remoteclaw 0.0.0 → 0.1.0-next.aa1fa55

package/dist/redact-snapshot-uT-CXbM8.js

@@ -0,0 +1,2028 @@
+import { t as createSubsystemLogger } from "./subsystem-COd61u0P.js";
+import { g as sensitive } from "./config-ChYRSJQt.js";
+import { z } from "zod";
+
+//#region src/config/schema.irc.ts
+const IRC_FIELD_LABELS = {
+	"channels.irc": "IRC",
+	"channels.irc.dmPolicy": "IRC DM Policy",
+	"channels.irc.nickserv.enabled": "IRC NickServ Enabled",
+	"channels.irc.nickserv.service": "IRC NickServ Service",
+	"channels.irc.nickserv.password": "IRC NickServ Password",
+	"channels.irc.nickserv.passwordFile": "IRC NickServ Password File",
+	"channels.irc.nickserv.register": "IRC NickServ Register",
+	"channels.irc.nickserv.registerEmail": "IRC NickServ Register Email"
+};
+const IRC_FIELD_HELP = {
+	"channels.irc.configWrites": "Allow IRC to write config in response to channel events/commands (default: true).",
+	"channels.irc.dmPolicy": "Direct message access control (\"pairing\" recommended). \"open\" requires channels.irc.allowFrom=[\"*\"].",
+	"channels.irc.nickserv.enabled": "Enable NickServ identify/register after connect (defaults to enabled when password is configured).",
+	"channels.irc.nickserv.service": "NickServ service nick (default: NickServ).",
+	"channels.irc.nickserv.password": "NickServ password used for IDENTIFY/REGISTER (sensitive).",
+	"channels.irc.nickserv.passwordFile": "Optional file path containing NickServ password.",
+	"channels.irc.nickserv.register": "If true, send NickServ REGISTER on every connect. Use once for initial registration, then disable.",
+	"channels.irc.nickserv.registerEmail": "Email used with NickServ REGISTER (required when register=true)."
+};
+
+//#endregion
+//#region src/config/schema.help.ts
+const FIELD_HELP = {
+	meta: "Metadata fields automatically maintained by RemoteClaw to record write/version history for this config file. Keep these values system-managed and avoid manual edits unless debugging migration history.",
+	"meta.lastTouchedVersion": "Auto-set when RemoteClaw writes the config.",
+	"meta.lastTouchedAt": "ISO timestamp of the last config write (auto-set).",
+	env: "Environment import and override settings used to supply runtime variables to the gateway process. Use this section to control shell-env loading and explicit variable injection behavior.",
+	"env.shellEnv": "Shell environment import controls for loading variables from your login shell during startup. Keep this enabled when you depend on profile-defined secrets or PATH customizations.",
+	"env.shellEnv.enabled": "Enables loading environment variables from the user shell profile during startup initialization. Keep enabled for developer machines, or disable in locked-down service environments with explicit env management.",
+	"env.shellEnv.timeoutMs": "Maximum time in milliseconds allowed for shell environment resolution before fallback behavior applies. Use tighter timeouts for faster startup, or increase when shell initialization is heavy.",
+	"env.vars": "Explicit key/value environment variable overrides merged into runtime process environment for RemoteClaw. Use this for deterministic env configuration instead of relying only on shell profile side effects.",
+	wizard: "Setup wizard state tracking fields that record the most recent guided onboarding run details. Keep these fields for observability and troubleshooting of setup flows across upgrades.",
+	"wizard.lastRunAt": "ISO timestamp for when the setup wizard most recently completed on this host. Use this to confirm onboarding recency during support and operational audits.",
+	"wizard.lastRunVersion": "RemoteClaw version recorded at the time of the most recent wizard run on this config. Use this when diagnosing behavior differences across version-to-version onboarding changes.",
+	"wizard.lastRunCommit": "Source commit identifier recorded for the last wizard execution in development builds. Use this to correlate onboarding behavior with exact source state during debugging.",
+	"wizard.lastRunCommand": "Command invocation recorded for the latest wizard run to preserve execution context. Use this to reproduce onboarding steps when verifying setup regressions.",
+	"wizard.lastRunMode": "Wizard execution mode recorded as \"local\" or \"remote\" for the most recent onboarding flow. Use this to understand whether setup targeted direct local runtime or remote gateway topology.",
+	diagnostics: "Diagnostics controls for targeted tracing, telemetry export, and cache inspection during debugging. Keep baseline diagnostics minimal in production and enable deeper signals only when investigating issues.",
+	"diagnostics.otel": "OpenTelemetry export settings for traces, metrics, and logs emitted by gateway components. Use this when integrating with centralized observability backends and distributed tracing pipelines.",
+	"diagnostics.cacheTrace": "Cache-trace logging settings for observing cache decisions and payload context in embedded runs. Enable this temporarily for debugging and disable afterward to reduce sensitive log footprint.",
+	logging: "Logging behavior controls for severity, output destinations, formatting, and sensitive-data redaction. Keep levels and redaction strict enough for production while preserving useful diagnostics.",
+	"logging.level": "Primary log level threshold for runtime logger output: \"silent\", \"fatal\", \"error\", \"warn\", \"info\", \"debug\", or \"trace\". Keep \"info\" or \"warn\" for production, and use debug/trace only during investigation.",
+	"logging.file": "Optional file path for persisted log output in addition to or instead of console logging. Use a managed writable path and align retention/rotation with your operational policy.",
+	"logging.consoleLevel": "Console-specific log threshold: \"silent\", \"fatal\", \"error\", \"warn\", \"info\", \"debug\", or \"trace\" for terminal output control. Use this to keep local console quieter while retaining richer file logging if needed.",
+	"logging.consoleStyle": "Console output format style: \"pretty\", \"compact\", or \"json\" based on operator and ingestion needs. Use json for machine parsing pipelines and pretty/compact for human-first terminal workflows.",
+	"logging.redactSensitive": "Sensitive redaction mode: \"off\" disables built-in masking, while \"tools\" redacts sensitive tool/config payload fields. Keep \"tools\" in shared logs unless you have isolated secure log sinks.",
+	"logging.redactPatterns": "Additional custom redact regex patterns applied to log output before emission/storage. Use this to mask org-specific tokens and identifiers not covered by built-in redaction rules.",
+	update: "Update-channel and startup-check behavior for keeping RemoteClaw runtime versions current. Use conservative channels in production and more experimental channels only in controlled environments.",
+	"update.channel": "Update channel for git + npm installs (\"stable\", \"beta\", or \"dev\").",
+	"update.checkOnStart": "Check for npm updates when the gateway starts (default: true).",
+	"update.auto.enabled": "Enable background auto-update for package installs (default: false).",
+	"update.auto.stableDelayHours": "Minimum delay before stable-channel auto-apply starts (default: 6).",
+	"update.auto.stableJitterHours": "Extra stable-channel rollout spread window in hours (default: 12).",
+	"update.auto.betaCheckIntervalHours": "How often beta-channel checks run in hours (default: 1).",
+	gateway: "Gateway runtime surface for bind mode, auth, control UI, remote transport, and operational safety controls. Keep conservative defaults unless you intentionally expose the gateway beyond trusted local interfaces.",
+	"gateway.port": "TCP port used by the gateway listener for API, control UI, and channel-facing ingress paths. Use a dedicated port and avoid collisions with reverse proxies or local developer services.",
+	"gateway.mode": "Gateway operation mode: \"local\" runs channels and agent runtime on this host, while \"remote\" connects through remote transport. Keep \"local\" unless you intentionally run a split remote gateway topology.",
+	"gateway.bind": "Network bind profile: \"auto\", \"lan\", \"loopback\", \"custom\", or \"tailnet\" to control interface exposure. Keep \"loopback\" or \"auto\" for safest local operation unless external clients must connect.",
+	"gateway.customBindHost": "Explicit bind host/IP used when gateway.bind is set to custom for manual interface targeting. Use a precise address and avoid wildcard binds unless external exposure is required.",
+	"gateway.controlUi": "Control UI hosting settings including enablement, pathing, and browser-origin/auth hardening behavior. Keep UI exposure minimal and pair with strong auth controls before internet-facing deployments.",
+	"gateway.controlUi.enabled": "Enables serving the gateway Control UI from the gateway HTTP process when true. Keep enabled for local administration, and disable when an external control surface replaces it.",
+	"gateway.auth": "Authentication policy for gateway HTTP/WebSocket access including mode, credentials, trusted-proxy behavior, and rate limiting. Keep auth enabled for every non-loopback deployment.",
+	"gateway.auth.mode": "Gateway auth mode: \"none\", \"token\", \"password\", or \"trusted-proxy\" depending on your edge architecture. Use token/password for direct exposure, and trusted-proxy only behind hardened identity-aware proxies.",
+	"gateway.auth.allowTailscale": "Allows trusted Tailscale identity paths to satisfy gateway auth checks when configured. Use this only when your tailnet identity posture is strong and operator workflows depend on it.",
+	"gateway.auth.rateLimit": "Login/auth attempt throttling controls to reduce credential brute-force risk at the gateway boundary. Keep enabled in exposed environments and tune thresholds to your traffic baseline.",
+	"gateway.auth.trustedProxy": "Trusted-proxy auth header mapping for upstream identity providers that inject user claims. Use only with known proxy CIDRs and strict header allowlists to prevent spoofed identity headers.",
+	"gateway.trustedProxies": "CIDR/IP allowlist of upstream proxies permitted to provide forwarded client identity headers. Keep this list narrow so untrusted hops cannot impersonate users.",
+	"gateway.allowRealIpFallback": "Enables x-real-ip fallback when x-forwarded-for is missing in proxy scenarios. Keep disabled unless your ingress stack requires this compatibility behavior.",
+	"gateway.tools": "Gateway-level tool exposure allow/deny policy that can restrict runtime tool availability independent of agent/tool profiles. Use this for coarse emergency controls and production hardening.",
+	"gateway.tools.allow": "Explicit gateway-level tool allowlist when you want a narrow set of tools available at runtime. Use this for locked-down environments where tool scope must be tightly controlled.",
+	"gateway.tools.deny": "Explicit gateway-level tool denylist to block risky tools even if lower-level policies allow them. Use deny rules for emergency response and defense-in-depth hardening.",
+	"gateway.channelHealthCheckMinutes": "Interval in minutes for automatic channel health probing and status updates. Use lower intervals for faster detection, or higher intervals to reduce periodic probe noise.",
+	"gateway.tailscale": "Tailscale integration settings for Serve/Funnel exposure and lifecycle handling on gateway start/exit. Keep off unless your deployment intentionally relies on Tailscale ingress.",
+	"gateway.tailscale.mode": "Tailscale publish mode: \"off\", \"serve\", or \"funnel\" for private or public exposure paths. Use \"serve\" for tailnet-only access and \"funnel\" only when public internet reachability is required.",
+	"gateway.tailscale.resetOnExit": "Resets Tailscale Serve/Funnel state on gateway exit to avoid stale published routes after shutdown. Keep enabled unless another controller manages publish lifecycle outside the gateway.",
+	"gateway.remote": "Remote gateway connection settings for direct or SSH transport when this instance proxies to another runtime host. Use remote mode only when split-host operation is intentionally configured.",
+	"gateway.remote.transport": "Remote connection transport: \"direct\" uses configured URL connectivity, while \"ssh\" tunnels through SSH. Use SSH when you need encrypted tunnel semantics without exposing remote ports.",
+	"gateway.reload": "Live config-reload policy for how edits are applied and when full restarts are triggered. Keep hybrid behavior for safest operational updates unless debugging reload internals.",
+	"gateway.tls": "TLS certificate and key settings for terminating HTTPS directly in the gateway process. Use explicit certificates in production and avoid plaintext exposure on untrusted networks.",
+	"gateway.tls.enabled": "Enables TLS termination at the gateway listener so clients connect over HTTPS/WSS directly. Keep enabled for direct internet exposure or any untrusted network boundary.",
+	"gateway.tls.autoGenerate": "Auto-generates a local TLS certificate/key pair when explicit files are not configured. Use only for local/dev setups and replace with real certificates for production traffic.",
+	"gateway.tls.certPath": "Filesystem path to the TLS certificate file used by the gateway when TLS is enabled. Use managed certificate paths and keep renewal automation aligned with this location.",
+	"gateway.tls.keyPath": "Filesystem path to the TLS private key file used by the gateway when TLS is enabled. Keep this key file permission-restricted and rotate per your security policy.",
+	"gateway.tls.caPath": "Optional CA bundle path for client verification or custom trust-chain requirements at the gateway edge. Use this when private PKI or custom certificate chains are part of deployment.",
+	"gateway.http": "Gateway HTTP API configuration grouping endpoint toggles and transport-facing API exposure controls. Keep only required endpoints enabled to reduce attack surface.",
+	"gateway.http.endpoints": "HTTP endpoint feature toggles under the gateway API surface for compatibility routes and optional integrations. Enable endpoints intentionally and monitor access patterns after rollout.",
+	"gateway.http.securityHeaders": "Optional HTTP response security headers applied by the gateway process itself. Prefer setting these at your reverse proxy when TLS terminates there.",
+	"gateway.http.securityHeaders.strictTransportSecurity": "Value for the Strict-Transport-Security response header. Set only on HTTPS origins that you fully control; use false to explicitly disable.",
+	"gateway.remote.url": "Remote Gateway WebSocket URL (ws:// or wss://).",
+	"gateway.remote.token": "Bearer token used to authenticate this client to a remote gateway in token-auth deployments. Store via secret/env substitution and rotate alongside remote gateway auth changes.",
+	"gateway.remote.password": "Password credential used for remote gateway authentication when password mode is enabled. Keep this secret managed externally and avoid plaintext values in committed config.",
+	"gateway.remote.tlsFingerprint": "Expected sha256 TLS fingerprint for the remote gateway (pin to avoid MITM).",
+	"gateway.remote.sshTarget": "Remote gateway over SSH (tunnels the gateway port to localhost). Format: user@host or user@host:port.",
+	"gateway.remote.sshIdentity": "Optional SSH identity file path (passed to ssh -i).",
+	"talk.provider": "Active Talk provider id (for example \"elevenlabs\").",
+	"talk.providers": "Provider-specific Talk settings keyed by provider id. During migration, prefer this over legacy talk.* keys.",
+	"talk.providers.*.voiceId": "Provider default voice ID for Talk mode.",
+	"talk.providers.*.voiceAliases": "Optional provider voice alias map for Talk directives.",
+	"talk.providers.*.modelId": "Provider default model ID for Talk mode.",
+	"talk.providers.*.outputFormat": "Provider default output format for Talk mode.",
+	"talk.providers.*.apiKey": "Provider API key for Talk mode.",
+	"talk.voiceId": "Legacy ElevenLabs default voice ID for Talk mode. Prefer talk.providers.elevenlabs.voiceId.",
+	"talk.voiceAliases": "Use this legacy ElevenLabs voice alias map (for example {\"Clawd\":\"EXAVITQu4vr4xnSDxMaL\"}) only during migration. Prefer talk.providers.elevenlabs.voiceAliases.",
+	"talk.modelId": "Legacy ElevenLabs model ID for Talk mode (default: eleven_v3). Prefer talk.providers.elevenlabs.modelId.",
+	"talk.outputFormat": "Use this legacy ElevenLabs output format for Talk mode (for example pcm_44100 or mp3_44100_128) only during migration. Prefer talk.providers.elevenlabs.outputFormat.",
+	"talk.apiKey": "Use this legacy ElevenLabs API key for Talk mode only during migration, and keep secrets in env-backed storage. Prefer talk.providers.elevenlabs.apiKey (fallback: ELEVENLABS_API_KEY).",
+	"talk.interruptOnSpeech": "If true (default), stop assistant speech when the user starts speaking in Talk mode. Keep enabled for conversational turn-taking.",
+	"agents.list.*.skills": "Optional allowlist of skills for this agent (omit = all skills; empty = no skills).",
+	"agents.list[].skills": "Optional allowlist of skills for this agent (omit = all skills; empty = no skills).",
+	agents: "Agent runtime configuration root covering defaults and explicit agent entries used for routing and execution context. Keep this section explicit so model/tool behavior stays predictable across multi-agent workflows.",
+	"agents.defaults": "Shared default settings inherited by agents unless overridden per entry in agents.list. Use defaults to enforce consistent baseline behavior and reduce duplicated per-agent configuration.",
+	"agents.list": "Explicit list of configured agents with IDs and optional overrides for model, tools, identity, and workspace. Keep IDs stable over time so bindings, approvals, and session routing remain deterministic.",
+	"agents.list[].identity.avatar": "Avatar image path (relative to the agent workspace only) or a remote URL/data URL.",
+	"agents.defaults.heartbeat.suppressToolErrorWarnings": "Suppress tool error warning payloads during heartbeat runs.",
+	"agents.list[].heartbeat.suppressToolErrorWarnings": "Suppress tool error warning payloads during heartbeat runs.",
+	browser: "Browser runtime controls for local or remote CDP attachment, profile routing, and screenshot/snapshot behavior. Keep defaults unless your automation workflow requires custom browser transport settings.",
+	"browser.enabled": "Enables browser capability wiring in the gateway so browser tools and CDP-driven workflows can run. Disable when browser automation is not needed to reduce surface area and startup work.",
+	"browser.cdpUrl": "Remote CDP websocket URL used to attach to an externally managed browser instance. Use this for centralized browser hosts and keep URL access restricted to trusted network paths.",
+	"browser.color": "Default accent color used for browser profile/UI cues where colored identity hints are displayed. Use consistent colors to help operators identify active browser profile context quickly.",
+	"browser.executablePath": "Explicit browser executable path when auto-discovery is insufficient for your host environment. Use absolute stable paths so launch behavior stays deterministic across restarts.",
+	"browser.headless": "Forces browser launch in headless mode when the local launcher starts browser instances. Keep headless enabled for server environments and disable only when visible UI debugging is required.",
+	"browser.noSandbox": "Disables Chromium sandbox isolation flags for environments where sandboxing fails at runtime. Keep this off whenever possible because process isolation protections are reduced.",
+	"browser.attachOnly": "Restricts browser mode to attach-only behavior without starting local browser processes. Use this when all browser sessions are externally managed by a remote CDP provider.",
+	"browser.defaultProfile": "Default browser profile name selected when callers do not explicitly choose a profile. Use a stable low-privilege profile as the default to reduce accidental cross-context state use.",
+	"browser.profiles": "Named browser profile connection map used for explicit routing to CDP ports or URLs with optional metadata. Keep profile names consistent and avoid overlapping endpoint definitions.",
+	"browser.profiles.*.cdpPort": "Per-profile local CDP port used when connecting to browser instances by port instead of URL. Use unique ports per profile to avoid connection collisions.",
+	"browser.profiles.*.cdpUrl": "Per-profile CDP websocket URL used for explicit remote browser routing by profile name. Use this when profile connections terminate on remote hosts or tunnels.",
+	"browser.profiles.*.driver": "Per-profile browser driver mode: \"clawd\" or \"extension\" depending on connection/runtime strategy. Use the driver that matches your browser control stack to avoid protocol mismatches.",
+	"browser.profiles.*.color": "Per-profile accent color for visual differentiation in dashboards and browser-related UI hints. Use distinct colors for high-signal operator recognition of active profiles.",
+	"browser.evaluateEnabled": "Enables browser-side evaluate helpers for runtime script evaluation capabilities where supported. Keep disabled unless your workflows require evaluate semantics beyond snapshots/navigation.",
+	"browser.snapshotDefaults": "Default snapshot capture configuration used when callers do not provide explicit snapshot options. Tune this for consistent capture behavior across channels and automation paths.",
+	"browser.snapshotDefaults.mode": "Default snapshot extraction mode controlling how page content is transformed for agent consumption. Choose the mode that balances readability, fidelity, and token footprint for your workflows.",
+	"browser.ssrfPolicy": "Server-side request forgery guardrail settings for browser/network fetch paths that could reach internal hosts. Keep restrictive defaults in production and open only explicitly approved targets.",
+	"browser.ssrfPolicy.allowPrivateNetwork": "Legacy alias for browser.ssrfPolicy.dangerouslyAllowPrivateNetwork. Prefer the dangerously-named key so risk intent is explicit.",
+	"browser.ssrfPolicy.dangerouslyAllowPrivateNetwork": "Allows access to private-network address ranges from browser tooling. Default is enabled for trusted-network operator setups; disable to enforce strict public-only resolution checks.",
+	"browser.ssrfPolicy.allowedHostnames": "Explicit hostname allowlist exceptions for SSRF policy checks on browser/network requests. Keep this list minimal and review entries regularly to avoid stale broad access.",
+	"browser.ssrfPolicy.hostnameAllowlist": "Legacy/alternate hostname allowlist field used by SSRF policy consumers for explicit host exceptions. Use stable exact hostnames and avoid wildcard-like broad patterns.",
+	"browser.remoteCdpTimeoutMs": "Timeout in milliseconds for connecting to a remote CDP endpoint before failing the browser attach attempt. Increase for high-latency tunnels, or lower for faster failure detection.",
+	"browser.remoteCdpHandshakeTimeoutMs": "Timeout in milliseconds for post-connect CDP handshake readiness checks against remote browser targets. Raise this for slow-start remote browsers and lower to fail fast in automation loops.",
