openclaw
diff --git a/‎AGENTS.md‎
Lines changed: 1 addition & 1 deletion b/‎AGENTS.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/channels/whatsapp.md‎
Lines changed: 21 additions & 2 deletions b/‎docs/channels/whatsapp.md‎
Lines changed: 21 additions & 2 deletions
diff --git a/‎docs/cli/channels.md‎
Lines changed: 2 additions & 0 deletions b/‎docs/cli/channels.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎docs/platforms/mac/remote.md‎
Lines changed: 1 addition & 0 deletions b/‎docs/platforms/mac/remote.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎extensions/whatsapp/src/auth-store.test.ts‎
Lines changed: 120 additions & 3 deletions b/‎extensions/whatsapp/src/auth-store.test.ts‎
Lines changed: 120 additions & 3 deletions
@@ -109,7 +109,7 @@ Skills own workflows; root owns hard policy and routing.
 - `ship` that fixes an issue: after push, comment proof + commit link, then close the issue.
 - GH comments with backticks, `$`, or shell snippets: use heredoc/body file, not inline double-quoted `--body`.
 - PR create: real body required. Include Summary + Verification; mention refs, behavior, and proof.
-- Real behavior proof section is parsed. Use exact `field: value` labels: `Behavior addressed`, `Real environment tested`, `Exact steps or command run after this patch`, `Evidence after fix`, `Observed result after fix`, `What was not tested`.
+- External/contributor PRs must include a `## Real behavior proof` section in the PR body. The `pull_request_target` proof check parses it and fails immediately when it is missing. Use exact `field: value` labels: `Behavior addressed`, `Real environment tested`, `Exact steps or command run after this patch`, `Evidence after fix`, `Observed result after fix`, `What was not tested`.
 - PR artifacts/screenshots: attach to PR/comment/external artifact store. Do not commit `.github/pr-assets`.
 - CI polling: exact SHA, relevant checks only, minimal fields. Skip routine noise (`Auto response`, `Labeler`, docs agents, performance/stale). Logs only after failure/completion or concrete need.
 - Maintainers: may skip/ignore `Real behavior proof` when local tests or Crabbox verified behavior; record proof in PR verification.
 
@@ -60,7 +60,7 @@ fallback. Pin an exact version only when you need a reproducible install.
 
   </Step>
 
-  <Step title="Link WhatsApp (QR)">
+  <Step title="Link WhatsApp">
 
 ```bash
 openclaw channels login --channel whatsapp
@@ -74,6 +74,12 @@ openclaw channels login --channel whatsapp
 
 ```bash
 openclaw channels login --channel whatsapp --account work
+```
+
+    If the phone cannot scan a QR code, request a phone-code login instead. Use the full phone number with country code; punctuation is accepted and normalized before OpenClaw asks WhatsApp for the code. Omit optional national trunk prefixes such as `(0)`.
+
+```bash
+openclaw channels login --channel whatsapp --account work --phone-number 15551234567
 ```
 
     To attach an existing/custom WhatsApp Web auth directory before login:
@@ -590,18 +596,31 @@ Behavior notes:
 ## Troubleshooting
 
 <AccordionGroup>
-  <Accordion title="Not linked (QR required)">
+  <Accordion title="Not linked (QR or phone code required)">
     Symptom: channel status reports not linked.
 
     Fix:
 
     ```bash
     openclaw channels login --channel whatsapp
+    # or, when QR scanning is unavailable:
+    openclaw channels login --channel whatsapp --phone-number 15551234567
     openclaw channels status
     ```
 
   </Accordion>
 
+  <Accordion title="QR scanner unavailable">
+    Use WhatsApp's phone-code linked-device flow:
+
+    ```bash
+    openclaw channels login --channel whatsapp --phone-number 15551234567
+    ```
+
+    Open WhatsApp on the phone, go to _Linked Devices_, choose _Link with phone number_, then enter the code printed by OpenClaw. After the phone accepts it, OpenClaw saves the same WhatsApp Web credentials used by QR login. Enter the international number only, without optional trunk-prefix notation such as `(0)`.
+
+  </Accordion>
+
   <Accordion title="Linked but disconnected / reconnect loop">
     Symptom: linked account with repeated disconnects or reconnect attempts.
 
 
@@ -100,10 +100,12 @@ If your config was already in a mixed state (named accounts present and top-leve
 
