   4 +-
 src/agents/tools/telegram-actions.ts          |  15 ++-
 src/agents/tools/whatsapp-actions.ts          |   2 +-
 src/agents/tools/whatsapp-target-auth.ts      |   2 +-
 src/auto-reply/reply/commands-approve.ts      |   2 +-
 src/auto-reply/reply/commands-models.ts       |   2 +-
 .../reply/directive-handling.model.ts         |   2 +-
 src/auto-reply/templating.ts                  |   2 +-
 src/channel-web.ts                            |  16 ++-
 src/channels/plugins/actions/discord.ts       |   2 +-
 src/channels/plugins/actions/signal.ts        |   2 +-
 src/channels/plugins/actions/telegram.ts      |   2 +-
 .../plugins/agent-tools/whatsapp-login.ts     |   2 +-
 src/channels/plugins/group-mentions.ts        |   2 +-
 src/channels/plugins/slack.actions.ts         |   4 +-
 ...ad-only-account-inspect.discord.runtime.ts |   4 +-
 ...read-only-account-inspect.slack.runtime.ts |   4 +-
 ...d-only-account-inspect.telegram.runtime.ts |   4 +-
 src/cli/deps.test.ts                          |  12 +-
 src/cli/deps.ts                               |  14 +--
 src/commands/doctor-config-flow.ts            |   2 +-
 src/config/plugin-auto-enable.ts              |   2 +-
 src/config/schema.help.ts                     |   2 +-
 .../explicit-session-key-normalization.ts     |   2 +-
 src/config/types.discord.ts                   |   2 +-
 src/cron/isolated-agent/delivery-target.ts    |   2 +-
 src/gateway/server-http.ts                    |   2 +-
 src/infra/state-migrations.ts                 |   2 +-
 src/plugin-sdk/discord.ts                     |  88 ---------------
 src/plugin-sdk/imessage.ts                    |  22 ----
 src/plugin-sdk/index.ts                       | 104 ------------------
 src/plugin-sdk/signal.ts                      |  16 +--
 src/plugin-sdk/slack.ts                       |  45 +-------
 src/plugin-sdk/subpaths.test.ts               |  41 +++----
 src/plugin-sdk/telegram.ts                    |  65 -----------
 src/plugin-sdk/whatsapp.ts                    |  55 ---------
 src/security/audit-channel.runtime.ts         |   2 +-
 69 files changed, 218 insertions(+), 570 deletions(-)

diff --git a/docs/tools/plugin.md b/docs/tools/plugin.md
index 246724719ff..9269e8b1faf 100644
--- a/docs/tools/plugin.md
+++ b/docs/tools/plugin.md
@@ -573,12 +573,12 @@ authoring plugins:
 
 - `openclaw/plugin-sdk/core` for generic plugin APIs, provider auth types, and shared helpers such as routing/session utilities and logger-backed runtimes.
 - `openclaw/plugin-sdk/compat` for bundled/internal plugin code that needs broader shared runtime helpers than `core`.
-- `openclaw/plugin-sdk/telegram` for Telegram channel plugins.
-- `openclaw/plugin-sdk/discord` for Discord channel plugins.
-- `openclaw/plugin-sdk/slack` for Slack channel plugins.
-- `openclaw/plugin-sdk/signal` for Signal channel plugins.
-- `openclaw/plugin-sdk/imessage` for iMessage channel plugins.
-- `openclaw/plugin-sdk/whatsapp` for WhatsApp channel plugins.
+- `openclaw/plugin-sdk/telegram` for Telegram channel plugin types and shared channel-facing helpers. Built-in Telegram implementation internals stay private to the bundled extension.
+- `openclaw/plugin-sdk/discord` for Discord channel plugin types and shared channel-facing helpers. Built-in Discord implementation internals stay private to the bundled extension.
+- `openclaw/plugin-sdk/slack` for Slack channel plugin types and shared channel-facing helpers. Built-in Slack implementation internals stay private to the bundled extension.
+- `openclaw/plugin-sdk/signal` for Signal channel plugin types and shared channel-facing helpers. Built-in Signal implementation internals stay private to the bundled extension.
+- `openclaw/plugin-sdk/imessage` for iMessage channel plugin types and shared channel-facing helpers. Built-in iMessage implementation internals stay private to the bundled extension.
+- `openclaw/plugin-sdk/whatsapp` for WhatsApp channel plugin types and shared channel-facing helpers. Built-in WhatsApp implementation internals stay private to the bundled extension.
 - `openclaw/plugin-sdk/line` for LINE channel plugins.
 - `openclaw/plugin-sdk/msteams` for the bundled Microsoft Teams plugin surface.
 - Bundled extension-specific subpaths are also available:
diff --git a/extensions/discord/index.ts b/extensions/discord/index.ts
index b08a27f80b5..04906b6fd5d 100644
--- a/extensions/discord/index.ts
+++ b/extensions/discord/index.ts
@@ -1,5 +1,5 @@
-import type { OpenClawPluginApi } from "openclaw/plugin-sdk/discord";
-import { emptyPluginConfigSchema } from "openclaw/plugin-sdk/discord";
+import type { OpenClawPluginApi } from "openclaw/plugin-sdk";
+import { emptyPluginConfigSchema } from "openclaw/plugin-sdk";
 import { discordPlugin } from "./src/channel.js";
 import { setDiscordRuntime } from "./src/runtime.js";
 import { registerDiscordSubagentHooks } from "./src/subagent-hooks.js";
diff --git a/extensions/discord/src/channel.setup.ts b/extensions/discord/src/channel.setup.ts
index ac79acf443e..ee157e3c9bb 100644
--- a/extensions/discord/src/channel.setup.ts
+++ b/extensions/discord/src/channel.setup.ts
@@ -7,13 +7,15 @@ import {
   buildChannelConfigSchema,
   DiscordConfigSchema,
   getChatChannelMeta,
-  inspectDiscordAccount,
+  type ChannelPlugin,
+} from "openclaw/plugin-sdk/discord";
+import { inspectDiscordAccount } from "./account-inspect.js";
+import {
   listDiscordAccountIds,
   resolveDefaultDiscordAccountId,
   resolveDiscordAccount,
-  type ChannelPlugin,
   type ResolvedDiscordAccount,
-} from "openclaw/plugin-sdk/discord";
+} from "./accounts.js";
 import { createDiscordSetupWizardProxy, discordSetupAdapter } from "./setup-core.js";
 
 async function loadDiscordChannelRuntime() {
diff --git a/extensions/discord/src/channel.ts b/extensions/discord/src/channel.ts
index ac858b9c108..966a5a1cbcd 100644
--- a/extensions/discord/src/channel.ts
+++ b/extensions/discord/src/channel.ts
@@ -17,41 +17,45 @@ import {
   buildComputedAccountStatusSnapshot,
   buildChannelConfigSchema,
   buildTokenChannelStatusSummary,
-  collectDiscordAuditChannelIds,
-  collectDiscordStatusIssues,
   DEFAULT_ACCOUNT_ID,
   DiscordConfigSchema,
   getChatChannelMeta,
-  inspectDiscordAccount,
-  listDiscordAccountIds,
   listDiscordDirectoryGroupsFromConfig,
   listDiscordDirectoryPeersFromConfig,
-  looksLikeDiscordTargetId,
-  normalizeDiscordMessagingTarget,
-  normalizeDiscordOutboundTarget,
   PAIRING_APPROVED_MESSAGE,
   projectCredentialSnapshotFields,
   resolveConfiguredFromCredentialStatuses,
-  resolveDiscordAccount,
-  resolveDefaultDiscordAccountId,
   resolveDiscordGroupRequireMention,
   resolveDiscordGroupToolPolicy,
   type ChannelMessageActionAdapter,
   type ChannelPlugin,
   type OpenClawConfig,
-  type ResolvedDiscordAccount,
 } from "openclaw/plugin-sdk/discord";
 import { resolveOutboundSendDep } from "../../../src/infra/outbound/send-deps.js";
 import { normalizeMessageChannel } from "../../../src/utils/message-channel.js";
+import { inspectDiscordAccount } from "./account-inspect.js";
+import {
+  listDiscordAccountIds,
+  resolveDiscordAccount,
+  resolveDefaultDiscordAccountId,
+  type ResolvedDiscordAccount,
+} from "./accounts.js";
+import { collectDiscordAuditChannelIds } from "./audit.js";
 import {
   isDiscordExecApprovalClientEnabled,
   shouldSuppressLocalDiscordExecApprovalPrompt,
 } from "./exec-approvals.js";
+import {
+  looksLikeDiscordTargetId,
+  normalizeDiscordMessagingTarget,
+  normalizeDiscordOutboundTarget,
+} from "./normalize.js";
 import type { DiscordProbe } from "./probe.js";
 import { resolveDiscordUserAllowlist } from "./resolve-users.js";
 import { getDiscordRuntime } from "./runtime.js";
 import { fetchChannelPermissionsDiscord } from "./send.js";
 import { createDiscordSetupWizardProxy, discordSetupAdapter } from "./setup-core.js";
+import { collectDiscordStatusIssues } from "./status-issues.js";
 import { parseDiscordTarget } from "./targets.js";
 import { DiscordUiContainer } from "./ui.js";
 
diff --git a/extensions/discord/src/runtime.ts b/extensions/discord/src/runtime.ts
index 2cc0074f457..066dcdbad12 100644
--- a/extensions/discord/src/runtime.ts
+++ b/extensions/discord/src/runtime.ts
@@ -1,5 +1,5 @@
+import type { PluginRuntime } from "openclaw/plugin-sdk";
 import { createPluginRuntimeStore } from "openclaw/plugin-sdk/compat";
-import type { PluginRuntime } from "openclaw/plugin-sdk/discord";
 
 const { setRuntime: setDiscordRuntime, getRuntime: getDiscordRuntime } =
   createPluginRuntimeStore<PluginRuntime>("Discord runtime not initialized");
diff --git a/extensions/discord/src/subagent-hooks.ts b/extensions/discord/src/subagent-hooks.ts
index f6e6056538b..f73511dba20 100644
--- a/extensions/discord/src/subagent-hooks.ts
+++ b/extensions/discord/src/subagent-hooks.ts
@@ -1,10 +1,10 @@
-import type { OpenClawPluginApi } from "openclaw/plugin-sdk/discord";
+import type { OpenClawPluginApi } from "openclaw/plugin-sdk";
+import { resolveDiscordAccount } from "./accounts.js";
 import {
   autoBindSpawnedDiscordSubagent,
   listThreadBindingsBySessionKey,
-  resolveDiscordAccount,
   unbindThreadBindingsBySessionKey,
-} from "openclaw/plugin-sdk/discord";
+} from "./monitor/thread-bindings.js";
 
 function summarizeError(err: unknown): string {
   if (err instanceof Error) {
diff --git a/extensions/imessage/index.ts b/extensions/imessage/index.ts
index cf0c6b3d8bd..7eb0e80b070 100644
--- a/extensions/imessage/index.ts
+++ b/extensions/imessage/index.ts
@@ -1,5 +1,5 @@
-import type { OpenClawPluginApi } from "openclaw/plugin-sdk/imessage";
-import { emptyPluginConfigSchema } from "openclaw/plugin-sdk/imessage";
+import type { OpenClawPluginApi } from "openclaw/plugin-sdk";
+import { emptyPluginConfigSchema } from "openclaw/plugin-sdk";
 import { imessagePlugin } from "./src/channel.js";
 import { setIMessageRuntime } from "./src/runtime.js";
 
diff --git a/extensions/imessage/src/channel.setup.ts b/extensions/imessage/src/channel.setup.ts
index 075e50f0dda..a4e58844b3b 100644
--- a/extensions/imessage/src/channel.setup.ts
+++ b/extensions/imessage/src/channel.setup.ts
@@ -9,15 +9,17 @@ import {
   formatTrimmedAllowFromEntries,
   getChatChannelMeta,
   IMessageConfigSchema,
-  listIMessageAccountIds,
-  resolveDefaultIMessageAccountId,
-  resolveIMessageAccount,
   resolveIMessageConfigAllowFrom,
   resolveIMessageConfigDefaultTo,
   setAccountEnabledInConfigSection,
   type ChannelPlugin,
-  type ResolvedIMessageAccount,
 } from "openclaw/plugin-sdk/imessage";
+import {
+  listIMessageAccountIds,
+  resolveDefaultIMessageAccountId,
+  resolveIMessageAccount,
+  type ResolvedIMessageAccount,
+} from "./accounts.js";
 import { createIMessageSetupWizardProxy, imessageSetupAdapter } from "./setup-core.js";
 
 async function loadIMessageChannelRuntime() {
diff --git a/extensions/imessage/src/channel.ts b/extensions/imessage/src/channel.ts
index 2d5b0ba9b39..b0d94a1a437 100644
--- a/extensions/imessage/src/channel.ts
+++ b/extensions/imessage/src/channel.ts
@@ -12,23 +12,25 @@ import {
   formatTrimmedAllowFromEntries,
   getChatChannelMeta,
   IMessageConfigSchema,
-  listIMessageAccountIds,
   looksLikeIMessageTargetId,
   normalizeIMessageMessagingTarget,
   PAIRING_APPROVED_MESSAGE,
   resolveChannelMediaMaxBytes,
-  resolveDefaultIMessageAccountId,
-  resolveIMessageAccount,
   resolveIMessageConfigAllowFrom,
   resolveIMessageConfigDefaultTo,
   resolveIMessageGroupRequireMention,
   resolveIMessageGroupToolPolicy,
   setAccountEnabledInConfigSection,
   type ChannelPlugin,
-  type ResolvedIMessageAccount,
 } from "openclaw/plugin-sdk/imessage";
 import { resolveOutboundSendDep } from "../../../src/infra/outbound/send-deps.js";
 import { buildPassiveProbedChannelStatusSummary } from "../../shared/channel-status-summary.js";
+import {
+  listIMessageAccountIds,
+  resolveDefaultIMessageAccountId,
+  resolveIMessageAccount,
+  type ResolvedIMessageAccount,
+} from "./accounts.js";
 import { getIMessageRuntime } from "./runtime.js";
 import { createIMessageSetupWizardProxy, imessageSetupAdapter } from "./setup-core.js";
 import { normalizeIMessageHandle, parseIMessageTarget } from "./targets.js";
diff --git a/extensions/imessage/src/runtime.ts b/extensions/imessage/src/runtime.ts
index 7bc726cb089..8805ce3141f 100644
--- a/extensions/imessage/src/runtime.ts
+++ b/extensions/imessage/src/runtime.ts
@@ -1,5 +1,5 @@
+import type { PluginRuntime } from "openclaw/plugin-sdk";
 import { createPluginRuntimeStore } from "openclaw/plugin-sdk/compat";
-import type { PluginRuntime } from "openclaw/plugin-sdk/imessage";
 
 const { setRuntime: setIMessageRuntime, getRuntime: getIMessageRuntime } =
   createPluginRuntimeStore<PluginRuntime>("iMessage runtime not initialized");
diff --git a/extensions/signal/index.ts b/extensions/signal/index.ts
index 0a7b988d7f0..e1069e466e2 100644
--- a/extensions/signal/index.ts
+++ b/extensions/signal/index.ts
@@ -1,5 +1,5 @@
-import type { OpenClawPluginApi } from "openclaw/plugin-sdk/signal";
-import { emptyPluginConfigSchema } from "openclaw/plugin-sdk/signal";
+import type { OpenClawPluginApi } from "openclaw/plugin-sdk";
+import { emptyPluginConfigSchema } from "openclaw/plugin-sdk";
 import { signalPlugin } from "./src/channel.js";
 import { setSignalRuntime } from "./src/runtime.js";
 
diff --git a/extensions/signal/src/channel.setup.ts b/extensions/signal/src/channel.setup.ts
index 544efa0f64f..88a7035c199 100644
--- a/extensions/signal/src/channel.setup.ts
+++ b/extensions/signal/src/channel.setup.ts
@@ -8,15 +8,17 @@ import {
   DEFAULT_ACCOUNT_ID,
   deleteAccountFromConfigSection,
   getChatChannelMeta,
-  listSignalAccountIds,
   normalizeE164,
-  resolveDefaultSignalAccountId,
-  resolveSignalAccount,
   setAccountEnabledInConfigSection,
   SignalConfigSchema,
   type ChannelPlugin,
-  type ResolvedSignalAccount,
 } from "openclaw/plugin-sdk/signal";
+import {
+  listSignalAccountIds,
+  resolveDefaultSignalAccountId,
+  resolveSignalAccount,
+  type ResolvedSignalAccount,
+} from "./accounts.js";
 import { createSignalSetupWizardProxy, signalSetupAdapter } from "./setup-core.js";
 
 async function loadSignalChannelRuntime() {
diff --git a/extensions/signal/src/channel.ts b/extensions/signal/src/channel.ts
index bb65502e017..e1675a019d1 100644
--- a/extensions/signal/src/channel.ts
+++ b/extensions/signal/src/channel.ts
@@ -14,23 +14,25 @@ import {
   DEFAULT_ACCOUNT_ID,
   deleteAccountFromConfigSection,
   getChatChannelMeta,
-  listSignalAccountIds,
   looksLikeSignalTargetId,
   normalizeE164,
   normalizeSignalMessagingTarget,
   PAIRING_APPROVED_MESSAGE,
   resolveChannelMediaMaxBytes,
-  resolveDefaultSignalAccountId,
-  resolveSignalAccount,
   setAccountEnabledInConfigSection,
   SignalConfigSchema,
   type ChannelMessageActionAdapter,
   type ChannelPlugin,
-  type ResolvedSignalAccount,
 } from "openclaw/plugin-sdk/signal";
 import { resolveTextChunkLimit } from "../../../src/auto-reply/chunk.js";
 import { resolveMarkdownTableMode } from "../../../src/config/markdown-tables.js";
 import { resolveOutboundSendDep } from "../../../src/infra/outbound/send-deps.js";
+import {
+  listSignalAccountIds,
+  resolveDefaultSignalAccountId,
+  resolveSignalAccount,
+  type ResolvedSignalAccount,
+} from "./accounts.js";
 import { markdownToSignalTextChunks } from "./format.js";
 import {
   looksLikeUuid,
diff --git a/extensions/signal/src/runtime.ts b/extensions/signal/src/runtime.ts
index 480c174ab26..1b004d82b8a 100644
--- a/extensions/signal/src/runtime.ts
+++ b/extensions/signal/src/runtime.ts
@@ -1,5 +1,5 @@
+import type { PluginRuntime } from "openclaw/plugin-sdk";
 import { createPluginRuntimeStore } from "openclaw/plugin-sdk/compat";
-import type { PluginRuntime } from "openclaw/plugin-sdk/signal";
 
 const { setRuntime: setSignalRuntime, getRuntime: getSignalRuntime } =
   createPluginRuntimeStore<PluginRuntime>("Signal runtime not initialized");
diff --git a/extensions/slack/index.ts b/extensions/slack/index.ts
index 57d855141be..6f5945616c7 100644
--- a/extensions/slack/index.ts
+++ b/extensions/slack/index.ts
@@ -1,5 +1,5 @@
-import type { OpenClawPluginApi } from "openclaw/plugin-sdk/slack";
-import { emptyPluginConfigSchema } from "openclaw/plugin-sdk/slack";
+import type { OpenClawPluginApi } from "openclaw/plugin-sdk";
+import { emptyPluginConfigSchema } from "openclaw/plugin-sdk";
 import { slackPlugin } from "./src/channel.js";
 import { setSlackRuntime } from "./src/runtime.js";
 
diff --git a/extensions/slack/src/channel.setup.ts b/extensions/slack/src/channel.setup.ts
index 83cd1625059..b5723ea5130 100644
--- a/extensions/slack/src/channel.setup.ts
+++ b/extensions/slack/src/channel.setup.ts
@@ -6,15 +6,17 @@ import {
 import {
   buildChannelConfigSchema,
   getChatChannelMeta,
-  inspectSlackAccount,
-  isSlackInteractiveRepliesEnabled,
+  SlackConfigSchema,
+  type ChannelPlugin,
+} from "openclaw/plugin-sdk/slack";
+import { inspectSlackAccount } from "./account-inspect.js";
+import {
   listSlackAccountIds,
   resolveDefaultSlackAccountId,
   resolveSlackAccount,
-  SlackConfigSchema,
-  type ChannelPlugin,
   type ResolvedSlackAccount,
-} from "openclaw/plugin-sdk/slack";
+} from "./accounts.js";
+import { isSlackInteractiveRepliesEnabled } from "./interactive-replies.js";
 import { createSlackSetupWizardProxy, slackSetupAdapter } from "./setup-core.js";
 
 async function loadSlackChannelRuntime() {
diff --git a/extensions/slack/src/channel.ts b/extensions/slack/src/channel.ts
index 3b0e347ba24..a07608d836a 100644
--- a/extensions/slack/src/channel.ts
+++ b/extensions/slack/src/channel.ts
@@ -16,12 +16,7 @@ import {
   buildComputedAccountStatusSnapshot,
   buildChannelConfigSchema,
   DEFAULT_ACCOUNT_ID,
-  extractSlackToolSend,
   getChatChannelMeta,
-  handleSlackMessageAction,
-  inspectSlackAccount,
-  listSlackMessageActions,
-  listSlackAccountIds,
   listSlackDirectoryGroupsFromConfig,
   listSlackDirectoryPeersFromConfig,
   looksLikeSlackTargetId,
@@ -29,22 +24,28 @@ import {
   PAIRING_APPROVED_MESSAGE,
   projectCredentialSnapshotFields,
   resolveConfiguredFromRequiredCredentialStatuses,
-  resolveDefaultSlackAccountId,
-  resolveSlackAccount,
-  resolveSlackReplyToMode,
-  isSlackInteractiveRepliesEnabled,
   resolveSlackGroupRequireMention,
   resolveSlackGroupToolPolicy,
-  buildSlackThreadingToolContext,
   SlackConfigSchema,
   type ChannelPlugin,
   type OpenClawConfig,
-  type ResolvedSlackAccount,
 } from "openclaw/plugin-sdk/slack";
 import { resolveOutboundSendDep } from "../../../src/infra/outbound/send-deps.js";
 import { buildPassiveProbedChannelStatusSummary } from "../../shared/channel-status-summary.js";
+import { inspectSlackAccount } from "./account-inspect.js";
+import {
+  listEnabledSlackAccounts,
+  listSlackAccountIds,
+  resolveDefaultSlackAccountId,
+  resolveSlackAccount,
+  resolveSlackReplyToMode,
+  type ResolvedSlackAccount,
+} from "./accounts.js";
 import { parseSlackBlocksInput } from "./blocks-input.js";
 import { createSlackWebClient } from "./client.js";
+import { isSlackInteractiveRepliesEnabled } from "./interactive-replies.js";
+import { handleSlackMessageAction } from "./message-action-dispatch.js";
+import { extractSlackToolSend, listSlackMessageActions } from "./message-actions.js";
 import { normalizeAllowListLower } from "./monitor/allow-list.js";
 import type { SlackProbe } from "./probe.js";
 import { resolveSlackUserAllowlist } from "./resolve-users.js";
@@ -52,6 +53,7 @@ import { getSlackRuntime } from "./runtime.js";
 import { fetchSlackScopes } from "./scopes.js";
 import { createSlackSetupWizardProxy, slackSetupAdapter } from "./setup-core.js";
 import { parseSlackTarget } from "./targets.js";
+import { buildSlackThreadingToolContext } from "./threading-tool-context.js";
 
 const meta = getChatChannelMeta("slack");
 const SLACK_CHANNEL_TYPE_CACHE = new Map<string, "channel" | "group" | "dm" | "unknown">();
diff --git a/extensions/slack/src/runtime.ts b/extensions/slack/src/runtime.ts
index 7961547004c..fd1a2ba17c6 100644
--- a/extensions/slack/src/runtime.ts
+++ b/extensions/slack/src/runtime.ts
@@ -1,5 +1,5 @@
+import type { PluginRuntime } from "openclaw/plugin-sdk";
 import { createPluginRuntimeStore } from "openclaw/plugin-sdk/compat";
-import type { PluginRuntime } from "openclaw/plugin-sdk/slack";
 
 const { setRuntime: setSlackRuntime, getRuntime: getSlackRuntime } =
   createPluginRuntimeStore<PluginRuntime>("Slack runtime not initialized");
diff --git a/extensions/telegram/index.ts b/extensions/telegram/index.ts
index 37367c5280c..a2492fca87d 100644
--- a/extensions/telegram/index.ts
+++ b/extensions/telegram/index.ts
@@ -1,5 +1,5 @@
-import type { ChannelPlugin, OpenClawPluginApi } from "openclaw/plugin-sdk/telegram";
-import { emptyPluginConfigSchema } from "openclaw/plugin-sdk/telegram";
+import type { ChannelPlugin, OpenClawPluginApi } from "openclaw/plugin-sdk";
+import { emptyPluginConfigSchema } from "openclaw/plugin-sdk";
 import { telegramPlugin } from "./src/channel.js";
 import { setTelegramRuntime } from "./src/runtime.js";
 
diff --git a/extensions/telegram/src/channel.setup.ts b/extensions/telegram/src/channel.setup.ts
index 6abc8ba0c62..f28a96afff7 100644
--- a/extensions/telegram/src/channel.setup.ts
+++ b/extensions/telegram/src/channel.setup.ts
@@ -6,17 +6,19 @@ import {
 import {
   buildChannelConfigSchema,
   getChatChannelMeta,
-  inspectTelegramAccount,
-  listTelegramAccountIds,
   normalizeAccountId,
-  resolveDefaultTelegramAccountId,
-  resolveTelegramAccount,
   TelegramConfigSchema,
   type ChannelPlugin,
   type OpenClawConfig,
-  type ResolvedTelegramAccount,
-  type TelegramProbe,
 } from "openclaw/plugin-sdk/telegram";
+import { inspectTelegramAccount } from "./account-inspect.js";
+import {
+  listTelegramAccountIds,
+  resolveDefaultTelegramAccountId,
+  resolveTelegramAccount,
+  type ResolvedTelegramAccount,
+} from "./accounts.js";
+import type { TelegramProbe } from "./probe.js";
 import { telegramSetupAdapter } from "./setup-core.js";
 import { telegramSetupWizard } from "./setup-surface.js";
 
diff --git a/extensions/telegram/src/channel.test.ts b/extensions/telegram/src/channel.test.ts
index 965a66d0f2c..476260f2969 100644
--- a/extensions/telegram/src/channel.test.ts
+++ b/extensions/telegram/src/channel.test.ts
@@ -3,10 +3,10 @@ import type {
   ChannelGatewayContext,
   OpenClawConfig,
   PluginRuntime,
-  ResolvedTelegramAccount,
 } from "openclaw/plugin-sdk/telegram";
 import { describe, expect, it, vi } from "vitest";
 import { createRuntimeEnv } from "../../test-utils/runtime-env.js";
+import type { ResolvedTelegramAccount } from "./accounts.js";
 import { telegramPlugin } from "./channel.js";
 import { setTelegramRuntime } from "./runtime.js";
 
diff --git a/extensions/telegram/src/channel.ts b/extensions/telegram/src/channel.ts
index 37915fa07df..cfb5e8a5f8d 100644
--- a/extensions/telegram/src/channel.ts
+++ b/extensions/telegram/src/channel.ts
@@ -16,32 +16,20 @@ import {
   buildChannelConfigSchema,
   buildTokenChannelStatusSummary,
   clearAccountEntryFields,
-  collectTelegramStatusIssues,
   DEFAULT_ACCOUNT_ID,
   getChatChannelMeta,
-  inspectTelegramAccount,
-  listTelegramAccountIds,
   listTelegramDirectoryGroupsFromConfig,
   listTelegramDirectoryPeersFromConfig,
-  looksLikeTelegramTargetId,
   normalizeAccountId,
-  normalizeTelegramMessagingTarget,
   PAIRING_APPROVED_MESSAGE,
-  parseTelegramReplyToMessageId,
-  parseTelegramThreadId,
   projectCredentialSnapshotFields,
   resolveConfiguredFromCredentialStatuses,
-  resolveDefaultTelegramAccountId,
-  resolveTelegramAccount,
   resolveTelegramGroupRequireMention,
   resolveTelegramGroupToolPolicy,
-  sendTelegramPayloadMessages,
   TelegramConfigSchema,
   type ChannelMessageActionAdapter,
   type ChannelPlugin,
   type OpenClawConfig,
-  type ResolvedTelegramAccount,
-  type TelegramProbe,
 } from "openclaw/plugin-sdk/telegram";
 import { parseTelegramTopicConversation } from "../../../src/acp/conversation-id.js";
 import { resolveExecApprovalCommandDisplay } from "../../../src/infra/exec-approval-command-display.js";
@@ -51,16 +39,28 @@ import {
   resolveOutboundSendDep,
 } from "../../../src/infra/outbound/send-deps.js";
 import { normalizeMessageChannel } from "../../../src/utils/message-channel.js";
+import { inspectTelegramAccount } from "./account-inspect.js";
+import {
+  listTelegramAccountIds,
+  resolveDefaultTelegramAccountId,
+  resolveTelegramAccount,
+  type ResolvedTelegramAccount,
+} from "./accounts.js";
 import { buildTelegramExecApprovalButtons } from "./approval-buttons.js";
 import { buildTelegramGroupPeerId } from "./bot/helpers.js";
 import {
   isTelegramExecApprovalClientEnabled,
   resolveTelegramExecApprovalTarget,
 } from "./exec-approvals.js";
+import { looksLikeTelegramTargetId, normalizeTelegramMessagingTarget } from "./normalize.js";
+import { sendTelegramPayloadMessages } from "./outbound-adapter.js";
+import { parseTelegramReplyToMessageId, parseTelegramThreadId } from "./outbound-params.js";
+import type { TelegramProbe } from "./probe.js";
 import { getTelegramRuntime } from "./runtime.js";
 import { sendTypingTelegram } from "./send.js";
 import { telegramSetupAdapter } from "./setup-core.js";
 import { telegramSetupWizard } from "./setup-surface.js";
+import { collectTelegramStatusIssues } from "./status-issues.js";
 import { parseTelegramTarget } from "./targets.js";
 
 type TelegramSendFn = ReturnType<
diff --git a/extensions/telegram/src/runtime.ts b/extensions/telegram/src/runtime.ts
index 8923cdd3e8d..97ba41a3a4d 100644
--- a/extensions/telegram/src/runtime.ts
+++ b/extensions/telegram/src/runtime.ts
@@ -1,5 +1,5 @@
+import type { PluginRuntime } from "openclaw/plugin-sdk";
 import { createPluginRuntimeStore } from "openclaw/plugin-sdk/compat";
-import type { PluginRuntime } from "openclaw/plugin-sdk/telegram";
 
 const { setRuntime: setTelegramRuntime, getRuntime: getTelegramRuntime } =
   createPluginRuntimeStore<PluginRuntime>("Telegram runtime not initialized");
diff --git a/extensions/whatsapp/index.ts b/extensions/whatsapp/index.ts
index 9279a2c038d..1b19ff6775d 100644
--- a/extensions/whatsapp/index.ts
+++ b/extensions/whatsapp/index.ts
@@ -1,5 +1,5 @@
-import type { OpenClawPluginApi } from "openclaw/plugin-sdk/whatsapp";
-import { emptyPluginConfigSchema } from "openclaw/plugin-sdk/whatsapp";
+import type { OpenClawPluginApi } from "openclaw/plugin-sdk";
+import { emptyPluginConfigSchema } from "openclaw/plugin-sdk";
 import { whatsappPlugin } from "./src/channel.js";
 import { setWhatsAppRuntime } from "./src/runtime.js";
 
diff --git a/extensions/whatsapp/src/runtime.ts b/extensions/whatsapp/src/runtime.ts
index bf415eb17db..c3644a531d2 100644
--- a/extensions/whatsapp/src/runtime.ts
+++ b/extensions/whatsapp/src/runtime.ts
@@ -1,4 +1,5 @@
-import { createPluginRuntimeStore, type PluginRuntime } from "openclaw/plugin-sdk/whatsapp";
+import type { PluginRuntime } from "openclaw/plugin-sdk";
+import { createPluginRuntimeStore } from "openclaw/plugin-sdk/compat";
 
 const { setRuntime: setWhatsAppRuntime, getRuntime: getWhatsAppRuntime } =
   createPluginRuntimeStore<PluginRuntime>("WhatsApp runtime not initialized");
diff --git a/src/agents/pi-embedded-runner/compact.ts b/src/agents/pi-embedded-runner/compact.ts
index 41f681f8de5..67c5b8184b2 100644
--- a/src/agents/pi-embedded-runner/compact.ts
+++ b/src/agents/pi-embedded-runner/compact.ts
@@ -19,11 +19,11 @@ import { createInternalHookEvent, triggerInternalHook } from "../../hooks/intern
 import { getMachineDisplayName } from "../../infra/machine-name.js";
 import { generateSecureToken } from "../../infra/secure-random.js";
 import { getMemorySearchManager } from "../../memory/index.js";
-import { resolveSignalReactionLevel } from "../../plugin-sdk/signal.js";
+import { resolveSignalReactionLevel } from "../../plugin-sdk-internal/signal.js";
 import {
   resolveTelegramInlineButtonsScope,
   resolveTelegramReactionLevel,
-} from "../../plugin-sdk/telegram.js";
+} from "../../plugin-sdk-internal/telegram.js";
 import { getGlobalHookRunner } from "../../plugins/hook-runner-global.js";
 import { prepareProviderRuntimeAuth } from "../../plugins/provider-runtime.js";
 import { type enqueueCommand, enqueueCommandInLane } from "../../process/command-queue.js";
diff --git a/src/agents/pi-embedded-runner/run/attempt.ts b/src/agents/pi-embedded-runner/run/attempt.ts
index 2194e87f9e0..bb2cad960bd 100644
--- a/src/agents/pi-embedded-runner/run/attempt.ts
+++ b/src/agents/pi-embedded-runner/run/attempt.ts
@@ -16,11 +16,11 @@ import {
   ensureGlobalUndiciStreamTimeouts,
 } from "../../../infra/net/undici-global-dispatcher.js";
 import { MAX_IMAGE_BYTES } from "../../../media/constants.js";
-import { resolveSignalReactionLevel } from "../../../plugin-sdk/signal.js";
+import { resolveSignalReactionLevel } from "../../../plugin-sdk-internal/signal.js";
 import {
   resolveTelegramInlineButtonsScope,
   resolveTelegramReactionLevel,
-} from "../../../plugin-sdk/telegram.js";
+} from "../../../plugin-sdk-internal/telegram.js";
 import { getGlobalHookRunner } from "../../../plugins/hook-runner-global.js";
 import type {
   PluginHookAgentContext,
diff --git a/src/agents/tools/discord-actions-guild.ts b/src/agents/tools/discord-actions-guild.ts
index fa427d87650..54386ad4267 100644
--- a/src/agents/tools/discord-actions-guild.ts
+++ b/src/agents/tools/discord-actions-guild.ts
@@ -19,8 +19,8 @@ import {
   setChannelPermissionDiscord,
   uploadEmojiDiscord,
   uploadStickerDiscord,
-} from "../../plugin-sdk/discord.js";
-import { getPresence } from "../../plugin-sdk/discord.js";
+} from "../../plugin-sdk-internal/discord.js";
+import { getPresence } from "../../plugin-sdk-internal/discord.js";
 import {
   type ActionGate,
   jsonResult,
diff --git a/src/agents/tools/discord-actions-messaging.ts b/src/agents/tools/discord-actions-messaging.ts
index 20fdfcc6a02..8a7f93aacbb 100644
--- a/src/agents/tools/discord-actions-messaging.ts
+++ b/src/agents/tools/discord-actions-messaging.ts
@@ -1,7 +1,6 @@
 import type { AgentToolResult } from "@mariozechner/pi-agent-core";
 import type { DiscordActionConfig } from "../../config/config.js";
 import type { OpenClawConfig } from "../../config/config.js";
-import { readBooleanParam } from "../../plugin-sdk/boolean-param.js";
 import {
   createThreadDiscord,
   deleteMessageDiscord,
@@ -23,9 +22,16 @@ import {
   sendStickerDiscord,
   sendVoiceMessageDiscord,
   unpinMessageDiscord,
-} from "../../plugin-sdk/discord.js";
-import type { DiscordSendComponents, DiscordSendEmbeds } from "../../plugin-sdk/discord.js";
-import { readDiscordComponentSpec, resolveDiscordChannelId } from "../../plugin-sdk/discord.js";
+} from "../../plugin-sdk-internal/discord.js";
+import type {
+  DiscordSendComponents,
+  DiscordSendEmbeds,
+} from "../../plugin-sdk-internal/discord.js";
+import {
+  readDiscordComponentSpec,
+  resolveDiscordChannelId,
+} from "../../plugin-sdk-internal/discord.js";
+import { readBooleanParam } from "../../plugin-sdk/boolean-param.js";
 import { resolvePollMaxSelections } from "../../polls.js";
 import { withNormalizedTimestamp } from "../date-time.js";
 import { assertMediaNotDataUrl } from "../sandbox-paths.js";
diff --git a/src/agents/tools/discord-actions-moderation.ts b/src/agents/tools/discord-actions-moderation.ts
index 56d7a80d4c9..63c3cc601bc 100644
--- a/src/agents/tools/discord-actions-moderation.ts
+++ b/src/agents/tools/discord-actions-moderation.ts
@@ -5,7 +5,7 @@ import {
   hasAnyGuildPermissionDiscord,
   kickMemberDiscord,
   timeoutMemberDiscord,
-} from "../../plugin-sdk/discord.js";
+} from "../../plugin-sdk-internal/discord.js";
 import { type ActionGate, jsonResult, readStringParam } from "./common.js";
 import {
   isDiscordModerationAction,
diff --git a/src/agents/tools/discord-actions-presence.ts b/src/agents/tools/discord-actions-presence.ts
index 53c42829bb0..fdfa53e2323 100644
--- a/src/agents/tools/discord-actions-presence.ts
+++ b/src/agents/tools/discord-actions-presence.ts
@@ -1,7 +1,7 @@
 import type { Activity, UpdatePresenceData } from "@buape/carbon/gateway";
 import type { AgentToolResult } from "@mariozechner/pi-agent-core";
 import type { DiscordActionConfig } from "../../config/config.js";
-import { getGateway } from "../../plugin-sdk/discord.js";
+import { getGateway } from "../../plugin-sdk-internal/discord.js";
 import { type ActionGate, jsonResult, readStringParam } from "./common.js";
 