+	"discovery.mdns.mode": "mDNS broadcast mode (\"minimal\" default, \"full\" includes cliPath/sshPort, \"off\" disables mDNS).",
+	discovery: "Service discovery settings for local mDNS advertisement and optional wide-area presence signaling. Keep discovery scoped to expected networks to avoid leaking service metadata.",
+	"discovery.wideArea": "Wide-area discovery configuration group for exposing discovery signals beyond local-link scopes. Enable only in deployments that intentionally aggregate gateway presence across sites.",
+	"discovery.wideArea.enabled": "Enables wide-area discovery signaling when your environment needs non-local gateway discovery. Keep disabled unless cross-network discovery is operationally required.",
+	"discovery.mdns": "mDNS discovery configuration group for local network advertisement and discovery behavior tuning. Keep minimal mode for routine LAN discovery unless extra metadata is required.",
+	tools: "Global tool access policy and capability configuration across web, exec, media, messaging, and elevated surfaces. Use this section to constrain risky capabilities before broad rollout.",
+	"tools.allow": "Absolute tool allowlist that replaces profile-derived defaults for strict environments. Use this only when you intentionally run a tightly curated subset of tool capabilities.",
+	"tools.deny": "Global tool denylist that blocks listed tools even when profile or provider rules would allow them. Use deny rules for emergency lockouts and long-term defense-in-depth.",
+	"tools.exec": "Exec-tool policy grouping for shell execution host, security mode, approval behavior, and runtime bindings. Keep conservative defaults in production and tighten elevated execution paths.",
+	"tools.exec.host": "Selects execution host strategy for shell commands, typically controlling local vs delegated execution environment. Use the safest host mode that still satisfies your automation requirements.",
+	"tools.exec.security": "Execution security posture selector controlling sandbox/approval expectations for command execution. Keep strict security mode for untrusted prompts and relax only for trusted operator workflows.",
+	"tools.exec.ask": "Approval strategy for when exec commands require human confirmation before running. Use stricter ask behavior in shared channels and lower-friction settings in private operator contexts.",
+	"tools.exec.node": "Node binding configuration for exec tooling when command execution is delegated through connected nodes. Use explicit node binding only when multi-node routing is required.",
+	"tools.agentToAgent": "Policy for allowing agent-to-agent tool calls and constraining which target agents can be reached. Keep disabled or tightly scoped unless cross-agent orchestration is intentionally enabled.",
+	"tools.agentToAgent.enabled": "Enables the agent_to_agent tool surface so one agent can invoke another agent at runtime. Keep off in simple deployments and enable only when orchestration value outweighs complexity.",
+	"tools.agentToAgent.allow": "Allowlist of target agent IDs permitted for agent_to_agent calls when orchestration is enabled. Use explicit allowlists to avoid uncontrolled cross-agent call graphs.",
+	"tools.elevated": "Elevated tool access controls for privileged command surfaces that should only be reachable from trusted senders. Keep disabled unless operator workflows explicitly require elevated actions.",
+	"tools.elevated.enabled": "Enables elevated tool execution path when sender and policy checks pass. Keep disabled in public/shared channels and enable only for trusted owner-operated contexts.",
+	"tools.elevated.allowFrom": "Sender allow rules for elevated tools, usually keyed by channel/provider identity formats. Use narrow, explicit identities so elevated commands cannot be triggered by unintended users.",
+	"tools.subagents": "Tool policy wrapper for spawned subagents to restrict or expand tool availability compared to parent defaults. Use this to keep delegated agent capabilities scoped to task intent.",
+	"tools.subagents.tools": "Allow/deny tool policy applied to spawned subagent runtimes for per-subagent hardening. Keep this narrower than parent scope when subagents run semi-autonomous workflows.",
+	"tools.sandbox": "Tool policy wrapper for sandboxed agent executions so sandbox runs can have distinct capability boundaries. Use this to enforce stronger safety in sandbox contexts.",
+	"tools.sandbox.tools": "Allow/deny tool policy applied when agents run in sandboxed execution environments. Keep policies minimal so sandbox tasks cannot escalate into unnecessary external actions.",
+	web: "Web channel runtime settings for heartbeat and reconnect behavior when operating web-based chat surfaces. Use reconnect values tuned to your network reliability profile and expected uptime needs.",
+	"web.enabled": "Enables the web channel runtime and related websocket lifecycle behavior. Keep disabled when web chat is unused to reduce active connection management overhead.",
+	"web.heartbeatSeconds": "Heartbeat interval in seconds for web channel connectivity and liveness maintenance. Use shorter intervals for faster detection, or longer intervals to reduce keepalive chatter.",
+	"web.reconnect": "Reconnect backoff policy for web channel reconnect attempts after transport failure. Keep bounded retries and jitter tuned to avoid thundering-herd reconnect behavior.",
+	"web.reconnect.initialMs": "Initial reconnect delay in milliseconds before the first retry after disconnection. Use modest delays to recover quickly without immediate retry storms.",
+	"web.reconnect.maxMs": "Maximum reconnect backoff cap in milliseconds to bound retry delay growth over repeated failures. Use a reasonable cap so recovery remains timely after prolonged outages.",
+	"web.reconnect.factor": "Exponential backoff multiplier used between reconnect attempts in web channel retry loops. Keep factor above 1 and tune with jitter for stable large-fleet reconnect behavior.",
+	"web.reconnect.jitter": "Randomization factor (0-1) applied to reconnect delays to desynchronize clients after outage events. Keep non-zero jitter in multi-client deployments to reduce synchronized spikes.",
+	"web.reconnect.maxAttempts": "Maximum reconnect attempts before giving up for the current failure sequence (0 means no retries). Use finite caps for controlled failure handling in automation-sensitive environments.",
+	canvasHost: "Canvas host settings for serving canvas assets and local live-reload behavior used by canvas-enabled workflows. Keep disabled unless canvas-hosted assets are actively used.",
+	"canvasHost.enabled": "Enables the canvas host server process and routes for serving canvas files. Keep disabled when canvas workflows are inactive to reduce exposed local services.",
+	"canvasHost.root": "Filesystem root directory served by canvas host for canvas content and static assets. Use a dedicated directory and avoid broad repo roots for least-privilege file exposure.",
+	"canvasHost.port": "TCP port used by the canvas host HTTP server when canvas hosting is enabled. Choose a non-conflicting port and align firewall/proxy policy accordingly.",
+	"canvasHost.liveReload": "Enables automatic live-reload behavior for canvas assets during development workflows. Keep disabled in production-like environments where deterministic output is preferred.",
+	talk: "Talk-mode voice synthesis settings for voice identity, model selection, output format, and interruption behavior. Use this section to tune human-facing voice UX while controlling latency and cost.",
+	"gateway.auth.token": "Required by default for gateway access (unless using Tailscale Serve identity); required for non-loopback binds.",
+	"gateway.auth.password": "Required for Tailscale funnel.",
+	"agents.defaults.sandbox.browser.network": "Docker network for sandbox browser containers (default: remoteclaw-sandbox-browser). Avoid bridge if you need stricter isolation.",
+	"agents.list[].sandbox.browser.network": "Per-agent override for sandbox browser Docker network.",
+	"agents.defaults.sandbox.docker.dangerouslyAllowContainerNamespaceJoin": "DANGEROUS break-glass override that allows sandbox Docker network mode container:<id>. This joins another container namespace and weakens sandbox isolation.",
+	"agents.list[].sandbox.docker.dangerouslyAllowContainerNamespaceJoin": "Per-agent DANGEROUS override for container namespace joins in sandbox Docker network mode.",
+	"agents.defaults.sandbox.browser.cdpSourceRange": "Optional CIDR allowlist for container-edge CDP ingress (for example 172.21.0.1/32).",
+	"agents.list[].sandbox.browser.cdpSourceRange": "Per-agent override for CDP source CIDR allowlist.",
+	"gateway.controlUi.basePath": "Optional URL prefix where the Control UI is served (e.g. /remoteclaw).",
+	"gateway.controlUi.root": "Optional filesystem root for Control UI assets (defaults to dist/control-ui).",
+	"gateway.controlUi.allowedOrigins": "Allowed browser origins for Control UI/WebChat websocket connections (full origins only, e.g. https://control.example.com). Required for non-loopback Control UI deployments unless dangerous Host-header fallback is explicitly enabled.",
+	"gateway.controlUi.dangerouslyAllowHostHeaderOriginFallback": "DANGEROUS toggle that enables Host-header based origin fallback for Control UI/WebChat websocket checks. This mode is supported when your deployment intentionally relies on Host-header origin policy; explicit gateway.controlUi.allowedOrigins remains the recommended hardened default.",
+	"gateway.controlUi.allowInsecureAuth": "Loosens strict browser auth checks for Control UI when you must run a non-standard setup. Keep this off unless you trust your network and proxy path, because impersonation risk is higher.",
+	"gateway.controlUi.dangerouslyDisableDeviceAuth": "Disables Control UI device identity checks and relies on token/password only. Use only for short-lived debugging on trusted networks, then turn it off immediately.",
+	"gateway.http.endpoints.chatCompletions.enabled": "Enable the OpenAI-compatible `POST /v1/chat/completions` endpoint (default: false).",
+	"gateway.reload.mode": "Controls how config edits are applied: \"off\" ignores live edits, \"restart\" always restarts, \"hot\" applies in-process, and \"hybrid\" tries hot then restarts if required. Keep \"hybrid\" for safest routine updates.",
+	"gateway.reload.debounceMs": "Debounce window (ms) before applying config changes.",
+	"gateway.nodes.browser.mode": "Node browser routing (\"auto\" = pick single connected browser node, \"manual\" = require node param, \"off\" = disable).",
+	"gateway.nodes.browser.node": "Pin browser routing to a specific node id or name (optional).",
+	"gateway.nodes.allowCommands": "Extra node.invoke commands to allow beyond the gateway defaults (array of command strings). Enabling dangerous commands here is a security-sensitive override and is flagged by `remoteclaw security audit`.",
+	"gateway.nodes.denyCommands": "Commands to block even if present in node claims or default allowlist.",
+	nodeHost: "Node host controls for features exposed from this gateway node to other nodes or clients. Keep defaults unless you intentionally proxy local capabilities across your node network.",
+	"nodeHost.browserProxy": "Groups browser-proxy settings for exposing local browser control through node routing. Enable only when remote node workflows need your local browser profiles.",
+	"nodeHost.browserProxy.enabled": "Expose the local browser control server through node proxy routing so remote clients can use this host's browser capabilities. Keep disabled unless remote automation explicitly depends on it.",
+	"nodeHost.browserProxy.allowProfiles": "Optional allowlist of browser profile names exposed through node proxy routing. Leave empty to expose all configured profiles, or use a tight list to enforce least-privilege profile access.",
+	media: "Top-level media behavior shared across providers and tools that handle inbound files. Keep defaults unless you need stable filenames for external processing pipelines.",
+	"media.preserveFilenames": "When enabled, uploaded media keeps its original filename instead of a generated temp-safe name. Turn this on when downstream automations depend on stable names, and leave off to reduce accidental filename leakage.",
+	audio: "Global audio ingestion settings used before higher-level tools process speech or media content. Configure this when you need deterministic transcription behavior for voice notes and clips.",
+	"audio.transcription": "Command-based transcription settings for converting audio files into text before agent handling. Keep a simple, deterministic command path here so failures are easy to diagnose in logs.",
+	"audio.transcription.command": "Executable + args used to transcribe audio (first token must be a safe binary/path), for example `[\"whisper-cli\", \"--model\", \"small\", \"{input}\"]`. Prefer a pinned command so runtime environments behave consistently.",
+	"audio.transcription.timeoutSeconds": "Maximum time allowed for the transcription command to finish before it is aborted. Increase this for longer recordings, and keep it tight in latency-sensitive deployments.",
+	bindings: "Static routing bindings that pin inbound conversations to specific agent IDs by match rules. Use bindings for deterministic ownership when dynamic routing should not decide.",
+	"bindings[].agentId": "Target agent ID that receives traffic when the corresponding binding match rule is satisfied. Use valid configured agent IDs only so routing does not fail at runtime.",
+	"bindings[].match": "Match rule object for deciding when a binding applies, including channel and optional account/peer constraints. Keep rules narrow to avoid accidental agent takeover across contexts.",
+	"bindings[].match.channel": "Channel/provider identifier this binding applies to, such as `telegram`, `discord`, or a plugin channel ID. Use the configured channel key exactly so binding evaluation works reliably.",
+	"bindings[].match.accountId": "Optional account selector for multi-account channel setups so the binding applies only to one identity. Use this when account scoping is required for the route and leave unset otherwise.",
+	"bindings[].match.peer": "Optional peer matcher for specific conversations including peer kind and peer id. Use this when only one direct/group/channel target should be pinned to an agent.",
+	"bindings[].match.peer.kind": "Peer conversation type: \"direct\", \"group\", \"channel\", or legacy \"dm\" (deprecated alias for direct). Prefer \"direct\" for new configs and keep kind aligned with channel semantics.",
+	"bindings[].match.peer.id": "Conversation identifier used with peer matching, such as a chat ID, channel ID, or group ID from the provider. Keep this exact to avoid silent non-matches.",
+	"bindings[].match.guildId": "Optional Discord-style guild/server ID constraint for binding evaluation in multi-server deployments. Use this when the same peer identifiers can appear across different guilds.",
+	"bindings[].match.teamId": "Optional team/workspace ID constraint used by providers that scope chats under teams. Add this when you need bindings isolated to one workspace context.",
+	"bindings[].match.roles": "Optional role-based filter list used by providers that attach roles to chat context. Use this to route privileged or operational role traffic to specialized agents.",
+	broadcast: "Broadcast routing map for sending the same outbound message to multiple peer IDs per source conversation. Keep this minimal and audited because one source can fan out to many destinations.",
+	"broadcast.strategy": "Delivery order for broadcast fan-out: \"parallel\" sends to all targets concurrently, while \"sequential\" sends one-by-one. Use \"parallel\" for speed and \"sequential\" for stricter ordering/backpressure control.",
+	"broadcast.*": "Per-source broadcast destination list where each key is a source peer ID and the value is an array of destination peer IDs. Keep lists intentional to avoid accidental message amplification.",
+	"diagnostics.flags": "Enable targeted diagnostics logs by flag (e.g. [\"telegram.http\"]). Supports wildcards like \"telegram.*\" or \"*\".",
+	"diagnostics.enabled": "Master toggle for diagnostics instrumentation output in logs and telemetry wiring paths. Keep enabled for normal observability, and disable only in tightly constrained environments.",
+	"diagnostics.otel.enabled": "Enables OpenTelemetry export pipeline for traces, metrics, and logs based on configured endpoint/protocol settings. Keep disabled unless your collector endpoint and auth are fully configured.",
+	"diagnostics.otel.endpoint": "Collector endpoint URL used for OpenTelemetry export transport, including scheme and port. Use a reachable, trusted collector endpoint and monitor ingestion errors after rollout.",
+	"diagnostics.otel.protocol": "OTel transport protocol for telemetry export: \"http/protobuf\" or \"grpc\" depending on collector support. Use the protocol your observability backend expects to avoid dropped telemetry payloads.",
+	"diagnostics.otel.headers": "Additional HTTP/gRPC metadata headers sent with OpenTelemetry export requests, often used for tenant auth or routing. Keep secrets in env-backed values and avoid unnecessary header sprawl.",
+	"diagnostics.otel.serviceName": "Service name reported in telemetry resource attributes to identify this gateway instance in observability backends. Use stable names so dashboards and alerts remain consistent over deployments.",
+	"diagnostics.otel.traces": "Enable trace signal export to the configured OpenTelemetry collector endpoint. Keep enabled when latency/debug tracing is needed, and disable if you only want metrics/logs.",
+	"diagnostics.otel.metrics": "Enable metrics signal export to the configured OpenTelemetry collector endpoint. Keep enabled for runtime health dashboards, and disable only if metric volume must be minimized.",
+	"diagnostics.otel.logs": "Enable log signal export through OpenTelemetry in addition to local logging sinks. Use this when centralized log correlation is required across services and agents.",
+	"diagnostics.otel.sampleRate": "Trace sampling rate (0-1) controlling how much trace traffic is exported to observability backends. Lower rates reduce overhead/cost, while higher rates improve debugging fidelity.",
+	"diagnostics.otel.flushIntervalMs": "Interval in milliseconds for periodic telemetry flush from buffers to the collector. Increase to reduce export chatter, or lower for faster visibility during active incident response.",
+	"diagnostics.cacheTrace.enabled": "Log cache trace snapshots for embedded agent runs (default: false).",
+	"diagnostics.cacheTrace.filePath": "JSONL output path for cache trace logs (default: $REMOTECLAW_STATE_DIR/logs/cache-trace.jsonl).",
+	"diagnostics.cacheTrace.includeMessages": "Include full message payloads in trace output (default: true).",
+	"diagnostics.cacheTrace.includePrompt": "Include prompt text in trace output (default: true).",
+	"diagnostics.cacheTrace.includeSystem": "Include system prompt in trace output (default: true).",
+	"tools.exec.notifyOnExit": "When true (default), backgrounded exec sessions on exit and node exec lifecycle events enqueue a system event and request a heartbeat.",
+	"tools.exec.notifyOnExitEmptySuccess": "When true, successful backgrounded exec exits with empty output still enqueue a completion system event (default: false).",
+	"tools.exec.pathPrepend": "Directories to prepend to PATH for exec runs (gateway/sandbox).",
+	"tools.exec.safeBins": "Allow stdin-only safe binaries to run without explicit allowlist entries.",
+	"tools.exec.safeBinTrustedDirs": "Additional explicit directories trusted for safe-bin path checks (PATH entries are never auto-trusted).",
+	"tools.exec.safeBinProfiles": "Optional per-binary safe-bin profiles (positional limits + allowed/denied flags).",
+	"tools.profile": "Global tool profile name used to select a predefined tool policy baseline before applying allow/deny overrides. Use this for consistent environment posture across agents and keep profile names stable.",
+	"tools.alsoAllow": "Extra tool allowlist entries merged on top of the selected tool profile and default policy. Keep this list small and explicit so audits can quickly identify intentional policy exceptions.",
+	"tools.byProvider": "Per-provider tool allow/deny overrides keyed by channel/provider ID to tailor capabilities by surface. Use this when one provider needs stricter controls than global tool policy.",
+	"agents.list[].tools.profile": "Per-agent override for tool profile selection when one agent needs a different capability baseline. Use this sparingly so policy differences across agents stay intentional and reviewable.",
+	"agents.list[].tools.alsoAllow": "Per-agent additive allowlist for tools on top of global and profile policy. Keep narrow to avoid accidental privilege expansion on specialized agents.",
+	"agents.list[].tools.byProvider": "Per-agent provider-specific tool policy overrides for channel-scoped capability control. Use this when a single agent needs tighter restrictions on one provider than others.",
+	"tools.exec.approvalRunningNoticeMs": "Delay in milliseconds before showing an in-progress notice after an exec approval is granted. Increase to reduce flicker for fast commands, or lower for quicker operator feedback.",
+	"tools.links.enabled": "Enable automatic link understanding pre-processing so URLs can be summarized before agent reasoning. Keep enabled for richer context, and disable when strict minimal processing is required.",
+	"tools.links.maxLinks": "Maximum number of links expanded per turn during link understanding. Use lower values to control latency/cost in chatty threads and higher values when multi-link context is critical.",
+	"tools.links.timeoutSeconds": "Per-link understanding timeout budget in seconds before unresolved links are skipped. Keep this bounded to avoid long stalls when external sites are slow or unreachable.",
+	"tools.links.models": "Preferred model list for link understanding tasks, evaluated in order as fallbacks when supported. Use lightweight models first for routine summarization and heavier models only when needed.",
+	"tools.links.scope": "Controls when link understanding runs relative to conversation context and message type. Keep scope conservative to avoid unnecessary fetches on messages where links are not actionable.",
+	"tools.media.models": "Shared fallback model list used by media understanding tools when modality-specific model lists are not set. Keep this aligned with available multimodal providers to avoid runtime fallback churn.",
+	"tools.media.concurrency": "Maximum number of concurrent media understanding operations per turn across image, audio, and video tasks. Lower this in resource-constrained deployments to prevent CPU/network saturation.",
+	"tools.media.image.enabled": "Enable image understanding so attached or referenced images can be interpreted into textual context. Disable if you need text-only operation or want to avoid image-processing cost.",
+	"tools.media.image.maxBytes": "Maximum accepted image payload size in bytes before the item is skipped or truncated by policy. Keep limits realistic for your provider caps and infrastructure bandwidth.",
