npm - @captain-app/openclaw - Versions diffs - 2026.2.4 - Mend

@captain-app/openclaw 2026.2.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1686) hide show

package/CHANGELOG.md +1528 -0
package/LICENSE +21 -0
package/README-header.png +0 -0
package/README.md +539 -0
package/assets/avatar-placeholder.svg +19 -0
package/assets/chrome-extension/README.md +22 -0
package/assets/chrome-extension/background.js +438 -0
package/assets/chrome-extension/icons/icon128.png +0 -0
package/assets/chrome-extension/icons/icon16.png +0 -0
package/assets/chrome-extension/icons/icon32.png +0 -0
package/assets/chrome-extension/icons/icon48.png +0 -0
package/assets/chrome-extension/manifest.json +25 -0
package/assets/chrome-extension/options.html +196 -0
package/assets/chrome-extension/options.js +59 -0
package/assets/dmg-background-small.png +0 -0
package/assets/dmg-background.png +0 -0
package/dist/accounts-ClnuDahN.js +250 -0
package/dist/accounts-DzBgAM3C.js +251 -0
package/dist/acp-cli-BEDDkzXH.js +926 -0
package/dist/acp-cli-CwV4mdnW.js +923 -0
package/dist/agent-CArjbSeE.js +695 -0
package/dist/agent-CB7x5HLT.js +695 -0
package/dist/agent-scope-BbT4OG2N.js +545 -0
package/dist/agent-scope-C_O6Vpl0.js +545 -0
package/dist/agent-scope-Csu2B6AM.js +606 -0
package/dist/archive-CWrnG1CH.js +85 -0
package/dist/archive-ccN9aDgq.js +85 -0
package/dist/audit-DXPkQ275.js +1686 -0
package/dist/audit-eH7nwgsM.js +1686 -0
package/dist/auth-health-Bj7Gjbv0.js +149 -0
package/dist/auth-health-CjjJhHey.js +149 -0
package/dist/auth-nnRYiqpH.js +192 -0
package/dist/auth-profiles-DVLfuixr.js +2954 -0
package/dist/auth-y1BLPUhX.js +192 -0
package/dist/boolean-Wzu0-e0P.js +30 -0
package/dist/brew-Cqi8b49_.js +46 -0
package/dist/brew-DyBGNK8A.js +46 -0
package/dist/build-info.json +5 -0
package/dist/call-B7EveN4V.js +252 -0
package/dist/call-vuUQIjOj.js +252 -0
package/dist/canvas-host/a2ui/.bundle.hash +1 -0
package/dist/canvas-host/a2ui/a2ui.bundle.js +17780 -0
package/dist/canvas-host/a2ui/index.html +307 -0
package/dist/channel-options-CJfmOkol.js +32 -0
package/dist/channel-options-lFguMTz1.js +62 -0
package/dist/channel-selection-BmND9mWj.js +51 -0
package/dist/channel-selection-cGhL9G0c.js +51 -0
package/dist/channel-summary-B4G513Eb.js +1154 -0
package/dist/channel-summary-MCwBCa5y.js +1154 -0
package/dist/channels-cli-C2Of1mZG.js +1411 -0
package/dist/channels-cli-DFynrP1H.js +1413 -0
package/dist/channels-status-issues-YohTjZ-I.js +18 -0
package/dist/channels-status-issues-ZcR1U-m5.js +18 -0
package/dist/chrome-B3IuUad-.js +1953 -0
package/dist/chrome-BZ9K48w9.js +1973 -0
package/dist/clack-prompter-B9yLhyOm.js +92 -0
package/dist/clack-prompter-BybM9xdL.js +92 -0
package/dist/cli/daemon-cli.js +2 -0
package/dist/cli-BJZdJwug.js +89 -0
package/dist/cli-BQSoKu3d.js +86 -0
package/dist/cli-utils-CO4jEMn0.js +43 -0
package/dist/cli-utils-gtE-0a0D.js +43 -0
package/dist/client-DPqNOpK3.js +1609 -0
package/dist/client-DySXIFCA.js +1609 -0
package/dist/command-format-CFzL448l.js +52 -0
package/dist/command-format-DELazozB.js +52 -0
package/dist/command-format-ayFsmwwz.js +38 -0
package/dist/command-options-CsjxK4cZ.js +33 -0
package/dist/commands-BRe9VTyU.js +229 -0
package/dist/completion-cli-DlkjK0iC.js +390 -0
package/dist/completion-cli-E6Pt41AL.js +387 -0
package/dist/config-BtSTwPcH.js +4882 -0
package/dist/config-DfMIMT-f.js +4881 -0
package/dist/config-_d7_WcRv.js +5623 -0
package/dist/config-guard-wSnm-U8a.js +5628 -0
package/dist/configure-CPHAFKlg.js +895 -0
package/dist/configure-DK1XgXYx.js +894 -0
package/dist/constants-CNTiY-ZN.js +65 -0
package/dist/constants-hpmbslG7.js +65 -0
package/dist/control-service-CqX5g_ko.js +61 -0
package/dist/control-service-o6xe3hEb.js +61 -0
package/dist/control-ui/apple-touch-icon.png +0 -0
package/dist/control-ui/assets/index-RwcW4Xl0.css +1 -0
package/dist/control-ui/assets/index-ryaCcbyp.js +4584 -0
package/dist/control-ui/assets/index-ryaCcbyp.js.map +1 -0
package/dist/control-ui/favicon-32.png +0 -0
package/dist/control-ui/favicon.ico +0 -0
package/dist/control-ui/favicon.svg +22 -0
package/dist/control-ui/index.html +17 -0
package/dist/cron-cli-BoSaDgvH.js +453 -0
package/dist/cron-cli-qVandvsD.js +456 -0
package/dist/daemon-cli-C4gGWa15.js +760 -0
package/dist/daemon-cli-DV_X0Krf.js +761 -0
package/dist/daemon-runtime-D5hbSrdO.js +460 -0
package/dist/daemon-runtime-DXUfrXBC.js +460 -0
package/dist/deliver-BxK5nI2P.js +2587 -0
package/dist/deliver-Dwzg9LUd.js +2557 -0
package/dist/deliver-qpYZp20m.js +2587 -0
package/dist/deps-CUXtMV9d.js +27 -0
package/dist/deps-WBvZpFV_.js +27 -0
package/dist/devices-cli-B2s18Qrh.js +207 -0
package/dist/devices-cli-D1UEtMUJ.js +204 -0
package/dist/directory-cli-BXQbrkfM.js +247 -0
package/dist/directory-cli-CqA7tRbq.js +244 -0
package/dist/dispatcher-Dyv7T-1r.js +160 -0
package/dist/dns-cli-CWxKD22D.js +198 -0
package/dist/dns-cli-CzKr_Fxj.js +201 -0
package/dist/docs-cli-BNyxUbWr.js +159 -0
package/dist/docs-cli-DYpTbo3i.js +161 -0
package/dist/doctor-C8fDYZLq.js +2583 -0
package/dist/doctor-hYcqp7c0.js +2585 -0
package/dist/entry.js +1326 -0
package/dist/env-l7QVNj6j.js +32 -0
package/dist/errors-CMCg46fK.js +1952 -0
package/dist/exec-B8JKbXKW.js +246 -0
package/dist/exec-BMnoMcZW.js +1099 -0
package/dist/exec-HEWTMJ7j.js +246 -0
package/dist/exec-approvals-DtrnHx6M.js +1026 -0
package/dist/exec-approvals-Y42bE8ud.js +1026 -0
package/dist/exec-approvals-cli-CIedYxP3.js +385 -0
package/dist/exec-approvals-cli-xpbxnj4O.js +388 -0
package/dist/extensionAPI.js +66572 -0
package/dist/format-Dzy9uRLE.js +34 -0
package/dist/format-sj0fELBK.js +34 -0
package/dist/gateway-cli-5A-KNLEC.js +16635 -0
package/dist/gateway-cli-B8kS4chb.js +16637 -0
package/dist/gateway-rpc-15n38Ize.js +28 -0
package/dist/gateway-rpc-TMVRgGfj.js +28 -0
package/dist/github-copilot-auth-DVZj4Zgh.js +1104 -0
package/dist/github-copilot-auth-DeGYyLY9.js +1104 -0
package/dist/github-copilot-token-B3SA95yo.js +103 -0
package/dist/github-copilot-token-C8XFYz0i.js +103 -0
package/dist/github-copilot-token-CnxakiSC.js +103 -0
package/dist/gmail-setup-utils-CWPC386a.js +428 -0
package/dist/gmail-setup-utils-eJVB5Ewp.js +428 -0
package/dist/health-format-B0tMTk3C.js +1189 -0
package/dist/health-format-DaURVaUn.js +1188 -0
package/dist/help-format-CEsRHU2f.js +17 -0
package/dist/help-format-GuCWws6r.js +17 -0
package/dist/helpers-BEJ-phFf.js +25 -0
package/dist/helpers-BtbBZVKZ.js +10 -0
package/dist/helpers-C12w9zxf.js +10 -0
package/dist/helpers-CzjGJZmJ.js +25 -0
package/dist/hooks/bundled/boot-md/HOOK.md +19 -0
package/dist/hooks/bundled/command-logger/HOOK.md +122 -0
package/dist/hooks/bundled/session-memory/HOOK.md +109 -0
package/dist/hooks/bundled/soul-evil/HOOK.md +71 -0
package/dist/hooks-cli-BZCMAnW2.js +1058 -0
package/dist/hooks-cli-D0CEFg3P.js +1061 -0
package/dist/hooks-status-Bn7_O8PM.js +443 -0
package/dist/hooks-status-BrWVfIn0.js +443 -0
package/dist/image-BS022pvv.js +1421 -0
package/dist/image-BzJtY34J.js +629 -0
package/dist/image-CBqmIbQQ.js +629 -0
package/dist/index.js +5809 -0
package/dist/installs-BP4K5L33.js +388 -0
package/dist/installs-DOpTt7VZ.js +388 -0
package/dist/is-main-B4o72sqg.js +25 -0
package/dist/is-main-PYGa3tDA.js +25 -0
package/dist/links-B4nk2iDf.js +15 -0
package/dist/links-DwjRqxgR.js +15 -0
package/dist/loader-Cn4EV_pf.js +63690 -0
package/dist/logging-CS3tbYDj.js +15 -0
package/dist/logging-CY-Q5cwf.js +1 -0
package/dist/logging-DhiLkhLw.js +15 -0
package/dist/logging-pqyrk15z.js +1 -0
package/dist/login-qr-CD164Aw1.js +478 -0
package/dist/login-qr-D7Zdgji2.js +478 -0
package/dist/login-qr-YgILJ4VC.js +475 -0
package/dist/logs-cli-BdS0Uv0I.js +227 -0
package/dist/logs-cli-CqSN1GzB.js +230 -0
package/dist/manager-CfGY5zND.js +2870 -0
package/dist/manager-CjuBqFRL.js +2870 -0
package/dist/manager-CoBEAQKm.js +2872 -0
package/dist/manifest-registry-Bwjq9Iev.js +668 -0
package/dist/manifest-registry-D2Yntqcb.js +668 -0
package/dist/message-channel-Cjsiqxok.js +105 -0
package/dist/message-channel-D6v_oPAg.js +105 -0
package/dist/model-selection-Cv5Ox_tY.js +2956 -0
package/dist/model-selection-Dr-5U5-l.js +2708 -0
package/dist/models-cli-B39ckynD.js +2541 -0
package/dist/models-cli-DoiYsBYw.js +2544 -0
package/dist/net-CFCxaipF.js +137 -0
package/dist/net-DKJPqXuW.js +137 -0
package/dist/node-cli-C_FYF-RA.js +1456 -0
package/dist/node-cli-DWPoNsQS.js +1459 -0
package/dist/node-service-DcJREOww.js +67 -0
package/dist/node-service-DuZ9Us9h.js +67 -0
package/dist/nodes-cli-Elo6tlen.js +1210 -0
package/dist/nodes-cli-zqryRUWB.js +1207 -0
package/dist/nodes-screen-C4aCrxie.js +157 -0
package/dist/nodes-screen-D4PSynkR.js +157 -0
package/dist/note-CQhSvgQv.js +73 -0
package/dist/note-_C44YfAQ.js +73 -0
package/dist/onboard-channels-CHBDi-ZA.js +670 -0
package/dist/onboard-channels-DOEKyxaL.js +670 -0
package/dist/onboard-skills-BUTXREDZ.js +3327 -0
package/dist/onboard-skills-CSLYZmZA.js +3327 -0
package/dist/onboarding-CgKb8b39.js +3232 -0
package/dist/openclaw-root-9ILYSmJ9.js +84 -0
package/dist/openclaw-root-Cvotktkd.js +84 -0
package/dist/pairing-cli-B4UGR2at.js +114 -0
package/dist/pairing-cli-BWDDl8cf.js +117 -0
package/dist/pairing-labels-ClZ-fTWT.js +9 -0
package/dist/pairing-labels-Ds7BPOkj.js +9 -0
package/dist/pairing-store-DDLNuzmx.js +391 -0
package/dist/pairing-store-DRn08lZD.js +391 -0
package/dist/parse-87ybtYW1.js +23 -0
package/dist/parse-OCFfznr3.js +23 -0
package/dist/parse-log-line-C9aL5PUL.js +44 -0
package/dist/parse-log-line-DxRaGzQb.js +44 -0
package/dist/parse-timeout-CFqNj7No.js +16 -0
package/dist/parse-timeout-DV8NQQWk.js +16 -0
package/dist/path-env-C7kiJUgG.js +77 -0
package/dist/path-env-DEj4CiFN.js +77 -0
package/dist/paths-B-q1nXdY.js +43 -0
package/dist/paths-B1kfl4h5.js +164 -0
package/dist/paths-B4kigINg.js +40 -0
package/dist/paths-CHGbP1-A.js +43 -0
package/dist/paths-scjhy7N2.js +180 -0
package/dist/pi-embedded-helpers-C19wUpMB.js +8451 -0
package/dist/pi-embedded-helpers-CT5VuLCb.js +1293 -0
package/dist/pi-embedded-helpers-Dl8e5Rf8.js +1293 -0
package/dist/pi-model-discovery-B6CsmK6Y.js +20 -0
package/dist/pi-model-discovery-DsRqYJLy.js +20 -0
package/dist/pi-model-discovery-EhM2JAQo.js +20 -0
package/dist/pi-tools.policy-BvkSDFDN.js +229 -0
package/dist/plugin-auto-enable-Bd_StZzz.js +461 -0
package/dist/plugin-auto-enable-DBhXb_0x.js +461 -0
package/dist/plugin-sdk/agent-scope-DdwUKIOe.js +606 -0
package/dist/plugin-sdk/chrome-G8apFa5p.js +1953 -0
package/dist/plugin-sdk/command-format-qUVxzqYm.js +52 -0
package/dist/plugin-sdk/config-Cm1M7tgH.js +5623 -0
package/dist/plugin-sdk/deliver-Cl8uowiO.js +2557 -0
package/dist/plugin-sdk/exec-Cm9b2r9Q.js +1107 -0
package/dist/plugin-sdk/github-copilot-token-BHNcM4_B.js +103 -0
package/dist/plugin-sdk/image-7PgoS2VD.js +1421 -0
package/dist/plugin-sdk/index.d.ts +8908 -0
package/dist/plugin-sdk/index.js +70888 -0
package/dist/plugin-sdk/login-qr-qTALvWi2.js +475 -0
package/dist/plugin-sdk/manager-Cs3EQZCb.js +2870 -0
package/dist/plugin-sdk/model-selection-BgC1E1a7.js +2708 -0
package/dist/plugin-sdk/paths-BYpoyRv5.js +164 -0
package/dist/plugin-sdk/paths-DNQE-bvr.js +40 -0
package/dist/plugin-sdk/pi-embedded-helpers-5jNqW_dE.js +8755 -0
package/dist/plugin-sdk/pi-model-discovery-BUGEht9A.js +20 -0
package/dist/plugin-sdk/pw-ai-COTtei4a.js +1649 -0
package/dist/plugin-sdk/qmd-manager-ClSwiAJl.js +615 -0
package/dist/plugin-sdk/redact-2AzjOfk2.js +94 -0
package/dist/plugin-sdk/rolldown-runtime-Cbj13DAv.js +20 -0
package/dist/plugin-sdk/sqlite-gCW7MlLs.js +215 -0
package/dist/plugin-sdk/transcript-events-DGF257vD.js +17 -0
package/dist/plugins-C3Bm-HQV.js +494 -0
package/dist/plugins-QJjTXliB.js +495 -0
package/dist/plugins-cli-DTci0JQb.js +443 -0
package/dist/plugins-cli-wJsN1HHK.js +440 -0
package/dist/ports-CiW9dmMq.js +96 -0
package/dist/program-BWpTHh1I.js +188 -0
package/dist/progress-Bcjniu7m.js +133 -0
package/dist/progress-CvaSPjS9.js +133 -0
package/dist/prompt-style-CFsleyxV.js +9 -0
package/dist/prompt-style-DYJdrXyV.js +9 -0
package/dist/prompts-Bt9fwsg2.js +10 -0
package/dist/prompts-CudpZgTI.js +10 -0
package/dist/pw-ai-08F3GD-3.js +1649 -0
package/dist/pw-ai-ZmHxHQnx.js +1651 -0
package/dist/pw-ai-tNPuRNn3.js +1649 -0
package/dist/qmd-manager-2r-4n3sP.js +617 -0
package/dist/qmd-manager-CF52nuBg.js +615 -0
package/dist/qmd-manager-HEm5H2mk.js +616 -0
package/dist/redact-BICFkpn7.js +97 -0
package/dist/redact-BIMJ3ntQ.js +94 -0
package/dist/redact-KzWHRS5J.js +97 -0
package/dist/register.subclis-D2K25c84.js +348 -0
package/dist/register.subclis-Dd8LbOLi.js +342 -0
package/dist/reply-5UNWRwMn.js +63693 -0
package/dist/restart-sentinel-Cr0vUxB8.js +65 -0
package/dist/restart-sentinel-DUemCjgU.js +65 -0
package/dist/rolldown-runtime-Cbj13DAv.js +20 -0
package/dist/routes-C6UpTPas.js +2410 -0
package/dist/routes-ClNyEvlm.js +2410 -0
package/dist/rpc-D0mf7DIw.js +95 -0
package/dist/rpc-DYdOrgd9.js +95 -0
package/dist/run-main-CojI7gWx.js +194 -0
package/dist/runtime-guard-68M_evhb.js +60 -0
package/dist/runtime-guard-DkjmhnBD.js +60 -0
package/dist/sandbox-Ca81z3Tw.js +2924 -0
package/dist/sandbox-cli-D75GApgp.js +459 -0
package/dist/sandbox-cli-E4SJsC1C.js +462 -0
package/dist/sandbox-knontqD9.js +2925 -0
package/dist/security-cli-BLihvXO-.js +503 -0
package/dist/security-cli-IGQCsK4g.js +506 -0
package/dist/server-context-B9GX5GOI.js +740 -0
package/dist/server-context-BFH7HB_M.js +740 -0
package/dist/server-node-events-CTdHBiEA.js +218 -0
package/dist/server-node-events-DAV14qPr.js +215 -0
package/dist/service-BZNBq9hq.js +680 -0
package/dist/service-C-BLXx9U.js +680 -0
package/dist/service-audit-BfJv4NqZ.js +542 -0
package/dist/service-audit-Bw3M2OEI.js +542 -0
package/dist/shared-5SH-45AX.js +74 -0
package/dist/shared-BxRm5uLU.js +74 -0
package/dist/shared-C80Rmxsd.js +150 -0
package/dist/shared-fGK6_D2v.js +150 -0
package/dist/skills-Bhp0l6UK.js +693 -0
package/dist/skills-Tky2kCMO.js +694 -0
package/dist/skills-cli-6rCClAE4.js +287 -0
package/dist/skills-cli-C4nLCrLw.js +290 -0
package/dist/skills-status-CENcKr3I.js +187 -0
package/dist/skills-status-DX1eUYvk.js +187 -0
package/dist/sqlite-CmdZSZRx.js +197 -0
package/dist/sqlite-Dnmf3LS7.js +215 -0
package/dist/sqlite-QDf0yuU0.js +215 -0
package/dist/status-BSfGAp2D.js +27 -0
package/dist/status-Bp_2NMjt.js +27 -0
package/dist/status-C0ANDr0T.js +3140 -0
package/dist/status-CCHBIZnm.js +21 -0
package/dist/status-Vuqbw2Bb.js +21 -0
package/dist/status.update-BZW5r8Su.js +79 -0
package/dist/status.update-BnD93_O8.js +79 -0
package/dist/subsystem-CAq3uyo7.js +834 -0
package/dist/system-cli-Bb9zmCO1.js +83 -0
package/dist/system-cli-TIIQ04ls.js +80 -0
package/dist/systemd-0Qa_nGqe.js +438 -0
package/dist/systemd-Czb0Xsm7.js +438 -0
package/dist/systemd-hints-CWoEOQRb.js +19 -0
package/dist/systemd-hints-Cv3RN_mZ.js +19 -0
package/dist/systemd-linger-CsdvcIoS.js +75 -0
package/dist/systemd-linger-DKUFHcLn.js +75 -0
package/dist/table-DNPESyNj.js +279 -0
package/dist/table-DS4-gmkV.js +279 -0
package/dist/tailnet-Bg_vE5qi.js +42 -0
package/dist/tailnet-CrNWlQRJ.js +42 -0
package/dist/tailscale-CBv58toW.js +252 -0
package/dist/tailscale-DCnMs7_q.js +225 -0
package/dist/tool-display-BEACy9rK.js +795 -0
package/dist/tool-display-NYQnSpdo.js +795 -0
package/dist/transcript-events-CsB1Saa6.js +17 -0
package/dist/transcript-events-DDYvbmRV.js +17 -0
package/dist/transcript-events-JLH5W4He.js +17 -0
package/dist/tui--NY0rnjr.js +2542 -0
package/dist/tui-DqJfGtvM.js +2543 -0
package/dist/tui-cli-BuHNY6wF.js +54 -0
package/dist/tui-cli-LMFV982e.js +57 -0
package/dist/update-CRpHtCgz.js +317 -0
package/dist/update-D3qruxhj.js +317 -0
package/dist/update-cli-CFF-pslM.js +948 -0
package/dist/update-cli-cn9pEMX7.js +951 -0
package/dist/update-runner-CxGU142L.js +1221 -0
package/dist/update-runner-DNobz_ft.js +1221 -0
package/dist/utils-CKSrBNwq.js +192 -0
package/dist/utils-DX85MiPR.js +188 -0
package/dist/webhooks-cli-BGtt2HAR.js +312 -0
package/dist/webhooks-cli-DHLZrEO_.js +309 -0
package/dist/widearea-dns-BpG7ATO8.js +127 -0
package/dist/widearea-dns-D4wkCJly.js +127 -0
package/dist/ws-3zr8WUwL.js +13 -0
package/dist/ws-log-BXcT2xQk.js +267 -0
package/dist/ws-log-DbDIUsgz.js +267 -0
package/dist/ws-lzrgabja.js +13 -0
package/dist/wsl-D2O2qOrl.js +160 -0
package/docs/.i18n/README.md +31 -0
package/docs/.i18n/glossary.zh-CN.json +190 -0
package/docs/.i18n/zh-CN.tm.jsonl +1329 -0
package/docs/CNAME +1 -0
package/docs/_config.yml +53 -0
package/docs/_layouts/default.html +145 -0
package/docs/assets/markdown.css +179 -0
package/docs/assets/openclaw-logo-text-dark.png +0 -0
package/docs/assets/openclaw-logo-text.png +0 -0
package/docs/assets/pixel-lobster.svg +60 -0
package/docs/assets/showcase/agents-ui.jpg +0 -0
package/docs/assets/showcase/bambu-cli.png +0 -0
package/docs/assets/showcase/codexmonitor.png +0 -0
package/docs/assets/showcase/gohome-grafana.png +0 -0
package/docs/assets/showcase/ios-testflight.jpg +0 -0
package/docs/assets/showcase/oura-health.png +0 -0
package/docs/assets/showcase/padel-cli.svg +11 -0
package/docs/assets/showcase/padel-screenshot.jpg +0 -0
package/docs/assets/showcase/papla-tts.jpg +0 -0
package/docs/assets/showcase/pr-review-telegram.jpg +0 -0
package/docs/assets/showcase/roborock-screenshot.jpg +0 -0
package/docs/assets/showcase/roborock-status.svg +13 -0
package/docs/assets/showcase/roof-camera-sky.jpg +0 -0
package/docs/assets/showcase/snag.png +0 -0
package/docs/assets/showcase/tesco-shop.jpg +0 -0
package/docs/assets/showcase/wienerlinien.png +0 -0
package/docs/assets/showcase/wine-cellar-skill.jpg +0 -0
package/docs/assets/showcase/winix-air-purifier.jpg +0 -0
package/docs/assets/showcase/xuezh-pronunciation.jpeg +0 -0
package/docs/assets/terminal.css +473 -0
package/docs/assets/theme.js +55 -0
package/docs/automation/auth-monitoring.md +44 -0
package/docs/automation/cron-jobs.md +468 -0
package/docs/automation/cron-vs-heartbeat.md +282 -0
package/docs/automation/gmail-pubsub.md +256 -0
package/docs/automation/poll.md +69 -0
package/docs/automation/webhook.md +163 -0
package/docs/bedrock.md +176 -0
package/docs/brave-search.md +41 -0
package/docs/broadcast-groups.md +442 -0
package/docs/channels/bluebubbles.md +338 -0
package/docs/channels/discord.md +475 -0
package/docs/channels/feishu.md +507 -0
package/docs/channels/googlechat.md +250 -0
package/docs/channels/grammy.md +31 -0
package/docs/channels/imessage.md +299 -0
package/docs/channels/index.md +46 -0