 const ACTIVITY_TYPE_MAP: Record<string, number> = {
diff --git a/src/agents/tools/discord-actions.ts b/src/agents/tools/discord-actions.ts
index b953e56cffd..0e380b8d383 100644
--- a/src/agents/tools/discord-actions.ts
+++ b/src/agents/tools/discord-actions.ts
@@ -1,6 +1,6 @@
 import type { AgentToolResult } from "@mariozechner/pi-agent-core";
 import type { OpenClawConfig } from "../../config/config.js";
-import { createDiscordActionGate } from "../../plugin-sdk/discord.js";
+import { createDiscordActionGate } from "../../plugin-sdk-internal/discord.js";
 import { readStringParam } from "./common.js";
 import { handleDiscordGuildAction } from "./discord-actions-guild.js";
 import { handleDiscordMessagingAction } from "./discord-actions-messaging.js";
diff --git a/src/agents/tools/slack-actions.ts b/src/agents/tools/slack-actions.ts
index e9089cbfdcc..c7fc16ed8b1 100644
--- a/src/agents/tools/slack-actions.ts
+++ b/src/agents/tools/slack-actions.ts
@@ -15,14 +15,14 @@ import {
   removeSlackReaction,
   sendSlackMessage,
   unpinSlackMessage,
-} from "../../plugin-sdk/slack.js";
+} from "../../plugin-sdk-internal/slack.js";
 import {
   parseSlackBlocksInput,
   parseSlackTarget,
   recordSlackThreadParticipation,
   resolveSlackAccount,
   resolveSlackChannelId,
-} from "../../plugin-sdk/slack.js";
+} from "../../plugin-sdk-internal/slack.js";
 import { withNormalizedTimestamp } from "../date-time.js";
 import {
   createActionGate,
diff --git a/src/agents/tools/telegram-actions.ts b/src/agents/tools/telegram-actions.ts
index d648b1e5f41..9f2d48831c3 100644
--- a/src/agents/tools/telegram-actions.ts
+++ b/src/agents/tools/telegram-actions.ts
@@ -1,15 +1,17 @@
 import type { AgentToolResult } from "@mariozechner/pi-agent-core";
 import type { OpenClawConfig } from "../../config/config.js";
-import { readBooleanParam } from "../../plugin-sdk/boolean-param.js";
 import {
   createTelegramActionGate,
   resolveTelegramPollActionGateState,
-} from "../../plugin-sdk/telegram.js";
-import type { TelegramButtonStyle, TelegramInlineButtons } from "../../plugin-sdk/telegram.js";
+} from "../../plugin-sdk-internal/telegram.js";
+import type {
+  TelegramButtonStyle,
+  TelegramInlineButtons,
+} from "../../plugin-sdk-internal/telegram.js";
 import {
   resolveTelegramInlineButtonsScope,
   resolveTelegramTargetChatType,
-} from "../../plugin-sdk/telegram.js";
+} from "../../plugin-sdk-internal/telegram.js";
 import {
   createForumTopicTelegram,
   deleteMessageTelegram,
@@ -19,13 +21,14 @@ import {
   sendMessageTelegram,
   sendPollTelegram,
   sendStickerTelegram,
-} from "../../plugin-sdk/telegram.js";
+} from "../../plugin-sdk-internal/telegram.js";
 import {
   getCacheStats,
   resolveTelegramReactionLevel,
   resolveTelegramToken,
   searchStickers,
-} from "../../plugin-sdk/telegram.js";
+} from "../../plugin-sdk-internal/telegram.js";
+import { readBooleanParam } from "../../plugin-sdk/boolean-param.js";
 import { resolvePollMaxSelections } from "../../polls.js";
 import {
   jsonResult,
diff --git a/src/agents/tools/whatsapp-actions.ts b/src/agents/tools/whatsapp-actions.ts
index a84dc0a3d5b..30f36331d18 100644
--- a/src/agents/tools/whatsapp-actions.ts
+++ b/src/agents/tools/whatsapp-actions.ts
@@ -1,6 +1,6 @@
 import type { AgentToolResult } from "@mariozechner/pi-agent-core";
 import type { OpenClawConfig } from "../../config/config.js";
-import { sendReactionWhatsApp } from "../../plugin-sdk/whatsapp.js";
+import { sendReactionWhatsApp } from "../../plugin-sdk-internal/whatsapp.js";
 import { createActionGate, jsonResult, readReactionParams, readStringParam } from "./common.js";
 import { resolveAuthorizedWhatsAppOutboundTarget } from "./whatsapp-target-auth.js";
 
diff --git a/src/agents/tools/whatsapp-target-auth.ts b/src/agents/tools/whatsapp-target-auth.ts
index edc0052fbab..76e7e15d084 100644
--- a/src/agents/tools/whatsapp-target-auth.ts
+++ b/src/agents/tools/whatsapp-target-auth.ts
@@ -1,5 +1,5 @@
 import type { OpenClawConfig } from "../../config/config.js";
-import { resolveWhatsAppAccount } from "../../plugin-sdk/whatsapp.js";
+import { resolveWhatsAppAccount } from "../../plugin-sdk-internal/whatsapp.js";
 import { resolveWhatsAppOutboundTarget } from "../../whatsapp/resolve-outbound-target.js";
 import { ToolAuthorizationError } from "./common.js";
 
diff --git a/src/auto-reply/reply/commands-approve.ts b/src/auto-reply/reply/commands-approve.ts
index 630ea988c05..5f259c1b45a 100644
--- a/src/auto-reply/reply/commands-approve.ts
+++ b/src/auto-reply/reply/commands-approve.ts
@@ -3,7 +3,7 @@ import { logVerbose } from "../../globals.js";
 import {
   isTelegramExecApprovalApprover,
   isTelegramExecApprovalClientEnabled,
-} from "../../plugin-sdk/telegram.js";
+} from "../../plugin-sdk-internal/telegram.js";
 import { GATEWAY_CLIENT_MODES, GATEWAY_CLIENT_NAMES } from "../../utils/message-channel.js";
 import { requireGatewayClientScopeForInternalChannel } from "./command-gates.js";
 import type { CommandHandler } from "./commands-types.js";
diff --git a/src/auto-reply/reply/commands-models.ts b/src/auto-reply/reply/commands-models.ts
index 25f309361d2..99e02cfa81e 100644
--- a/src/auto-reply/reply/commands-models.ts
+++ b/src/auto-reply/reply/commands-models.ts
@@ -16,7 +16,7 @@ import {
   calculateTotalPages,
   getModelsPageSize,
   type ProviderInfo,
-} from "../../plugin-sdk/telegram.js";
+} from "../../plugin-sdk-internal/telegram.js";
 import type { ReplyPayload } from "../types.js";
 import { rejectUnauthorizedCommand } from "./command-gates.js";
 import type { CommandHandler } from "./commands-types.js";
diff --git a/src/auto-reply/reply/directive-handling.model.ts b/src/auto-reply/reply/directive-handling.model.ts
index 521d3bd6fea..d27bdb25d61 100644
--- a/src/auto-reply/reply/directive-handling.model.ts
+++ b/src/auto-reply/reply/directive-handling.model.ts
@@ -8,7 +8,7 @@ import {
 } from "../../agents/model-selection.js";
 import type { OpenClawConfig } from "../../config/config.js";
 import type { SessionEntry } from "../../config/sessions.js";
-import { buildBrowseProvidersButton } from "../../plugin-sdk/telegram.js";
+import { buildBrowseProvidersButton } from "../../plugin-sdk-internal/telegram.js";
 import { shortenHomePath } from "../../utils.js";
 import { resolveSelectedAndActiveModel } from "../model-runtime.js";
 import type { ReplyPayload } from "../types.js";
diff --git a/src/auto-reply/templating.ts b/src/auto-reply/templating.ts
index a32fdc3ba87..b426b18eab5 100644
--- a/src/auto-reply/templating.ts
+++ b/src/auto-reply/templating.ts
@@ -3,7 +3,7 @@ import type {
   MediaUnderstandingDecision,
   MediaUnderstandingOutput,
 } from "../media-understanding/types.js";
-import type { StickerMetadata } from "../plugin-sdk/telegram.js";
+import type { StickerMetadata } from "../plugin-sdk-internal/telegram.js";
 import type { InputProvenance } from "../sessions/input-provenance.js";
 import type { InternalMessageChannel } from "../utils/message-channel.js";
 import type { CommandArgs } from "./commands-registry.types.js";
diff --git a/src/channel-web.ts b/src/channel-web.ts
index e6df4bda0d7..f7e451b142a 100644
--- a/src/channel-web.ts
+++ b/src/channel-web.ts
@@ -7,11 +7,15 @@ export {
   monitorWebChannel,
   resolveHeartbeatRecipients,
   runWebHeartbeatOnce,
-} from "./plugin-sdk/whatsapp.js";
-export { extractMediaPlaceholder, extractText, monitorWebInbox } from "./plugin-sdk/whatsapp.js";
-export { loginWeb } from "./plugin-sdk/whatsapp.js";
-export { loadWebMedia, optimizeImageToJpeg } from "./plugin-sdk/whatsapp.js";
-export { sendMessageWhatsApp } from "./plugin-sdk/whatsapp.js";
+} from "./plugin-sdk-internal/whatsapp.js";
+export {
+  extractMediaPlaceholder,
+  extractText,
+  monitorWebInbox,
+} from "./plugin-sdk-internal/whatsapp.js";
+export { loginWeb } from "./plugin-sdk-internal/whatsapp.js";
+export { loadWebMedia, optimizeImageToJpeg } from "./plugin-sdk-internal/whatsapp.js";
+export { sendMessageWhatsApp } from "./plugin-sdk-internal/whatsapp.js";
 export {
   createWaSocket,
   formatError,
@@ -22,4 +26,4 @@ export {
   WA_WEB_AUTH_DIR,
   waitForWaConnection,
   webAuthExists,
-} from "./plugin-sdk/whatsapp.js";
+} from "./plugin-sdk-internal/whatsapp.js";
diff --git a/src/channels/plugins/actions/discord.ts b/src/channels/plugins/actions/discord.ts
index 4615a88f3c5..ec11ca6c970 100644
--- a/src/channels/plugins/actions/discord.ts
+++ b/src/channels/plugins/actions/discord.ts
@@ -1,2 +1,2 @@
 // Public entrypoint for the Discord channel action adapter.
-export * from "../../../plugin-sdk/discord.js";
+export * from "../../../plugin-sdk-internal/discord.js";
diff --git a/src/channels/plugins/actions/signal.ts b/src/channels/plugins/actions/signal.ts
index 60a70bac4c0..7db723f305e 100644
--- a/src/channels/plugins/actions/signal.ts
+++ b/src/channels/plugins/actions/signal.ts
@@ -5,7 +5,7 @@ import {
   resolveSignalAccount,
   resolveSignalReactionLevel,
   sendReactionSignal,
-} from "../../../plugin-sdk/signal.js";
+} from "../../../plugin-sdk-internal/signal.js";
 import type { ChannelMessageActionAdapter, ChannelMessageActionName } from "../types.js";
 import { resolveReactionMessageId } from "./reaction-message-id.js";
 
diff --git a/src/channels/plugins/actions/telegram.ts b/src/channels/plugins/actions/telegram.ts
index e811e757b94..e34c4598ade 100644
--- a/src/channels/plugins/actions/telegram.ts
+++ b/src/channels/plugins/actions/telegram.ts
@@ -1,2 +1,2 @@
 // Public entrypoint for the Telegram channel action adapter.
-export * from "../../../plugin-sdk/telegram.js";
+export * from "../../../plugin-sdk-internal/telegram.js";
diff --git a/src/channels/plugins/agent-tools/whatsapp-login.ts b/src/channels/plugins/agent-tools/whatsapp-login.ts
index 2204225bdda..661b49e083b 100644
--- a/src/channels/plugins/agent-tools/whatsapp-login.ts
+++ b/src/channels/plugins/agent-tools/whatsapp-login.ts
@@ -1,2 +1,2 @@
 // Shim: keep legacy import path while the runtime loads the plugin SDK surface.
-export * from "../../../plugin-sdk/whatsapp.js";
+export * from "../../../plugin-sdk-internal/whatsapp.js";
diff --git a/src/channels/plugins/group-mentions.ts b/src/channels/plugins/group-mentions.ts
index f825fc73fe5..94079daed04 100644
--- a/src/channels/plugins/group-mentions.ts
+++ b/src/channels/plugins/group-mentions.ts
@@ -10,7 +10,7 @@ import type {
   GroupToolPolicyConfig,
 } from "../../config/types.tools.js";
 import { resolveExactLineGroupConfigKey } from "../../line/group-keys.js";
-import { inspectSlackAccount } from "../../plugin-sdk/slack.js";
+import { inspectSlackAccount } from "../../plugin-sdk-internal/slack.js";
 import { normalizeAtHashSlug, normalizeHyphenSlug } from "../../shared/string-normalization.js";
 import type { ChannelGroupContext } from "./types.js";
 
diff --git a/src/channels/plugins/slack.actions.ts b/src/channels/plugins/slack.actions.ts
index 8c7f02ee9ec..7e74af7058d 100644
--- a/src/channels/plugins/slack.actions.ts
+++ b/src/channels/plugins/slack.actions.ts
@@ -1,11 +1,11 @@
 import { handleSlackAction, type SlackActionContext } from "../../agents/tools/slack-actions.js";
-import { handleSlackMessageAction } from "../../plugin-sdk/slack-message-actions.js";
 import {
   extractSlackToolSend,
   isSlackInteractiveRepliesEnabled,
   listSlackMessageActions,
   resolveSlackChannelId,
-} from "../../plugin-sdk/slack.js";
+} from "../../plugin-sdk-internal/slack.js";
+import { handleSlackMessageAction } from "../../plugin-sdk/slack-message-actions.js";
 import type { ChannelMessageActionAdapter } from "./types.js";
 
 export function createSlackActions(providerId: string): ChannelMessageActionAdapter {
diff --git a/src/channels/read-only-account-inspect.discord.runtime.ts b/src/channels/read-only-account-inspect.discord.runtime.ts
index 9d2ac6ef427..00d0943b1ec 100644
--- a/src/channels/read-only-account-inspect.discord.runtime.ts
+++ b/src/channels/read-only-account-inspect.discord.runtime.ts
@@ -1,2 +1,2 @@
-export { inspectDiscordAccount } from "../plugin-sdk/discord.js";
-export type { InspectedDiscordAccount } from "../plugin-sdk/discord.js";
+export { inspectDiscordAccount } from "../plugin-sdk-internal/discord.js";
+export type { InspectedDiscordAccount } from "../plugin-sdk-internal/discord.js";
diff --git a/src/channels/read-only-account-inspect.slack.runtime.ts b/src/channels/read-only-account-inspect.slack.runtime.ts
index a7526e2ea95..c3e2bd5d83c 100644
--- a/src/channels/read-only-account-inspect.slack.runtime.ts
+++ b/src/channels/read-only-account-inspect.slack.runtime.ts
@@ -1,2 +1,2 @@
-export { inspectSlackAccount } from "../plugin-sdk/slack.js";
-export type { InspectedSlackAccount } from "../plugin-sdk/slack.js";
+export { inspectSlackAccount } from "../plugin-sdk-internal/slack.js";
+export type { InspectedSlackAccount } from "../plugin-sdk-internal/slack.js";
diff --git a/src/channels/read-only-account-inspect.telegram.runtime.ts b/src/channels/read-only-account-inspect.telegram.runtime.ts
index 0ab48f2c241..1e633a0ff8e 100644
--- a/src/channels/read-only-account-inspect.telegram.runtime.ts
+++ b/src/channels/read-only-account-inspect.telegram.runtime.ts
@@ -1,2 +1,2 @@
-export { inspectTelegramAccount } from "../plugin-sdk/telegram.js";
-export type { InspectedTelegramAccount } from "../plugin-sdk/telegram.js";
+export { inspectTelegramAccount } from "../plugin-sdk-internal/telegram.js";
+export type { InspectedTelegramAccount } from "../plugin-sdk-internal/telegram.js";
diff --git a/src/cli/deps.test.ts b/src/cli/deps.test.ts
index 64b66313907..d13f2998987 100644
--- a/src/cli/deps.test.ts
+++ b/src/cli/deps.test.ts
@@ -19,32 +19,32 @@ const sendFns = vi.hoisted(() => ({
   imessage: vi.fn(async () => ({ messageId: "i1", chatId: "imessage:1" })),
 }));
 
-vi.mock("../plugin-sdk/whatsapp.js", () => {
+vi.mock("../plugin-sdk-internal/whatsapp.js", () => {
   moduleLoads.whatsapp();
   return { sendMessageWhatsApp: sendFns.whatsapp };
 });
 
-vi.mock("../plugin-sdk/telegram.js", () => {
+vi.mock("../plugin-sdk-internal/telegram.js", () => {
   moduleLoads.telegram();
   return { sendMessageTelegram: sendFns.telegram };
 });
 
-vi.mock("../plugin-sdk/discord.js", () => {
+vi.mock("../plugin-sdk-internal/discord.js", () => {
   moduleLoads.discord();
   return { sendMessageDiscord: sendFns.discord };
 });
 
-vi.mock("../plugin-sdk/slack.js", () => {
+vi.mock("../plugin-sdk-internal/slack.js", () => {
   moduleLoads.slack();
   return { sendMessageSlack: sendFns.slack };
 });
 
-vi.mock("../plugin-sdk/signal.js", () => {
+vi.mock("../plugin-sdk-internal/signal.js", () => {
   moduleLoads.signal();
   return { sendMessageSignal: sendFns.signal };
 });
 
-vi.mock("../plugin-sdk/imessage.js", () => {
+vi.mock("../plugin-sdk-internal/imessage.js", () => {
   moduleLoads.imessage();
   return { sendMessageIMessage: sendFns.imessage };
 });
diff --git a/src/cli/deps.ts b/src/cli/deps.ts
index 7ebfbf74f5b..84bb107f97e 100644
--- a/src/cli/deps.ts
+++ b/src/cli/deps.ts
@@ -35,32 +35,32 @@ export function createDefaultDeps(): CliDeps {
   return {
     whatsapp: createLazySender(
       "whatsapp",
-      () => import("../plugin-sdk/whatsapp.js") as Promise<Record<string, unknown>>,
+      () => import("../plugin-sdk-internal/whatsapp.js") as Promise<Record<string, unknown>>,
       "sendMessageWhatsApp",
     ),
     telegram: createLazySender(
       "telegram",
-      () => import("../plugin-sdk/telegram.js") as Promise<Record<string, unknown>>,
+      () => import("../plugin-sdk-internal/telegram.js") as Promise<Record<string, unknown>>,
       "sendMessageTelegram",
     ),
     discord: createLazySender(
       "discord",
-      () => import("../plugin-sdk/discord.js") as Promise<Record<string, unknown>>,
+      () => import("../plugin-sdk-internal/discord.js") as Promise<Record<string, unknown>>,
       "sendMessageDiscord",
     ),
     slack: createLazySender(
       "slack",
-      () => import("../plugin-sdk/slack.js") as Promise<Record<string, unknown>>,
+      () => import("../plugin-sdk-internal/slack.js") as Promise<Record<string, unknown>>,
       "sendMessageSlack",
     ),
     signal: createLazySender(
       "signal",
-      () => import("../plugin-sdk/signal.js") as Promise<Record<string, unknown>>,
+      () => import("../plugin-sdk-internal/signal.js") as Promise<Record<string, unknown>>,
       "sendMessageSignal",
     ),
     imessage: createLazySender(
       "imessage",
-      () => import("../plugin-sdk/imessage.js") as Promise<Record<string, unknown>>,
+      () => import("../plugin-sdk-internal/imessage.js") as Promise<Record<string, unknown>>,
       "sendMessageIMessage",
     ),
   };
@@ -70,4 +70,4 @@ export function createOutboundSendDeps(deps: CliDeps): OutboundSendDeps {
   return createOutboundSendDepsFromCliSource(deps);
 }
 
-export { logWebSelfId } from "../plugin-sdk/whatsapp.js";
+export { logWebSelfId } from "../plugin-sdk-internal/whatsapp.js";
diff --git a/src/commands/doctor-config-flow.ts b/src/commands/doctor-config-flow.ts
index a1cbf5fa6d9..0c52c9b582a 100644
--- a/src/commands/doctor-config-flow.ts
+++ b/src/commands/doctor-config-flow.ts
@@ -29,7 +29,7 @@ import {
   listTelegramAccountIds,
   normalizeTelegramAllowFromEntry,
   resolveTelegramAccount,
-} from "../plugin-sdk/telegram.js";
+} from "../plugin-sdk-internal/telegram.js";
 import {
   formatChannelAccountsDefaultPath,
   formatSetExplicitDefaultInstruction,
diff --git a/src/config/plugin-auto-enable.ts b/src/config/plugin-auto-enable.ts
index 1c93c61c800..7ca736ee448 100644
--- a/src/config/plugin-auto-enable.ts
+++ b/src/config/plugin-auto-enable.ts
@@ -8,7 +8,7 @@ import {
   listChatChannels,
   normalizeChatChannelId,
 } from "../channels/registry.js";
-import { hasAnyWhatsAppAuth } from "../plugin-sdk/whatsapp.js";
+import { hasAnyWhatsAppAuth } from "../plugin-sdk-internal/whatsapp.js";
 import {
   loadPluginManifestRegistry,
   type PluginManifestRegistry,
diff --git a/src/config/schema.help.ts b/src/config/schema.help.ts
index 3d93ee58465..b008b8bf869 100644
--- a/src/config/schema.help.ts
+++ b/src/config/schema.help.ts
@@ -1,7 +1,7 @@
 import {
   DISCORD_DEFAULT_INBOUND_WORKER_TIMEOUT_MS,
   DISCORD_DEFAULT_LISTENER_TIMEOUT_MS,
-} from "../plugin-sdk/discord.js";
+} from "../plugin-sdk-internal/discord.js";
 import { MEDIA_AUDIO_FIELD_HELP } from "./media-audio-field-metadata.js";
 import { IRC_FIELD_HELP } from "./schema.irc.js";
 import { describeTalkSilenceTimeoutDefaults } from "./talk-defaults.js";
diff --git a/src/config/sessions/explicit-session-key-normalization.ts b/src/config/sessions/explicit-session-key-normalization.ts
index 08543e5a6d0..16b43a7c43c 100644
--- a/src/config/sessions/explicit-session-key-normalization.ts
+++ b/src/config/sessions/explicit-session-key-normalization.ts
@@ -1,5 +1,5 @@
 import type { MsgContext } from "../../auto-reply/templating.js";
-import { normalizeExplicitDiscordSessionKey } from "../../plugin-sdk/discord.js";
+import { normalizeExplicitDiscordSessionKey } from "../../plugin-sdk-internal/discord.js";
 
 type ExplicitSessionKeyNormalizer = (sessionKey: string, ctx: MsgContext) => string;
 type ExplicitSessionKeyNormalizerEntry = {
diff --git a/src/config/types.discord.ts b/src/config/types.discord.ts
index c9269c6b8fd..aea4e7f8cfd 100644
--- a/src/config/types.discord.ts
+++ b/src/config/types.discord.ts
@@ -1,4 +1,4 @@
-import type { DiscordPluralKitConfig } from "../plugin-sdk/discord.js";
+import type { DiscordPluralKitConfig } from "../plugin-sdk-internal/discord.js";
 import type {
   BlockStreamingChunkConfig,
   BlockStreamingCoalesceConfig,
diff --git a/src/cron/isolated-agent/delivery-target.ts b/src/cron/isolated-agent/delivery-target.ts
index e903cd15cab..585e273e613 100644
--- a/src/cron/isolated-agent/delivery-target.ts
+++ b/src/cron/isolated-agent/delivery-target.ts
@@ -13,7 +13,7 @@ import {
   resolveSessionDeliveryTarget,
 } from "../../infra/outbound/targets.js";
 import { readChannelAllowFromStoreSync } from "../../pairing/pairing-store.js";
-import { resolveWhatsAppAccount } from "../../plugin-sdk/whatsapp.js";
+import { resolveWhatsAppAccount } from "../../plugin-sdk-internal/whatsapp.js";
 import { buildChannelAccountBindings } from "../../routing/bindings.js";
 import { normalizeAccountId, normalizeAgentId } from "../../routing/session-key.js";
 import { normalizeWhatsAppTarget } from "../../whatsapp/normalize.js";
diff --git a/src/gateway/server-http.ts b/src/gateway/server-http.ts
index 0ad655f4990..fe35da1f356 100644
--- a/src/gateway/server-http.ts
+++ b/src/gateway/server-http.ts
@@ -13,7 +13,7 @@ import { CANVAS_WS_PATH, handleA2uiHttpRequest } from "../canvas-host/a2ui.js";
 import type { CanvasHostHandler } from "../canvas-host/server.js";
 import { loadConfig } from "../config/config.js";
 import type { createSubsystemLogger } from "../logging/subsystem.js";
-import { handleSlackHttpRequest } from "../plugin-sdk/slack.js";
+import { handleSlackHttpRequest } from "../plugin-sdk-internal/slack.js";
 import { safeEqualSecret } from "../security/secret-equal.js";
 import {
   AUTH_RATE_LIMIT_SCOPE_HOOK_AUTH,
diff --git a/src/infra/state-migrations.ts b/src/infra/state-migrations.ts
index b429365a4a4..6646ab02e75 100644
--- a/src/infra/state-migrations.ts
+++ b/src/infra/state-migrations.ts
@@ -15,7 +15,7 @@ import { canonicalizeMainSessionAlias } from "../config/sessions/main-session.js
 import type { SessionScope } from "../config/sessions/types.js";
 import { createSubsystemLogger } from "../logging/subsystem.js";
 import { resolveChannelAllowFromPath } from "../pairing/pairing-store.js";
-import { listTelegramAccountIds } from "../plugin-sdk/telegram.js";
+import { listTelegramAccountIds } from "../plugin-sdk-internal/telegram.js";
 import {
   buildAgentMainSessionKey,
   DEFAULT_ACCOUNT_ID,
diff --git a/src/plugin-sdk/discord.ts b/src/plugin-sdk/discord.ts
index d89f768071b..82ffb8dde5c 100644
--- a/src/plugin-sdk/discord.ts
+++ b/src/plugin-sdk/discord.ts
@@ -1,21 +1,8 @@
 export type { ChannelMessageActionAdapter } from "../channels/plugins/types.js";
 export type { OpenClawConfig } from "../config/config.js";
 export type { DiscordAccountConfig, DiscordActionConfig } from "../config/types.js";
-export type { InspectedDiscordAccount } from "../../extensions/discord/src/account-inspect.js";
-export type { ResolvedDiscordAccount } from "../../extensions/discord/src/accounts.js";
-export type {
-  DiscordSendComponents,
-  DiscordSendEmbeds,
-} from "../../extensions/discord/src/send.shared.js";
 export * from "./channel-plugin-common.js";
 
-export {
-  createDiscordActionGate,
-  listDiscordAccountIds,
-  resolveDefaultDiscordAccountId,
-  resolveDiscordAccount,
-} from "../../extensions/discord/src/accounts.js";
-export { inspectDiscordAccount } from "../../extensions/discord/src/account-inspect.js";
 export {
   projectCredentialSnapshotFields,
   resolveConfiguredFromCredentialStatuses,
@@ -24,19 +11,6 @@ export {
   listDiscordDirectoryGroupsFromConfig,
   listDiscordDirectoryPeersFromConfig,
 } from "../channels/plugins/directory-config.js";
-export {
-  looksLikeDiscordTargetId,
-  normalizeDiscordMessagingTarget,
-  normalizeDiscordOutboundTarget,
-} from "../../extensions/discord/src/normalize.js";
-export { collectDiscordAuditChannelIds } from "../../extensions/discord/src/audit.js";
-export { collectDiscordStatusIssues } from "../../extensions/discord/src/status-issues.js";
-export {
-  DISCORD_DEFAULT_INBOUND_WORKER_TIMEOUT_MS,
-  DISCORD_DEFAULT_LISTENER_TIMEOUT_MS,
-} from "../../extensions/discord/src/monitor/timeouts.js";
-export { normalizeExplicitDiscordSessionKey } from "../../extensions/discord/src/session-key-normalization.js";
-export type { DiscordPluralKitConfig } from "../../extensions/discord/src/pluralkit.js";
 
 export {
   resolveDefaultGroupPolicy,
@@ -46,70 +20,8 @@ export {
   resolveDiscordGroupRequireMention,
   resolveDiscordGroupToolPolicy,
 } from "../channels/plugins/group-mentions.js";
-export { discordSetupWizard } from "../../extensions/discord/src/setup-surface.js";
-export { discordSetupAdapter } from "../../extensions/discord/src/setup-core.js";
 export { DiscordConfigSchema } from "../config/zod-schema.providers-core.js";
 
-export {
-  autoBindSpawnedDiscordSubagent,
-  listThreadBindingsBySessionKey,
-  unbindThreadBindingsBySessionKey,
-} from "../../extensions/discord/src/monitor/thread-bindings.js";
-export { getGateway } from "../../extensions/discord/src/monitor/gateway-registry.js";
-export { getPresence } from "../../extensions/discord/src/monitor/presence-cache.js";
-export { readDiscordComponentSpec } from "../../extensions/discord/src/components.js";
-export { resolveDiscordChannelId } from "../../extensions/discord/src/targets.js";
-export {
-  addRoleDiscord,
-  banMemberDiscord,
-  createChannelDiscord,
-  createScheduledEventDiscord,
-  createThreadDiscord,
-  deleteChannelDiscord,
-  deleteMessageDiscord,
-  editChannelDiscord,
-  editMessageDiscord,
-  fetchChannelInfoDiscord,
-  fetchChannelPermissionsDiscord,
-  fetchMemberInfoDiscord,
-  fetchMessageDiscord,
-  fetchReactionsDiscord,
-  fetchRoleInfoDiscord,
-  fetchVoiceStatusDiscord,
-  hasAnyGuildPermissionDiscord,
-  kickMemberDiscord,
-  listGuildChannelsDiscord,
-  listGuildEmojisDiscord,
-  listPinsDiscord,
-  listScheduledEventsDiscord,
-  listThreadsDiscord,
-  moveChannelDiscord,
-  pinMessageDiscord,
-  reactMessageDiscord,
-  readMessagesDiscord,
-  removeChannelPermissionDiscord,
-  removeOwnReactionsDiscord,
-  removeReactionDiscord,
-  removeRoleDiscord,
-  searchMessagesDiscord,
-  sendDiscordComponentMessage,
-  sendMessageDiscord,
-  sendPollDiscord,
-  sendStickerDiscord,
-  sendVoiceMessageDiscord,
-  setChannelPermissionDiscord,
-  timeoutMemberDiscord,
-  unpinMessageDiscord,
-  uploadEmojiDiscord,
-  uploadStickerDiscord,
-} from "../../extensions/discord/src/send.js";
-export { discordMessageActions } from "../../extensions/discord/src/channel-actions.js";
-export type {
-  ThreadBindingManager,
-  ThreadBindingRecord,
-  ThreadBindingTargetKind,
-} from "../../extensions/discord/src/monitor/thread-bindings.js";
-
 export {
   buildComputedAccountStatusSnapshot,
   buildTokenChannelStatusSummary,
diff --git a/src/plugin-sdk/imessage.ts b/src/plugin-sdk/imessage.ts
index 0fe2e278d40..f896799b323 100644
--- a/src/plugin-sdk/imessage.ts
+++ b/src/plugin-sdk/imessage.ts
@@ -1,11 +1,5 @@
-export type { ResolvedIMessageAccount } from "../../extensions/imessage/src/accounts.js";
 export type { IMessageAccountConfig } from "../config/types.js";
 export * from "./channel-plugin-common.js";
-export {
-  listIMessageAccountIds,
-  resolveDefaultIMessageAccountId,
-  resolveIMessageAccount,
-} from "../../extensions/imessage/src/accounts.js";
 export {
   formatTrimmedAllowFromEntries,
   resolveIMessageConfigAllowFrom,
@@ -15,20 +9,6 @@ export {
   looksLikeIMessageTargetId,
   normalizeIMessageMessagingTarget,
 } from "../channels/plugins/normalize/imessage.js";
-export {
-  createAllowedChatSenderMatcher,
-  parseChatAllowTargetPrefixes,
-  parseChatTargetPrefixesOrThrow,
-  resolveServicePrefixedChatTarget,
-  resolveServicePrefixedAllowTarget,
-  resolveServicePrefixedOrChatAllowTarget,
-  resolveServicePrefixedTarget,
-} from "../../extensions/imessage/src/target-parsing-helpers.js";
-export type {
-  ChatSenderAllowParams,
-  ParsedChatTarget,
-} from "../../extensions/imessage/src/target-parsing-helpers.js";
-export { sendMessageIMessage } from "../../extensions/imessage/src/send.js";
 
 export {
   resolveAllowlistProviderRuntimeGroupPolicy,
@@ -38,8 +18,6 @@ export {
   resolveIMessageGroupRequireMention,
   resolveIMessageGroupToolPolicy,
 } from "../channels/plugins/group-mentions.js";
-export { imessageSetupWizard } from "../../extensions/imessage/src/setup-surface.js";
-export { imessageSetupAdapter } from "../../extensions/imessage/src/setup-core.js";
 export { IMessageConfigSchema } from "../config/zod-schema.providers-core.js";
 
 export { resolveChannelMediaMaxBytes } from "../channels/plugins/media-limits.js";
diff --git a/src/plugin-sdk/index.ts b/src/plugin-sdk/index.ts
index 4afc94eebab..e43be3bfadd 100644
--- a/src/plugin-sdk/index.ts
+++ b/src/plugin-sdk/index.ts
@@ -661,110 +661,6 @@ export { extractOriginalFilename } from "../media/store.js";
 export { listSkillCommandsForAgents } from "../auto-reply/skill-commands.js";
 export type { SkillCommandSpec } from "../agents/skills.js";
 