+	"tools.media.image.maxChars": "Maximum characters returned from image understanding output after model response normalization. Use tighter limits to reduce prompt bloat and larger limits for detail-heavy OCR tasks.",
+	"tools.media.image.prompt": "Instruction template used for image understanding requests to shape extraction style and detail level. Keep prompts deterministic so outputs stay consistent across turns and channels.",
+	"tools.media.image.timeoutSeconds": "Timeout in seconds for each image understanding request before it is aborted. Increase for high-resolution analysis and lower it for latency-sensitive operator workflows.",
+	"tools.media.image.attachments": "Attachment handling policy for image inputs, including which message attachments qualify for image analysis. Use restrictive settings in untrusted channels to reduce unexpected processing.",
+	"tools.media.image.models": "Ordered model preferences specifically for image understanding when you want to override shared media models. Put the most reliable multimodal model first to reduce fallback attempts.",
+	"tools.media.image.scope": "Scope selector for when image understanding is attempted (for example only explicit requests versus broader auto-detection). Keep narrow scope in busy channels to control token and API spend.",
+	"tools.media.audio.enabled": "Enable audio understanding so voice notes or audio clips can be transcribed/summarized for agent context. Disable when audio ingestion is outside policy or unnecessary for your workflows.",
+	"tools.media.audio.maxBytes": "Maximum accepted audio payload size in bytes before processing is rejected or clipped by policy. Set this based on expected recording length and upstream provider limits.",
+	"tools.media.audio.maxChars": "Maximum characters retained from audio understanding output to prevent oversized transcript injection. Increase for long-form dictation, or lower to keep conversational turns compact.",
+	"tools.media.audio.prompt": "Instruction template guiding audio understanding output style, such as concise summary versus near-verbatim transcript. Keep wording consistent so downstream automations can rely on output format.",
+	"tools.media.audio.timeoutSeconds": "Timeout in seconds for audio understanding execution before the operation is cancelled. Use longer timeouts for long recordings and tighter ones for interactive chat responsiveness.",
+	"tools.media.audio.language": "Preferred language hint for audio understanding/transcription when provider support is available. Set this to improve recognition accuracy for known primary languages.",
+	"tools.media.audio.attachments": "Attachment policy for audio inputs indicating which uploaded files are eligible for audio processing. Keep restrictive defaults in mixed-content channels to avoid unintended audio workloads.",
+	"tools.media.audio.models": "Ordered model preferences specifically for audio understanding, used before shared media model fallback. Choose models optimized for transcription quality in your primary language/domain.",
+	"tools.media.audio.scope": "Scope selector for when audio understanding runs across inbound messages and attachments. Keep focused scopes in high-volume channels to reduce cost and avoid accidental transcription.",
+	"tools.media.video.enabled": "Enable video understanding so clips can be summarized into text for downstream reasoning and responses. Disable when processing video is out of policy or too expensive for your deployment.",
+	"tools.media.video.maxBytes": "Maximum accepted video payload size in bytes before policy rejection or trimming occurs. Tune this to provider and infrastructure limits to avoid repeated timeout/failure loops.",
+	"tools.media.video.maxChars": "Maximum characters retained from video understanding output to control prompt growth. Raise for dense scene descriptions and lower when concise summaries are preferred.",
+	"tools.media.video.prompt": "Instruction template for video understanding describing desired summary granularity and focus areas. Keep this stable so output quality remains predictable across model/provider fallbacks.",
+	"tools.media.video.timeoutSeconds": "Timeout in seconds for each video understanding request before cancellation. Use conservative values in interactive channels and longer values for offline or batch-heavy processing.",
+	"tools.media.video.attachments": "Attachment eligibility policy for video analysis, defining which message files can trigger video processing. Keep this explicit in shared channels to prevent accidental large media workloads.",
+	"tools.media.video.models": "Ordered model preferences specifically for video understanding before shared media fallback applies. Prioritize models with strong multimodal video support to minimize degraded summaries.",
+	"tools.media.video.scope": "Scope selector controlling when video understanding is attempted across incoming events. Narrow scope in noisy channels, and broaden only where video interpretation is core to workflow.",
+	"skills.load.watch": "Enable filesystem watching for skill-definition changes so updates can be applied without full process restart. Keep enabled in development workflows and disable in immutable production images.",
+	"skills.load.watchDebounceMs": "Debounce window in milliseconds for coalescing rapid skill file changes before reload logic runs. Increase to reduce reload churn on frequent writes, or lower for faster edit feedback.",
+	approvals: "Approval routing controls for forwarding exec approval requests to chat destinations outside the originating session. Keep this disabled unless operators need explicit out-of-band approval visibility.",
+	"approvals.exec": "Groups exec-approval forwarding behavior including enablement, routing mode, filters, and explicit targets. Configure here when approval prompts must reach operational channels instead of only the origin thread.",
+	"approvals.exec.enabled": "Enables forwarding of exec approval requests to configured delivery destinations (default: false). Keep disabled in low-risk setups and enable only when human approval responders need channel-visible prompts.",
+	"approvals.exec.mode": "Controls where approval prompts are sent: \"session\" uses origin chat, \"targets\" uses configured targets, and \"both\" sends to both paths. Use \"session\" as baseline and expand only when operational workflow requires redundancy.",
+	"approvals.exec.agentFilter": "Optional allowlist of agent IDs eligible for forwarded approvals, for example `[\"primary\", \"ops-agent\"]`. Use this to limit forwarding blast radius and avoid notifying channels for unrelated agents.",
+	"approvals.exec.sessionFilter": "Optional session-key filters matched as substring or regex-style patterns, for example `[\"discord:\", \"^agent:ops:\"]`. Use narrow patterns so only intended approval contexts are forwarded to shared destinations.",
+	"approvals.exec.targets": "Explicit delivery targets used when forwarding mode includes targets, each with channel and destination details. Keep target lists least-privilege and validate each destination before enabling broad forwarding.",
+	"approvals.exec.targets[].channel": "Channel/provider ID used for forwarded approval delivery, such as discord, slack, or a plugin channel id. Use valid channel IDs only so approvals do not silently fail due to unknown routes.",
+	"approvals.exec.targets[].to": "Destination identifier inside the target channel (channel ID, user ID, or thread root depending on provider). Verify semantics per provider because destination format differs across channel integrations.",
+	"approvals.exec.targets[].accountId": "Optional account selector for multi-account channel setups when approvals must route through a specific account context. Use this only when the target channel has multiple configured identities.",
+	"approvals.exec.targets[].threadId": "Optional thread/topic target for channels that support threaded delivery of forwarded approvals. Use this to keep approval traffic contained in operational threads instead of main channels.",
+	"tools.fs.workspaceOnly": "Restrict filesystem tools to the workspace directory (default: false).",
+	"tools.sessions.visibility": "Controls which sessions can be targeted by sessions_list/sessions_history/sessions_send. (\"tree\" default = current session + spawned subagent sessions; \"self\" = only current; \"agent\" = any session in the current agent id; \"all\" = any session; cross-agent still requires tools.agentToAgent).",
+	"tools.message.allowCrossContextSend": "Legacy override: allow cross-context sends across all providers.",
+	"tools.message.crossContext.allowWithinProvider": "Allow sends to other channels within the same provider (default: true).",
+	"tools.message.crossContext.allowAcrossProviders": "Allow sends across different providers (default: false).",
+	"tools.message.crossContext.marker.enabled": "Add a visible origin marker when sending cross-context (default: true).",
+	"tools.message.crossContext.marker.prefix": "Text prefix for cross-context markers (supports \"{channel}\").",
+	"tools.message.crossContext.marker.suffix": "Text suffix for cross-context markers (supports \"{channel}\").",
+	"tools.message.broadcast.enabled": "Enable broadcast action (default: true).",
+	models: "Model catalog root for provider definitions, merge/replace behavior, and optional Bedrock discovery integration. Keep provider definitions explicit and validated before relying on production failover paths.",
+	"models.mode": "Controls provider catalog behavior: \"merge\" keeps built-ins and overlays your custom providers, while \"replace\" uses only your configured providers. Keep \"merge\" unless you intentionally want a strict custom list.",
+	"models.providers": "Provider map keyed by provider ID containing connection/auth settings and concrete model definitions. Use stable provider keys so references from agents and tooling remain portable across environments.",
+	"models.providers.*.baseUrl": "Base URL for the provider endpoint used to serve model requests for that provider entry. Use HTTPS endpoints and keep URLs environment-specific through config templating where needed.",
+	"models.providers.*.apiKey": "Provider credential used for API-key based authentication when the provider requires direct key auth. Use secret/env substitution and avoid storing real keys in committed config files.",
+	"models.providers.*.auth": "Selects provider auth style: \"api-key\" for API key auth, \"token\" for bearer token auth, \"oauth\" for OAuth credentials, and \"aws-sdk\" for AWS credential resolution. Match this to your provider requirements.",
+	"models.providers.*.api": "Provider API adapter selection controlling request/response compatibility handling for model calls. Use the adapter that matches your upstream provider protocol to avoid feature mismatch.",
+	"models.providers.*.headers": "Static HTTP headers merged into provider requests for tenant routing, proxy auth, or custom gateway requirements. Use this sparingly and keep sensitive header values in secrets.",
+	"models.providers.*.authHeader": "When true, credentials are sent via the HTTP Authorization header even if alternate auth is possible. Use this only when your provider or proxy explicitly requires Authorization forwarding.",
+	"models.providers.*.models": "Declared model list for a provider including identifiers, metadata, and optional compatibility/cost hints. Keep IDs exact to provider catalog values so selection and fallback resolve correctly.",
+	"models.bedrockDiscovery": "Automatic AWS Bedrock model discovery settings used to synthesize provider model entries from account visibility. Keep discovery scoped and refresh intervals conservative to reduce API churn.",
+	"models.bedrockDiscovery.enabled": "Enables periodic Bedrock model discovery and catalog refresh for Bedrock-backed providers. Keep disabled unless Bedrock is actively used and IAM permissions are correctly configured.",
+	"models.bedrockDiscovery.region": "AWS region used for Bedrock discovery calls when discovery is enabled for your deployment. Use the region where your Bedrock models are provisioned to avoid empty discovery results.",
+	"models.bedrockDiscovery.providerFilter": "Optional provider allowlist filter for Bedrock discovery so only selected providers are refreshed. Use this to limit discovery scope in multi-provider environments.",
+	"models.bedrockDiscovery.refreshInterval": "Refresh cadence for Bedrock discovery polling in seconds to detect newly available models over time. Use longer intervals in production to reduce API cost and control-plane noise.",
+	"models.bedrockDiscovery.defaultContextWindow": "Fallback context-window value applied to discovered models when provider metadata lacks explicit limits. Use realistic defaults to avoid oversized prompts that exceed true provider constraints.",
+	"models.bedrockDiscovery.defaultMaxTokens": "Fallback max-token value applied to discovered models without explicit output token limits. Use conservative defaults to reduce truncation surprises and unexpected token spend.",
+	auth: "Authentication profile root used for multi-profile provider credentials and cooldown-based failover ordering. Keep profiles minimal and explicit so automatic failover behavior stays auditable.",
+	"channels.slack.allowBots": "Allow bot-authored messages to trigger Slack replies (default: false).",
+	"channels.slack.thread.historyScope": "Scope for Slack thread history context (\"thread\" isolates per thread; \"channel\" reuses channel history).",
+	"channels.slack.thread.inheritParent": "If true, Slack thread sessions inherit the parent channel transcript (default: false).",
+	"channels.slack.thread.initialHistoryLimit": "Maximum number of existing Slack thread messages to fetch when starting a new thread session (default: 20, set to 0 to disable).",
+	"channels.mattermost.botToken": "Bot token from Mattermost System Console -> Integrations -> Bot Accounts.",
+	"channels.mattermost.baseUrl": "Base URL for your Mattermost server (e.g., https://chat.example.com).",
+	"channels.mattermost.chatmode": "Reply to channel messages on mention (\"oncall\"), on trigger chars (\">\" or \"!\") (\"onchar\"), or on every message (\"onmessage\").",
+	"channels.mattermost.oncharPrefixes": "Trigger prefixes for onchar mode (default: [\">\", \"!\"]).",
+	"channels.mattermost.requireMention": "Require @mention in channels before responding (default: true).",
+	"auth.profiles": "Named auth profiles (provider + mode + optional email).",
+	"auth.order": "Ordered auth profile IDs per provider (used for automatic failover).",
+	"auth.cooldowns": "Cooldown/backoff controls for temporary profile suppression after billing-related failures and retry windows. Use these to prevent rapid re-selection of profiles that are still blocked.",
+	"auth.cooldowns.billingBackoffHours": "Base backoff (hours) when a profile fails due to billing/insufficient credits (default: 5).",
+	"auth.cooldowns.billingBackoffHoursByProvider": "Optional per-provider overrides for billing backoff (hours).",
+	"auth.cooldowns.billingMaxHours": "Cap (hours) for billing backoff (default: 24).",
+	"auth.cooldowns.failureWindowHours": "Failure window (hours) for backoff counters (default: 24).",
+	"agents.defaults.boot": "Boot prompt configuration for gateway startup runs. Set `prompt` for an inline prompt or `file` for a path relative to the workspace directory. If neither is set, boot is skipped.",
+	"agents.defaults.boot.prompt": "Inline boot prompt text. Takes precedence over `file` if both are set.",
+	"agents.defaults.boot.file": "Path to a boot prompt file (relative to workspace directory). Read at runtime on each gateway startup.",
+	"agents.list[].boot": "Per-agent boot prompt override. Same shape as `agents.defaults.boot`.",
+	"agents.list[].boot.prompt": "Per-agent inline boot prompt text.",
+	"agents.list[].boot.file": "Per-agent boot prompt file path (relative to agent workspace directory).",
+	"agents.defaults.bootstrapMaxChars": "Max characters of each workspace bootstrap file injected into the system prompt before truncation (default: 20000).",
+	"agents.defaults.bootstrapTotalMaxChars": "Max total characters across all injected workspace bootstrap files (default: 150000).",
+	"agents.defaults.repoRoot": "Optional repository root shown in the system prompt runtime line (overrides auto-detect).",
+	"agents.defaults.envelopeTimezone": "Timezone for message envelopes (\"utc\", \"local\", \"user\", or an IANA timezone string).",
+	"agents.defaults.envelopeTimestamp": "Include absolute timestamps in message envelopes (\"on\" or \"off\").",
+	"agents.defaults.envelopeElapsed": "Include elapsed time in message envelopes (\"on\" or \"off\").",
+	"agents.defaults.models": "Configured model catalog (keys are full provider/model IDs).",
+	ui: "UI presentation settings for accenting and assistant identity shown in control surfaces. Use this for branding and readability customization without changing runtime behavior.",
+	"ui.seamColor": "Primary accent/seam color used by UI surfaces for emphasis, badges, and visual identity cues. Use high-contrast values that remain readable across light/dark themes.",
+	"ui.assistant": "Assistant display identity settings for name and avatar shown in UI surfaces. Keep these values aligned with your operator-facing persona and support expectations.",
+	"ui.assistant.name": "Display name shown for the assistant in UI views, chat chrome, and status contexts. Keep this stable so operators can reliably identify which assistant persona is active.",
+	"ui.assistant.avatar": "Assistant avatar image source used in UI surfaces (URL, path, or data URI depending on runtime support). Use trusted assets and consistent branding dimensions for clean rendering.",
+	plugins: "Plugin system controls for enabling extensions, constraining load scope, configuring entries, and tracking installs. Keep plugin policy explicit and least-privilege in production environments.",
+	"plugins.enabled": "Enable or disable plugin/extension loading globally during startup and config reload (default: true). Keep enabled only when extension capabilities are required by your deployment.",
+	"plugins.allow": "Optional allowlist of plugin IDs; when set, only listed plugins are eligible to load. Use this to enforce approved extension inventories in controlled environments.",
+	"plugins.deny": "Optional denylist of plugin IDs that are blocked even if allowlists or paths include them. Use deny rules for emergency rollback and hard blocks on risky plugins.",
+	"plugins.load": "Plugin loader configuration group for specifying filesystem paths where plugins are discovered. Keep load paths explicit and reviewed to avoid accidental untrusted extension loading.",
+	"plugins.load.paths": "Additional plugin files or directories scanned by the loader beyond built-in defaults. Use dedicated extension directories and avoid broad paths with unrelated executable content.",
+	"plugins.slots": "Selects which plugins own exclusive runtime slots so only one plugin provides a given capability. Use explicit slot ownership to avoid overlapping providers with conflicting behavior.",
+	"plugins.entries": "Per-plugin settings keyed by plugin ID including enablement and plugin-specific runtime configuration payloads. Use this for scoped plugin tuning without changing global loader policy.",
+	"plugins.entries.*.enabled": "Per-plugin enablement override for a specific entry, applied on top of global plugin policy (restart required). Use this to stage plugin rollout gradually across environments.",
+	"plugins.entries.*.apiKey": "Optional API key field consumed by plugins that accept direct key configuration in entry settings. Use secret/env substitution and avoid committing real credentials into config files.",
+	"plugins.entries.*.env": "Per-plugin environment variable map injected for that plugin runtime context only. Use this to scope provider credentials to one plugin instead of sharing global process environment.",
+	"plugins.entries.*.config": "Plugin-defined configuration payload interpreted by that plugin's own schema and validation rules. Use only documented fields from the plugin to prevent ignored or invalid settings.",
+	"plugins.installs": "CLI-managed install metadata (used by `remoteclaw plugins update` to locate install sources).",
+	"plugins.installs.*.source": "Install source (\"npm\", \"archive\", or \"path\").",
+	"plugins.installs.*.spec": "Original npm spec used for install (if source is npm).",
+	"plugins.installs.*.sourcePath": "Original archive/path used for install (if any).",
+	"plugins.installs.*.installPath": "Resolved install directory (usually ~/.remoteclaw/extensions/<id>).",
+	"plugins.installs.*.version": "Version recorded at install time (if available).",
+	"plugins.installs.*.resolvedName": "Resolved npm package name from the fetched artifact.",
+	"plugins.installs.*.resolvedVersion": "Resolved npm package version from the fetched artifact (useful for non-pinned specs).",
+	"plugins.installs.*.resolvedSpec": "Resolved exact npm spec (<name>@<version>) from the fetched artifact.",
+	"plugins.installs.*.integrity": "Resolved npm dist integrity hash for the fetched artifact (if reported by npm).",
+	"plugins.installs.*.shasum": "Resolved npm dist shasum for the fetched artifact (if reported by npm).",
+	"plugins.installs.*.resolvedAt": "ISO timestamp when npm package metadata was last resolved for this install record.",
+	"plugins.installs.*.installedAt": "ISO timestamp of last install/update.",
+	"agents.list.*.identity.avatar": "Agent avatar (workspace-relative path, http(s) URL, or data URI).",
+	"agents.defaults.model.primary": "Primary model (provider/model).",
+	"agents.defaults.model.fallbacks": "Ordered fallback models (provider/model). Used when the primary model fails.",
+	"agents.defaults.imageModel.primary": "Optional image model (provider/model) used when the primary model lacks image input.",
+	"agents.defaults.imageModel.fallbacks": "Ordered fallback image models (provider/model).",
+	"agents.defaults.imageMaxDimensionPx": "Max image side length in pixels when sanitizing transcript/tool-result image payloads (default: 1200).",
+	"agents.defaults.cliBackends": "Optional CLI backends for text-only fallback (claude-cli, etc.).",
+	"agents.defaults.compaction": "Compaction tuning for when context nears token limits, including history share, reserve headroom, and pre-compaction memory flush behavior. Use this when long-running sessions need stable continuity under tight context windows.",
+	"agents.defaults.compaction.mode": "Compaction strategy mode: \"default\" uses baseline behavior, while \"safeguard\" applies stricter guardrails to preserve recent context. Keep \"default\" unless you observe aggressive history loss near limit boundaries.",
+	"agents.defaults.compaction.reserveTokens": "Token headroom reserved for reply generation and tool output after compaction runs. Use higher reserves for verbose/tool-heavy sessions, and lower reserves when maximizing retained history matters more.",
+	"agents.defaults.compaction.keepRecentTokens": "Minimum token budget preserved from the most recent conversation window during compaction. Use higher values to protect immediate context continuity and lower values to keep more long-tail history.",