package/docs/channels/line.md +186 -0
package/docs/channels/location.md +56 -0
package/docs/channels/matrix.md +233 -0
package/docs/channels/mattermost.md +138 -0
package/docs/channels/msteams.md +768 -0
package/docs/channels/nextcloud-talk.md +136 -0
package/docs/channels/nostr.md +233 -0
package/docs/channels/signal.md +202 -0
package/docs/channels/slack.md +548 -0
package/docs/channels/telegram.md +750 -0
package/docs/channels/tlon.md +132 -0
package/docs/channels/troubleshooting.md +29 -0
package/docs/channels/twitch.md +379 -0
package/docs/channels/whatsapp.md +404 -0
package/docs/channels/zalo.md +189 -0
package/docs/channels/zalouser.md +140 -0
package/docs/cli/acp.md +170 -0
package/docs/cli/agent.md +24 -0
package/docs/cli/agents.md +75 -0
package/docs/cli/approvals.md +50 -0
package/docs/cli/browser.md +107 -0
package/docs/cli/channels.md +79 -0
package/docs/cli/config.md +50 -0
package/docs/cli/configure.md +33 -0
package/docs/cli/cron.md +42 -0
package/docs/cli/dashboard.md +16 -0
package/docs/cli/devices.md +67 -0
package/docs/cli/directory.md +63 -0
package/docs/cli/dns.md +23 -0
package/docs/cli/docs.md +15 -0
package/docs/cli/doctor.md +41 -0
package/docs/cli/gateway.md +199 -0
package/docs/cli/health.md +21 -0
package/docs/cli/hooks.md +304 -0
package/docs/cli/index.md +1029 -0
package/docs/cli/logs.md +24 -0
package/docs/cli/memory.md +45 -0
package/docs/cli/message.md +239 -0
package/docs/cli/models.md +79 -0
package/docs/cli/node.md +112 -0
package/docs/cli/nodes.md +73 -0
package/docs/cli/onboard.md +29 -0
package/docs/cli/pairing.md +21 -0
package/docs/cli/plugins.md +62 -0
package/docs/cli/reset.md +17 -0
package/docs/cli/sandbox.md +152 -0
package/docs/cli/security.md +26 -0
package/docs/cli/sessions.md +16 -0
package/docs/cli/setup.md +29 -0
package/docs/cli/skills.md +26 -0
package/docs/cli/status.md +26 -0
package/docs/cli/system.md +60 -0
package/docs/cli/tui.md +23 -0
package/docs/cli/uninstall.md +17 -0
package/docs/cli/update.md +98 -0
package/docs/cli/voicecall.md +34 -0
package/docs/cli/webhooks.md +25 -0
package/docs/concepts/agent-loop.md +146 -0
package/docs/concepts/agent-workspace.md +233 -0
package/docs/concepts/agent.md +123 -0
package/docs/concepts/architecture.md +129 -0
package/docs/concepts/channel-routing.md +114 -0
package/docs/concepts/compaction.md +61 -0
package/docs/concepts/context.md +161 -0
package/docs/concepts/group-messages.md +84 -0
package/docs/concepts/groups.md +373 -0
package/docs/concepts/markdown-formatting.md +130 -0
package/docs/concepts/memory.md +546 -0
package/docs/concepts/messages.md +154 -0
package/docs/concepts/model-failover.md +149 -0
package/docs/concepts/model-providers.md +316 -0
package/docs/concepts/models.md +208 -0
package/docs/concepts/multi-agent.md +376 -0
package/docs/concepts/oauth.md +145 -0
package/docs/concepts/presence.md +102 -0
package/docs/concepts/queue.md +89 -0
package/docs/concepts/retry.md +69 -0
package/docs/concepts/session-pruning.md +122 -0
package/docs/concepts/session-tool.md +193 -0
package/docs/concepts/session.md +188 -0
package/docs/concepts/sessions.md +10 -0
package/docs/concepts/streaming.md +135 -0
package/docs/concepts/system-prompt.md +115 -0
package/docs/concepts/timezone.md +91 -0
package/docs/concepts/typebox.md +289 -0
package/docs/concepts/typing-indicators.md +68 -0
package/docs/concepts/usage-tracking.md +35 -0
package/docs/date-time.md +128 -0
package/docs/debug/node-issue.md +83 -0
package/docs/debugging.md +162 -0
package/docs/diagnostics/flags.md +91 -0
package/docs/docs.json +1587 -0
package/docs/environment.md +81 -0
package/docs/experiments/onboarding-config-protocol.md +40 -0
package/docs/experiments/plans/cron-add-hardening.md +63 -0
package/docs/experiments/plans/group-policy-hardening.md +40 -0
package/docs/experiments/plans/openresponses-gateway.md +123 -0
package/docs/experiments/proposals/model-config.md +36 -0
package/docs/experiments/research/memory.md +228 -0
package/docs/gateway/authentication.md +145 -0
package/docs/gateway/background-process.md +93 -0
package/docs/gateway/bonjour.md +167 -0
package/docs/gateway/bridge-protocol.md +89 -0
package/docs/gateway/cli-backends.md +223 -0
package/docs/gateway/configuration-examples.md +606 -0
package/docs/gateway/configuration.md +3393 -0
package/docs/gateway/discovery.md +116 -0
package/docs/gateway/doctor.md +282 -0
package/docs/gateway/gateway-lock.md +34 -0
package/docs/gateway/health.md +35 -0
package/docs/gateway/heartbeat.md +302 -0
package/docs/gateway/index.md +328 -0
package/docs/gateway/local-models.md +150 -0
package/docs/gateway/logging.md +113 -0
package/docs/gateway/multiple-gateways.md +112 -0
package/docs/gateway/openai-http-api.md +118 -0
package/docs/gateway/openresponses-http-api.md +317 -0
package/docs/gateway/pairing.md +99 -0
package/docs/gateway/protocol.md +221 -0
package/docs/gateway/remote-gateway-readme.md +157 -0
package/docs/gateway/remote.md +127 -0
package/docs/gateway/sandbox-vs-tool-policy-vs-elevated.md +128 -0
package/docs/gateway/sandboxing.md +193 -0
package/docs/gateway/security/formal-verification.md +164 -0
package/docs/gateway/security/index.md +825 -0
package/docs/gateway/tailscale.md +127 -0
package/docs/gateway/tools-invoke-http-api.md +85 -0
package/docs/gateway/troubleshooting.md +767 -0
package/docs/help/faq.md +2830 -0
package/docs/help/index.md +21 -0
package/docs/help/troubleshooting.md +98 -0
package/docs/hooks/soul-evil.md +69 -0
package/docs/hooks.md +913 -0
package/docs/images/feishu-step2-create-app.png +0 -0
package/docs/images/feishu-step3-credentials.png +0 -0
package/docs/images/feishu-step4-permissions.png +0 -0
package/docs/images/feishu-step5-bot-capability.png +0 -0
package/docs/images/feishu-step6-event-subscription.png +0 -0
package/docs/images/groups-flow.svg +52 -0
package/docs/images/mobile-ui-screenshot.png +0 -0
package/docs/index.md +258 -0
package/docs/install/ansible.md +208 -0
package/docs/install/bun.md +59 -0
package/docs/install/development-channels.md +75 -0
package/docs/install/docker.md +567 -0
package/docs/install/index.md +185 -0
package/docs/install/installer.md +123 -0
package/docs/install/migrating.md +192 -0
package/docs/install/nix.md +96 -0
package/docs/install/node.md +78 -0
package/docs/install/uninstall.md +128 -0
package/docs/install/updating.md +228 -0
package/docs/logging.md +350 -0
package/docs/multi-agent-sandbox-tools.md +395 -0
package/docs/network.md +54 -0
package/docs/nodes/audio.md +114 -0
package/docs/nodes/camera.md +156 -0
package/docs/nodes/images.md +72 -0
package/docs/nodes/index.md +341 -0
package/docs/nodes/location-command.md +113 -0
package/docs/nodes/media-understanding.md +379 -0
package/docs/nodes/talk.md +90 -0
package/docs/nodes/voicewake.md +65 -0
package/docs/northflank.mdx +53 -0
package/docs/perplexity.md +80 -0
package/docs/pi-dev.md +70 -0
package/docs/pi.md +612 -0
package/docs/platforms/android.md +148 -0
package/docs/platforms/digitalocean.md +262 -0
package/docs/platforms/exe-dev.md +125 -0
package/docs/platforms/fly.md +486 -0
package/docs/platforms/gcp.md +503 -0
package/docs/platforms/hetzner.md +330 -0
package/docs/platforms/index.md +53 -0
package/docs/platforms/ios.md +107 -0
package/docs/platforms/linux.md +94 -0
package/docs/platforms/mac/bundled-gateway.md +73 -0
package/docs/platforms/mac/canvas.md +125 -0
package/docs/platforms/mac/child-process.md +69 -0
package/docs/platforms/mac/dev-setup.md +102 -0
package/docs/platforms/mac/health.md +34 -0
package/docs/platforms/mac/icon.md +31 -0
package/docs/platforms/mac/logging.md +57 -0
package/docs/platforms/mac/menu-bar.md +81 -0
package/docs/platforms/mac/peekaboo.md +65 -0
package/docs/platforms/mac/permissions.md +44 -0
package/docs/platforms/mac/release.md +85 -0
package/docs/platforms/mac/remote.md +83 -0
package/docs/platforms/mac/signing.md +47 -0
package/docs/platforms/mac/skills.md +33 -0
package/docs/platforms/mac/voice-overlay.md +60 -0
package/docs/platforms/mac/voicewake.md +67 -0
package/docs/platforms/mac/webchat.md +41 -0
package/docs/platforms/mac/xpc.md +61 -0
package/docs/platforms/macos-vm.md +281 -0
package/docs/platforms/macos.md +203 -0
package/docs/platforms/oracle.md +303 -0
package/docs/platforms/raspberry-pi.md +358 -0
package/docs/platforms/windows.md +159 -0
package/docs/plugin.md +664 -0
package/docs/plugins/agent-tools.md +99 -0
package/docs/plugins/manifest.md +71 -0
package/docs/plugins/voice-call.md +284 -0
package/docs/plugins/zalouser.md +81 -0
package/docs/prose.md +134 -0
package/docs/providers/anthropic.md +152 -0
package/docs/providers/claude-max-api-proxy.md +148 -0
package/docs/providers/cloudflare-ai-gateway.md +71 -0
package/docs/providers/deepgram.md +93 -0
package/docs/providers/github-copilot.md +72 -0
package/docs/providers/glm.md +33 -0
package/docs/providers/index.md +63 -0
package/docs/providers/minimax.md +208 -0
package/docs/providers/models.md +51 -0
package/docs/providers/moonshot.md +142 -0
package/docs/providers/ollama.md +223 -0
package/docs/providers/openai.md +62 -0
package/docs/providers/opencode.md +36 -0
package/docs/providers/openrouter.md +37 -0
package/docs/providers/qwen.md +53 -0
package/docs/providers/synthetic.md +99 -0
package/docs/providers/venice.md +267 -0
package/docs/providers/vercel-ai-gateway.md +50 -0
package/docs/providers/xiaomi.md +64 -0
package/docs/providers/zai.md +36 -0
package/docs/railway.mdx +99 -0
package/docs/refactor/clawnet.md +417 -0
package/docs/refactor/exec-host.md +316 -0
package/docs/refactor/outbound-session-mirroring.md +85 -0
package/docs/refactor/plugin-sdk.md +214 -0
package/docs/refactor/strict-config.md +93 -0
package/docs/reference/AGENTS.default.md +124 -0
package/docs/reference/RELEASING.md +120 -0
package/docs/reference/api-usage-costs.md +137 -0
package/docs/reference/device-models.md +47 -0
package/docs/reference/rpc.md +43 -0
package/docs/reference/session-management-compaction.md +285 -0
package/docs/reference/templates/AGENTS.dev.md +83 -0
package/docs/reference/templates/AGENTS.md +218 -0
package/docs/reference/templates/BOOT.md +10 -0
package/docs/reference/templates/BOOTSTRAP.md +61 -0
package/docs/reference/templates/HEARTBEAT.md +11 -0
package/docs/reference/templates/IDENTITY.dev.md +47 -0
package/docs/reference/templates/IDENTITY.md +27 -0
package/docs/reference/templates/SOUL.dev.md +76 -0
package/docs/reference/templates/SOUL.md +42 -0
package/docs/reference/templates/TOOLS.dev.md +24 -0
package/docs/reference/templates/TOOLS.md +46 -0
package/docs/reference/templates/USER.dev.md +18 -0
package/docs/reference/templates/USER.md +22 -0
package/docs/reference/test.md +50 -0
package/docs/reference/transcript-hygiene.md +129 -0
package/docs/render.mdx +165 -0
package/docs/scripts.md +28 -0
package/docs/security/formal-verification.md +164 -0
package/docs/start/getting-started.md +208 -0
package/docs/start/hubs.md +185 -0
package/docs/start/lore.md +219 -0
package/docs/start/onboarding.md +110 -0
package/docs/start/openclaw.md +241 -0
package/docs/start/pairing.md +86 -0
package/docs/start/setup.md +149 -0
package/docs/start/showcase.md +416 -0
package/docs/start/wizard.md +349 -0
package/docs/testing.md +368 -0
package/docs/token-use.md +112 -0
package/docs/tools/agent-send.md +53 -0
package/docs/tools/apply-patch.md +50 -0
package/docs/tools/browser-linux-troubleshooting.md +139 -0
package/docs/tools/browser-login.md +68 -0
package/docs/tools/browser.md +576 -0
package/docs/tools/chrome-extension.md +178 -0
package/docs/tools/clawhub.md +257 -0
package/docs/tools/creating-skills.md +54 -0
package/docs/tools/elevated.md +57 -0
package/docs/tools/exec-approvals.md +246 -0
package/docs/tools/exec.md +179 -0
package/docs/tools/firecrawl.md +61 -0
package/docs/tools/index.md +509 -0
package/docs/tools/llm-task.md +115 -0
package/docs/tools/lobster.md +342 -0
package/docs/tools/reactions.md +22 -0
package/docs/tools/skills-config.md +76 -0
package/docs/tools/skills.md +300 -0
package/docs/tools/slash-commands.md +198 -0
package/docs/tools/subagents.md +151 -0
package/docs/tools/thinking.md +73 -0
package/docs/tools/web.md +261 -0
package/docs/tts.md +396 -0
package/docs/tui.md +159 -0
package/docs/vps.md +43 -0
package/docs/web/control-ui.md +221 -0
package/docs/web/dashboard.md +46 -0
package/docs/web/index.md +116 -0
package/docs/web/webchat.md +49 -0
package/docs/whatsapp-openclaw-ai-zh.jpg +0 -0
package/docs/whatsapp-openclaw.jpg +0 -0
package/docs/zh-CN/AGENTS.md +59 -0
package/docs/zh-CN/automation/auth-monitoring.md +47 -0
package/docs/zh-CN/automation/cron-jobs.md +424 -0
package/docs/zh-CN/automation/cron-vs-heartbeat.md +286 -0
package/docs/zh-CN/automation/gmail-pubsub.md +249 -0
package/docs/zh-CN/automation/poll.md +76 -0
package/docs/zh-CN/automation/webhook.md +163 -0
package/docs/zh-CN/bedrock.md +170 -0
package/docs/zh-CN/brave-search.md +48 -0
package/docs/zh-CN/broadcast-groups.md +449 -0
package/docs/zh-CN/channels/bluebubbles.md +271 -0
package/docs/zh-CN/channels/discord.md +468 -0
package/docs/zh-CN/channels/feishu.md +513 -0
package/docs/zh-CN/channels/googlechat.md +257 -0
package/docs/zh-CN/channels/grammy.md +38 -0
package/docs/zh-CN/channels/imessage.md +302 -0
package/docs/zh-CN/channels/index.md +53 -0
package/docs/zh-CN/channels/line.md +180 -0
package/docs/zh-CN/channels/location.md +63 -0
package/docs/zh-CN/channels/matrix.md +221 -0
package/docs/zh-CN/channels/mattermost.md +144 -0
package/docs/zh-CN/channels/msteams.md +775 -0
package/docs/zh-CN/channels/nextcloud-talk.md +142 -0
package/docs/zh-CN/channels/nostr.md +240 -0
package/docs/zh-CN/channels/signal.md +209 -0
package/docs/zh-CN/channels/slack.md +531 -0
package/docs/zh-CN/channels/telegram.md +751 -0
package/docs/zh-CN/channels/tlon.md +136 -0
package/docs/zh-CN/channels/troubleshooting.md +36 -0
package/docs/zh-CN/channels/twitch.md +385 -0
package/docs/zh-CN/channels/whatsapp.md +411 -0
package/docs/zh-CN/channels/zalo.md +196 -0
package/docs/zh-CN/channels/zalouser.md +147 -0
package/docs/zh-CN/cli/acp.md +173 -0
package/docs/zh-CN/cli/agent.md +30 -0
package/docs/zh-CN/cli/agents.md +82 -0
package/docs/zh-CN/cli/approvals.md +57 -0
package/docs/zh-CN/cli/browser.md +114 -0
package/docs/zh-CN/cli/channels.md +86 -0
package/docs/zh-CN/cli/config.md +57 -0
package/docs/zh-CN/cli/configure.md +38 -0
package/docs/zh-CN/cli/cron.md +43 -0
package/docs/zh-CN/cli/dashboard.md +23 -0
package/docs/zh-CN/cli/devices.md +74 -0
package/docs/zh-CN/cli/directory.md +70 -0
package/docs/zh-CN/cli/dns.md +30 -0
package/docs/zh-CN/cli/docs.md +22 -0
package/docs/zh-CN/cli/doctor.md +48 -0
package/docs/zh-CN/cli/gateway.md +206 -0
package/docs/zh-CN/cli/health.md +28 -0
package/docs/zh-CN/cli/hooks.md +311 -0
package/docs/zh-CN/cli/index.md +1032 -0
package/docs/zh-CN/cli/logs.md +31 -0
package/docs/zh-CN/cli/memory.md +52 -0
package/docs/zh-CN/cli/message.md +246 -0
package/docs/zh-CN/cli/models.md +85 -0
package/docs/zh-CN/cli/node.md +115 -0
package/docs/zh-CN/cli/nodes.md +80 -0
package/docs/zh-CN/cli/onboard.md +36 -0
package/docs/zh-CN/cli/pairing.md +28 -0
package/docs/zh-CN/cli/plugins.md +66 -0
package/docs/zh-CN/cli/reset.md +24 -0
package/docs/zh-CN/cli/sandbox.md +158 -0
package/docs/zh-CN/cli/security.md +33 -0
package/docs/zh-CN/cli/sessions.md +23 -0
package/docs/zh-CN/cli/setup.md +36 -0
package/docs/zh-CN/cli/skills.md +33 -0
package/docs/zh-CN/cli/status.md +33 -0
package/docs/zh-CN/cli/system.md +63 -0
package/docs/zh-CN/cli/tui.md +30 -0
package/docs/zh-CN/cli/uninstall.md +24 -0
package/docs/zh-CN/cli/update.md +101 -0
package/docs/zh-CN/cli/voicecall.md +41 -0
package/docs/zh-CN/cli/webhooks.md +32 -0
package/docs/zh-CN/concepts/agent-loop.md +146 -0
package/docs/zh-CN/concepts/agent-workspace.md +219 -0
package/docs/zh-CN/concepts/agent.md +115 -0
package/docs/zh-CN/concepts/architecture.md +123 -0
package/docs/zh-CN/concepts/channel-routing.md +117 -0
package/docs/zh-CN/concepts/compaction.md +67 -0
package/docs/zh-CN/concepts/context.md +168 -0
package/docs/zh-CN/concepts/group-messages.md +91 -0
package/docs/zh-CN/concepts/groups.md +379 -0
package/docs/zh-CN/concepts/markdown-formatting.md +117 -0
package/docs/zh-CN/concepts/memory.md +412 -0
package/docs/zh-CN/concepts/messages.md +141 -0
package/docs/zh-CN/concepts/model-failover.md +145 -0
package/docs/zh-CN/concepts/model-providers.md +320 -0
package/docs/zh-CN/concepts/models.md +196 -0
package/docs/zh-CN/concepts/multi-agent.md +372 -0
package/docs/zh-CN/concepts/oauth.md +151 -0
package/docs/zh-CN/concepts/presence.md +99 -0
package/docs/zh-CN/concepts/queue.md +94 -0
package/docs/zh-CN/concepts/retry.md +76 -0
package/docs/zh-CN/concepts/session-pruning.md +129 -0
package/docs/zh-CN/concepts/session-tool.md +200 -0
package/docs/zh-CN/concepts/session.md +166 -0
package/docs/zh-CN/concepts/sessions.md +17 -0
package/docs/zh-CN/concepts/streaming.md +133 -0
package/docs/zh-CN/concepts/system-prompt.md +101 -0
package/docs/zh-CN/concepts/timezone.md +96 -0
package/docs/zh-CN/concepts/typebox.md +284 -0
package/docs/zh-CN/concepts/typing-indicators.md +74 -0
package/docs/zh-CN/concepts/usage-tracking.md +42 -0
package/docs/zh-CN/date-time.md +129 -0
package/docs/zh-CN/debug/node-issue.md +90 -0
package/docs/zh-CN/debugging.md +160 -0
package/docs/zh-CN/diagnostics/flags.md +98 -0
package/docs/zh-CN/environment.md +88 -0
package/docs/zh-CN/experiments/onboarding-config-protocol.md +47 -0
package/docs/zh-CN/experiments/plans/cron-add-hardening.md +70 -0
package/docs/zh-CN/experiments/plans/group-policy-hardening.md +45 -0
package/docs/zh-CN/experiments/plans/openresponses-gateway.md +121 -0
package/docs/zh-CN/experiments/proposals/model-config.md +42 -0
package/docs/zh-CN/experiments/research/memory.md +235 -0
package/docs/zh-CN/gateway/authentication.md +142 -0
package/docs/zh-CN/gateway/background-process.md +100 -0
package/docs/zh-CN/gateway/bonjour.md +174 -0
package/docs/zh-CN/gateway/bridge-protocol.md +86 -0
package/docs/zh-CN/gateway/cli-backends.md +213 -0
package/docs/zh-CN/gateway/configuration-examples.md +587 -0
package/docs/zh-CN/gateway/configuration.md +3332 -0
package/docs/zh-CN/gateway/discovery.md +123 -0
package/docs/zh-CN/gateway/doctor.md +238 -0
package/docs/zh-CN/gateway/gateway-lock.md +41 -0
package/docs/zh-CN/gateway/health.md +42 -0
package/docs/zh-CN/gateway/heartbeat.md +274 -0
package/docs/zh-CN/gateway/index.md +335 -0
package/docs/zh-CN/gateway/local-models.md +157 -0