-// Channel: Discord
-export {
-  autoBindSpawnedDiscordSubagent,
-  collectDiscordAuditChannelIds,
-  collectDiscordStatusIssues,
-  discordSetupAdapter,
-  discordSetupWizard,
-  inspectDiscordAccount,
-  listDiscordAccountIds,
-  looksLikeDiscordTargetId,
-  normalizeDiscordMessagingTarget,
-  normalizeDiscordOutboundTarget,
-  resolveDefaultDiscordAccountId,
-  resolveDiscordAccount,
-  type InspectedDiscordAccount,
-  type ResolvedDiscordAccount,
-  type ThreadBindingManager,
-  type ThreadBindingRecord,
-  type ThreadBindingTargetKind,
-  listThreadBindingsBySessionKey,
-  unbindThreadBindingsBySessionKey,
-} from "./discord.js";
-
-// Channel: iMessage
-export {
-  createAllowedChatSenderMatcher,
-  imessageSetupAdapter,
-  imessageSetupWizard,
-  listIMessageAccountIds,
-  looksLikeIMessageTargetId,
-  normalizeIMessageMessagingTarget,
-  parseChatAllowTargetPrefixes,
-  parseChatTargetPrefixesOrThrow,
-  resolveServicePrefixedChatTarget,
-  resolveServicePrefixedAllowTarget,
-  resolveServicePrefixedOrChatAllowTarget,
-  resolveServicePrefixedTarget,
-  resolveDefaultIMessageAccountId,
-  resolveIMessageAccount,
-  type ChatSenderAllowParams,
-  type ParsedChatTarget,
-  type ResolvedIMessageAccount,
-} from "./imessage.js";
-
-// Channel: Slack
-export {
-  buildSlackThreadingToolContext,
-  extractSlackToolSend,
-  inspectSlackAccount,
-  listEnabledSlackAccounts,
-  listSlackAccountIds,
-  listSlackMessageActions,
-  looksLikeSlackTargetId,
-  normalizeSlackMessagingTarget,
-  resolveDefaultSlackAccountId,
-  resolveSlackAccount,
-  resolveSlackReplyToMode,
-  slackSetupAdapter,
-  slackSetupWizard,
-  type InspectedSlackAccount,
-  type ResolvedSlackAccount,
-} from "./slack.js";
-
-// Channel: Telegram
-export {
-  buildBrowseProvidersButton,
-  buildModelsKeyboard,
-  buildProviderKeyboard,
-  calculateTotalPages,
-  fetchTelegramChatId,
-  getModelsPageSize,
-  inspectTelegramAccount,
-  isNumericTelegramUserId,
-  isTelegramExecApprovalApprover,
-  isTelegramExecApprovalClientEnabled,
-  listTelegramAccountIds,
-  looksLikeTelegramTargetId,
-  normalizeTelegramAllowFromEntry,
-  normalizeTelegramMessagingTarget,
-  parseTelegramReplyToMessageId,
-  parseTelegramThreadId,
-  resolveDefaultTelegramAccountId,
-  resolveTelegramAccount,
-  telegramSetupAdapter,
-  telegramSetupWizard,
-  type ResolvedTelegramAccount,
-  type InspectedTelegramAccount,
-  type ProviderInfo,
-  type TelegramProbe,
-  collectTelegramStatusIssues,
-} from "./telegram.js";
-
-// Channel: Signal
-export {
-  listSignalAccountIds,
-  looksLikeSignalTargetId,
-  normalizeSignalMessagingTarget,
-  resolveDefaultSignalAccountId,
-  resolveSignalAccount,
-  signalSetupAdapter,
-  signalSetupWizard,
-  type ResolvedSignalAccount,
-} from "./signal.js";
-
 // Channel: WhatsApp — WhatsApp-specific exports moved to extensions/whatsapp/src/
 export { isWhatsAppGroupJid, normalizeWhatsAppTarget } from "../whatsapp/normalize.js";
 export { resolveWhatsAppOutboundTarget } from "../whatsapp/resolve-outbound-target.js";
diff --git a/src/plugin-sdk/signal.ts b/src/plugin-sdk/signal.ts
index 3683115143e..86f83b06318 100644
--- a/src/plugin-sdk/signal.ts
+++ b/src/plugin-sdk/signal.ts
@@ -1,19 +1,7 @@
 export type { ChannelMessageActionAdapter } from "../channels/plugins/types.js";
-export type { ResolvedSignalAccount } from "../../extensions/signal/src/accounts.js";
 export type { SignalAccountConfig } from "../config/types.js";
 export * from "./channel-plugin-common.js";
-export {
-  listEnabledSignalAccounts,
-  listSignalAccountIds,
-  resolveDefaultSignalAccountId,
-  resolveSignalAccount,
-} from "../../extensions/signal/src/accounts.js";
-export { resolveSignalReactionLevel } from "../../extensions/signal/src/reaction-level.js";
-export {
-  removeReactionSignal,
-  sendReactionSignal,
-} from "../../extensions/signal/src/send-reactions.js";
-export { sendMessageSignal } from "../../extensions/signal/src/send.js";
+
 export {
   looksLikeSignalTargetId,
   normalizeSignalMessagingTarget,
@@ -23,8 +11,6 @@ export {
   resolveAllowlistProviderRuntimeGroupPolicy,
   resolveDefaultGroupPolicy,
 } from "../config/runtime-group-policy.js";
-export { signalSetupWizard } from "../../extensions/signal/src/setup-surface.js";
-export { signalSetupAdapter } from "../../extensions/signal/src/setup-core.js";
 export { SignalConfigSchema } from "../config/zod-schema.providers-core.js";
 
 export { normalizeE164 } from "../utils.js";
diff --git a/src/plugin-sdk/slack.ts b/src/plugin-sdk/slack.ts
index 8ac3915ec31..93ad140bfad 100644
--- a/src/plugin-sdk/slack.ts
+++ b/src/plugin-sdk/slack.ts
@@ -1,17 +1,7 @@
 export type { OpenClawConfig } from "../config/config.js";
 export type { SlackAccountConfig } from "../config/types.slack.js";
-export type { InspectedSlackAccount } from "../../extensions/slack/src/account-inspect.js";
-export type { ResolvedSlackAccount } from "../../extensions/slack/src/accounts.js";
 export * from "./channel-plugin-common.js";
-export {
-  listEnabledSlackAccounts,
-  listSlackAccountIds,
-  resolveDefaultSlackAccountId,
-  resolveSlackAccount,
-  resolveSlackReplyToMode,
-} from "../../extensions/slack/src/accounts.js";
-export { isSlackInteractiveRepliesEnabled } from "../../extensions/slack/src/interactive-replies.js";
-export { inspectSlackAccount } from "../../extensions/slack/src/account-inspect.js";
+
 export {
   projectCredentialSnapshotFields,
   resolveConfiguredFromCredentialStatuses,
@@ -25,34 +15,6 @@ export {
   looksLikeSlackTargetId,
   normalizeSlackMessagingTarget,
 } from "../channels/plugins/normalize/slack.js";
-export { parseSlackTarget, resolveSlackChannelId } from "./slack-targets.js";
-export {
-  extractSlackToolSend,
-  listSlackMessageActions,
-} from "../../extensions/slack/src/message-actions.js";
-export { buildSlackThreadingToolContext } from "../../extensions/slack/src/threading-tool-context.js";
-export { parseSlackBlocksInput } from "../../extensions/slack/src/blocks-input.js";
-export { handleSlackHttpRequest } from "../../extensions/slack/src/http/index.js";
-export { sendMessageSlack } from "../../extensions/slack/src/send.js";
-export {
-  deleteSlackMessage,
-  downloadSlackFile,
-  editSlackMessage,
-  getSlackMemberInfo,
-  listSlackEmojis,
-  listSlackPins,
-  listSlackReactions,
-  pinSlackMessage,
-  reactSlackMessage,
-  readSlackMessages,
-  removeOwnSlackReactions,
-  removeSlackReaction,
-  sendSlackMessage,
-  unpinSlackMessage,
-} from "../../extensions/slack/src/actions.js";
-export { recordSlackThreadParticipation } from "../../extensions/slack/src/sent-thread-cache.js";
-export { buildComputedAccountStatusSnapshot } from "./status-helpers.js";
-
 export {
   resolveDefaultGroupPolicy,
   resolveOpenProviderRuntimeGroupPolicy,
@@ -61,8 +23,5 @@ export {
   resolveSlackGroupRequireMention,
   resolveSlackGroupToolPolicy,
 } from "../channels/plugins/group-mentions.js";
-export { slackSetupAdapter } from "../../extensions/slack/src/setup-core.js";
-export { slackSetupWizard } from "../../extensions/slack/src/setup-surface.js";
 export { SlackConfigSchema } from "../config/zod-schema.providers-core.js";
-
-export { handleSlackMessageAction } from "./slack-message-actions.js";
+export { buildComputedAccountStatusSnapshot } from "./status-helpers.js";
diff --git a/src/plugin-sdk/subpaths.test.ts b/src/plugin-sdk/subpaths.test.ts
index 5c26ebf44ca..5e3f62849d7 100644
--- a/src/plugin-sdk/subpaths.test.ts
+++ b/src/plugin-sdk/subpaths.test.ts
@@ -20,6 +20,8 @@ const bundledExtensionSubpathLoaders = pluginSdkSubpaths.map((id: string) => ({
   load: () => importPluginSdkSubpath(`openclaw/plugin-sdk/${id}`),
 }));
 
+const asExports = (mod: object) => mod as Record<string, unknown>;
+
 describe("plugin-sdk subpath exports", () => {
   it("exports compat helpers", () => {
     expect(typeof compatSdk.emptyPluginConfigSchema).toBe("function");
@@ -34,37 +36,38 @@ describe("plugin-sdk subpath exports", () => {
   });
 
   it("exports Discord helpers", () => {
-    expect(typeof discordSdk.resolveDiscordAccount).toBe("function");
-    expect(typeof discordSdk.inspectDiscordAccount).toBe("function");
-    expect(typeof discordSdk.discordSetupWizard).toBe("object");
-    expect(typeof discordSdk.discordSetupAdapter).toBe("object");
+    expect(typeof discordSdk.buildChannelConfigSchema).toBe("function");
+    expect(typeof discordSdk.DiscordConfigSchema).toBe("object");
+    expect(typeof discordSdk.projectCredentialSnapshotFields).toBe("function");
+    expect("resolveDiscordAccount" in asExports(discordSdk)).toBe(false);
   });
 
   it("exports Slack helpers", () => {
-    expect(typeof slackSdk.resolveSlackAccount).toBe("function");
-    expect(typeof slackSdk.inspectSlackAccount).toBe("function");
-    expect(typeof slackSdk.handleSlackMessageAction).toBe("function");
-    expect(typeof slackSdk.slackSetupWizard).toBe("object");
-    expect(typeof slackSdk.slackSetupAdapter).toBe("object");
+    expect(typeof slackSdk.buildChannelConfigSchema).toBe("function");
+    expect(typeof slackSdk.SlackConfigSchema).toBe("object");
+    expect(typeof slackSdk.looksLikeSlackTargetId).toBe("function");
+    expect("resolveSlackAccount" in asExports(slackSdk)).toBe(false);
   });
 
   it("exports Telegram helpers", () => {
-    expect(typeof telegramSdk.resolveTelegramAccount).toBe("function");
-    expect(typeof telegramSdk.inspectTelegramAccount).toBe("function");
-    expect(typeof telegramSdk.telegramSetupWizard).toBe("object");
-    expect(typeof telegramSdk.telegramSetupAdapter).toBe("object");
+    expect(typeof telegramSdk.buildChannelConfigSchema).toBe("function");
+    expect(typeof telegramSdk.TelegramConfigSchema).toBe("object");
+    expect(typeof telegramSdk.projectCredentialSnapshotFields).toBe("function");
+    expect("resolveTelegramAccount" in asExports(telegramSdk)).toBe(false);
   });
 
   it("exports Signal helpers", () => {
-    expect(typeof signalSdk.resolveSignalAccount).toBe("function");
-    expect(typeof signalSdk.signalSetupWizard).toBe("object");
-    expect(typeof signalSdk.signalSetupAdapter).toBe("object");
+    expect(typeof signalSdk.buildBaseAccountStatusSnapshot).toBe("function");
+    expect(typeof signalSdk.SignalConfigSchema).toBe("object");
+    expect(typeof signalSdk.normalizeSignalMessagingTarget).toBe("function");
+    expect("resolveSignalAccount" in asExports(signalSdk)).toBe(false);
   });
 
   it("exports iMessage helpers", () => {
-    expect(typeof imessageSdk.resolveIMessageAccount).toBe("function");
-    expect(typeof imessageSdk.imessageSetupWizard).toBe("object");
-    expect(typeof imessageSdk.imessageSetupAdapter).toBe("object");
+    expect(typeof imessageSdk.IMessageConfigSchema).toBe("object");
+    expect(typeof imessageSdk.resolveIMessageConfigAllowFrom).toBe("function");
+    expect(typeof imessageSdk.looksLikeIMessageTargetId).toBe("function");
+    expect("resolveIMessageAccount" in asExports(imessageSdk)).toBe(false);
   });
 
   it("exports IRC helpers", async () => {
diff --git a/src/plugin-sdk/telegram.ts b/src/plugin-sdk/telegram.ts
index 52d0269f712..397a48fa019 100644
--- a/src/plugin-sdk/telegram.ts
+++ b/src/plugin-sdk/telegram.ts
@@ -8,16 +8,8 @@ export type { OpenClawConfig } from "../config/config.js";
 export type { PluginRuntime } from "../plugins/runtime/types.js";
 export type { OpenClawPluginApi } from "../plugins/types.js";
 export type { TelegramAccountConfig, TelegramActionConfig } from "../config/types.js";
-export type { InspectedTelegramAccount } from "../../extensions/telegram/src/account-inspect.js";
-export type { ResolvedTelegramAccount } from "../../extensions/telegram/src/accounts.js";
-export type { TelegramProbe } from "../../extensions/telegram/src/probe.js";
-export type {
-  TelegramButtonStyle,
-  TelegramInlineButtons,
-} from "../../extensions/telegram/src/button-types.js";
 
 export { emptyPluginConfigSchema } from "../plugins/config-schema.js";
-
 export { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../routing/session-key.js";
 
 export {
@@ -32,17 +24,8 @@ export {
 } from "../channels/plugins/config-helpers.js";
 export { formatPairingApproveHint } from "../channels/plugins/helpers.js";
 export { PAIRING_APPROVED_MESSAGE } from "../channels/plugins/pairing-message.js";
-
 export { getChatChannelMeta } from "../channels/registry.js";
 
-export {
-  createTelegramActionGate,
-  listTelegramAccountIds,
-  resolveDefaultTelegramAccountId,
-  resolveTelegramPollActionGateState,
-  resolveTelegramAccount,
-} from "../../extensions/telegram/src/accounts.js";
-export { inspectTelegramAccount } from "../../extensions/telegram/src/account-inspect.js";
 export {
   projectCredentialSnapshotFields,
   resolveConfiguredFromCredentialStatuses,
@@ -51,52 +34,6 @@ export {
   listTelegramDirectoryGroupsFromConfig,
   listTelegramDirectoryPeersFromConfig,
 } from "../channels/plugins/directory-config.js";
-export {
-  looksLikeTelegramTargetId,
-  normalizeTelegramMessagingTarget,
-} from "../../extensions/telegram/src/normalize.js";
-export {
-  parseTelegramReplyToMessageId,
-  parseTelegramThreadId,
-} from "../../extensions/telegram/src/outbound-params.js";
-export {
-  isNumericTelegramUserId,
-  normalizeTelegramAllowFromEntry,
-} from "../../extensions/telegram/src/allow-from.js";
-export { fetchTelegramChatId } from "../../extensions/telegram/src/api-fetch.js";
-export {
-  resolveTelegramInlineButtonsScope,
-  resolveTelegramTargetChatType,
-} from "../../extensions/telegram/src/inline-buttons.js";
-export { resolveTelegramReactionLevel } from "../../extensions/telegram/src/reaction-level.js";
-export {
-  createForumTopicTelegram,
-  deleteMessageTelegram,
-  editForumTopicTelegram,
-  editMessageTelegram,
-  reactMessageTelegram,
-  sendMessageTelegram,
-  sendPollTelegram,
-  sendStickerTelegram,
-} from "../../extensions/telegram/src/send.js";
-export { getCacheStats, searchStickers } from "../../extensions/telegram/src/sticker-cache.js";
-export { resolveTelegramToken } from "../../extensions/telegram/src/token.js";
-export { telegramMessageActions } from "../../extensions/telegram/src/channel-actions.js";
-export { collectTelegramStatusIssues } from "../../extensions/telegram/src/status-issues.js";
-export { sendTelegramPayloadMessages } from "../../extensions/telegram/src/outbound-adapter.js";
-export {
-  buildBrowseProvidersButton,
-  buildModelsKeyboard,
-  buildProviderKeyboard,
-  calculateTotalPages,
-  getModelsPageSize,
-  type ProviderInfo,
-} from "../../extensions/telegram/src/model-buttons.js";
-export {
-  isTelegramExecApprovalApprover,
-  isTelegramExecApprovalClientEnabled,
-} from "../../extensions/telegram/src/exec-approvals.js";
-export type { StickerMetadata } from "../../extensions/telegram/src/bot/types.js";
 
 export {
   resolveAllowlistProviderRuntimeGroupPolicy,
@@ -106,8 +43,6 @@ export {
   resolveTelegramGroupRequireMention,
   resolveTelegramGroupToolPolicy,
 } from "../channels/plugins/group-mentions.js";
-export { telegramSetupWizard } from "../../extensions/telegram/src/setup-surface.js";
-export { telegramSetupAdapter } from "../../extensions/telegram/src/setup-core.js";
 export { TelegramConfigSchema } from "../config/zod-schema.providers-core.js";
 
 export { buildTokenChannelStatusSummary } from "./status-helpers.js";
diff --git a/src/plugin-sdk/whatsapp.ts b/src/plugin-sdk/whatsapp.ts
index 56db52bfc13..7e4debbef43 100644
--- a/src/plugin-sdk/whatsapp.ts
+++ b/src/plugin-sdk/whatsapp.ts
@@ -6,7 +6,6 @@ export type { PluginRuntime } from "../plugins/runtime/types.js";
 export type { OpenClawPluginApi } from "../plugins/types.js";
 
 export { emptyPluginConfigSchema } from "../plugins/config-schema.js";
-
 export { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../routing/session-key.js";
 
 export {
@@ -15,7 +14,6 @@ export {
 } from "../channels/plugins/setup-helpers.js";
 export { buildChannelConfigSchema } from "../channels/plugins/config-schema.js";
 export { formatPairingApproveHint } from "../channels/plugins/helpers.js";
-
 export { getChatChannelMeta } from "../channels/registry.js";
 export {
   formatWhatsAppConfigAllowFromEntries,
@@ -26,58 +24,6 @@ export {
   listWhatsAppDirectoryGroupsFromConfig,
   listWhatsAppDirectoryPeersFromConfig,
 } from "../channels/plugins/directory-config.js";
-export {
-  hasAnyWhatsAppAuth,
-  listEnabledWhatsAppAccounts,
-  resolveWhatsAppAccount,
-} from "../../extensions/whatsapp/src/accounts.js";
-export {
-  WA_WEB_AUTH_DIR,
-  logWebSelfId,
-  logoutWeb,
-  pickWebChannel,
-  webAuthExists,
-} from "../../extensions/whatsapp/src/auth-store.js";
-export {
-  DEFAULT_WEB_MEDIA_BYTES,
-  HEARTBEAT_PROMPT,
-  HEARTBEAT_TOKEN,
-  monitorWebChannel,
-  resolveHeartbeatRecipients,
-  runWebHeartbeatOnce,
-} from "../../extensions/whatsapp/src/auto-reply.js";
-export type {
-  WebChannelStatus,
-  WebMonitorTuning,
-} from "../../extensions/whatsapp/src/auto-reply.js";
-export {
-  extractMediaPlaceholder,
-  extractText,
-  monitorWebInbox,
-} from "../../extensions/whatsapp/src/inbound.js";
-export type {
-  WebInboundMessage,
-  WebListenerCloseReason,
-} from "../../extensions/whatsapp/src/inbound.js";
-export { loginWeb } from "../../extensions/whatsapp/src/login.js";
-export {
-  getDefaultLocalRoots,
-  loadWebMedia,
-  loadWebMediaRaw,
-  optimizeImageToJpeg,
-} from "../../extensions/whatsapp/src/media.js";
-export {
-  sendMessageWhatsApp,
-  sendPollWhatsApp,
-  sendReactionWhatsApp,
-} from "../../extensions/whatsapp/src/send.js";
-export {
-  createWaSocket,
-  formatError,
-  getStatusCode,
-  waitForWaConnection,
-} from "../../extensions/whatsapp/src/session.js";
-export { createWhatsAppLoginTool } from "../../extensions/whatsapp/src/agent-tools-login.js";
 export { normalizeWhatsAppAllowFromEntries } from "../channels/plugins/normalize/whatsapp.js";
 export {
   collectAllowlistProviderGroupPolicyWarnings,
@@ -104,5 +50,4 @@ export { WhatsAppConfigSchema } from "../config/zod-schema.providers-whatsapp.js
 
 export { createActionGate, readStringParam } from "../agents/tools/common.js";
 export { createPluginRuntimeStore } from "./runtime-store.js";
-
 export { normalizeE164 } from "../utils.js";
diff --git a/src/security/audit-channel.runtime.ts b/src/security/audit-channel.runtime.ts
index 867f0a91162..c3435fc2a64 100644
--- a/src/security/audit-channel.runtime.ts
+++ b/src/security/audit-channel.runtime.ts
@@ -6,4 +6,4 @@ export {
 export {
   isNumericTelegramUserId,
   normalizeTelegramAllowFromEntry,
-} from "../plugin-sdk/telegram.js";
+} from "../plugin-sdk-internal/telegram.js";

From 4c8678c0b4a0bf62a0f223b0fdd74592529edb07 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Mar 2026 01:34:35 -0700
Subject: [PATCH 121/133] refactor: add private channel sdk bridges

---
 .../slack/src/message-action-dispatch.ts      | 331 ++++++++++++++++++
 src/plugin-sdk-internal/discord.ts            | 116 ++++++
 src/plugin-sdk-internal/imessage.ts           |  46 +++
 src/plugin-sdk-internal/signal.ts             |  38 ++
 src/plugin-sdk-internal/slack.ts              |  68 ++++
 src/plugin-sdk-internal/telegram.ts           | 113 ++++++
 src/plugin-sdk-internal/whatsapp.ts           | 108 ++++++
 7 files changed, 820 insertions(+)
 create mode 100644 extensions/slack/src/message-action-dispatch.ts
 create mode 100644 src/plugin-sdk-internal/discord.ts
 create mode 100644 src/plugin-sdk-internal/imessage.ts
 create mode 100644 src/plugin-sdk-internal/signal.ts
 create mode 100644 src/plugin-sdk-internal/slack.ts
 create mode 100644 src/plugin-sdk-internal/telegram.ts
 create mode 100644 src/plugin-sdk-internal/whatsapp.ts