+	"agents.defaults.compaction.reserveTokensFloor": "Minimum floor enforced for reserveTokens in Pi compaction paths (0 disables the floor guard). Use a non-zero floor to avoid over-aggressive compression under fluctuating token estimates.",
+	"agents.defaults.compaction.maxHistoryShare": "Maximum fraction of total context budget allowed for retained history after compaction (range 0.1-0.9). Use lower shares for more generation headroom or higher shares for deeper historical continuity.",
+	"agents.defaults.humanDelay.mode": "Delay style for block replies (\"off\", \"natural\", \"custom\").",
+	"agents.defaults.humanDelay.minMs": "Minimum delay in ms for custom humanDelay (default: 800).",
+	"agents.defaults.humanDelay.maxMs": "Maximum delay in ms for custom humanDelay (default: 2500).",
+	commands: "Controls chat command surfaces, owner gating, and elevated command access behavior across providers. Keep defaults unless you need stricter operator controls or broader command availability.",
+	"commands.native": "Registers native slash/menu commands with channels that support command registration (Discord, Slack, Telegram). Keep enabled for discoverability unless you intentionally run text-only command workflows.",
+	"commands.text": "Enables text-command parsing in chat input in addition to native command surfaces where available. Keep this enabled for compatibility across channels that do not support native command registration.",
+	"commands.bash": "Allow bash chat command (`!`; `/bash` alias) to run host shell commands (default: false; requires tools.elevated).",
+	"commands.bashForegroundMs": "How long bash waits before backgrounding (default: 2000; 0 backgrounds immediately).",
+	"commands.config": "Allow /config chat command to read/write config on disk (default: false).",
+	"commands.debug": "Allow /debug chat command for runtime-only overrides (default: false).",
+	"commands.restart": "Allow /restart and gateway restart tool actions (default: true).",
+	"commands.useAccessGroups": "Enforce access-group allowlists/policies for commands.",
+	"commands.ownerAllowFrom": "Explicit owner allowlist for owner-only tools/commands. Use channel-native IDs (optionally prefixed like \"whatsapp:+15551234567\"). '*' is ignored.",
+	"commands.ownerDisplay": "Controls how owner IDs are rendered in the system prompt. Allowed values: raw, hash. Default: raw.",
+	"commands.ownerDisplaySecret": "Optional secret used to HMAC hash owner IDs when ownerDisplay=hash. Prefer env substitution.",
+	"commands.allowFrom": "Defines elevated command allow rules by channel and sender for owner-level command surfaces. Use narrow provider-specific identities so privileged commands are not exposed to broad chat audiences.",
+	session: "Global session routing, reset, delivery policy, and maintenance controls for conversation history behavior. Keep defaults unless you need stricter isolation, retention, or delivery constraints.",
+	"session.scope": "Sets base session grouping strategy: \"per-sender\" isolates by sender and \"global\" shares one session per channel context. Keep \"per-sender\" for safer multi-user behavior unless deliberate shared context is required.",
+	"session.dmScope": "DM session scoping: \"main\" keeps continuity, while \"per-peer\", \"per-channel-peer\", and \"per-account-channel-peer\" increase isolation. Use isolated modes for shared inboxes or multi-account deployments.",
+	"session.identityLinks": "Maps canonical identities to provider-prefixed peer IDs so equivalent users resolve to one DM thread (example: telegram:123456). Use this when the same human appears across multiple channels or accounts.",
+	"session.resetTriggers": "Lists message triggers that force a session reset when matched in inbound content. Use sparingly for explicit reset phrases so context is not dropped unexpectedly during normal conversation.",
+	"session.idleMinutes": "Applies a legacy idle reset window in minutes for session reuse behavior across inactivity gaps. Use this only for compatibility and prefer structured reset policies under session.reset/session.resetByType.",
+	"session.reset": "Defines the default reset policy object used when no type-specific or channel-specific override applies. Set this first, then layer resetByType or resetByChannel only where behavior must differ.",
+	"session.reset.mode": "Selects reset strategy: \"daily\" resets at a configured hour and \"idle\" resets after inactivity windows. Keep one clear mode per policy to avoid surprising context turnover patterns.",
+	"session.reset.atHour": "Sets local-hour boundary (0-23) for daily reset mode so sessions roll over at predictable times. Use with mode=daily and align to operator timezone expectations for human-readable behavior.",
+	"session.reset.idleMinutes": "Sets inactivity window before reset for idle mode and can also act as secondary guard with daily mode. Use larger values to preserve continuity or smaller values for fresher short-lived threads.",
+	"session.resetByType": "Overrides reset behavior by chat type (direct, group, thread) when defaults are not sufficient. Use this when group/thread traffic needs different reset cadence than direct messages.",
+	"session.resetByType.direct": "Defines reset policy for direct chats and supersedes the base session.reset configuration for that type. Use this as the canonical direct-message override instead of the legacy dm alias.",
+	"session.resetByType.dm": "Deprecated alias for direct reset behavior kept for backward compatibility with older configs. Use session.resetByType.direct instead so future tooling and validation remain consistent.",
+	"session.resetByType.group": "Defines reset policy for group chat sessions where continuity and noise patterns differ from DMs. Use shorter idle windows for busy groups if context drift becomes a problem.",
+	"session.resetByType.thread": "Defines reset policy for thread-scoped sessions, including focused channel thread workflows. Use this when thread sessions should expire faster or slower than other chat types.",
+	"session.resetByChannel": "Provides channel-specific reset overrides keyed by provider/channel id for fine-grained behavior control. Use this only when one channel needs exceptional reset behavior beyond type-level policies.",
+	"session.store": "Sets the session storage file path used to persist session records across restarts. Use an explicit path only when you need custom disk layout, backup routing, or mounted-volume storage.",
+	"session.typingIntervalSeconds": "Controls interval for repeated typing indicators while replies are being prepared in typing-capable channels. Increase to reduce chatty updates or decrease for more active typing feedback.",
+	"session.typingMode": "Controls typing behavior timing: \"never\", \"instant\", \"thinking\", or \"message\" based emission points. Keep conservative modes in high-volume channels to avoid unnecessary typing noise.",
+	"session.mainKey": "Overrides the canonical main session key used for continuity when dmScope or routing logic points to \"main\". Use a stable value only if you intentionally need custom session anchoring.",
+	"session.sendPolicy": "Controls cross-session send permissions using allow/deny rules evaluated against channel, chatType, and key prefixes. Use this to fence where session tools can deliver messages in complex environments.",
+	"session.sendPolicy.default": "Sets fallback action when no sendPolicy rule matches: \"allow\" or \"deny\". Keep \"allow\" for simpler setups, or choose \"deny\" when you require explicit allow rules for every destination.",
+	"session.sendPolicy.rules": "Ordered allow/deny rules evaluated before the default action, for example `{ action: \"deny\", match: { channel: \"discord\" } }`. Put most specific rules first so broad rules do not shadow exceptions.",
+	"session.sendPolicy.rules[].action": "Defines rule decision as \"allow\" or \"deny\" when the corresponding match criteria are satisfied. Use deny-first ordering when enforcing strict boundaries with explicit allow exceptions.",
+	"session.sendPolicy.rules[].match": "Defines optional rule match conditions that can combine channel, chatType, and key-prefix constraints. Keep matches narrow so policy intent stays readable and debugging remains straightforward.",
+	"session.sendPolicy.rules[].match.channel": "Matches rule application to a specific channel/provider id (for example discord, telegram, slack). Use this when one channel should permit or deny delivery independently of others.",
+	"session.sendPolicy.rules[].match.chatType": "Matches rule application to chat type (direct, group, thread) so behavior varies by conversation form. Use this when DM and group destinations require different safety boundaries.",
+	"session.sendPolicy.rules[].match.keyPrefix": "Matches a normalized session-key prefix after internal key normalization steps in policy consumers. Use this for general prefix controls, and prefer rawKeyPrefix when exact full-key matching is required.",
+	"session.sendPolicy.rules[].match.rawKeyPrefix": "Matches the raw, unnormalized session-key prefix for exact full-key policy targeting. Use this when normalized keyPrefix is too broad and you need agent-prefixed or transport-specific precision.",
+	"session.agentToAgent": "Groups controls for inter-agent session exchanges, including loop prevention limits on reply chaining. Keep defaults unless you run advanced agent-to-agent automation with strict turn caps.",
+	"session.agentToAgent.maxPingPongTurns": "Max reply-back turns between requester and target agents during agent-to-agent exchanges (0-5). Use lower values to hard-limit chatter loops and preserve predictable run completion.",
+	"session.threadBindings": "Shared defaults for thread-bound session routing behavior across providers that support thread focus workflows. Configure global defaults here and override per channel only when behavior differs.",
+	"session.threadBindings.enabled": "Global master switch for thread-bound session routing features and focused thread delivery behavior. Keep enabled for modern thread workflows unless you need to disable thread binding globally.",
+	"session.threadBindings.ttlHours": "Default auto-unfocus TTL in hours for thread-bound sessions across providers/channels (0 disables). Keep 24h-like values for practical focus windows unless your team needs longer-lived thread binding.",
+	"session.maintenance": "Automatic session-store maintenance controls for pruning age, entry caps, and file rotation behavior. Start in warn mode to observe impact, then enforce once thresholds are tuned.",
+	"session.maintenance.mode": "Determines whether maintenance policies are only reported (\"warn\") or actively applied (\"enforce\"). Keep \"warn\" during rollout and switch to \"enforce\" after validating safe thresholds.",
+	"session.maintenance.pruneAfter": "Removes entries older than this duration (for example `30d` or `12h`) during maintenance passes. Use this as the primary age-retention control and align it with data retention policy.",
+	"session.maintenance.pruneDays": "Deprecated age-retention field kept for compatibility with legacy configs using day counts. Use session.maintenance.pruneAfter instead so duration syntax and behavior are consistent.",
+	"session.maintenance.maxEntries": "Caps total session entry count retained in the store to prevent unbounded growth over time. Use lower limits for constrained environments, or higher limits when longer history is required.",
+	"session.maintenance.rotateBytes": "Rotates the session store when file size exceeds a threshold such as `10mb` or `1gb`. Use this to bound single-file growth and keep backup/restore operations manageable.",
+	"session.maintenance.resetArchiveRetention": "Retention for reset transcript archives (`*.reset.<timestamp>`). Accepts a duration (for example `30d`), or `false` to disable cleanup. Defaults to pruneAfter so reset artifacts do not grow forever.",
+	"session.maintenance.maxDiskBytes": "Optional per-agent sessions-directory disk budget (for example `500mb`). Use this to cap session storage per agent; when exceeded, warn mode reports pressure and enforce mode performs oldest-first cleanup.",
+	"session.maintenance.highWaterBytes": "Target size after disk-budget cleanup (high-water mark). Defaults to 80% of maxDiskBytes; set explicitly for tighter reclaim behavior on constrained disks.",
+	cron: "Global scheduler settings for stored cron jobs, run concurrency, delivery fallback, and run-session retention. Keep defaults unless you are scaling job volume or integrating external webhook receivers.",
+	"cron.enabled": "Enables cron job execution for stored schedules managed by the gateway. Keep enabled for normal reminder/automation flows, and disable only to pause all cron execution without deleting jobs.",
+	"cron.store": "Path to the cron job store file used to persist scheduled jobs across restarts. Set an explicit path only when you need custom storage layout, backups, or mounted volumes.",
+	"cron.maxConcurrentRuns": "Limits how many cron jobs can execute at the same time when multiple schedules fire together. Use lower values to protect CPU/memory under heavy automation load, or raise carefully for higher throughput.",
+	"cron.webhook": "Deprecated legacy fallback webhook URL used only for old jobs with `notify=true`. Migrate to per-job delivery using `delivery.mode=\"webhook\"` plus `delivery.to`, and avoid relying on this global field.",
+	"cron.webhookToken": "Bearer token attached to cron webhook POST deliveries when webhook mode is used. Prefer secret/env substitution and rotate this token regularly if shared webhook endpoints are internet-reachable.",
+	"cron.sessionRetention": "Controls how long completed cron run sessions are kept before pruning (`24h`, `7d`, `1h30m`, or `false` to disable pruning; default: `24h`). Use shorter retention to reduce storage growth on high-frequency schedules.",
+	"cron.runLog": "Pruning controls for per-job cron run history files under `cron/runs/<jobId>.jsonl`, including size and line retention.",
+	"cron.runLog.maxBytes": "Maximum bytes per cron run-log file before pruning rewrites to the last keepLines entries (for example `2mb`, default `2000000`).",
+	"cron.runLog.keepLines": "How many trailing run-log lines to retain when a file exceeds maxBytes (default `2000`). Increase for longer forensic history or lower for smaller disks.",
+	hooks: "Inbound webhook automation surface for mapping external events into wake or agent actions in RemoteClaw. Keep this locked down with explicit token/session/agent controls before exposing it beyond trusted networks.",
+	"hooks.enabled": "Enables the hooks endpoint and mapping execution pipeline for inbound webhook requests. Keep disabled unless you are actively routing external events into the gateway.",
+	"hooks.path": "HTTP path used by the hooks endpoint (for example `/hooks`) on the gateway control server. Use a non-guessable path and combine it with token validation for defense in depth.",
+	"hooks.token": "Shared bearer token checked by hooks ingress for request authentication before mappings run. Use environment substitution and rotate regularly when webhook endpoints are internet-accessible.",
+	"hooks.defaultSessionKey": "Fallback session key used for hook deliveries when a request does not provide one through allowed channels. Use a stable but scoped key to avoid mixing unrelated automation conversations.",
+	"hooks.allowRequestSessionKey": "Allows callers to supply a session key in hook requests when true, enabling caller-controlled routing. Keep false unless trusted integrators explicitly need custom session threading.",
+	"hooks.allowedSessionKeyPrefixes": "Allowlist of accepted session-key prefixes for inbound hook requests when caller-provided keys are enabled. Use narrow prefixes to prevent arbitrary session-key injection.",
+	"hooks.allowedAgentIds": "Allowlist of agent IDs that hook mappings are allowed to target when selecting execution agents. Use this to constrain automation events to dedicated service agents.",
+	"hooks.maxBodyBytes": "Maximum accepted webhook payload size in bytes before the request is rejected. Keep this bounded to reduce abuse risk and protect memory usage under bursty integrations.",
+	"hooks.presets": "Named hook preset bundles applied at load time to seed standard mappings and behavior defaults. Keep preset usage explicit so operators can audit which automations are active.",
+	"hooks.transformsDir": "Base directory for hook transform modules referenced by mapping transform.module paths. Use a controlled repo directory so dynamic imports remain reviewable and predictable.",
+	"hooks.mappings": "Ordered mapping rules that match inbound hook requests and choose wake or agent actions with optional delivery routing. Use specific mappings first to avoid broad pattern rules capturing everything.",
+	"hooks.mappings[].id": "Optional stable identifier for a hook mapping entry used for auditing, troubleshooting, and targeted updates. Use unique IDs so logs and config diffs can reference mappings unambiguously.",
+	"hooks.mappings[].match": "Grouping object for mapping match predicates such as path and source before action routing is applied. Keep match criteria specific so unrelated webhook traffic does not trigger automations.",
+	"hooks.mappings[].match.path": "Path match condition for a hook mapping, usually compared against the inbound request path. Use this to split automation behavior by webhook endpoint path families.",
+	"hooks.mappings[].match.source": "Source match condition for a hook mapping, typically set by trusted upstream metadata or adapter logic. Use stable source identifiers so routing remains deterministic across retries.",
+	"hooks.mappings[].action": "Mapping action type: \"wake\" triggers agent wake flow, while \"agent\" sends directly to agent handling. Use \"agent\" for immediate execution and \"wake\" when heartbeat-driven processing is preferred.",
+	"hooks.mappings[].wakeMode": "Wake scheduling mode: \"now\" wakes immediately, while \"next-heartbeat\" defers until the next heartbeat cycle. Use deferred mode for lower-priority automations that can tolerate slight delay.",
+	"hooks.mappings[].name": "Human-readable mapping display name used in diagnostics and operator-facing config UIs. Keep names concise and descriptive so routing intent is obvious during incident review.",
+	"hooks.mappings[].agentId": "Target agent ID for mapping execution when action routing should not use defaults. Use dedicated automation agents to isolate webhook behavior from interactive operator sessions.",
+	"hooks.mappings[].sessionKey": "Explicit session key override for mapping-delivered messages to control thread continuity. Use stable scoped keys so repeated events correlate without leaking into unrelated conversations.",
+	"hooks.mappings[].messageTemplate": "Template for synthesizing structured mapping input into the final message content sent to the target action path. Keep templates deterministic so downstream parsing and behavior remain stable.",
+	"hooks.mappings[].textTemplate": "Text-only fallback template used when rich payload rendering is not desired or not supported. Use this to provide a concise, consistent summary string for chat delivery surfaces.",
+	"hooks.mappings[].deliver": "Controls whether mapping execution results are delivered back to a channel destination versus being processed silently. Disable delivery for background automations that should not post user-facing output.",
+	"hooks.mappings[].allowUnsafeExternalContent": "When true, mapping content may include less-sanitized external payload data in generated messages. Keep false by default and enable only for trusted sources with reviewed transform logic.",
+	"hooks.mappings[].channel": "Delivery channel override for mapping outputs (for example \"last\", \"telegram\", \"discord\", \"slack\", \"signal\", \"imessage\", or \"msteams\"). Keep channel overrides explicit to avoid accidental cross-channel sends.",
+	"hooks.mappings[].to": "Destination identifier inside the selected channel when mapping replies should route to a fixed target. Verify provider-specific destination formats before enabling production mappings.",
+	"hooks.mappings[].model": "Optional model override for mapping-triggered runs when automation should use a different model than agent defaults. Use this sparingly so behavior remains predictable across mapping executions.",
+	"hooks.mappings[].thinking": "Optional thinking-effort override for mapping-triggered runs to tune latency versus reasoning depth. Keep low or minimal for high-volume hooks unless deeper reasoning is clearly required.",
+	"hooks.mappings[].timeoutSeconds": "Maximum runtime allowed for mapping action execution before timeout handling applies. Use tighter limits for high-volume webhook sources to prevent queue pileups.",
+	"hooks.mappings[].transform": "Transform configuration block defining module/export preprocessing before mapping action handling. Use transforms only from reviewed code paths and keep behavior deterministic for repeatable automation.",
+	"hooks.mappings[].transform.module": "Relative transform module path loaded from hooks.transformsDir to rewrite incoming payloads before delivery. Keep modules local, reviewed, and free of path traversal patterns.",
+	"hooks.mappings[].transform.export": "Named export to invoke from the transform module; defaults to module default export when omitted. Set this when one file hosts multiple transform handlers.",
+	"hooks.gmail": "Gmail push integration settings used for Pub/Sub notifications and optional local callback serving. Keep this scoped to dedicated Gmail automation accounts where possible.",
+	"hooks.gmail.account": "Google account identifier used for Gmail watch/subscription operations in this hook integration. Use a dedicated automation mailbox account to isolate operational permissions.",
+	"hooks.gmail.label": "Optional Gmail label filter limiting which labeled messages trigger hook events. Keep filters narrow to avoid flooding automations with unrelated inbox traffic.",
+	"hooks.gmail.topic": "Google Pub/Sub topic name used by Gmail watch to publish change notifications for this account. Ensure the topic IAM grants Gmail publish access before enabling watches.",
+	"hooks.gmail.subscription": "Pub/Sub subscription consumed by the gateway to receive Gmail change notifications from the configured topic. Keep subscription ownership clear so multiple consumers do not race unexpectedly.",
+	"hooks.gmail.hookUrl": "Public callback URL Gmail or intermediaries invoke to deliver notifications into this hook pipeline. Keep this URL protected with token validation and restricted network exposure.",
+	"hooks.gmail.includeBody": "When true, fetch and include email body content for downstream mapping/agent processing. Keep false unless body text is required, because this increases payload size and sensitivity.",
+	"hooks.gmail.allowUnsafeExternalContent": "Allows less-sanitized external Gmail content to pass into processing when enabled. Keep disabled for safer defaults, and enable only for trusted mail streams with controlled transforms.",