package/docs/zh-CN/gateway/logging.md +114 -0
package/docs/zh-CN/gateway/multiple-gateways.md +119 -0
package/docs/zh-CN/gateway/openai-http-api.md +125 -0
package/docs/zh-CN/gateway/openresponses-http-api.md +317 -0
package/docs/zh-CN/gateway/pairing.md +99 -0
package/docs/zh-CN/gateway/protocol.md +220 -0
package/docs/zh-CN/gateway/remote-gateway-readme.md +164 -0
package/docs/zh-CN/gateway/remote.md +133 -0
package/docs/zh-CN/gateway/sandbox-vs-tool-policy-vs-elevated.md +135 -0
package/docs/zh-CN/gateway/sandboxing.md +188 -0
package/docs/zh-CN/gateway/security/formal-verification.md +169 -0
package/docs/zh-CN/gateway/security/index.md +777 -0
package/docs/zh-CN/gateway/tailscale.md +124 -0
package/docs/zh-CN/gateway/tools-invoke-http-api.md +92 -0
package/docs/zh-CN/gateway/troubleshooting.md +771 -0
package/docs/zh-CN/help/faq.md +2628 -0
package/docs/zh-CN/help/index.md +28 -0
package/docs/zh-CN/help/troubleshooting.md +104 -0
package/docs/zh-CN/hooks/soul-evil.md +72 -0
package/docs/zh-CN/hooks.md +919 -0
package/docs/zh-CN/index.md +264 -0
package/docs/zh-CN/install/ansible.md +215 -0
package/docs/zh-CN/install/bun.md +65 -0
package/docs/zh-CN/install/development-channels.md +81 -0
package/docs/zh-CN/install/docker.md +532 -0
package/docs/zh-CN/install/index.md +193 -0
package/docs/zh-CN/install/installer.md +128 -0
package/docs/zh-CN/install/migrating.md +199 -0
package/docs/zh-CN/install/nix.md +99 -0
package/docs/zh-CN/install/node.md +85 -0
package/docs/zh-CN/install/uninstall.md +135 -0
package/docs/zh-CN/install/updating.md +233 -0
package/docs/zh-CN/logging.md +329 -0
package/docs/zh-CN/multi-agent-sandbox-tools.md +401 -0
package/docs/zh-CN/network.md +59 -0
package/docs/zh-CN/nodes/audio.md +120 -0
package/docs/zh-CN/nodes/camera.md +162 -0
package/docs/zh-CN/nodes/images.md +79 -0
package/docs/zh-CN/nodes/index.md +348 -0
package/docs/zh-CN/nodes/location-command.md +120 -0
package/docs/zh-CN/nodes/media-understanding.md +380 -0
package/docs/zh-CN/nodes/talk.md +97 -0
package/docs/zh-CN/nodes/voicewake.md +72 -0
package/docs/zh-CN/northflank.mdx +60 -0
package/docs/zh-CN/perplexity.md +84 -0
package/docs/zh-CN/pi-dev.md +77 -0
package/docs/zh-CN/pi.md +619 -0
package/docs/zh-CN/platforms/android.md +155 -0
package/docs/zh-CN/platforms/digitalocean.md +269 -0
package/docs/zh-CN/platforms/exe-dev.md +127 -0
package/docs/zh-CN/platforms/fly.md +490 -0
package/docs/zh-CN/platforms/gcp.md +510 -0
package/docs/zh-CN/platforms/hetzner.md +337 -0
package/docs/zh-CN/platforms/index.md +60 -0
package/docs/zh-CN/platforms/ios.md +114 -0
package/docs/zh-CN/platforms/linux.md +101 -0
package/docs/zh-CN/platforms/mac/bundled-gateway.md +75 -0
package/docs/zh-CN/platforms/mac/canvas.md +128 -0
package/docs/zh-CN/platforms/mac/child-process.md +73 -0
package/docs/zh-CN/platforms/mac/dev-setup.md +109 -0
package/docs/zh-CN/platforms/mac/health.md +41 -0
package/docs/zh-CN/platforms/mac/icon.md +38 -0
package/docs/zh-CN/platforms/mac/logging.md +64 -0
package/docs/zh-CN/platforms/mac/menu-bar.md +88 -0
package/docs/zh-CN/platforms/mac/peekaboo.md +62 -0
package/docs/zh-CN/platforms/mac/permissions.md +46 -0
package/docs/zh-CN/platforms/mac/release.md +92 -0
package/docs/zh-CN/platforms/mac/remote.md +90 -0
package/docs/zh-CN/platforms/mac/signing.md +54 -0
package/docs/zh-CN/platforms/mac/skills.md +40 -0
package/docs/zh-CN/platforms/mac/voice-overlay.md +67 -0
package/docs/zh-CN/platforms/mac/voicewake.md +74 -0
package/docs/zh-CN/platforms/mac/webchat.md +43 -0
package/docs/zh-CN/platforms/mac/xpc.md +68 -0
package/docs/zh-CN/platforms/macos-vm.md +288 -0
package/docs/zh-CN/platforms/macos.md +193 -0
package/docs/zh-CN/platforms/oracle.md +310 -0
package/docs/zh-CN/platforms/raspberry-pi.md +365 -0
package/docs/zh-CN/platforms/windows.md +156 -0
package/docs/zh-CN/plugin.md +639 -0
package/docs/zh-CN/plugins/agent-tools.md +99 -0
package/docs/zh-CN/plugins/manifest.md +68 -0
package/docs/zh-CN/plugins/voice-call.md +250 -0
package/docs/zh-CN/plugins/zalouser.md +88 -0
package/docs/zh-CN/prose.md +141 -0
package/docs/zh-CN/providers/anthropic.md +159 -0
package/docs/zh-CN/providers/claude-max-api-proxy.md +155 -0
package/docs/zh-CN/providers/deepgram.md +97 -0
package/docs/zh-CN/providers/github-copilot.md +67 -0
package/docs/zh-CN/providers/glm.md +39 -0
package/docs/zh-CN/providers/index.md +68 -0
package/docs/zh-CN/providers/minimax.md +206 -0
package/docs/zh-CN/providers/models.md +55 -0
package/docs/zh-CN/providers/moonshot.md +145 -0
package/docs/zh-CN/providers/ollama.md +230 -0
package/docs/zh-CN/providers/openai.md +68 -0
package/docs/zh-CN/providers/opencode.md +41 -0
package/docs/zh-CN/providers/openrouter.md +43 -0
package/docs/zh-CN/providers/qwen.md +55 -0
package/docs/zh-CN/providers/synthetic.md +102 -0
package/docs/zh-CN/providers/venice.md +274 -0
package/docs/zh-CN/providers/vercel-ai-gateway.md +57 -0
package/docs/zh-CN/providers/xiaomi.md +68 -0
package/docs/zh-CN/providers/zai.md +41 -0
package/docs/zh-CN/railway.mdx +106 -0
package/docs/zh-CN/refactor/clawnet.md +424 -0
package/docs/zh-CN/refactor/exec-host.md +323 -0
package/docs/zh-CN/refactor/outbound-session-mirroring.md +92 -0
package/docs/zh-CN/refactor/plugin-sdk.md +221 -0
package/docs/zh-CN/refactor/strict-config.md +100 -0
package/docs/zh-CN/reference/AGENTS.default.md +131 -0
package/docs/zh-CN/reference/RELEASING.md +123 -0
package/docs/zh-CN/reference/api-usage-costs.md +136 -0
package/docs/zh-CN/reference/device-models.md +54 -0
package/docs/zh-CN/reference/rpc.md +48 -0
package/docs/zh-CN/reference/session-management-compaction.md +287 -0
package/docs/zh-CN/reference/templates/AGENTS.dev.md +89 -0
package/docs/zh-CN/reference/templates/AGENTS.md +225 -0
package/docs/zh-CN/reference/templates/BOOT.md +17 -0
package/docs/zh-CN/reference/templates/BOOTSTRAP.md +68 -0
package/docs/zh-CN/reference/templates/HEARTBEAT.md +18 -0
package/docs/zh-CN/reference/templates/IDENTITY.dev.md +54 -0
package/docs/zh-CN/reference/templates/IDENTITY.md +35 -0
package/docs/zh-CN/reference/templates/SOUL.dev.md +83 -0
package/docs/zh-CN/reference/templates/SOUL.md +49 -0
package/docs/zh-CN/reference/templates/TOOLS.dev.md +31 -0
package/docs/zh-CN/reference/templates/TOOLS.md +53 -0
package/docs/zh-CN/reference/templates/USER.dev.md +25 -0
package/docs/zh-CN/reference/templates/USER.md +30 -0
package/docs/zh-CN/reference/test.md +57 -0
package/docs/zh-CN/reference/transcript-hygiene.md +109 -0
package/docs/zh-CN/render.mdx +169 -0
package/docs/zh-CN/scripts.md +35 -0
package/docs/zh-CN/security/formal-verification.md +171 -0
package/docs/zh-CN/start/getting-started.md +206 -0
package/docs/zh-CN/start/hubs.md +191 -0
package/docs/zh-CN/start/lore.md +226 -0
package/docs/zh-CN/start/onboarding.md +105 -0
package/docs/zh-CN/start/openclaw.md +248 -0
package/docs/zh-CN/start/pairing.md +89 -0
package/docs/zh-CN/start/setup.md +153 -0
package/docs/zh-CN/start/showcase.md +423 -0
package/docs/zh-CN/start/wizard.md +331 -0
package/docs/zh-CN/testing.md +375 -0
package/docs/zh-CN/token-use.md +119 -0
package/docs/zh-CN/tools/agent-send.md +59 -0
package/docs/zh-CN/tools/apply-patch.md +57 -0
package/docs/zh-CN/tools/browser-linux-troubleshooting.md +144 -0
package/docs/zh-CN/tools/browser-login.md +75 -0
package/docs/zh-CN/tools/browser.md +553 -0
package/docs/zh-CN/tools/chrome-extension.md +183 -0
package/docs/zh-CN/tools/clawhub.md +209 -0
package/docs/zh-CN/tools/creating-skills.md +61 -0
package/docs/zh-CN/tools/elevated.md +64 -0
package/docs/zh-CN/tools/exec-approvals.md +234 -0
package/docs/zh-CN/tools/exec.md +169 -0
package/docs/zh-CN/tools/firecrawl.md +68 -0
package/docs/zh-CN/tools/index.md +515 -0
package/docs/zh-CN/tools/llm-task.md +117 -0
package/docs/zh-CN/tools/lobster.md +349 -0
package/docs/zh-CN/tools/reactions.md +29 -0
package/docs/zh-CN/tools/skills-config.md +78 -0
package/docs/zh-CN/tools/skills.md +279 -0
package/docs/zh-CN/tools/slash-commands.md +205 -0
package/docs/zh-CN/tools/subagents.md +156 -0
package/docs/zh-CN/tools/thinking.md +80 -0
package/docs/zh-CN/tools/web.md +257 -0
package/docs/zh-CN/tts.md +375 -0
package/docs/zh-CN/tui.md +166 -0
package/docs/zh-CN/vps.md +47 -0
package/docs/zh-CN/web/control-ui.md +191 -0
package/docs/zh-CN/web/dashboard.md +53 -0
package/docs/zh-CN/web/index.md +118 -0
package/docs/zh-CN/web/webchat.md +56 -0
package/extensions/bluebubbles/README.md +45 -0
package/extensions/bluebubbles/index.ts +19 -0
package/extensions/bluebubbles/node_modules/.bin/openclaw +21 -0
package/extensions/bluebubbles/openclaw.plugin.json +9 -0
package/extensions/bluebubbles/package.json +36 -0
package/extensions/bluebubbles/src/accounts.ts +88 -0
package/extensions/bluebubbles/src/actions.test.ts +650 -0
package/extensions/bluebubbles/src/actions.ts +438 -0
package/extensions/bluebubbles/src/attachments.test.ts +345 -0
package/extensions/bluebubbles/src/attachments.ts +300 -0
package/extensions/bluebubbles/src/channel.ts +414 -0
package/extensions/bluebubbles/src/chat.test.ts +461 -0
package/extensions/bluebubbles/src/chat.ts +378 -0
package/extensions/bluebubbles/src/config-schema.ts +51 -0
package/extensions/bluebubbles/src/media-send.ts +174 -0
package/extensions/bluebubbles/src/monitor.test.ts +2342 -0
package/extensions/bluebubbles/src/monitor.ts +2490 -0
package/extensions/bluebubbles/src/onboarding.ts +352 -0
package/extensions/bluebubbles/src/probe.ts +135 -0
package/extensions/bluebubbles/src/reactions.test.ts +392 -0
package/extensions/bluebubbles/src/reactions.ts +188 -0
package/extensions/bluebubbles/src/runtime.ts +14 -0
package/extensions/bluebubbles/src/send.test.ts +808 -0
package/extensions/bluebubbles/src/send.ts +467 -0
package/extensions/bluebubbles/src/targets.test.ts +183 -0
package/extensions/bluebubbles/src/targets.ts +422 -0
package/extensions/bluebubbles/src/types.ts +127 -0
package/extensions/copilot-proxy/README.md +24 -0
package/extensions/copilot-proxy/index.ts +148 -0
package/extensions/copilot-proxy/node_modules/.bin/openclaw +21 -0
package/extensions/copilot-proxy/openclaw.plugin.json +9 -0
package/extensions/copilot-proxy/package.json +14 -0
package/extensions/diagnostics-otel/index.ts +15 -0
package/extensions/diagnostics-otel/node_modules/.bin/openclaw +21 -0
package/extensions/diagnostics-otel/openclaw.plugin.json +8 -0
package/extensions/diagnostics-otel/package.json +27 -0
package/extensions/diagnostics-otel/src/service.test.ts +226 -0
package/extensions/diagnostics-otel/src/service.ts +635 -0
package/extensions/discord/index.ts +17 -0
package/extensions/discord/node_modules/.bin/openclaw +21 -0
package/extensions/discord/openclaw.plugin.json +9 -0
package/extensions/discord/package.json +14 -0
package/extensions/discord/src/channel.ts +422 -0
package/extensions/discord/src/runtime.ts +14 -0
package/extensions/feishu/README.md +47 -0
package/extensions/feishu/index.ts +15 -0
package/extensions/feishu/node_modules/.bin/openclaw +21 -0
package/extensions/feishu/openclaw.plugin.json +9 -0
package/extensions/feishu/package.json +33 -0
package/extensions/feishu/src/channel.ts +276 -0
package/extensions/feishu/src/config-schema.ts +46 -0
package/extensions/feishu/src/onboarding.ts +278 -0
package/extensions/google-antigravity-auth/README.md +24 -0
package/extensions/google-antigravity-auth/index.ts +461 -0
package/extensions/google-antigravity-auth/node_modules/.bin/openclaw +21 -0
package/extensions/google-antigravity-auth/openclaw.plugin.json +9 -0
package/extensions/google-antigravity-auth/package.json +14 -0
package/extensions/google-gemini-cli-auth/README.md +35 -0
package/extensions/google-gemini-cli-auth/index.ts +88 -0
package/extensions/google-gemini-cli-auth/node_modules/.bin/openclaw +21 -0
package/extensions/google-gemini-cli-auth/oauth.test.ts +240 -0
package/extensions/google-gemini-cli-auth/oauth.ts +662 -0
package/extensions/google-gemini-cli-auth/openclaw.plugin.json +9 -0
package/extensions/google-gemini-cli-auth/package.json +14 -0
package/extensions/googlechat/index.ts +19 -0
package/extensions/googlechat/node_modules/.bin/openclaw +21 -0
package/extensions/googlechat/openclaw.plugin.json +9 -0
package/extensions/googlechat/package.json +39 -0
package/extensions/googlechat/src/accounts.ts +147 -0
package/extensions/googlechat/src/actions.ts +181 -0
package/extensions/googlechat/src/api.test.ts +61 -0
package/extensions/googlechat/src/api.ts +282 -0
package/extensions/googlechat/src/auth.ts +123 -0
package/extensions/googlechat/src/channel.ts +583 -0
package/extensions/googlechat/src/monitor.test.ts +22 -0
package/extensions/googlechat/src/monitor.ts +949 -0
package/extensions/googlechat/src/onboarding.ts +269 -0
package/extensions/googlechat/src/runtime.ts +14 -0
package/extensions/googlechat/src/targets.test.ts +32 -0
package/extensions/googlechat/src/targets.ts +65 -0
package/extensions/googlechat/src/types.config.ts +3 -0
package/extensions/googlechat/src/types.ts +73 -0
package/extensions/imessage/index.ts +17 -0
package/extensions/imessage/node_modules/.bin/openclaw +21 -0
package/extensions/imessage/openclaw.plugin.json +9 -0
package/extensions/imessage/package.json +14 -0
package/extensions/imessage/src/channel.ts +294 -0
package/extensions/imessage/src/runtime.ts +14 -0
package/extensions/line/index.ts +19 -0
package/extensions/line/node_modules/.bin/openclaw +21 -0
package/extensions/line/openclaw.plugin.json +9 -0
package/extensions/line/package.json +29 -0
package/extensions/line/src/card-command.ts +344 -0
package/extensions/line/src/channel.logout.test.ts +99 -0
package/extensions/line/src/channel.sendPayload.test.ts +306 -0
package/extensions/line/src/channel.ts +780 -0
package/extensions/line/src/runtime.ts +14 -0
package/extensions/llm-task/README.md +97 -0
package/extensions/llm-task/index.ts +6 -0
package/extensions/llm-task/node_modules/.bin/openclaw +21 -0
package/extensions/llm-task/openclaw.plugin.json +21 -0
package/extensions/llm-task/package.json +14 -0
package/extensions/llm-task/src/llm-task-tool.test.ts +138 -0
package/extensions/llm-task/src/llm-task-tool.ts +245 -0
package/extensions/lobster/README.md +75 -0
package/extensions/lobster/SKILL.md +97 -0
package/extensions/lobster/index.ts +14 -0
package/extensions/lobster/node_modules/.bin/openclaw +21 -0
package/extensions/lobster/openclaw.plugin.json +10 -0
package/extensions/lobster/package.json +14 -0
package/extensions/lobster/src/lobster-tool.test.ts +247 -0
package/extensions/lobster/src/lobster-tool.ts +328 -0
package/extensions/matrix/CHANGELOG.md +87 -0
package/extensions/matrix/index.ts +17 -0
package/extensions/matrix/node_modules/.bin/markdown-it +21 -0
package/extensions/matrix/node_modules/.bin/openclaw +21 -0
package/extensions/matrix/openclaw.plugin.json +9 -0
package/extensions/matrix/package.json +36 -0
package/extensions/matrix/src/actions.ts +195 -0
package/extensions/matrix/src/channel.directory.test.ts +64 -0
package/extensions/matrix/src/channel.ts +439 -0
package/extensions/matrix/src/config-schema.ts +62 -0
package/extensions/matrix/src/directory-live.ts +188 -0
package/extensions/matrix/src/group-mentions.ts +66 -0
package/extensions/matrix/src/matrix/accounts.test.ts +82 -0
package/extensions/matrix/src/matrix/accounts.ts +65 -0
package/extensions/matrix/src/matrix/actions/client.ts +57 -0
package/extensions/matrix/src/matrix/actions/messages.ts +128 -0
package/extensions/matrix/src/matrix/actions/pins.ts +76 -0
package/extensions/matrix/src/matrix/actions/reactions.ts +96 -0
package/extensions/matrix/src/matrix/actions/room.ts +85 -0
package/extensions/matrix/src/matrix/actions/summary.ts +75 -0
package/extensions/matrix/src/matrix/actions/types.ts +84 -0
package/extensions/matrix/src/matrix/actions.ts +15 -0
package/extensions/matrix/src/matrix/active-client.ts +11 -0
package/extensions/matrix/src/matrix/client/config.ts +160 -0
package/extensions/matrix/src/matrix/client/create-client.ts +123 -0
package/extensions/matrix/src/matrix/client/logging.ts +36 -0
package/extensions/matrix/src/matrix/client/runtime.ts +4 -0
package/extensions/matrix/src/matrix/client/shared.ts +170 -0
package/extensions/matrix/src/matrix/client/storage.ts +131 -0
package/extensions/matrix/src/matrix/client/types.ts +34 -0
package/extensions/matrix/src/matrix/client.test.ts +56 -0
package/extensions/matrix/src/matrix/client.ts +5 -0
package/extensions/matrix/src/matrix/credentials.ts +105 -0
package/extensions/matrix/src/matrix/deps.ts +60 -0
package/extensions/matrix/src/matrix/format.test.ts +33 -0
package/extensions/matrix/src/matrix/format.ts +22 -0
package/extensions/matrix/src/matrix/index.ts +11 -0
package/extensions/matrix/src/matrix/monitor/allowlist.test.ts +45 -0
package/extensions/matrix/src/matrix/monitor/allowlist.ts +103 -0
package/extensions/matrix/src/matrix/monitor/auto-join.ts +71 -0
package/extensions/matrix/src/matrix/monitor/direct.ts +104 -0
package/extensions/matrix/src/matrix/monitor/events.ts +101 -0
package/extensions/matrix/src/matrix/monitor/handler.ts +661 -0
package/extensions/matrix/src/matrix/monitor/index.ts +338 -0
package/extensions/matrix/src/matrix/monitor/location.ts +100 -0
package/extensions/matrix/src/matrix/monitor/media.test.ts +102 -0
package/extensions/matrix/src/matrix/monitor/media.ts +113 -0
package/extensions/matrix/src/matrix/monitor/mentions.ts +31 -0
package/extensions/matrix/src/matrix/monitor/replies.ts +97 -0
package/extensions/matrix/src/matrix/monitor/room-info.ts +55 -0
package/extensions/matrix/src/matrix/monitor/rooms.test.ts +39 -0
package/extensions/matrix/src/matrix/monitor/rooms.ts +47 -0
package/extensions/matrix/src/matrix/monitor/threads.ts +68 -0
package/extensions/matrix/src/matrix/monitor/types.ts +39 -0
package/extensions/matrix/src/matrix/poll-types.test.ts +21 -0
package/extensions/matrix/src/matrix/poll-types.ts +166 -0
package/extensions/matrix/src/matrix/probe.ts +70 -0
package/extensions/matrix/src/matrix/send/client.ts +66 -0
package/extensions/matrix/src/matrix/send/formatting.ts +89 -0
package/extensions/matrix/src/matrix/send/media.ts +229 -0
package/extensions/matrix/src/matrix/send/targets.test.ts +98 -0
package/extensions/matrix/src/matrix/send/targets.ts +136 -0
package/extensions/matrix/src/matrix/send/types.ts +109 -0
package/extensions/matrix/src/matrix/send.test.ts +171 -0
package/extensions/matrix/src/matrix/send.ts +260 -0
package/extensions/matrix/src/onboarding.ts +449 -0