diff --git a/extensions/slack/src/message-action-dispatch.ts b/extensions/slack/src/message-action-dispatch.ts
new file mode 100644
index 00000000000..b251d0b80eb
--- /dev/null
+++ b/extensions/slack/src/message-action-dispatch.ts
@@ -0,0 +1,331 @@
+import type { AgentToolResult } from "@mariozechner/pi-agent-core";
+import type { ChannelMessageActionContext } from "openclaw/plugin-sdk";
+import { parseSlackBlocksInput } from "./blocks-input.js";
+import { buildSlackInteractiveBlocks } from "./blocks-render.js";
+
+type SlackActionInvoke = (
+  action: Record<string, unknown>,
+  cfg: ChannelMessageActionContext["cfg"],
+  toolContext?: ChannelMessageActionContext["toolContext"],
+) => Promise<AgentToolResult<unknown>>;
+
+type InteractiveButtonStyle = "primary" | "secondary" | "success" | "danger";
+
+type InteractiveReplyButton = {
+  label: string;
+  value: string;
+  style?: InteractiveButtonStyle;
+};
+
+type InteractiveReplyOption = {
+  label: string;
+  value: string;
+};
+
+type InteractiveReplyBlock =
+  | { type: "text"; text: string }
+  | { type: "buttons"; buttons: InteractiveReplyButton[] }
+  | { type: "select"; placeholder?: string; options: InteractiveReplyOption[] };
+
+type InteractiveReply = {
+  blocks: InteractiveReplyBlock[];
+};
+
+function readTrimmedString(value: unknown): string | undefined {
+  if (typeof value !== "string") {
+    return undefined;
+  }
+  const trimmed = value.trim();
+  return trimmed || undefined;
+}
+
+function normalizeButtonStyle(value: unknown): InteractiveButtonStyle | undefined {
+  const style = readTrimmedString(value)?.toLowerCase();
+  return style === "primary" || style === "secondary" || style === "success" || style === "danger"
+    ? style
+    : undefined;
+}
+
+function normalizeInteractiveButton(raw: unknown): InteractiveReplyButton | undefined {
+  if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
+    return undefined;
+  }
+  const record = raw as Record<string, unknown>;
+  const label = readTrimmedString(record.label) ?? readTrimmedString(record.text);
+  const value =
+    readTrimmedString(record.value) ??
+    readTrimmedString(record.callbackData) ??
+    readTrimmedString(record.callback_data);
+  if (!label || !value) {
+    return undefined;
+  }
+  return { label, value, style: normalizeButtonStyle(record.style) };
+}
+
+function normalizeInteractiveOption(raw: unknown): InteractiveReplyOption | undefined {
+  if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
+    return undefined;
+  }
+  const record = raw as Record<string, unknown>;
+  const label = readTrimmedString(record.label) ?? readTrimmedString(record.text);
+  const value = readTrimmedString(record.value);
+  return label && value ? { label, value } : undefined;
+}
+
+function normalizeInteractiveReply(raw: unknown): InteractiveReply | undefined {
+  if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
+    return undefined;
+  }
+  const record = raw as Record<string, unknown>;
+  const blocks = Array.isArray(record.blocks)
+    ? record.blocks
+        .map((entry) => {
+          if (!entry || typeof entry !== "object" || Array.isArray(entry)) {
+            return undefined;
+          }
+          const block = entry as Record<string, unknown>;
+          const type = readTrimmedString(block.type)?.toLowerCase();
+          if (type === "text") {
+            const text = readTrimmedString(block.text);
+            return text ? ({ type: "text", text } as const) : undefined;
+          }
+          if (type === "buttons") {
+            const buttons = Array.isArray(block.buttons)
+              ? block.buttons
+                  .map((button) => normalizeInteractiveButton(button))
+                  .filter((button): button is InteractiveReplyButton => Boolean(button))
+              : [];
+            return buttons.length > 0 ? ({ type: "buttons", buttons } as const) : undefined;
+          }
+          if (type === "select") {
+            const options = Array.isArray(block.options)
+              ? block.options
+                  .map((option) => normalizeInteractiveOption(option))
+                  .filter((option): option is InteractiveReplyOption => Boolean(option))
+              : [];
+            return options.length > 0
+              ? ({
+                  type: "select",
+                  placeholder: readTrimmedString(block.placeholder),
+                  options,
+                } as const)
+              : undefined;
+          }
+          return undefined;
+        })
+        .filter((entry): entry is InteractiveReplyBlock => Boolean(entry))
+    : [];
+  return blocks.length > 0 ? { blocks } : undefined;
+}
+
+function readStringParam(
+  params: Record<string, unknown>,
+  key: string,
+  options: { required?: boolean; trim?: boolean; label?: string; allowEmpty?: boolean } = {},
+): string | undefined {
+  const { required = false, trim = true, label = key, allowEmpty = false } = options;
+  const raw = params[key];
+  if (typeof raw !== "string") {
+    if (required) {
+      throw new Error(`${label} required`);
+    }
+    return undefined;
+  }
+  const value = trim ? raw.trim() : raw;
+  if (!value && !allowEmpty) {
+    if (required) {
+      throw new Error(`${label} required`);
+    }
+    return undefined;
+  }
+  return value;
+}
+
+function readNumberParam(
+  params: Record<string, unknown>,
+  key: string,
+  options: { required?: boolean; label?: string; integer?: boolean; strict?: boolean } = {},
+): number | undefined {
+  const { required = false, label = key, integer = false, strict = false } = options;
+  const raw = params[key];
+  let value: number | undefined;
+  if (typeof raw === "number" && Number.isFinite(raw)) {
+    value = raw;
+  } else if (typeof raw === "string") {
+    const trimmed = raw.trim();
+    if (trimmed) {
+      const parsed = strict ? Number(trimmed) : Number.parseFloat(trimmed);
+      if (Number.isFinite(parsed)) {
+        value = parsed;
+      }
+    }
+  }
+  if (value === undefined) {
+    if (required) {
+      throw new Error(`${label} required`);
+    }
+    return undefined;
+  }
+  return integer ? Math.trunc(value) : value;
+}
+
+function readSlackBlocksParam(actionParams: Record<string, unknown>) {
+  return parseSlackBlocksInput(actionParams.blocks) as Record<string, unknown>[] | undefined;
+}
+
+export async function handleSlackMessageAction(params: {
+  providerId: string;
+  ctx: ChannelMessageActionContext;
+  invoke: SlackActionInvoke;
+  normalizeChannelId?: (channelId: string) => string;
+  includeReadThreadId?: boolean;
+}): Promise<AgentToolResult<unknown>> {
+  const { providerId, ctx, invoke, normalizeChannelId, includeReadThreadId = false } = params;
+  const { action, cfg, params: actionParams } = ctx;
+  const accountId = ctx.accountId ?? undefined;
+  const resolveChannelId = () => {
+    const channelId =
+      readStringParam(actionParams, "channelId") ??
+      readStringParam(actionParams, "to", { required: true });
+    return normalizeChannelId ? normalizeChannelId(channelId) : channelId;
+  };
+
+  if (action === "send") {
+    const to = readStringParam(actionParams, "to", { required: true });
+    const content = readStringParam(actionParams, "message", { allowEmpty: true });
+    const mediaUrl = readStringParam(actionParams, "media", { trim: false });
+    const interactive = normalizeInteractiveReply(actionParams.interactive);
+    const interactiveBlocks = interactive ? buildSlackInteractiveBlocks(interactive) : undefined;
+    const blocks = readSlackBlocksParam(actionParams) ?? interactiveBlocks;
+    if (!content && !mediaUrl && !blocks) {
+      throw new Error("Slack send requires message, blocks, or media.");
+    }
+    if (mediaUrl && blocks) {
+      throw new Error("Slack send does not support blocks with media.");
+    }
+    const threadId = readStringParam(actionParams, "threadId");
+    const replyTo = readStringParam(actionParams, "replyTo");
+    return await invoke(
+      {
+        action: "sendMessage",
+        to,
+        content: content ?? "",
+        mediaUrl: mediaUrl ?? undefined,
+        accountId,
+        threadTs: threadId ?? replyTo ?? undefined,
+        ...(blocks ? { blocks } : {}),
+      },
+      cfg,
+      ctx.toolContext,
+    );
+  }
+
+  if (action === "react") {
+    const messageId = readStringParam(actionParams, "messageId", { required: true });
+    const emoji = readStringParam(actionParams, "emoji", { allowEmpty: true });
+    const remove = typeof actionParams.remove === "boolean" ? actionParams.remove : undefined;
+    return await invoke(
+      { action: "react", channelId: resolveChannelId(), messageId, emoji, remove, accountId },
+      cfg,
+    );
+  }
+
+  if (action === "reactions") {
+    const messageId = readStringParam(actionParams, "messageId", { required: true });
+    const limit = readNumberParam(actionParams, "limit", { integer: true });
+    return await invoke(
+      { action: "reactions", channelId: resolveChannelId(), messageId, limit, accountId },
+      cfg,
+    );
+  }
+
+  if (action === "read") {
+    const limit = readNumberParam(actionParams, "limit", { integer: true });
+    const readAction: Record<string, unknown> = {
+      action: "readMessages",
+      channelId: resolveChannelId(),
+      limit,
+      before: readStringParam(actionParams, "before"),
+      after: readStringParam(actionParams, "after"),
+      accountId,
+    };
+    if (includeReadThreadId) {
+      readAction.threadId = readStringParam(actionParams, "threadId");
+    }
+    return await invoke(readAction, cfg);
+  }
+
+  if (action === "edit") {
+    const messageId = readStringParam(actionParams, "messageId", { required: true });
+    const content = readStringParam(actionParams, "message", { allowEmpty: true });
+    const blocks = readSlackBlocksParam(actionParams);
+    if (!content && !blocks) {
+      throw new Error("Slack edit requires message or blocks.");
+    }
+    return await invoke(
+      {
+        action: "editMessage",
+        channelId: resolveChannelId(),
+        messageId,
+        content: content ?? "",
+        blocks,
+        accountId,
+      },
+      cfg,
+    );
+  }
+
+  if (action === "delete") {
+    const messageId = readStringParam(actionParams, "messageId", { required: true });
+    return await invoke(
+      { action: "deleteMessage", channelId: resolveChannelId(), messageId, accountId },
+      cfg,
+    );
+  }
+
+  if (action === "pin" || action === "unpin" || action === "list-pins") {
+    const messageId =
+      action === "list-pins"
+        ? undefined
+        : readStringParam(actionParams, "messageId", { required: true });
+    return await invoke(
+      {
+        action: action === "pin" ? "pinMessage" : action === "unpin" ? "unpinMessage" : "listPins",
+        channelId: resolveChannelId(),
+        messageId,
+        accountId,
+      },
+      cfg,
+    );
+  }
+
+  if (action === "member-info") {
+    const userId = readStringParam(actionParams, "userId", { required: true });
+    return await invoke({ action: "memberInfo", userId, accountId }, cfg);
+  }
+
+  if (action === "emoji-list") {
+    const limit = readNumberParam(actionParams, "limit", { integer: true });
+    return await invoke({ action: "emojiList", limit, accountId }, cfg);
+  }
+
+  if (action === "download-file") {
+    const fileId = readStringParam(actionParams, "fileId", { required: true });
+    const channelId =
+      readStringParam(actionParams, "channelId") ?? readStringParam(actionParams, "to");
+    const threadId =
+      readStringParam(actionParams, "threadId") ?? readStringParam(actionParams, "replyTo");
+    return await invoke(
+      {
+        action: "downloadFile",
+        fileId,
+        channelId: channelId ?? undefined,
+        threadId: threadId ?? undefined,
+        accountId,
+      },
+      cfg,
+    );
+  }
+
+  throw new Error(`Action ${action} is not supported for provider ${providerId}.`);
+}
diff --git a/src/plugin-sdk-internal/discord.ts b/src/plugin-sdk-internal/discord.ts
new file mode 100644
index 00000000000..9a29900c717
--- /dev/null
+++ b/src/plugin-sdk-internal/discord.ts
@@ -0,0 +1,116 @@
+export type { ChannelMessageActionAdapter } from "../channels/plugins/types.js";
+export type { OpenClawConfig } from "../config/config.js";
+export type { DiscordAccountConfig, DiscordActionConfig } from "../config/types.js";
+export type { InspectedDiscordAccount } from "../../extensions/discord/src/account-inspect.js";
+export type { ResolvedDiscordAccount } from "../../extensions/discord/src/accounts.js";
+export type {
+  DiscordSendComponents,
+  DiscordSendEmbeds,
+} from "../../extensions/discord/src/send.shared.js";
+export * from "../plugin-sdk/channel-plugin-common.js";
+
+export {
+  createDiscordActionGate,
+  listDiscordAccountIds,
+  resolveDefaultDiscordAccountId,
+  resolveDiscordAccount,
+} from "../../extensions/discord/src/accounts.js";
+export { inspectDiscordAccount } from "../../extensions/discord/src/account-inspect.js";
+export {
+  projectCredentialSnapshotFields,
+  resolveConfiguredFromCredentialStatuses,
+} from "../channels/account-snapshot-fields.js";
+export {
+  listDiscordDirectoryGroupsFromConfig,
+  listDiscordDirectoryPeersFromConfig,
+} from "../channels/plugins/directory-config.js";
+export {
+  looksLikeDiscordTargetId,
+  normalizeDiscordMessagingTarget,
+  normalizeDiscordOutboundTarget,
+} from "../../extensions/discord/src/normalize.js";
+export { collectDiscordAuditChannelIds } from "../../extensions/discord/src/audit.js";
+export { collectDiscordStatusIssues } from "../../extensions/discord/src/status-issues.js";
+export {
+  DISCORD_DEFAULT_INBOUND_WORKER_TIMEOUT_MS,
+  DISCORD_DEFAULT_LISTENER_TIMEOUT_MS,
+} from "../../extensions/discord/src/monitor/timeouts.js";
+export { normalizeExplicitDiscordSessionKey } from "../../extensions/discord/src/session-key-normalization.js";
+export type { DiscordPluralKitConfig } from "../../extensions/discord/src/pluralkit.js";
+
+export {
+  resolveDefaultGroupPolicy,
+  resolveOpenProviderRuntimeGroupPolicy,
+} from "../config/runtime-group-policy.js";
+export {
+  resolveDiscordGroupRequireMention,
+  resolveDiscordGroupToolPolicy,
+} from "../channels/plugins/group-mentions.js";
+export { discordSetupWizard } from "../../extensions/discord/src/setup-surface.js";
+export { discordSetupAdapter } from "../../extensions/discord/src/setup-core.js";
+export { DiscordConfigSchema } from "../config/zod-schema.providers-core.js";
+
+export {
+  autoBindSpawnedDiscordSubagent,
+  listThreadBindingsBySessionKey,
+  unbindThreadBindingsBySessionKey,
+} from "../../extensions/discord/src/monitor/thread-bindings.js";
+export { getGateway } from "../../extensions/discord/src/monitor/gateway-registry.js";
+export { getPresence } from "../../extensions/discord/src/monitor/presence-cache.js";
+export { readDiscordComponentSpec } from "../../extensions/discord/src/components.js";
+export { resolveDiscordChannelId } from "../../extensions/discord/src/targets.js";
+export {
+  addRoleDiscord,
+  banMemberDiscord,
+  createChannelDiscord,
+  createScheduledEventDiscord,
+  createThreadDiscord,
+  deleteChannelDiscord,
+  deleteMessageDiscord,
+  editChannelDiscord,
+  editMessageDiscord,
+  fetchChannelInfoDiscord,
+  fetchChannelPermissionsDiscord,
+  fetchMemberInfoDiscord,
+  fetchMessageDiscord,
+  fetchReactionsDiscord,
+  fetchRoleInfoDiscord,
+  fetchVoiceStatusDiscord,
+  hasAnyGuildPermissionDiscord,
+  kickMemberDiscord,
+  listGuildChannelsDiscord,
+  listGuildEmojisDiscord,
+  listPinsDiscord,
+  listScheduledEventsDiscord,
+  listThreadsDiscord,
+  moveChannelDiscord,
+  pinMessageDiscord,
+  reactMessageDiscord,
+  readMessagesDiscord,
+  removeChannelPermissionDiscord,
+  removeOwnReactionsDiscord,
+  removeReactionDiscord,
+  removeRoleDiscord,
+  searchMessagesDiscord,
+  sendDiscordComponentMessage,
+  sendMessageDiscord,
+  sendPollDiscord,
+  sendStickerDiscord,
+  sendVoiceMessageDiscord,
+  setChannelPermissionDiscord,
+  timeoutMemberDiscord,
+  unpinMessageDiscord,
+  uploadEmojiDiscord,
+  uploadStickerDiscord,
+} from "../../extensions/discord/src/send.js";
+export { discordMessageActions } from "../../extensions/discord/src/channel-actions.js";
+export type {
+  ThreadBindingManager,
+  ThreadBindingRecord,
+  ThreadBindingTargetKind,
+} from "../../extensions/discord/src/monitor/thread-bindings.js";
+
+export {
+  buildComputedAccountStatusSnapshot,
+  buildTokenChannelStatusSummary,
+} from "../plugin-sdk/status-helpers.js";
diff --git a/src/plugin-sdk-internal/imessage.ts b/src/plugin-sdk-internal/imessage.ts
new file mode 100644
index 00000000000..170dd7ff188
--- /dev/null
+++ b/src/plugin-sdk-internal/imessage.ts
@@ -0,0 +1,46 @@
+export type { ResolvedIMessageAccount } from "../../extensions/imessage/src/accounts.js";
+export type { IMessageAccountConfig } from "../config/types.js";
+export * from "../plugin-sdk/channel-plugin-common.js";
+export {
+  listIMessageAccountIds,
+  resolveDefaultIMessageAccountId,
+  resolveIMessageAccount,
+} from "../../extensions/imessage/src/accounts.js";
+export {
+  formatTrimmedAllowFromEntries,
+  resolveIMessageConfigAllowFrom,
+  resolveIMessageConfigDefaultTo,
+} from "../plugin-sdk/channel-config-helpers.js";
+export {
+  looksLikeIMessageTargetId,
+  normalizeIMessageMessagingTarget,
+} from "../channels/plugins/normalize/imessage.js";
+export {
+  createAllowedChatSenderMatcher,
+  parseChatAllowTargetPrefixes,
+  parseChatTargetPrefixesOrThrow,
+  resolveServicePrefixedChatTarget,
+  resolveServicePrefixedAllowTarget,
+  resolveServicePrefixedOrChatAllowTarget,
+  resolveServicePrefixedTarget,
+} from "../../extensions/imessage/src/target-parsing-helpers.js";
+export type {
+  ChatSenderAllowParams,
+  ParsedChatTarget,
+} from "../../extensions/imessage/src/target-parsing-helpers.js";
+export { sendMessageIMessage } from "../../extensions/imessage/src/send.js";
+
+export {
+  resolveAllowlistProviderRuntimeGroupPolicy,
+  resolveDefaultGroupPolicy,
+} from "../config/runtime-group-policy.js";
+export {
+  resolveIMessageGroupRequireMention,
+  resolveIMessageGroupToolPolicy,
+} from "../channels/plugins/group-mentions.js";
+export { imessageSetupWizard } from "../../extensions/imessage/src/setup-surface.js";
+export { imessageSetupAdapter } from "../../extensions/imessage/src/setup-core.js";
+export { IMessageConfigSchema } from "../config/zod-schema.providers-core.js";
+
+export { resolveChannelMediaMaxBytes } from "../channels/plugins/media-limits.js";
+export { collectStatusIssuesFromLastError } from "../plugin-sdk/status-helpers.js";
diff --git a/src/plugin-sdk-internal/signal.ts b/src/plugin-sdk-internal/signal.ts
new file mode 100644
index 00000000000..4594420af8d
--- /dev/null
+++ b/src/plugin-sdk-internal/signal.ts
@@ -0,0 +1,38 @@
+export type { ChannelMessageActionAdapter } from "../channels/plugins/types.js";
+export type { ResolvedSignalAccount } from "../../extensions/signal/src/accounts.js";
+export type { SignalAccountConfig } from "../config/types.js";
+export * from "../plugin-sdk/channel-plugin-common.js";
+export {
+  listEnabledSignalAccounts,
+  listSignalAccountIds,
+  resolveDefaultSignalAccountId,
+  resolveSignalAccount,
+} from "../../extensions/signal/src/accounts.js";
+export { resolveSignalReactionLevel } from "../../extensions/signal/src/reaction-level.js";
+export {
+  removeReactionSignal,
+  sendReactionSignal,
+} from "../../extensions/signal/src/send-reactions.js";
+export { sendMessageSignal } from "../../extensions/signal/src/send.js";
+export {
+  looksLikeSignalTargetId,
+  normalizeSignalMessagingTarget,
+} from "../channels/plugins/normalize/signal.js";
+
+export {
+  resolveAllowlistProviderRuntimeGroupPolicy,
+  resolveDefaultGroupPolicy,
+} from "../config/runtime-group-policy.js";
+export { signalSetupWizard } from "../../extensions/signal/src/setup-surface.js";
+export { signalSetupAdapter } from "../../extensions/signal/src/setup-core.js";
+export { SignalConfigSchema } from "../config/zod-schema.providers-core.js";
+
+export { normalizeE164 } from "../utils.js";
+export { resolveChannelMediaMaxBytes } from "../channels/plugins/media-limits.js";
+
+export {
+  buildBaseAccountStatusSnapshot,
+  buildBaseChannelStatusSummary,
+  collectStatusIssuesFromLastError,
+  createDefaultChannelRuntimeState,
+} from "../plugin-sdk/status-helpers.js";
diff --git a/src/plugin-sdk-internal/slack.ts b/src/plugin-sdk-internal/slack.ts
new file mode 100644
index 00000000000..abde5688cdb
--- /dev/null
+++ b/src/plugin-sdk-internal/slack.ts
@@ -0,0 +1,68 @@
+export type { OpenClawConfig } from "../config/config.js";
+export type { SlackAccountConfig } from "../config/types.slack.js";
+export type { InspectedSlackAccount } from "../../extensions/slack/src/account-inspect.js";
+export type { ResolvedSlackAccount } from "../../extensions/slack/src/accounts.js";
+export * from "../plugin-sdk/channel-plugin-common.js";
+export {
+  listEnabledSlackAccounts,
+  listSlackAccountIds,
+  resolveDefaultSlackAccountId,
+  resolveSlackAccount,
+  resolveSlackReplyToMode,
+} from "../../extensions/slack/src/accounts.js";
+export { isSlackInteractiveRepliesEnabled } from "../../extensions/slack/src/interactive-replies.js";
+export { inspectSlackAccount } from "../../extensions/slack/src/account-inspect.js";
+export {
+  projectCredentialSnapshotFields,
+  resolveConfiguredFromCredentialStatuses,
+  resolveConfiguredFromRequiredCredentialStatuses,
+} from "../channels/account-snapshot-fields.js";
+export {
+  listSlackDirectoryGroupsFromConfig,
+  listSlackDirectoryPeersFromConfig,
+} from "../channels/plugins/directory-config.js";
+export {
+  looksLikeSlackTargetId,
+  normalizeSlackMessagingTarget,
+} from "../channels/plugins/normalize/slack.js";
+export { parseSlackTarget, resolveSlackChannelId } from "../plugin-sdk/slack-targets.js";
+export {
+  extractSlackToolSend,
+  listSlackMessageActions,
+} from "../../extensions/slack/src/message-actions.js";
+export { buildSlackThreadingToolContext } from "../../extensions/slack/src/threading-tool-context.js";
+export { parseSlackBlocksInput } from "../../extensions/slack/src/blocks-input.js";
+export { handleSlackHttpRequest } from "../../extensions/slack/src/http/index.js";
+export { sendMessageSlack } from "../../extensions/slack/src/send.js";
+export {
+  deleteSlackMessage,
+  downloadSlackFile,
+  editSlackMessage,
+  getSlackMemberInfo,
+  listSlackEmojis,
+  listSlackPins,
+  listSlackReactions,
+  pinSlackMessage,
+  reactSlackMessage,
+  readSlackMessages,
+  removeOwnSlackReactions,
+  removeSlackReaction,
+  sendSlackMessage,
+  unpinSlackMessage,
+} from "../../extensions/slack/src/actions.js";
+export { recordSlackThreadParticipation } from "../../extensions/slack/src/sent-thread-cache.js";
+export { buildComputedAccountStatusSnapshot } from "../plugin-sdk/status-helpers.js";
+
+export {
+  resolveDefaultGroupPolicy,
+  resolveOpenProviderRuntimeGroupPolicy,
+} from "../config/runtime-group-policy.js";
+export {
+  resolveSlackGroupRequireMention,
+  resolveSlackGroupToolPolicy,
+} from "../channels/plugins/group-mentions.js";
+export { slackSetupAdapter } from "../../extensions/slack/src/setup-core.js";
+export { slackSetupWizard } from "../../extensions/slack/src/setup-surface.js";
+export { SlackConfigSchema } from "../config/zod-schema.providers-core.js";
+
+export { handleSlackMessageAction } from "../plugin-sdk/slack-message-actions.js";
diff --git a/src/plugin-sdk-internal/telegram.ts b/src/plugin-sdk-internal/telegram.ts
new file mode 100644
index 00000000000..bb983d690d1
--- /dev/null
+++ b/src/plugin-sdk-internal/telegram.ts
@@ -0,0 +1,113 @@
+export type {
+  ChannelAccountSnapshot,
+  ChannelGatewayContext,
+  ChannelMessageActionAdapter,
+} from "../channels/plugins/types.js";
+export type { ChannelPlugin } from "../channels/plugins/types.plugin.js";
+export type { OpenClawConfig } from "../config/config.js";
+export type { PluginRuntime } from "../plugins/runtime/types.js";
+export type { OpenClawPluginApi } from "../plugins/types.js";
+export type { TelegramAccountConfig, TelegramActionConfig } from "../config/types.js";
+export type { InspectedTelegramAccount } from "../../extensions/telegram/src/account-inspect.js";
+export type { ResolvedTelegramAccount } from "../../extensions/telegram/src/accounts.js";
+export type { TelegramProbe } from "../../extensions/telegram/src/probe.js";
+export type {
+  TelegramButtonStyle,
+  TelegramInlineButtons,
+} from "../../extensions/telegram/src/button-types.js";
+
+export { emptyPluginConfigSchema } from "../plugins/config-schema.js";
+
+export { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../routing/session-key.js";
+
+export {
+  applyAccountNameToChannelSection,
+  migrateBaseNameToDefaultAccount,
+} from "../channels/plugins/setup-helpers.js";
+export { buildChannelConfigSchema } from "../channels/plugins/config-schema.js";
+export {
+  deleteAccountFromConfigSection,
+  clearAccountEntryFields,
+  setAccountEnabledInConfigSection,
+} from "../channels/plugins/config-helpers.js";
+export { formatPairingApproveHint } from "../channels/plugins/helpers.js";
+export { PAIRING_APPROVED_MESSAGE } from "../channels/plugins/pairing-message.js";
+
+export { getChatChannelMeta } from "../channels/registry.js";
+
+export {
+  createTelegramActionGate,
+  listTelegramAccountIds,
+  resolveDefaultTelegramAccountId,
+  resolveTelegramPollActionGateState,
+  resolveTelegramAccount,
+} from "../../extensions/telegram/src/accounts.js";
+export { inspectTelegramAccount } from "../../extensions/telegram/src/account-inspect.js";
+export {
+  projectCredentialSnapshotFields,
+  resolveConfiguredFromCredentialStatuses,
+} from "../channels/account-snapshot-fields.js";
+export {
+  listTelegramDirectoryGroupsFromConfig,
+  listTelegramDirectoryPeersFromConfig,
+} from "../channels/plugins/directory-config.js";
+export {
+  looksLikeTelegramTargetId,
+  normalizeTelegramMessagingTarget,
+} from "../../extensions/telegram/src/normalize.js";
+export {
+  parseTelegramReplyToMessageId,
+  parseTelegramThreadId,
+} from "../../extensions/telegram/src/outbound-params.js";
+export {
+  isNumericTelegramUserId,
+  normalizeTelegramAllowFromEntry,
+} from "../../extensions/telegram/src/allow-from.js";
+export { fetchTelegramChatId } from "../../extensions/telegram/src/api-fetch.js";
+export {
+  resolveTelegramInlineButtonsScope,
+  resolveTelegramTargetChatType,
+} from "../../extensions/telegram/src/inline-buttons.js";
+export { resolveTelegramReactionLevel } from "../../extensions/telegram/src/reaction-level.js";
+export {
+  createForumTopicTelegram,
+  deleteMessageTelegram,
+  editForumTopicTelegram,
+  editMessageTelegram,
+  reactMessageTelegram,
+  sendMessageTelegram,
+  sendPollTelegram,
+  sendStickerTelegram,
+} from "../../extensions/telegram/src/send.js";
+export { getCacheStats, searchStickers } from "../../extensions/telegram/src/sticker-cache.js";
+export { resolveTelegramToken } from "../../extensions/telegram/src/token.js";
+export { telegramMessageActions } from "../../extensions/telegram/src/channel-actions.js";
+export { collectTelegramStatusIssues } from "../../extensions/telegram/src/status-issues.js";
+export { sendTelegramPayloadMessages } from "../../extensions/telegram/src/outbound-adapter.js";
+export {
+  buildBrowseProvidersButton,
+  buildModelsKeyboard,
+  buildProviderKeyboard,
+  calculateTotalPages,
+  getModelsPageSize,
+  type ProviderInfo,
+} from "../../extensions/telegram/src/model-buttons.js";
+export {
+  isTelegramExecApprovalApprover,
+  isTelegramExecApprovalClientEnabled,
+} from "../../extensions/telegram/src/exec-approvals.js";
+export type { StickerMetadata } from "../../extensions/telegram/src/bot/types.js";
+
+export {
+  resolveAllowlistProviderRuntimeGroupPolicy,
+  resolveDefaultGroupPolicy,
+} from "../config/runtime-group-policy.js";
+export {
+  resolveTelegramGroupRequireMention,
+  resolveTelegramGroupToolPolicy,
+} from "../channels/plugins/group-mentions.js";
+export { telegramSetupWizard } from "../../extensions/telegram/src/setup-surface.js";
+export { telegramSetupAdapter } from "../../extensions/telegram/src/setup-core.js";
+export { TelegramConfigSchema } from "../config/zod-schema.providers-core.js";
+
+export { buildTokenChannelStatusSummary } from "../plugin-sdk/status-helpers.js";
diff --git a/src/plugin-sdk-internal/whatsapp.ts b/src/plugin-sdk-internal/whatsapp.ts
new file mode 100644
index 00000000000..a1871198c70
--- /dev/null
+++ b/src/plugin-sdk-internal/whatsapp.ts
@@ -0,0 +1,108 @@
+export type { ChannelMessageActionName } from "../channels/plugins/types.js";
+export type { ChannelPlugin } from "../channels/plugins/types.plugin.js";
+export type { OpenClawConfig } from "../config/config.js";
+export type { DmPolicy, GroupPolicy, WhatsAppAccountConfig } from "../config/types.js";
+export type { PluginRuntime } from "../plugins/runtime/types.js";
+export type { OpenClawPluginApi } from "../plugins/types.js";
+
+export { emptyPluginConfigSchema } from "../plugins/config-schema.js";
+
+export { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../routing/session-key.js";
+
+export {
+  applyAccountNameToChannelSection,
+  migrateBaseNameToDefaultAccount,
+} from "../channels/plugins/setup-helpers.js";
+export { buildChannelConfigSchema } from "../channels/plugins/config-schema.js";
+export { formatPairingApproveHint } from "../channels/plugins/helpers.js";
+
+export { getChatChannelMeta } from "../channels/registry.js";
+export {
+  formatWhatsAppConfigAllowFromEntries,
+  resolveWhatsAppConfigAllowFrom,
+  resolveWhatsAppConfigDefaultTo,
+} from "../plugin-sdk/channel-config-helpers.js";
+export {
+  listWhatsAppDirectoryGroupsFromConfig,
+  listWhatsAppDirectoryPeersFromConfig,
+} from "../channels/plugins/directory-config.js";
+export {
+  hasAnyWhatsAppAuth,
+  listEnabledWhatsAppAccounts,
+  resolveWhatsAppAccount,
+} from "../../extensions/whatsapp/src/accounts.js";
+export {
+  WA_WEB_AUTH_DIR,
+  logWebSelfId,
+  logoutWeb,
+  pickWebChannel,
+  webAuthExists,
+} from "../../extensions/whatsapp/src/auth-store.js";
+export {
+  DEFAULT_WEB_MEDIA_BYTES,
+  HEARTBEAT_PROMPT,
+  HEARTBEAT_TOKEN,
+  monitorWebChannel,
+  resolveHeartbeatRecipients,
+  runWebHeartbeatOnce,
+} from "../../extensions/whatsapp/src/auto-reply.js";
+export type {
+  WebChannelStatus,
+  WebMonitorTuning,
+} from "../../extensions/whatsapp/src/auto-reply.js";
+export {
+  extractMediaPlaceholder,
+  extractText,
+  monitorWebInbox,
+} from "../../extensions/whatsapp/src/inbound.js";
+export type {
+  WebInboundMessage,
+  WebListenerCloseReason,
+} from "../../extensions/whatsapp/src/inbound.js";
+export { loginWeb } from "../../extensions/whatsapp/src/login.js";
+export {
+  getDefaultLocalRoots,
+  loadWebMedia,
+  loadWebMediaRaw,
+  optimizeImageToJpeg,
+} from "../../extensions/whatsapp/src/media.js";
+export {
+  sendMessageWhatsApp,
+  sendPollWhatsApp,
+  sendReactionWhatsApp,
+} from "../../extensions/whatsapp/src/send.js";
+export {
+  createWaSocket,
+  formatError,
+  getStatusCode,
+  waitForWaConnection,
+} from "../../extensions/whatsapp/src/session.js";
+export { createWhatsAppLoginTool } from "../../extensions/whatsapp/src/agent-tools-login.js";
+export { normalizeWhatsAppAllowFromEntries } from "../channels/plugins/normalize/whatsapp.js";
+export {
+  collectAllowlistProviderGroupPolicyWarnings,
+  collectOpenGroupPolicyRouteAllowlistWarnings,
+} from "../channels/plugins/group-policy-warnings.js";
+export { buildAccountScopedDmSecurityPolicy } from "../channels/plugins/helpers.js";
+export { resolveWhatsAppOutboundTarget } from "../whatsapp/resolve-outbound-target.js";
+
+export {
+  resolveAllowlistProviderRuntimeGroupPolicy,
+  resolveDefaultGroupPolicy,
+} from "../config/runtime-group-policy.js";
+export {
+  resolveWhatsAppGroupRequireMention,
+  resolveWhatsAppGroupToolPolicy,
+} from "../channels/plugins/group-mentions.js";
+export {
+  createWhatsAppOutboundBase,
+  resolveWhatsAppGroupIntroHint,
+  resolveWhatsAppMentionStripRegexes,
+} from "../channels/plugins/whatsapp-shared.js";
+export { resolveWhatsAppHeartbeatRecipients } from "../channels/plugins/whatsapp-heartbeat.js";
+export { WhatsAppConfigSchema } from "../config/zod-schema.providers-whatsapp.js";
+
+export { createActionGate, readStringParam } from "../agents/tools/common.js";
+export { createPluginRuntimeStore } from "../plugin-sdk/runtime-store.js";
+
+export { normalizeE164 } from "../utils.js";

From f49fc633aca36ba6d0c0b219fa3c02ec9a635d8b Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Mar 2026 08:36:33 +0000
Subject: [PATCH 122/133] fix: restore effective setup wizard lazy import

---
 extensions/telegram/src/setup-core.ts                | 2 +-
 src/channels/plugins/setup-wizard-helpers.runtime.ts | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
 create mode 100644 src/channels/plugins/setup-wizard-helpers.runtime.ts

diff --git a/extensions/telegram/src/setup-core.ts b/extensions/telegram/src/setup-core.ts
index cb688b67012..dedf2ca8527 100644
--- a/extensions/telegram/src/setup-core.ts
+++ b/extensions/telegram/src/setup-core.ts
@@ -88,7 +88,7 @@ export async function promptTelegramAllowFromForAccount(params: {
     );
   }
   const { promptResolvedAllowFrom } =
-    await import("../../../src/channels/plugins/setup-wizard-helpers.js");
+    await import("../../../src/channels/plugins/setup-wizard-helpers.runtime.js");
   const unique = await promptResolvedAllowFrom({
     prompter: params.prompter,
     existing: resolved.config.allowFrom ?? [],
diff --git a/src/channels/plugins/setup-wizard-helpers.runtime.ts b/src/channels/plugins/setup-wizard-helpers.runtime.ts
new file mode 100644
index 00000000000..8c1808f5d40
--- /dev/null
+++ b/src/channels/plugins/setup-wizard-helpers.runtime.ts
@@ -0,0 +1 @@
+export { promptResolvedAllowFrom } from "./setup-wizard-helpers.js";

From 09e8d1e96ffa8e6ff0a7a0d172ce36fed92df39d Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Mar 2026 08:42:35 +0000
Subject: [PATCH 123/133] docs: add frontmatter to parallels discord skill

---
 .agents/skills/parallels-discord-roundtrip/SKILL.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.agents/skills/parallels-discord-roundtrip/SKILL.md b/.agents/skills/parallels-discord-roundtrip/SKILL.md
index 1986bc67187..8fda0da1a23 100644
--- a/.agents/skills/parallels-discord-roundtrip/SKILL.md
+++ b/.agents/skills/parallels-discord-roundtrip/SKILL.md
@@ -1,3 +1,8 @@
+---
+name: parallels-discord-roundtrip
+description: Run the macOS Parallels smoke harness with Discord end-to-end roundtrip verification, including guest send, host verification, host reply, and guest readback.
+---
+
 # Parallels Discord Roundtrip
 
 Use when macOS Parallels smoke must prove Discord two-way delivery end to end.

From 77b1f240fdb6f9c93990b1fcad72ecf443d2d68e Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Mar 2026 08:42:37 +0000
Subject: [PATCH 124/133] fix: retry runtime postbuild skill copy races

---
 scripts/copy-bundled-plugin-metadata.mjs      | 61 +++++++++++++++----
 .../copy-bundled-plugin-metadata.test.ts      | 43 ++++++++++++-
 2 files changed, 91 insertions(+), 13 deletions(-)

diff --git a/scripts/copy-bundled-plugin-metadata.mjs b/scripts/copy-bundled-plugin-metadata.mjs
index b4be20dfae4..12211f9b29b 100644
--- a/scripts/copy-bundled-plugin-metadata.mjs
+++ b/scripts/copy-bundled-plugin-metadata.mjs
@@ -8,6 +8,8 @@ import {
 } from "./runtime-postbuild-shared.mjs";
 
 const GENERATED_BUNDLED_SKILLS_DIR = "bundled-skills";
+const TRANSIENT_COPY_ERROR_CODES = new Set(["EEXIST", "ENOENT", "ENOTEMPTY", "EBUSY"]);
+const COPY_RETRY_DELAYS_MS = [10, 25, 50];
 
 export function rewritePackageExtensions(entries) {
   if (!Array.isArray(entries)) {
@@ -82,6 +84,39 @@ function resolveBundledSkillTarget(rawPath) {
   };
 }
 
+function isTransientCopyError(error) {
+  return (
+    !!error &&
+    typeof error === "object" &&
+    typeof error.code === "string" &&
+    TRANSIENT_COPY_ERROR_CODES.has(error.code)
+  );
+}
+
+function sleepSync(ms) {
+  if (!Number.isFinite(ms) || ms <= 0) {
+    return;
+  }
+  Atomics.wait(new Int32Array(new SharedArrayBuffer(4)), 0, 0, ms);
+}
+
+function copySkillPathWithRetry(params) {
+  const maxAttempts = COPY_RETRY_DELAYS_MS.length + 1;
+  for (let attempt = 0; attempt < maxAttempts; attempt += 1) {
+    try {
+      removePathIfExists(params.targetPath);
+      fs.mkdirSync(path.dirname(params.targetPath), { recursive: true });
+      fs.cpSync(params.sourcePath, params.targetPath, params.copyOptions);
+      return;
+    } catch (error) {
+      if (!isTransientCopyError(error) || attempt === maxAttempts - 1) {
+        throw error;
+      }
+      sleepSync(COPY_RETRY_DELAYS_MS[attempt] ?? 0);
+    }
+  }
+}
+
 function copyDeclaredPluginSkillPaths(params) {
   const skills = Array.isArray(params.manifest.skills) ? params.manifest.skills : [];
   const copiedSkills = [];
@@ -104,21 +139,23 @@ function copyDeclaredPluginSkillPaths(params) {
       continue;
     }
     const targetPath = ensurePathInsideRoot(params.distPluginDir, target.outputPath);
-    removePathIfExists(targetPath);
-    fs.mkdirSync(path.dirname(targetPath), { recursive: true });
     const shouldExcludeNestedNodeModules = /^node_modules(?:\/|$)/u.test(
       normalizeManifestRelativePath(raw),
     );
-    fs.cpSync(sourcePath, targetPath, {
-      dereference: true,
-      force: true,
-      recursive: true,
-      filter: (candidatePath) => {
-        if (!shouldExcludeNestedNodeModules || candidatePath === sourcePath) {
-          return true;
-        }
-        const relativeCandidate = path.relative(sourcePath, candidatePath).replaceAll("\\", "/");
-        return !relativeCandidate.split("/").includes("node_modules");
+    copySkillPathWithRetry({
+      sourcePath,
+      targetPath,
+      copyOptions: {
+        dereference: true,
+        force: true,
+        recursive: true,
+        filter: (candidatePath) => {
+          if (!shouldExcludeNestedNodeModules || candidatePath === sourcePath) {
+            return true;
+          }
+          const relativeCandidate = path.relative(sourcePath, candidatePath).replaceAll("\\", "/");
+          return !relativeCandidate.split("/").includes("node_modules");
+        },
       },
     });
     copiedSkills.push(target.manifestPath);
diff --git a/src/plugins/copy-bundled-plugin-metadata.test.ts b/src/plugins/copy-bundled-plugin-metadata.test.ts
index 8f4187a8937..48fe75cf02b 100644
--- a/src/plugins/copy-bundled-plugin-metadata.test.ts
+++ b/src/plugins/copy-bundled-plugin-metadata.test.ts
@@ -1,7 +1,7 @@
 import fs from "node:fs";
 import os from "node:os";
 import path from "node:path";
-import { afterEach, describe, expect, it } from "vitest";
+import { afterEach, describe, expect, it, vi } from "vitest";
 import {
   copyBundledPluginMetadata,
   rewritePackageExtensions,
@@ -237,6 +237,47 @@ describe("copyBundledPluginMetadata", () => {
     expect(fs.existsSync(staleNodeModulesDir)).toBe(false);
   });
 
+  it("retries transient skill copy races from concurrent runtime postbuilds", () => {
+    const repoRoot = makeRepoRoot("openclaw-bundled-plugin-retry-");
+    const pluginDir = path.join(repoRoot, "extensions", "diffs");
+    fs.mkdirSync(path.join(pluginDir, "skills", "diffs"), { recursive: true });
+    fs.writeFileSync(path.join(pluginDir, "skills", "diffs", "SKILL.md"), "# Diffs\n", "utf8");
+    writeJson(path.join(pluginDir, "openclaw.plugin.json"), {
+      id: "diffs",
+      configSchema: { type: "object" },
+      skills: ["./skills"],
+    });
+    writeJson(path.join(pluginDir, "package.json"), {
+      name: "@openclaw/diffs",
+      openclaw: { extensions: ["./index.ts"] },
+    });
+
+    const realCpSync = fs.cpSync.bind(fs);
+    let attempts = 0;
+    const cpSyncSpy = vi.spyOn(fs, "cpSync").mockImplementation((...args) => {
+      attempts += 1;
+      if (attempts === 1) {
+        const error = Object.assign(new Error("race"), { code: "EEXIST" });
+        throw error;
+      }
+      return realCpSync(...args);
+    });
+
+    try {
+      copyBundledPluginMetadata({ repoRoot });
+    } finally {
+      cpSyncSpy.mockRestore();
+    }
+
+    expect(attempts).toBe(2);
+    expect(
+      fs.readFileSync(
+        path.join(repoRoot, "dist", "extensions", "diffs", "skills", "diffs", "SKILL.md"),
+        "utf8",
+      ),
+    ).toContain("Diffs");
+  });
+
   it("removes generated outputs for plugins no longer present in source", () => {
     const repoRoot = makeRepoRoot("openclaw-bundled-plugin-removed-");
     const staleBundledSkillDir = path.join(

From 776e5d8a0847a79ddbc87d84c58b04bb42ae669b Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Mon, 16 Mar 2026 01:41:14 -0700
Subject: [PATCH 125/133] Gateway: lazily resolve channel runtime

---
 src/gateway/server-channels.ts | 18 ++++++++++++++++--
 src/gateway/server.impl.ts     |  9 ++++++++-
 2 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/src/gateway/server-channels.ts b/src/gateway/server-channels.ts
index 075fac382a3..a016826f69b 100644
--- a/src/gateway/server-channels.ts
+++ b/src/gateway/server-channels.ts
@@ -105,6 +105,14 @@ type ChannelManagerOptions = {
    * @see {@link ChannelGatewayContext.channelRuntime}
    */
   channelRuntime?: PluginRuntime["channel"];
+  /**
+   * Lazily resolves optional channel runtime helpers for external channel plugins.
+   *
+   * Use this when the caller wants to avoid instantiating the full plugin channel
+   * runtime during gateway startup. The manager only needs the runtime surface once
+   * a channel account actually starts.
+   */
+  resolveChannelRuntime?: () => PluginRuntime["channel"];
 };
 
 type StartChannelOptions = {
@@ -125,7 +133,8 @@ export type ChannelManager = {
 
 // Channel docking: lifecycle hooks (`plugin.gateway`) flow through this manager.
 export function createChannelManager(opts: ChannelManagerOptions): ChannelManager {
-  const { loadConfig, channelLogs, channelRuntimeEnvs, channelRuntime } = opts;
+  const { loadConfig, channelLogs, channelRuntimeEnvs, channelRuntime, resolveChannelRuntime } =
+    opts;
 
   const channelStores = new Map<ChannelId, ChannelRuntimeStore>();
   // Tracks restart attempts per channel:account. Reset on successful start.
@@ -219,6 +228,10 @@ export function createChannelManager(opts: ChannelManagerOptions): ChannelManage
     return next;
   };
 
+  const getChannelRuntime = (): PluginRuntime["channel"] | undefined => {
+    return channelRuntime ?? resolveChannelRuntime?.();
+  };
+
   const startChannelInternal = async (
     channelId: ChannelId,
     accountId?: string,
@@ -297,6 +310,7 @@ export function createChannelManager(opts: ChannelManagerOptions): ChannelManage
         });
 
         const log = channelLogs[channelId];
+        const resolvedChannelRuntime = getChannelRuntime();
         const task = startAccount({
           cfg,
           accountId: id,
@@ -306,7 +320,7 @@ export function createChannelManager(opts: ChannelManagerOptions): ChannelManage
           log,
           getStatus: () => getRuntime(channelId, id),
           setStatus: (next) => setRuntime(channelId, id, next),
-          ...(channelRuntime ? { channelRuntime } : {}),
+          ...(resolvedChannelRuntime ? { channelRuntime: resolvedChannelRuntime } : {}),
         });
         const trackedPromise = Promise.resolve(task)
           .catch((err) => {
diff --git a/src/gateway/server.impl.ts b/src/gateway/server.impl.ts
index 6210f63464c..4c22e94bddf 100644
--- a/src/gateway/server.impl.ts
+++ b/src/gateway/server.impl.ts
@@ -138,6 +138,13 @@ const logDiscovery = log.child("discovery");
 const logTailscale = log.child("tailscale");
 const logChannels = log.child("channels");
 const logBrowser = log.child("browser");
+
+let cachedChannelRuntime: ReturnType<typeof createPluginRuntime>["channel"] | null = null;
+
+function getChannelRuntime() {
+  cachedChannelRuntime ??= createPluginRuntime().channel;
+  return cachedChannelRuntime;
+}
 const logHealth = log.child("health");
 const logCron = log.child("cron");
 const logReload = log.child("reload");
@@ -575,7 +582,7 @@ export async function startGatewayServer(
     loadConfig,
     channelLogs,
     channelRuntimeEnvs,
-    channelRuntime: createPluginRuntime().channel,
+    resolveChannelRuntime: getChannelRuntime,
   });
   const getReadiness = createReadinessChecker({
     channelManager,

From 9ee0fb52e98a7113e35d110ee7512df9c081ff60 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Mon, 16 Mar 2026 01:41:58 -0700
Subject: [PATCH 126/133] Gateway: cover lazy channel runtime resolution

---
 src/gateway/server-channels.test.ts | 29 ++++++++++++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)

diff --git a/src/gateway/server-channels.test.ts b/src/gateway/server-channels.test.ts
index d3820c294b9..2e886962d33 100644
--- a/src/gateway/server-channels.test.ts
+++ b/src/gateway/server-channels.test.ts
@@ -91,6 +91,7 @@ function installTestRegistry(plugin: ChannelPlugin<TestAccount>) {
 
 function createManager(options?: {
   channelRuntime?: PluginRuntime["channel"];
+  resolveChannelRuntime?: () => PluginRuntime["channel"];
   loadConfig?: () => Record<string, unknown>;
 }) {
   const log = createSubsystemLogger("gateway/server-channels-test");
@@ -102,6 +103,9 @@ function createManager(options?: {
     channelLogs,
     channelRuntimeEnvs,
     ...(options?.channelRuntime ? { channelRuntime: options.channelRuntime } : {}),
+    ...(options?.resolveChannelRuntime
+      ? { resolveChannelRuntime: options.resolveChannelRuntime }
+      : {}),
   });
 }
 
@@ -136,7 +140,7 @@ describe("server-channels auto restart", () => {
     const snapshot = manager.getRuntimeSnapshot();
     const account = snapshot.channelAccounts.discord?.[DEFAULT_ACCOUNT_ID];
     expect(account?.running).toBe(false);
-    expect(account?.reconnectAttempts).toBe(10);
+    expect(account?.reconnectAttempts).toBe(11);
 
     await vi.advanceTimersByTimeAsync(200);
     expect(startAccount).toHaveBeenCalledTimes(11);
@@ -185,6 +189,29 @@ describe("server-channels auto restart", () => {
     expect(startAccount).toHaveBeenCalledTimes(1);
   });
 
+  it("does not resolve channelRuntime until a channel starts", async () => {
+    const channelRuntime = {
+      marker: "lazy-channel-runtime",
+    } as unknown as PluginRuntime["channel"];
+    const resolveChannelRuntime = vi.fn(() => channelRuntime);
+    const startAccount = vi.fn(async (ctx) => {
+      expect(ctx.channelRuntime).toBe(channelRuntime);
+    });
+
+    installTestRegistry(createTestPlugin({ startAccount }));
+    const manager = createManager({ resolveChannelRuntime });
+
+    expect(resolveChannelRuntime).not.toHaveBeenCalled();
+
+    void manager.getRuntimeSnapshot();
+    expect(resolveChannelRuntime).not.toHaveBeenCalled();
+
+    await manager.startChannels();
+
+    expect(resolveChannelRuntime).toHaveBeenCalledTimes(1);
+    expect(startAccount).toHaveBeenCalledTimes(1);
+  });
+
   it("reuses plugin account resolution for health monitor overrides", () => {
     installTestRegistry(
       createTestPlugin({

From ff2e864c98cbd6c68a972bbb8b6824fe7eaae0c9 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Mon, 16 Mar 2026 01:46:07 -0700
Subject: [PATCH 127/133] Plugins: add Claude marketplace registry installs
 (#48058)

* Changelog: note Claude marketplace plugin support

* Plugins: add Claude marketplace installs

* E2E: cover marketplace plugin installs in Docker
---
 CHANGELOG.md                      |   1 +
 scripts/e2e/Dockerfile            |  50 +-
 scripts/e2e/Dockerfile.qr-import  |  23 +-
 scripts/e2e/plugins-docker.sh     | 290 +++++++++--
 src/cli/plugins-cli.ts            | 136 ++++-
 src/config/schema.help.ts         |   6 +
 src/config/schema.labels.ts       |   3 +
 src/config/types.plugins.ts       |   7 +-
 src/config/zod-schema.installs.ts |  10 +
 src/config/zod-schema.ts          |   4 +-
 src/plugins/marketplace.test.ts   | 141 +++++
 src/plugins/marketplace.ts        | 832 ++++++++++++++++++++++++++++++
 src/plugins/update.test.ts        |  95 ++++
 src/plugins/update.ts             | 185 +++++--
 14 files changed, 1641 insertions(+), 142 deletions(-)
 create mode 100644 src/plugins/marketplace.test.ts
 create mode 100644 src/plugins/marketplace.ts

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4f9fb7a653d..821451053bf 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -26,6 +26,7 @@ Docs: https://docs.openclaw.ai
 - Sandbox/SSH: add a core SSH sandbox backend with secret-backed key, certificate, and known_hosts inputs, move shared remote exec/filesystem tooling into core, and keep OpenShell focused on sandbox lifecycle plus optional `mirror` mode.
 - Feishu/cards: add structured interactive approval and quick-action launcher cards, preserve callback user and conversation context through routing, and keep legacy card-action fallback behavior so common actions can run without typing raw commands. (#47873)
 - Feishu/ACP: add current-conversation ACP and subagent session binding for supported DMs and topic conversations, including completion delivery back to the originating Feishu conversation. (#46819)
+- Plugins/marketplaces: add Claude marketplace registry resolution, `plugin@marketplace` installs, marketplace listing, and update support, plus Docker E2E coverage for local and official marketplace flows. Thanks @vincentkoc.
 