+	"hooks.gmail.serve": "Local callback server settings block for directly receiving Gmail notifications without a separate ingress layer. Enable only when this process should terminate webhook traffic itself.",
+	"hooks.gmail.pushToken": "Shared secret token required on Gmail push hook callbacks before processing notifications. Use env substitution and rotate if callback endpoints are exposed externally.",
+	"hooks.gmail.maxBytes": "Maximum Gmail payload bytes processed per event when includeBody is enabled. Keep conservative limits to reduce oversized message processing cost and risk.",
+	"hooks.gmail.renewEveryMinutes": "Renewal cadence in minutes for Gmail watch subscriptions to prevent expiration. Set below provider expiration windows and monitor renew failures in logs.",
+	"hooks.gmail.serve.bind": "Bind address for the local Gmail callback HTTP server used when serving hooks directly. Keep loopback-only unless external ingress is intentionally required.",
+	"hooks.gmail.serve.port": "Port for the local Gmail callback HTTP server when serve mode is enabled. Use a dedicated port to avoid collisions with gateway/control interfaces.",
+	"hooks.gmail.serve.path": "HTTP path on the local Gmail callback server where push notifications are accepted. Keep this consistent with subscription configuration to avoid dropped events.",
+	"hooks.gmail.tailscale.mode": "Tailscale exposure mode for Gmail callbacks: \"off\", \"serve\", or \"funnel\". Use \"serve\" for private tailnet delivery and \"funnel\" only when public internet ingress is required.",
+	"hooks.gmail.tailscale": "Tailscale exposure configuration block for publishing Gmail callbacks through Serve/Funnel routes. Use private tailnet modes before enabling any public ingress path.",
+	"hooks.gmail.tailscale.path": "Path published by Tailscale Serve/Funnel for Gmail callback forwarding when enabled. Keep it aligned with Gmail webhook config so requests reach the expected handler.",
+	"hooks.gmail.tailscale.target": "Local service target forwarded by Tailscale Serve/Funnel (for example http://127.0.0.1:8787). Use explicit loopback targets to avoid ambiguous routing.",
+	"hooks.gmail.model": "Optional model override for Gmail-triggered runs when mailbox automations should use dedicated model behavior. Keep unset to inherit agent defaults unless mailbox tasks need specialization.",
+	"hooks.gmail.thinking": "Thinking effort override for Gmail-driven agent runs: \"off\", \"minimal\", \"low\", \"medium\", or \"high\". Keep modest defaults for routine inbox automations to control cost and latency.",
+	"hooks.internal": "Internal hook runtime settings for bundled/custom event handlers loaded from module paths. Use this for trusted in-process automations and keep handler loading tightly scoped.",
+	"hooks.internal.enabled": "Enables processing for internal hook handlers and configured entries in the internal hook runtime. Keep disabled unless internal hook handlers are intentionally configured.",
+	"hooks.internal.handlers": "List of internal event handlers mapping event names to modules and optional exports. Keep handler definitions explicit so event-to-code routing is auditable.",
+	"hooks.internal.handlers[].event": "Internal event name that triggers this handler module when emitted by the runtime. Use stable event naming conventions to avoid accidental overlap across handlers.",
+	"hooks.internal.handlers[].module": "Safe relative module path for the internal hook handler implementation loaded at runtime. Keep module files in reviewed directories and avoid dynamic path composition.",
+	"hooks.internal.handlers[].export": "Optional named export for the internal hook handler function when module default export is not used. Set this when one module ships multiple handler entrypoints.",
+	"hooks.internal.entries": "Configured internal hook entry records used to register concrete runtime handlers and metadata. Keep entries explicit and versioned so production behavior is auditable.",
+	"hooks.internal.load": "Internal hook loader settings controlling where handler modules are discovered at startup. Use constrained load roots to reduce accidental module conflicts or shadowing.",
+	"hooks.internal.load.extraDirs": "Additional directories searched for internal hook modules beyond default load paths. Keep this minimal and controlled to reduce accidental module shadowing.",
+	"hooks.internal.installs": "Install metadata for internal hook modules, including source and resolved artifacts for repeatable deployments. Use this as operational provenance and avoid manual drift edits.",
+	messages: "Message formatting, acknowledgment, queueing, debounce, and status reaction behavior for inbound/outbound chat flows. Use this section when channel responsiveness or message UX needs adjustment.",
+	"messages.messagePrefix": "Prefix text prepended to inbound user messages before they are handed to the agent runtime. Use this sparingly for channel context markers and keep it stable across sessions.",
+	"messages.responsePrefix": "Prefix text prepended to outbound assistant replies before sending to channels. Use for lightweight branding/context tags and avoid long prefixes that reduce content density.",
+	"messages.groupChat": "Group-message handling controls including mention triggers and history window sizing. Keep mention patterns narrow so group channels do not trigger on every message.",
+	"messages.groupChat.mentionPatterns": "Regex-like patterns used to detect explicit mentions/trigger phrases in group chats. Use precise patterns to reduce false positives in high-volume channels.",
+	"messages.groupChat.historyLimit": "Maximum number of prior group messages loaded as context per turn for group sessions. Use higher values for richer continuity, or lower values for faster and cheaper responses.",
+	"messages.queue": "Inbound message queue strategy used to buffer bursts before processing turns. Tune this for busy channels where sequential processing or batching behavior matters.",
+	"messages.queue.mode": "Queue behavior mode: \"steer\", \"followup\", \"collect\", \"steer-backlog\", \"steer+backlog\", \"queue\", or \"interrupt\". Keep conservative modes unless you intentionally need aggressive interruption/backlog semantics.",
+	"messages.queue.byChannel": "Per-channel queue mode overrides keyed by provider id (for example telegram, discord, slack). Use this when one channel’s traffic pattern needs different queue behavior than global defaults.",
+	"messages.queue.debounceMs": "Global queue debounce window in milliseconds before processing buffered inbound messages. Use higher values to coalesce rapid bursts, or lower values for reduced response latency.",
+	"messages.queue.debounceMsByChannel": "Per-channel debounce overrides for queue behavior keyed by provider id. Use this to tune burst handling independently for chat surfaces with different pacing.",
+	"messages.queue.cap": "Maximum number of queued inbound items retained before drop policy applies. Keep caps bounded in noisy channels so memory usage remains predictable.",
+	"messages.queue.drop": "Drop strategy when queue cap is exceeded: \"old\", \"new\", or \"summarize\". Use summarize when preserving intent matters, or old/new when deterministic dropping is preferred.",
+	"messages.inbound": "Direct inbound debounce settings used before queue/turn processing starts. Configure this for provider-specific rapid message bursts from the same sender.",
+	"messages.inbound.byChannel": "Per-channel inbound debounce overrides keyed by provider id in milliseconds. Use this where some providers send message fragments more aggressively than others.",
+	"messages.removeAckAfterReply": "Removes the acknowledgment reaction after final reply delivery when enabled. Keep enabled for cleaner UX in channels where persistent ack reactions create clutter.",
+	"messages.tts": "Text-to-speech policy for reading agent replies aloud on supported voice or audio surfaces. Keep disabled unless voice playback is part of your operator/user workflow.",
+	channels: "Channel provider configurations plus shared defaults that control access policies, heartbeat visibility, and per-surface behavior. Keep defaults centralized and override per provider only where required.",
+	"channels.telegram": "Telegram channel provider configuration including auth tokens, retry behavior, and message rendering controls. Use this section to tune bot behavior for Telegram-specific API semantics.",
+	"channels.slack": "Slack channel provider configuration for bot/app tokens, streaming behavior, and DM policy controls. Keep token handling and thread behavior explicit to avoid noisy workspace interactions.",
+	"channels.discord": "Discord channel provider configuration for bot auth, retry policy, streaming, thread bindings, and optional voice capabilities. Keep privileged intents and advanced features disabled unless needed.",
+	"channels.whatsapp": "WhatsApp channel provider configuration for access policy and message batching behavior. Use this section to tune responsiveness and direct-message routing safety for WhatsApp chats.",
+	"channels.signal": "Signal channel provider configuration including account identity and DM policy behavior. Keep account mapping explicit so routing remains stable across multi-device setups.",
+	"channels.imessage": "iMessage channel provider configuration for CLI integration and DM access policy handling. Use explicit CLI paths when runtime environments have non-standard binary locations.",
+	"channels.bluebubbles": "BlueBubbles channel provider configuration used for Apple messaging bridge integrations. Keep DM policy aligned with your trusted sender model in shared deployments.",
+	"channels.msteams": "Microsoft Teams channel provider configuration and provider-specific policy toggles. Use this section to isolate Teams behavior from other enterprise chat providers.",
+	"channels.mattermost": "Mattermost channel provider configuration for bot credentials, base URL, and message trigger modes. Keep mention/trigger rules strict in high-volume team channels.",
+	"channels.irc": "IRC channel provider configuration and compatibility settings for classic IRC transport workflows. Use this section when bridging legacy chat infrastructure into RemoteClaw.",
+	"channels.defaults": "Default channel behavior applied across providers when provider-specific settings are not set. Use this to enforce consistent baseline policy before per-provider tuning.",
+	"channels.defaults.groupPolicy": "Default group policy across channels: \"open\", \"disabled\", or \"allowlist\". Keep \"allowlist\" for safer production setups unless broad group participation is intentional.",
+	"channels.defaults.heartbeat": "Default heartbeat visibility settings for status messages emitted by providers/channels. Tune this globally to reduce noisy healthy-state updates while keeping alerts visible.",
+	"channels.defaults.heartbeat.showOk": "Shows healthy/OK heartbeat status entries when true in channel status outputs. Keep false in noisy environments and enable only when operators need explicit healthy confirmations.",
+	"channels.defaults.heartbeat.showAlerts": "Shows degraded/error heartbeat alerts when true so operator channels surface problems promptly. Keep enabled in production so broken channel states are visible.",
+	"channels.defaults.heartbeat.useIndicator": "Enables concise indicator-style heartbeat rendering instead of verbose status text where supported. Use indicator mode for dense dashboards with many active channels.",
+	"channels.telegram.configWrites": "Allow Telegram to write config in response to channel events/commands (default: true).",
+	"channels.telegram.botToken": "Telegram bot token used to authenticate Bot API requests for this account/provider config. Use secret/env substitution and rotate tokens if exposure is suspected.",
+	"channels.telegram.capabilities.inlineButtons": "Enable Telegram inline button components for supported command and interaction surfaces. Disable if your deployment needs plain-text-only compatibility behavior.",
+	"channels.slack.configWrites": "Allow Slack to write config in response to channel events/commands (default: true).",
+	"channels.slack.botToken": "Slack bot token used for standard chat actions in the configured workspace. Keep this credential scoped and rotate if workspace app permissions change.",
+	"channels.slack.appToken": "Slack app-level token used for Socket Mode connections and event transport when enabled. Use least-privilege app scopes and store this token as a secret.",
+	"channels.slack.userToken": "Optional Slack user token for workflows requiring user-context API access beyond bot permissions. Use sparingly and audit scopes because this token can carry broader authority.",
+	"channels.slack.userTokenReadOnly": "When true, treat configured Slack user token usage as read-only helper behavior where possible. Keep enabled if you only need supplemental reads without user-context writes.",
+	"channels.mattermost.configWrites": "Allow Mattermost to write config in response to channel events/commands (default: true).",
+	"channels.discord.configWrites": "Allow Discord to write config in response to channel events/commands (default: true).",
+	"channels.discord.token": "Discord bot token used for gateway and REST API authentication for this provider account. Keep this secret out of committed config and rotate immediately after any leak.",
+	"channels.discord.proxy": "Proxy URL for Discord gateway + API requests (app-id lookup and allowlist resolution). Set per account via channels.discord.accounts.<id>.proxy.",
+	"channels.whatsapp.configWrites": "Allow WhatsApp to write config in response to channel events/commands (default: true).",
+	"channels.signal.configWrites": "Allow Signal to write config in response to channel events/commands (default: true).",
+	"channels.signal.account": "Signal account identifier (phone/number handle) used to bind this channel config to a specific Signal identity. Keep this aligned with your linked device/session state.",
+	"channels.imessage.configWrites": "Allow iMessage to write config in response to channel events/commands (default: true).",
+	"channels.imessage.cliPath": "Filesystem path to the iMessage bridge CLI binary used for send/receive operations. Set explicitly when the binary is not on PATH in service runtime environments.",
+	"channels.msteams.configWrites": "Allow Microsoft Teams to write config in response to channel events/commands (default: true).",
+	"channels.modelByChannel": "Map provider -> channel id -> model override (values are provider/model or aliases).",
+	...IRC_FIELD_HELP,
+	"channels.discord.commands.native": "Override native commands for Discord (bool or \"auto\").",
+	"channels.telegram.commands.native": "Override native commands for Telegram (bool or \"auto\").",
+	"channels.slack.commands.native": "Override native commands for Slack (bool or \"auto\").",
+	"channels.slack.streaming": "Unified Slack stream preview mode: \"off\" | \"partial\" | \"block\" | \"progress\". Legacy boolean/streamMode keys are auto-mapped.",
+	"channels.slack.nativeStreaming": "Enable native Slack text streaming (chat.startStream/chat.appendStream/chat.stopStream) when channels.slack.streaming is partial (default: true).",
+	"channels.slack.streamMode": "Legacy Slack preview mode alias (replace | status_final | append); auto-migrated to channels.slack.streaming.",
+	"channels.telegram.customCommands": "Additional Telegram bot menu commands (merged with native; conflicts ignored).",
+	"messages.suppressToolErrors": "When true, suppress ⚠️ tool-error warnings from being shown to the user. The agent already sees errors in context and can retry. Default: false.",
+	"messages.ackReaction": "Emoji reaction used to acknowledge inbound messages (empty disables).",
+	"messages.ackReactionScope": "When to send ack reactions (\"group-mentions\", \"group-all\", \"direct\", \"all\").",
+	"messages.statusReactions": "Lifecycle status reactions that update the emoji on the trigger message as the agent progresses (queued → thinking → tool → done/error).",
+	"messages.statusReactions.enabled": "Enable lifecycle status reactions for Telegram. When enabled, the ack reaction becomes the initial 'queued' state and progresses through thinking, tool, done/error automatically. Default: false.",
+	"messages.statusReactions.emojis": "Override default status reaction emojis. Keys: thinking, tool, coding, web, done, error, stallSoft, stallHard. Must be valid Telegram reaction emojis.",
+	"messages.statusReactions.timing": "Override default timing. Keys: debounceMs (700), stallSoftMs (25000), stallHardMs (60000), doneHoldMs (1500), errorHoldMs (2500).",
+	"messages.inbound.debounceMs": "Debounce window (ms) for batching rapid inbound messages from the same sender (0 to disable).",
+	"channels.telegram.dmPolicy": "Direct message access control (\"pairing\" recommended). \"open\" requires channels.telegram.allowFrom=[\"*\"].",
+	"channels.telegram.streaming": "Unified Telegram stream preview mode: \"off\" | \"partial\" | \"block\" | \"progress\". \"progress\" maps to \"partial\" on Telegram. Legacy boolean/streamMode keys are auto-mapped.",
+	"channels.discord.streaming": "Unified Discord stream preview mode: \"off\" | \"partial\" | \"block\" | \"progress\". \"progress\" maps to \"partial\" on Discord. Legacy boolean/streamMode keys are auto-mapped.",
+	"channels.discord.streamMode": "Legacy Discord preview mode alias (off | partial | block); auto-migrated to channels.discord.streaming.",
+	"channels.discord.draftChunk.minChars": "Minimum chars before emitting a Discord stream preview update when channels.discord.streaming=\"block\" (default: 200).",
+	"channels.discord.draftChunk.maxChars": "Target max size for a Discord stream preview chunk when channels.discord.streaming=\"block\" (default: 800; clamped to channels.discord.textChunkLimit).",
+	"channels.discord.draftChunk.breakPreference": "Preferred breakpoints for Discord draft chunks (paragraph | newline | sentence). Default: paragraph.",
+	"channels.telegram.retry.attempts": "Max retry attempts for outbound Telegram API calls (default: 3).",
+	"channels.telegram.retry.minDelayMs": "Minimum retry delay in ms for Telegram outbound calls.",
+	"channels.telegram.retry.maxDelayMs": "Maximum retry delay cap in ms for Telegram outbound calls.",
+	"channels.telegram.retry.jitter": "Jitter factor (0-1) applied to Telegram retry delays.",
+	"channels.telegram.network.autoSelectFamily": "Override Node autoSelectFamily for Telegram (true=enable, false=disable).",
+	"channels.telegram.timeoutSeconds": "Max seconds before Telegram API requests are aborted (default: 500 per grammY).",
+	"channels.whatsapp.dmPolicy": "Direct message access control (\"pairing\" recommended). \"open\" requires channels.whatsapp.allowFrom=[\"*\"].",
+	"channels.whatsapp.selfChatMode": "Same-phone setup (bot uses your personal WhatsApp number).",
+	"channels.whatsapp.debounceMs": "Debounce window (ms) for batching rapid consecutive messages from the same sender (0 to disable).",
+	"channels.signal.dmPolicy": "Direct message access control (\"pairing\" recommended). \"open\" requires channels.signal.allowFrom=[\"*\"].",
+	"channels.imessage.dmPolicy": "Direct message access control (\"pairing\" recommended). \"open\" requires channels.imessage.allowFrom=[\"*\"].",
+	"channels.bluebubbles.dmPolicy": "Direct message access control (\"pairing\" recommended). \"open\" requires channels.bluebubbles.allowFrom=[\"*\"].",
+	"channels.discord.dmPolicy": "Direct message access control (\"pairing\" recommended). \"open\" requires channels.discord.allowFrom=[\"*\"].",
+	"channels.discord.dm.policy": "Direct message access control (\"pairing\" recommended). \"open\" requires channels.discord.allowFrom=[\"*\"] (legacy: channels.discord.dm.allowFrom).",
+	"channels.discord.retry.attempts": "Max retry attempts for outbound Discord API calls (default: 3).",
+	"channels.discord.retry.minDelayMs": "Minimum retry delay in ms for Discord outbound calls.",
+	"channels.discord.retry.maxDelayMs": "Maximum retry delay cap in ms for Discord outbound calls.",
+	"channels.discord.retry.jitter": "Jitter factor (0-1) applied to Discord retry delays.",
+	"channels.discord.maxLinesPerMessage": "Soft max line count per Discord message (default: 17).",
+	"channels.discord.threadBindings.enabled": "Enable Discord thread binding features (/focus, bound-thread routing/delivery, and thread-bound subagent sessions). Overrides session.threadBindings.enabled when set.",
+	"channels.discord.threadBindings.ttlHours": "Auto-unfocus TTL in hours for Discord thread-bound sessions (/focus and spawned thread sessions). Set 0 to disable (default: 24). Overrides session.threadBindings.ttlHours when set.",
+	"channels.discord.threadBindings.spawnSubagentSessions": "Allow subagent spawns with thread=true to auto-create and bind Discord threads (default: false; opt-in). Set true to enable thread-bound subagent spawns for this account/channel.",
+	"channels.discord.ui.components.accentColor": "Accent color for Discord component containers (hex). Set per account via channels.discord.accounts.<id>.ui.components.accentColor.",
+	"channels.discord.voice.enabled": "Enable Discord voice channel conversations (default: true). Omit channels.discord.voice to keep voice support disabled for the account.",
+	"channels.discord.voice.autoJoin": "Voice channels to auto-join on startup (list of guildId/channelId entries).",
+	"channels.discord.voice.daveEncryption": "Toggle DAVE end-to-end encryption for Discord voice joins (default: true in @discordjs/voice; Discord may require this).",
+	"channels.discord.voice.decryptionFailureTolerance": "Consecutive decrypt failures before DAVE attempts session recovery (passed to @discordjs/voice; default: 24).",
+	"channels.discord.voice.tts": "Optional TTS overrides for Discord voice playback (merged with messages.tts).",
+	"channels.discord.intents.presence": "Enable the Guild Presences privileged intent. Must also be enabled in the Discord Developer Portal. Allows tracking user activities (e.g. Spotify). Default: false.",
+	"channels.discord.intents.guildMembers": "Enable the Guild Members privileged intent. Must also be enabled in the Discord Developer Portal. Default: false.",
+	"channels.discord.pluralkit.enabled": "Resolve PluralKit proxied messages and treat system members as distinct senders.",
+	"channels.discord.pluralkit.token": "Optional PluralKit token for resolving private systems or members.",
+	"channels.discord.activity": "Discord presence activity text (defaults to custom status).",
+	"channels.discord.status": "Discord presence status (online, dnd, idle, invisible).",
+	"channels.discord.activityType": "Discord presence activity type (0=Playing,1=Streaming,2=Listening,3=Watching,4=Custom,5=Competing).",
+	"channels.discord.activityUrl": "Discord presence streaming URL (required for activityType=1).",
+	"channels.slack.dm.policy": "Direct message access control (\"pairing\" recommended). \"open\" requires channels.slack.allowFrom=[\"*\"] (legacy: channels.slack.dm.allowFrom).",
+	"channels.slack.dmPolicy": "Direct message access control (\"pairing\" recommended). \"open\" requires channels.slack.allowFrom=[\"*\"]."
