npm - @totalreclaw/totalreclaw - Versions diffs - 3.3.1-rc.2 → 3.3.1-rc.4 - Mend

@totalreclaw/totalreclaw 3.3.1-rc.2 → 3.3.1-rc.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -4,6 +4,58 @@ All notable changes to `@totalreclaw/totalreclaw` (the OpenClaw plugin) are docu
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [3.3.1-rc.4] — 2026-04-22
+Phrase-safety hardening: `totalreclaw_onboard` agent tool removed. Paired with Hermes Python `2.3.1rc4` (which ports the QR-pair flow to Python so Hermes users gain a phrase-safe agent setup path too).
+### Removed (phrase-safety enforcement — BREAKING for agent tool callers)
+- **`totalreclaw_onboard` agent tool — REMOVED.** rc.3 shipped a `totalreclaw_onboard` tool that generated a fresh BIP-39 mnemonic in-process, wrote it to `credentials.json`, and returned `{scope_address, credentials_path}`. `emitPhrase: false` kept the mnemonic out of the tool's return payload, but NOTHING ARCHITECTURALLY PREVENTED leakage — a future patch could regress the flag, a different code path could echo the mnemonic in a log/error, or the mere existence of the tool signalled to agents that phrase generation inside chat is fine (it isn't). Per `project_phrase_safety_rule.md`: "recovery phrase MUST NEVER cross the LLM context in ANY form." rc.4 removes the registration. The underlying `runNonInteractiveOnboard` code path stays reachable via the CLI `openclaw totalreclaw onboard` — that path runs in the user's own terminal, OUTSIDE any agent shell, so phrase stdout never feeds back into LLM context.
+### Changed
+- **`SKILL.md` — setup section rewritten.** `totalreclaw_pair` is now the canonical setup surface for all users (local or remote). The CLI wizard (`openclaw totalreclaw onboard`) is explicitly documented as user-terminal-only — agents MUST NOT invoke it via their shell tool. Tool surface table updated: `totalreclaw_onboard` removed, `totalreclaw_pair` promoted to canonical. `totalreclaw_onboarding_start` remains as a pointer-only tool for users who explicitly prefer local-terminal setup.
+- **`index.ts` — `totalreclaw_pair` tool description updated.** Removed backref to `totalreclaw_onboard`; now instructs agents to always prefer pair, with `totalreclaw_onboarding_start` as the fallback pointer for local-terminal-only users.
+- **`docs/guides/openclaw-setup.md` — QR pairing is now documented as the default setup flow.** CLI wizard moved to a user-terminal-only subsection with a prominent "do NOT run this through an agent shell" warning.
+### Tests
+- **`phrase-safety-registry.test.ts`** — new. Text-scans `index.ts` for `api.registerTool({ name: '...' })` literals and asserts: (a) `totalreclaw_onboard` is NOT in the list; (b) `totalreclaw_pair` IS in the list; (c) no name contains phrase-adjacent tokens (`onboard_generate`, `generate_phrase`, `generate_mnemonic`, `restore_phrase`, `restore_mnemonic`, `mnemonic`). Runs as part of `npm test`.
+## [3.3.1-rc.3] — 2026-04-22
+Patch RC bundling two stability fixes, one new RC-gated tool, two SKILL.md addendums, and a configurable LLM retry budget. All prior rc.1 + rc.2 fixes are preserved.
+### Changed
+- **`llm-client.ts` — configurable `ZAI_BASE_URL` + auto-fallback on "Insufficient balance" 429.** rc.2 QA surfaced that GLM Coding Plan keys hitting the STANDARD zai endpoint (and PAYG keys hitting CODING) return HTTP 429 with body `"Insufficient balance or no resource package. Please recharge."` — misleading because the key itself is valid. rc.3: (a) accepts `ZAI_BASE_URL` env override via `config.ts` / `getZaiBaseUrl()`; (b) auto-detects the error signature and flips CODING ↔ STANDARD once per call (logged at INFO). SKILL.md now documents "GLM Coding Plan → leave unset; PAYG → set `ZAI_BASE_URL=https://api.z.ai/api/paas/v4`."
+- **`llm-client.ts` — retry budget 7s → ~62s (configurable).** rc.1/rc.2 QA: 5–9 of 10 extraction windows returned 0 facts against multi-minute upstream 429 storms. The 3-attempt 1s/2s/4s backoff couldn't outlast a 9-minute outage. rc.3: 5 attempts, 2s/4s/8s/16s/32s backoff, total ~62s. Configurable via `TOTALRECLAW_LLM_RETRY_BUDGET_MS` env (default 60_000). First retry logs at INFO, rest at DEBUG (debounced — no spam during long outages). On exhaustion throws `LLMUpstreamOutageError` (structured, `attempts` + `lastStatus`) so extraction callers can recognise vs bail silently. Non-retryable errors (401/403/404/parse) still propagate as plain `Error`.