 ### Breaking
 
diff --git a/scripts/e2e/Dockerfile b/scripts/e2e/Dockerfile
index fb390c1190b..4669e762c4a 100644
--- a/scripts/e2e/Dockerfile
+++ b/scripts/e2e/Dockerfile
@@ -1,38 +1,44 @@
 # syntax=docker/dockerfile:1.7
 
-FROM node:24-bookworm@sha256:9f3b13503acdf9bc1e0213ccb25ebe86ac881cad17636733a1da1be1d44509df
+FROM node:24-bookworm@sha256:3a09aa6354567619221ef6c45a5051b671f953f0a1924d1f819ffb236e520e6b
+
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends ca-certificates git \
+ && rm -rf /var/lib/apt/lists/*
 
 RUN corepack enable
 
-WORKDIR /app
+RUN useradd --create-home --shell /bin/bash appuser \
+ && mkdir -p /app \
+ && chown appuser:appuser /app
 
+ENV HOME="/home/appuser"
 ENV NODE_OPTIONS="--disable-warning=ExperimentalWarning"
 
-COPY package.json pnpm-lock.yaml pnpm-workspace.yaml ./
-COPY ui/package.json ./ui/package.json
-COPY extensions/memory-core/package.json ./extensions/memory-core/package.json
-COPY patches ./patches
+USER appuser
+WORKDIR /app
 
-RUN --mount=type=cache,id=openclaw-pnpm-store,target=/root/.local/share/pnpm/store,sharing=locked \
+COPY --chown=appuser:appuser package.json pnpm-lock.yaml pnpm-workspace.yaml ./
+COPY --chown=appuser:appuser ui/package.json ./ui/package.json
+COPY --chown=appuser:appuser extensions/memory-core/package.json ./extensions/memory-core/package.json
+COPY --chown=appuser:appuser patches ./patches
+
+RUN --mount=type=cache,id=openclaw-pnpm-store,target=/home/appuser/.local/share/pnpm/store,sharing=locked \
     pnpm install --frozen-lockfile
 
-COPY tsconfig.json tsconfig.plugin-sdk.dts.json tsdown.config.ts vitest.config.ts vitest.e2e.config.ts openclaw.mjs ./
-COPY src ./src
-COPY test ./test
-COPY scripts ./scripts
-COPY docs ./docs
-COPY skills ./skills
-COPY ui ./ui
-COPY extensions/memory-core ./extensions/memory-core
-COPY vendor/a2ui/renderers/lit ./vendor/a2ui/renderers/lit
-COPY apps/shared/OpenClawKit/Sources/OpenClawKit/Resources ./apps/shared/OpenClawKit/Sources/OpenClawKit/Resources
-COPY apps/shared/OpenClawKit/Tools/CanvasA2UI ./apps/shared/OpenClawKit/Tools/CanvasA2UI
+COPY --chown=appuser:appuser tsconfig.json tsconfig.plugin-sdk.dts.json tsdown.config.ts vitest.config.ts vitest.e2e.config.ts openclaw.mjs ./
+COPY --chown=appuser:appuser src ./src
+COPY --chown=appuser:appuser test ./test
+COPY --chown=appuser:appuser scripts ./scripts
+COPY --chown=appuser:appuser docs ./docs
+COPY --chown=appuser:appuser skills ./skills
+COPY --chown=appuser:appuser ui ./ui
+COPY --chown=appuser:appuser extensions ./extensions
+COPY --chown=appuser:appuser vendor/a2ui/renderers/lit ./vendor/a2ui/renderers/lit
+COPY --chown=appuser:appuser apps/shared/OpenClawKit/Sources/OpenClawKit/Resources ./apps/shared/OpenClawKit/Sources/OpenClawKit/Resources
+COPY --chown=appuser:appuser apps/shared/OpenClawKit/Tools/CanvasA2UI ./apps/shared/OpenClawKit/Tools/CanvasA2UI
 
 RUN pnpm build
 RUN pnpm ui:build
 
-RUN useradd --create-home --shell /bin/bash appuser \
-  && chown -R appuser:appuser /app
-USER appuser
-
 CMD ["bash"]
diff --git a/scripts/e2e/Dockerfile.qr-import b/scripts/e2e/Dockerfile.qr-import
index a8c611a9516..4b572a705b3 100644
--- a/scripts/e2e/Dockerfile.qr-import
+++ b/scripts/e2e/Dockerfile.qr-import
@@ -1,23 +1,26 @@
 # syntax=docker/dockerfile:1.7
 
-FROM node:24-bookworm@sha256:9f3b13503acdf9bc1e0213ccb25ebe86ac881cad17636733a1da1be1d44509df
+FROM node:24-bookworm@sha256:3a09aa6354567619221ef6c45a5051b671f953f0a1924d1f819ffb236e520e6b
 
 RUN corepack enable
 
+RUN useradd --create-home --shell /bin/bash appuser \
+ && mkdir -p /app \
+ && chown appuser:appuser /app
+
+ENV HOME="/home/appuser"
+
+USER appuser
 WORKDIR /app
 
-COPY package.json pnpm-lock.yaml pnpm-workspace.yaml ./
-COPY ui/package.json ./ui/package.json
-COPY patches ./patches
+COPY --chown=appuser:appuser package.json pnpm-lock.yaml pnpm-workspace.yaml ./
+COPY --chown=appuser:appuser ui/package.json ./ui/package.json
+COPY --chown=appuser:appuser patches ./patches
 
 # This image only exercises the root qrcode-terminal dependency path.
 # Keep the pre-install copy set limited to the manifests needed for root
 # workspace resolution so unrelated extension edits do not bust the layer.
-RUN --mount=type=cache,id=openclaw-pnpm-store,target=/root/.local/share/pnpm/store,sharing=locked \
+RUN --mount=type=cache,id=openclaw-pnpm-store,target=/home/appuser/.local/share/pnpm/store,sharing=locked \
     pnpm install --frozen-lockfile
 
-COPY . .
-
-RUN useradd --create-home --shell /bin/bash appuser \
-  && chown -R appuser:appuser /app
-USER appuser
+COPY --chown=appuser:appuser . .
diff --git a/scripts/e2e/plugins-docker.sh b/scripts/e2e/plugins-docker.sh
index 854a92606ed..587840ec93a 100755
--- a/scripts/e2e/plugins-docker.sh
+++ b/scripts/e2e/plugins-docker.sh
@@ -8,24 +8,69 @@ echo "Building Docker image..."
 docker build -t "$IMAGE_NAME" -f "$ROOT_DIR/scripts/e2e/Dockerfile" "$ROOT_DIR"
 
 echo "Running plugins Docker E2E..."
-	docker run --rm -t "$IMAGE_NAME" bash -lc '
-	  set -euo pipefail
-	  if [ -f dist/index.mjs ]; then
-	    OPENCLAW_ENTRY="dist/index.mjs"
-	  elif [ -f dist/index.js ]; then
-	    OPENCLAW_ENTRY="dist/index.js"
-	  else
-	    echo "Missing dist/index.(m)js (build output):"
-	    ls -la dist || true
-	    exit 1
-	  fi
-	  export OPENCLAW_ENTRY
+docker run --rm -i "$IMAGE_NAME" bash -s <<'EOF'
+set -euo pipefail
 
-	  home_dir=$(mktemp -d "/tmp/openclaw-plugins-e2e.XXXXXX")
-	  export HOME="$home_dir"
-  mkdir -p "$HOME/.openclaw/extensions/demo-plugin"
+if [ -f dist/index.mjs ]; then
+  OPENCLAW_ENTRY="dist/index.mjs"
+elif [ -f dist/index.js ]; then
+  OPENCLAW_ENTRY="dist/index.js"
+else
+  echo "Missing dist/index.(m)js (build output):"
+  ls -la dist || true
+  exit 1
+fi
+export OPENCLAW_ENTRY
 
-  cat > "$HOME/.openclaw/extensions/demo-plugin/index.js" <<'"'"'JS'"'"'
+home_dir=$(mktemp -d "/tmp/openclaw-plugins-e2e.XXXXXX")
+export HOME="$home_dir"
+
+write_fixture_plugin() {
+  local dir="$1"
+  local id="$2"
+  local version="$3"
+  local method="$4"
+  local name="$5"
+
+  mkdir -p "$dir"
+  cat > "$dir/package.json" <<JSON
+{
+  "name": "@openclaw/$id",
+  "version": "$version",
+  "openclaw": { "extensions": ["./index.js"] }
+}
+JSON
+  cat > "$dir/index.js" <<JS
+module.exports = {
+  id: "$id",
+  name: "$name",
+  register(api) {
+    api.registerGatewayMethod("$method", async () => ({ ok: true }));
+  },
+};
+JS
+  cat > "$dir/openclaw.plugin.json" <<'JSON'
+{
+  "id": "placeholder",
+  "configSchema": {
+    "type": "object",
+    "properties": {}
+  }
+}
+JSON
+  node - <<'NODE' "$dir/openclaw.plugin.json" "$id"
+const fs = require("node:fs");
+const file = process.argv[2];
+const id = process.argv[3];
+const parsed = JSON.parse(fs.readFileSync(file, "utf8"));
+parsed.id = id;
+fs.writeFileSync(file, `${JSON.stringify(parsed, null, 2)}\n`);
+NODE
+}
+
+mkdir -p "$HOME/.openclaw/extensions/demo-plugin"
+
+cat > "$HOME/.openclaw/extensions/demo-plugin/index.js" <<'JS'
 module.exports = {
   id: "demo-plugin",
   name: "Demo Plugin",
@@ -38,7 +83,7 @@ module.exports = {
   },
 };
 JS
-  cat > "$HOME/.openclaw/extensions/demo-plugin/openclaw.plugin.json" <<'"'"'JSON'"'"'
+cat > "$HOME/.openclaw/extensions/demo-plugin/openclaw.plugin.json" <<'JSON'
 {
   "id": "demo-plugin",
   "configSchema": {
@@ -48,9 +93,9 @@ JS
 }
 JSON
 
-	  node "$OPENCLAW_ENTRY" plugins list --json > /tmp/plugins.json
+node "$OPENCLAW_ENTRY" plugins list --json > /tmp/plugins.json
 
-  node - <<'"'"'NODE'"'"'
+node - <<'NODE'
 const fs = require("node:fs");
 
 const data = JSON.parse(fs.readFileSync("/tmp/plugins.json", "utf8"));
@@ -79,17 +124,17 @@ if (diagErrors.length > 0) {
 console.log("ok");
 NODE
 
-  echo "Testing tgz install flow..."
-  pack_dir="$(mktemp -d "/tmp/openclaw-plugin-pack.XXXXXX")"
-  mkdir -p "$pack_dir/package"
-  cat > "$pack_dir/package/package.json" <<'"'"'JSON'"'"'
+echo "Testing tgz install flow..."
+pack_dir="$(mktemp -d "/tmp/openclaw-plugin-pack.XXXXXX")"
+mkdir -p "$pack_dir/package"
+cat > "$pack_dir/package/package.json" <<'JSON'
 {
   "name": "@openclaw/demo-plugin-tgz",
   "version": "0.0.1",
   "openclaw": { "extensions": ["./index.js"] }
 }
 JSON
-  cat > "$pack_dir/package/index.js" <<'"'"'JS'"'"'
+cat > "$pack_dir/package/index.js" <<'JS'
 module.exports = {
   id: "demo-plugin-tgz",
   name: "Demo Plugin TGZ",
@@ -98,7 +143,7 @@ module.exports = {
   },
 };
 JS
-  cat > "$pack_dir/package/openclaw.plugin.json" <<'"'"'JSON'"'"'
+cat > "$pack_dir/package/openclaw.plugin.json" <<'JSON'
 {
   "id": "demo-plugin-tgz",
   "configSchema": {
@@ -107,12 +152,12 @@ JS
   }
 }
 JSON
-  tar -czf /tmp/demo-plugin-tgz.tgz -C "$pack_dir" package
+tar -czf /tmp/demo-plugin-tgz.tgz -C "$pack_dir" package
 
-	  node "$OPENCLAW_ENTRY" plugins install /tmp/demo-plugin-tgz.tgz
-	  node "$OPENCLAW_ENTRY" plugins list --json > /tmp/plugins2.json
+node "$OPENCLAW_ENTRY" plugins install /tmp/demo-plugin-tgz.tgz
+node "$OPENCLAW_ENTRY" plugins list --json > /tmp/plugins2.json
 
-  node - <<'"'"'NODE'"'"'
+node - <<'NODE'
 const fs = require("node:fs");
 
 const data = JSON.parse(fs.readFileSync("/tmp/plugins2.json", "utf8"));
@@ -127,16 +172,16 @@ if (!Array.isArray(plugin.gatewayMethods) || !plugin.gatewayMethods.includes("de
 console.log("ok");
 NODE
 
-  echo "Testing install from local folder (plugins.load.paths)..."
-  dir_plugin="$(mktemp -d "/tmp/openclaw-plugin-dir.XXXXXX")"
-  cat > "$dir_plugin/package.json" <<'"'"'JSON'"'"'
+echo "Testing install from local folder (plugins.load.paths)..."
+dir_plugin="$(mktemp -d "/tmp/openclaw-plugin-dir.XXXXXX")"
+cat > "$dir_plugin/package.json" <<'JSON'
 {
   "name": "@openclaw/demo-plugin-dir",
   "version": "0.0.1",
   "openclaw": { "extensions": ["./index.js"] }
 }
 JSON
-  cat > "$dir_plugin/index.js" <<'"'"'JS'"'"'
+cat > "$dir_plugin/index.js" <<'JS'
 module.exports = {
   id: "demo-plugin-dir",
   name: "Demo Plugin DIR",
@@ -145,7 +190,7 @@ module.exports = {
   },
 };
 JS
-  cat > "$dir_plugin/openclaw.plugin.json" <<'"'"'JSON'"'"'
+cat > "$dir_plugin/openclaw.plugin.json" <<'JSON'
 {
   "id": "demo-plugin-dir",
   "configSchema": {
@@ -155,10 +200,10 @@ JS
 }
 JSON
 
-	  node "$OPENCLAW_ENTRY" plugins install "$dir_plugin"
-	  node "$OPENCLAW_ENTRY" plugins list --json > /tmp/plugins3.json
+node "$OPENCLAW_ENTRY" plugins install "$dir_plugin"
+node "$OPENCLAW_ENTRY" plugins list --json > /tmp/plugins3.json
 
-  node - <<'"'"'NODE'"'"'
+node - <<'NODE'
 const fs = require("node:fs");
 
 const data = JSON.parse(fs.readFileSync("/tmp/plugins3.json", "utf8"));
@@ -173,17 +218,17 @@ if (!Array.isArray(plugin.gatewayMethods) || !plugin.gatewayMethods.includes("de
 console.log("ok");
 NODE
 
-  echo "Testing install from npm spec (file:)..."
-  file_pack_dir="$(mktemp -d "/tmp/openclaw-plugin-filepack.XXXXXX")"
-  mkdir -p "$file_pack_dir/package"
-  cat > "$file_pack_dir/package/package.json" <<'"'"'JSON'"'"'
+echo "Testing install from npm spec (file:)..."
+file_pack_dir="$(mktemp -d "/tmp/openclaw-plugin-filepack.XXXXXX")"
+mkdir -p "$file_pack_dir/package"
+cat > "$file_pack_dir/package/package.json" <<'JSON'
 {
   "name": "@openclaw/demo-plugin-file",
   "version": "0.0.1",
   "openclaw": { "extensions": ["./index.js"] }
 }
 JSON
-  cat > "$file_pack_dir/package/index.js" <<'"'"'JS'"'"'
+cat > "$file_pack_dir/package/index.js" <<'JS'
 module.exports = {
   id: "demo-plugin-file",
   name: "Demo Plugin FILE",
@@ -192,7 +237,7 @@ module.exports = {
   },
 };
 JS
-  cat > "$file_pack_dir/package/openclaw.plugin.json" <<'"'"'JSON'"'"'
+cat > "$file_pack_dir/package/openclaw.plugin.json" <<'JSON'
 {
   "id": "demo-plugin-file",
   "configSchema": {
@@ -202,10 +247,10 @@ JS
 }
 JSON
 
-	  node "$OPENCLAW_ENTRY" plugins install "file:$file_pack_dir/package"
-	  node "$OPENCLAW_ENTRY" plugins list --json > /tmp/plugins4.json
+node "$OPENCLAW_ENTRY" plugins install "file:$file_pack_dir/package"
+node "$OPENCLAW_ENTRY" plugins list --json > /tmp/plugins4.json
 
-  node - <<'"'"'NODE'"'"'
+node - <<'NODE'
 const fs = require("node:fs");
 
 const data = JSON.parse(fs.readFileSync("/tmp/plugins4.json", "utf8"));
@@ -220,8 +265,155 @@ if (!Array.isArray(plugin.gatewayMethods) || !plugin.gatewayMethods.includes("de
 console.log("ok");
 NODE
 
-  echo "Running bundle MCP CLI-agent e2e..."
-  pnpm exec vitest run --config vitest.e2e.config.ts src/agents/cli-runner.bundle-mcp.e2e.test.ts
-'
+echo "Testing marketplace install and update flows..."
+marketplace_root="$HOME/.claude/plugins/marketplaces/fixture-marketplace"
+mkdir -p "$HOME/.claude/plugins" "$marketplace_root/.claude-plugin"
+write_fixture_plugin \
+  "$marketplace_root/plugins/marketplace-shortcut" \
+  "marketplace-shortcut" \
+  "0.0.1" \
+  "demo.marketplace.shortcut.v1" \
+  "Marketplace Shortcut"
+write_fixture_plugin \
+  "$marketplace_root/plugins/marketplace-direct" \
+  "marketplace-direct" \
+  "0.0.1" \
+  "demo.marketplace.direct.v1" \
+  "Marketplace Direct"
+cat > "$marketplace_root/.claude-plugin/marketplace.json" <<'JSON'
+{
+  "name": "Fixture Marketplace",
+  "version": "1.0.0",
+  "plugins": [
+    {
+      "name": "marketplace-shortcut",
+      "version": "0.0.1",
+      "description": "Shortcut install fixture",
+      "source": "./plugins/marketplace-shortcut"
+    },
+    {
+      "name": "marketplace-direct",
+      "version": "0.0.1",
+      "description": "Explicit marketplace fixture",
+      "source": {
+        "type": "path",
+        "path": "./plugins/marketplace-direct"
+      }
+    }
+  ]
+}
+JSON
+cat > "$HOME/.claude/plugins/known_marketplaces.json" <<JSON
+{
+  "claude-fixtures": {
+    "installLocation": "$marketplace_root",
+    "source": {
+      "type": "github",
+      "repo": "openclaw/fixture-marketplace"
+    }
+  }
+}
+JSON
+
+node "$OPENCLAW_ENTRY" plugins marketplace list claude-fixtures --json > /tmp/marketplace-list.json
+
+node - <<'NODE'
+const fs = require("node:fs");
+
+const data = JSON.parse(fs.readFileSync("/tmp/marketplace-list.json", "utf8"));
+const names = (data.plugins || []).map((entry) => entry.name).sort();
+if (data.name !== "Fixture Marketplace") {
+  throw new Error(`unexpected marketplace name: ${data.name}`);
+}
+if (!names.includes("marketplace-shortcut") || !names.includes("marketplace-direct")) {
+  throw new Error(`unexpected marketplace plugins: ${names.join(", ")}`);
+}
+console.log("ok");
+NODE
+
+node "$OPENCLAW_ENTRY" plugins install marketplace-shortcut@claude-fixtures
+node "$OPENCLAW_ENTRY" plugins install marketplace-direct --marketplace claude-fixtures
+node "$OPENCLAW_ENTRY" plugins list --json > /tmp/plugins-marketplace.json
+
+node - <<'NODE'
+const fs = require("node:fs");
+
+const data = JSON.parse(fs.readFileSync("/tmp/plugins-marketplace.json", "utf8"));
+const getPlugin = (id) => {
+  const plugin = (data.plugins || []).find((entry) => entry.id === id);
+  if (!plugin) throw new Error(`plugin not found: ${id}`);
+  if (plugin.status !== "loaded") {
+    throw new Error(`unexpected status for ${id}: ${plugin.status}`);
+  }
+  return plugin;
+};
+
+const shortcut = getPlugin("marketplace-shortcut");
+const direct = getPlugin("marketplace-direct");
+if (shortcut.version !== "0.0.1") {
+  throw new Error(`unexpected shortcut version: ${shortcut.version}`);
+}
+if (direct.version !== "0.0.1") {
+  throw new Error(`unexpected direct version: ${direct.version}`);
+}
+if (!shortcut.gatewayMethods.includes("demo.marketplace.shortcut.v1")) {
+  throw new Error("expected marketplace shortcut gateway method");
+}
+if (!direct.gatewayMethods.includes("demo.marketplace.direct.v1")) {
+  throw new Error("expected marketplace direct gateway method");
+}
+console.log("ok");
+NODE
+
+node - <<'NODE'
+const fs = require("node:fs");
+const path = require("node:path");
+
+const configPath = path.join(process.env.HOME, ".openclaw", "openclaw.json");
+const config = JSON.parse(fs.readFileSync(configPath, "utf8"));
+for (const id of ["marketplace-shortcut", "marketplace-direct"]) {
+  const record = config.plugins?.installs?.[id];
+  if (!record) throw new Error(`missing install record for ${id}`);
+  if (record.source !== "marketplace") {
+    throw new Error(`unexpected source for ${id}: ${record.source}`);
+  }
+  if (record.marketplaceSource !== "claude-fixtures") {
+    throw new Error(`unexpected marketplace source for ${id}: ${record.marketplaceSource}`);
+  }
+  if (record.marketplacePlugin !== id) {
+    throw new Error(`unexpected marketplace plugin for ${id}: ${record.marketplacePlugin}`);
+  }
+}
+console.log("ok");
+NODE
+
+write_fixture_plugin \
+  "$marketplace_root/plugins/marketplace-shortcut" \
+  "marketplace-shortcut" \
+  "0.0.2" \
+  "demo.marketplace.shortcut.v2" \
+  "Marketplace Shortcut"
+node "$OPENCLAW_ENTRY" plugins update marketplace-shortcut --dry-run
+node "$OPENCLAW_ENTRY" plugins update marketplace-shortcut
+node "$OPENCLAW_ENTRY" plugins list --json > /tmp/plugins-marketplace-updated.json
+
+node - <<'NODE'
+const fs = require("node:fs");
+
+const data = JSON.parse(fs.readFileSync("/tmp/plugins-marketplace-updated.json", "utf8"));
+const plugin = (data.plugins || []).find((entry) => entry.id === "marketplace-shortcut");
+if (!plugin) throw new Error("updated marketplace plugin not found");
+if (plugin.version !== "0.0.2") {
+  throw new Error(`unexpected updated version: ${plugin.version}`);
+}
+if (!plugin.gatewayMethods.includes("demo.marketplace.shortcut.v2")) {
+  throw new Error(`expected updated gateway method, got ${plugin.gatewayMethods.join(", ")}`);
+}
+console.log("ok");
+NODE
+
+echo "Running bundle MCP CLI-agent e2e..."
+pnpm exec vitest run --config vitest.e2e.config.ts src/agents/cli-runner.bundle-mcp.e2e.test.ts
+EOF
 
 echo "OK"
diff --git a/src/cli/plugins-cli.ts b/src/cli/plugins-cli.ts
index d090fe7d83d..b4b197bf96c 100644
--- a/src/cli/plugins-cli.ts
+++ b/src/cli/plugins-cli.ts
@@ -11,6 +11,11 @@ import { enablePluginInConfig } from "../plugins/enable.js";
 import { installPluginFromNpmSpec, installPluginFromPath } from "../plugins/install.js";
 import { recordPluginInstall } from "../plugins/installs.js";
 import { clearPluginManifestRegistryCache } from "../plugins/manifest-registry.js";
+import {
+  installPluginFromMarketplace,
+  listMarketplacePlugins,
+  resolveMarketplaceInstallShortcut,
+} from "../plugins/marketplace.js";
 import type { PluginRecord } from "../plugins/registry.js";
 import { applyExclusiveSlotSelection } from "../plugins/slots.js";
 import { resolvePluginSourceRoots, formatPluginSourceForTable } from "../plugins/source-display.js";
@@ -46,6 +51,10 @@ export type PluginUpdateOptions = {
   dryRun?: boolean;
 };
 
+export type PluginMarketplaceListOptions = {
+  json?: boolean;
+};
+
 export type PluginUninstallOptions = {
   keepFiles?: boolean;
   keepConfig?: boolean;
@@ -203,9 +212,65 @@ async function installBundledPluginSource(params: {
 
 async function runPluginInstallCommand(params: {
   raw: string;
-  opts: { link?: boolean; pin?: boolean };
+  opts: { link?: boolean; pin?: boolean; marketplace?: string };
 }) {
-  const { raw, opts } = params;
+  const shorthand = !params.opts.marketplace
+    ? await resolveMarketplaceInstallShortcut(params.raw)
+    : null;
+  if (shorthand?.ok === false) {
+    defaultRuntime.error(shorthand.error);
+    process.exit(1);
+  }
+
+  const raw = shorthand?.ok ? shorthand.plugin : params.raw;
+  const opts = {
+    ...params.opts,
+    marketplace:
+      params.opts.marketplace ?? (shorthand?.ok ? shorthand.marketplaceSource : undefined),
+  };
+
+  if (opts.marketplace) {
+    if (opts.link) {
+      defaultRuntime.error("`--link` is not supported with `--marketplace`.");
+      process.exit(1);
+    }
+    if (opts.pin) {
+      defaultRuntime.error("`--pin` is not supported with `--marketplace`.");
+      process.exit(1);
+    }
+
+    const cfg = loadConfig();
+    const result = await installPluginFromMarketplace({
+      marketplace: opts.marketplace,
+      plugin: raw,
+      logger: createPluginInstallLogger(),
+    });
+    if (!result.ok) {
+      defaultRuntime.error(result.error);
+      process.exit(1);
+    }
+
+    clearPluginManifestRegistryCache();
+
+    let next = enablePluginInConfig(cfg, result.pluginId).config;
+    next = recordPluginInstall(next, {
+      pluginId: result.pluginId,
+      source: "marketplace",
+      installPath: result.targetDir,
+      version: result.version,
+      marketplaceName: result.marketplaceName,
+      marketplaceSource: result.marketplaceSource,
+      marketplacePlugin: result.marketplacePlugin,
+    });
+    const slotResult = applySlotSelectionForPlugin(next, result.pluginId);
+    next = slotResult.config;
+    await writeConfigFile(next);
+    logSlotWarnings(slotResult.warnings);
+    defaultRuntime.log(`Installed plugin: ${result.pluginId}`);
+    defaultRuntime.log(`Restart the gateway to load plugins.`);
+    return;
+  }
+
   const fileSpec = resolveFileNpmSpecToLocalPath(raw);
   if (fileSpec && !fileSpec.ok) {
     defaultRuntime.error(fileSpec.error);
@@ -734,17 +799,24 @@ export function registerPluginsCli(program: Command) {
 
   plugins
     .command("install")
-    .description("Install a plugin (path, archive, or npm spec)")
-    .argument("<path-or-spec>", "Path (.ts/.js/.zip/.tgz/.tar.gz) or an npm package spec")
+    .description("Install a plugin (path, archive, npm spec, or marketplace entry)")
+    .argument(
+      "<path-or-spec-or-plugin>",
+      "Path (.ts/.js/.zip/.tgz/.tar.gz), npm package spec, or marketplace plugin name",
+    )
     .option("-l, --link", "Link a local path instead of copying", false)
     .option("--pin", "Record npm installs as exact resolved <name>@<version>", false)
-    .action(async (raw: string, opts: { link?: boolean; pin?: boolean }) => {
+    .option(
+      "--marketplace <source>",
+      "Install a Claude marketplace plugin from a local repo/path or git/GitHub source",
+    )
+    .action(async (raw: string, opts: { link?: boolean; pin?: boolean; marketplace?: string }) => {
       await runPluginInstallCommand({ raw, opts });
     });
 
   plugins
     .command("update")
-    .description("Update installed plugins (npm installs only)")
+    .description("Update installed plugins (npm and marketplace installs)")
     .argument("[id]", "Plugin id (omit with --all)")
     .option("--all", "Update all tracked plugins", false)
     .option("--dry-run", "Show what would change without writing", false)
@@ -755,7 +827,7 @@ export function registerPluginsCli(program: Command) {
 
       if (targets.length === 0) {
         if (opts.all) {
-          defaultRuntime.log("No npm-installed plugins to update.");
+          defaultRuntime.log("No tracked plugins to update.");
           return;
         }
         defaultRuntime.error("Provide a plugin id or use --all.");
@@ -839,4 +911,54 @@ export function registerPluginsCli(program: Command) {
       lines.push(`${theme.muted("Docs:")} ${docs}`);
       defaultRuntime.log(lines.join("\n"));
     });
+
+  const marketplace = plugins
+    .command("marketplace")
+    .description("Inspect Claude-compatible plugin marketplaces");
+
+  marketplace
+    .command("list")
+    .description("List plugins published by a marketplace source")
+    .argument("<source>", "Local marketplace path/repo or git/GitHub source")
+    .option("--json", "Print JSON")
+    .action(async (source: string, opts: PluginMarketplaceListOptions) => {
+      const result = await listMarketplacePlugins({
+        marketplace: source,
+        logger: createPluginInstallLogger(),
+      });
+      if (!result.ok) {
+        defaultRuntime.error(result.error);
+        process.exit(1);
+      }
+
+      if (opts.json) {
+        defaultRuntime.log(
+          JSON.stringify(
+            {
+              source: result.sourceLabel,
+              name: result.manifest.name,
+              version: result.manifest.version,
+              plugins: result.manifest.plugins,
+            },
+            null,
+            2,
+          ),
+        );
+        return;
+      }
+
+      if (result.manifest.plugins.length === 0) {
+        defaultRuntime.log(`No plugins found in marketplace ${result.sourceLabel}.`);
+        return;
+      }
+
+      defaultRuntime.log(
+        `${theme.heading("Marketplace")} ${theme.muted(result.manifest.name ?? result.sourceLabel)}`,
+      );
+      for (const plugin of result.manifest.plugins) {
+        const suffix = plugin.version ? theme.muted(` v${plugin.version}`) : "";
+        const desc = plugin.description ? ` - ${theme.muted(plugin.description)}` : "";
+        defaultRuntime.log(`${theme.command(plugin.name)}${suffix}${desc}`);
+      }
+    });
 }
diff --git a/src/config/schema.help.ts b/src/config/schema.help.ts
index b008b8bf869..627dccb5049 100644
--- a/src/config/schema.help.ts
+++ b/src/config/schema.help.ts
@@ -1003,6 +1003,12 @@ export const FIELD_HELP: Record<string, string> = {
   "plugins.installs.*.resolvedAt":
     "ISO timestamp when npm package metadata was last resolved for this install record.",
   "plugins.installs.*.installedAt": "ISO timestamp of last install/update.",
+  "plugins.installs.*.marketplaceName":
+    "Marketplace display name recorded for marketplace-backed plugin installs (if available).",
+  "plugins.installs.*.marketplaceSource":
+    "Original marketplace source used to resolve the install (for example a repo path or Git URL).",
+  "plugins.installs.*.marketplacePlugin":
+    "Plugin entry name inside the source marketplace, used for later updates.",
   "agents.list.*.identity.avatar":
     "Agent avatar (workspace-relative path, http(s) URL, or data URI).",
   "agents.defaults.model.primary": "Primary model (provider/model).",
diff --git a/src/config/schema.labels.ts b/src/config/schema.labels.ts
index 6843b8f410f..9541ad3b10a 100644
--- a/src/config/schema.labels.ts
+++ b/src/config/schema.labels.ts
@@ -871,4 +871,7 @@ export const FIELD_LABELS: Record<string, string> = {
   "plugins.installs.*.shasum": "Plugin Resolved Shasum",
   "plugins.installs.*.resolvedAt": "Plugin Resolution Time",
   "plugins.installs.*.installedAt": "Plugin Install Time",
+  "plugins.installs.*.marketplaceName": "Plugin Marketplace Name",
+  "plugins.installs.*.marketplaceSource": "Plugin Marketplace Source",
+  "plugins.installs.*.marketplacePlugin": "Plugin Marketplace Plugin",
 };
diff --git a/src/config/types.plugins.ts b/src/config/types.plugins.ts
index 323946dd541..62d750b0470 100644
--- a/src/config/types.plugins.ts
+++ b/src/config/types.plugins.ts
@@ -19,7 +19,12 @@ export type PluginsLoadConfig = {
   paths?: string[];
 };
 
-export type PluginInstallRecord = InstallRecordBase;
+export type PluginInstallRecord = Omit<InstallRecordBase, "source"> & {
+  source: InstallRecordBase["source"] | "marketplace";
+  marketplaceName?: string;
+  marketplaceSource?: string;
+  marketplacePlugin?: string;
+};
 
 export type PluginsConfig = {
   /** Enable or disable plugin loading. */
diff --git a/src/config/zod-schema.installs.ts b/src/config/zod-schema.installs.ts
index 7853948a10c..7270e5c5d28 100644
--- a/src/config/zod-schema.installs.ts
+++ b/src/config/zod-schema.installs.ts
@@ -6,6 +6,8 @@ export const InstallSourceSchema = z.union([
   z.literal("path"),
 ]);
 