+};
+
+//#endregion
+//#region src/config/schema.labels.ts
+const FIELD_LABELS = {
+	meta: "Metadata",
+	"meta.lastTouchedVersion": "Config Last Touched Version",
+	"meta.lastTouchedAt": "Config Last Touched At",
+	env: "Environment",
+	"env.shellEnv": "Shell Environment Import",
+	"env.shellEnv.enabled": "Shell Environment Import Enabled",
+	"env.shellEnv.timeoutMs": "Shell Environment Import Timeout (ms)",
+	"env.vars": "Environment Variable Overrides",
+	wizard: "Setup Wizard State",
+	"wizard.lastRunAt": "Wizard Last Run Timestamp",
+	"wizard.lastRunVersion": "Wizard Last Run Version",
+	"wizard.lastRunCommit": "Wizard Last Run Commit",
+	"wizard.lastRunCommand": "Wizard Last Run Command",
+	"wizard.lastRunMode": "Wizard Last Run Mode",
+	diagnostics: "Diagnostics",
+	"diagnostics.otel": "OpenTelemetry",
+	"diagnostics.cacheTrace": "Cache Trace",
+	logging: "Logging",
+	"logging.level": "Log Level",
+	"logging.file": "Log File Path",
+	"logging.consoleLevel": "Console Log Level",
+	"logging.consoleStyle": "Console Log Style",
+	"logging.redactSensitive": "Sensitive Data Redaction Mode",
+	"logging.redactPatterns": "Custom Redaction Patterns",
+	update: "Updates",
+	"update.channel": "Update Channel",
+	"update.checkOnStart": "Update Check on Start",
+	"update.auto.enabled": "Auto Update Enabled",
+	"update.auto.stableDelayHours": "Auto Update Stable Delay (hours)",
+	"update.auto.stableJitterHours": "Auto Update Stable Jitter (hours)",
+	"update.auto.betaCheckIntervalHours": "Auto Update Beta Check Interval (hours)",
+	"diagnostics.enabled": "Diagnostics Enabled",
+	"diagnostics.flags": "Diagnostics Flags",
+	"diagnostics.otel.enabled": "OpenTelemetry Enabled",
+	"diagnostics.otel.endpoint": "OpenTelemetry Endpoint",
+	"diagnostics.otel.protocol": "OpenTelemetry Protocol",
+	"diagnostics.otel.headers": "OpenTelemetry Headers",
+	"diagnostics.otel.serviceName": "OpenTelemetry Service Name",
+	"diagnostics.otel.traces": "OpenTelemetry Traces Enabled",
+	"diagnostics.otel.metrics": "OpenTelemetry Metrics Enabled",
+	"diagnostics.otel.logs": "OpenTelemetry Logs Enabled",
+	"diagnostics.otel.sampleRate": "OpenTelemetry Trace Sample Rate",
+	"diagnostics.otel.flushIntervalMs": "OpenTelemetry Flush Interval (ms)",
+	"diagnostics.cacheTrace.enabled": "Cache Trace Enabled",
+	"diagnostics.cacheTrace.filePath": "Cache Trace File Path",
+	"diagnostics.cacheTrace.includeMessages": "Cache Trace Include Messages",
+	"diagnostics.cacheTrace.includePrompt": "Cache Trace Include Prompt",
+	"diagnostics.cacheTrace.includeSystem": "Cache Trace Include System",
+	"agents.list.*.identity.avatar": "Identity Avatar",
+	"agents.list.*.skills": "Agent Skill Filter",
+	agents: "Agents",
+	"agents.defaults": "Agent Defaults",
+	"agents.list": "Agent List",
+	gateway: "Gateway",
+	"gateway.port": "Gateway Port",
+	"gateway.mode": "Gateway Mode",
+	"gateway.bind": "Gateway Bind Mode",
+	"gateway.customBindHost": "Gateway Custom Bind Host",
+	"gateway.controlUi": "Control UI",
+	"gateway.controlUi.enabled": "Control UI Enabled",
+	"gateway.auth": "Gateway Auth",
+	"gateway.auth.mode": "Gateway Auth Mode",
+	"gateway.auth.allowTailscale": "Gateway Auth Allow Tailscale Identity",
+	"gateway.auth.rateLimit": "Gateway Auth Rate Limit",
+	"gateway.auth.trustedProxy": "Gateway Trusted Proxy Auth",
+	"gateway.trustedProxies": "Gateway Trusted Proxy CIDRs",
+	"gateway.allowRealIpFallback": "Gateway Allow x-real-ip Fallback",
+	"gateway.tools": "Gateway Tool Exposure Policy",
+	"gateway.tools.allow": "Gateway Tool Allowlist",
+	"gateway.tools.deny": "Gateway Tool Denylist",
+	"gateway.channelHealthCheckMinutes": "Gateway Channel Health Check Interval (min)",
+	"gateway.tailscale": "Gateway Tailscale",
+	"gateway.tailscale.mode": "Gateway Tailscale Mode",
+	"gateway.tailscale.resetOnExit": "Gateway Tailscale Reset on Exit",
+	"gateway.remote": "Remote Gateway",
+	"gateway.remote.transport": "Remote Gateway Transport",
+	"gateway.reload": "Config Reload",
+	"gateway.tls": "Gateway TLS",
+	"gateway.tls.enabled": "Gateway TLS Enabled",
+	"gateway.tls.autoGenerate": "Gateway TLS Auto-Generate Cert",
+	"gateway.tls.certPath": "Gateway TLS Certificate Path",
+	"gateway.tls.keyPath": "Gateway TLS Key Path",
+	"gateway.tls.caPath": "Gateway TLS CA Path",
+	"gateway.http": "Gateway HTTP API",
+	"gateway.http.endpoints": "Gateway HTTP Endpoints",
+	"gateway.http.securityHeaders": "Gateway HTTP Security Headers",
+	"gateway.http.securityHeaders.strictTransportSecurity": "Strict Transport Security Header",
+	"gateway.remote.url": "Remote Gateway URL",
+	"gateway.remote.sshTarget": "Remote Gateway SSH Target",
+	"gateway.remote.sshIdentity": "Remote Gateway SSH Identity",
+	"gateway.remote.token": "Remote Gateway Token",
+	"gateway.remote.password": "Remote Gateway Password",
+	"gateway.remote.tlsFingerprint": "Remote Gateway TLS Fingerprint",
+	"gateway.auth.token": "Gateway Token",
+	"gateway.auth.password": "Gateway Password",
+	browser: "Browser",
+	"browser.enabled": "Browser Enabled",
+	"browser.cdpUrl": "Browser CDP URL",
+	"browser.color": "Browser Accent Color",
+	"browser.executablePath": "Browser Executable Path",
+	"browser.headless": "Browser Headless Mode",
+	"browser.noSandbox": "Browser No-Sandbox Mode",
+	"browser.attachOnly": "Browser Attach-only Mode",
+	"browser.defaultProfile": "Browser Default Profile",
+	"browser.profiles": "Browser Profiles",
+	"browser.profiles.*.cdpPort": "Browser Profile CDP Port",
+	"browser.profiles.*.cdpUrl": "Browser Profile CDP URL",
+	"browser.profiles.*.driver": "Browser Profile Driver",
+	"browser.profiles.*.color": "Browser Profile Accent Color",
+	tools: "Tools",
+	"tools.allow": "Tool Allowlist",
+	"tools.deny": "Tool Denylist",
+	"tools.exec": "Exec Tool",
+	"tools.media.image.enabled": "Enable Image Understanding",
+	"tools.media.image.maxBytes": "Image Understanding Max Bytes",
+	"tools.media.image.maxChars": "Image Understanding Max Chars",
+	"tools.media.image.prompt": "Image Understanding Prompt",
+	"tools.media.image.timeoutSeconds": "Image Understanding Timeout (sec)",
+	"tools.media.image.attachments": "Image Understanding Attachment Policy",
+	"tools.media.image.models": "Image Understanding Models",
+	"tools.media.image.scope": "Image Understanding Scope",
+	"tools.media.models": "Media Understanding Shared Models",
+	"tools.media.concurrency": "Media Understanding Concurrency",
+	"tools.media.audio.enabled": "Enable Audio Understanding",
+	"tools.media.audio.maxBytes": "Audio Understanding Max Bytes",
+	"tools.media.audio.maxChars": "Audio Understanding Max Chars",
+	"tools.media.audio.prompt": "Audio Understanding Prompt",
+	"tools.media.audio.timeoutSeconds": "Audio Understanding Timeout (sec)",
+	"tools.media.audio.language": "Audio Understanding Language",
+	"tools.media.audio.attachments": "Audio Understanding Attachment Policy",
+	"tools.media.audio.models": "Audio Understanding Models",
+	"tools.media.audio.scope": "Audio Understanding Scope",
+	"tools.media.video.enabled": "Enable Video Understanding",
+	"tools.media.video.maxBytes": "Video Understanding Max Bytes",
+	"tools.media.video.maxChars": "Video Understanding Max Chars",
+	"tools.media.video.prompt": "Video Understanding Prompt",
+	"tools.media.video.timeoutSeconds": "Video Understanding Timeout (sec)",
+	"tools.media.video.attachments": "Video Understanding Attachment Policy",
+	"tools.media.video.models": "Video Understanding Models",
+	"tools.media.video.scope": "Video Understanding Scope",
+	"tools.links.enabled": "Enable Link Understanding",
+	"tools.links.maxLinks": "Link Understanding Max Links",
+	"tools.links.timeoutSeconds": "Link Understanding Timeout (sec)",
+	"tools.links.models": "Link Understanding Models",
+	"tools.links.scope": "Link Understanding Scope",
+	"tools.profile": "Tool Profile",
+	"tools.alsoAllow": "Tool Allowlist Additions",
+	"agents.list[].tools.profile": "Agent Tool Profile",
+	"agents.list[].tools.alsoAllow": "Agent Tool Allowlist Additions",
+	"tools.byProvider": "Tool Policy by Provider",
+	"agents.list[].tools.byProvider": "Agent Tool Policy by Provider",
+	"tools.fs.workspaceOnly": "Workspace-only FS tools",
+	"tools.sessions.visibility": "Session Tools Visibility",
+	"tools.exec.notifyOnExit": "Exec Notify On Exit",
+	"tools.exec.notifyOnExitEmptySuccess": "Exec Notify On Empty Success",
+	"tools.exec.approvalRunningNoticeMs": "Exec Approval Running Notice (ms)",
+	"tools.exec.host": "Exec Host",
+	"tools.exec.security": "Exec Security",
+	"tools.exec.ask": "Exec Ask",
+	"tools.exec.node": "Exec Node Binding",
+	"tools.agentToAgent": "Agent-to-Agent Tool Access",
+	"tools.agentToAgent.enabled": "Enable Agent-to-Agent Tool",
+	"tools.agentToAgent.allow": "Agent-to-Agent Target Allowlist",
+	"tools.elevated": "Elevated Tool Access",
+	"tools.elevated.enabled": "Enable Elevated Tool Access",
+	"tools.elevated.allowFrom": "Elevated Tool Allow Rules",
+	"tools.subagents": "Subagent Tool Policy",
+	"tools.subagents.tools": "Subagent Tool Allow/Deny Policy",
+	"tools.sandbox": "Sandbox Tool Policy",
+	"tools.sandbox.tools": "Sandbox Tool Allow/Deny Policy",
+	"tools.exec.pathPrepend": "Exec PATH Prepend",
+	"tools.exec.safeBins": "Exec Safe Bins",
+	"tools.exec.safeBinTrustedDirs": "Exec Safe Bin Trusted Dirs",
+	"tools.exec.safeBinProfiles": "Exec Safe Bin Profiles",
+	approvals: "Approvals",
+	"approvals.exec": "Exec Approval Forwarding",
+	"approvals.exec.enabled": "Forward Exec Approvals",
+	"approvals.exec.mode": "Approval Forwarding Mode",
+	"approvals.exec.agentFilter": "Approval Agent Filter",
+	"approvals.exec.sessionFilter": "Approval Session Filter",
+	"approvals.exec.targets": "Approval Forwarding Targets",
+	"approvals.exec.targets[].channel": "Approval Target Channel",
+	"approvals.exec.targets[].to": "Approval Target Destination",
+	"approvals.exec.targets[].accountId": "Approval Target Account ID",
+	"approvals.exec.targets[].threadId": "Approval Target Thread ID",
+	"tools.message.allowCrossContextSend": "Allow Cross-Context Messaging",
+	"tools.message.crossContext.allowWithinProvider": "Allow Cross-Context (Same Provider)",
+	"tools.message.crossContext.allowAcrossProviders": "Allow Cross-Context (Across Providers)",
+	"tools.message.crossContext.marker.enabled": "Cross-Context Marker",
+	"tools.message.crossContext.marker.prefix": "Cross-Context Marker Prefix",
+	"tools.message.crossContext.marker.suffix": "Cross-Context Marker Suffix",
+	"tools.message.broadcast.enabled": "Enable Message Broadcast",
+	"gateway.controlUi.basePath": "Control UI Base Path",
+	"gateway.controlUi.root": "Control UI Assets Root",
+	"gateway.controlUi.allowedOrigins": "Control UI Allowed Origins",
+	"gateway.controlUi.dangerouslyAllowHostHeaderOriginFallback": "Dangerously Allow Host-Header Origin Fallback",
+	"gateway.controlUi.allowInsecureAuth": "Insecure Control UI Auth Toggle",
+	"gateway.controlUi.dangerouslyDisableDeviceAuth": "Dangerously Disable Control UI Device Auth",
+	"gateway.http.endpoints.chatCompletions.enabled": "OpenAI Chat Completions Endpoint",
+	"gateway.reload.mode": "Config Reload Mode",
+	"gateway.reload.debounceMs": "Config Reload Debounce (ms)",
+	"gateway.nodes.browser.mode": "Gateway Node Browser Mode",
+	"gateway.nodes.browser.node": "Gateway Node Browser Pin",
+	"gateway.nodes.allowCommands": "Gateway Node Allowlist (Extra Commands)",
+	"gateway.nodes.denyCommands": "Gateway Node Denylist",
+	nodeHost: "Node Host",
+	"nodeHost.browserProxy": "Node Browser Proxy",
+	"nodeHost.browserProxy.enabled": "Node Browser Proxy Enabled",
+	"nodeHost.browserProxy.allowProfiles": "Node Browser Proxy Allowed Profiles",
+	media: "Media",
+	"media.preserveFilenames": "Preserve Media Filenames",
+	audio: "Audio",
+	"audio.transcription": "Audio Transcription",
+	"audio.transcription.command": "Audio Transcription Command",
+	"audio.transcription.timeoutSeconds": "Audio Transcription Timeout (sec)",
+	bindings: "Bindings",
+	"bindings[].agentId": "Binding Agent ID",
+	"bindings[].match": "Binding Match Rule",
+	"bindings[].match.channel": "Binding Channel",
+	"bindings[].match.accountId": "Binding Account ID",
+	"bindings[].match.peer": "Binding Peer Match",
+	"bindings[].match.peer.kind": "Binding Peer Kind",
+	"bindings[].match.peer.id": "Binding Peer ID",
+	"bindings[].match.guildId": "Binding Guild ID",
+	"bindings[].match.teamId": "Binding Team ID",
+	"bindings[].match.roles": "Binding Roles",
+	broadcast: "Broadcast",
+	"broadcast.strategy": "Broadcast Strategy",
+	"broadcast.*": "Broadcast Destination List",
+	"skills.load.watch": "Watch Skills",
+	"skills.load.watchDebounceMs": "Skills Watch Debounce (ms)",
+	"agents.defaults.repoRoot": "Repo Root",
+	"agents.defaults.boot": "Boot Prompt",
+	"agents.defaults.boot.prompt": "Boot Prompt Text",
+	"agents.defaults.boot.file": "Boot Prompt File",
+	"agents.list[].boot": "Agent Boot Prompt",
+	"agents.list[].boot.prompt": "Agent Boot Prompt Text",
+	"agents.list[].boot.file": "Agent Boot Prompt File",
+	"agents.defaults.bootstrapMaxChars": "Bootstrap Max Chars",
+	"agents.defaults.bootstrapTotalMaxChars": "Bootstrap Total Max Chars",
+	"agents.defaults.envelopeTimezone": "Envelope Timezone",
+	"agents.defaults.envelopeTimestamp": "Envelope Timestamp",
+	"agents.defaults.envelopeElapsed": "Envelope Elapsed",
+	auth: "Auth",
+	"auth.profiles": "Auth Profiles",
+	"auth.order": "Auth Profile Order",
+	"auth.cooldowns": "Auth Cooldowns",
+	models: "Models",
+	"models.mode": "Model Catalog Mode",
+	"models.providers": "Model Providers",
+	"models.providers.*.baseUrl": "Model Provider Base URL",
+	"models.providers.*.apiKey": "Model Provider API Key",
+	"models.providers.*.auth": "Model Provider Auth Mode",
+	"models.providers.*.api": "Model Provider API Adapter",
+	"models.providers.*.headers": "Model Provider Headers",
+	"models.providers.*.authHeader": "Model Provider Authorization Header",
+	"models.providers.*.models": "Model Provider Model List",
+	"models.bedrockDiscovery": "Bedrock Model Discovery",
+	"models.bedrockDiscovery.enabled": "Bedrock Discovery Enabled",
+	"models.bedrockDiscovery.region": "Bedrock Discovery Region",
+	"models.bedrockDiscovery.providerFilter": "Bedrock Discovery Provider Filter",
+	"models.bedrockDiscovery.refreshInterval": "Bedrock Discovery Refresh Interval (s)",
+	"models.bedrockDiscovery.defaultContextWindow": "Bedrock Default Context Window",
+	"models.bedrockDiscovery.defaultMaxTokens": "Bedrock Default Max Tokens",
+	"auth.cooldowns.billingBackoffHours": "Billing Backoff (hours)",
+	"auth.cooldowns.billingBackoffHoursByProvider": "Billing Backoff Overrides",
+	"auth.cooldowns.billingMaxHours": "Billing Backoff Cap (hours)",
+	"auth.cooldowns.failureWindowHours": "Failover Window (hours)",
+	"agents.defaults.models": "Models",
+	"agents.defaults.model.primary": "Primary Model",
+	"agents.defaults.model.fallbacks": "Model Fallbacks",
+	"agents.defaults.imageModel.primary": "Image Model",
+	"agents.defaults.imageModel.fallbacks": "Image Model Fallbacks",
+	"agents.defaults.imageMaxDimensionPx": "Image Max Dimension (px)",
+	"agents.defaults.humanDelay.mode": "Human Delay Mode",
+	"agents.defaults.humanDelay.minMs": "Human Delay Min (ms)",
+	"agents.defaults.humanDelay.maxMs": "Human Delay Max (ms)",
+	"agents.defaults.cliBackends": "CLI Backends",
+	"agents.defaults.compaction": "Compaction",
+	"agents.defaults.compaction.mode": "Compaction Mode",
+	"agents.defaults.compaction.reserveTokens": "Compaction Reserve Tokens",
+	"agents.defaults.compaction.keepRecentTokens": "Compaction Keep Recent Tokens",
+	"agents.defaults.compaction.reserveTokensFloor": "Compaction Reserve Token Floor",
+	"agents.defaults.compaction.maxHistoryShare": "Compaction Max History Share",
+	"agents.defaults.heartbeat.suppressToolErrorWarnings": "Heartbeat Suppress Tool Error Warnings",
+	"agents.defaults.sandbox.browser.network": "Sandbox Browser Network",
+	"agents.defaults.sandbox.browser.cdpSourceRange": "Sandbox Browser CDP Source Port Range",
+	"agents.defaults.sandbox.docker.dangerouslyAllowContainerNamespaceJoin": "Sandbox Docker Allow Container Namespace Join",
+	commands: "Commands",
+	"commands.native": "Native Commands",
+	"commands.text": "Text Commands",
+	"commands.bash": "Allow Bash Chat Command",
+	"commands.bashForegroundMs": "Bash Foreground Window (ms)",
+	"commands.config": "Allow /config",
+	"commands.debug": "Allow /debug",
+	"commands.restart": "Allow Restart",
+	"commands.useAccessGroups": "Use Access Groups",
+	"commands.ownerAllowFrom": "Command Owners",
+	"commands.ownerDisplay": "Owner ID Display",
+	"commands.ownerDisplaySecret": "Owner ID Hash Secret",
+	"commands.allowFrom": "Command Elevated Access Rules",
+	ui: "UI",
+	"ui.seamColor": "Accent Color",
+	"ui.assistant": "Assistant Appearance",
+	"ui.assistant.name": "Assistant Name",
+	"ui.assistant.avatar": "Assistant Avatar",
+	"browser.evaluateEnabled": "Browser Evaluate Enabled",
+	"browser.snapshotDefaults": "Browser Snapshot Defaults",
+	"browser.snapshotDefaults.mode": "Browser Snapshot Mode",
+	"browser.ssrfPolicy": "Browser SSRF Policy",
+	"browser.ssrfPolicy.allowPrivateNetwork": "Browser Allow Private Network",
+	"browser.ssrfPolicy.dangerouslyAllowPrivateNetwork": "Browser Dangerously Allow Private Network",
+	"browser.ssrfPolicy.allowedHostnames": "Browser Allowed Hostnames",
+	"browser.ssrfPolicy.hostnameAllowlist": "Browser Hostname Allowlist",
+	"browser.remoteCdpTimeoutMs": "Remote CDP Timeout (ms)",
+	"browser.remoteCdpHandshakeTimeoutMs": "Remote CDP Handshake Timeout (ms)",
+	session: "Session",
+	"session.scope": "Session Scope",
+	"session.dmScope": "DM Session Scope",
+	"session.identityLinks": "Session Identity Links",
+	"session.resetTriggers": "Session Reset Triggers",
+	"session.idleMinutes": "Session Idle Minutes",
+	"session.reset": "Session Reset Policy",
+	"session.reset.mode": "Session Reset Mode",
+	"session.reset.atHour": "Session Daily Reset Hour",
+	"session.reset.idleMinutes": "Session Reset Idle Minutes",
+	"session.resetByType": "Session Reset by Chat Type",
+	"session.resetByType.direct": "Session Reset (Direct)",
+	"session.resetByType.dm": "Session Reset (DM Deprecated Alias)",
+	"session.resetByType.group": "Session Reset (Group)",
+	"session.resetByType.thread": "Session Reset (Thread)",
+	"session.resetByChannel": "Session Reset by Channel",
+	"session.store": "Session Store Path",
+	"session.typingIntervalSeconds": "Session Typing Interval (seconds)",
+	"session.typingMode": "Session Typing Mode",
+	"session.mainKey": "Session Main Key",
+	"session.sendPolicy": "Session Send Policy",
+	"session.sendPolicy.default": "Session Send Policy Default Action",
+	"session.sendPolicy.rules": "Session Send Policy Rules",
+	"session.sendPolicy.rules[].action": "Session Send Rule Action",
+	"session.sendPolicy.rules[].match": "Session Send Rule Match",
+	"session.sendPolicy.rules[].match.channel": "Session Send Rule Channel",
+	"session.sendPolicy.rules[].match.chatType": "Session Send Rule Chat Type",
+	"session.sendPolicy.rules[].match.keyPrefix": "Session Send Rule Key Prefix",
+	"session.sendPolicy.rules[].match.rawKeyPrefix": "Session Send Rule Raw Key Prefix",
+	"session.agentToAgent": "Session Agent-to-Agent",
+	"session.agentToAgent.maxPingPongTurns": "Agent-to-Agent Ping-Pong Turns",
+	"session.threadBindings": "Session Thread Bindings",
+	"session.threadBindings.enabled": "Thread Binding Enabled",
+	"session.threadBindings.ttlHours": "Thread Binding TTL (hours)",