+- **`subgraph-store.ts` — per-account submission mutex.** rc.2 logged 16 AA25 `invalid account nonce` events from concurrent `submitFactBatchOnChain` / `submitFactOnChain` calls racing at the `eth_call getNonce(sender, 0)` step. rc.3 wraps both submission entry points in a per-`sender` `Map<scopeAddress, Promise>` chain so only one UserOp is in flight per Smart Account at a time. The existing AA25-retry-with-fresh-nonce path is unchanged and still catches relay-side zombie UserOps.
+### Added
+- **`totalreclaw_report_qa_bug`** (RC-gated tool) — lets agents file structured QA-bug issues to `p-diogo/totalreclaw-internal` without the maintainer opening a fresh issue per RC finding. Only registered when the plugin version matches the `-rc.` token (via `readPluginVersion` in `fs-helpers.ts` + `isRcBuild` in the new `qa-bug-report.ts`). Handler POSTs to `https://api.github.com/repos/.../issues` with `Authorization: Bearer <token>` where `token = CONFIG.qaGithubToken` (reads `TOTALRECLAW_QA_GITHUB_TOKEN` or `GITHUB_TOKEN`). Secrets (BIP-39 phrases, `sk-*`, `AIzaSy*`, Telegram bot tokens, bearer tokens, 64+ char hex blobs, 0x-private-keys, `token=`/`secret=` qualifiers) are redacted fail-close in `redactSecrets()` before POST. Stable builds never expose this tool. See SKILL.md "Filing QA bugs (RC builds only)" for trigger rules — always ask user before filing, never the same bug twice.
+- **`skill/plugin/qa-bug-report.ts`** — new pure-logic + HTTP module. Exports `isRcBuild`, `redactSecrets`, `validateQaBugArgs`, `buildIssueBody`, `postQaBugIssue`. Unit-tested in `qa-bug-report.test.ts`.
+- **`skill/plugin/nonce-serialization.test.ts`** — exercises the per-`sender` mutex primitive: same-sender serializes, different-sender runs in parallel, case-insensitive keying, first-call failure releases the lock for the next.
+- **`fs-helpers.ts` — `readPluginVersion(packageJsonDir)`** — scanner-safe helper used by the RC gate. Resolves via `path.dirname(fileURLToPath(import.meta.url))` in `index.ts` and returns the `version` field from `package.json` next to the module.
+### SKILL.md
+- **First-person recall rule.** rc.2 debug found agents skipped `totalreclaw_recall` in 5/5 attempts on "Where do I live?". SKILL.md now hard-rules it: any first-person factual query ("where do I live/work", "what do I prefer", "my [noun]", etc.) MUST call recall first. If recall returns 0, say "I don't have anything about that yet" rather than invent.
+- **QA bug triggers.** New "Filing QA bugs (RC builds only)" section with the four triggers (repeated tool failure, user friction signals, setup errors, docs-vs-reality mismatch). Offer to file, never auto-file, never same bug twice.
+- **zai endpoint + retry budget** documented in a new "zai provider configuration" section.
+### Tests
+- `llm-client-retry.test.ts` extended from 29 → 59 assertions. Covers: balance-error detection, CODING↔STANDARD fallback URL helper, `ZAI_BASE_URL` env override, full fallback happy/sad paths, `LLMUpstreamOutageError` surfacing, budget short-circuit.
+- `qa-bug-report.test.ts` — 57 assertions covering isRcBuild, redactSecrets (BIP-39 / sk- / AIza / Telegram / Bearer / hex / private-key / preservation of UUIDs+SHAs+addresses), validateQaBugArgs, buildIssueBody, postQaBugIssue success + all failure paths.
+- `nonce-serialization.test.ts` — 9 assertions.
+- All existing tests (`llm-client.test.ts`, `manifest-shape.test.ts`, etc.) unchanged and green.
+### Scanner
+- `check-scanner.mjs` still passes (0 flags). The `TOTALRECLAW_QA_GITHUB_TOKEN` + `ZAI_BASE_URL` + `TOTALRECLAW_LLM_RETRY_BUDGET_MS` env reads live in `config.ts` (the env-harvesting-free house). `llm-client.ts`, `index.ts`, and `qa-bug-report.ts` all stay off `process.env`.
 ## [3.3.1-rc.2] — 2026-04-22
 Follow-up RC for the 3.3.1-rc.1 QA NO-GO

package/SKILL.md CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 name: totalreclaw
 description: "End-to-end encrypted memory for AI agents — portable, yours forever. XChaCha20-Poly1305 E2EE: server never sees plaintext."