package/extensions/matrix/src/outbound.ts +52 -0
package/extensions/matrix/src/resolve-targets.test.ts +48 -0
package/extensions/matrix/src/resolve-targets.ts +135 -0
package/extensions/matrix/src/runtime.ts +14 -0
package/extensions/matrix/src/tool-actions.ts +164 -0
package/extensions/matrix/src/types.ts +95 -0
package/extensions/mattermost/index.ts +17 -0
package/extensions/mattermost/node_modules/.bin/openclaw +21 -0
package/extensions/mattermost/openclaw.plugin.json +9 -0
package/extensions/mattermost/package.json +28 -0
package/extensions/mattermost/src/channel.test.ts +48 -0
package/extensions/mattermost/src/channel.ts +337 -0
package/extensions/mattermost/src/config-schema.ts +55 -0
package/extensions/mattermost/src/group-mentions.ts +15 -0
package/extensions/mattermost/src/mattermost/accounts.ts +128 -0
package/extensions/mattermost/src/mattermost/client.ts +220 -0
package/extensions/mattermost/src/mattermost/index.ts +9 -0
package/extensions/mattermost/src/mattermost/monitor-helpers.ts +166 -0
package/extensions/mattermost/src/mattermost/monitor.ts +987 -0
package/extensions/mattermost/src/mattermost/probe.ts +74 -0
package/extensions/mattermost/src/mattermost/send.ts +231 -0
package/extensions/mattermost/src/normalize.ts +46 -0
package/extensions/mattermost/src/onboarding-helpers.ts +44 -0
package/extensions/mattermost/src/onboarding.ts +186 -0
package/extensions/mattermost/src/runtime.ts +14 -0
package/extensions/mattermost/src/types.ts +50 -0
package/extensions/memory-core/index.ts +38 -0
package/extensions/memory-core/node_modules/.bin/openclaw +21 -0
package/extensions/memory-core/openclaw.plugin.json +9 -0
package/extensions/memory-core/package.json +17 -0
package/extensions/memory-lancedb/config.ts +139 -0
package/extensions/memory-lancedb/index.test.ts +295 -0
package/extensions/memory-lancedb/index.ts +608 -0
package/extensions/memory-lancedb/node_modules/.bin/openai +21 -0
package/extensions/memory-lancedb/node_modules/.bin/openclaw +21 -0
package/extensions/memory-lancedb/openclaw.plugin.json +60 -0
package/extensions/memory-lancedb/package.json +19 -0
package/extensions/minimax-portal-auth/README.md +33 -0
package/extensions/minimax-portal-auth/index.ts +155 -0
package/extensions/minimax-portal-auth/node_modules/.bin/openclaw +21 -0
package/extensions/minimax-portal-auth/oauth.ts +247 -0
package/extensions/minimax-portal-auth/openclaw.plugin.json +9 -0
package/extensions/minimax-portal-auth/package.json +14 -0
package/extensions/msteams/CHANGELOG.md +83 -0
package/extensions/msteams/index.ts +17 -0
package/extensions/msteams/node_modules/.bin/openclaw +21 -0
package/extensions/msteams/openclaw.plugin.json +9 -0
package/extensions/msteams/package.json +39 -0
package/extensions/msteams/src/attachments/download.ts +283 -0
package/extensions/msteams/src/attachments/graph.ts +353 -0
package/extensions/msteams/src/attachments/html.ts +90 -0
package/extensions/msteams/src/attachments/payload.ts +22 -0
package/extensions/msteams/src/attachments/shared.ts +291 -0
package/extensions/msteams/src/attachments/types.ts +37 -0
package/extensions/msteams/src/attachments.test.ts +459 -0
package/extensions/msteams/src/attachments.ts +18 -0
package/extensions/msteams/src/channel.directory.test.ts +48 -0
package/extensions/msteams/src/channel.ts +459 -0
package/extensions/msteams/src/conversation-store-fs.test.ts +88 -0
package/extensions/msteams/src/conversation-store-fs.ts +165 -0
package/extensions/msteams/src/conversation-store-memory.ts +47 -0
package/extensions/msteams/src/conversation-store.ts +41 -0
package/extensions/msteams/src/directory-live.ts +205 -0
package/extensions/msteams/src/errors.test.ts +45 -0
package/extensions/msteams/src/errors.ts +190 -0
package/extensions/msteams/src/file-consent-helpers.test.ts +243 -0
package/extensions/msteams/src/file-consent-helpers.ts +73 -0
package/extensions/msteams/src/file-consent.ts +126 -0
package/extensions/msteams/src/graph-chat.ts +53 -0
package/extensions/msteams/src/graph-upload.ts +453 -0
package/extensions/msteams/src/inbound.test.ts +66 -0
package/extensions/msteams/src/inbound.ts +48 -0
package/extensions/msteams/src/index.ts +4 -0
package/extensions/msteams/src/media-helpers.test.ts +189 -0
package/extensions/msteams/src/media-helpers.ts +86 -0
package/extensions/msteams/src/messenger.test.ts +248 -0
package/extensions/msteams/src/messenger.ts +495 -0
package/extensions/msteams/src/monitor-handler/inbound-media.ts +128 -0
package/extensions/msteams/src/monitor-handler/message-handler.ts +640 -0
package/extensions/msteams/src/monitor-handler.ts +162 -0
package/extensions/msteams/src/monitor-types.ts +5 -0
package/extensions/msteams/src/monitor.ts +295 -0
package/extensions/msteams/src/onboarding.ts +431 -0
package/extensions/msteams/src/outbound.ts +46 -0
package/extensions/msteams/src/pending-uploads.ts +89 -0
package/extensions/msteams/src/policy.test.ts +209 -0
package/extensions/msteams/src/policy.ts +273 -0
package/extensions/msteams/src/polls-store-memory.ts +32 -0
package/extensions/msteams/src/polls-store.test.ts +38 -0
package/extensions/msteams/src/polls.test.ts +72 -0
package/extensions/msteams/src/polls.ts +315 -0
package/extensions/msteams/src/probe.test.ts +58 -0
package/extensions/msteams/src/probe.ts +107 -0
package/extensions/msteams/src/reply-dispatcher.ts +130 -0
package/extensions/msteams/src/resolve-allowlist.ts +297 -0
package/extensions/msteams/src/runtime.ts +14 -0
package/extensions/msteams/src/sdk-types.ts +19 -0
package/extensions/msteams/src/sdk.ts +33 -0
package/extensions/msteams/src/send-context.ts +164 -0
package/extensions/msteams/src/send.ts +519 -0
package/extensions/msteams/src/sent-message-cache.test.ts +15 -0
package/extensions/msteams/src/sent-message-cache.ts +47 -0
package/extensions/msteams/src/storage.ts +25 -0
package/extensions/msteams/src/store-fs.ts +83 -0
package/extensions/msteams/src/token.ts +19 -0
package/extensions/nextcloud-talk/index.ts +17 -0
package/extensions/nextcloud-talk/node_modules/.bin/openclaw +21 -0
package/extensions/nextcloud-talk/openclaw.plugin.json +9 -0
package/extensions/nextcloud-talk/package.json +33 -0
package/extensions/nextcloud-talk/src/accounts.ts +174 -0
package/extensions/nextcloud-talk/src/channel.ts +409 -0
package/extensions/nextcloud-talk/src/config-schema.ts +78 -0
package/extensions/nextcloud-talk/src/format.ts +79 -0
package/extensions/nextcloud-talk/src/inbound.ts +317 -0
package/extensions/nextcloud-talk/src/monitor.ts +246 -0
package/extensions/nextcloud-talk/src/normalize.ts +39 -0
package/extensions/nextcloud-talk/src/onboarding.ts +343 -0
package/extensions/nextcloud-talk/src/policy.test.ts +33 -0
package/extensions/nextcloud-talk/src/policy.ts +180 -0
package/extensions/nextcloud-talk/src/room-info.ts +125 -0
package/extensions/nextcloud-talk/src/runtime.ts +14 -0
package/extensions/nextcloud-talk/src/send.ts +210 -0
package/extensions/nextcloud-talk/src/signature.ts +72 -0
package/extensions/nextcloud-talk/src/types.ts +179 -0
package/extensions/nostr/CHANGELOG.md +74 -0
package/extensions/nostr/README.md +136 -0
package/extensions/nostr/index.ts +68 -0
package/extensions/nostr/node_modules/.bin/openclaw +21 -0
package/extensions/nostr/openclaw.plugin.json +9 -0
package/extensions/nostr/package.json +34 -0
package/extensions/nostr/src/channel.test.ts +151 -0
package/extensions/nostr/src/channel.ts +353 -0
package/extensions/nostr/src/config-schema.ts +90 -0
package/extensions/nostr/src/metrics.ts +478 -0
package/extensions/nostr/src/nostr-bus.fuzz.test.ts +533 -0
package/extensions/nostr/src/nostr-bus.integration.test.ts +448 -0
package/extensions/nostr/src/nostr-bus.test.ts +199 -0
package/extensions/nostr/src/nostr-bus.ts +715 -0
package/extensions/nostr/src/nostr-profile-http.test.ts +378 -0
package/extensions/nostr/src/nostr-profile-http.ts +519 -0
package/extensions/nostr/src/nostr-profile-import.test.ts +119 -0
package/extensions/nostr/src/nostr-profile-import.ts +262 -0
package/extensions/nostr/src/nostr-profile.fuzz.test.ts +477 -0
package/extensions/nostr/src/nostr-profile.test.ts +410 -0
package/extensions/nostr/src/nostr-profile.ts +277 -0
package/extensions/nostr/src/nostr-state-store.test.ts +131 -0
package/extensions/nostr/src/nostr-state-store.ts +226 -0
package/extensions/nostr/src/runtime.ts +14 -0
package/extensions/nostr/src/seen-tracker.ts +303 -0
package/extensions/nostr/src/types.test.ts +157 -0
package/extensions/nostr/src/types.ts +101 -0
package/extensions/nostr/test/setup.ts +5 -0
package/extensions/open-prose/README.md +25 -0
package/extensions/open-prose/index.ts +5 -0
package/extensions/open-prose/node_modules/.bin/openclaw +21 -0
package/extensions/open-prose/openclaw.plugin.json +11 -0
package/extensions/open-prose/package.json +14 -0
package/extensions/open-prose/skills/prose/LICENSE +21 -0
package/extensions/open-prose/skills/prose/SKILL.md +323 -0
package/extensions/open-prose/skills/prose/alt-borges.md +141 -0
package/extensions/open-prose/skills/prose/alts/arabian-nights.md +358 -0
package/extensions/open-prose/skills/prose/alts/borges.md +360 -0
package/extensions/open-prose/skills/prose/alts/folk.md +322 -0
package/extensions/open-prose/skills/prose/alts/homer.md +346 -0
package/extensions/open-prose/skills/prose/alts/kafka.md +373 -0
package/extensions/open-prose/skills/prose/compiler.md +2971 -0
package/extensions/open-prose/skills/prose/examples/01-hello-world.prose +4 -0
package/extensions/open-prose/skills/prose/examples/02-research-and-summarize.prose +6 -0
package/extensions/open-prose/skills/prose/examples/03-code-review.prose +17 -0
package/extensions/open-prose/skills/prose/examples/04-write-and-refine.prose +14 -0
package/extensions/open-prose/skills/prose/examples/05-debug-issue.prose +20 -0
package/extensions/open-prose/skills/prose/examples/06-explain-codebase.prose +17 -0
package/extensions/open-prose/skills/prose/examples/07-refactor.prose +20 -0
package/extensions/open-prose/skills/prose/examples/08-blog-post.prose +20 -0
package/extensions/open-prose/skills/prose/examples/09-research-with-agents.prose +25 -0
package/extensions/open-prose/skills/prose/examples/10-code-review-agents.prose +32 -0
package/extensions/open-prose/skills/prose/examples/11-skills-and-imports.prose +27 -0
package/extensions/open-prose/skills/prose/examples/12-secure-agent-permissions.prose +43 -0
package/extensions/open-prose/skills/prose/examples/13-variables-and-context.prose +51 -0
package/extensions/open-prose/skills/prose/examples/14-composition-blocks.prose +48 -0
package/extensions/open-prose/skills/prose/examples/15-inline-sequences.prose +23 -0
package/extensions/open-prose/skills/prose/examples/16-parallel-reviews.prose +19 -0
package/extensions/open-prose/skills/prose/examples/17-parallel-research.prose +19 -0
package/extensions/open-prose/skills/prose/examples/18-mixed-parallel-sequential.prose +36 -0
package/extensions/open-prose/skills/prose/examples/19-advanced-parallel.prose +71 -0
package/extensions/open-prose/skills/prose/examples/20-fixed-loops.prose +20 -0
package/extensions/open-prose/skills/prose/examples/21-pipeline-operations.prose +35 -0
package/extensions/open-prose/skills/prose/examples/22-error-handling.prose +51 -0
package/extensions/open-prose/skills/prose/examples/23-retry-with-backoff.prose +63 -0
package/extensions/open-prose/skills/prose/examples/24-choice-blocks.prose +86 -0
package/extensions/open-prose/skills/prose/examples/25-conditionals.prose +114 -0
package/extensions/open-prose/skills/prose/examples/26-parameterized-blocks.prose +100 -0
package/extensions/open-prose/skills/prose/examples/27-string-interpolation.prose +105 -0
package/extensions/open-prose/skills/prose/examples/28-automated-pr-review.prose +37 -0
package/extensions/open-prose/skills/prose/examples/28-gas-town.prose +1572 -0
package/extensions/open-prose/skills/prose/examples/29-captains-chair.prose +218 -0
package/extensions/open-prose/skills/prose/examples/30-captains-chair-simple.prose +42 -0
package/extensions/open-prose/skills/prose/examples/31-captains-chair-with-memory.prose +145 -0
package/extensions/open-prose/skills/prose/examples/33-pr-review-autofix.prose +168 -0
package/extensions/open-prose/skills/prose/examples/34-content-pipeline.prose +204 -0
package/extensions/open-prose/skills/prose/examples/35-feature-factory.prose +296 -0
package/extensions/open-prose/skills/prose/examples/36-bug-hunter.prose +237 -0
package/extensions/open-prose/skills/prose/examples/37-the-forge.prose +1474 -0
package/extensions/open-prose/skills/prose/examples/38-skill-scan.prose +455 -0
package/extensions/open-prose/skills/prose/examples/39-architect-by-simulation.prose +277 -0
package/extensions/open-prose/skills/prose/examples/40-rlm-self-refine.prose +32 -0
package/extensions/open-prose/skills/prose/examples/41-rlm-divide-conquer.prose +38 -0
package/extensions/open-prose/skills/prose/examples/42-rlm-filter-recurse.prose +46 -0
package/extensions/open-prose/skills/prose/examples/43-rlm-pairwise.prose +50 -0
package/extensions/open-prose/skills/prose/examples/44-run-endpoint-ux-test.prose +261 -0
package/extensions/open-prose/skills/prose/examples/45-plugin-release.prose +159 -0
package/extensions/open-prose/skills/prose/examples/45-run-endpoint-ux-test-with-remediation.prose +637 -0
package/extensions/open-prose/skills/prose/examples/46-run-endpoint-ux-test-fast.prose +148 -0
package/extensions/open-prose/skills/prose/examples/46-workflow-crystallizer.prose +225 -0
package/extensions/open-prose/skills/prose/examples/47-language-self-improvement.prose +356 -0
package/extensions/open-prose/skills/prose/examples/48-habit-miner.prose +445 -0
package/extensions/open-prose/skills/prose/examples/49-prose-run-retrospective.prose +210 -0
package/extensions/open-prose/skills/prose/examples/README.md +391 -0
package/extensions/open-prose/skills/prose/examples/roadmap/README.md +22 -0
package/extensions/open-prose/skills/prose/examples/roadmap/iterative-refinement.prose +20 -0
package/extensions/open-prose/skills/prose/examples/roadmap/parallel-review.prose +18 -0
package/extensions/open-prose/skills/prose/examples/roadmap/simple-pipeline.prose +17 -0
package/extensions/open-prose/skills/prose/examples/roadmap/syntax/open-prose-syntax.prose +223 -0
package/extensions/open-prose/skills/prose/guidance/antipatterns.md +951 -0
package/extensions/open-prose/skills/prose/guidance/patterns.md +700 -0
package/extensions/open-prose/skills/prose/guidance/system-prompt.md +180 -0
package/extensions/open-prose/skills/prose/help.md +144 -0
package/extensions/open-prose/skills/prose/lib/README.md +108 -0
package/extensions/open-prose/skills/prose/lib/calibrator.prose +215 -0
package/extensions/open-prose/skills/prose/lib/cost-analyzer.prose +174 -0
package/extensions/open-prose/skills/prose/lib/error-forensics.prose +250 -0
package/extensions/open-prose/skills/prose/lib/inspector.prose +196 -0
package/extensions/open-prose/skills/prose/lib/profiler.prose +460 -0
package/extensions/open-prose/skills/prose/lib/program-improver.prose +275 -0
package/extensions/open-prose/skills/prose/lib/project-memory.prose +118 -0
package/extensions/open-prose/skills/prose/lib/user-memory.prose +93 -0
package/extensions/open-prose/skills/prose/lib/vm-improver.prose +243 -0
package/extensions/open-prose/skills/prose/primitives/session.md +593 -0
package/extensions/open-prose/skills/prose/prose.md +1237 -0
package/extensions/open-prose/skills/prose/state/filesystem.md +498 -0
package/extensions/open-prose/skills/prose/state/in-context.md +384 -0
package/extensions/open-prose/skills/prose/state/postgres.md +880 -0
package/extensions/open-prose/skills/prose/state/sqlite.md +574 -0
package/extensions/qwen-portal-auth/README.md +24 -0
package/extensions/qwen-portal-auth/index.ts +130 -0
package/extensions/qwen-portal-auth/oauth.ts +190 -0
package/extensions/qwen-portal-auth/openclaw.plugin.json +9 -0
package/extensions/signal/index.ts +17 -0
package/extensions/signal/node_modules/.bin/openclaw +21 -0
package/extensions/signal/openclaw.plugin.json +9 -0
package/extensions/signal/package.json +14 -0
package/extensions/signal/src/channel.ts +315 -0
package/extensions/signal/src/runtime.ts +14 -0
package/extensions/slack/index.ts +17 -0
package/extensions/slack/node_modules/.bin/openclaw +21 -0
package/extensions/slack/openclaw.plugin.json +9 -0
package/extensions/slack/package.json +14 -0
package/extensions/slack/src/channel.ts +604 -0
package/extensions/slack/src/runtime.ts +14 -0
package/extensions/telegram/index.ts +17 -0
package/extensions/telegram/node_modules/.bin/openclaw +21 -0
package/extensions/telegram/openclaw.plugin.json +9 -0
package/extensions/telegram/package.json +14 -0
package/extensions/telegram/src/channel.ts +482 -0
package/extensions/telegram/src/runtime.ts +14 -0
package/extensions/tlon/README.md +5 -0
package/extensions/tlon/index.ts +17 -0
package/extensions/tlon/node_modules/.bin/openclaw +21 -0
package/extensions/tlon/openclaw.plugin.json +9 -0
package/extensions/tlon/package.json +33 -0
package/extensions/tlon/src/channel.ts +392 -0
package/extensions/tlon/src/config-schema.test.ts +31 -0
package/extensions/tlon/src/config-schema.ts +43 -0
package/extensions/tlon/src/monitor/discovery.ts +76 -0
package/extensions/tlon/src/monitor/history.ts +90 -0
package/extensions/tlon/src/monitor/index.ts +553 -0
package/extensions/tlon/src/monitor/processed-messages.test.ts +23 -0
package/extensions/tlon/src/monitor/processed-messages.ts +46 -0
package/extensions/tlon/src/monitor/utils.ts +105 -0
package/extensions/tlon/src/onboarding.ts +214 -0
package/extensions/tlon/src/runtime.ts +14 -0
package/extensions/tlon/src/targets.ts +89 -0
package/extensions/tlon/src/types.ts +92 -0
package/extensions/tlon/src/urbit/auth.ts +18 -0
package/extensions/tlon/src/urbit/http-api.ts +38 -0
package/extensions/tlon/src/urbit/send.test.ts +38 -0
package/extensions/tlon/src/urbit/send.ts +131 -0
package/extensions/tlon/src/urbit/sse-client.test.ts +40 -0
package/extensions/tlon/src/urbit/sse-client.ts +395 -0
package/extensions/twitch/CHANGELOG.md +45 -0
package/extensions/twitch/README.md +89 -0
package/extensions/twitch/index.ts +20 -0
package/extensions/twitch/node_modules/.bin/openclaw +21 -0
package/extensions/twitch/openclaw.plugin.json +9 -0
package/extensions/twitch/package.json +20 -0
package/extensions/twitch/src/access-control.test.ts +489 -0