+	"session.maintenance": "Session Maintenance",
+	"session.maintenance.mode": "Session Maintenance Mode",
+	"session.maintenance.pruneAfter": "Session Prune After",
+	"session.maintenance.pruneDays": "Session Prune Days (Deprecated)",
+	"session.maintenance.maxEntries": "Session Max Entries",
+	"session.maintenance.rotateBytes": "Session Rotate Size",
+	"session.maintenance.resetArchiveRetention": "Session Reset Archive Retention",
+	"session.maintenance.maxDiskBytes": "Session Max Disk Budget",
+	"session.maintenance.highWaterBytes": "Session Disk High-water Target",
+	cron: "Cron",
+	"cron.enabled": "Cron Enabled",
+	"cron.store": "Cron Store Path",
+	"cron.maxConcurrentRuns": "Cron Max Concurrent Runs",
+	"cron.webhook": "Cron Legacy Webhook (Deprecated)",
+	"cron.webhookToken": "Cron Webhook Bearer Token",
+	"cron.sessionRetention": "Cron Session Retention",
+	"cron.runLog": "Cron Run Log Pruning",
+	"cron.runLog.maxBytes": "Cron Run Log Max Bytes",
+	"cron.runLog.keepLines": "Cron Run Log Keep Lines",
+	hooks: "Hooks",
+	"hooks.enabled": "Hooks Enabled",
+	"hooks.path": "Hooks Endpoint Path",
+	"hooks.token": "Hooks Auth Token",
+	"hooks.defaultSessionKey": "Hooks Default Session Key",
+	"hooks.allowRequestSessionKey": "Hooks Allow Request Session Key",
+	"hooks.allowedSessionKeyPrefixes": "Hooks Allowed Session Key Prefixes",
+	"hooks.allowedAgentIds": "Hooks Allowed Agent IDs",
+	"hooks.maxBodyBytes": "Hooks Max Body Bytes",
+	"hooks.presets": "Hooks Presets",
+	"hooks.transformsDir": "Hooks Transforms Directory",
+	"hooks.mappings": "Hook Mappings",
+	"hooks.mappings[].id": "Hook Mapping ID",
+	"hooks.mappings[].match": "Hook Mapping Match",
+	"hooks.mappings[].match.path": "Hook Mapping Match Path",
+	"hooks.mappings[].match.source": "Hook Mapping Match Source",
+	"hooks.mappings[].action": "Hook Mapping Action",
+	"hooks.mappings[].wakeMode": "Hook Mapping Wake Mode",
+	"hooks.mappings[].name": "Hook Mapping Name",
+	"hooks.mappings[].agentId": "Hook Mapping Agent ID",
+	"hooks.mappings[].sessionKey": "Hook Mapping Session Key",
+	"hooks.mappings[].messageTemplate": "Hook Mapping Message Template",
+	"hooks.mappings[].textTemplate": "Hook Mapping Text Template",
+	"hooks.mappings[].deliver": "Hook Mapping Deliver Reply",
+	"hooks.mappings[].allowUnsafeExternalContent": "Hook Mapping Allow Unsafe External Content",
+	"hooks.mappings[].channel": "Hook Mapping Delivery Channel",
+	"hooks.mappings[].to": "Hook Mapping Delivery Destination",
+	"hooks.mappings[].model": "Hook Mapping Model Override",
+	"hooks.mappings[].thinking": "Hook Mapping Thinking Override",
+	"hooks.mappings[].timeoutSeconds": "Hook Mapping Timeout (sec)",
+	"hooks.mappings[].transform": "Hook Mapping Transform",
+	"hooks.mappings[].transform.module": "Hook Transform Module",
+	"hooks.mappings[].transform.export": "Hook Transform Export",
+	"hooks.gmail": "Gmail Hook",
+	"hooks.gmail.account": "Gmail Hook Account",
+	"hooks.gmail.label": "Gmail Hook Label",
+	"hooks.gmail.topic": "Gmail Hook Pub/Sub Topic",
+	"hooks.gmail.subscription": "Gmail Hook Subscription",
+	"hooks.gmail.pushToken": "Gmail Hook Push Token",
+	"hooks.gmail.hookUrl": "Gmail Hook Callback URL",
+	"hooks.gmail.includeBody": "Gmail Hook Include Body",
+	"hooks.gmail.maxBytes": "Gmail Hook Max Body Bytes",
+	"hooks.gmail.renewEveryMinutes": "Gmail Hook Renew Interval (min)",
+	"hooks.gmail.allowUnsafeExternalContent": "Gmail Hook Allow Unsafe External Content",
+	"hooks.gmail.serve": "Gmail Hook Local Server",
+	"hooks.gmail.serve.bind": "Gmail Hook Server Bind Address",
+	"hooks.gmail.serve.port": "Gmail Hook Server Port",
+	"hooks.gmail.serve.path": "Gmail Hook Server Path",
+	"hooks.gmail.tailscale": "Gmail Hook Tailscale",
+	"hooks.gmail.tailscale.mode": "Gmail Hook Tailscale Mode",
+	"hooks.gmail.tailscale.path": "Gmail Hook Tailscale Path",
+	"hooks.gmail.tailscale.target": "Gmail Hook Tailscale Target",
+	"hooks.gmail.model": "Gmail Hook Model Override",
+	"hooks.gmail.thinking": "Gmail Hook Thinking Override",
+	"hooks.internal": "Internal Hooks",
+	"hooks.internal.enabled": "Internal Hooks Enabled",
+	"hooks.internal.handlers": "Internal Hook Handlers",
+	"hooks.internal.handlers[].event": "Internal Hook Event",
+	"hooks.internal.handlers[].module": "Internal Hook Module",
+	"hooks.internal.handlers[].export": "Internal Hook Export",
+	"hooks.internal.entries": "Internal Hook Entries",
+	"hooks.internal.load": "Internal Hook Loader",
+	"hooks.internal.load.extraDirs": "Internal Hook Extra Directories",
+	"hooks.internal.installs": "Internal Hook Install Records",
+	web: "Web Channel",
+	"web.enabled": "Web Channel Enabled",
+	"web.heartbeatSeconds": "Web Channel Heartbeat Interval (sec)",
+	"web.reconnect": "Web Channel Reconnect Policy",
+	"web.reconnect.initialMs": "Web Reconnect Initial Delay (ms)",
+	"web.reconnect.maxMs": "Web Reconnect Max Delay (ms)",
+	"web.reconnect.factor": "Web Reconnect Backoff Factor",
+	"web.reconnect.jitter": "Web Reconnect Jitter",
+	"web.reconnect.maxAttempts": "Web Reconnect Max Attempts",
+	discovery: "Discovery",
+	"discovery.wideArea": "Wide-area Discovery",
+	"discovery.wideArea.enabled": "Wide-area Discovery Enabled",
+	"discovery.mdns": "mDNS Discovery",
+	canvasHost: "Canvas Host",
+	"canvasHost.enabled": "Canvas Host Enabled",
+	"canvasHost.root": "Canvas Host Root Directory",
+	"canvasHost.port": "Canvas Host Port",
+	"canvasHost.liveReload": "Canvas Host Live Reload",
+	talk: "Talk",
+	"talk.voiceId": "Talk Voice ID",
+	"talk.voiceAliases": "Talk Voice Aliases",
+	"talk.modelId": "Talk Model ID",
+	"talk.outputFormat": "Talk Output Format",
+	"talk.interruptOnSpeech": "Talk Interrupt on Speech",
+	messages: "Messages",
+	"messages.messagePrefix": "Inbound Message Prefix",
+	"messages.responsePrefix": "Outbound Response Prefix",
+	"messages.groupChat": "Group Chat Rules",
+	"messages.groupChat.mentionPatterns": "Group Mention Patterns",
+	"messages.groupChat.historyLimit": "Group History Limit",
+	"messages.queue": "Inbound Queue",
+	"messages.queue.mode": "Queue Mode",
+	"messages.queue.byChannel": "Queue Mode by Channel",
+	"messages.queue.debounceMs": "Queue Debounce (ms)",
+	"messages.queue.debounceMsByChannel": "Queue Debounce by Channel (ms)",
+	"messages.queue.cap": "Queue Capacity",
+	"messages.queue.drop": "Queue Drop Strategy",
+	"messages.inbound": "Inbound Debounce",
+	"messages.suppressToolErrors": "Suppress Tool Error Warnings",
+	"messages.ackReaction": "Ack Reaction Emoji",
+	"messages.ackReactionScope": "Ack Reaction Scope",
+	"messages.removeAckAfterReply": "Remove Ack Reaction After Reply",
+	"messages.statusReactions": "Status Reactions",
+	"messages.statusReactions.enabled": "Enable Status Reactions",
+	"messages.statusReactions.emojis": "Status Reaction Emojis",
+	"messages.statusReactions.timing": "Status Reaction Timing",
+	"messages.inbound.debounceMs": "Inbound Message Debounce (ms)",
+	"messages.inbound.byChannel": "Inbound Debounce by Channel (ms)",
+	"messages.tts": "Message Text-to-Speech",
+	"talk.provider": "Talk Active Provider",
+	"talk.providers": "Talk Provider Settings",
+	"talk.providers.*.voiceId": "Talk Provider Voice ID",
+	"talk.providers.*.voiceAliases": "Talk Provider Voice Aliases",
+	"talk.providers.*.modelId": "Talk Provider Model ID",
+	"talk.providers.*.outputFormat": "Talk Provider Output Format",
+	"talk.providers.*.apiKey": "Talk Provider API Key",
+	"talk.apiKey": "Talk API Key",
+	channels: "Channels",
+	"channels.defaults": "Channel Defaults",
+	"channels.defaults.groupPolicy": "Default Group Policy",
+	"channels.defaults.heartbeat": "Default Heartbeat Visibility",
+	"channels.defaults.heartbeat.showOk": "Heartbeat Show OK",
+	"channels.defaults.heartbeat.showAlerts": "Heartbeat Show Alerts",
+	"channels.defaults.heartbeat.useIndicator": "Heartbeat Use Indicator",
+	"channels.whatsapp": "WhatsApp",
+	"channels.telegram": "Telegram",
+	"channels.telegram.customCommands": "Telegram Custom Commands",
+	"channels.discord": "Discord",
+	"channels.slack": "Slack",
+	"channels.mattermost": "Mattermost",
+	"channels.signal": "Signal",
+	"channels.imessage": "iMessage",
+	"channels.bluebubbles": "BlueBubbles",
+	"channels.msteams": "MS Teams",
+	"channels.modelByChannel": "Channel Model Overrides",
+	...IRC_FIELD_LABELS,
+	"channels.telegram.botToken": "Telegram Bot Token",
+	"channels.telegram.dmPolicy": "Telegram DM Policy",
+	"channels.telegram.configWrites": "Telegram Config Writes",
+	"channels.telegram.commands.native": "Telegram Native Commands",
+	"channels.telegram.streaming": "Telegram Streaming Mode",
+	"channels.telegram.retry.attempts": "Telegram Retry Attempts",
+	"channels.telegram.retry.minDelayMs": "Telegram Retry Min Delay (ms)",
+	"channels.telegram.retry.maxDelayMs": "Telegram Retry Max Delay (ms)",
+	"channels.telegram.retry.jitter": "Telegram Retry Jitter",
+	"channels.telegram.network.autoSelectFamily": "Telegram autoSelectFamily",
+	"channels.telegram.timeoutSeconds": "Telegram API Timeout (seconds)",
+	"channels.telegram.capabilities.inlineButtons": "Telegram Inline Buttons",
+	"channels.whatsapp.dmPolicy": "WhatsApp DM Policy",
+	"channels.whatsapp.selfChatMode": "WhatsApp Self-Phone Mode",
+	"channels.whatsapp.debounceMs": "WhatsApp Message Debounce (ms)",
+	"channels.whatsapp.configWrites": "WhatsApp Config Writes",
+	"channels.signal.dmPolicy": "Signal DM Policy",
+	"channels.signal.configWrites": "Signal Config Writes",
+	"channels.imessage.dmPolicy": "iMessage DM Policy",
+	"channels.imessage.configWrites": "iMessage Config Writes",
+	"channels.bluebubbles.dmPolicy": "BlueBubbles DM Policy",
+	"channels.msteams.configWrites": "MS Teams Config Writes",
+	"channels.irc.configWrites": "IRC Config Writes",
+	"channels.discord.dmPolicy": "Discord DM Policy",
+	"channels.discord.dm.policy": "Discord DM Policy",
+	"channels.discord.configWrites": "Discord Config Writes",
+	"channels.discord.proxy": "Discord Proxy URL",
+	"channels.discord.commands.native": "Discord Native Commands",
+	"channels.discord.streaming": "Discord Streaming Mode",
+	"channels.discord.streamMode": "Discord Stream Mode (Legacy)",
+	"channels.discord.draftChunk.minChars": "Discord Draft Chunk Min Chars",
+	"channels.discord.draftChunk.maxChars": "Discord Draft Chunk Max Chars",
+	"channels.discord.draftChunk.breakPreference": "Discord Draft Chunk Break Preference",
+	"channels.discord.retry.attempts": "Discord Retry Attempts",
+	"channels.discord.retry.minDelayMs": "Discord Retry Min Delay (ms)",
+	"channels.discord.retry.maxDelayMs": "Discord Retry Max Delay (ms)",
+	"channels.discord.retry.jitter": "Discord Retry Jitter",
+	"channels.discord.maxLinesPerMessage": "Discord Max Lines Per Message",
+	"channels.discord.threadBindings.enabled": "Discord Thread Binding Enabled",
+	"channels.discord.threadBindings.ttlHours": "Discord Thread Binding TTL (hours)",
+	"channels.discord.threadBindings.spawnSubagentSessions": "Discord Thread-Bound Subagent Spawn",
+	"channels.discord.ui.components.accentColor": "Discord Component Accent Color",
+	"channels.discord.intents.presence": "Discord Presence Intent",
+	"channels.discord.intents.guildMembers": "Discord Guild Members Intent",
+	"channels.discord.voice.enabled": "Discord Voice Enabled",
+	"channels.discord.voice.autoJoin": "Discord Voice Auto-Join",
+	"channels.discord.voice.daveEncryption": "Discord Voice DAVE Encryption",
+	"channels.discord.voice.decryptionFailureTolerance": "Discord Voice Decrypt Failure Tolerance",
+	"channels.discord.voice.tts": "Discord Voice Text-to-Speech",
+	"channels.discord.pluralkit.enabled": "Discord PluralKit Enabled",
+	"channels.discord.pluralkit.token": "Discord PluralKit Token",
+	"channels.discord.activity": "Discord Presence Activity",
+	"channels.discord.status": "Discord Presence Status",
+	"channels.discord.activityType": "Discord Presence Activity Type",
+	"channels.discord.activityUrl": "Discord Presence Activity URL",
+	"channels.slack.dm.policy": "Slack DM Policy",
+	"channels.slack.dmPolicy": "Slack DM Policy",
+	"channels.slack.configWrites": "Slack Config Writes",
+	"channels.slack.commands.native": "Slack Native Commands",
+	"channels.slack.allowBots": "Slack Allow Bot Messages",
+	"channels.discord.token": "Discord Bot Token",
+	"channels.slack.botToken": "Slack Bot Token",
+	"channels.slack.appToken": "Slack App Token",
+	"channels.slack.userToken": "Slack User Token",
+	"channels.slack.userTokenReadOnly": "Slack User Token Read Only",
+	"channels.slack.streaming": "Slack Streaming Mode",
+	"channels.slack.nativeStreaming": "Slack Native Streaming",
+	"channels.slack.streamMode": "Slack Stream Mode (Legacy)",
+	"channels.slack.thread.historyScope": "Slack Thread History Scope",
+	"channels.slack.thread.inheritParent": "Slack Thread Parent Inheritance",
+	"channels.slack.thread.initialHistoryLimit": "Slack Thread Initial History Limit",
+	"channels.mattermost.botToken": "Mattermost Bot Token",
+	"channels.mattermost.baseUrl": "Mattermost Base URL",
+	"channels.mattermost.configWrites": "Mattermost Config Writes",
+	"channels.mattermost.chatmode": "Mattermost Chat Mode",
+	"channels.mattermost.oncharPrefixes": "Mattermost Onchar Prefixes",
+	"channels.mattermost.requireMention": "Mattermost Require Mention",
+	"channels.signal.account": "Signal Account",
+	"channels.imessage.cliPath": "iMessage CLI Path",
+	"agents.list[].skills": "Agent Skill Filter",
+	"agents.list[].identity.avatar": "Agent Avatar",
+	"agents.list[].heartbeat.suppressToolErrorWarnings": "Agent Heartbeat Suppress Tool Error Warnings",
+	"agents.list[].sandbox.browser.network": "Agent Sandbox Browser Network",
+	"agents.list[].sandbox.browser.cdpSourceRange": "Agent Sandbox Browser CDP Source Port Range",
+	"agents.list[].sandbox.docker.dangerouslyAllowContainerNamespaceJoin": "Agent Sandbox Docker Allow Container Namespace Join",
+	"discovery.mdns.mode": "mDNS Discovery Mode",
+	plugins: "Plugins",
+	"plugins.enabled": "Enable Plugins",
+	"plugins.allow": "Plugin Allowlist",
+	"plugins.deny": "Plugin Denylist",
+	"plugins.load": "Plugin Loader",
+	"plugins.load.paths": "Plugin Load Paths",
+	"plugins.slots": "Plugin Slots",
+	"plugins.slots.memory": "Memory Plugin",
+	"plugins.entries": "Plugin Entries",
+	"plugins.entries.*.enabled": "Plugin Enabled",
+	"plugins.entries.*.apiKey": "Plugin API Key",
+	"plugins.entries.*.env": "Plugin Environment Variables",
+	"plugins.entries.*.config": "Plugin Config",
+	"plugins.installs": "Plugin Install Records",
+	"plugins.installs.*.source": "Plugin Install Source",
+	"plugins.installs.*.spec": "Plugin Install Spec",
+	"plugins.installs.*.sourcePath": "Plugin Install Source Path",
+	"plugins.installs.*.installPath": "Plugin Install Path",
+	"plugins.installs.*.version": "Plugin Install Version",
+	"plugins.installs.*.resolvedName": "Plugin Resolved Package Name",
+	"plugins.installs.*.resolvedVersion": "Plugin Resolved Package Version",
+	"plugins.installs.*.resolvedSpec": "Plugin Resolved Package Spec",
+	"plugins.installs.*.integrity": "Plugin Resolved Integrity",
+	"plugins.installs.*.shasum": "Plugin Resolved Shasum",
+	"plugins.installs.*.resolvedAt": "Plugin Resolution Time",
+	"plugins.installs.*.installedAt": "Plugin Install Time"
+};
+
+//#endregion
+//#region src/config/schema.tags.ts
+const CONFIG_TAGS = [
+	"security",
+	"auth",
+	"network",
+	"access",
+	"privacy",
+	"observability",
+	"performance",
+	"reliability",
+	"storage",
+	"models",
+	"media",
+	"automation",
+	"channels",
+	"tools",
+	"advanced"
+];
+const TAG_PRIORITY = {
+	security: 0,
+	auth: 1,
+	access: 2,
+	network: 3,
+	privacy: 4,
+	observability: 5,
+	reliability: 6,
+	performance: 7,
+	storage: 8,
+	models: 9,
+	media: 10,
+	automation: 11,
+	channels: 12,
+	tools: 13,
+	advanced: 14
+};
+const TAG_OVERRIDES = {
+	"gateway.auth.token": [
+		"security",
+		"auth",
+		"access",
+		"network"
+	],
+	"gateway.auth.password": [
+		"security",
+		"auth",
+		"access",
+		"network"
+	],
+	"gateway.controlUi.dangerouslyAllowHostHeaderOriginFallback": [
+		"security",
+		"access",
+		"network",
+		"advanced"
+	],
+	"gateway.controlUi.dangerouslyDisableDeviceAuth": [
+		"security",
+		"access",
+		"network",
+		"advanced"
+	],
+	"gateway.controlUi.allowInsecureAuth": [
+		"security",
+		"access",
+		"network",
+		"advanced"
+	]
+};
+const PREFIX_RULES = [
+	{
+		prefix: "channels.",
+		tags: ["channels", "network"]
+	},
+	{
+		prefix: "tools.",
+		tags: ["tools"]
+	},
+	{
+		prefix: "gateway.",
+		tags: ["network"]
+	},
+	{
+		prefix: "nodehost.",
+		tags: ["network"]
+	},
+	{
+		prefix: "discovery.",
+		tags: ["network"]
+	},
+	{
+		prefix: "auth.",
+		tags: ["auth", "access"]
+	},
+	{
+		prefix: "memory.",
+		tags: ["storage"]
+	},
+	{
+		prefix: "models.",
+		tags: ["models"]
+	},
+	{
+		prefix: "diagnostics.",
+		tags: ["observability"]
+	},
+	{
+		prefix: "logging.",
+		tags: ["observability"]
+	},
+	{
+		prefix: "cron.",
+		tags: ["automation"]
+	},
+	{
+		prefix: "talk.",
+		tags: ["media"]
+	},
+	{
+		prefix: "audio.",
+		tags: ["media"]
+	}
+];
+const KEYWORD_RULES = [
+	{
+		pattern: /(token|password|secret|api[_.-]?key|tlsfingerprint)/i,
+		tags: ["security", "auth"]
+	},
+	{
+		pattern: /(allow|deny|owner|permission|policy|access)/i,
+		tags: ["access"]
+	},
+	{
+		pattern: /(timeout|debounce|interval|concurrency|max|limit|cachettl)/i,
+		tags: ["performance"]
+	},
+	{
+		pattern: /(retry|backoff|fallback|circuit|health|reload|probe)/i,
+		tags: ["reliability"]
+	},
+	{
+		pattern: /(path|dir|file|store|db|session|cache)/i,
+		tags: ["storage"]
+	},
+	{
+		pattern: /(telemetry|trace|metrics|logs|diagnostic)/i,
+		tags: ["observability"]
+	},
+	{
+		pattern: /(experimental|dangerously|insecure)/i,
+		tags: ["advanced", "security"]
+	},
+	{
+		pattern: /(privacy|redact|sanitize|anonym|pseudonym)/i,
+		tags: ["privacy"]
+	}
+];
+const MODEL_PATH_PATTERN = /(^|\.)(model|models|modelid|imagemodel)(\.|$)/i;
+const MEDIA_PATH_PATTERN = /(tools\.media\.|^audio\.|^talk\.|image|video|stt|tts)/i;
+const AUTOMATION_PATH_PATTERN = /(cron|heartbeat|schedule|onstart|watchdebounce)/i;
+const AUTH_KEYWORD_PATTERN = /(token|password|secret|api[_.-]?key|credential|oauth)/i;
+function normalizeTag(tag) {
+	const normalized = tag.trim().toLowerCase();
+	return CONFIG_TAGS.includes(normalized) ? normalized : null;
+}
+function normalizeTags(tags) {
+	const out = /* @__PURE__ */ new Set();
+	for (const tag of tags) {
+		const normalized = normalizeTag(tag);
+		if (normalized) out.add(normalized);
+	}
+	return [...out].toSorted((a, b) => TAG_PRIORITY[a] - TAG_PRIORITY[b]);
+}
+function patternToRegExp(pattern) {
+	const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, "[^.]+");
+	return new RegExp(`^${escaped}$`, "i");
+}
+function resolveOverride(path) {
+	const direct = TAG_OVERRIDES[path];
+	if (direct) return direct;
+	for (const [pattern, tags] of Object.entries(TAG_OVERRIDES)) {
+		if (!pattern.includes("*")) continue;
+		if (patternToRegExp(pattern).test(path)) return tags;
+	}
+}
+function addTags(set, tags) {
+	for (const tag of tags) set.add(tag);
+}
+function deriveTagsForPath(path, hint) {
+	const lowerPath = path.toLowerCase();
+	const override = resolveOverride(path);
+	if (override) return normalizeTags(override);
+	const tags = /* @__PURE__ */ new Set();
+	for (const rule of PREFIX_RULES) if (lowerPath.startsWith(rule.prefix)) addTags(tags, rule.tags);
+	for (const rule of KEYWORD_RULES) if (rule.pattern.test(path)) addTags(tags, rule.tags);