-version: 3.3.1-rc.2
+version: 3.3.1-rc.4
 author: TotalReclaw Team
 license: MIT
 homepage: https://totalreclaw.xyz
@@ -30,14 +30,26 @@ You are operating inside a host that has the TotalReclaw memory plugin loaded. T
 Before any memory tool, check `~/.totalreclaw/credentials.json`:
-- **Missing, empty, malformed, or no `mnemonic` key** -> NOT set up. You MUST NOT generate a phrase in chat, and you MUST NOT ask the user to paste one. Route:
-  - Local gateway: call `totalreclaw_onboarding_start` (or `totalreclaw_onboard` if available); both return a pointer to `openclaw totalreclaw onboard`.
-  - Remote gateway (VPS / Docker / no TTY): call `totalreclaw_pair` (v3.3.1+), OR instruct the user to run `openclaw totalreclaw pair generate --json`. Present the returned `{url, pin, qr_ascii}` to the user. The phrase is entered in their browser, never in this conversation.
+- **Missing, empty, malformed, or no `mnemonic` key** -> NOT set up. Follow the "Setting up a user's TotalReclaw recovery phrase" section below. You MUST NOT generate a phrase in chat, and you MUST NOT ask the user to paste one.
 - **Present with a valid `mnemonic`** -> active. Use the tools below.
+## Setting up a user's TotalReclaw recovery phrase
+**Agent path (default, only secure path): call the `totalreclaw_pair` tool.** It returns a URL + 6-digit PIN. Tell the user:
+> "Open <URL> in your browser, enter your phrase (or let the browser generate one), and confirm PIN <PIN>. Your phrase is encrypted in the browser and uploaded end-to-end-encrypted to this gateway — it never crosses this chat."
+Browser-side crypto handles the phrase; this chat never sees it. After the user confirms "pairing complete" in their browser, the credentials are already on disk — no gateway restart needed for OpenClaw because routes are registered on plugin install and the pair HTTP handler writes credentials in-process.
+**NEVER** invoke `openclaw totalreclaw onboard`, `totalreclaw setup`, or any phrase-generating CLI via your shell tool. Those commands are for users to run in their own terminal — not for you. Agent shell stdout is captured into LLM context; running them leaks the phrase.
+**NEVER** ask the user to paste their phrase into chat. If they do, immediately tell them to rotate by generating a new wallet via `totalreclaw_pair` with `mode=generate`; the pasted phrase is compromised.
+**If the user explicitly prefers local-terminal setup** (no browser, no QR URL to open), point them at `totalreclaw_onboarding_start` — which returns a pointer to the CLI wizard they run THEMSELVES. You do not run it.
 ## Core rules
-1. **Phrase safety (NON-NEGOTIABLE).** The recovery phrase is a secret. Never generate one in chat, never echo one back, never log one in reasoning / tool payloads, never pass one to another tool. Direct users to `cat ~/.totalreclaw/credentials.json | jq -r .mnemonic`.
+1. **Phrase safety (NON-NEGOTIABLE, ABSOLUTE).** The recovery phrase is a secret. Never generate one in chat, never echo one back, never log one in reasoning / tool payloads, never pass one to another tool, never invoke a phrase-generating CLI via your shell tool. A leaked phrase = compromised vault, no rotation possible. Governed by `project_phrase_safety_rule.md` (memory file in p-diogo/totalreclaw-internal).
 2. **Use the tools, not inline state.** `totalreclaw_remember` stores; `totalreclaw_recall` retrieves. Don't re-ask the user for past facts; don't paraphrase memories as your own recollection.
 3. **Gateway restart is required after install.** If tools fail right after `openclaw plugins install @totalreclaw/totalreclaw`, tell the user to run `openclaw restart` or `docker restart openclaw-qa`.
@@ -55,6 +67,20 @@ Before any memory tool, check `~/.totalreclaw/credentials.json`:
 - **"Import my Mem0 / ChatGPT / Claude / Gemini history"**: `totalreclaw_import_from` with `dry_run=true` first. Show the estimate, confirm, then run without `dry_run`. For >50 chunks, use `totalreclaw_import_batch` and report progress.
 - **"Upgrade" / "I want Pro"**: `totalreclaw_upgrade` returns a Stripe URL. After upgrade, offer `totalreclaw_migrate` (dry-run first) to move testnet memories to mainnet.
+### First-person queries — ALWAYS call `totalreclaw_recall` first
+Any user message that references THEIR OWN facts triggers a recall call BEFORE you answer. Triggers (non-exhaustive — err on the side of calling recall):
+- "where do I live / work" / "what's my address / city"
+- "what do I prefer / like / hate / use"
+- "do I have / own / know"
+- "when did I / have I ever"
+- "who is my / my [relation/role]"
+- "what was my / my [object/preference]"
+- any question pattern containing "my / I / me" + a fact-shaped noun (address, job, favourite, project, partner, pet, etc.)
+Call `totalreclaw_recall(query=<semantic version of the question>)` FIRST, THEN answer based on returned facts. Do NOT answer from memory or invent; if recall returns 0 results, say "I don't have anything about that yet." rc.2 QA debug found 5/5 failures to call recall on "where do I live?" — the phrasing was enough to make agents skip the tool. This rule is hard: first-person factual queries are a recall trigger, full stop.