package/extensions/twitch/src/access-control.ts +166 -0
package/extensions/twitch/src/actions.ts +173 -0
package/extensions/twitch/src/client-manager-registry.ts +115 -0
package/extensions/twitch/src/config-schema.ts +82 -0
package/extensions/twitch/src/config.test.ts +87 -0
package/extensions/twitch/src/config.ts +116 -0
package/extensions/twitch/src/monitor.ts +261 -0
package/extensions/twitch/src/onboarding.test.ts +311 -0
package/extensions/twitch/src/onboarding.ts +417 -0
package/extensions/twitch/src/outbound.test.ts +373 -0
package/extensions/twitch/src/outbound.ts +184 -0
package/extensions/twitch/src/plugin.test.ts +39 -0
package/extensions/twitch/src/plugin.ts +274 -0
package/extensions/twitch/src/probe.test.ts +195 -0
package/extensions/twitch/src/probe.ts +120 -0
package/extensions/twitch/src/resolver.ts +137 -0
package/extensions/twitch/src/runtime.ts +14 -0
package/extensions/twitch/src/send.test.ts +289 -0
package/extensions/twitch/src/send.ts +136 -0
package/extensions/twitch/src/status.test.ts +270 -0
package/extensions/twitch/src/status.ts +178 -0
package/extensions/twitch/src/token.test.ts +171 -0
package/extensions/twitch/src/token.ts +91 -0
package/extensions/twitch/src/twitch-client.test.ts +589 -0
package/extensions/twitch/src/twitch-client.ts +277 -0
package/extensions/twitch/src/types.ts +141 -0
package/extensions/twitch/src/utils/markdown.ts +98 -0
package/extensions/twitch/src/utils/twitch.ts +78 -0
package/extensions/twitch/test/setup.ts +7 -0
package/extensions/voice-call/CHANGELOG.md +109 -0
package/extensions/voice-call/README.md +139 -0
package/extensions/voice-call/index.ts +493 -0
package/extensions/voice-call/node_modules/.bin/openclaw +21 -0
package/extensions/voice-call/openclaw.plugin.json +559 -0
package/extensions/voice-call/package.json +19 -0
package/extensions/voice-call/src/allowlist.ts +19 -0
package/extensions/voice-call/src/cli.ts +279 -0
package/extensions/voice-call/src/config.test.ts +234 -0
package/extensions/voice-call/src/config.ts +523 -0
package/extensions/voice-call/src/core-bridge.ts +159 -0
package/extensions/voice-call/src/manager/context.ts +21 -0
package/extensions/voice-call/src/manager/events.ts +188 -0
package/extensions/voice-call/src/manager/lookup.ts +35 -0
package/extensions/voice-call/src/manager/outbound.ts +275 -0
package/extensions/voice-call/src/manager/state.ts +48 -0
package/extensions/voice-call/src/manager/store.ts +91 -0
package/extensions/voice-call/src/manager/timers.ts +89 -0
package/extensions/voice-call/src/manager/twiml.ts +9 -0
package/extensions/voice-call/src/manager.test.ts +194 -0
package/extensions/voice-call/src/manager.ts +887 -0
package/extensions/voice-call/src/media-stream.test.ts +96 -0
package/extensions/voice-call/src/media-stream.ts +411 -0
package/extensions/voice-call/src/providers/base.ts +67 -0
package/extensions/voice-call/src/providers/index.ts +10 -0
package/extensions/voice-call/src/providers/mock.ts +165 -0
package/extensions/voice-call/src/providers/plivo.test.ts +27 -0
package/extensions/voice-call/src/providers/plivo.ts +515 -0
package/extensions/voice-call/src/providers/stt-openai-realtime.ts +311 -0
package/extensions/voice-call/src/providers/telnyx.ts +371 -0
package/extensions/voice-call/src/providers/tts-openai.ts +259 -0
package/extensions/voice-call/src/providers/twilio/api.ts +42 -0
package/extensions/voice-call/src/providers/twilio/webhook.ts +32 -0
package/extensions/voice-call/src/providers/twilio.test.ts +60 -0
package/extensions/voice-call/src/providers/twilio.ts +626 -0
package/extensions/voice-call/src/response-generator.ts +158 -0
package/extensions/voice-call/src/runtime.ts +212 -0
package/extensions/voice-call/src/telephony-audio.ts +90 -0
package/extensions/voice-call/src/telephony-tts.ts +104 -0
package/extensions/voice-call/src/tunnel.ts +314 -0
package/extensions/voice-call/src/types.ts +272 -0
package/extensions/voice-call/src/utils.ts +14 -0
package/extensions/voice-call/src/voice-mapping.ts +67 -0
package/extensions/voice-call/src/webhook-security.test.ts +377 -0
package/extensions/voice-call/src/webhook-security.ts +689 -0
package/extensions/voice-call/src/webhook.ts +491 -0
package/extensions/whatsapp/index.ts +17 -0
package/extensions/whatsapp/node_modules/.bin/openclaw +21 -0
package/extensions/whatsapp/openclaw.plugin.json +9 -0
package/extensions/whatsapp/package.json +14 -0
package/extensions/whatsapp/src/channel.ts +508 -0
package/extensions/whatsapp/src/runtime.ts +14 -0
package/extensions/zalo/CHANGELOG.md +89 -0
package/extensions/zalo/README.md +50 -0
package/extensions/zalo/index.ts +19 -0
package/extensions/zalo/node_modules/.bin/openclaw +21 -0
package/extensions/zalo/openclaw.plugin.json +9 -0
package/extensions/zalo/package.json +36 -0
package/extensions/zalo/src/accounts.ts +80 -0
package/extensions/zalo/src/actions.ts +67 -0
package/extensions/zalo/src/api.ts +208 -0
package/extensions/zalo/src/channel.directory.test.ts +43 -0
package/extensions/zalo/src/channel.ts +414 -0
package/extensions/zalo/src/config-schema.ts +24 -0
package/extensions/zalo/src/monitor.ts +753 -0
package/extensions/zalo/src/monitor.webhook.test.ts +73 -0
package/extensions/zalo/src/onboarding.ts +401 -0
package/extensions/zalo/src/probe.ts +46 -0
package/extensions/zalo/src/proxy.ts +21 -0
package/extensions/zalo/src/runtime.ts +14 -0
package/extensions/zalo/src/send.ts +124 -0
package/extensions/zalo/src/status-issues.ts +53 -0
package/extensions/zalo/src/token.ts +63 -0
package/extensions/zalo/src/types.ts +42 -0
package/extensions/zalouser/CHANGELOG.md +61 -0
package/extensions/zalouser/README.md +225 -0
package/extensions/zalouser/index.ts +31 -0
package/extensions/zalouser/node_modules/.bin/openclaw +21 -0
package/extensions/zalouser/openclaw.plugin.json +9 -0
package/extensions/zalouser/package.json +36 -0
package/extensions/zalouser/src/accounts.ts +135 -0
package/extensions/zalouser/src/channel.test.ts +18 -0
package/extensions/zalouser/src/channel.ts +686 -0
package/extensions/zalouser/src/config-schema.ts +27 -0
package/extensions/zalouser/src/monitor.ts +590 -0
package/extensions/zalouser/src/onboarding.ts +504 -0
package/extensions/zalouser/src/probe.ts +28 -0
package/extensions/zalouser/src/runtime.ts +14 -0
package/extensions/zalouser/src/send.ts +160 -0
package/extensions/zalouser/src/status-issues.test.ts +57 -0
package/extensions/zalouser/src/status-issues.ts +89 -0
package/extensions/zalouser/src/tool.ts +164 -0
package/extensions/zalouser/src/types.ts +108 -0
package/extensions/zalouser/src/zca.ts +202 -0
package/openclaw.mjs +14 -0
package/package.json +245 -0
package/skills/1password/SKILL.md +70 -0
package/skills/1password/references/cli-examples.md +29 -0
package/skills/1password/references/get-started.md +17 -0
package/skills/apple-notes/SKILL.md +77 -0
package/skills/apple-reminders/SKILL.md +96 -0
package/skills/bear-notes/SKILL.md +107 -0
package/skills/bird/SKILL.md +224 -0
package/skills/blogwatcher/SKILL.md +69 -0
package/skills/blucli/SKILL.md +47 -0
package/skills/bluebubbles/SKILL.md +131 -0
package/skills/camsnap/SKILL.md +45 -0
package/skills/canvas/SKILL.md +198 -0
package/skills/clawhub/SKILL.md +77 -0
package/skills/coding-agent/SKILL.md +284 -0
package/skills/discord/SKILL.md +578 -0
package/skills/eightctl/SKILL.md +50 -0
package/skills/food-order/SKILL.md +48 -0
package/skills/gemini/SKILL.md +43 -0
package/skills/ghostly-projects/SKILL.md +160 -0
package/skills/gifgrep/SKILL.md +79 -0
package/skills/github/SKILL.md +77 -0
package/skills/gog/SKILL.md +116 -0
package/skills/goplaces/SKILL.md +52 -0
package/skills/healthcheck/SKILL.md +245 -0
package/skills/himalaya/SKILL.md +257 -0
package/skills/himalaya/references/configuration.md +184 -0
package/skills/himalaya/references/message-composition.md +199 -0
package/skills/imsg/SKILL.md +74 -0
package/skills/linear/SKILL.md +111 -0
package/skills/linear/linear.sh +204 -0
package/skills/local-places/SERVER_README.md +101 -0
package/skills/local-places/SKILL.md +102 -0
package/skills/local-places/pyproject.toml +21 -0
package/skills/local-places/src/local_places/__init__.py +2 -0
package/skills/local-places/src/local_places/google_places.py +314 -0
package/skills/local-places/src/local_places/main.py +65 -0
package/skills/local-places/src/local_places/schemas.py +107 -0
package/skills/mcporter/SKILL.md +61 -0
package/skills/model-usage/SKILL.md +69 -0
package/skills/model-usage/references/codexbar-cli.md +33 -0
package/skills/model-usage/scripts/model_usage.py +310 -0
package/skills/nano-banana-pro/SKILL.md +58 -0
package/skills/nano-banana-pro/scripts/generate_image.py +184 -0
package/skills/nano-pdf/SKILL.md +38 -0
package/skills/notion/SKILL.md +172 -0
package/skills/obsidian/SKILL.md +81 -0
package/skills/openai-image-gen/SKILL.md +89 -0
package/skills/openai-image-gen/scripts/gen.py +240 -0
package/skills/openai-whisper/SKILL.md +38 -0
package/skills/openai-whisper-api/SKILL.md +52 -0
package/skills/openai-whisper-api/scripts/transcribe.sh +85 -0
package/skills/openhue/SKILL.md +51 -0
package/skills/oracle/SKILL.md +125 -0
package/skills/ordercli/SKILL.md +78 -0
package/skills/peekaboo/SKILL.md +190 -0
package/skills/sag/SKILL.md +87 -0
package/skills/session-logs/SKILL.md +115 -0
package/skills/sherpa-onnx-tts/SKILL.md +103 -0
package/skills/sherpa-onnx-tts/bin/sherpa-onnx-tts +178 -0
package/skills/skill-creator/SKILL.md +370 -0
package/skills/skill-creator/license.txt +202 -0
package/skills/skill-creator/scripts/init_skill.py +378 -0
package/skills/skill-creator/scripts/package_skill.py +111 -0
package/skills/skill-creator/scripts/quick_validate.py +101 -0
package/skills/slack/SKILL.md +144 -0
package/skills/songsee/SKILL.md +49 -0
package/skills/sonoscli/SKILL.md +46 -0
package/skills/spotify-player/SKILL.md +64 -0
package/skills/summarize/SKILL.md +87 -0
package/skills/things-mac/SKILL.md +86 -0
package/skills/tmux/SKILL.md +135 -0
package/skills/tmux/scripts/find-sessions.sh +112 -0
package/skills/tmux/scripts/wait-for-text.sh +83 -0
package/skills/trello/SKILL.md +95 -0
package/skills/video-frames/SKILL.md +46 -0
package/skills/video-frames/scripts/frame.sh +81 -0
package/skills/voice-call/SKILL.md +45 -0
package/skills/wacli/SKILL.md +72 -0
package/skills/weather/SKILL.md +54 -0

package/dist/audit-eH7nwgsM.js ADDED Viewed

@@ -0,0 +1,1686 @@
+import { g as resolveStateDir, m as resolveOAuthDir, o as resolveConfigPath } from "./paths-scjhy7N2.js";
+import { N as normalizeAgentId, c as resolveDefaultAgentId } from "./agent-scope-BbT4OG2N.js";
+import { n as runExec } from "./exec-HEWTMJ7j.js";
+import { t as formatCliCommand } from "./command-format-DELazozB.js";
+import { D as MAX_INCLUDE_DEPTH, E as INCLUDE_KEY, r as createConfigIO } from "./config-BtSTwPcH.js";
+import { n as listChannelPlugins } from "./plugins-QJjTXliB.js";
+import { $ as resolveSandboxToolPolicyForAgent, Z as resolveSandboxConfigForAgent, at as resolveToolProfilePolicy } from "./sandbox-knontqD9.js";
+import { a as resolveProfile, i as resolveBrowserConfig } from "./server-context-B9GX5GOI.js";
+import { m as GATEWAY_CLIENT_NAMES, p as GATEWAY_CLIENT_MODES } from "./message-channel-D6v_oPAg.js";
+import { t as GatewayClient } from "./client-DySXIFCA.js";
+import { t as buildGatewayConnectionDetails } from "./call-B7EveN4V.js";
+import { i as readChannelAllowFromStore } from "./pairing-store-DDLNuzmx.js";
+import { c as resolveNativeSkillsEnabled, n as isToolAllowedByPolicies, s as resolveNativeCommandsEnabled } from "./pi-tools.policy-BvkSDFDN.js";
+import { t as resolveChannelDefaultAccountId } from "./helpers-BtbBZVKZ.js";
+import { i as resolveGatewayAuth } from "./auth-y1BLPUhX.js";
+import os from "node:os";
+import path from "node:path";
+import JSON5 from "json5";
+import fs from "node:fs/promises";
+import { randomUUID } from "node:crypto";
+//#region src/gateway/probe.ts
+function formatError(err) {
+	if (err instanceof Error) return err.message;
+	return String(err);
+}
+async function probeGateway(opts) {
+	const startedAt = Date.now();
+	const instanceId = randomUUID();
+	let connectLatencyMs = null;
+	let connectError = null;
+	let close = null;
+	return await new Promise((resolve) => {
+		let settled = false;
+		const settle = (result) => {
+			if (settled) return;
+			settled = true;
+			clearTimeout(timer);
+			client.stop();
+			resolve({
+				url: opts.url,
+				...result
+			});
+		};
+		const client = new GatewayClient({
+			url: opts.url,
+			token: opts.auth?.token,
+			password: opts.auth?.password,
+			clientName: GATEWAY_CLIENT_NAMES.CLI,
+			clientVersion: "dev",
+			mode: GATEWAY_CLIENT_MODES.PROBE,
+			instanceId,
+			onConnectError: (err) => {
+				connectError = formatError(err);
+			},
+			onClose: (code, reason) => {
+				close = {
+					code,
+					reason
+				};
+			},
+			onHelloOk: async () => {
+				connectLatencyMs = Date.now() - startedAt;
+				try {
+					const [health, status, presence, configSnapshot] = await Promise.all([
+						client.request("health"),
+						client.request("status"),
+						client.request("system-presence"),
+						client.request("config.get", {})
+					]);
+					settle({
+						ok: true,
+						connectLatencyMs,
+						error: null,
+						close,
+						health,
+						status,
+						presence: Array.isArray(presence) ? presence : null,
+						configSnapshot
+					});
+				} catch (err) {
+					settle({
+						ok: false,
+						connectLatencyMs,
+						error: formatError(err),
+						close,
+						health: null,
+						status: null,
+						presence: null,
+						configSnapshot: null
+					});
+				}
+			}
+		});
+		const timer = setTimeout(() => {
+			settle({
+				ok: false,
+				connectLatencyMs,
+				error: connectError ? `connect failed: ${connectError}` : "timeout",
+				close,
+				health: null,
+				status: null,
+				presence: null,
+				configSnapshot: null
+			});
+		}, Math.max(250, opts.timeoutMs));
+		client.start();
+	});
+}
+//#endregion
+//#region src/security/windows-acl.ts
+const INHERIT_FLAGS = new Set([
+	"I",
+	"OI",
+	"CI",
+	"IO",
+	"NP"
+]);
+const WORLD_PRINCIPALS = new Set([
+	"everyone",
+	"users",
+	"builtin\\users",
+	"authenticated users",
+	"nt authority\\authenticated users"
+]);
+const TRUSTED_BASE = new Set([
+	"nt authority\\system",
+	"system",
+	"builtin\\administrators",
+	"creator owner"
+]);
+const WORLD_SUFFIXES = ["\\users", "\\authenticated users"];
+const TRUSTED_SUFFIXES = ["\\administrators", "\\system"];
+const normalize = (value) => value.trim().toLowerCase();
+function resolveWindowsUserPrincipal(env) {
+	const username = env?.USERNAME?.trim() || os.userInfo().username?.trim();
+	if (!username) return null;
+	const domain = env?.USERDOMAIN?.trim();
+	return domain ? `${domain}\\${username}` : username;
+}
+function buildTrustedPrincipals(env) {
+	const trusted = new Set(TRUSTED_BASE);
+	const principal = resolveWindowsUserPrincipal(env);
+	if (principal) {
+		trusted.add(normalize(principal));
+		const userOnly = principal.split("\\").at(-1);
+		if (userOnly) trusted.add(normalize(userOnly));
+	}
+	return trusted;
+}
+function classifyPrincipal(principal, env) {
+	const normalized = normalize(principal);
+	if (buildTrustedPrincipals(env).has(normalized) || TRUSTED_SUFFIXES.some((s) => normalized.endsWith(s))) return "trusted";
+	if (WORLD_PRINCIPALS.has(normalized) || WORLD_SUFFIXES.some((s) => normalized.endsWith(s))) return "world";
+	return "group";
+}
+function rightsFromTokens(tokens) {
+	const upper = tokens.join("").toUpperCase();
+	const canWrite = upper.includes("F") || upper.includes("M") || upper.includes("W") || upper.includes("D");
+	return {
+		canRead: upper.includes("F") || upper.includes("M") || upper.includes("R"),
+		canWrite
+	};
+}
+function parseIcaclsOutput(output, targetPath) {
+	const entries = [];
+	const normalizedTarget = targetPath.trim();
+	const lowerTarget = normalizedTarget.toLowerCase();
+	const quotedTarget = `"${normalizedTarget}"`;
+	const quotedLower = quotedTarget.toLowerCase();
+	for (const rawLine of output.split(/\r?\n/)) {
+		const line = rawLine.trimEnd();
+		if (!line.trim()) continue;
+		const trimmed = line.trim();
+		const lower = trimmed.toLowerCase();
+		if (lower.startsWith("successfully processed") || lower.startsWith("processed") || lower.startsWith("failed processing") || lower.startsWith("no mapping between account names")) continue;
+		let entry = trimmed;
+		if (lower.startsWith(lowerTarget)) entry = trimmed.slice(normalizedTarget.length).trim();
+		else if (lower.startsWith(quotedLower)) entry = trimmed.slice(quotedTarget.length).trim();
+		if (!entry) continue;
+		const idx = entry.indexOf(":");
+		if (idx === -1) continue;
+		const principal = entry.slice(0, idx).trim();
+		const rawRights = entry.slice(idx + 1).trim();
+		const tokens = rawRights.match(/\(([^)]+)\)/g)?.map((token) => token.slice(1, -1).trim()).filter(Boolean) ?? [];
+		if (tokens.some((token) => token.toUpperCase() === "DENY")) continue;
+		const rights = tokens.filter((token) => !INHERIT_FLAGS.has(token.toUpperCase()));
+		if (rights.length === 0) continue;
+		const { canRead, canWrite } = rightsFromTokens(rights);
+		entries.push({
+			principal,
+			rights,
+			rawRights,
+			canRead,
+			canWrite
+		});
+	}
+	return entries;
+}
+function summarizeWindowsAcl(entries, env) {
+	const trusted = [];
+	const untrustedWorld = [];
+	const untrustedGroup = [];
+	for (const entry of entries) {
+		const classification = classifyPrincipal(entry.principal, env);
+		if (classification === "trusted") trusted.push(entry);
+		else if (classification === "world") untrustedWorld.push(entry);
+		else untrustedGroup.push(entry);
+	}
+	return {
+		trusted,
+		untrustedWorld,
+		untrustedGroup
+	};
+}
+async function inspectWindowsAcl(targetPath, opts) {
+	const exec = opts?.exec ?? runExec;
+	try {
+		const { stdout, stderr } = await exec("icacls", [targetPath]);
+		const entries = parseIcaclsOutput(`${stdout}\n${stderr}`.trim(), targetPath);
+		const { trusted, untrustedWorld, untrustedGroup } = summarizeWindowsAcl(entries, opts?.env);
+		return {
+			ok: true,
+			entries,
+			trusted,
+			untrustedWorld,
+			untrustedGroup
+		};
+	} catch (err) {
+		return {
+			ok: false,
+			entries: [],
+			trusted: [],
+			untrustedWorld: [],
+			untrustedGroup: [],
+			error: String(err)
+		};
+	}
+}
+function formatWindowsAclSummary(summary) {
+	if (!summary.ok) return "unknown";