+	if (MODEL_PATH_PATTERN.test(path)) tags.add("models");
+	if (MEDIA_PATH_PATTERN.test(path)) tags.add("media");
+	if (AUTOMATION_PATH_PATTERN.test(path)) tags.add("automation");
+	if (hint?.sensitive) {
+		tags.add("security");
+		if (AUTH_KEYWORD_PATTERN.test(path)) tags.add("auth");
+	}
+	if (hint?.advanced) tags.add("advanced");
+	if (tags.size === 0) tags.add("advanced");
+	return normalizeTags([...tags]);
+}
+function applyDerivedTags(hints) {
+	const next = {};
+	for (const [path, hint] of Object.entries(hints)) {
+		const existingTags = Array.isArray(hint?.tags) ? hint.tags : [];
+		const tags = normalizeTags([...deriveTagsForPath(path, hint), ...existingTags]);
+		next[path] = {
+			...hint,
+			tags
+		};
+	}
+	return next;
+}
+
+//#endregion
+//#region src/config/schema.hints.ts
+const log$1 = createSubsystemLogger("config/schema");
+const GROUP_LABELS = {
+	wizard: "Wizard",
+	update: "Update",
+	diagnostics: "Diagnostics",
+	logging: "Logging",
+	gateway: "Gateway",
+	nodeHost: "Node Host",
+	agents: "Agents",
+	tools: "Tools",
+	bindings: "Bindings",
+	audio: "Audio",
+	models: "Models",
+	messages: "Messages",
+	commands: "Commands",
+	session: "Session",
+	cron: "Cron",
+	hooks: "Hooks",
+	ui: "UI",
+	browser: "Browser",
+	talk: "Talk",
+	channels: "Messaging Channels",
+	skills: "Skills",
+	plugins: "Plugins",
+	discovery: "Discovery",
+	presence: "Presence",
+	voicewake: "Voice Wake"
+};
+const GROUP_ORDER = {
+	wizard: 20,
+	update: 25,
+	diagnostics: 27,
+	gateway: 30,
+	nodeHost: 35,
+	agents: 40,
+	tools: 50,
+	bindings: 55,
+	audio: 60,
+	models: 70,
+	messages: 80,
+	commands: 85,
+	session: 90,
+	cron: 100,
+	hooks: 110,
+	ui: 120,
+	browser: 130,
+	talk: 140,
+	channels: 150,
+	skills: 200,
+	plugins: 205,
+	discovery: 210,
+	presence: 220,
+	voicewake: 230,
+	logging: 900
+};
+const FIELD_PLACEHOLDERS = {
+	"gateway.remote.url": "ws://host:18789",
+	"gateway.remote.tlsFingerprint": "sha256:ab12cd34…",
+	"gateway.remote.sshTarget": "user@host",
+	"gateway.controlUi.basePath": "/remoteclaw",
+	"gateway.controlUi.root": "dist/control-ui",
+	"gateway.controlUi.allowedOrigins": "https://control.example.com",
+	"channels.mattermost.baseUrl": "https://chat.example.com",
+	"agents.list[].identity.avatar": "avatars/remoteclaw.png"
+};
+const NORMALIZED_SENSITIVE_KEY_WHITELIST_SUFFIXES = [
+	"maxtokens",
+	"maxoutputtokens",
+	"maxinputtokens",
+	"maxcompletiontokens",
+	"contexttokens",
+	"totaltokens",
+	"tokencount",
+	"tokenlimit",
+	"tokenbudget",
+	"passwordFile"
+].map((suffix) => suffix.toLowerCase());
+const SENSITIVE_PATTERNS = [
+	/token$/i,
+	/password/i,
+	/secret/i,
+	/api.?key/i
+];
+function isWhitelistedSensitivePath(path) {
+	const lowerPath = path.toLowerCase();
+	return NORMALIZED_SENSITIVE_KEY_WHITELIST_SUFFIXES.some((suffix) => lowerPath.endsWith(suffix));
+}
+function matchesSensitivePattern(path) {
+	return SENSITIVE_PATTERNS.some((pattern) => pattern.test(path));
+}
+function isSensitiveConfigPath(path) {
+	return !isWhitelistedSensitivePath(path) && matchesSensitivePattern(path);
+}
+function buildBaseHints() {
+	const hints = {};
+	for (const [group, label] of Object.entries(GROUP_LABELS)) hints[group] = {
+		label,
+		group: label,
+		order: GROUP_ORDER[group]
+	};
+	for (const [path, label] of Object.entries(FIELD_LABELS)) {
+		const current = hints[path];
+		hints[path] = current ? {
+			...current,
+			label
+		} : { label };
+	}
+	for (const [path, help] of Object.entries(FIELD_HELP)) {
+		const current = hints[path];
+		hints[path] = current ? {
+			...current,
+			help
+		} : { help };
+	}
+	for (const [path, placeholder] of Object.entries(FIELD_PLACEHOLDERS)) {
+		const current = hints[path];
+		hints[path] = current ? {
+			...current,
+			placeholder
+		} : { placeholder };
+	}
+	return applyDerivedTags(hints);
+}
+function applySensitiveHints(hints, allowedKeys) {
+	const next = { ...hints };
+	for (const key of Object.keys(next)) {
+		if (allowedKeys && !allowedKeys.has(key)) continue;
+		if (next[key]?.sensitive !== void 0) continue;
+		if (isSensitiveConfigPath(key)) next[key] = {
+			...next[key],
+			sensitive: true
+		};
+	}
+	return next;
+}
+function isUnwrappable(object) {
+	return !!object && typeof object === "object" && "unwrap" in object && typeof object.unwrap === "function" && !(object instanceof z.ZodArray);
+}
+function mapSensitivePaths(schema, path, hints) {
+	let next = { ...hints };
+	let currentSchema = schema;
+	let isSensitive = sensitive.has(currentSchema);
+	while (isUnwrappable(currentSchema)) {
+		currentSchema = currentSchema.unwrap();
+		isSensitive ||= sensitive.has(currentSchema);
+	}
+	if (isSensitive) next[path] = {
+		...next[path],
+		sensitive: true
+	};
+	else if (isSensitiveConfigPath(path) && !next[path]?.sensitive) log$1.warn(`possibly sensitive key found: (${path})`);
+	if (currentSchema instanceof z.ZodObject) {
+		const shape = currentSchema.shape;
+		for (const key in shape) {
+			const nextPath = path ? `${path}.${key}` : key;
+			next = mapSensitivePaths(shape[key], nextPath, next);
+		}
+		const catchallSchema = currentSchema._def.catchall;
+		if (catchallSchema && !(catchallSchema instanceof z.ZodNever)) next = mapSensitivePaths(catchallSchema, path ? `${path}.*` : "*", next);
+	} else if (currentSchema instanceof z.ZodArray) {
+		const nextPath = path ? `${path}[]` : "[]";
+		next = mapSensitivePaths(currentSchema.element, nextPath, next);
+	} else if (currentSchema instanceof z.ZodRecord) {
+		const nextPath = path ? `${path}.*` : "*";
+		next = mapSensitivePaths(currentSchema._def.valueType, nextPath, next);
+	} else if (currentSchema instanceof z.ZodUnion || currentSchema instanceof z.ZodDiscriminatedUnion) for (const option of currentSchema.options) next = mapSensitivePaths(option, path, next);
+	else if (currentSchema instanceof z.ZodIntersection) {
+		next = mapSensitivePaths(currentSchema._def.left, path, next);
+		next = mapSensitivePaths(currentSchema._def.right, path, next);
+	}
+	return next;
+}
+
+//#endregion
+//#region src/config/redact-snapshot.ts
+const log = createSubsystemLogger("config/redaction");
+const ENV_VAR_PLACEHOLDER_PATTERN = /^\$\{[^}]*\}$/;
+function isSensitivePath(path) {
+	if (path.endsWith("[]")) return isSensitiveConfigPath(path.slice(0, -2));
+	else return isSensitiveConfigPath(path);
+}
+function isEnvVarPlaceholder(value) {
+	return ENV_VAR_PLACEHOLDER_PATTERN.test(value.trim());
+}
+function isExplicitlyNonSensitivePath(hints, paths) {
+	if (!hints) return false;
+	return paths.some((path) => hints[path]?.sensitive === false);
+}
+/**
+* Sentinel value used to replace sensitive config fields in gateway responses.
+* Write-side handlers (config.set, config.apply, config.patch) detect this
+* sentinel and restore the original value from the on-disk config, so a
+* round-trip through the Web UI does not corrupt credentials.
+*/
+const REDACTED_SENTINEL = "__REMOTECLAW_REDACTED__";
+function buildRedactionLookup(hints) {
+	let result = /* @__PURE__ */ new Set();
+	for (const [path, hint] of Object.entries(hints)) {
+		if (!hint.sensitive) continue;
+		const parts = path.split(".");
+		let joinedPath = parts.shift() ?? "";
+		result.add(joinedPath);
+		if (joinedPath.endsWith("[]")) result.add(joinedPath.slice(0, -2));
+		for (const part of parts) {
+			if (part.endsWith("[]")) result.add(`${joinedPath}.${part.slice(0, -2)}`);
+			joinedPath = `${joinedPath}.${part}`;
+			result.add(joinedPath);
+		}
+	}
+	if (result.size !== 0) result.add("");
+	return result;
+}
+/**
+* Deep-walk an object and replace string values at sensitive paths
+* with the redaction sentinel.
+*/
+function redactObject(obj, hints) {
+	if (hints) {
+		const lookup = buildRedactionLookup(hints);
+		return lookup.has("") ? redactObjectWithLookup(obj, lookup, "", [], hints) : redactObjectGuessing(obj, "", [], hints);
+	} else return redactObjectGuessing(obj, "", []);
+}
+/**
+* Collect all sensitive string values from a config object.
+* Used for text-based redaction of the raw JSON5 source.
+*/
+function collectSensitiveValues(obj, hints) {
+	const result = [];
+	if (hints) {
+		const lookup = buildRedactionLookup(hints);
+		if (lookup.has("")) redactObjectWithLookup(obj, lookup, "", result, hints);
+		else redactObjectGuessing(obj, "", result, hints);
+	} else redactObjectGuessing(obj, "", result);
+	return result;
+}
+/**
+* Worker for redactObject() and collectSensitiveValues().
+* Used when there are ConfigUiHints available.
+*/
+function redactObjectWithLookup(obj, lookup, prefix, values, hints) {
+	if (obj === null || obj === void 0) return obj;
+	if (Array.isArray(obj)) {
+		const path = `${prefix}[]`;
+		if (!lookup.has(path)) return redactObjectGuessing(obj, prefix, values, hints);
+		return obj.map((item) => {
+			if (typeof item === "string" && !isEnvVarPlaceholder(item)) {
+				values.push(item);
+				return REDACTED_SENTINEL;
+			}
+			return redactObjectWithLookup(item, lookup, path, values, hints);
+		});
+	}
+	if (typeof obj === "object") {
+		const result = {};
+		for (const [key, value] of Object.entries(obj)) {
+			const path = prefix ? `${prefix}.${key}` : key;
+			const wildcardPath = prefix ? `${prefix}.*` : "*";
+			let matched = false;
+			for (const candidate of [path, wildcardPath]) {
+				result[key] = value;
+				if (lookup.has(candidate)) {
+					matched = true;
+					if (typeof value === "string" && !isEnvVarPlaceholder(value)) {
+						result[key] = REDACTED_SENTINEL;
+						values.push(value);
+					} else if (typeof value === "object" && value !== null) result[key] = redactObjectWithLookup(value, lookup, candidate, values, hints);
+					break;
+				}
+			}
+			if (!matched) {
+				const markedNonSensitive = isExplicitlyNonSensitivePath(hints, [path, wildcardPath]);
+				if (typeof value === "string" && !markedNonSensitive && isSensitivePath(path) && !isEnvVarPlaceholder(value)) {
+					result[key] = REDACTED_SENTINEL;
+					values.push(value);
+				} else if (typeof value === "object" && value !== null) result[key] = redactObjectGuessing(value, path, values, hints);
+			}
+		}
+		return result;
+	}
+	return obj;
+}
+/**
+* Worker for redactObject() and collectSensitiveValues().
+* Used when ConfigUiHints are NOT available.
+*/
+function redactObjectGuessing(obj, prefix, values, hints) {
+	if (obj === null || obj === void 0) return obj;
+	if (Array.isArray(obj)) return obj.map((item) => {
+		const path = `${prefix}[]`;
+		if (!isExplicitlyNonSensitivePath(hints, [path]) && isSensitivePath(path) && typeof item === "string" && !isEnvVarPlaceholder(item)) {
+			values.push(item);
+			return REDACTED_SENTINEL;
+		}
+		return redactObjectGuessing(item, path, values, hints);
+	});
+	if (typeof obj === "object") {
+		const result = {};
+		for (const [key, value] of Object.entries(obj)) {
+			const dotPath = prefix ? `${prefix}.${key}` : key;
+			if (!isExplicitlyNonSensitivePath(hints, [dotPath, prefix ? `${prefix}.*` : "*"]) && isSensitivePath(dotPath) && typeof value === "string" && !isEnvVarPlaceholder(value)) {
+				result[key] = REDACTED_SENTINEL;
+				values.push(value);
+			} else if (typeof value === "object" && value !== null) result[key] = redactObjectGuessing(value, dotPath, values, hints);
+			else result[key] = value;
+		}
+		return result;
+	}
+	return obj;
+}
+/**
+* Replace known sensitive values in a raw JSON5 string with the sentinel.
+* Values are replaced longest-first to avoid partial matches.
+*/
+function redactRawText(raw, config, hints) {
+	const sensitiveValues = collectSensitiveValues(config, hints);
+	sensitiveValues.sort((a, b) => b.length - a.length);
+	let result = raw;
+	for (const value of sensitiveValues) result = result.replaceAll(value, REDACTED_SENTINEL);
+	return result;
+}
+/**
+* Returns a copy of the config snapshot with all sensitive fields
+* replaced by {@link REDACTED_SENTINEL}. The `hash` is preserved
+* (it tracks config identity, not content).
+*
+* Both `config` (the parsed object) and `raw` (the JSON5 source) are scrubbed
+* so no credential can leak through either path.
+*
+* When `uiHints` are provided, sensitivity is determined from the schema hints.
+* Without hints, falls back to regex-based detection via `isSensitivePath()`.
+*/
+/**
+* Redact sensitive fields from a plain config object (not a full snapshot).
+* Used by write endpoints (config.set, config.patch, config.apply) to avoid
+* leaking credentials in their responses.
+*/
+function redactConfigObject(value, uiHints) {
+	return redactObject(value, uiHints);
+}
+function redactConfigSnapshot(snapshot, uiHints) {
+	if (!snapshot.valid) return {
+		...snapshot,
+		config: {},
+		raw: null,
+		parsed: null,
+		resolved: {}
+	};
+	const redactedConfig = redactObject(snapshot.config, uiHints);
+	const redactedRaw = snapshot.raw ? redactRawText(snapshot.raw, snapshot.config, uiHints) : null;
+	const redactedParsed = snapshot.parsed ? redactObject(snapshot.parsed, uiHints) : snapshot.parsed;
+	const redactedResolved = redactConfigObject(snapshot.resolved, uiHints);
+	return {
+		...snapshot,
+		config: redactedConfig,
+		raw: redactedRaw,
+		parsed: redactedParsed,
+		resolved: redactedResolved
+	};
+}
+/**
+* Deep-walk `incoming` and replace any {@link REDACTED_SENTINEL} values
+* (on sensitive paths) with the corresponding value from `original`.
+*
+* This is called by config.set / config.apply / config.patch before writing,
+* so that credentials survive a Web UI round-trip unmodified.
+*/
+function restoreRedactedValues(incoming, original, hints) {
+	if (incoming === null || incoming === void 0) return {
+		ok: false,
+		error: "no input"
+	};
+	if (typeof incoming !== "object") return {
+		ok: false,
+		error: "input not an object"
+	};
+	try {
+		if (hints) {
+			const lookup = buildRedactionLookup(hints);
+			if (lookup.has("")) return {
+				ok: true,
+				result: restoreRedactedValuesWithLookup(incoming, original, lookup, "", hints)
+			};
+			else return {
+				ok: true,
+				result: restoreRedactedValuesGuessing(incoming, original, "", hints)
+			};
+		} else return {
+			ok: true,
+			result: restoreRedactedValuesGuessing(incoming, original, "")
+		};
+	} catch (err) {
+		if (err instanceof RedactionError) return {
+			ok: false,
+			humanReadableMessage: `Sentinel value "${REDACTED_SENTINEL}" in key ${err.key} is not valid as real data`
+		};
+		throw err;
+	}
+}
+var RedactionError = class extends Error {
+	constructor(key) {
+		super("internal error class---should never escape");
+		this.key = key;
+		this.name = "RedactionError";
+	}
+};
+function restoreOriginalValueOrThrow(params) {
+	if (params.key in params.original) return params.original[params.key];
+	log.warn(`Cannot un-redact config key ${params.path} as it doesn't have any value`);
+	throw new RedactionError(params.path);
+}
+function mapRedactedArray(params) {
+	const originalArray = Array.isArray(params.original) ? params.original : [];
+	if (params.incoming.length < originalArray.length) log.warn(`Redacted config array key ${params.path} has been truncated`);
+	return params.incoming.map((item, index) => params.mapItem(item, index, originalArray));
+}
+function toObjectRecord(value) {
+	if (value && typeof value === "object" && !Array.isArray(value)) return value;
+	return {};
+}
+function shouldPassThroughRestoreValue(incoming) {
+	return incoming === null || incoming === void 0 || typeof incoming !== "object";
+}
+function toRestoreArrayContext(incoming, prefix) {
+	if (!Array.isArray(incoming)) return null;
+	return {
+		incoming,
+		path: `${prefix}[]`
+	};
+}
+function restoreArrayItemWithLookup(params) {
+	if (params.item === REDACTED_SENTINEL) return params.originalArray[params.index];
+	return restoreRedactedValuesWithLookup(params.item, params.originalArray[params.index], params.lookup, params.path, params.hints);
+}
+function restoreArrayItemWithGuessing(params) {
+	if (!isExplicitlyNonSensitivePath(params.hints, [params.path]) && isSensitivePath(params.path) && params.item === REDACTED_SENTINEL) return params.originalArray[params.index];
+	return restoreRedactedValuesGuessing(params.item, params.originalArray[params.index], params.path, params.hints);
+}
+function restoreGuessingArray(incoming, original, path, hints) {
+	return mapRedactedArray({
+		incoming,
+		original,
+		path,
+		mapItem: (item, index, originalArray) => restoreArrayItemWithGuessing({
+			item,
+			index,
+			originalArray,
+			path,
+			hints
+		})
+	});
+}
+/**
+* Worker for restoreRedactedValues().
+* Used when there are ConfigUiHints available.
+*/
+function restoreRedactedValuesWithLookup(incoming, original, lookup, prefix, hints) {
+	if (shouldPassThroughRestoreValue(incoming)) return incoming;
+	const arrayContext = toRestoreArrayContext(incoming, prefix);
+	if (arrayContext) {
+		const { incoming: incomingArray, path } = arrayContext;
+		if (!lookup.has(path)) return restoreRedactedValuesGuessing(incomingArray, original, prefix, hints);
+		return mapRedactedArray({
+			incoming: incomingArray,
+			original,
+			path,
+			mapItem: (item, index, originalArray) => restoreArrayItemWithLookup({
+				item,
+				index,
+				originalArray,
+				lookup,
+				path,
+				hints
+			})
+		});
+	}
+	const orig = toObjectRecord(original);
+	const result = {};
+	for (const [key, value] of Object.entries(incoming)) {
+		result[key] = value;
+		const path = prefix ? `${prefix}.${key}` : key;
+		const wildcardPath = prefix ? `${prefix}.*` : "*";
+		let matched = false;
+		for (const candidate of [path, wildcardPath]) if (lookup.has(candidate)) {
+			matched = true;
+			if (value === REDACTED_SENTINEL) result[key] = restoreOriginalValueOrThrow({
+				key,
+				path: candidate,
+				original: orig
+			});
+			else if (typeof value === "object" && value !== null) result[key] = restoreRedactedValuesWithLookup(value, orig[key], lookup, candidate, hints);
+			break;
+		}
+		if (!matched) {
+			if (!isExplicitlyNonSensitivePath(hints, [path, wildcardPath]) && isSensitivePath(path) && value === REDACTED_SENTINEL) result[key] = restoreOriginalValueOrThrow({
+				key,
+				path,
+				original: orig
+			});
+			else if (typeof value === "object" && value !== null) result[key] = restoreRedactedValuesGuessing(value, orig[key], path, hints);
+		}
+	}
+	return result;
+}
+/**
+* Worker for restoreRedactedValues().
+* Used when ConfigUiHints are NOT available.
+*/
+function restoreRedactedValuesGuessing(incoming, original, prefix, hints) {
+	if (shouldPassThroughRestoreValue(incoming)) return incoming;
+	const arrayContext = toRestoreArrayContext(incoming, prefix);
+	if (arrayContext) {
+		const { incoming: incomingArray, path } = arrayContext;
+		return restoreGuessingArray(incomingArray, original, path, hints);
+	}
+	const orig = toObjectRecord(original);
+	const result = {};
+	for (const [key, value] of Object.entries(incoming)) {
+		const path = prefix ? `${prefix}.${key}` : key;
+		if (!isExplicitlyNonSensitivePath(hints, [path, prefix ? `${prefix}.*` : "*"]) && isSensitivePath(path) && value === REDACTED_SENTINEL) result[key] = restoreOriginalValueOrThrow({
+			key,
+			path,
+			original: orig
+		});
+		else if (typeof value === "object" && value !== null) result[key] = restoreRedactedValuesGuessing(value, orig[key], path, hints);
+		else result[key] = value;
+	}
+	return result;
+}
+
+//#endregion
+export { buildBaseHints as a, applySensitiveHints as i, redactConfigSnapshot as n, mapSensitivePaths as o, restoreRedactedValues as r, applyDerivedTags as s, redactConfigObject as t };