 ## Tool surface
 Tools work only when credentials are active AND the gateway has been restarted post-install. If a tool returns "onboarding required", route back to onboarding.
@@ -73,8 +99,8 @@ Tools work only when credentials are active AND the gateway has been restarted p
 | `totalreclaw_migrate` | optional `confirm` (dry-run by default) |
 | `totalreclaw_import_from` / `totalreclaw_import_batch` | `source`, `file_path` or `content`, `dry_run` |
 | `totalreclaw_consolidate` | optional `dry_run` |
-| `totalreclaw_onboarding_start` / `totalreclaw_onboard` | (none) — returns CLI pointer |
-| `totalreclaw_pair` | optional `mode` (`generate` / `import`) — returns `{url, pin, qr_ascii, expires_at_ms}` |
+| `totalreclaw_onboarding_start` | (none) — returns CLI pointer for users who prefer local-terminal setup |
+| `totalreclaw_pair` | optional `mode` (`generate` / `import`) — returns `{url, pin, qr_ascii, expires_at_ms}`. CANONICAL setup surface |
 ## Taxonomy
@@ -89,6 +115,19 @@ Tools work only when credentials are active AND the gateway has been restarted p
 - "No LLM available for auto-extraction" (startup only, v3.3.1+) -> provider key not reachable. Point at `~/.openclaw/agents/<agent>/agent/auth-profiles.json` or the `plugins.entries.totalreclaw.config.extraction.llm` override.
 - Silent extraction failures -> suggest `openclaw totalreclaw status` or check `~/.totalreclaw/billing-cache.json` for rate-limit signals.
+## zai provider configuration (3.3.1-rc.3+)
+zai exposes two endpoints:
+- **Coding plan (subscription)**: `https://api.z.ai/api/coding/paas/v4` — default.
+- **PAYG**: `https://api.z.ai/api/paas/v4` — for pay-as-you-go balances.
+A coding-plan key hitting the PAYG endpoint (or vice-versa) returns `Insufficient balance or no resource package. Please recharge.` rc.3 auto-detects this and flips to the other endpoint on one retry per call, but users can avoid the first-call tax by setting `ZAI_BASE_URL` explicitly:
+- GLM Coding Plan users: leave `ZAI_BASE_URL` unset, or set to `https://api.z.ai/api/coding/paas/v4`.
+- PAYG users: set `ZAI_BASE_URL=https://api.z.ai/api/paas/v4`.
+Retry budget: the extraction LLM retries up to 5 attempts with 2s→4s→8s→16s→32s backoff (total ~62s). Configurable via `TOTALRECLAW_LLM_RETRY_BUDGET_MS` (default 60000).
 ## Minimum viable interaction pattern
 ```
@@ -114,3 +153,21 @@ User: "Set me up for TotalReclaw."
 - Do NOT call `totalreclaw_remember` for transient in-session context.
 - Do NOT paste recovery phrases or API keys into chat.
 - Do NOT run `npx @totalreclaw/mcp-server setup` — deprecated path that corrupts credentials.
+## Filing QA bugs (RC builds only)
+If `totalreclaw_report_qa_bug` tool is available (this means you're in an RC build — stable users never see the tool), OFFER to file a bug when ANY of these triggers fire. Never auto-file; always ask the user once per issue.
+Triggers:
+1. A tool call fails 2+ times in a row with the same error signature.
+2. User expresses friction: "this doesn't work" / "error" / "stuck" / "broken" / "not what I expected" / "wrong version" / explicit "file a bug".
+3. Setup flow hits an error that you can't resolve via the docs.
+4. Docs don't match reality (user guide says X; actual behavior is Y).
+Offer: "This looks worth reporting so the maintainer can fix it. Want me to file a QA bug? I'll capture the symptom + repro."
+On user yes → call `totalreclaw_report_qa_bug` with the redacted details. Required fields: `integration` (plugin/hermes/nanoclaw/mcp/relay/clawhub/docs/other), `rc_version` (exact version string), `severity` (blocker/high/medium/low), `title` (<60 chars), `symptom`, `expected`, `repro`, `logs`, `environment`.
+On user no / ambiguous → proceed without filing.
+Do NOT offer the same bug twice in a session. Do NOT include secrets (recovery phrases, API keys, bot tokens) in any field — the tool redacts automatically, but don't pass raw values anyway. The tool requires `TOTALRECLAW_QA_GITHUB_TOKEN` (or `GITHUB_TOKEN`) to be set on the host; if the tool returns a missing-token error, tell the user the operator needs to export one with `repo` scope.

package/config.ts CHANGED Viewed

@@ -157,6 +157,37 @@ export const CONFIG = {
     cerebras: process.env.CEREBRAS_API_KEY || '',
   } as Record<string, string>,
+  // 3.3.1-rc.3: zai base-URL override. Read via a getter so tests can
+  // mutate `process.env.ZAI_BASE_URL` between calls — the value is NOT
+  // frozen at module load. Default is the coding endpoint; the rc.3
+  // auto-fallback flips to the standard endpoint on an "Insufficient
+  // balance" 429.