+	const untrusted = [...summary.untrustedWorld, ...summary.untrustedGroup];
+	if (untrusted.length === 0) return "trusted-only";
+	return untrusted.map((entry) => `${entry.principal}:${entry.rawRights}`).join(", ");
+}
+function formatIcaclsResetCommand(targetPath, opts) {
+	const user = resolveWindowsUserPrincipal(opts.env) ?? "%USERNAME%";
+	const grant = opts.isDir ? "(OI)(CI)F" : "F";
+	return `icacls "${targetPath}" /inheritance:r /grant:r "${user}:${grant}" /grant:r "SYSTEM:${grant}"`;
+}
+function createIcaclsResetCommand(targetPath, opts) {
+	const user = resolveWindowsUserPrincipal(opts.env);
+	if (!user) return null;
+	const grant = opts.isDir ? "(OI)(CI)F" : "F";
+	return {
+		command: "icacls",
+		args: [
+			targetPath,
+			"/inheritance:r",
+			"/grant:r",
+			`${user}:${grant}`,
+			"/grant:r",
+			`SYSTEM:${grant}`
+		],
+		display: formatIcaclsResetCommand(targetPath, opts)
+	};
+}
+//#endregion
+//#region src/security/audit-fs.ts
+async function safeStat(targetPath) {
+	try {
+		const lst = await fs.lstat(targetPath);
+		return {
+			ok: true,
+			isSymlink: lst.isSymbolicLink(),
+			isDir: lst.isDirectory(),
+			mode: typeof lst.mode === "number" ? lst.mode : null,
+			uid: typeof lst.uid === "number" ? lst.uid : null,
+			gid: typeof lst.gid === "number" ? lst.gid : null
+		};
+	} catch (err) {
+		return {
+			ok: false,
+			isSymlink: false,
+			isDir: false,
+			mode: null,
+			uid: null,
+			gid: null,
+			error: String(err)
+		};
+	}
+}
+async function inspectPathPermissions(targetPath, opts) {
+	const st = await safeStat(targetPath);
+	if (!st.ok) return {
+		ok: false,
+		isSymlink: false,
+		isDir: false,
+		mode: null,
+		bits: null,
+		source: "unknown",
+		worldWritable: false,
+		groupWritable: false,
+		worldReadable: false,
+		groupReadable: false,
+		error: st.error
+	};
+	const bits = modeBits(st.mode);
+	if ((opts?.platform ?? process.platform) === "win32") {
+		const acl = await inspectWindowsAcl(targetPath, {
+			env: opts?.env,
+			exec: opts?.exec
+		});
+		if (!acl.ok) return {
+			ok: true,
+			isSymlink: st.isSymlink,
+			isDir: st.isDir,
+			mode: st.mode,
+			bits,
+			source: "unknown",
+			worldWritable: false,
+			groupWritable: false,
+			worldReadable: false,
+			groupReadable: false,
+			error: acl.error
+		};
+		return {
+			ok: true,
+			isSymlink: st.isSymlink,
+			isDir: st.isDir,
+			mode: st.mode,
+			bits,
+			source: "windows-acl",
+			worldWritable: acl.untrustedWorld.some((entry) => entry.canWrite),
+			groupWritable: acl.untrustedGroup.some((entry) => entry.canWrite),
+			worldReadable: acl.untrustedWorld.some((entry) => entry.canRead),
+			groupReadable: acl.untrustedGroup.some((entry) => entry.canRead),
+			aclSummary: formatWindowsAclSummary(acl)
+		};
+	}
+	return {
+		ok: true,
+		isSymlink: st.isSymlink,
+		isDir: st.isDir,
+		mode: st.mode,
+		bits,
+		source: "posix",
+		worldWritable: isWorldWritable(bits),
+		groupWritable: isGroupWritable(bits),
+		worldReadable: isWorldReadable(bits),
+		groupReadable: isGroupReadable(bits)
+	};
+}
+function formatPermissionDetail(targetPath, perms) {
+	if (perms.source === "windows-acl") return `${targetPath} acl=${perms.aclSummary ?? "unknown"}`;
+	return `${targetPath} mode=${formatOctal(perms.bits)}`;
+}
+function formatPermissionRemediation(params) {
+	if (params.perms.source === "windows-acl") return formatIcaclsResetCommand(params.targetPath, {
+		isDir: params.isDir,
+		env: params.env
+	});
+	return `chmod ${params.posixMode.toString(8).padStart(3, "0")} ${params.targetPath}`;
+}
+function modeBits(mode) {
+	if (mode == null) return null;
+	return mode & 511;
+}
+function formatOctal(bits) {
+	if (bits == null) return "unknown";
+	return bits.toString(8).padStart(3, "0");
+}
+function isWorldWritable(bits) {
+	if (bits == null) return false;
+	return (bits & 2) !== 0;
+}
+function isGroupWritable(bits) {
+	if (bits == null) return false;
+	return (bits & 16) !== 0;
+}
+function isWorldReadable(bits) {
+	if (bits == null) return false;
+	return (bits & 4) !== 0;
+}
+function isGroupReadable(bits) {
+	if (bits == null) return false;
+	return (bits & 32) !== 0;
+}
+//#endregion
+//#region src/security/audit-extra.ts
+const SMALL_MODEL_PARAM_B_MAX = 300;
+function expandTilde(p, env) {
+	if (!p.startsWith("~")) return p;
+	const home = typeof env.HOME === "string" && env.HOME.trim() ? env.HOME.trim() : null;
+	if (!home) return null;
+	if (p === "~") return home;
+	if (p.startsWith("~/") || p.startsWith("~\\")) return path.join(home, p.slice(2));
+	return null;
+}
+function summarizeGroupPolicy(cfg) {
+	const channels = cfg.channels;
+	if (!channels || typeof channels !== "object") return {
+		open: 0,
+		allowlist: 0,
+		other: 0
+	};
+	let open = 0;
+	let allowlist = 0;
+	let other = 0;
+	for (const value of Object.values(channels)) {
+		if (!value || typeof value !== "object") continue;
+		const policy = value.groupPolicy;
+		if (policy === "open") open += 1;
+		else if (policy === "allowlist") allowlist += 1;
+		else other += 1;
+	}
+	return {
+		open,
+		allowlist,
+		other
+	};
+}
+function collectAttackSurfaceSummaryFindings(cfg) {
+	const group = summarizeGroupPolicy(cfg);
+	const elevated = cfg.tools?.elevated?.enabled !== false;
+	const hooksEnabled = cfg.hooks?.enabled === true;
+	const browserEnabled = cfg.browser?.enabled ?? true;
+	return [{
+		checkId: "summary.attack_surface",
+		severity: "info",
+		title: "Attack surface summary",
+		detail: `groups: open=${group.open}, allowlist=${group.allowlist}\ntools.elevated: ${elevated ? "enabled" : "disabled"}\nhooks: ${hooksEnabled ? "enabled" : "disabled"}\nbrowser control: ${browserEnabled ? "enabled" : "disabled"}`
+	}];
+}
+function isProbablySyncedPath(p) {
+	const s = p.toLowerCase();
+	return s.includes("icloud") || s.includes("dropbox") || s.includes("google drive") || s.includes("googledrive") || s.includes("onedrive");
+}
+function collectSyncedFolderFindings(params) {
+	const findings = [];
+	if (isProbablySyncedPath(params.stateDir) || isProbablySyncedPath(params.configPath)) findings.push({
+		checkId: "fs.synced_dir",
+		severity: "warn",
+		title: "State/config path looks like a synced folder",
+		detail: `stateDir=${params.stateDir}, configPath=${params.configPath}. Synced folders (iCloud/Dropbox/OneDrive/Google Drive) can leak tokens and transcripts onto other devices.`,
+		remediation: `Keep OPENCLAW_STATE_DIR on a local-only volume and re-run "${formatCliCommand("openclaw security audit --fix")}".`
+	});
+	return findings;
+}
+function looksLikeEnvRef(value) {
+	const v = value.trim();
+	return v.startsWith("${") && v.endsWith("}");
+}
+function collectSecretsInConfigFindings(cfg) {
+	const findings = [];
+	const password = typeof cfg.gateway?.auth?.password === "string" ? cfg.gateway.auth.password.trim() : "";
+	if (password && !looksLikeEnvRef(password)) findings.push({
+		checkId: "config.secrets.gateway_password_in_config",
+		severity: "warn",
+		title: "Gateway password is stored in config",
+		detail: "gateway.auth.password is set in the config file; prefer environment variables for secrets when possible.",
+		remediation: "Prefer OPENCLAW_GATEWAY_PASSWORD (env) and remove gateway.auth.password from disk."
+	});
+	const hooksToken = typeof cfg.hooks?.token === "string" ? cfg.hooks.token.trim() : "";
+	if (cfg.hooks?.enabled === true && hooksToken && !looksLikeEnvRef(hooksToken)) findings.push({
+		checkId: "config.secrets.hooks_token_in_config",
+		severity: "info",
+		title: "Hooks token is stored in config",
+		detail: "hooks.token is set in the config file; keep config perms tight and treat it like an API secret."
+	});
+	return findings;
+}
+function collectHooksHardeningFindings(cfg) {
+	const findings = [];
+	if (cfg.hooks?.enabled !== true) return findings;
+	const token = typeof cfg.hooks?.token === "string" ? cfg.hooks.token.trim() : "";
+	if (token && token.length < 24) findings.push({
+		checkId: "hooks.token_too_short",
+		severity: "warn",
+		title: "Hooks token looks short",
+		detail: `hooks.token is ${token.length} chars; prefer a long random token.`
+	});
+	const gatewayAuth = resolveGatewayAuth({
+		authConfig: cfg.gateway?.auth,
+		tailscaleMode: cfg.gateway?.tailscale?.mode ?? "off"
+	});
+	const gatewayToken = gatewayAuth.mode === "token" && typeof gatewayAuth.token === "string" && gatewayAuth.token.trim() ? gatewayAuth.token.trim() : null;
+	if (token && gatewayToken && token === gatewayToken) findings.push({
+		checkId: "hooks.token_reuse_gateway_token",
+		severity: "warn",
+		title: "Hooks token reuses the Gateway token",
+		detail: "hooks.token matches gateway.auth token; compromise of hooks expands blast radius to the Gateway API.",
+		remediation: "Use a separate hooks.token dedicated to hook ingress."
+	});
+	if ((typeof cfg.hooks?.path === "string" ? cfg.hooks.path.trim() : "") === "/") findings.push({
+		checkId: "hooks.path_root",
+		severity: "critical",
+		title: "Hooks base path is '/'",
+		detail: "hooks.path='/' would shadow other HTTP endpoints and is unsafe.",
+		remediation: "Use a dedicated path like '/hooks'."
+	});
+	return findings;
+}
+function addModel(models, raw, source) {
+	if (typeof raw !== "string") return;
+	const id = raw.trim();
+	if (!id) return;
+	models.push({
+		id,
+		source
+	});
+}
+function collectModels(cfg) {
+	const out = [];
+	addModel(out, cfg.agents?.defaults?.model?.primary, "agents.defaults.model.primary");
+	for (const f of cfg.agents?.defaults?.model?.fallbacks ?? []) addModel(out, f, "agents.defaults.model.fallbacks");
+	addModel(out, cfg.agents?.defaults?.imageModel?.primary, "agents.defaults.imageModel.primary");
+	for (const f of cfg.agents?.defaults?.imageModel?.fallbacks ?? []) addModel(out, f, "agents.defaults.imageModel.fallbacks");
+	const list = Array.isArray(cfg.agents?.list) ? cfg.agents?.list : [];
+	for (const agent of list ?? []) {
+		if (!agent || typeof agent !== "object") continue;
+		const id = typeof agent.id === "string" ? agent.id : "";
+		const model = agent.model;
+		if (typeof model === "string") addModel(out, model, `agents.list.${id}.model`);
+		else if (model && typeof model === "object") {
+			addModel(out, model.primary, `agents.list.${id}.model.primary`);
+			const fallbacks = model.fallbacks;
+			if (Array.isArray(fallbacks)) for (const f of fallbacks) addModel(out, f, `agents.list.${id}.model.fallbacks`);
+		}
+	}
+	return out;
+}
+const LEGACY_MODEL_PATTERNS = [
+	{
+		id: "openai.gpt35",
+		re: /\bgpt-3\.5\b/i,
+		label: "GPT-3.5 family"
+	},
+	{
+		id: "anthropic.claude2",
+		re: /\bclaude-(instant|2)\b/i,
+		label: "Claude 2/Instant family"
+	},
+	{
+		id: "openai.gpt4_legacy",
+		re: /\bgpt-4-(0314|0613)\b/i,
+		label: "Legacy GPT-4 snapshots"
+	}
+];
+const WEAK_TIER_MODEL_PATTERNS = [{
+	id: "anthropic.haiku",
+	re: /\bhaiku\b/i,
+	label: "Haiku tier (smaller model)"
+}];
+function inferParamBFromIdOrName(text) {
+	const matches = text.toLowerCase().matchAll(/(?:^|[^a-z0-9])[a-z]?(\d+(?:\.\d+)?)b(?:[^a-z0-9]|$)/g);
+	let best = null;
+	for (const match of matches) {
+		const numRaw = match[1];
+		if (!numRaw) continue;
+		const value = Number(numRaw);
+		if (!Number.isFinite(value) || value <= 0) continue;
+		if (best === null || value > best) best = value;
+	}
+	return best;
+}
+function isGptModel(id) {
+	return /\bgpt-/i.test(id);
+}
+function isGpt5OrHigher(id) {
+	return /\bgpt-5(?:\b|[.-])/i.test(id);
+}
+function isClaudeModel(id) {
+	return /\bclaude-/i.test(id);
+}
+function isClaude45OrHigher(id) {
+	return /\bclaude-[^\s/]*?(?:-4-?5\b|4\.5\b)/i.test(id);
+}
+function collectModelHygieneFindings(cfg) {
+	const findings = [];
+	const models = collectModels(cfg);
+	if (models.length === 0) return findings;
+	const weakMatches = /* @__PURE__ */ new Map();
+	const addWeakMatch = (model, source, reason) => {
+		const key = `${model}@@${source}`;
+		const existing = weakMatches.get(key);
+		if (!existing) {
+			weakMatches.set(key, {
+				model,
+				source,
+				reasons: [reason]
+			});
+			return;
+		}
+		if (!existing.reasons.includes(reason)) existing.reasons.push(reason);
+	};
+	for (const entry of models) {
+		for (const pat of WEAK_TIER_MODEL_PATTERNS) if (pat.re.test(entry.id)) {
+			addWeakMatch(entry.id, entry.source, pat.label);
+			break;
+		}
+		if (isGptModel(entry.id) && !isGpt5OrHigher(entry.id)) addWeakMatch(entry.id, entry.source, "Below GPT-5 family");
+		if (isClaudeModel(entry.id) && !isClaude45OrHigher(entry.id)) addWeakMatch(entry.id, entry.source, "Below Claude 4.5");
+	}
+	const matches = [];
+	for (const entry of models) for (const pat of LEGACY_MODEL_PATTERNS) if (pat.re.test(entry.id)) {
+		matches.push({
+			model: entry.id,
+			source: entry.source,
+			reason: pat.label
+		});
+		break;
+	}
+	if (matches.length > 0) {
+		const lines = matches.slice(0, 12).map((m) => `- ${m.model} (${m.reason}) @ ${m.source}`).join("\n");
+		const more = matches.length > 12 ? `\n…${matches.length - 12} more` : "";
+		findings.push({
+			checkId: "models.legacy",
+			severity: "warn",
+			title: "Some configured models look legacy",
+			detail: "Older/legacy models can be less robust against prompt injection and tool misuse.\n" + lines + more,
+			remediation: "Prefer modern, instruction-hardened models for any bot that can run tools."
+		});
+	}
+	if (weakMatches.size > 0) {
+		const lines = Array.from(weakMatches.values()).slice(0, 12).map((m) => `- ${m.model} (${m.reasons.join("; ")}) @ ${m.source}`).join("\n");
+		const more = weakMatches.size > 12 ? `\n…${weakMatches.size - 12} more` : "";
+		findings.push({
+			checkId: "models.weak_tier",
+			severity: "warn",
+			title: "Some configured models are below recommended tiers",
+			detail: "Smaller/older models are generally more susceptible to prompt injection and tool misuse.\n" + lines + more,
+			remediation: "Use the latest, top-tier model for any bot with tools or untrusted inboxes. Avoid Haiku tiers; prefer GPT-5+ and Claude 4.5+."
+		});
+	}
+	return findings;
+}
+function extractAgentIdFromSource(source) {
+	return source.match(/^agents\.list\.([^.]*)\./)?.[1] ?? null;
+}
+function pickToolPolicy(config) {
+	if (!config) return null;
+	const allow = Array.isArray(config.allow) ? config.allow : void 0;
+	const deny = Array.isArray(config.deny) ? config.deny : void 0;
+	if (!allow && !deny) return null;
+	return {
+		allow,
+		deny
+	};
+}
+function resolveToolPolicies(params) {
+	const policies = [];
+	const profilePolicy = resolveToolProfilePolicy(params.agentTools?.profile ?? params.cfg.tools?.profile);
+	if (profilePolicy) policies.push(profilePolicy);
+	const globalPolicy = pickToolPolicy(params.cfg.tools ?? void 0);
+	if (globalPolicy) policies.push(globalPolicy);
+	const agentPolicy = pickToolPolicy(params.agentTools);
+	if (agentPolicy) policies.push(agentPolicy);
+	if (params.sandboxMode === "all") {
+		const sandboxPolicy = resolveSandboxToolPolicyForAgent(params.cfg, params.agentId ?? void 0);
+		policies.push(sandboxPolicy);
+	}
+	return policies;
+}
+function hasWebSearchKey(cfg, env) {
+	const search = cfg.tools?.web?.search;
+	return Boolean(search?.apiKey || search?.perplexity?.apiKey || env.BRAVE_API_KEY || env.PERPLEXITY_API_KEY || env.OPENROUTER_API_KEY);
+}
+function isWebSearchEnabled(cfg, env) {
+	const enabled = cfg.tools?.web?.search?.enabled;
+	if (enabled === false) return false;
+	if (enabled === true) return true;
+	return hasWebSearchKey(cfg, env);
+}
+function isWebFetchEnabled(cfg) {
+	if (cfg.tools?.web?.fetch?.enabled === false) return false;
+	return true;
+}
+function isBrowserEnabled(cfg) {
+	try {
+		return resolveBrowserConfig(cfg.browser, cfg).enabled;
+	} catch {
+		return true;
+	}
+}
+function collectSmallModelRiskFindings(params) {
+	const findings = [];
+	const models = collectModels(params.cfg).filter((entry) => !entry.source.includes("imageModel"));
+	if (models.length === 0) return findings;
+	const smallModels = models.map((entry) => {
+		const paramB = inferParamBFromIdOrName(entry.id);
+		if (!paramB || paramB > SMALL_MODEL_PARAM_B_MAX) return null;
+		return {
+			...entry,
+			paramB
+		};
+	}).filter((entry) => Boolean(entry));
+	if (smallModels.length === 0) return findings;
+	let hasUnsafe = false;
+	const modelLines = [];
+	const exposureSet = /* @__PURE__ */ new Set();
+	for (const entry of smallModels) {
+		const agentId = extractAgentIdFromSource(entry.source);
+		const sandboxMode = resolveSandboxConfigForAgent(params.cfg, agentId ?? void 0).mode;
+		const agentTools = agentId && params.cfg.agents?.list ? params.cfg.agents.list.find((agent) => agent?.id === agentId)?.tools : void 0;
+		const policies = resolveToolPolicies({
+			cfg: params.cfg,
+			agentTools,
+			sandboxMode,
+			agentId
+		});
+		const exposed = [];
+		if (isWebSearchEnabled(params.cfg, params.env)) {
+			if (isToolAllowedByPolicies("web_search", policies)) exposed.push("web_search");
+		}
+		if (isWebFetchEnabled(params.cfg)) {
+			if (isToolAllowedByPolicies("web_fetch", policies)) exposed.push("web_fetch");
+		}
+		if (isBrowserEnabled(params.cfg)) {
+			if (isToolAllowedByPolicies("browser", policies)) exposed.push("browser");
+		}
+		for (const tool of exposed) exposureSet.add(tool);
+		const sandboxLabel = sandboxMode === "all" ? "sandbox=all" : `sandbox=${sandboxMode}`;
+		const exposureLabel = exposed.length > 0 ? ` web=[${exposed.join(", ")}]` : " web=[off]";
+		const safe = sandboxMode === "all" && exposed.length === 0;
+		if (!safe) hasUnsafe = true;
+		const statusLabel = safe ? "ok" : "unsafe";
+		modelLines.push(`- ${entry.id} (${entry.paramB}B) @ ${entry.source} (${statusLabel}; ${sandboxLabel};${exposureLabel})`);
+	}
+	const exposureList = Array.from(exposureSet);
+	const exposureDetail = exposureList.length > 0 ? `Uncontrolled input tools allowed: ${exposureList.join(", ")}.` : "No web/browser tools detected for these models.";
+	findings.push({
+		checkId: "models.small_params",
+		severity: hasUnsafe ? "critical" : "info",
+		title: "Small models require sandboxing and web tools disabled",
+		detail: `Small models (<=${SMALL_MODEL_PARAM_B_MAX}B params) detected:\n` + modelLines.join("\n") + `\n` + exposureDetail + "\nSmall models are not recommended for untrusted inputs.",
+		remediation: "If you must use small models, enable sandboxing for all sessions (agents.defaults.sandbox.mode=\"all\") and disable web_search/web_fetch/browser (tools.deny=[\"group:web\",\"browser\"])."