+export const PluginInstallSourceSchema = z.union([InstallSourceSchema, z.literal("marketplace")]);
+
 export const InstallRecordShape = {
   source: InstallSourceSchema,
   spec: z.string().optional(),
@@ -20,3 +22,11 @@ export const InstallRecordShape = {
   resolvedAt: z.string().optional(),
   installedAt: z.string().optional(),
 } as const;
+
+export const PluginInstallRecordShape = {
+  ...InstallRecordShape,
+  source: PluginInstallSourceSchema,
+  marketplaceName: z.string().optional(),
+  marketplaceSource: z.string().optional(),
+  marketplacePlugin: z.string().optional(),
+} as const;
diff --git a/src/config/zod-schema.ts b/src/config/zod-schema.ts
index 345c86b3097..d1bce17b575 100644
--- a/src/config/zod-schema.ts
+++ b/src/config/zod-schema.ts
@@ -11,7 +11,7 @@ import {
   SecretsConfigSchema,
 } from "./zod-schema.core.js";
 import { HookMappingSchema, HooksGmailSchema, InternalHooksSchema } from "./zod-schema.hooks.js";
-import { InstallRecordShape } from "./zod-schema.installs.js";
+import { PluginInstallRecordShape } from "./zod-schema.installs.js";
 import { ChannelsSchema } from "./zod-schema.providers.js";
 import { sensitive } from "./zod-schema.sensitive.js";
 import {
@@ -905,7 +905,7 @@ export const OpenClawSchema = z
             z.string(),
             z
               .object({
-                ...InstallRecordShape,
+                ...PluginInstallRecordShape,
               })
               .strict(),
           )
diff --git a/src/plugins/marketplace.test.ts b/src/plugins/marketplace.test.ts
new file mode 100644
index 00000000000..14d3bda0323
--- /dev/null
+++ b/src/plugins/marketplace.test.ts
@@ -0,0 +1,141 @@
+import fs from "node:fs/promises";
+import os from "node:os";
+import path from "node:path";
+import { afterEach, describe, expect, it, vi } from "vitest";
+import { withEnvAsync } from "../test-utils/env.js";
+
+const installPluginFromPathMock = vi.fn();
+
+vi.mock("./install.js", () => ({
+  installPluginFromPath: (...args: unknown[]) => installPluginFromPathMock(...args),
+}));
+
+async function withTempDir<T>(fn: (dir: string) => Promise<T>): Promise<T> {
+  const dir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-marketplace-test-"));
+  try {
+    return await fn(dir);
+  } finally {
+    await fs.rm(dir, { recursive: true, force: true });
+  }
+}
+
+describe("marketplace plugins", () => {
+  afterEach(() => {
+    installPluginFromPathMock.mockReset();
+  });
+
+  it("lists plugins from a local marketplace root", async () => {
+    await withTempDir(async (rootDir) => {
+      await fs.mkdir(path.join(rootDir, ".claude-plugin"), { recursive: true });
+      await fs.writeFile(
+        path.join(rootDir, ".claude-plugin", "marketplace.json"),
+        JSON.stringify({
+          name: "Example Marketplace",
+          version: "1.0.0",
+          plugins: [
+            {
+              name: "frontend-design",
+              version: "0.1.0",
+              description: "Design system bundle",
+              source: "./plugins/frontend-design",
+            },
+          ],
+        }),
+      );
+
+      const { listMarketplacePlugins } = await import("./marketplace.js");
+      const result = await listMarketplacePlugins({ marketplace: rootDir });
+      expect(result).toEqual({
+        ok: true,
+        sourceLabel: expect.stringContaining(".claude-plugin/marketplace.json"),
+        manifest: {
+          name: "Example Marketplace",
+          version: "1.0.0",
+          plugins: [
+            {
+              name: "frontend-design",
+              version: "0.1.0",
+              description: "Design system bundle",
+              source: { kind: "path", path: "./plugins/frontend-design" },
+            },
+          ],
+        },
+      });
+    });
+  });
+
+  it("resolves relative plugin paths against the marketplace root", async () => {
+    await withTempDir(async (rootDir) => {
+      const pluginDir = path.join(rootDir, "plugins", "frontend-design");
+      await fs.mkdir(path.join(rootDir, ".claude-plugin"), { recursive: true });
+      await fs.mkdir(pluginDir, { recursive: true });
+      await fs.writeFile(
+        path.join(rootDir, ".claude-plugin", "marketplace.json"),
+        JSON.stringify({
+          plugins: [
+            {
+              name: "frontend-design",
+              source: "./plugins/frontend-design",
+            },
+          ],
+        }),
+      );
+      installPluginFromPathMock.mockResolvedValue({
+        ok: true,
+        pluginId: "frontend-design",
+        targetDir: "/tmp/frontend-design",
+        version: "0.1.0",
+        extensions: ["index.ts"],
+      });
+
+      const { installPluginFromMarketplace } = await import("./marketplace.js");
+      const result = await installPluginFromMarketplace({
+        marketplace: path.join(rootDir, ".claude-plugin", "marketplace.json"),
+        plugin: "frontend-design",
+      });
+
+      expect(installPluginFromPathMock).toHaveBeenCalledWith(
+        expect.objectContaining({
+          path: pluginDir,
+        }),
+      );
+      expect(result).toMatchObject({
+        ok: true,
+        pluginId: "frontend-design",
+        marketplacePlugin: "frontend-design",
+        marketplaceSource: path.join(rootDir, ".claude-plugin", "marketplace.json"),
+      });
+    });
+  });
+
+  it("resolves Claude-style plugin@marketplace shortcuts from known_marketplaces.json", async () => {
+    await withTempDir(async (homeDir) => {
+      await fs.mkdir(path.join(homeDir, ".claude", "plugins"), { recursive: true });
+      await fs.writeFile(
+        path.join(homeDir, ".claude", "plugins", "known_marketplaces.json"),
+        JSON.stringify({
+          "claude-plugins-official": {
+            source: {
+              source: "github",
+              repo: "anthropics/claude-plugins-official",
+            },
+            installLocation: path.join(homeDir, ".claude", "plugins", "marketplaces", "official"),
+          },
+        }),
+      );
+
+      const { resolveMarketplaceInstallShortcut } = await import("./marketplace.js");
+      const shortcut = await withEnvAsync(
+        { HOME: homeDir },
+        async () => await resolveMarketplaceInstallShortcut("superpowers@claude-plugins-official"),
+      );
+
+      expect(shortcut).toEqual({
+        ok: true,
+        plugin: "superpowers",
+        marketplaceName: "claude-plugins-official",
+        marketplaceSource: "claude-plugins-official",
+      });
+    });
+  });
+});
diff --git a/src/plugins/marketplace.ts b/src/plugins/marketplace.ts
new file mode 100644
index 00000000000..4999c3c8828
--- /dev/null
+++ b/src/plugins/marketplace.ts
@@ -0,0 +1,832 @@
+import fs from "node:fs/promises";
+import os from "node:os";
+import path from "node:path";
+import { resolveArchiveKind } from "../infra/archive.js";
+import { runCommandWithTimeout } from "../process/exec.js";
+import { resolveUserPath } from "../utils.js";
+import { installPluginFromPath, type InstallPluginResult } from "./install.js";
+
+const DEFAULT_GIT_TIMEOUT_MS = 120_000;
+const MARKETPLACE_MANIFEST_CANDIDATES = [
+  path.join(".claude-plugin", "marketplace.json"),
+  "marketplace.json",
+] as const;
+const CLAUDE_KNOWN_MARKETPLACES_PATH = path.join(
+  "~",
+  ".claude",
+  "plugins",
+  "known_marketplaces.json",
+);
+
+type MarketplaceLogger = {
+  info?: (message: string) => void;
+  warn?: (message: string) => void;
+};
+
+type MarketplaceEntrySource =
+  | { kind: "path"; path: string }
+  | { kind: "github"; repo: string; path?: string; ref?: string }
+  | { kind: "git"; url: string; path?: string; ref?: string }
+  | { kind: "git-subdir"; url: string; path: string; ref?: string }
+  | { kind: "url"; url: string };
+
+export type MarketplacePluginEntry = {
+  name: string;
+  version?: string;
+  description?: string;
+  source: MarketplaceEntrySource;
+};
+
+export type MarketplaceManifest = {
+  name?: string;
+  version?: string;
+  plugins: MarketplacePluginEntry[];
+};
+
+type LoadedMarketplace = {
+  manifest: MarketplaceManifest;
+  rootDir: string;
+  sourceLabel: string;
+  cleanup?: () => Promise<void>;
+};
+
+type KnownMarketplaceRecord = {
+  installLocation?: string;
+  source?: unknown;
+};
+
+export type MarketplacePluginListResult =
+  | {
+      ok: true;
+      manifest: MarketplaceManifest;
+      sourceLabel: string;
+    }
+  | {
+      ok: false;
+      error: string;
+    };
+
+export type MarketplaceInstallResult =
+  | ({
+      ok: true;
+      marketplaceName?: string;
+      marketplaceVersion?: string;
+      marketplacePlugin: string;
+      marketplaceSource: string;
+      marketplaceEntryVersion?: string;
+    } & Extract<InstallPluginResult, { ok: true }>)
+  | Extract<InstallPluginResult, { ok: false }>;
+
+export type MarketplaceShortcutResolution =
+  | {
+      ok: true;
+      plugin: string;
+      marketplaceName: string;
+      marketplaceSource: string;
+    }
+  | {
+      ok: false;
+      error: string;
+    }
+  | null;
+
+function isHttpUrl(value: string): boolean {
+  return /^https?:\/\//i.test(value);
+}
+
+function isGitUrl(value: string): boolean {
+  return (
+    /^git@/i.test(value) || /^ssh:\/\//i.test(value) || /^https?:\/\/.+\.git(?:#.*)?$/i.test(value)
+  );
+}
+
+function looksLikeGitHubRepoShorthand(value: string): boolean {
+  return /^[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+(?:#.+)?$/.test(value.trim());
+}
+
+function splitRef(value: string): { base: string; ref?: string } {
+  const trimmed = value.trim();
+  const hashIndex = trimmed.lastIndexOf("#");
+  if (hashIndex <= 0 || hashIndex >= trimmed.length - 1) {
+    return { base: trimmed };
+  }
+  return {
+    base: trimmed.slice(0, hashIndex),
+    ref: trimmed.slice(hashIndex + 1).trim() || undefined,
+  };
+}
+
+function toOptionalString(value: unknown): string | undefined {
+  if (typeof value !== "string") {
+    return undefined;
+  }
+  const trimmed = value.trim();
+  return trimmed.length > 0 ? trimmed : undefined;
+}
+
+function normalizeEntrySource(
+  raw: unknown,
+): { ok: true; source: MarketplaceEntrySource } | { ok: false; error: string } {
+  if (typeof raw === "string") {
+    const trimmed = raw.trim();
+    if (!trimmed) {
+      return { ok: false, error: "empty plugin source" };
+    }
+    if (isHttpUrl(trimmed)) {
+      return { ok: true, source: { kind: "url", url: trimmed } };
+    }
+    return { ok: true, source: { kind: "path", path: trimmed } };
+  }
+
+  if (!raw || typeof raw !== "object") {
+    return { ok: false, error: "plugin source must be a string or object" };
+  }
+
+  const rec = raw as Record<string, unknown>;
+  const kind = toOptionalString(rec.type) ?? toOptionalString(rec.source);
+  if (!kind) {
+    return { ok: false, error: 'plugin source object missing "type" or "source"' };
+  }
+
+  if (kind === "path") {
+    const sourcePath = toOptionalString(rec.path);
+    if (!sourcePath) {
+      return { ok: false, error: 'path source missing "path"' };
+    }
+    return { ok: true, source: { kind: "path", path: sourcePath } };
+  }
+
+  if (kind === "github") {
+    const repo = toOptionalString(rec.repo) ?? toOptionalString(rec.url);
+    if (!repo) {
+      return { ok: false, error: 'github source missing "repo"' };
+    }
+    return {
+      ok: true,
+      source: {
+        kind: "github",
+        repo,
+        path: toOptionalString(rec.path),
+        ref: toOptionalString(rec.ref) ?? toOptionalString(rec.branch) ?? toOptionalString(rec.tag),
+      },
+    };
+  }
+
+  if (kind === "git") {
+    const url = toOptionalString(rec.url) ?? toOptionalString(rec.repo);
+    if (!url) {
+      return { ok: false, error: 'git source missing "url"' };
+    }
+    return {
+      ok: true,
+      source: {
+        kind: "git",
+        url,
+        path: toOptionalString(rec.path),
+        ref: toOptionalString(rec.ref) ?? toOptionalString(rec.branch) ?? toOptionalString(rec.tag),
+      },
+    };
+  }
+
+  if (kind === "git-subdir") {
+    const url = toOptionalString(rec.url) ?? toOptionalString(rec.repo);
+    const sourcePath = toOptionalString(rec.path) ?? toOptionalString(rec.subdir);
+    if (!url) {
+      return { ok: false, error: 'git-subdir source missing "url"' };
+    }
+    if (!sourcePath) {
+      return { ok: false, error: 'git-subdir source missing "path"' };
+    }
+    return {
+      ok: true,
+      source: {
+        kind: "git-subdir",
+        url,
+        path: sourcePath,
+        ref: toOptionalString(rec.ref) ?? toOptionalString(rec.branch) ?? toOptionalString(rec.tag),
+      },
+    };
+  }
+
+  if (kind === "url") {
+    const url = toOptionalString(rec.url);
+    if (!url) {
+      return { ok: false, error: 'url source missing "url"' };
+    }
+    return { ok: true, source: { kind: "url", url } };
+  }
+
+  return { ok: false, error: `unsupported plugin source kind: ${kind}` };
+}
+
+function marketplaceEntrySourceToInput(source: MarketplaceEntrySource): string {
+  switch (source.kind) {
+    case "path":
+      return source.path;
+    case "github":
+      return `${source.repo}${source.ref ? `#${source.ref}` : ""}`;
+    case "git":
+      return `${source.url}${source.ref ? `#${source.ref}` : ""}`;
+    case "git-subdir":
+      return `${source.url}${source.ref ? `#${source.ref}` : ""}`;
+    case "url":
+      return source.url;
+  }
+}
+
+function parseMarketplaceManifest(
+  raw: string,
+  sourceLabel: string,
+): { ok: true; manifest: MarketplaceManifest } | { ok: false; error: string } {
+  let parsed: unknown;
+  try {
+    parsed = JSON.parse(raw);
+  } catch (err) {
+    return { ok: false, error: `invalid marketplace JSON at ${sourceLabel}: ${String(err)}` };
+  }
+
+  if (!parsed || typeof parsed !== "object") {
+    return { ok: false, error: `invalid marketplace JSON at ${sourceLabel}: expected object` };
+  }
+
+  const rec = parsed as Record<string, unknown>;
+  if (!Array.isArray(rec.plugins)) {
+    return { ok: false, error: `invalid marketplace JSON at ${sourceLabel}: missing plugins[]` };
+  }
+
+  const plugins: MarketplacePluginEntry[] = [];
+  for (const entry of rec.plugins) {
+    if (!entry || typeof entry !== "object") {
+      return { ok: false, error: `invalid marketplace entry in ${sourceLabel}: expected object` };
+    }
+    const plugin = entry as Record<string, unknown>;
+    const name = toOptionalString(plugin.name);
+    if (!name) {
+      return { ok: false, error: `invalid marketplace entry in ${sourceLabel}: missing name` };
+    }
+    const normalizedSource = normalizeEntrySource(plugin.source);
+    if (!normalizedSource.ok) {
+      return {
+        ok: false,
+        error: `invalid marketplace entry "${name}" in ${sourceLabel}: ${normalizedSource.error}`,
+      };
+    }
+    plugins.push({
+      name,
+      version: toOptionalString(plugin.version),
+      description: toOptionalString(plugin.description),
+      source: normalizedSource.source,
+    });
+  }
+
+  return {
+    ok: true,
+    manifest: {
+      name: toOptionalString(rec.name),
+      version: toOptionalString(rec.version),
+      plugins,
+    },
+  };
+}
+
+async function pathExists(target: string): Promise<boolean> {
+  try {
+    await fs.access(target);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+async function readClaudeKnownMarketplaces(): Promise<Record<string, KnownMarketplaceRecord>> {
+  const knownPath = resolveUserPath(CLAUDE_KNOWN_MARKETPLACES_PATH);
+  if (!(await pathExists(knownPath))) {
+    return {};
+  }
+
+  let parsed: unknown;
+  try {
+    parsed = JSON.parse(await fs.readFile(knownPath, "utf-8"));
+  } catch {
+    return {};
+  }
+
+  if (!parsed || typeof parsed !== "object") {
+    return {};
+  }
+
+  const entries = parsed as Record<string, unknown>;
+  const result: Record<string, KnownMarketplaceRecord> = {};
+  for (const [name, value] of Object.entries(entries)) {
+    if (!value || typeof value !== "object") {
+      continue;
+    }
+    const record = value as Record<string, unknown>;
+    result[name] = {
+      installLocation: toOptionalString(record.installLocation),
+      source: record.source,
+    };
+  }
+  return result;
+}
+
+function deriveMarketplaceRootFromManifestPath(manifestPath: string): string {
+  const manifestDir = path.dirname(manifestPath);
+  return path.basename(manifestDir) === ".claude-plugin" ? path.dirname(manifestDir) : manifestDir;
+}
+
+async function resolveLocalMarketplaceSource(
+  input: string,
+): Promise<
+  { ok: true; rootDir: string; manifestPath: string } | { ok: false; error: string } | null
+> {
+  const resolved = resolveUserPath(input);
+  if (!(await pathExists(resolved))) {
+    return null;
+  }
+
+  const stat = await fs.stat(resolved);
+  if (stat.isFile()) {
+    return {
+      ok: true,
+      rootDir: deriveMarketplaceRootFromManifestPath(resolved),
+      manifestPath: resolved,
+    };
+  }
+
+  if (!stat.isDirectory()) {
+    return { ok: false, error: `unsupported marketplace source: ${resolved}` };
+  }
+
+  const rootDir = path.basename(resolved) === ".claude-plugin" ? path.dirname(resolved) : resolved;
+  for (const candidate of MARKETPLACE_MANIFEST_CANDIDATES) {
+    const manifestPath = path.join(rootDir, candidate);
+    if (await pathExists(manifestPath)) {
+      return { ok: true, rootDir, manifestPath };
+    }
+  }
+
+  return { ok: false, error: `marketplace manifest not found under ${resolved}` };
+}
+
+function normalizeGitCloneSource(
+  source: string,
+): { url: string; ref?: string; label: string } | null {
+  const split = splitRef(source);
+  if (looksLikeGitHubRepoShorthand(split.base)) {
+    return {
+      url: `https://github.com/${split.base}.git`,
+      ref: split.ref,
+      label: split.base,
+    };
+  }
+
+  if (isGitUrl(source)) {
+    return {
+      url: split.base,
+      ref: split.ref,
+      label: split.base,
+    };
+  }
+
+  if (isHttpUrl(source)) {
+    try {
+      const url = new URL(split.base);
+      if (url.hostname !== "github.com") {
+        return null;
+      }
+      const parts = url.pathname.replace(/\/+$/, "").split("/").filter(Boolean);
+      if (parts.length < 2) {
+        return null;
+      }
+      const repo = `${parts[0]}/${parts[1]?.replace(/\.git$/i, "")}`;
+      return {
+        url: `https://github.com/${repo}.git`,
+        ref: split.ref,
+        label: repo,
+      };
+    } catch {
+      return null;
+    }
+  }
+
+  return null;
+}
+
+async function cloneMarketplaceRepo(params: {
+  source: string;
+  timeoutMs?: number;
+  logger?: MarketplaceLogger;
+}): Promise<
+  | { ok: true; rootDir: string; cleanup: () => Promise<void>; label: string }
+  | { ok: false; error: string }
+> {
+  const normalized = normalizeGitCloneSource(params.source);
+  if (!normalized) {
+    return { ok: false, error: `unsupported marketplace source: ${params.source}` };
+  }
+
+  const tmpDir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-marketplace-"));
+  const repoDir = path.join(tmpDir, "repo");
+  const argv = ["git", "clone", "--depth", "1"];
+  if (normalized.ref) {
+    argv.push("--branch", normalized.ref);
+  }
+  argv.push(normalized.url, repoDir);
+  params.logger?.info?.(`Cloning marketplace source ${normalized.label}...`);
+  const res = await runCommandWithTimeout(argv, {
+    timeoutMs: params.timeoutMs ?? DEFAULT_GIT_TIMEOUT_MS,
+  });
+  if (res.code !== 0) {
+    await fs.rm(tmpDir, { recursive: true, force: true }).catch(() => undefined);
+    const detail = res.stderr.trim() || res.stdout.trim() || "git clone failed";
+    return {
+      ok: false,
+      error: `failed to clone marketplace source ${normalized.label}: ${detail}`,
+    };
+  }
+
+  return {
+    ok: true,
+    rootDir: repoDir,
+    label: normalized.label,
+    cleanup: async () => {
+      await fs.rm(tmpDir, { recursive: true, force: true }).catch(() => undefined);
+    },
+  };
+}
+
+async function loadMarketplace(params: {
+  source: string;
+  logger?: MarketplaceLogger;
+  timeoutMs?: number;
+}): Promise<{ ok: true; marketplace: LoadedMarketplace } | { ok: false; error: string }> {
+  const knownMarketplaces = await readClaudeKnownMarketplaces();
+  const known = knownMarketplaces[params.source];
+  if (known) {
+    if (known.installLocation) {
+      const local = await resolveLocalMarketplaceSource(known.installLocation);
+      if (local?.ok) {
+        const raw = await fs.readFile(local.manifestPath, "utf-8");
+        const parsed = parseMarketplaceManifest(raw, local.manifestPath);
+        if (!parsed.ok) {
+          return parsed;
+        }
+        return {
+          ok: true,
+          marketplace: {
+            manifest: parsed.manifest,
+            rootDir: local.rootDir,
+            sourceLabel: params.source,
+          },
+        };
+      }
+    }
+
+    const normalizedSource = normalizeEntrySource(known.source);
+    if (normalizedSource.ok) {
+      return await loadMarketplace({
+        source: marketplaceEntrySourceToInput(normalizedSource.source),
+        logger: params.logger,
+        timeoutMs: params.timeoutMs,
+      });
+    }
+  }
+
+  const local = await resolveLocalMarketplaceSource(params.source);
+  if (local?.ok === false) {
+    return local;
+  }
+
+  if (local?.ok) {
+    const raw = await fs.readFile(local.manifestPath, "utf-8");
+    const parsed = parseMarketplaceManifest(raw, local.manifestPath);
+    if (!parsed.ok) {
+      return parsed;
+    }
+    return {
+      ok: true,
+      marketplace: {
+        manifest: parsed.manifest,
+        rootDir: local.rootDir,
+        sourceLabel: local.manifestPath,
+      },
+    };
+  }
+
+  const cloned = await cloneMarketplaceRepo({
+    source: params.source,
+    timeoutMs: params.timeoutMs,
+    logger: params.logger,
+  });
+  if (!cloned.ok) {
+    return cloned;
+  }
+
+  let manifestPath: string | undefined;
+  for (const candidate of MARKETPLACE_MANIFEST_CANDIDATES) {
+    const next = path.join(cloned.rootDir, candidate);
+    if (await pathExists(next)) {
+      manifestPath = next;
+      break;
+    }
+  }
+  if (!manifestPath) {
+    await cloned.cleanup();
+    return { ok: false, error: `marketplace manifest not found in ${cloned.label}` };
+  }
+
+  const raw = await fs.readFile(manifestPath, "utf-8");
+  const parsed = parseMarketplaceManifest(raw, manifestPath);
+  if (!parsed.ok) {
+    await cloned.cleanup();
+    return parsed;
+  }
+
+  return {
+    ok: true,
+    marketplace: {
+      manifest: parsed.manifest,
+      rootDir: cloned.rootDir,
+      sourceLabel: cloned.label,
+      cleanup: cloned.cleanup,
+    },
+  };
+}
+
+async function downloadUrlToTempFile(url: string): Promise<
+  | {
+      ok: true;
+      path: string;
+      cleanup: () => Promise<void>;
+    }
+  | {
+      ok: false;
+      error: string;
+    }
+> {
+  const response = await fetch(url);
+  if (!response.ok) {
+    return { ok: false, error: `failed to download ${url}: HTTP ${response.status}` };
+  }
+
+  const pathname = new URL(url).pathname;
+  const fileName = path.basename(pathname) || "plugin.tgz";
+  const tmpDir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-marketplace-download-"));
+  const targetPath = path.join(tmpDir, fileName);
+  await fs.writeFile(targetPath, Buffer.from(await response.arrayBuffer()));
+  return {
+    ok: true,
+    path: targetPath,
+    cleanup: async () => {
+      await fs.rm(tmpDir, { recursive: true, force: true }).catch(() => undefined);
+    },
+  };
+}
+
+function ensureInsideMarketplaceRoot(
+  rootDir: string,
+  candidate: string,
+): { ok: true; path: string } | { ok: false; error: string } {
+  const resolved = path.resolve(rootDir, candidate);
+  const relative = path.relative(rootDir, resolved);
+  if (relative === ".." || relative.startsWith(`..${path.sep}`)) {
+    return {
+      ok: false,
+      error: `plugin source escapes marketplace root: ${candidate}`,
+    };
+  }
+  return { ok: true, path: resolved };
+}
+
+async function resolveMarketplaceEntryInstallPath(params: {
+  source: MarketplaceEntrySource;
+  marketplaceRootDir: string;
+  logger?: MarketplaceLogger;
+  timeoutMs?: number;
+}): Promise<
+  | {
+      ok: true;
+      path: string;
+      cleanup?: () => Promise<void>;
+    }
+  | {
+      ok: false;
+      error: string;
+    }
+> {
+  if (params.source.kind === "path") {
+    if (isHttpUrl(params.source.path)) {
+      if (resolveArchiveKind(params.source.path)) {
+        return await downloadUrlToTempFile(params.source.path);
+      }
+      return {
+        ok: false,
+        error: `unsupported remote plugin path source: ${params.source.path}`,
+      };
+    }
+    const resolved = path.isAbsolute(params.source.path)
+      ? { ok: true as const, path: params.source.path }
+      : ensureInsideMarketplaceRoot(params.marketplaceRootDir, params.source.path);
+    if (!resolved.ok) {
+      return resolved;
+    }
+    return { ok: true, path: resolved.path };
+  }
+
+  if (
+    params.source.kind === "github" ||
+    params.source.kind === "git" ||
+    params.source.kind === "git-subdir"
+  ) {
+    const sourceSpec =
+      params.source.kind === "github"
+        ? `${params.source.repo}${params.source.ref ? `#${params.source.ref}` : ""}`
+        : `${params.source.url}${params.source.ref ? `#${params.source.ref}` : ""}`;
+    const cloned = await cloneMarketplaceRepo({
+      source: sourceSpec,
+      timeoutMs: params.timeoutMs,
+      logger: params.logger,
+    });
+    if (!cloned.ok) {
+      return cloned;
+    }
+    const subPath =
+      params.source.kind === "github" || params.source.kind === "git"
+        ? params.source.path?.trim() || "."
+        : params.source.path.trim();
+    const target = ensureInsideMarketplaceRoot(cloned.rootDir, subPath);
+    if (!target.ok) {
+      await cloned.cleanup();
+      return target;
+    }
+    return {
+      ok: true,
+      path: target.path,
+      cleanup: cloned.cleanup,
+    };
+  }
+
+  if (resolveArchiveKind(params.source.url)) {
+    return await downloadUrlToTempFile(params.source.url);
+  }
+
+  if (!normalizeGitCloneSource(params.source.url)) {
+    return {
+      ok: false,
+      error: `unsupported URL plugin source: ${params.source.url}`,
+    };
+  }
+
+  const cloned = await cloneMarketplaceRepo({
+    source: params.source.url,
+    timeoutMs: params.timeoutMs,
+    logger: params.logger,
+  });
+  if (!cloned.ok) {
+    return cloned;
+  }
+  return {
+    ok: true,
+    path: cloned.rootDir,
+    cleanup: cloned.cleanup,
+  };
+}
+
+export async function listMarketplacePlugins(params: {
+  marketplace: string;
+  logger?: MarketplaceLogger;
+  timeoutMs?: number;
+}): Promise<MarketplacePluginListResult> {
+  const loaded = await loadMarketplace({
+    source: params.marketplace,
+    logger: params.logger,
+    timeoutMs: params.timeoutMs,
+  });
+  if (!loaded.ok) {
+    return loaded;
+  }
+  try {
+    return {
+      ok: true,
+      manifest: loaded.marketplace.manifest,
+      sourceLabel: loaded.marketplace.sourceLabel,
+    };
+  } finally {
+    await loaded.marketplace.cleanup?.();
+  }
+}
+
+export async function resolveMarketplaceInstallShortcut(
+  raw: string,
+): Promise<MarketplaceShortcutResolution> {
+  const trimmed = raw.trim();
+  const atIndex = trimmed.lastIndexOf("@");
+  if (atIndex <= 0 || atIndex >= trimmed.length - 1) {
+    return null;
+  }
+
+  const plugin = trimmed.slice(0, atIndex).trim();
+  const marketplaceName = trimmed.slice(atIndex + 1).trim();
+  if (!plugin || !marketplaceName || plugin.includes("/")) {
+    return null;
+  }
+
+  const knownMarketplaces = await readClaudeKnownMarketplaces();
+  const known = knownMarketplaces[marketplaceName];
+  if (!known) {
+    return null;
+  }
+
+  if (known.installLocation) {
+    return {
+      ok: true,
+      plugin,
+      marketplaceName,
+      marketplaceSource: marketplaceName,
+    };
+  }
+
+  const normalizedSource = normalizeEntrySource(known.source);
+  if (!normalizedSource.ok) {
+    return {
+      ok: false,
+      error: `known Claude marketplace "${marketplaceName}" has an invalid source: ${normalizedSource.error}`,
+    };
+  }
+
+  return {
+    ok: true,
+    plugin,
+    marketplaceName,
+    marketplaceSource: marketplaceName,
+  };
+}
+
+export async function installPluginFromMarketplace(params: {
+  marketplace: string;
+  plugin: string;
+  logger?: MarketplaceLogger;
+  timeoutMs?: number;
+  mode?: "install" | "update";
+  dryRun?: boolean;
+  expectedPluginId?: string;
+}): Promise<MarketplaceInstallResult> {
+  const loaded = await loadMarketplace({
+    source: params.marketplace,
+    logger: params.logger,
+    timeoutMs: params.timeoutMs,
+  });
+  if (!loaded.ok) {
+    return loaded;
+  }
+
+  let installCleanup: (() => Promise<void>) | undefined;
+  try {
+    const entry = loaded.marketplace.manifest.plugins.find(
+      (plugin) => plugin.name === params.plugin,
+    );
+    if (!entry) {
+      const known = loaded.marketplace.manifest.plugins.map((plugin) => plugin.name).toSorted();
+      return {
+        ok: false,
+        error:
+          `plugin "${params.plugin}" not found in marketplace ${loaded.marketplace.sourceLabel}` +
+          (known.length > 0 ? ` (available: ${known.join(", ")})` : ""),
+      };
+    }
+
+    const resolved = await resolveMarketplaceEntryInstallPath({
+      source: entry.source,
+      marketplaceRootDir: loaded.marketplace.rootDir,
+      logger: params.logger,
+      timeoutMs: params.timeoutMs,
+    });
+    if (!resolved.ok) {
+      return resolved;
+    }
+    installCleanup = resolved.cleanup;
+
+    const result = await installPluginFromPath({
+      path: resolved.path,
+      logger: params.logger,
+      mode: params.mode,
+      dryRun: params.dryRun,
+      expectedPluginId: params.expectedPluginId,
+    });
+    if (!result.ok) {
+      return result;
+    }
+    return {
+      ...result,
+      marketplaceName: loaded.marketplace.manifest.name,
+      marketplaceVersion: loaded.marketplace.manifest.version,
+      marketplacePlugin: entry.name,
+      marketplaceSource: params.marketplace,
+      marketplaceEntryVersion: entry.version,
+    };
+  } finally {
+    await installCleanup?.();
+    await loaded.marketplace.cleanup?.();
+  }
+}
diff --git a/src/plugins/update.test.ts b/src/plugins/update.test.ts
index 4d3b72ed65d..e3c21e8d7ef 100644
--- a/src/plugins/update.test.ts
+++ b/src/plugins/update.test.ts
@@ -1,6 +1,7 @@
 import { beforeEach, describe, expect, it, vi } from "vitest";
 
 const installPluginFromNpmSpecMock = vi.fn();
+const installPluginFromMarketplaceMock = vi.fn();
 const resolveBundledPluginSourcesMock = vi.fn();
 
 vi.mock("./install.js", () => ({
@@ -11,6 +12,10 @@ vi.mock("./install.js", () => ({
   },
 }));
 
+vi.mock("./marketplace.js", () => ({
+  installPluginFromMarketplace: (...args: unknown[]) => installPluginFromMarketplaceMock(...args),
+}));
+
 vi.mock("./bundled-sources.js", () => ({
   resolveBundledPluginSources: (...args: unknown[]) => resolveBundledPluginSourcesMock(...args),
 }));
@@ -18,6 +23,7 @@ vi.mock("./bundled-sources.js", () => ({
 describe("updateNpmInstalledPlugins", () => {
   beforeEach(() => {
     installPluginFromNpmSpecMock.mockReset();
+    installPluginFromMarketplaceMock.mockReset();
     resolveBundledPluginSourcesMock.mockReset();
   });
 
@@ -213,6 +219,95 @@ describe("updateNpmInstalledPlugins", () => {
     });
     expect(result.config.plugins?.installs?.["voice-call"]).toBeUndefined();
   });
+
+  it("checks marketplace installs during dry-run updates", async () => {
+    installPluginFromMarketplaceMock.mockResolvedValue({
+      ok: true,
+      pluginId: "claude-bundle",
+      targetDir: "/tmp/claude-bundle",
+      version: "1.2.0",
+      extensions: ["index.ts"],
+      marketplaceSource: "vincentkoc/claude-marketplace",
+      marketplacePlugin: "claude-bundle",
+    });
+
+    const { updateNpmInstalledPlugins } = await import("./update.js");
+    const result = await updateNpmInstalledPlugins({
+      config: {
+        plugins: {
+          installs: {
+            "claude-bundle": {
+              source: "marketplace",
+              marketplaceSource: "vincentkoc/claude-marketplace",
+              marketplacePlugin: "claude-bundle",
+              installPath: "/tmp/claude-bundle",
+            },
+          },
+        },
+      },
+      pluginIds: ["claude-bundle"],
+      dryRun: true,
+    });
+
+    expect(installPluginFromMarketplaceMock).toHaveBeenCalledWith(
+      expect.objectContaining({
+        marketplace: "vincentkoc/claude-marketplace",
+        plugin: "claude-bundle",
+        expectedPluginId: "claude-bundle",
+        dryRun: true,
+      }),
+    );
+    expect(result.outcomes).toEqual([
+      {
+        pluginId: "claude-bundle",
+        status: "updated",
+        currentVersion: undefined,
+        nextVersion: "1.2.0",
+        message: "Would update claude-bundle: unknown -> 1.2.0.",
+      },
+    ]);
+  });
+
+  it("updates marketplace installs and preserves source metadata", async () => {
+    installPluginFromMarketplaceMock.mockResolvedValue({
+      ok: true,
+      pluginId: "claude-bundle",
+      targetDir: "/tmp/claude-bundle",
+      version: "1.3.0",
+      extensions: ["index.ts"],
+      marketplaceName: "Vincent's Claude Plugins",
+      marketplaceSource: "vincentkoc/claude-marketplace",
+      marketplacePlugin: "claude-bundle",
+    });
+
+    const { updateNpmInstalledPlugins } = await import("./update.js");
+    const result = await updateNpmInstalledPlugins({
+      config: {
+        plugins: {
+          installs: {
+            "claude-bundle": {
+              source: "marketplace",
+              marketplaceName: "Vincent's Claude Plugins",
+              marketplaceSource: "vincentkoc/claude-marketplace",
+              marketplacePlugin: "claude-bundle",
+              installPath: "/tmp/claude-bundle",
+            },
+          },
+        },
+      },
+      pluginIds: ["claude-bundle"],
+    });
+
+    expect(result.changed).toBe(true);
+    expect(result.config.plugins?.installs?.["claude-bundle"]).toMatchObject({
+      source: "marketplace",
+      installPath: "/tmp/claude-bundle",
+      version: "1.3.0",
+      marketplaceName: "Vincent's Claude Plugins",
+      marketplaceSource: "vincentkoc/claude-marketplace",
+      marketplacePlugin: "claude-bundle",
+    });
+  });
 });
 
 describe("syncPluginsForUpdateChannel", () => {
diff --git a/src/plugins/update.ts b/src/plugins/update.ts
index af6434e84cc..83733159cac 100644
--- a/src/plugins/update.ts
+++ b/src/plugins/update.ts
@@ -12,6 +12,7 @@ import {
   resolvePluginInstallDir,
 } from "./install.js";
 import { buildNpmResolutionInstallFields, recordPluginInstall } from "./installs.js";
+import { installPluginFromMarketplace } from "./marketplace.js";
 
 export type PluginUpdateLogger = {
   info?: (message: string) => void;
@@ -70,6 +71,19 @@ function formatNpmInstallFailure(params: {
   return `Failed to ${params.phase} ${params.pluginId}: ${params.result.error}`;
 }
 
+function formatMarketplaceInstallFailure(params: {
+  pluginId: string;
+  marketplaceSource: string;
+  marketplacePlugin: string;
+  phase: "check" | "update";
+  error: string;
+}): string {
+  return (
+    `Failed to ${params.phase} ${params.pluginId}: ` +
+    `${params.error} (marketplace plugin ${params.marketplacePlugin} from ${params.marketplaceSource}).`
+  );
+}
+
 type InstallIntegrityDrift = {
   spec: string;
   expectedIntegrity: string;
@@ -306,7 +320,7 @@ export async function updateNpmInstalledPlugins(params: {
       continue;
     }
 
-    if (record.source !== "npm") {
+    if (record.source !== "npm" && record.source !== "marketplace") {
       outcomes.push({
         pluginId,
         status: "skipped",
@@ -315,7 +329,7 @@ export async function updateNpmInstalledPlugins(params: {
       continue;
     }
 
-    if (!record.spec) {
+    if (record.source === "npm" && !record.spec) {
       outcomes.push({
         pluginId,
         status: "skipped",
@@ -324,6 +338,18 @@ export async function updateNpmInstalledPlugins(params: {
       continue;
     }
 