+  get zaiBaseUrl(): string {
+    const override = process.env.ZAI_BASE_URL;
+    if (override && override.trim()) return override.trim().replace(/\/+$/, '');
+    return 'https://api.z.ai/api/coding/paas/v4';
+  },
+  // 3.3.1-rc.3: retry budget for chatCompletion. Default 60s covers
+  // multi-minute upstream outages. Read as a plain value (not getter)
+  // so tests that patch env need to reload the module — but the default
+  // suffices for production.
+  llmRetryBudgetMs: (() => {
+    const raw = process.env.TOTALRECLAW_LLM_RETRY_BUDGET_MS;
+    const parsed = raw ? parseInt(raw, 10) : NaN;
+    return Number.isFinite(parsed) && parsed > 0 ? parsed : 60_000;
+  })(),
+  // 3.3.1-rc.3: GitHub personal-access token used by the RC-gated
+  // `totalreclaw_report_qa_bug` tool. `TOTALRECLAW_QA_GITHUB_TOKEN` is
+  // the dedicated variable; `GITHUB_TOKEN` is a fallback for CI-style
+  // setups where the same token is shared across tools. Read via getter
+  // so operators can set the var after the process starts (e.g. via a
+  // dotenv reload) and the next tool call picks it up.
+  get qaGithubToken(): string {
+    return process.env.TOTALRECLAW_QA_GITHUB_TOKEN || process.env.GITHUB_TOKEN || '';
+  },
   // Paths
   home,
   billingCachePath: path.join(home, '.totalreclaw', 'billing-cache.json'),

package/fs-helpers.ts CHANGED Viewed

@@ -107,6 +107,38 @@ export function ensureMemoryHeaderFile(
   }
 }
+// ---------------------------------------------------------------------------
+// Plugin version — 3.3.1-rc.3 helper for RC gating
+// ---------------------------------------------------------------------------
+/**
+ * Read the plugin's own version string from `package.json`.
+ *
+ * Behaviour:
+ *   - Resolves `package.json` next to the caller-provided directory
+ *     (typically `path.dirname(fileURLToPath(import.meta.url))` from the
+ *     caller).
+ *   - Returns the `version` field, or `null` on any I/O / parse error.
+ *
+ * Used by the RC-gated `totalreclaw_report_qa_bug` tool registration in
+ * `index.ts`: if the version contains `-rc.`, register the tool; if not,
+ * skip it entirely so stable users never see it.
+ *
+ * Scanner-safe: pure filesystem. No outbound-request word markers in this
+ * helper — see the file-header guardrail.
+ */
+export function readPluginVersion(packageJsonDir: string): string | null {
+  try {
+    const pkgPath = path.join(packageJsonDir, 'package.json');
+    if (!fs.existsSync(pkgPath)) return null;
+    const raw = fs.readFileSync(pkgPath, 'utf-8');
+    const parsed = JSON.parse(raw) as { version?: string };
+    return typeof parsed.version === 'string' ? parsed.version : null;
+  } catch {
+    return null;
+  }
+}
 // ---------------------------------------------------------------------------
 // credentials.json load / write / delete
 // ---------------------------------------------------------------------------

package/index.ts CHANGED Viewed

@@ -150,8 +150,10 @@ import {
   deleteFileIfExists,
   resolveOnboardingState,
   writeOnboardingState,
+  readPluginVersion,
   type OnboardingState,
 } from './fs-helpers.js';
+import { isRcBuild } from './qa-bug-report.js';
 import { decideToolGate, isGatedToolName } from './tool-gating.js';
 import { detectFirstRun, buildWelcomePrepend, type GatewayMode } from './first-run.js';
 import { buildPairRoutes } from './pair-http.js';
@@ -2794,6 +2796,31 @@ const plugin = {
   },
   register(api: OpenClawPluginApi) {
+    // ---------------------------------------------------------------
+    // RC-build detection (3.3.1-rc.3)
+    // ---------------------------------------------------------------
+    //
+    // `isRcBuild` reads the plugin's own version string. When true, the
+    // `totalreclaw_report_qa_bug` tool is registered at the end of this
+    // function — stable builds never see it. The version is resolved via
+    // `readPluginVersion` from fs-helpers.ts (scanner-safe, pure-fs).
+    let rcMode = false;
+    try {
+      // `import.meta.url` is ESM-only; fallback to `__dirname` for the CJS
+      // build path. `require` comes from Node core and is available in both
+      // module formats. `fileURLToPath` / `path.dirname` are pure-sync.