+	});
+	return findings;
+}
+async function collectPluginsTrustFindings(params) {
+	const findings = [];
+	const extensionsDir = path.join(params.stateDir, "extensions");
+	const st = await safeStat(extensionsDir);
+	if (!st.ok || !st.isDir) return findings;
+	const pluginDirs = (await fs.readdir(extensionsDir, { withFileTypes: true }).catch(() => [])).filter((e) => e.isDirectory()).map((e) => e.name).filter(Boolean);
+	if (pluginDirs.length === 0) return findings;
+	const allow = params.cfg.plugins?.allow;
+	if (!(Array.isArray(allow) && allow.length > 0)) {
+		const hasString = (value) => typeof value === "string" && value.trim().length > 0;
+		const hasAccountStringKey = (account, key) => Boolean(account && typeof account === "object" && hasString(account[key]));
+		const discordConfigured = hasString(params.cfg.channels?.discord?.token) || Boolean(params.cfg.channels?.discord?.accounts && Object.values(params.cfg.channels.discord.accounts).some((a) => hasAccountStringKey(a, "token"))) || hasString(process.env.DISCORD_BOT_TOKEN);
+		const telegramConfigured = hasString(params.cfg.channels?.telegram?.botToken) || hasString(params.cfg.channels?.telegram?.tokenFile) || Boolean(params.cfg.channels?.telegram?.accounts && Object.values(params.cfg.channels.telegram.accounts).some((a) => hasAccountStringKey(a, "botToken") || hasAccountStringKey(a, "tokenFile"))) || hasString(process.env.TELEGRAM_BOT_TOKEN);
+		const slackConfigured = hasString(params.cfg.channels?.slack?.botToken) || hasString(params.cfg.channels?.slack?.appToken) || Boolean(params.cfg.channels?.slack?.accounts && Object.values(params.cfg.channels.slack.accounts).some((a) => hasAccountStringKey(a, "botToken") || hasAccountStringKey(a, "appToken"))) || hasString(process.env.SLACK_BOT_TOKEN) || hasString(process.env.SLACK_APP_TOKEN);
+		const skillCommandsLikelyExposed = discordConfigured && resolveNativeSkillsEnabled({
+			providerId: "discord",
+			providerSetting: params.cfg.channels?.discord?.commands?.nativeSkills,
+			globalSetting: params.cfg.commands?.nativeSkills
+		}) || telegramConfigured && resolveNativeSkillsEnabled({
+			providerId: "telegram",
+			providerSetting: params.cfg.channels?.telegram?.commands?.nativeSkills,
+			globalSetting: params.cfg.commands?.nativeSkills
+		}) || slackConfigured && resolveNativeSkillsEnabled({
+			providerId: "slack",
+			providerSetting: params.cfg.channels?.slack?.commands?.nativeSkills,
+			globalSetting: params.cfg.commands?.nativeSkills
+		});
+		findings.push({
+			checkId: "plugins.extensions_no_allowlist",
+			severity: skillCommandsLikelyExposed ? "critical" : "warn",
+			title: "Extensions exist but plugins.allow is not set",
+			detail: `Found ${pluginDirs.length} extension(s) under ${extensionsDir}. Without plugins.allow, any discovered plugin id may load (depending on config and plugin behavior).` + (skillCommandsLikelyExposed ? "\nNative skill commands are enabled on at least one configured chat surface; treat unpinned/unallowlisted extensions as high risk." : ""),
+			remediation: "Set plugins.allow to an explicit list of plugin ids you trust."
+		});
+	}
+	return findings;
+}
+function resolveIncludePath(baseConfigPath, includePath) {
+	return path.normalize(path.isAbsolute(includePath) ? includePath : path.resolve(path.dirname(baseConfigPath), includePath));
+}
+function listDirectIncludes(parsed) {
+	const out = [];
+	const visit = (value) => {
+		if (!value) return;
+		if (Array.isArray(value)) {
+			for (const item of value) visit(item);
+			return;
+		}
+		if (typeof value !== "object") return;
+		const rec = value;
+		const includeVal = rec[INCLUDE_KEY];
+		if (typeof includeVal === "string") out.push(includeVal);
+		else if (Array.isArray(includeVal)) {
+			for (const item of includeVal) if (typeof item === "string") out.push(item);
+		}
+		for (const v of Object.values(rec)) visit(v);
+	};
+	visit(parsed);
+	return out;
+}
+async function collectIncludePathsRecursive(params) {
+	const visited = /* @__PURE__ */ new Set();
+	const result = [];
+	const walk = async (basePath, parsed, depth) => {
+		if (depth > MAX_INCLUDE_DEPTH) return;
+		for (const raw of listDirectIncludes(parsed)) {
+			const resolved = resolveIncludePath(basePath, raw);
+			if (visited.has(resolved)) continue;
+			visited.add(resolved);
+			result.push(resolved);
+			const rawText = await fs.readFile(resolved, "utf-8").catch(() => null);
+			if (!rawText) continue;
+			const nestedParsed = (() => {
+				try {
+					return JSON5.parse(rawText);
+				} catch {
+					return null;
+				}
+			})();
+			if (nestedParsed) await walk(resolved, nestedParsed, depth + 1);
+		}
+	};
+	await walk(params.configPath, params.parsed, 0);
+	return result;
+}
+async function collectIncludeFilePermFindings(params) {
+	const findings = [];
+	if (!params.configSnapshot.exists) return findings;
+	const configPath = params.configSnapshot.path;
+	const includePaths = await collectIncludePathsRecursive({
+		configPath,
+		parsed: params.configSnapshot.parsed
+	});
+	if (includePaths.length === 0) return findings;
+	for (const p of includePaths) {
+		const perms = await inspectPathPermissions(p, {
+			env: params.env,
+			platform: params.platform,
+			exec: params.execIcacls
+		});
+		if (!perms.ok) continue;
+		if (perms.worldWritable || perms.groupWritable) findings.push({
+			checkId: "fs.config_include.perms_writable",
+			severity: "critical",
+			title: "Config include file is writable by others",
+			detail: `${formatPermissionDetail(p, perms)}; another user could influence your effective config.`,
+			remediation: formatPermissionRemediation({
+				targetPath: p,
+				perms,
+				isDir: false,
+				posixMode: 384,
+				env: params.env
+			})
+		});
+		else if (perms.worldReadable) findings.push({
+			checkId: "fs.config_include.perms_world_readable",
+			severity: "critical",
+			title: "Config include file is world-readable",
+			detail: `${formatPermissionDetail(p, perms)}; include files can contain tokens and private settings.`,
+			remediation: formatPermissionRemediation({
+				targetPath: p,
+				perms,
+				isDir: false,
+				posixMode: 384,
+				env: params.env
+			})
+		});
+		else if (perms.groupReadable) findings.push({
+			checkId: "fs.config_include.perms_group_readable",
+			severity: "warn",
+			title: "Config include file is group-readable",
+			detail: `${formatPermissionDetail(p, perms)}; include files can contain tokens and private settings.`,
+			remediation: formatPermissionRemediation({
+				targetPath: p,
+				perms,
+				isDir: false,
+				posixMode: 384,
+				env: params.env
+			})
+		});
+	}
+	return findings;
+}
+async function collectStateDeepFilesystemFindings(params) {
+	const findings = [];
+	const oauthDir = resolveOAuthDir(params.env, params.stateDir);
+	const oauthPerms = await inspectPathPermissions(oauthDir, {
+		env: params.env,
+		platform: params.platform,
+		exec: params.execIcacls
+	});
+	if (oauthPerms.ok && oauthPerms.isDir) {
+		if (oauthPerms.worldWritable || oauthPerms.groupWritable) findings.push({
+			checkId: "fs.credentials_dir.perms_writable",
+			severity: "critical",
+			title: "Credentials dir is writable by others",
+			detail: `${formatPermissionDetail(oauthDir, oauthPerms)}; another user could drop/modify credential files.`,
+			remediation: formatPermissionRemediation({
+				targetPath: oauthDir,
+				perms: oauthPerms,
+				isDir: true,
+				posixMode: 448,
+				env: params.env
+			})
+		});
+		else if (oauthPerms.groupReadable || oauthPerms.worldReadable) findings.push({
+			checkId: "fs.credentials_dir.perms_readable",
+			severity: "warn",
+			title: "Credentials dir is readable by others",
+			detail: `${formatPermissionDetail(oauthDir, oauthPerms)}; credentials and allowlists can be sensitive.`,
+			remediation: formatPermissionRemediation({
+				targetPath: oauthDir,
+				perms: oauthPerms,
+				isDir: true,
+				posixMode: 448,
+				env: params.env
+			})
+		});
+	}
+	const agentIds = Array.isArray(params.cfg.agents?.list) ? params.cfg.agents?.list.map((a) => a && typeof a === "object" && typeof a.id === "string" ? a.id.trim() : "").filter(Boolean) : [];
+	const defaultAgentId = resolveDefaultAgentId(params.cfg);
+	const ids = Array.from(new Set([defaultAgentId, ...agentIds])).map((id) => normalizeAgentId(id));
+	for (const agentId of ids) {
+		const agentDir = path.join(params.stateDir, "agents", agentId, "agent");
+		const authPath = path.join(agentDir, "auth-profiles.json");
+		const authPerms = await inspectPathPermissions(authPath, {
+			env: params.env,
+			platform: params.platform,
+			exec: params.execIcacls
+		});
+		if (authPerms.ok) {
+			if (authPerms.worldWritable || authPerms.groupWritable) findings.push({
+				checkId: "fs.auth_profiles.perms_writable",
+				severity: "critical",
+				title: "auth-profiles.json is writable by others",
+				detail: `${formatPermissionDetail(authPath, authPerms)}; another user could inject credentials.`,
+				remediation: formatPermissionRemediation({
+					targetPath: authPath,
+					perms: authPerms,
+					isDir: false,
+					posixMode: 384,
+					env: params.env
+				})
+			});
+			else if (authPerms.worldReadable || authPerms.groupReadable) findings.push({
+				checkId: "fs.auth_profiles.perms_readable",
+				severity: "warn",
+				title: "auth-profiles.json is readable by others",
+				detail: `${formatPermissionDetail(authPath, authPerms)}; auth-profiles.json contains API keys and OAuth tokens.`,
+				remediation: formatPermissionRemediation({
+					targetPath: authPath,
+					perms: authPerms,
+					isDir: false,
+					posixMode: 384,
+					env: params.env
+				})
+			});
+		}
+		const storePath = path.join(params.stateDir, "agents", agentId, "sessions", "sessions.json");
+		const storePerms = await inspectPathPermissions(storePath, {
+			env: params.env,
+			platform: params.platform,
+			exec: params.execIcacls
+		});
+		if (storePerms.ok) {
+			if (storePerms.worldReadable || storePerms.groupReadable) findings.push({
+				checkId: "fs.sessions_store.perms_readable",
+				severity: "warn",
+				title: "sessions.json is readable by others",
+				detail: `${formatPermissionDetail(storePath, storePerms)}; routing and transcript metadata can be sensitive.`,
+				remediation: formatPermissionRemediation({
+					targetPath: storePath,
+					perms: storePerms,
+					isDir: false,
+					posixMode: 384,
+					env: params.env
+				})
+			});
+		}
+	}
+	const logFile = typeof params.cfg.logging?.file === "string" ? params.cfg.logging.file.trim() : "";
+	if (logFile) {
+		const expanded = logFile.startsWith("~") ? expandTilde(logFile, params.env) : logFile;
+		if (expanded) {
+			const logPath = path.resolve(expanded);
+			const logPerms = await inspectPathPermissions(logPath, {
+				env: params.env,
+				platform: params.platform,
+				exec: params.execIcacls
+			});
+			if (logPerms.ok) {
+				if (logPerms.worldReadable || logPerms.groupReadable) findings.push({
+					checkId: "fs.log_file.perms_readable",
+					severity: "warn",
+					title: "Log file is readable by others",
+					detail: `${formatPermissionDetail(logPath, logPerms)}; logs can contain private messages and tool output.`,
+					remediation: formatPermissionRemediation({
+						targetPath: logPath,
+						perms: logPerms,
+						isDir: false,
+						posixMode: 384,
+						env: params.env
+					})
+				});
+			}
+		}
+	}
+	return findings;
+}
+function listGroupPolicyOpen(cfg) {
+	const out = [];
+	const channels = cfg.channels;
+	if (!channels || typeof channels !== "object") return out;
+	for (const [channelId, value] of Object.entries(channels)) {
+		if (!value || typeof value !== "object") continue;
+		const section = value;
+		if (section.groupPolicy === "open") out.push(`channels.${channelId}.groupPolicy`);
+		const accounts = section.accounts;
+		if (accounts && typeof accounts === "object") for (const [accountId, accountVal] of Object.entries(accounts)) {
+			if (!accountVal || typeof accountVal !== "object") continue;
+			if (accountVal.groupPolicy === "open") out.push(`channels.${channelId}.accounts.${accountId}.groupPolicy`);
+		}
+	}
+	return out;
+}
+function collectExposureMatrixFindings(cfg) {
+	const findings = [];
+	const openGroups = listGroupPolicyOpen(cfg);
+	if (openGroups.length === 0) return findings;
+	if (cfg.tools?.elevated?.enabled !== false) findings.push({
+		checkId: "security.exposure.open_groups_with_elevated",
+		severity: "critical",
+		title: "Open groupPolicy with elevated tools enabled",
+		detail: `Found groupPolicy="open" at:\n${openGroups.map((p) => `- ${p}`).join("\n")}\nWith tools.elevated enabled, a prompt injection in those rooms can become a high-impact incident.`,
+		remediation: `Set groupPolicy="allowlist" and keep elevated allowlists extremely tight.`
+	});
+	return findings;
+}
+async function readConfigSnapshotForAudit(params) {
+	return await createConfigIO({
+		env: params.env,
+		configPath: params.configPath
+	}).readConfigFileSnapshot();
+}
+//#endregion
+//#region src/security/audit.ts
+function countBySeverity(findings) {
+	let critical = 0;
+	let warn = 0;
+	let info = 0;
+	for (const f of findings) if (f.severity === "critical") critical += 1;
+	else if (f.severity === "warn") warn += 1;
+	else info += 1;
+	return {
+		critical,
+		warn,
+		info
+	};
+}
+function normalizeAllowFromList(list) {
+	if (!Array.isArray(list)) return [];
+	return list.map((v) => String(v).trim()).filter(Boolean);
+}
+function classifyChannelWarningSeverity(message) {
+	const s = message.toLowerCase();
+	if (s.includes("dms: open") || s.includes("grouppolicy=\"open\"") || s.includes("dmpolicy=\"open\"")) return "critical";
+	if (s.includes("allows any") || s.includes("anyone can dm") || s.includes("public")) return "critical";
+	if (s.includes("locked") || s.includes("disabled")) return "info";
+	return "warn";
+}
+async function collectFilesystemFindings(params) {
+	const findings = [];
+	const stateDirPerms = await inspectPathPermissions(params.stateDir, {
+		env: params.env,
+		platform: params.platform,
+		exec: params.execIcacls
+	});
+	if (stateDirPerms.ok) {
+		if (stateDirPerms.isSymlink) findings.push({
+			checkId: "fs.state_dir.symlink",
+			severity: "warn",
+			title: "State dir is a symlink",
+			detail: `${params.stateDir} is a symlink; treat this as an extra trust boundary.`
+		});
+		if (stateDirPerms.worldWritable) findings.push({
+			checkId: "fs.state_dir.perms_world_writable",
+			severity: "critical",
+			title: "State dir is world-writable",
+			detail: `${formatPermissionDetail(params.stateDir, stateDirPerms)}; other users can write into your OpenClaw state.`,
+			remediation: formatPermissionRemediation({
+				targetPath: params.stateDir,
+				perms: stateDirPerms,
+				isDir: true,
+				posixMode: 448,
+				env: params.env
+			})
+		});
+		else if (stateDirPerms.groupWritable) findings.push({
+			checkId: "fs.state_dir.perms_group_writable",
+			severity: "warn",
+			title: "State dir is group-writable",
+			detail: `${formatPermissionDetail(params.stateDir, stateDirPerms)}; group users can write into your OpenClaw state.`,
+			remediation: formatPermissionRemediation({
+				targetPath: params.stateDir,
+				perms: stateDirPerms,
+				isDir: true,
+				posixMode: 448,
+				env: params.env
+			})
+		});
+		else if (stateDirPerms.groupReadable || stateDirPerms.worldReadable) findings.push({
+			checkId: "fs.state_dir.perms_readable",
+			severity: "warn",
+			title: "State dir is readable by others",
+			detail: `${formatPermissionDetail(params.stateDir, stateDirPerms)}; consider restricting to 700.`,
+			remediation: formatPermissionRemediation({
+				targetPath: params.stateDir,
+				perms: stateDirPerms,
+				isDir: true,
+				posixMode: 448,
+				env: params.env
+			})
+		});
+	}
+	const configPerms = await inspectPathPermissions(params.configPath, {
+		env: params.env,
+		platform: params.platform,
+		exec: params.execIcacls
+	});
+	if (configPerms.ok) {
+		if (configPerms.isSymlink) findings.push({
+			checkId: "fs.config.symlink",
+			severity: "warn",
+			title: "Config file is a symlink",
+			detail: `${params.configPath} is a symlink; make sure you trust its target.`
+		});
+		if (configPerms.worldWritable || configPerms.groupWritable) findings.push({
+			checkId: "fs.config.perms_writable",
+			severity: "critical",
+			title: "Config file is writable by others",
+			detail: `${formatPermissionDetail(params.configPath, configPerms)}; another user could change gateway/auth/tool policies.`,
+			remediation: formatPermissionRemediation({
+				targetPath: params.configPath,
+				perms: configPerms,
+				isDir: false,
+				posixMode: 384,
+				env: params.env
+			})
+		});
+		else if (configPerms.worldReadable) findings.push({
+			checkId: "fs.config.perms_world_readable",
+			severity: "critical",
+			title: "Config file is world-readable",
+			detail: `${formatPermissionDetail(params.configPath, configPerms)}; config can contain tokens and private settings.`,
+			remediation: formatPermissionRemediation({
+				targetPath: params.configPath,
+				perms: configPerms,
+				isDir: false,
+				posixMode: 384,
+				env: params.env
+			})
+		});
+		else if (configPerms.groupReadable) findings.push({
+			checkId: "fs.config.perms_group_readable",
+			severity: "warn",
+			title: "Config file is group-readable",
+			detail: `${formatPermissionDetail(params.configPath, configPerms)}; config can contain tokens and private settings.`,
+			remediation: formatPermissionRemediation({
+				targetPath: params.configPath,
+				perms: configPerms,
+				isDir: false,
+				posixMode: 384,
+				env: params.env
+			})
+		});
+	}
+	return findings;
+}
+function collectGatewayConfigFindings(cfg, env) {
+	const findings = [];
+	const bind = typeof cfg.gateway?.bind === "string" ? cfg.gateway.bind : "loopback";
+	const tailscaleMode = cfg.gateway?.tailscale?.mode ?? "off";
+	const auth = resolveGatewayAuth({
+		authConfig: cfg.gateway?.auth,
+		tailscaleMode,
+		env
+	});
+	const controlUiEnabled = cfg.gateway?.controlUi?.enabled !== false;
+	const trustedProxies = Array.isArray(cfg.gateway?.trustedProxies) ? cfg.gateway.trustedProxies : [];
+	const hasToken = typeof auth.token === "string" && auth.token.trim().length > 0;
+	const hasPassword = typeof auth.password === "string" && auth.password.trim().length > 0;
+	const hasSharedSecret = auth.mode === "token" && hasToken || auth.mode === "password" && hasPassword;
+	const hasTailscaleAuth = auth.allowTailscale && tailscaleMode === "serve";
+	const hasGatewayAuth = hasSharedSecret || hasTailscaleAuth;
+	if (bind !== "loopback" && !hasSharedSecret) findings.push({
+		checkId: "gateway.bind_no_auth",
+		severity: "critical",
+		title: "Gateway binds beyond loopback without auth",
+		detail: `gateway.bind="${bind}" but no gateway.auth token/password is configured.`,
+		remediation: `Set gateway.auth (token recommended) or bind to loopback.`
+	});
+	if (bind === "loopback" && controlUiEnabled && trustedProxies.length === 0) findings.push({
+		checkId: "gateway.trusted_proxies_missing",
+		severity: "warn",
+		title: "Reverse proxy headers are not trusted",
+		detail: "gateway.bind is loopback and gateway.trustedProxies is empty. If you expose the Control UI through a reverse proxy, configure trusted proxies so local-client checks cannot be spoofed.",
+		remediation: "Set gateway.trustedProxies to your proxy IPs or keep the Control UI local-only."
+	});
+	if (bind === "loopback" && controlUiEnabled && !hasGatewayAuth) findings.push({
+		checkId: "gateway.loopback_no_auth",
+		severity: "critical",
+		title: "Gateway auth missing on loopback",
+		detail: "gateway.bind is loopback but no gateway auth secret is configured. If the Control UI is exposed through a reverse proxy, unauthenticated access is possible.",
+		remediation: "Set gateway.auth (token recommended) or keep the Control UI local-only."
+	});
+	if (tailscaleMode === "funnel") findings.push({
+		checkId: "gateway.tailscale_funnel",
+		severity: "critical",
+		title: "Tailscale Funnel exposure enabled",
+		detail: `gateway.tailscale.mode="funnel" exposes the Gateway publicly; keep auth strict and treat it as internet-facing.`,
+		remediation: `Prefer tailscale.mode="serve" (tailnet-only) or set tailscale.mode="off".`
+	});
+	else if (tailscaleMode === "serve") findings.push({
+		checkId: "gateway.tailscale_serve",
+		severity: "info",
+		title: "Tailscale Serve exposure enabled",
+		detail: `gateway.tailscale.mode="serve" exposes the Gateway to your tailnet (loopback behind Tailscale).`
+	});
+	if (cfg.gateway?.controlUi?.allowInsecureAuth === true) findings.push({
+		checkId: "gateway.control_ui.insecure_auth",
+		severity: "critical",
+		title: "Control UI allows insecure HTTP auth",
+		detail: "gateway.controlUi.allowInsecureAuth=true allows token-only auth over HTTP and skips device identity.",
+		remediation: "Disable it or switch to HTTPS (Tailscale Serve) or localhost."