+    if (
+      record.source === "marketplace" &&
+      (!record.marketplaceSource || !record.marketplacePlugin)
+    ) {
+      outcomes.push({
+        pluginId,
+        status: "skipped",
+        message: `Skipping "${pluginId}" (missing marketplace source metadata).`,
+      });
+      continue;
+    }
+
     let installPath: string;
     try {
       installPath = record.installPath ?? resolvePluginInstallDir(pluginId);
@@ -338,22 +364,34 @@ export async function updateNpmInstalledPlugins(params: {
     const currentVersion = await readInstalledPackageVersion(installPath);
 
     if (params.dryRun) {
-      let probe: Awaited<ReturnType<typeof installPluginFromNpmSpec>>;
+      let probe:
+        | Awaited<ReturnType<typeof installPluginFromNpmSpec>>
+        | Awaited<ReturnType<typeof installPluginFromMarketplace>>;
       try {
-        probe = await installPluginFromNpmSpec({
-          spec: record.spec,
-          mode: "update",
-          dryRun: true,
-          expectedPluginId: pluginId,
-          expectedIntegrity: expectedIntegrityForUpdate(record.spec, record.integrity),
-          onIntegrityDrift: createPluginUpdateIntegrityDriftHandler({
-            pluginId,
-            dryRun: true,
-            logger,
-            onIntegrityDrift: params.onIntegrityDrift,
-          }),
-          logger,
-        });
+        probe =
+          record.source === "npm"
+            ? await installPluginFromNpmSpec({
+                spec: record.spec!,
+                mode: "update",
+                dryRun: true,
+                expectedPluginId: pluginId,
+                expectedIntegrity: expectedIntegrityForUpdate(record.spec, record.integrity),
+                onIntegrityDrift: createPluginUpdateIntegrityDriftHandler({
+                  pluginId,
+                  dryRun: true,
+                  logger,
+                  onIntegrityDrift: params.onIntegrityDrift,
+                }),
+                logger,
+              })
+            : await installPluginFromMarketplace({
+                marketplace: record.marketplaceSource!,
+                plugin: record.marketplacePlugin!,
+                mode: "update",
+                dryRun: true,
+                expectedPluginId: pluginId,
+                logger,
+              });
       } catch (err) {
         outcomes.push({
           pluginId,
@@ -366,12 +404,21 @@ export async function updateNpmInstalledPlugins(params: {
         outcomes.push({
           pluginId,
           status: "error",
-          message: formatNpmInstallFailure({
-            pluginId,
-            spec: record.spec,
-            phase: "check",
-            result: probe,
-          }),
+          message:
+            record.source === "npm"
+              ? formatNpmInstallFailure({
+                  pluginId,
+                  spec: record.spec!,
+                  phase: "check",
+                  result: probe,
+                })
+              : formatMarketplaceInstallFailure({
+                  pluginId,
+                  marketplaceSource: record.marketplaceSource!,
+                  marketplacePlugin: record.marketplacePlugin!,
+                  phase: "check",
+                  error: probe.error,
+                }),
         });
         continue;
       }
@@ -398,21 +445,32 @@ export async function updateNpmInstalledPlugins(params: {
       continue;
     }
 
-    let result: Awaited<ReturnType<typeof installPluginFromNpmSpec>>;
+    let result:
+      | Awaited<ReturnType<typeof installPluginFromNpmSpec>>
+      | Awaited<ReturnType<typeof installPluginFromMarketplace>>;
     try {
-      result = await installPluginFromNpmSpec({
-        spec: record.spec,
-        mode: "update",
-        expectedPluginId: pluginId,
-        expectedIntegrity: expectedIntegrityForUpdate(record.spec, record.integrity),
-        onIntegrityDrift: createPluginUpdateIntegrityDriftHandler({
-          pluginId,
-          dryRun: false,
-          logger,
-          onIntegrityDrift: params.onIntegrityDrift,
-        }),
-        logger,
-      });
+      result =
+        record.source === "npm"
+          ? await installPluginFromNpmSpec({
+              spec: record.spec!,
+              mode: "update",
+              expectedPluginId: pluginId,
+              expectedIntegrity: expectedIntegrityForUpdate(record.spec, record.integrity),
+              onIntegrityDrift: createPluginUpdateIntegrityDriftHandler({
+                pluginId,
+                dryRun: false,
+                logger,
+                onIntegrityDrift: params.onIntegrityDrift,
+              }),
+              logger,
+            })
+          : await installPluginFromMarketplace({
+              marketplace: record.marketplaceSource!,
+              plugin: record.marketplacePlugin!,
+              mode: "update",
+              expectedPluginId: pluginId,
+              logger,
+            });
     } catch (err) {
       outcomes.push({
         pluginId,
@@ -425,12 +483,21 @@ export async function updateNpmInstalledPlugins(params: {
       outcomes.push({
         pluginId,
         status: "error",
-        message: formatNpmInstallFailure({
-          pluginId,
-          spec: record.spec,
-          phase: "update",
-          result: result,
-        }),
+        message:
+          record.source === "npm"
+            ? formatNpmInstallFailure({
+                pluginId,
+                spec: record.spec!,
+                phase: "update",
+                result: result,
+              })
+            : formatMarketplaceInstallFailure({
+                pluginId,
+                marketplaceSource: record.marketplaceSource!,
+                marketplacePlugin: record.marketplacePlugin!,
+                phase: "update",
+                error: result.error,
+              }),
       });
       continue;
     }
@@ -441,14 +508,30 @@ export async function updateNpmInstalledPlugins(params: {
     }
 
     const nextVersion = result.version ?? (await readInstalledPackageVersion(result.targetDir));
-    next = recordPluginInstall(next, {
-      pluginId: resolvedPluginId,
-      source: "npm",
-      spec: record.spec,
-      installPath: result.targetDir,
-      version: nextVersion,
-      ...buildNpmResolutionInstallFields(result.npmResolution),
-    });
+    if (record.source === "npm") {
+      next = recordPluginInstall(next, {
+        pluginId: resolvedPluginId,
+        source: "npm",
+        spec: record.spec,
+        installPath: result.targetDir,
+        version: nextVersion,
+        ...buildNpmResolutionInstallFields(result.npmResolution),
+      });
+    } else {
+      const marketplaceResult = result as Extract<
+        Awaited<ReturnType<typeof installPluginFromMarketplace>>,
+        { ok: true }
+      >;
+      next = recordPluginInstall(next, {
+        pluginId: resolvedPluginId,
+        source: "marketplace",
+        installPath: result.targetDir,
+        version: nextVersion,
+        marketplaceName: marketplaceResult.marketplaceName ?? record.marketplaceName,
+        marketplaceSource: record.marketplaceSource,
+        marketplacePlugin: record.marketplacePlugin,
+      });
+    }
     changed = true;
 
     const currentLabel = currentVersion ?? "unknown";

From 30c31d4efd2facab4dcb7e85263ea785294dc5f2 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Mon, 16 Mar 2026 01:36:39 -0700
Subject: [PATCH 128/133] UI: keep thinking helpers browser-safe

---
 src/auto-reply/thinking.shared.ts        | 226 +++++++++++++++++++++
 src/auto-reply/thinking.ts               | 239 ++++-------------------
 ui/src/ui/chat/slash-command-executor.ts |   2 +-
 3 files changed, 265 insertions(+), 202 deletions(-)
 create mode 100644 src/auto-reply/thinking.shared.ts

diff --git a/src/auto-reply/thinking.shared.ts b/src/auto-reply/thinking.shared.ts
new file mode 100644
index 00000000000..bbde5b90ce5
--- /dev/null
+++ b/src/auto-reply/thinking.shared.ts
@@ -0,0 +1,226 @@
+export type ThinkLevel = "off" | "minimal" | "low" | "medium" | "high" | "xhigh" | "adaptive";
+export type VerboseLevel = "off" | "on" | "full";
+export type NoticeLevel = "off" | "on" | "full";
+export type ElevatedLevel = "off" | "on" | "ask" | "full";
+export type ElevatedMode = "off" | "ask" | "full";
+export type ReasoningLevel = "off" | "on" | "stream";
+export type UsageDisplayLevel = "off" | "tokens" | "full";
+export type ThinkingCatalogEntry = {
+  provider: string;
+  id: string;
+  reasoning?: boolean;
+};
+
+const BASE_THINKING_LEVELS: ThinkLevel[] = ["off", "minimal", "low", "medium", "high", "adaptive"];
+
+export function normalizeProviderId(provider?: string | null): string {
+  if (!provider) {
+    return "";
+  }
+  const normalized = provider.trim().toLowerCase();
+  if (normalized === "z.ai" || normalized === "z-ai") {
+    return "zai";
+  }
+  if (normalized === "bedrock" || normalized === "aws-bedrock") {
+    return "amazon-bedrock";
+  }
+  return normalized;
+}
+
+export function isBinaryThinkingProvider(provider?: string | null): boolean {
+  return normalizeProviderId(provider) === "zai";
+}
+
+// Normalize user-provided thinking level strings to the canonical enum.
+export function normalizeThinkLevel(raw?: string | null): ThinkLevel | undefined {
+  if (!raw) {
+    return undefined;
+  }
+  const key = raw.trim().toLowerCase();
+  const collapsed = key.replace(/[\s_-]+/g, "");
+  if (collapsed === "adaptive" || collapsed === "auto") {
+    return "adaptive";
+  }
+  if (collapsed === "xhigh" || collapsed === "extrahigh") {
+    return "xhigh";
+  }
+  if (["off"].includes(key)) {
+    return "off";
+  }
+  if (["on", "enable", "enabled"].includes(key)) {
+    return "low";
+  }
+  if (["min", "minimal"].includes(key)) {
+    return "minimal";
+  }
+  if (["low", "thinkhard", "think-hard", "think_hard"].includes(key)) {
+    return "low";
+  }
+  if (["mid", "med", "medium", "thinkharder", "think-harder", "harder"].includes(key)) {
+    return "medium";
+  }
+  if (
+    ["high", "ultra", "ultrathink", "think-hard", "thinkhardest", "highest", "max"].includes(key)
+  ) {
+    return "high";
+  }
+  if (["think"].includes(key)) {
+    return "minimal";
+  }
+  return undefined;
+}
+
+export function listThinkingLevels(
+  _provider?: string | null,
+  _model?: string | null,
+): ThinkLevel[] {
+  return [...BASE_THINKING_LEVELS];
+}
+
+export function listThinkingLevelLabels(provider?: string | null, model?: string | null): string[] {
+  if (isBinaryThinkingProvider(provider)) {
+    return ["off", "on"];
+  }
+  return listThinkingLevels(provider, model);
+}
+
+export function formatThinkingLevels(
+  provider?: string | null,
+  model?: string | null,
+  separator = ", ",
+): string {
+  return listThinkingLevelLabels(provider, model).join(separator);
+}
+
+export function formatXHighModelHint(): string {
+  return "provider models that advertise xhigh reasoning";
+}
+
+export function resolveThinkingDefaultForModel(params: {
+  provider: string;
+  model: string;
+  catalog?: ThinkingCatalogEntry[];
+}): ThinkLevel {
+  const candidate = params.catalog?.find(
+    (entry) => entry.provider === params.provider && entry.id === params.model,
+  );
+  if (candidate?.reasoning) {
+    return "low";
+  }
+  return "off";
+}
+
+type OnOffFullLevel = "off" | "on" | "full";
+
+function normalizeOnOffFullLevel(raw?: string | null): OnOffFullLevel | undefined {
+  if (!raw) {
+    return undefined;
+  }
+  const key = raw.toLowerCase();
+  if (["off", "false", "no", "0"].includes(key)) {
+    return "off";
+  }
+  if (["full", "all", "everything"].includes(key)) {
+    return "full";
+  }
+  if (["on", "minimal", "true", "yes", "1"].includes(key)) {
+    return "on";
+  }
+  return undefined;
+}
+
+export function normalizeVerboseLevel(raw?: string | null): VerboseLevel | undefined {
+  return normalizeOnOffFullLevel(raw);
+}
+
+export function normalizeNoticeLevel(raw?: string | null): NoticeLevel | undefined {
+  return normalizeOnOffFullLevel(raw);
+}
+
+export function normalizeUsageDisplay(raw?: string | null): UsageDisplayLevel | undefined {
+  if (!raw) {
+    return undefined;
+  }
+  const key = raw.toLowerCase();
+  if (["off", "false", "no", "0", "disable", "disabled"].includes(key)) {
+    return "off";
+  }
+  if (["on", "true", "yes", "1", "enable", "enabled"].includes(key)) {
+    return "tokens";
+  }
+  if (["tokens", "token", "tok", "minimal", "min"].includes(key)) {
+    return "tokens";
+  }
+  if (["full", "session"].includes(key)) {
+    return "full";
+  }
+  return undefined;
+}
+
+export function resolveResponseUsageMode(raw?: string | null): UsageDisplayLevel {
+  return normalizeUsageDisplay(raw) ?? "off";
+}
+
+export function normalizeFastMode(raw?: string | boolean | null): boolean | undefined {
+  if (typeof raw === "boolean") {
+    return raw;
+  }
+  if (!raw) {
+    return undefined;
+  }
+  const key = raw.toLowerCase();
+  if (["off", "false", "no", "0", "disable", "disabled", "normal"].includes(key)) {
+    return false;
+  }
+  if (["on", "true", "yes", "1", "enable", "enabled", "fast"].includes(key)) {
+    return true;
+  }
+  return undefined;
+}
+
+export function normalizeElevatedLevel(raw?: string | null): ElevatedLevel | undefined {
+  if (!raw) {
+    return undefined;
+  }
+  const key = raw.toLowerCase();
+  if (["off", "false", "no", "0"].includes(key)) {
+    return "off";
+  }
+  if (["full", "auto", "auto-approve", "autoapprove"].includes(key)) {
+    return "full";
+  }
+  if (["ask", "prompt", "approval", "approve"].includes(key)) {
+    return "ask";
+  }
+  if (["on", "true", "yes", "1"].includes(key)) {
+    return "on";
+  }
+  return undefined;
+}
+
+export function resolveElevatedMode(level?: ElevatedLevel | null): ElevatedMode {
+  if (!level || level === "off") {
+    return "off";
+  }
+  if (level === "full") {
+    return "full";
+  }
+  return "ask";
+}
+
+export function normalizeReasoningLevel(raw?: string | null): ReasoningLevel | undefined {
+  if (!raw) {
+    return undefined;
+  }
+  const key = raw.toLowerCase();
+  if (["off", "false", "no", "0", "hide", "hidden", "disable", "disabled"].includes(key)) {
+    return "off";
+  }
+  if (["on", "true", "yes", "1", "show", "visible", "enable", "enabled"].includes(key)) {
+    return "on";
+  }
+  if (["stream", "streaming", "draft", "live"].includes(key)) {
+    return "stream";
+  }
+  return undefined;
+}
diff --git a/src/auto-reply/thinking.ts b/src/auto-reply/thinking.ts
index f43ca7bc34b..c83ce53b6f2 100644
--- a/src/auto-reply/thinking.ts
+++ b/src/auto-reply/thinking.ts
@@ -1,36 +1,39 @@
+import {
+  formatThinkingLevels as formatThinkingLevelsFallback,
+  isBinaryThinkingProvider as isBinaryThinkingProviderFallback,
+  listThinkingLevelLabels as listThinkingLevelLabelsFallback,
+  listThinkingLevels as listThinkingLevelsFallback,
+  normalizeProviderId,
+  resolveThinkingDefaultForModel as resolveThinkingDefaultForModelFallback,
+} from "./thinking.shared.js";
+export {
+  formatXHighModelHint,
+  normalizeElevatedLevel,
+  normalizeFastMode,
+  normalizeNoticeLevel,
+  normalizeReasoningLevel,
+  normalizeThinkLevel,
+  normalizeUsageDisplay,
+  normalizeVerboseLevel,
+  resolveResponseUsageMode,
+  resolveElevatedMode,
+} from "./thinking.shared.js";
+export type {
+  ElevatedLevel,
+  ElevatedMode,
+  NoticeLevel,
+  ReasoningLevel,
+  ThinkLevel,
+  ThinkingCatalogEntry,
+  UsageDisplayLevel,
+  VerboseLevel,
+} from "./thinking.shared.js";
 import {
   resolveProviderBinaryThinking,
   resolveProviderDefaultThinkingLevel,
   resolveProviderXHighThinking,
 } from "../plugins/provider-runtime.js";
 
-export type ThinkLevel = "off" | "minimal" | "low" | "medium" | "high" | "xhigh" | "adaptive";
-export type VerboseLevel = "off" | "on" | "full";
-export type NoticeLevel = "off" | "on" | "full";
-export type ElevatedLevel = "off" | "on" | "ask" | "full";
-export type ElevatedMode = "off" | "ask" | "full";
-export type ReasoningLevel = "off" | "on" | "stream";
-export type UsageDisplayLevel = "off" | "tokens" | "full";
-export type ThinkingCatalogEntry = {
-  provider: string;
-  id: string;
-  reasoning?: boolean;
-};
-
-function normalizeProviderId(provider?: string | null): string {
-  if (!provider) {
-    return "";
-  }
-  const normalized = provider.trim().toLowerCase();
-  if (normalized === "z.ai" || normalized === "z-ai") {
-    return "zai";
-  }
-  if (normalized === "bedrock" || normalized === "aws-bedrock") {
-    return "amazon-bedrock";
-  }
-  return normalized;
-}
-
 export function isBinaryThinkingProvider(provider?: string | null, model?: string | null): boolean {
   const normalizedProvider = normalizeProviderId(provider);
   if (!normalizedProvider) {
@@ -47,46 +50,7 @@ export function isBinaryThinkingProvider(provider?: string | null, model?: strin
   if (typeof pluginDecision === "boolean") {
     return pluginDecision;
   }
-  return false;
-}
-
-// Normalize user-provided thinking level strings to the canonical enum.
-export function normalizeThinkLevel(raw?: string | null): ThinkLevel | undefined {
-  if (!raw) {
-    return undefined;
-  }
-  const key = raw.trim().toLowerCase();
-  const collapsed = key.replace(/[\s_-]+/g, "");
-  if (collapsed === "adaptive" || collapsed === "auto") {
-    return "adaptive";
-  }
-  if (collapsed === "xhigh" || collapsed === "extrahigh") {
-    return "xhigh";
-  }
-  if (["off"].includes(key)) {
-    return "off";
-  }
-  if (["on", "enable", "enabled"].includes(key)) {
-    return "low";
-  }
-  if (["min", "minimal"].includes(key)) {
-    return "minimal";
-  }
-  if (["low", "thinkhard", "think-hard", "think_hard"].includes(key)) {
-    return "low";
-  }
-  if (["mid", "med", "medium", "thinkharder", "think-harder", "harder"].includes(key)) {
-    return "medium";
-  }
-  if (
-    ["high", "ultra", "ultrathink", "think-hard", "thinkhardest", "highest", "max"].includes(key)
-  ) {
-    return "high";
-  }
-  if (["think"].includes(key)) {
-    return "minimal";
-  }
-  return undefined;
+  return isBinaryThinkingProviderFallback(provider, model);
 }
 
 export function supportsXHighThinking(provider?: string | null, model?: string | null): boolean {
@@ -111,11 +75,10 @@ export function supportsXHighThinking(provider?: string | null, model?: string |
 }
 
 export function listThinkingLevels(provider?: string | null, model?: string | null): ThinkLevel[] {
-  const levels: ThinkLevel[] = ["off", "minimal", "low", "medium", "high"];
+  const levels = listThinkingLevelsFallback(provider, model);
   if (supportsXHighThinking(provider, model)) {
-    levels.push("xhigh");
+    levels.splice(levels.length - 1, 0, "xhigh");
   }
-  levels.push("adaptive");
   return levels;
 }
 
@@ -123,7 +86,7 @@ export function listThinkingLevelLabels(provider?: string | null, model?: string
   if (isBinaryThinkingProvider(provider, model)) {
     return ["off", "on"];
   }
-  return listThinkingLevels(provider, model);
+  return listThinkingLevelLabelsFallback(provider, model);
 }
 
 export function formatThinkingLevels(
@@ -131,11 +94,9 @@ export function formatThinkingLevels(
   model?: string | null,
   separator = ", ",
 ): string {
-  return listThinkingLevelLabels(provider, model).join(separator);
-}
-
-export function formatXHighModelHint(): string {
-  return "provider models that advertise xhigh reasoning";
+  return supportsXHighThinking(provider, model)
+    ? listThinkingLevelLabels(provider, model).join(separator)
+    : formatThinkingLevelsFallback(provider, model, separator);
 }
 
 export function resolveThinkingDefaultForModel(params: {
@@ -158,129 +119,5 @@ export function resolveThinkingDefaultForModel(params: {
   if (pluginDecision) {
     return pluginDecision;
   }
-  if (candidate?.reasoning) {
-    return "low";
-  }
-  return "off";
-}
-
-type OnOffFullLevel = "off" | "on" | "full";
-
-function normalizeOnOffFullLevel(raw?: string | null): OnOffFullLevel | undefined {
-  if (!raw) {
-    return undefined;
-  }
-  const key = raw.toLowerCase();
-  if (["off", "false", "no", "0"].includes(key)) {
-    return "off";
-  }
-  if (["full", "all", "everything"].includes(key)) {
-    return "full";
-  }
-  if (["on", "minimal", "true", "yes", "1"].includes(key)) {
-    return "on";
-  }
-  return undefined;
-}
-
-// Normalize verbose flags used to toggle agent verbosity.
-export function normalizeVerboseLevel(raw?: string | null): VerboseLevel | undefined {
-  return normalizeOnOffFullLevel(raw);
-}
-
-// Normalize system notice flags used to toggle system notifications.
-export function normalizeNoticeLevel(raw?: string | null): NoticeLevel | undefined {
-  return normalizeOnOffFullLevel(raw);
-}
-
-// Normalize response-usage display modes used to toggle per-response usage footers.
-export function normalizeUsageDisplay(raw?: string | null): UsageDisplayLevel | undefined {
-  if (!raw) {
-    return undefined;
-  }
-  const key = raw.toLowerCase();
-  if (["off", "false", "no", "0", "disable", "disabled"].includes(key)) {
-    return "off";
-  }
-  if (["on", "true", "yes", "1", "enable", "enabled"].includes(key)) {
-    return "tokens";
-  }
-  if (["tokens", "token", "tok", "minimal", "min"].includes(key)) {
-    return "tokens";
-  }
-  if (["full", "session"].includes(key)) {
-    return "full";
-  }
-  return undefined;
-}
-
-export function resolveResponseUsageMode(raw?: string | null): UsageDisplayLevel {
-  return normalizeUsageDisplay(raw) ?? "off";
-}
-
-// Normalize fast-mode flags used to toggle low-latency model behavior.
-export function normalizeFastMode(raw?: string | boolean | null): boolean | undefined {
-  if (typeof raw === "boolean") {
-    return raw;
-  }
-  if (!raw) {
-    return undefined;
-  }
-  const key = raw.toLowerCase();
-  if (["off", "false", "no", "0", "disable", "disabled", "normal"].includes(key)) {
-    return false;
-  }
-  if (["on", "true", "yes", "1", "enable", "enabled", "fast"].includes(key)) {
-    return true;
-  }
-  return undefined;
-}
-
-// Normalize elevated flags used to toggle elevated bash permissions.
-export function normalizeElevatedLevel(raw?: string | null): ElevatedLevel | undefined {
-  if (!raw) {
-    return undefined;
-  }
-  const key = raw.toLowerCase();
-  if (["off", "false", "no", "0"].includes(key)) {
-    return "off";
-  }
-  if (["full", "auto", "auto-approve", "autoapprove"].includes(key)) {
-    return "full";
-  }
-  if (["ask", "prompt", "approval", "approve"].includes(key)) {
-    return "ask";
-  }
-  if (["on", "true", "yes", "1"].includes(key)) {
-    return "on";
-  }
-  return undefined;
-}
-
-export function resolveElevatedMode(level?: ElevatedLevel | null): ElevatedMode {
-  if (!level || level === "off") {
-    return "off";
-  }
-  if (level === "full") {
-    return "full";
-  }
-  return "ask";
-}
-
-// Normalize reasoning visibility flags used to toggle reasoning exposure.
-export function normalizeReasoningLevel(raw?: string | null): ReasoningLevel | undefined {
-  if (!raw) {
-    return undefined;
-  }
-  const key = raw.toLowerCase();
-  if (["off", "false", "no", "0", "hide", "hidden", "disable", "disabled"].includes(key)) {
-    return "off";
-  }
-  if (["on", "true", "yes", "1", "show", "visible", "enable", "enabled"].includes(key)) {
-    return "on";
-  }
-  if (["stream", "streaming", "draft", "live"].includes(key)) {
-    return "stream";
-  }
-  return undefined;
+  return resolveThinkingDefaultForModelFallback(params);
 }
diff --git a/ui/src/ui/chat/slash-command-executor.ts b/ui/src/ui/chat/slash-command-executor.ts
index 1db10dd93d6..b1d06d5e2b2 100644
--- a/ui/src/ui/chat/slash-command-executor.ts
+++ b/ui/src/ui/chat/slash-command-executor.ts
@@ -9,7 +9,7 @@ import {
   normalizeThinkLevel,
   normalizeVerboseLevel,
   resolveThinkingDefaultForModel,
-} from "../../../../src/auto-reply/thinking.js";
+} from "../../../../src/auto-reply/thinking.shared.js";
 import {
   DEFAULT_AGENT_ID,
   DEFAULT_MAIN_KEY,

From c06101b8adad665347ed3cd3f141c6bf94b5062f Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Mon, 16 Mar 2026 01:47:44 -0700
Subject: [PATCH 129/133] Infra: restore check after gaxios compat

---
 package.json                                  |  1 +
 pnpm-lock.yaml                                |  5 +++++
 src/auto-reply/thinking.ts                    |  3 ++-
 src/infra/bonjour.ts                          |  2 +-
 .../contracts/auth-choice.contract.test.ts    | 21 ++++++++++++-------
 5 files changed, 23 insertions(+), 9 deletions(-)

diff --git a/package.json b/package.json
index 0a345f172a0..f85bdb6e463 100644
--- a/package.json
+++ b/package.json
@@ -382,6 +382,7 @@
     "dotenv": "^17.3.1",
     "express": "^5.2.1",
     "file-type": "^21.3.2",
+    "gaxios": "^7.1.3",
     "grammy": "^1.41.1",
     "hono": "4.12.7",
     "https-proxy-agent": "^8.0.0",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index a8168f1b74d..90ebda912b0 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -125,6 +125,9 @@ importers:
       file-type:
         specifier: 21.3.2
         version: 21.3.2
+      gaxios:
+        specifier: ^7.1.3
+        version: 7.1.3
       grammy:
         specifier: ^1.41.1
         version: 1.41.1
@@ -271,6 +274,8 @@ importers:
         specifier: 0.3.0
         version: 0.3.0(zod@4.3.6)
 
+  extensions/amazon-bedrock: {}
+
   extensions/anthropic: {}
 
   extensions/bluebubbles:
diff --git a/src/auto-reply/thinking.ts b/src/auto-reply/thinking.ts
index c83ce53b6f2..1f2f1738b1f 100644
--- a/src/auto-reply/thinking.ts
+++ b/src/auto-reply/thinking.ts
@@ -6,6 +6,7 @@ import {
   normalizeProviderId,
   resolveThinkingDefaultForModel as resolveThinkingDefaultForModelFallback,
 } from "./thinking.shared.js";
+import type { ThinkLevel, ThinkingCatalogEntry } from "./thinking.shared.js";
 export {
   formatXHighModelHint,
   normalizeElevatedLevel,
@@ -50,7 +51,7 @@ export function isBinaryThinkingProvider(provider?: string | null, model?: strin
   if (typeof pluginDecision === "boolean") {
     return pluginDecision;
   }
-  return isBinaryThinkingProviderFallback(provider, model);
+  return isBinaryThinkingProviderFallback(provider);
 }
 
 export function supportsXHighThinking(provider?: string | null, model?: string | null): boolean {
diff --git a/src/infra/bonjour.ts b/src/infra/bonjour.ts
index c99d45d85f4..457853a9b45 100644
--- a/src/infra/bonjour.ts
+++ b/src/infra/bonjour.ts
@@ -185,7 +185,7 @@ export async function startGatewayBonjourAdvertiser(
     if (!cycle) {
       return;
     }
-    const responder = cycle.responder as {
+    const responder = cycle.responder as unknown as {
       advertiseService?: (...args: unknown[]) => unknown;
       announce?: (...args: unknown[]) => unknown;
       probe?: (...args: unknown[]) => unknown;
diff --git a/src/plugins/contracts/auth-choice.contract.test.ts b/src/plugins/contracts/auth-choice.contract.test.ts
index 6ffa2a22055..fa4f4daa0ad 100644
--- a/src/plugins/contracts/auth-choice.contract.test.ts
+++ b/src/plugins/contracts/auth-choice.contract.test.ts
@@ -14,13 +14,20 @@ import {
 import { createCapturedPluginRegistration } from "../../test-utils/plugin-registration.js";
 import type { OpenClawPluginApi, ProviderPlugin } from "../types.js";
 
+type ResolvePluginProviders =
+  typeof import("../../commands/auth-choice.apply.plugin-provider.runtime.js").resolvePluginProviders;
+type ResolveProviderPluginChoice =
+  typeof import("../../commands/auth-choice.apply.plugin-provider.runtime.js").resolveProviderPluginChoice;
+type RunProviderModelSelectedHook =
+  typeof import("../../commands/auth-choice.apply.plugin-provider.runtime.js").runProviderModelSelectedHook;
+
 const loginQwenPortalOAuthMock = vi.hoisted(() => vi.fn());
 const githubCopilotLoginCommandMock = vi.hoisted(() => vi.fn());
-const resolvePluginProvidersMock = vi.hoisted(() => vi.fn<() => ProviderPlugin[]>(() => []));
-const resolveProviderPluginChoiceMock = vi.hoisted(() =>
-  vi.fn<() => { provider: ProviderPlugin; method: ProviderPlugin["auth"][number] } | null>(),
+const resolvePluginProvidersMock = vi.hoisted(() => vi.fn<ResolvePluginProviders>(() => []));
+const resolveProviderPluginChoiceMock = vi.hoisted(() => vi.fn<ResolveProviderPluginChoice>());
+const runProviderModelSelectedHookMock = vi.hoisted(() =>
+  vi.fn<RunProviderModelSelectedHook>(async () => {}),
 );
-const runProviderModelSelectedHookMock = vi.hoisted(() => vi.fn(async () => {}));
 
 vi.mock("../../../extensions/qwen-portal-auth/oauth.js", () => ({
   loginQwenPortalOAuth: loginQwenPortalOAuthMock,
@@ -31,9 +38,9 @@ vi.mock("../../providers/github-copilot-auth.js", () => ({
 }));
 
 vi.mock("../../commands/auth-choice.apply.plugin-provider.runtime.js", () => ({
-  resolvePluginProviders: (...args: unknown[]) => resolvePluginProvidersMock(...args),
-  resolveProviderPluginChoice: (...args: unknown[]) => resolveProviderPluginChoiceMock(...args),
-  runProviderModelSelectedHook: (...args: unknown[]) => runProviderModelSelectedHookMock(...args),
+  resolvePluginProviders: resolvePluginProvidersMock,
+  resolveProviderPluginChoice: resolveProviderPluginChoiceMock,
+  runProviderModelSelectedHook: runProviderModelSelectedHookMock,
 }));
 
 type StoredAuthProfile = {

From c9423dce1ebc3e3e8df729d59618287be0b5d3c0 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Mon, 16 Mar 2026 01:49:04 -0700
Subject: [PATCH 130/133] Docs: refresh generated config baseline

---
 docs/.generated/config-baseline.json  | 69 +++++++++++++++++++++++++++
 docs/.generated/config-baseline.jsonl |  7 ++-
 2 files changed, 75 insertions(+), 1 deletion(-)

diff --git a/docs/.generated/config-baseline.json b/docs/.generated/config-baseline.json
index c976fbac1af..bf67b685710 100644
--- a/docs/.generated/config-baseline.json
+++ b/docs/.generated/config-baseline.json
@@ -44995,6 +44995,75 @@
       "help": "Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.",
       "hasChildren": false
     },
+    {
+      "path": "plugins.entries.amazon-bedrock",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/amazon-bedrock-provider",
+      "help": "OpenClaw Amazon Bedrock provider plugin (plugin: amazon-bedrock)",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.amazon-bedrock.config",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "@openclaw/amazon-bedrock-provider Config",
+      "help": "Plugin-defined config payload for amazon-bedrock.",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.amazon-bedrock.enabled",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Enable @openclaw/amazon-bedrock-provider",
+      "hasChildren": false
+    },
+    {
+      "path": "plugins.entries.amazon-bedrock.hooks",
+      "kind": "plugin",
+      "type": "object",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "advanced"
+      ],
+      "label": "Plugin Hook Policy",
+      "help": "Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.",
+      "hasChildren": true
+    },
+    {
+      "path": "plugins.entries.amazon-bedrock.hooks.allowPromptInjection",
+      "kind": "plugin",
+      "type": "boolean",
+      "required": false,
+      "deprecated": false,
+      "sensitive": false,
+      "tags": [
+        "access"
+      ],
+      "label": "Allow Prompt Injection Hooks",
+      "help": "Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.",
+      "hasChildren": false
+    },
     {
       "path": "plugins.entries.anthropic",
       "kind": "plugin",
diff --git a/docs/.generated/config-baseline.jsonl b/docs/.generated/config-baseline.jsonl
index 522e41beb37..34c4f9d5378 100644
--- a/docs/.generated/config-baseline.jsonl
+++ b/docs/.generated/config-baseline.jsonl
@@ -1,4 +1,4 @@
-{"generatedBy":"scripts/generate-config-doc-baseline.ts","recordType":"meta","totalPaths":5094}
+{"generatedBy":"scripts/generate-config-doc-baseline.ts","recordType":"meta","totalPaths":5098}
 {"recordType":"path","path":"acp","kind":"core","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"ACP","help":"ACP runtime controls for enabling dispatch, selecting backends, constraining allowed agent targets, and tuning streamed turn projection behavior.","hasChildren":true}
 {"recordType":"path","path":"acp.allowedAgents","kind":"core","type":"array","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"ACP Allowed Agents","help":"Allowlist of ACP target agent ids permitted for ACP runtime sessions. Empty means no additional allowlist restriction.","hasChildren":true}
 {"recordType":"path","path":"acp.allowedAgents.*","kind":"core","type":"string","required":false,"deprecated":false,"sensitive":false,"tags":[],"hasChildren":false}
@@ -3986,6 +3986,11 @@
 {"recordType":"path","path":"plugins.entries.acpx.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable ACPX Runtime","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.acpx.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
 {"recordType":"path","path":"plugins.entries.acpx.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.amazon-bedrock","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/amazon-bedrock-provider","help":"OpenClaw Amazon Bedrock provider plugin (plugin: amazon-bedrock)","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.amazon-bedrock.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/amazon-bedrock-provider Config","help":"Plugin-defined config payload for amazon-bedrock.","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.amazon-bedrock.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/amazon-bedrock-provider","hasChildren":false}
+{"recordType":"path","path":"plugins.entries.amazon-bedrock.hooks","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Plugin Hook Policy","help":"Per-plugin typed hook policy controls for core-enforced safety gates. Use this to constrain high-impact hook categories without disabling the entire plugin.","hasChildren":true}
+{"recordType":"path","path":"plugins.entries.amazon-bedrock.hooks.allowPromptInjection","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["access"],"label":"Allow Prompt Injection Hooks","help":"Controls whether this plugin may mutate prompts through typed hooks. Set false to block `before_prompt_build` and ignore prompt-mutating fields from legacy `before_agent_start`, while preserving legacy `modelOverride` and `providerOverride` behavior.","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.anthropic","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/anthropic-provider","help":"OpenClaw Anthropic provider plugin (plugin: anthropic)","hasChildren":true}
 {"recordType":"path","path":"plugins.entries.anthropic.config","kind":"plugin","type":"object","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"@openclaw/anthropic-provider Config","help":"Plugin-defined config payload for anthropic.","hasChildren":false}
 {"recordType":"path","path":"plugins.entries.anthropic.enabled","kind":"plugin","type":"boolean","required":false,"deprecated":false,"sensitive":false,"tags":["advanced"],"label":"Enable @openclaw/anthropic-provider","hasChildren":false}

From 43c156e43b060870ce5d0157f5a28e050914bcea Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Mar 2026 08:50:10 +0000
Subject: [PATCH 131/133] docs: reorder unreleased changelog entries

---
 CHANGELOG.md | 134 +++++++++++++++++++++++++--------------------------
 1 file changed, 66 insertions(+), 68 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 821451053bf..df03ad8fc5d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,27 +6,27 @@ Docs: https://docs.openclaw.ai
 