+      const url = require('node:url') as typeof import('node:url');
+      const nodePath = require('node:path') as typeof import('node:path');
+      const pluginDir = nodePath.dirname(url.fileURLToPath(import.meta.url));
+      const version = readPluginVersion(pluginDir);
+      rcMode = isRcBuild(version);
+      if (rcMode) {
+        api.logger.info(`TotalReclaw: RC build detected (version=${version}). RC-gated tools will be registered.`);
+      }
+    } catch {
+      rcMode = false;
+    }
     // ---------------------------------------------------------------
     // LLM client initialization (auto-detect provider from OpenClaw config)
     // ---------------------------------------------------------------
@@ -5022,143 +5049,34 @@ const plugin = {
     );
     // ---------------------------------------------------------------
-    // Tool: totalreclaw_onboard (3.3.1-rc.2 — agent-callable onboard)
+    // Tool: totalreclaw_onboard — REMOVED in 3.3.1-rc.4 (phrase-safety).
     //
-    // Lets the agent drive the non-interactive onboard flow without
-    // shelling out to `openclaw totalreclaw onboard` (subprocess work
-    // is not available inside the plugin runtime and the OpenClaw
-    // security scanner blocks the standard subprocess module).
+    // rc.3 shipped a `totalreclaw_onboard` agent tool that generated a
+    // fresh BIP-39 mnemonic in-process, wrote it to credentials.json,
+    // and returned `{scope_address, credentials_path}` to the agent.
+    // `emitPhrase: false` kept the mnemonic OUT of the tool's return
+    // payload, but NOTHING ARCHITECTURALLY PREVENTED leakage — a future
+    // patch could regress the flag, a different code path could echo
+    // the mnemonic in a log/error message the agent captures, or the
+    // mere existence of the tool implied to agents that "generating a
+    // phrase here is fine" (it isn't).
     //
-    // Security envelope (same as the CLI path):
-    //   - NEVER accepts a recovery phrase through chat (mode=restore
-    //     is rejected here — that still requires the local CLI wizard).
-    //   - The generated phrase is written to ~/.totalreclaw/credentials.json
-    //     (mode 0600) by `runNonInteractiveOnboard`. We explicitly pass
-    //     `emitPhrase: false` so the phrase NEVER appears in the tool
-    //     return value.
-    //   - Returns only: scope_address + credentials_path + ok/error.
+    // Per ``project_phrase_safety_rule.md``
+    // (memory file in p-diogo/totalreclaw-internal — absolute rule:
+    // "recovery phrase MUST NEVER cross the LLM context in ANY form"),
+    // phrase-generating agent tools are forbidden. The ONLY approved
+    // agent-facilitated setup surface is ``totalreclaw_pair`` (browser-
+    // side crypto keeps the phrase out of the LLM round-trip by
+    // construction). The underlying ``runNonInteractiveOnboard`` code
+    // path is still reachable via the CLI ``openclaw totalreclaw onboard``
+    // — that path runs in the user's own terminal, OUTSIDE any agent
+    // shell, so phrase stdout never feeds back into LLM context.
+    //
+    // Audit assertion: ``tool-gating.test.ts`` enforces the removal —
+    // any future re-registration of ``totalreclaw_onboard`` (or any
+    // phrase-generating variant like ``totalreclaw_onboard_generate``,
+    // ``totalreclaw_restore_phrase``) fails CI.
     // ---------------------------------------------------------------
-    api.registerTool(
-      {
-        name: 'totalreclaw_onboard',
-        label: 'Onboard (generate new recovery phrase)',
-        description:
-          'Generate a NEW TotalReclaw recovery phrase on this machine without the user ' +
-          'leaving chat. The phrase is written ONLY to ~/.totalreclaw/credentials.json (mode ' +
-          '0600) and NEVER returned through this tool — the response contains just the derived ' +
-          'Smart Account (scope) address and the credentials path so the user can retrieve ' +
-          'their phrase locally (e.g. `cat ~/.totalreclaw/credentials.json | jq -r .mnemonic`).\n\n' +
-          'Use when a fresh user asks you to set up TotalReclaw or enable memory. Refuses if ' +
-          'onboarding is already active (the user can delete the credentials file to re-onboard, ' +
-          'but we will NOT silently overwrite). For RESTORE (import an existing phrase), tell ' +
-          'the user to run `openclaw totalreclaw onboard --mode restore` in their local ' +
-          'terminal — this tool refuses to accept phrases through chat.',
-        parameters: {
-          type: 'object',
-          properties: {
-            mode: {
-              type: 'string',
-              enum: ['generate'],
-              description:
-                'Only "generate" is supported via this tool (creates a fresh 12-word BIP-39 ' +
-                'phrase). "restore" requires the local CLI wizard because pasting a phrase ' +
-                'through chat ships it to the LLM provider, defeating end-to-end encryption.',
-              default: 'generate',
-            },
-          },
-          additionalProperties: false,
-        },
-        async execute(_toolCallId: string, params: Record<string, unknown>) {
-          const mode = params?.mode;
-          if (mode !== undefined && mode !== 'generate') {
-            return {
-              content: [{
-                type: 'text',
-                text:
-                  'Only mode="generate" is supported through chat. For RESTORE (import an ' +
-                  'existing recovery phrase), ask the user to run `openclaw totalreclaw onboard ' +
-                  '--mode restore` in their local terminal — the phrase is read from stdin and ' +
-                  'never touches the LLM provider or the transcript.',
-              }],
-            };
-          }
-          try {
-            const result: NonInteractiveOnboardResult = await runNonInteractiveOnboard({
-              credentialsPath: CREDENTIALS_PATH,
-              statePath: CONFIG.onboardingStatePath,
-              mode: 'generate',
-              emitPhrase: false, // NEVER include the phrase in agent-visible output.