+	});
+	if (cfg.gateway?.controlUi?.dangerouslyDisableDeviceAuth === true) findings.push({
+		checkId: "gateway.control_ui.device_auth_disabled",
+		severity: "critical",
+		title: "DANGEROUS: Control UI device auth disabled",
+		detail: "gateway.controlUi.dangerouslyDisableDeviceAuth=true disables device identity checks for the Control UI.",
+		remediation: "Disable it unless you are in a short-lived break-glass scenario."
+	});
+	const token = typeof auth.token === "string" && auth.token.trim().length > 0 ? auth.token.trim() : null;
+	if (auth.mode === "token" && token && token.length < 24) findings.push({
+		checkId: "gateway.token_too_short",
+		severity: "warn",
+		title: "Gateway token looks short",
+		detail: `gateway auth token is ${token.length} chars; prefer a long random token.`
+	});
+	return findings;
+}
+function collectBrowserControlFindings(cfg) {
+	const findings = [];
+	let resolved;
+	try {
+		resolved = resolveBrowserConfig(cfg.browser, cfg);
+	} catch (err) {
+		findings.push({
+			checkId: "browser.control_invalid_config",
+			severity: "warn",
+			title: "Browser control config looks invalid",
+			detail: String(err),
+			remediation: `Fix browser.cdpUrl in ${resolveConfigPath()} and re-run "${formatCliCommand("openclaw security audit --deep")}".`
+		});
+		return findings;
+	}
+	if (!resolved.enabled) return findings;
+	for (const name of Object.keys(resolved.profiles)) {
+		const profile = resolveProfile(resolved, name);
+		if (!profile || profile.cdpIsLoopback) continue;
+		let url;
+		try {
+			url = new URL(profile.cdpUrl);
+		} catch {
+			continue;
+		}
+		if (url.protocol === "http:") findings.push({
+			checkId: "browser.remote_cdp_http",
+			severity: "warn",
+			title: "Remote CDP uses HTTP",
+			detail: `browser profile "${name}" uses http CDP (${profile.cdpUrl}); this is OK only if it's tailnet-only or behind an encrypted tunnel.`,
+			remediation: `Prefer HTTPS/TLS or a tailnet-only endpoint for remote CDP.`
+		});
+	}
+	return findings;
+}
+function collectLoggingFindings(cfg) {
+	if (cfg.logging?.redactSensitive !== "off") return [];
+	return [{
+		checkId: "logging.redact_off",
+		severity: "warn",
+		title: "Tool summary redaction is disabled",
+		detail: `logging.redactSensitive="off" can leak secrets into logs and status output.`,
+		remediation: `Set logging.redactSensitive="tools".`
+	}];
+}
+function collectElevatedFindings(cfg) {
+	const findings = [];
+	const enabled = cfg.tools?.elevated?.enabled;
+	const allowFrom = cfg.tools?.elevated?.allowFrom ?? {};
+	const anyAllowFromKeys = Object.keys(allowFrom).length > 0;
+	if (enabled === false) return findings;
+	if (!anyAllowFromKeys) return findings;
+	for (const [provider, list] of Object.entries(allowFrom)) {
+		const normalized = normalizeAllowFromList(list);
+		if (normalized.includes("*")) findings.push({
+			checkId: `tools.elevated.allowFrom.${provider}.wildcard`,
+			severity: "critical",
+			title: "Elevated exec allowlist contains wildcard",
+			detail: `tools.elevated.allowFrom.${provider} includes "*" which effectively approves everyone on that channel for elevated mode.`
+		});
+		else if (normalized.length > 25) findings.push({
+			checkId: `tools.elevated.allowFrom.${provider}.large`,
+			severity: "warn",
+			title: "Elevated exec allowlist is large",
+			detail: `tools.elevated.allowFrom.${provider} has ${normalized.length} entries; consider tightening elevated access.`
+		});
+	}
+	return findings;
+}
+async function collectChannelSecurityFindings(params) {
+	const findings = [];
+	const coerceNativeSetting = (value) => {
+		if (value === true) return true;
+		if (value === false) return false;
+		if (value === "auto") return "auto";
+	};
+	const warnDmPolicy = async (input) => {
+		const policyPath = input.policyPath ?? `${input.allowFromPath}policy`;
+		const configAllowFrom = normalizeAllowFromList(input.allowFrom);
+		const hasWildcard = configAllowFrom.includes("*");
+		const dmScope = params.cfg.session?.dmScope ?? "main";
+		const storeAllowFrom = await readChannelAllowFromStore(input.provider).catch(() => []);
+		const normalizeEntry = input.normalizeEntry ?? ((value) => value);
+		const normalizedCfg = configAllowFrom.filter((value) => value !== "*").map((value) => normalizeEntry(value)).map((value) => value.trim()).filter(Boolean);
+		const normalizedStore = storeAllowFrom.map((value) => normalizeEntry(value)).map((value) => value.trim()).filter(Boolean);
+		const allowCount = Array.from(new Set([...normalizedCfg, ...normalizedStore])).length;
+		const isMultiUserDm = hasWildcard || allowCount > 1;
+		if (input.dmPolicy === "open") {
+			const allowFromKey = `${input.allowFromPath}allowFrom`;
+			findings.push({
+				checkId: `channels.${input.provider}.dm.open`,
+				severity: "critical",
+				title: `${input.label} DMs are open`,
+				detail: `${policyPath}="open" allows anyone to DM the bot.`,
+				remediation: `Use pairing/allowlist; if you really need open DMs, ensure ${allowFromKey} includes "*".`
+			});
+			if (!hasWildcard) findings.push({
+				checkId: `channels.${input.provider}.dm.open_invalid`,
+				severity: "warn",
+				title: `${input.label} DM config looks inconsistent`,
+				detail: `"open" requires ${allowFromKey} to include "*".`
+			});
+		}
+		if (input.dmPolicy === "disabled") {
+			findings.push({
+				checkId: `channels.${input.provider}.dm.disabled`,
+				severity: "info",
+				title: `${input.label} DMs are disabled`,
+				detail: `${policyPath}="disabled" ignores inbound DMs.`
+			});
+			return;
+		}
+		if (dmScope === "main" && isMultiUserDm) findings.push({
+			checkId: `channels.${input.provider}.dm.scope_main_multiuser`,
+			severity: "warn",
+			title: `${input.label} DMs share the main session`,
+			detail: "Multiple DM senders currently share the main session, which can leak context across users.",
+			remediation: "Set session.dmScope=\"per-channel-peer\" (or \"per-account-channel-peer\" for multi-account channels) to isolate DM sessions per sender."
+		});
+	};
+	for (const plugin of params.plugins) {
+		if (!plugin.security) continue;
+		const accountIds = plugin.config.listAccountIds(params.cfg);
+		const defaultAccountId = resolveChannelDefaultAccountId({
+			plugin,
+			cfg: params.cfg,
+			accountIds
+		});
+		const account = plugin.config.resolveAccount(params.cfg, defaultAccountId);
+		if (!(plugin.config.isEnabled ? plugin.config.isEnabled(account, params.cfg) : true)) continue;
+		if (!(plugin.config.isConfigured ? await plugin.config.isConfigured(account, params.cfg) : true)) continue;
+		if (plugin.id === "discord") {
+			const discordCfg = account?.config ?? {};
+			const nativeEnabled = resolveNativeCommandsEnabled({
+				providerId: "discord",
+				providerSetting: coerceNativeSetting(discordCfg.commands?.native),
+				globalSetting: params.cfg.commands?.native
+			});
+			const nativeSkillsEnabled = resolveNativeSkillsEnabled({
+				providerId: "discord",
+				providerSetting: coerceNativeSetting(discordCfg.commands?.nativeSkills),
+				globalSetting: params.cfg.commands?.nativeSkills
+			});
+			if (nativeEnabled || nativeSkillsEnabled) {
+				const defaultGroupPolicy = params.cfg.channels?.defaults?.groupPolicy;
+				const groupPolicy = discordCfg.groupPolicy ?? defaultGroupPolicy ?? "allowlist";
+				const guildEntries = discordCfg.guilds ?? {};
+				const guildsConfigured = Object.keys(guildEntries).length > 0;
+				const hasAnyUserAllowlist = Object.values(guildEntries).some((guild) => {
+					if (!guild || typeof guild !== "object") return false;
+					const g = guild;
+					if (Array.isArray(g.users) && g.users.length > 0) return true;
+					const channels = g.channels;
+					if (!channels || typeof channels !== "object") return false;
+					return Object.values(channels).some((channel) => {
+						if (!channel || typeof channel !== "object") return false;
+						const c = channel;
+						return Array.isArray(c.users) && c.users.length > 0;
+					});
+				});
+				const dmAllowFromRaw = discordCfg.dm?.allowFrom;
+				const dmAllowFrom = Array.isArray(dmAllowFromRaw) ? dmAllowFromRaw : [];
+				const storeAllowFrom = await readChannelAllowFromStore("discord").catch(() => []);
+				const ownerAllowFromConfigured = normalizeAllowFromList([...dmAllowFrom, ...storeAllowFrom]).length > 0;
+				const useAccessGroups = params.cfg.commands?.useAccessGroups !== false;
+				if (!useAccessGroups && groupPolicy !== "disabled" && guildsConfigured && !hasAnyUserAllowlist) findings.push({
+					checkId: "channels.discord.commands.native.unrestricted",
+					severity: "critical",
+					title: "Discord slash commands are unrestricted",
+					detail: "commands.useAccessGroups=false disables sender allowlists for Discord slash commands unless a per-guild/channel users allowlist is configured; with no users allowlist, any user in allowed guild channels can invoke /… commands.",
+					remediation: "Set commands.useAccessGroups=true (recommended), or configure channels.discord.guilds.<id>.users (or channels.discord.guilds.<id>.channels.<channel>.users)."
+				});
+				else if (useAccessGroups && groupPolicy !== "disabled" && guildsConfigured && !ownerAllowFromConfigured && !hasAnyUserAllowlist) findings.push({
+					checkId: "channels.discord.commands.native.no_allowlists",
+					severity: "warn",
+					title: "Discord slash commands have no allowlists",
+					detail: "Discord slash commands are enabled, but neither an owner allowFrom list nor any per-guild/channel users allowlist is configured; /… commands will be rejected for everyone.",
+					remediation: "Add your user id to channels.discord.dm.allowFrom (or approve yourself via pairing), or configure channels.discord.guilds.<id>.users."
+				});
+			}
+		}
+		if (plugin.id === "slack") {
+			const slackCfg = account?.config ?? {};
+			const nativeEnabled = resolveNativeCommandsEnabled({
+				providerId: "slack",
+				providerSetting: coerceNativeSetting(slackCfg.commands?.native),
+				globalSetting: params.cfg.commands?.native
+			});
+			const nativeSkillsEnabled = resolveNativeSkillsEnabled({
+				providerId: "slack",
+				providerSetting: coerceNativeSetting(slackCfg.commands?.nativeSkills),
+				globalSetting: params.cfg.commands?.nativeSkills
+			});
+			if (nativeEnabled || nativeSkillsEnabled || slackCfg.slashCommand?.enabled === true) if (!(params.cfg.commands?.useAccessGroups !== false)) findings.push({
+				checkId: "channels.slack.commands.slash.useAccessGroups_off",
+				severity: "critical",
+				title: "Slack slash commands bypass access groups",
+				detail: "Slack slash/native commands are enabled while commands.useAccessGroups=false; this can allow unrestricted /… command execution from channels/users you didn't explicitly authorize.",
+				remediation: "Set commands.useAccessGroups=true (recommended)."
+			});
+			else {
+				const dmAllowFromRaw = account?.dm?.allowFrom;
+				const dmAllowFrom = Array.isArray(dmAllowFromRaw) ? dmAllowFromRaw : [];
+				const storeAllowFrom = await readChannelAllowFromStore("slack").catch(() => []);
+				const ownerAllowFromConfigured = normalizeAllowFromList([...dmAllowFrom, ...storeAllowFrom]).length > 0;
+				const channels = slackCfg.channels ?? {};
+				const hasAnyChannelUsersAllowlist = Object.values(channels).some((value) => {
+					if (!value || typeof value !== "object") return false;
+					const channel = value;
+					return Array.isArray(channel.users) && channel.users.length > 0;
+				});
+				if (!ownerAllowFromConfigured && !hasAnyChannelUsersAllowlist) findings.push({
+					checkId: "channels.slack.commands.slash.no_allowlists",
+					severity: "warn",
+					title: "Slack slash commands have no allowlists",
+					detail: "Slack slash/native commands are enabled, but neither an owner allowFrom list nor any channels.<id>.users allowlist is configured; /… commands will be rejected for everyone.",
+					remediation: "Approve yourself via pairing (recommended), or set channels.slack.dm.allowFrom and/or channels.slack.channels.<id>.users."
+				});
+			}
+		}
+		const dmPolicy = plugin.security.resolveDmPolicy?.({
+			cfg: params.cfg,
+			accountId: defaultAccountId,
+			account
+		});
+		if (dmPolicy) await warnDmPolicy({
+			label: plugin.meta.label ?? plugin.id,
+			provider: plugin.id,
+			dmPolicy: dmPolicy.policy,
+			allowFrom: dmPolicy.allowFrom,
+			policyPath: dmPolicy.policyPath,
+			allowFromPath: dmPolicy.allowFromPath,
+			normalizeEntry: dmPolicy.normalizeEntry
+		});
+		if (plugin.security.collectWarnings) {
+			const warnings = await plugin.security.collectWarnings({
+				cfg: params.cfg,
+				accountId: defaultAccountId,
+				account
+			});
+			for (const message of warnings ?? []) {
+				const trimmed = String(message).trim();
+				if (!trimmed) continue;
+				findings.push({
+					checkId: `channels.${plugin.id}.warning.${findings.length + 1}`,
+					severity: classifyChannelWarningSeverity(trimmed),
+					title: `${plugin.meta.label ?? plugin.id} security warning`,
+					detail: trimmed.replace(/^-\s*/, "")
+				});
+			}
+		}
+		if (plugin.id === "telegram") {
+			if (!(params.cfg.commands?.text !== false)) continue;
+			const telegramCfg = account?.config ?? {};
+			const defaultGroupPolicy = params.cfg.channels?.defaults?.groupPolicy;
+			const groupPolicy = telegramCfg.groupPolicy ?? defaultGroupPolicy ?? "allowlist";
+			const groups = telegramCfg.groups;
+			const groupsConfigured = Boolean(groups) && Object.keys(groups ?? {}).length > 0;
+			if (!(groupPolicy === "open" || groupPolicy === "allowlist" && groupsConfigured)) continue;
+			const storeAllowFrom = await readChannelAllowFromStore("telegram").catch(() => []);
+			const storeHasWildcard = storeAllowFrom.some((v) => String(v).trim() === "*");
+			const groupAllowFrom = Array.isArray(telegramCfg.groupAllowFrom) ? telegramCfg.groupAllowFrom : [];
+			const groupAllowFromHasWildcard = groupAllowFrom.some((v) => String(v).trim() === "*");
+			const anyGroupOverride = Boolean(groups && Object.values(groups).some((value) => {
+				if (!value || typeof value !== "object") return false;
+				const group = value;
+				if ((Array.isArray(group.allowFrom) ? group.allowFrom : []).length > 0) return true;
+				const topics = group.topics;
+				if (!topics || typeof topics !== "object") return false;
+				return Object.values(topics).some((topicValue) => {
+					if (!topicValue || typeof topicValue !== "object") return false;
+					const topic = topicValue;
+					return (Array.isArray(topic.allowFrom) ? topic.allowFrom : []).length > 0;
+				});
+			}));
+			const hasAnySenderAllowlist = storeAllowFrom.length > 0 || groupAllowFrom.length > 0 || anyGroupOverride;
+			if (storeHasWildcard || groupAllowFromHasWildcard) {
+				findings.push({
+					checkId: "channels.telegram.groups.allowFrom.wildcard",
+					severity: "critical",
+					title: "Telegram group allowlist contains wildcard",
+					detail: "Telegram group sender allowlist contains \"*\", which allows any group member to run /… commands and control directives.",
+					remediation: "Remove \"*\" from channels.telegram.groupAllowFrom and pairing store; prefer explicit user ids/usernames."
+				});
+				continue;
+			}
+			if (!hasAnySenderAllowlist) {
+				const providerSetting = telegramCfg.commands?.nativeSkills;
+				const skillsEnabled = resolveNativeSkillsEnabled({
+					providerId: "telegram",
+					providerSetting,
+					globalSetting: params.cfg.commands?.nativeSkills
+				});
+				findings.push({
+					checkId: "channels.telegram.groups.allowFrom.missing",
+					severity: "critical",
+					title: "Telegram group commands have no sender allowlist",
+					detail: `Telegram group access is enabled but no sender allowlist is configured; this allows any group member to invoke /… commands` + (skillsEnabled ? " (including skill commands)." : "."),
+					remediation: "Approve yourself via pairing (recommended), or set channels.telegram.groupAllowFrom (or per-group groups.<id>.allowFrom)."
+				});
+			}
+		}
+	}
+	return findings;
+}
+async function maybeProbeGateway(params) {
+	const url = buildGatewayConnectionDetails({ config: params.cfg }).url;
+	const isRemoteMode = params.cfg.gateway?.mode === "remote";
+	const remoteUrlRaw = typeof params.cfg.gateway?.remote?.url === "string" ? params.cfg.gateway.remote.url.trim() : "";
+	const remoteUrlMissing = isRemoteMode && !remoteUrlRaw;
+	const resolveAuth = (mode) => {
+		const authToken = params.cfg.gateway?.auth?.token;
+		const authPassword = params.cfg.gateway?.auth?.password;
+		const remote = params.cfg.gateway?.remote;
+		return {
+			token: mode === "remote" ? typeof remote?.token === "string" && remote.token.trim() ? remote.token.trim() : void 0 : process.env.OPENCLAW_GATEWAY_TOKEN?.trim() || (typeof authToken === "string" && authToken.trim() ? authToken.trim() : void 0),
+			password: process.env.OPENCLAW_GATEWAY_PASSWORD?.trim() || (mode === "remote" ? typeof remote?.password === "string" && remote.password.trim() ? remote.password.trim() : void 0 : typeof authPassword === "string" && authPassword.trim() ? authPassword.trim() : void 0)
+		};
+	};
+	const auth = !isRemoteMode || remoteUrlMissing ? resolveAuth("local") : resolveAuth("remote");
+	const res = await params.probe({
+		url,
+		auth,
+		timeoutMs: params.timeoutMs
+	}).catch((err) => ({
+		ok: false,
+		url,
+		connectLatencyMs: null,
+		error: String(err),
+		close: null,
+		health: null,
+		status: null,
+		presence: null,
+		configSnapshot: null
+	}));
+	return { gateway: {
+		attempted: true,
+		url,
+		ok: res.ok,
+		error: res.ok ? null : res.error,
+		close: res.close ? {
+			code: res.close.code,
+			reason: res.close.reason
+		} : null
+	} };
+}
+async function runSecurityAudit(opts) {
+	const findings = [];
+	const cfg = opts.config;
+	const env = opts.env ?? process.env;
+	const platform = opts.platform ?? process.platform;
+	const execIcacls = opts.execIcacls;
+	const stateDir = opts.stateDir ?? resolveStateDir(env);
+	const configPath = opts.configPath ?? resolveConfigPath(env, stateDir);
+	findings.push(...collectAttackSurfaceSummaryFindings(cfg));
+	findings.push(...collectSyncedFolderFindings({
+		stateDir,
+		configPath
+	}));
+	findings.push(...collectGatewayConfigFindings(cfg, env));
+	findings.push(...collectBrowserControlFindings(cfg));
+	findings.push(...collectLoggingFindings(cfg));
+	findings.push(...collectElevatedFindings(cfg));
+	findings.push(...collectHooksHardeningFindings(cfg));
+	findings.push(...collectSecretsInConfigFindings(cfg));
+	findings.push(...collectModelHygieneFindings(cfg));
+	findings.push(...collectSmallModelRiskFindings({
+		cfg,
+		env
+	}));
+	findings.push(...collectExposureMatrixFindings(cfg));
+	const configSnapshot = opts.includeFilesystem !== false ? await readConfigSnapshotForAudit({
+		env,
+		configPath
+	}).catch(() => null) : null;
+	if (opts.includeFilesystem !== false) {
+		findings.push(...await collectFilesystemFindings({
+			stateDir,
+			configPath,
+			env,
+			platform,
+			execIcacls
+		}));
+		if (configSnapshot) findings.push(...await collectIncludeFilePermFindings({
+			configSnapshot,
+			env,
+			platform,
+			execIcacls
+		}));
+		findings.push(...await collectStateDeepFilesystemFindings({
+			cfg,
+			env,
+			stateDir,
+			platform,
+			execIcacls
+		}));
+		findings.push(...await collectPluginsTrustFindings({
+			cfg,
+			stateDir
+		}));
+	}
+	if (opts.includeChannelSecurity !== false) {
+		const plugins = opts.plugins ?? listChannelPlugins();
+		findings.push(...await collectChannelSecurityFindings({
+			cfg,
+			plugins
+		}));
+	}
+	const deep = opts.deep === true ? await maybeProbeGateway({
+		cfg,
+		timeoutMs: Math.max(250, opts.deepTimeoutMs ?? 5e3),
+		probe: opts.probeGatewayFn ?? probeGateway
+	}) : void 0;
+	if (deep?.gateway?.attempted && !deep.gateway.ok) findings.push({
+		checkId: "gateway.probe_failed",
+		severity: "warn",
+		title: "Gateway probe failed (deep)",
+		detail: deep.gateway.error ?? "gateway unreachable",
+		remediation: `Run "${formatCliCommand("openclaw status --all")}" to debug connectivity/auth, then re-run "${formatCliCommand("openclaw security audit --deep")}".`
+	});
+	const summary = countBySeverity(findings);
+	return {
+		ts: Date.now(),
+		summary,
+		findings,
+		deep
+	};
+}
+//#endregion
+export { probeGateway as i, createIcaclsResetCommand as n, formatIcaclsResetCommand as r, runSecurityAudit as t };