 ### Changes
 
-- Android/mobile: add a system-aware dark theme across onboarding and post-onboarding screens so the app follows the device theme through setup, chat, and voice flows. (#46249) Thanks @sibbl.
 - Commands/btw: add `/btw` side questions for quick tool-less answers about the current session without changing future session context, with dismissible in-session TUI answers and explicit BTW replies on external channels. (#45444) Thanks @ngutman.
-- Gateway/health monitor: add configurable stale-event thresholds and restart limits, plus per-channel and per-account `healthMonitor.enabled` overrides, while keeping the existing global disable path on `gateway.channelHealthCheckMinutes=0`. (#42107) Thanks @rstar327.
-- Feishu/cards: add identity-aware structured card headers and note footers for Feishu replies and direct sends, while keeping that presentation wired through the shared outbound identity path. (#29938) Thanks @nszhsl.
-- Feishu/streaming: add `onReasoningStream` and `onReasoningEnd` support to streaming cards, so `/reasoning stream` renders thinking tokens as markdown blockquotes in the same card — matching the Telegram channel's reasoning lane behavior. (#46029)
-- Web tools/Firecrawl: add Firecrawl as an `onboard`/configure search provider via a bundled plugin, expose explicit `firecrawl_search` and `firecrawl_scrape` tools, and align core `web_fetch` fallback behavior with Firecrawl base-URL/env fallback plus guarded endpoint fetches.
-- Refactor/channels: remove the legacy channel shim directories and point channel-specific imports directly at the extension-owned implementations. (#45967) thanks @scoootscooob.
-- Android/nodes: add `callLog.search` plus shared Call Log permission wiring so Android nodes can search recent call history through the gateway. (#44073) Thanks @lxk7280.
-- Docs/Zalo: clarify the Marketplace-bot support matrix and config guidance so the Zalo channel docs match current Bot Creator behavior more closely. (#47552) Thanks @No898.
-- Install/update: allow package-manager installs from GitHub `main` via `openclaw update --tag main`, installer `--version main`, or direct npm/pnpm git specs.
-- Plugins/providers: move OpenRouter, GitHub Copilot, and OpenAI Codex provider/runtime logic into bundled plugins, including dynamic model fallback, runtime auth exchange, stream wrappers, capability hints, and cache-TTL policy.
-- Plugins/MiniMax: merge the bundled MiniMax API and MiniMax OAuth plugin surfaces into a single default-on `minimax` plugin, while keeping legacy `minimax-portal-auth` config ids aliased for compatibility.
-- Plugins/bundles: add compatible Codex, Claude, and Cursor bundle discovery/install support, map bundle skills into OpenClaw skills, and apply Claude bundle `settings.json` defaults to embedded Pi with shell overrides sanitized.
-- Plugins/agent integrations: broaden the plugin surface for app-server integrations with channel-aware commands, interactive callbacks, inbound claims, and Discord/Telegram conversation binding support. (#45318) Thanks @huntharo and @vincentkoc.
-- Telegram/actions: add `topic-edit` for forum-topic renames and icon updates while sharing the same Telegram topic-edit transport used by the plugin runtime. (#47798) Thanks @obviyus.
-- secrets: harden read-only SecretRef command paths and diagnostics. (#47794) Thanks @joshavant.
 - Sandbox/runtime: add pluggable sandbox backends, ship an OpenShell backend with `mirror` and `remote` workspace modes, and make sandbox list/recreate/prune backend-aware instead of Docker-only.
 - Sandbox/SSH: add a core SSH sandbox backend with secret-backed key, certificate, and known_hosts inputs, move shared remote exec/filesystem tooling into core, and keep OpenShell focused on sandbox lifecycle plus optional `mirror` mode.
-- Feishu/cards: add structured interactive approval and quick-action launcher cards, preserve callback user and conversation context through routing, and keep legacy card-action fallback behavior so common actions can run without typing raw commands. (#47873)
+- Web tools/Firecrawl: add Firecrawl as an `onboard`/configure search provider via a bundled plugin, expose explicit `firecrawl_search` and `firecrawl_scrape` tools, and align core `web_fetch` fallback behavior with Firecrawl base-URL/env fallback plus guarded endpoint fetches.
+- Plugins/bundles: add compatible Codex, Claude, and Cursor bundle discovery/install support, map bundle skills into OpenClaw skills, and apply Claude bundle `settings.json` defaults to embedded Pi with shell overrides sanitized.
+- Plugins/providers: move OpenRouter, GitHub Copilot, and OpenAI Codex provider/runtime logic into bundled plugins, including dynamic model fallback, runtime auth exchange, stream wrappers, capability hints, and cache-TTL policy.
+- Plugins/agent integrations: broaden the plugin surface for app-server integrations with channel-aware commands, interactive callbacks, inbound claims, and Discord/Telegram conversation binding support. (#45318) Thanks @huntharo and @vincentkoc.
+- Install/update: allow package-manager installs from GitHub `main` via `openclaw update --tag main`, installer `--version main`, or direct npm/pnpm git specs.
+- Gateway/health monitor: add configurable stale-event thresholds and restart limits, plus per-channel and per-account `healthMonitor.enabled` overrides, while keeping the existing global disable path on `gateway.channelHealthCheckMinutes=0`. (#42107) Thanks @rstar327.
+- Android/mobile: add a system-aware dark theme across onboarding and post-onboarding screens so the app follows the device theme through setup, chat, and voice flows. (#46249) Thanks @sibbl.
 - Feishu/ACP: add current-conversation ACP and subagent session binding for supported DMs and topic conversations, including completion delivery back to the originating Feishu conversation. (#46819)
 - Plugins/marketplaces: add Claude marketplace registry resolution, `plugin@marketplace` installs, marketplace listing, and update support, plus Docker E2E coverage for local and official marketplace flows. Thanks @vincentkoc.
+- Feishu/cards: add structured interactive approval and quick-action launcher cards, preserve callback user and conversation context through routing, and keep legacy card-action fallback behavior so common actions can run without typing raw commands. (#47873)
+- Feishu/streaming: add `onReasoningStream` and `onReasoningEnd` support to streaming cards, so `/reasoning stream` renders thinking tokens as markdown blockquotes in the same card — matching the Telegram channel's reasoning lane behavior. (#46029)
+- Feishu/cards: add identity-aware structured card headers and note footers for Feishu replies and direct sends, while keeping that presentation wired through the shared outbound identity path. (#29938) Thanks @nszhsl.
+- Android/nodes: add `callLog.search` plus shared Call Log permission wiring so Android nodes can search recent call history through the gateway. (#44073) Thanks @lxk7280.
+- Plugins/MiniMax: merge the bundled MiniMax API and MiniMax OAuth plugin surfaces into a single default-on `minimax` plugin, while keeping legacy `minimax-portal-auth` config ids aliased for compatibility.
+- Telegram/actions: add `topic-edit` for forum-topic renames and icon updates while sharing the same Telegram topic-edit transport used by the plugin runtime. (#47798) Thanks @obviyus.
+- Refactor/channels: remove the legacy channel shim directories and point channel-specific imports directly at the extension-owned implementations. (#45967) thanks @scoootscooob.
+- Docs/Zalo: clarify the Marketplace-bot support matrix and config guidance so the Zalo channel docs match current Bot Creator behavior more closely. (#47552) Thanks @No898.
+- secrets: harden read-only SecretRef command paths and diagnostics. (#47794) Thanks @joshavant.
 
 ### Breaking
 
@@ -34,66 +34,64 @@ Docs: https://docs.openclaw.ai
 
 ### Fixes
 
-- Group mention gating: reject invalid and unsafe nested-repetition `mentionPatterns`, reuse the shared safe config-regex compiler across mention stripping and detection, and cache strip-time regex compilation so noisy groups avoid repeated recompiles.
-- Control UI/chat sessions: show human-readable labels in the grouped session dropdown again, keep unique scoped fallbacks when metadata is missing, and disambiguate duplicate labels only when needed. (#45130) thanks @luzhidong.
-- Control UI: scope persisted session selection per gateway, prevent stale session bleed across tokenized gateway opens, and cap stored gateway session history. (#47453) Thanks @sallyom.
-- Slack/interactive replies: preserve `channelData.slack.blocks` through live DM delivery and preview-finalized edits so Block Kit button and select directives render instead of falling back to raw text. (#45890) Thanks @vincentkoc.
-- Feishu/topic threads: fetch full thread context, including prior bot replies, when starting a topic-thread session so follow-up turns in Feishu topics keep the right conversation state. (#45254) Thanks @Coobiw.
-- Feishu/media: keep native image, file, audio, and video/media handling aligned across outbound sends, inbound downloads, thread replies, directory/action aliases, and capability docs so unsupported areas are explicit instead of implied.
-- Feishu/actions: expand the runtime action surface with message read/edit, explicit thread replies, pinning, and operator-facing chat/member inspection so Feishu can operate more of the workspace directly.
-- Configure/startup: move outbound send-deps resolution into a lightweight helper so `openclaw configure` no longer stalls after the banner while eagerly loading channel plugins. (#46301) thanks @scoootscooob.
-- Control UI/dashboard: preserve structured gateway shutdown reasons across restart disconnects so config-triggered restarts no longer fall back to `disconnected (1006): no reason`. (#46532) Thanks @vincentkoc.
-- Android/chat: theme the thinking dropdown and TLS trust dialogs explicitly so popup surfaces match the active app theme instead of falling back to mismatched Material defaults.
-- Z.AI/onboarding: detect a working default model even for explicit `zai-coding-*` endpoint choices, so Coding Plan setup can keep the selected endpoint while defaulting to `glm-5` when available or `glm-4.7` as fallback. (#45969)
-- Models/OpenRouter runtime capabilities: fetch uncatalogued OpenRouter model metadata on first use so newly added vision models keep image input instead of silently degrading to text-only, with top-level capability field fallbacks for `/api/v1/models`. (#45824) Thanks @DJjjjhao.
-- Z.AI/onboarding: add `glm-5-turbo` to the default Z.AI provider catalog so onboarding-generated configs expose the new model alongside the existing GLM defaults. (#46670) Thanks @tomsun28.
-- Zalo Personal/group gating: stop reapplying `dmPolicy.allowFrom` as a sender gate for already-allowlisted groups when `groupAllowFrom` is unset, so any member of an allowed group can trigger replies while DMs stay restricted. (#40146)
-- Channels/plugins: keep shared interactive payloads merge-ready by fixing Slack custom callback routing and repeat-click dedupe, allowing interactive-only sends, and preserving ordered Discord shared text blocks. (#47715) Thanks @vincentkoc.
+- Google auth/Node 25: patch `gaxios` to use native fetch without injecting `globalThis.window`, while translating proxy and mTLS transport settings so Google Vertex and Google Chat auth keep working on Node 25. (#47914) Thanks @pdd-cli.
+- Gateway/startup: load bundled channel plugins from compiled `dist/extensions` entries in built installs, so gateway boot no longer recompiles bundled extension TypeScript on every startup and WhatsApp-class cold starts drop back to seconds instead of tens of seconds or worse.
+- Plugins/context engines: enforce owner-aware context-engine registration on both loader and public SDK paths so plugins cannot spoof privileged ownership, claim the core `legacy` engine id, or overwrite an existing engine id through direct SDK imports. (#47595) Thanks @vincentkoc.
 - Browser/remote CDP: honor strict browser SSRF policy during remote CDP reachability and `/json/version` discovery checks, redact sensitive `cdpUrl` tokens from status output, and warn when remote CDP targets private/internal hosts.
-- Plugins/install precedence: keep bundled plugins ahead of auto-discovered globals by default, but let an explicitly installed plugin record win its own duplicate-id tie so installed channel plugins load from `~/.openclaw/extensions` after `openclaw plugins install`.
-- ACP/acpx: resolve the bundled plugin root from the actual plugin directory so plugin-local installs stay under `dist/extensions/acpx` instead of escaping to `dist/extensions` and failing runtime setup.
-- Gateway/auth: ignore spoofed loopback hops in trusted forwarding chains and block device approvals that request scopes above the caller session. Thanks @vincentkoc.
-- Gateway/config views: strip embedded credentials from URL-based endpoint fields before returning read-only account and config snapshots. Thanks @vincentkoc.
-- Tools/apply-patch: revalidate workspace-only delete and directory targets immediately before mutating host paths. Thanks @vincentkoc.
-- Webhooks/runtime: move auth earlier and tighten pre-auth body limits and timeouts across bundled webhook handlers, including slow-body handling for Mattermost slash commands. Thanks @vincentkoc.
 - Gateway/plugins: pin runtime webhook routes to the gateway startup registry so channel webhooks keep working across plugin-registry churn, and make plugin auth + dispatch resolve routes from the same live HTTP-route registry. Fixes #46924 and #47041.
-- Subagents/follow-ups: require the same controller ownership checks for `/subagents send` as other control actions, so leaf sessions cannot message nested child runs they do not control. Thanks @vincentkoc.
-- Inbound policy hardening: tighten callback and webhook sender checks across Mattermost and Google Chat, match Nextcloud Talk rooms by stable room token, and treat explicit empty Twitch allowlists as deny-all. (#46787) Thanks @zpbrent, @ijxpwastaken and @vincentkoc.
-- macOS/canvas actions: keep unattended local agent actions on trusted in-app canvas surfaces only, and stop exposing the deep-link fallback key to arbitrary page scripts. (#46790) Thanks @vincentkoc.
-- Agents/compaction: extend the enclosing run deadline once while compaction is actively in flight, and abort the underlying SDK compaction on timeout/cancel so large-session compactions stop freezing mid-run. (#46889) Thanks @asyncjason.
-- Models/openai-completions: default non-native OpenAI-compatible providers to omit tool-definition `strict` fields unless users explicitly opt back in, so tool calling keeps working on providers that reject that option. (#45497) Thanks @sahancava.
-- WhatsApp/reconnect: restore the append recency filter in the extension inbox monitor and handle protobuf `Long` timestamps correctly, so fresh post-reconnect append messages are processed while stale history sync stays suppressed. (#42588) thanks @MonkeyLeeT.
-- WhatsApp/login: wait for pending creds writes before reopening after Baileys `515` pairing restarts in both QR login and `channels login` flows, and keep the restart coverage pinned to the real wrapped error shape plus per-account creds queues. (#27910) Thanks @asyncjason.
-- Agents/openai-compatible tool calls: deduplicate repeated tool call ids across live assistant messages and replayed history so OpenAI-compatible backends no longer reject duplicate `tool_call_id` values with HTTP 400. (#40996) Thanks @xaeon2026.
-- Security/device pairing: harden `device.token.rotate` deny handling by keeping public failures generic while logging internal deny reasons and preserving approved-baseline enforcement. (`GHSA-7jrw-x62h-64p8`)
-- Slack/interactive replies: preserve `channelData.slack.blocks` through live DM delivery and preview-finalized edits so Block Kit button and select directives render instead of falling back to raw text. (#45890) Thanks @vincentkoc.
+- Gateway/auth: ignore spoofed loopback hops in trusted forwarding chains and block device approvals that request scopes above the caller session. Thanks @vincentkoc.
 - Gateway/restart: defer externally signaled unmanaged restarts through the in-process idle drain, and preserve the restored subagent run as remap fallback during orphan recovery so resumed sessions do not duplicate work. (#47719) Thanks @joeykrug.
-- Zalo/plugin runtime: export `resolveClientIp` from `openclaw/plugin-sdk/zalo` so installed builds no longer crash on startup when the webhook monitor loads from the packaged extension instead of the monorepo source tree. (#46549) Thanks @No898.
-- CI/channel test routing: move the built-in channel suites into `test:channels` and keep them out of `test:extensions`, so extension CI no longer fails after the channel migration while targeted test routing still sends Slack, Signal, and iMessage suites to the right lane. (#46066) Thanks @scoootscooob.
-- Browser/profiles: drop the auto-created `chrome-relay` browser profile; users who need the Chrome extension relay must now create their own profile via `openclaw browser create-profile`. (#45777) Thanks @odysseus0.
-- Docs/Mintlify: fix MDX marker syntax on Perplexity, Model Providers, Moonshot, and exec approvals pages so local docs preview no longer breaks rendering or leaves stale pages unpublished. (#46695) Thanks @velvet-shark.
-- Email/webhook wrapping: sanitize sender and subject metadata before external-content wrapping so metadata fields cannot break the wrapper structure. Thanks @vincentkoc.
-- Node/startup: remove leftover debug `console.log("node host PATH: ...")` that printed the resolved PATH on every `openclaw node run` invocation. (#46411)
-- Nodes/pending actions: re-check queued foreground actions against the current node command policy before returning them to the node. (#46815) Thanks @zpbrent and @vincentkoc.
-- ACP/approvals: use canonical tool identity for prompting decisions and fail closed when conflicting tool identity hints are present. (#46817) Thanks @zpbrent and @vincentkoc.
-- Telegram/message send: forward `--force-document` through the `sendPayload` path as well as `sendMedia`, so Telegram payload sends with `channelData` keep uploading images as documents instead of silently falling back to compressed photo sends. (#47119) Thanks @thepagent.
-- Telegram/message chunking: preserve spaces, paragraph separators, and word boundaries when HTML overflow rechunking splits formatted replies. (#47274)
-- Plugins/scoped ids: preserve scoped plugin ids during install and config keying, and keep bundled plugins ahead of discovered duplicate ids by default so `@scope/name` plugins no longer collide with unscoped installs. Thanks @vincentkoc.
-- CLI: avoid loading provider discovery during startup model normalization. (#46522) Thanks @ItsAditya-xyz and @vincentkoc.
-- Tlon: honor explicit empty allowlists and defer cite expansion. (#46788) Thanks @zpbrent and @vincentkoc.
-- ACP: require admin scope for mutating internal actions. (#46789) Thanks @tdjackey and @vincentkoc.
-- Gateway/config validation: stop treating the implicit default memory slot as a required explicit plugin config, so startup no longer fails with `plugins.slots.memory: plugin not found: memory-core` when `memory-core` was only inferred. (#47494) Thanks @ngutman.
+- Control UI/session routing: preserve established external delivery routes when webchat views or sends in externally originated sessions, so subagent completions still return to the original channel instead of the dashboard. (#47797) Thanks @brokemac79.
+- Configure/startup: move outbound send-deps resolution into a lightweight helper so `openclaw configure` no longer stalls after the banner while eagerly loading channel plugins. (#46301) thanks @scoootscooob.
 - CLI/startup: lazy-load channel add and root help startup paths to trim avoidable RSS and help latency on constrained hosts. (#46784) Thanks @vincentkoc.
 - CLI/onboarding: import static provider definitions directly for onboarding model/config helpers so those paths no longer pull provider discovery just for built-in defaults. (#47467) Thanks @vincentkoc.
 - CLI/auth choice: lazy-load plugin/provider fallback resolution so mapped auth choices stay on the static path and only unknown choices pay the heavy provider load. (#47495) Thanks @vincentkoc.
-- CLI/completion: reduce recursive completion-script string churn and fix nested PowerShell command-path matching so generated nested completions resolve on PowerShell too. (#45537) Thanks @yiShanXin and @vincentkoc.
-- Gateway/startup: load bundled channel plugins from compiled `dist/extensions` entries in built installs, so gateway boot no longer recompiles bundled extension TypeScript on every startup and WhatsApp-class cold starts drop back to seconds instead of tens of seconds or worse.
+- CLI: avoid loading provider discovery during startup model normalization. (#46522) Thanks @ItsAditya-xyz and @vincentkoc.
+- Security/device pairing: harden `device.token.rotate` deny handling by keeping public failures generic while logging internal deny reasons and preserving approved-baseline enforcement. (`GHSA-7jrw-x62h-64p8`)
+- Inbound policy hardening: tighten callback and webhook sender checks across Mattermost and Google Chat, match Nextcloud Talk rooms by stable room token, and treat explicit empty Twitch allowlists as deny-all. (#46787) Thanks @zpbrent, @ijxpwastaken and @vincentkoc.
+- Webhooks/runtime: move auth earlier and tighten pre-auth body limits and timeouts across bundled webhook handlers, including slow-body handling for Mattermost slash commands. Thanks @vincentkoc.
+- Email/webhook wrapping: sanitize sender and subject metadata before external-content wrapping so metadata fields cannot break the wrapper structure. Thanks @vincentkoc.
+- Tools/apply-patch: revalidate workspace-only delete and directory targets immediately before mutating host paths. Thanks @vincentkoc.
+- Gateway/config views: strip embedded credentials from URL-based endpoint fields before returning read-only account and config snapshots. Thanks @vincentkoc.
+- ACP/approvals: use canonical tool identity for prompting decisions and fail closed when conflicting tool identity hints are present. (#46817) Thanks @zpbrent and @vincentkoc.
+- ACP: require admin scope for mutating internal actions. (#46789) Thanks @tdjackey and @vincentkoc.
+- Subagents/follow-ups: require the same controller ownership checks for `/subagents send` as other control actions, so leaf sessions cannot message nested child runs they do not control. Thanks @vincentkoc.
+- macOS/canvas actions: keep unattended local agent actions on trusted in-app canvas surfaces only, and stop exposing the deep-link fallback key to arbitrary page scripts. (#46790) Thanks @vincentkoc.
+- Agents/compaction: extend the enclosing run deadline once while compaction is actively in flight, and abort the underlying SDK compaction on timeout/cancel so large-session compactions stop freezing mid-run. (#46889) Thanks @asyncjason.
+- Agents/openai-compatible tool calls: deduplicate repeated tool call ids across live assistant messages and replayed history so OpenAI-compatible backends no longer reject duplicate `tool_call_id` values with HTTP 400. (#40996) Thanks @xaeon2026.
+- Models/openai-completions: default non-native OpenAI-compatible providers to omit tool-definition `strict` fields unless users explicitly opt back in, so tool calling keeps working on providers that reject that option. (#45497) Thanks @sahancava.
+- Models/OpenRouter runtime capabilities: fetch uncatalogued OpenRouter model metadata on first use so newly added vision models keep image input instead of silently degrading to text-only, with top-level capability field fallbacks for `/api/v1/models`. (#45824) Thanks @DJjjjhao.
+- Channels/plugins: keep shared interactive payloads merge-ready by fixing Slack custom callback routing and repeat-click dedupe, allowing interactive-only sends, and preserving ordered Discord shared text blocks. (#47715) Thanks @vincentkoc.
+- Slack/interactive replies: preserve `channelData.slack.blocks` through live DM delivery and preview-finalized edits so Block Kit button and select directives render instead of falling back to raw text. (#45890) Thanks @vincentkoc.
+- Slack/interactive replies: preserve `channelData.slack.blocks` through live DM delivery and preview-finalized edits so Block Kit button and select directives render instead of falling back to raw text. (#45890) Thanks @vincentkoc.
+- Feishu/actions: expand the runtime action surface with message read/edit, explicit thread replies, pinning, and operator-facing chat/member inspection so Feishu can operate more of the workspace directly.
+- Feishu/topic threads: fetch full thread context, including prior bot replies, when starting a topic-thread session so follow-up turns in Feishu topics keep the right conversation state. (#45254) Thanks @Coobiw.
+- Feishu/media: keep native image, file, audio, and video/media handling aligned across outbound sends, inbound downloads, thread replies, directory/action aliases, and capability docs so unsupported areas are explicit instead of implied.
+- WhatsApp/reconnect: restore the append recency filter in the extension inbox monitor and handle protobuf `Long` timestamps correctly, so fresh post-reconnect append messages are processed while stale history sync stays suppressed. (#42588) thanks @MonkeyLeeT.
+- WhatsApp/login: wait for pending creds writes before reopening after Baileys `515` pairing restarts in both QR login and `channels login` flows, and keep the restart coverage pinned to the real wrapped error shape plus per-account creds queues. (#27910) Thanks @asyncjason.
+- Telegram/message send: forward `--force-document` through the `sendPayload` path as well as `sendMedia`, so Telegram payload sends with `channelData` keep uploading images as documents instead of silently falling back to compressed photo sends. (#47119) Thanks @thepagent.
+- Telegram/message chunking: preserve spaces, paragraph separators, and word boundaries when HTML overflow rechunking splits formatted replies. (#47274)
+- Z.AI/onboarding: detect a working default model even for explicit `zai-coding-*` endpoint choices, so Coding Plan setup can keep the selected endpoint while defaulting to `glm-5` when available or `glm-4.7` as fallback. (#45969)
+- Z.AI/onboarding: add `glm-5-turbo` to the default Z.AI provider catalog so onboarding-generated configs expose the new model alongside the existing GLM defaults. (#46670) Thanks @tomsun28.
+- Zalo Personal/group gating: stop reapplying `dmPolicy.allowFrom` as a sender gate for already-allowlisted groups when `groupAllowFrom` is unset, so any member of an allowed group can trigger replies while DMs stay restricted. (#40146)
+- Zalo/plugin runtime: export `resolveClientIp` from `openclaw/plugin-sdk/zalo` so installed builds no longer crash on startup when the webhook monitor loads from the packaged extension instead of the monorepo source tree. (#46549) Thanks @No898.
+- Plugins/install precedence: keep bundled plugins ahead of auto-discovered globals by default, but let an explicitly installed plugin record win its own duplicate-id tie so installed channel plugins load from `~/.openclaw/extensions` after `openclaw plugins install`.
+- Plugins/scoped ids: preserve scoped plugin ids during install and config keying, and keep bundled plugins ahead of discovered duplicate ids by default so `@scope/name` plugins no longer collide with unscoped installs. Thanks @vincentkoc.
 - Gateway/watch mode: restart on bundled-plugin package and manifest metadata changes, rebuild `dist` for extension source and `tsdown.config.ts` changes, and still ignore extension docs. (#47571) thanks @gumadeiras.
 - Gateway/watch mode: recreate bundled plugin runtime metadata after clean or stale `dist` states, so `pnpm gateway:watch` no longer fails on missing `dist/extensions/*/openclaw.plugin.json` manifests after a rebuild. Thanks @gumadeiras.
-- Plugins/context engines: enforce owner-aware context-engine registration on both loader and public SDK paths so plugins cannot spoof privileged ownership, claim the core `legacy` engine id, or overwrite an existing engine id through direct SDK imports. (#47595) Thanks @vincentkoc.
-- Windows/gateway status: accept `schtasks` `Last Result` output as an alias for `Last Run Result`, so running scheduled-task installs no longer show `Runtime: unknown`. (#47844) Thanks @MoerAI.
-- Control UI/session routing: preserve established external delivery routes when webchat views or sends in externally originated sessions, so subagent completions still return to the original channel instead of the dashboard. (#47797) Thanks @brokemac79.
-- Google auth/Node 25: patch `gaxios` to use native fetch without injecting `globalThis.window`, while translating proxy and mTLS transport settings so Google Vertex and Google Chat auth keep working on Node 25. (#47914) Thanks @pdd-cli.
+- Control UI/chat sessions: show human-readable labels in the grouped session dropdown again, keep unique scoped fallbacks when metadata is missing, and disambiguate duplicate labels only when needed. (#45130) thanks @luzhidong.
+- Control UI: scope persisted session selection per gateway, prevent stale session bleed across tokenized gateway opens, and cap stored gateway session history. (#47453) Thanks @sallyom.
+- Control UI/dashboard: preserve structured gateway shutdown reasons across restart disconnects so config-triggered restarts no longer fall back to `disconnected (1006): no reason`. (#46532) Thanks @vincentkoc.
+- Android/chat: theme the thinking dropdown and TLS trust dialogs explicitly so popup surfaces match the active app theme instead of falling back to mismatched Material defaults.
+- Group mention gating: reject invalid and unsafe nested-repetition `mentionPatterns`, reuse the shared safe config-regex compiler across mention stripping and detection, and cache strip-time regex compilation so noisy groups avoid repeated recompiles.
+- Browser/profiles: drop the auto-created `chrome-relay` browser profile; users who need the Chrome extension relay must now create their own profile via `openclaw browser create-profile`. (#45777) Thanks @odysseus0.
+- CI/channel test routing: move the built-in channel suites into `test:channels` and keep them out of `test:extensions`, so extension CI no longer fails after the channel migration while targeted test routing still sends Slack, Signal, and iMessage suites to the right lane. (#46066) Thanks @scoootscooob.
+- Docs/Mintlify: fix MDX marker syntax on Perplexity, Model Providers, Moonshot, and exec approvals pages so local docs preview no longer breaks rendering or leaves stale pages unpublished. (#46695) Thanks @velvet-shark.
+- Gateway/config validation: stop treating the implicit default memory slot as a required explicit plugin config, so startup no longer fails with `plugins.slots.memory: plugin not found: memory-core` when `memory-core` was only inferred. (#47494) Thanks @ngutman.
+- Tlon: honor explicit empty allowlists and defer cite expansion. (#46788) Thanks @zpbrent and @vincentkoc.
+- Nodes/pending actions: re-check queued foreground actions against the current node command policy before returning them to the node. (#46815) Thanks @zpbrent and @vincentkoc.
+- Node/startup: remove leftover debug `console.log("node host PATH: ...")` that printed the resolved PATH on every `openclaw node run` invocation. (#46411)
+- CLI/completion: reduce recursive completion-script string churn and fix nested PowerShell command-path matching so generated nested completions resolve on PowerShell too. (#45537) Thanks @yiShanXin and @vincentkoc.
 
 ## 2026.3.13
 

From 6f5369c7e8a15199265966b0774fb203cb7feb22 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Mar 2026 08:50:27 +0000
Subject: [PATCH 132/133] fix: split browser-safe thinking helpers

---
 extensions/slack/src/message-action-dispatch.ts |  3 +++
 src/auto-reply/thinking.test.ts                 | 13 +++++++++++++
 2 files changed, 16 insertions(+)

diff --git a/extensions/slack/src/message-action-dispatch.ts b/extensions/slack/src/message-action-dispatch.ts
index b251d0b80eb..58fc4d77184 100644
--- a/extensions/slack/src/message-action-dispatch.ts
+++ b/extensions/slack/src/message-action-dispatch.ts
@@ -187,6 +187,9 @@ export async function handleSlackMessageAction(params: {
     const channelId =
       readStringParam(actionParams, "channelId") ??
       readStringParam(actionParams, "to", { required: true });
+    if (!channelId) {
+      throw new Error("channelId required");
+    }
     return normalizeChannelId ? normalizeChannelId(channelId) : channelId;
   };
 
diff --git a/src/auto-reply/thinking.test.ts b/src/auto-reply/thinking.test.ts
index 35d1c289271..a6867d1d9b8 100644
--- a/src/auto-reply/thinking.test.ts
+++ b/src/auto-reply/thinking.test.ts
@@ -118,6 +118,10 @@ describe("listThinkingLevelLabels", () => {
     expect(listThinkingLevelLabels("zai", "glm-4.7")).toEqual(["off", "on"]);
   });
 
+  it("keeps built-in binary thinking fallback without provider runtime", () => {
+    expect(listThinkingLevelLabels("zai", "glm-4.7")).toEqual(["off", "on"]);
+  });
+
   it("returns full levels for non-ZAI", () => {
     expect(listThinkingLevelLabels("openai", "gpt-4.1-mini")).toContain("low");
     expect(listThinkingLevelLabels("openai", "gpt-4.1-mini")).not.toContain("on");
@@ -157,6 +161,15 @@ describe("resolveThinkingDefaultForModel", () => {
     ).toBe("adaptive");
   });
 
+  it("keeps built-in adaptive defaults without provider runtime", () => {
+    expect(
+      resolveThinkingDefaultForModel({ provider: "anthropic", model: "claude-opus-4-6" }),
+    ).toBe("adaptive");
+    expect(
+      resolveThinkingDefaultForModel({ provider: "aws-bedrock", model: "claude-sonnet-4-6" }),
+    ).toBe("adaptive");
+  });
+
   it("defaults reasoning-capable catalog models to low", () => {
     expect(
       resolveThinkingDefaultForModel({

From 2a85fa7db18f9296c4486abc61d2b35e213f3c3e Mon Sep 17 00:00:00 2001
From: Nimrod Gutman <nimrod.gutman@gmail.com>
Date: Mon, 16 Mar 2026 10:57:08 +0200
Subject: [PATCH 133/133] fix(macos): restore debug build helpers (#48046)

---
 .../CanvasA2UIActionMessageHandler.swift      | 37 +++++++++++
 apps/macos/Sources/OpenClaw/CronModels.swift  | 65 +++++++++++++++++++
 2 files changed, 102 insertions(+)

diff --git a/apps/macos/Sources/OpenClaw/CanvasA2UIActionMessageHandler.swift b/apps/macos/Sources/OpenClaw/CanvasA2UIActionMessageHandler.swift
index c81d4b59705..0599f4ab3a6 100644
--- a/apps/macos/Sources/OpenClaw/CanvasA2UIActionMessageHandler.swift
+++ b/apps/macos/Sources/OpenClaw/CanvasA2UIActionMessageHandler.swift
@@ -8,6 +8,24 @@ final class CanvasA2UIActionMessageHandler: NSObject, WKScriptMessageHandler {
     static let messageName = "openclawCanvasA2UIAction"
     static let allMessageNames = [messageName]
 
+    // Compatibility helper for debug/test shims. Runtime dispatch remains
+    // limited to in-app canvas schemes in `didReceive`.
+    static func isLocalNetworkCanvasURL(_ url: URL) -> Bool {
+        guard let scheme = url.scheme?.lowercased(), scheme == "http" || scheme == "https" else {
+            return false
+        }
+        guard let host = url.host?.lowercased(), !host.isEmpty else {
+            return false
+        }
+        if host == "localhost" {
+            return true
+        }
+        guard let ip = Self.parseIPv4(host) else {
+            return false
+        }
+        return Self.isLocalNetworkIPv4(ip)
+    }
+
     private let sessionKey: String
 
     init(sessionKey: String) {
@@ -104,5 +122,24 @@ final class CanvasA2UIActionMessageHandler: NSObject, WKScriptMessageHandler {
             }
         }
     }
+
+    private static func parseIPv4(_ host: String) -> (UInt8, UInt8, UInt8, UInt8)? {
+        let parts = host.split(separator: ".", omittingEmptySubsequences: false)
+        guard parts.count == 4 else { return nil }
+        let bytes = parts.compactMap { UInt8($0) }
+        guard bytes.count == 4 else { return nil }
+        return (bytes[0], bytes[1], bytes[2], bytes[3])
+    }
+
+    private static func isLocalNetworkIPv4(_ ip: (UInt8, UInt8, UInt8, UInt8)) -> Bool {
+        let (a, b, _, _) = ip
+        if a == 10 { return true }
+        if a == 172, (16...31).contains(Int(b)) { return true }
+        if a == 192, b == 168 { return true }
+        if a == 127 { return true }
+        if a == 169, b == 254 { return true }
+        if a == 100, (64...127).contains(Int(b)) { return true }
+        return false
+    }
     // Formatting helpers live in OpenClawKit (`OpenClawCanvasA2UIAction`).
 }
diff --git a/apps/macos/Sources/OpenClaw/CronModels.swift b/apps/macos/Sources/OpenClaw/CronModels.swift
index 40079453974..78016ff9f88 100644
--- a/apps/macos/Sources/OpenClaw/CronModels.swift
+++ b/apps/macos/Sources/OpenClaw/CronModels.swift
@@ -254,6 +254,71 @@ struct CronJob: Identifiable, Codable, Equatable {
         case state
     }
 
+    init(
+        id: String,
+        agentId: String?,
+        name: String,
+        description: String?,
+        enabled: Bool,
+        deleteAfterRun: Bool?,
+        createdAtMs: Int,
+        updatedAtMs: Int,
+        schedule: CronSchedule,
+        sessionTarget: CronSessionTarget,
+        wakeMode: CronWakeMode,
+        payload: CronPayload,
+        delivery: CronDelivery?,
+        state: CronJobState)
+    {
+        self.init(
+            id: id,
+            agentId: agentId,
+            name: name,
+            description: description,
+            enabled: enabled,
+            deleteAfterRun: deleteAfterRun,
+            createdAtMs: createdAtMs,
+            updatedAtMs: updatedAtMs,
+            schedule: schedule,
+            sessionTarget: .predefined(sessionTarget),
+            wakeMode: wakeMode,
+            payload: payload,
+            delivery: delivery,
+            state: state)
+    }
+
+    init(
+        id: String,
+        agentId: String?,
+        name: String,
+        description: String?,
+        enabled: Bool,
+        deleteAfterRun: Bool?,
+        createdAtMs: Int,
+        updatedAtMs: Int,
+        schedule: CronSchedule,
+        sessionTarget: CronCustomSessionTarget,
+        wakeMode: CronWakeMode,
+        payload: CronPayload,
+        delivery: CronDelivery?,
+        state: CronJobState)
+    {
+        self.id = id
+        self.agentId = agentId
+        self.name = name
+        self.description = description
+        self.enabled = enabled
+        self.deleteAfterRun = deleteAfterRun
+        self.createdAtMs = createdAtMs
+        self.updatedAtMs = updatedAtMs
+        self.schedule = schedule
+        self.sessionTargetRaw = sessionTarget.rawValue
+        self.wakeMode = wakeMode
+        self.payload = payload
+        self.delivery = delivery
+        self.state = state
+    }
+
     /// Parsed session target (predefined or custom session ID)
     var parsedSessionTarget: CronCustomSessionTarget {
         CronCustomSessionTarget.from(self.sessionTargetRaw)