-              deriveScopeAddress: async (mnemonic: string) => {
-                try {
-                  return await deriveSmartAccountAddress(mnemonic, CONFIG.chainId);
-                } catch (err) {
-                  api.logger.warn(
-                    `totalreclaw_onboard: scope-address derivation failed: ${
-                      err instanceof Error ? err.message : String(err)
-                    }`,
-                  );
-                  return undefined;
-                }
-              },
-            });
-            if (!result.ok) {
-              // already-active, write-failed, etc. Never leaks the phrase.
-              api.logger.info(`totalreclaw_onboard: ok=false error=${result.error}`);
-              return {
-                content: [{
-                  type: 'text',
-                  text:
-                    result.error === 'already-active'
-                      ? 'TotalReclaw is already set up on this machine. Memory tools are unblocked. To re-onboard, delete ~/.totalreclaw/credentials.json first.'
-                      : `Onboard failed: ${result.error_detail ?? result.error}`,
-                }],
-                details: {
-                  ok: false,
-                  error: result.error,
-                  action: result.action,
-                },
-              };
-            }
-            api.logger.info(
-              `totalreclaw_onboard: generated phrase, scope=${result.scope_address?.slice(0, 10) ?? 'unknown'}…, credentials=${result.credentials_path}`,
-            );
-            // Crucially: the mnemonic field is NEVER emitted in details
-            // (emitPhrase=false enforces that on the result object).
-            return {
-              content: [{
-                type: 'text',
-                text:
-                  `TotalReclaw setup complete. A new 12-word recovery phrase was generated and ` +
-                  `saved to ${result.credentials_path} (mode 0600). ` +
-                  (result.scope_address
-                    ? `Your on-chain scope (Smart Account) address is ${result.scope_address}. `
-                    : '') +
-                  `To view your recovery phrase, run on the user's local terminal:\n\n` +
-                  `    cat ${result.credentials_path} | jq -r .mnemonic\n\n` +
-                  `IMPORTANT: the recovery phrase is the ONLY way to recover memories on another ` +
-                  `device. Tell the user to store it safely — a password manager or a paper backup. ` +
-                  `TotalReclaw cannot recover it if lost.`,
-              }],
-              details: {
-                ok: true,
-                action: 'generate',
-                scope_address: result.scope_address,
-                credentials_path: result.credentials_path,
-                // Deliberately NO mnemonic field.
-              },
-            };
-          } catch (err: unknown) {
-            const message = err instanceof Error ? err.message : String(err);
-            api.logger.error(`totalreclaw_onboard failed: ${message}`);
-            return {
-              content: [{ type: 'text', text: `Onboard failed: ${humanizeError(message)}` }],
-              details: { ok: false, error: 'unexpected', error_detail: message },
-            };
-          }
-        },
-      },
-      { name: 'totalreclaw_onboard' },
-    );
     // ---------------------------------------------------------------
     // Tool: totalreclaw_pair (3.3.1-rc.2 — agent-callable pair-generate)
@@ -5179,10 +5097,12 @@ const plugin = {
           '6-digit PIN, and an ASCII QR code that the agent relays to the user. The recovery ' +
           'phrase itself is generated/entered in the BROWSER and uploaded end-to-end encrypted ' +
           'to this gateway — it NEVER touches the LLM provider or the chat transcript.\n\n' +
-          'Use when a user wants to set up TotalReclaw on a machine they don\'t have terminal ' +
-          'access to (a VPS, a friend\'s computer), or when they prefer a phone-mediated flow. ' +
-          'For local-machine setup with a terminal, prefer `totalreclaw_onboard` (generate) or ' +
-          '`totalreclaw_onboarding_start` (pointer to local CLI for restore).',
+          'This is the CANONICAL agent-facilitated setup surface — use it whenever the user ' +
+          'asks you to set up TotalReclaw, regardless of whether they have terminal access. ' +
+          'Browser-side crypto keeps the recovery phrase out of the LLM context entirely. ' +
+          'If a user explicitly prefers local-terminal setup with no browser, point them at ' +
+          '`totalreclaw_onboarding_start` (a pointer to the CLI wizard they run on their own ' +
+          'terminal, NOT through your shell tool).',
         parameters: {
           type: 'object',
           properties: {
@@ -5280,6 +5200,135 @@ const plugin = {
       { name: 'totalreclaw_pair' },
     );
+    // ---------------------------------------------------------------
+    // Tool: totalreclaw_report_qa_bug (3.3.1-rc.3 — RC-gated)
+    //
+    // Lets the agent file a structured QA-bug issue to
+    // `p-diogo/totalreclaw-internal` during RC testing. Only registered
+    // when the plugin version contains `-rc.` — stable users never see it.
+    //
+    // Secrets (recovery phrases, API keys, Telegram bot tokens) are
+    // redacted inside `postQaBugIssue` before the POST. The agent should
+    // still avoid passing raw secrets — see SKILL.md addendum.
+    // ---------------------------------------------------------------
+    if (rcMode) {
+      api.registerTool(
+        {
+          name: 'totalreclaw_report_qa_bug',
+          label: 'File a QA bug issue (RC builds only)',
+          description:
+            'File a structured QA bug report to the internal tracker. RC-only; never available in stable builds. ' +
+            'Do NOT call auto-file — ask the user first before invoking. The tool redacts recovery phrases, API keys, ' +
+            'and Telegram bot tokens from all free-text fields before posting, but the agent SHOULD still avoid ' +
+            'passing raw secrets.',
+          parameters: {
+            type: 'object',
+            properties: {
+              integration: {
+                type: 'string',
+                enum: ['plugin', 'hermes', 'nanoclaw', 'mcp', 'relay', 'clawhub', 'docs', 'other'],
+                description: 'Which TotalReclaw surface is affected.',
+              },
+              rc_version: {
+                type: 'string',
+                description: 'Exact RC version string (e.g. "3.3.1-rc.3" or "2.3.1rc3").',
+              },
+              severity: {
+                type: 'string',
+                enum: ['blocker', 'high', 'medium', 'low'],
+                description: 'blocker=release blocked, high=major UX failure, medium=annoying, low=polish.',
+              },
+              title: {
+                type: 'string',
+                description: 'Short summary, <60 chars. Prefix "[qa-bug]" is added automatically.',
+                maxLength: 60,
+              },
+              symptom: {
+                type: 'string',
+                description: 'What happened (redacted automatically).',
+              },
+              expected: {
+                type: 'string',
+                description: 'What should have happened.',
+              },
+              repro: {
+                type: 'string',
+                description: 'Reproduction steps (redacted automatically).',
+              },
+              logs: {
+                type: 'string',
+                description: 'Log excerpts / error messages (redacted automatically).',
+              },
+              environment: {
+                type: 'string',
+                description: 'Host, Docker/native, OpenClaw version, LLM provider, etc.',
+              },
+            },
+            required: [
+              'integration',
+              'rc_version',
+              'severity',
+              'title',
+              'symptom',
+              'expected',
+              'repro',
+              'logs',
+              'environment',
+            ],
+            additionalProperties: false,
+          },
+          async execute(_toolCallId: string, params: Record<string, unknown>) {
+            try {
+              const { postQaBugIssue } = await import('./qa-bug-report.js');
+              // The token is resolved via CONFIG (config.ts) so index.ts
+              // stays clean of env-harvesting triggers.
+              const token = CONFIG.qaGithubToken;
+              if (!token) {
+                return {
+                  content: [{
+                    type: 'text',
+                    text:
+                      'Cannot file QA bug: no GitHub token found. The operator must export ' +
+                      'TOTALRECLAW_QA_GITHUB_TOKEN (or GITHUB_TOKEN) with `repo` scope to enable ' +
+                      'agent-filed bug reports during RC testing.',
+                  }],
+                  details: { error: 'missing_github_token' },
+                };
+              }
+              const result = await postQaBugIssue(
+                params as unknown as import('./qa-bug-report.js').QaBugArgs,
+                {
+                  githubToken: token,
+                  logger: api.logger,
+                },
+              );
+              return {
+                content: [{
+                  type: 'text',
+                  text: `Filed QA bug #${result.issue_number}: ${result.issue_url}`,
+                }],
+                details: { issue_url: result.issue_url, issue_number: result.issue_number },
+              };
+            } catch (err: unknown) {
+              const message = err instanceof Error ? err.message : String(err);
+              api.logger.error(`totalreclaw_report_qa_bug failed: ${message}`);
+              return {
+                content: [{
+                  type: 'text',
+                  text: `Failed to file QA bug: ${message}`,
+                }],
+                details: { error: message },
+              };
+            }
+          },
+        },
+        { name: 'totalreclaw_report_qa_bug' },
+      );
+      api.logger.info(
+        'totalreclaw_report_qa_bug registered (RC build — this tool is hidden in stable releases).',
+      );
+    }
     // ---------------------------------------------------------------
     // Hook: before_tool_call (3.2.0 memory-tool gate)
     // ---------------------------------------------------------------