 ```bash
 openclaw channels login --channel whatsapp
+openclaw channels login --channel whatsapp --phone-number 15551234567
 openclaw channels logout --channel whatsapp
 ```
 
 - `channels login` supports `--verbose`.
+- Channels that support phone-code login can also consume `--phone-number <number>`. WhatsApp normalizes punctuation and sends digits with country code to WhatsApp's linked-device code flow. Omit optional national trunk prefixes such as `(0)`.
 - `channels login` and `logout` can infer the channel when only one supported login target is configured.
 - `channels logout` prefers the live Gateway path when reachable, so logout stops any active listener before clearing channel auth state. If a local Gateway is not reachable, it falls back to local auth cleanup.
 - Run `channels login` from a terminal on the gateway host. Agent `exec` blocks this interactive login flow; channel-native agent login tools, such as `whatsapp_login`, should be used from chat when available.
 
@@ -96,6 +96,7 @@ the selected transport when it starts.
 ## WhatsApp login flow (remote)
 
 - Run `openclaw channels login --verbose` **on the remote host**. Scan the QR with WhatsApp on your phone.
+- If QR scanning is unavailable, run `openclaw channels login --verbose --phone-number 15551234567` on the remote host, then enter the printed code in WhatsApp under _Linked Devices_ → _Link with phone number_.
 - Re-run login on that host if auth expires. Health check will surface link problems.
 
 ## Troubleshooting
 
@@ -3,6 +3,7 @@ import fs from "node:fs/promises";
 import path from "node:path";
 import { beforeEach, describe, expect, it, vi } from "vitest";
 import {
+  clearStalePhoneCodePairingAuthIfNeeded,
   getWebAuthAgeMs,
   hasWebCredsSync,
   logoutWeb,
@@ -150,11 +151,18 @@ describe("auth-store", () => {
 
   it("reports linked auth state and snapshot from the shared read helper", async () => {
     const authDir = createTempAuthDir("openclaw-wa-auth-linked");
+    const credsPath = path.join(authDir, "creds.json");
     fsSync.writeFileSync(
-      path.join(authDir, "creds.json"),
-      JSON.stringify({ me: { id: "15551234567@s.whatsapp.net" } }),
+      credsPath,
+      JSON.stringify({
+        account: { details: "present" },
+        me: { id: "15551234567@s.whatsapp.net" },
+        platform: "chrome",
+      }),
       "utf-8",
     );
+    const stablePast = new Date(Date.now() - 1000);
+    fsSync.utimesSync(credsPath, stablePast, stablePast);
 
     await expect(readWebAuthState(authDir)).resolves.toBe("linked");
     const snapshot = await readWebAuthSnapshot(authDir);
@@ -229,11 +237,120 @@ describe("auth-store", () => {
     },
   );
 
+  it("does not report phone-code pairing attempts as linked auth", async () => {
+    const authDir = createTempAuthDir("openclaw-wa-auth-pairing-partial");
+    fsSync.writeFileSync(
+      path.join(authDir, "creds.json"),
+      JSON.stringify({
+        me: { id: "15551234567@s.whatsapp.net" },
+        pairingCode: "ABCDEFGH",
+        registered: false,
+      }),
+      "utf-8",
+    );
+
+    await expect(webAuthExists(authDir)).resolves.toBe(false);
+    await expect(readWebAuthState(authDir)).resolves.toBe("not-linked");
+    expect(hasWebCredsSync(authDir)).toBe(false);
+  });
+
+  it("clears stale partial phone-code pairing credentials before login", async () => {
+    await withOwnedOAuthAuthDir("openclaw-wa-auth-clear-pairing-partial", async (authDir) => {
+      fsSync.writeFileSync(
+        path.join(authDir, "creds.json"),
+        JSON.stringify({
+          me: { id: "15551234567@s.whatsapp.net" },
+          pairingCode: "ABCDEFGH",
+          registered: false,
+        }),
+        "utf-8",
+      );
+      fsSync.writeFileSync(path.join(authDir, "pre-key-1.json"), "{}", "utf-8");
+      const runtime = {
+        log: vi.fn(),
+        error: vi.fn(),
+        exit: vi.fn(),
+      };
+
+      await expect(
+        clearStalePhoneCodePairingAuthIfNeeded({ authDir, runtime: runtime as never }),
+      ).resolves.toBe(true);
+
+      expect(fsSync.existsSync(authDir)).toBe(false);
+      expect(runtime.log).toHaveBeenCalledWith(
+        expect.stringContaining("Cleared stale partial WhatsApp phone-code pairing credentials"),
+      );
+    });
+  });
+
+  it("restores valid backup before clearing partial phone-code pairing credentials", async () => {
+    await withOwnedOAuthAuthDir("openclaw-wa-auth-clear-pairing-with-backup", async (authDir) => {
+      const credsPath = path.join(authDir, "creds.json");
+      const backupPath = path.join(authDir, "creds.json.bak");
+      const backupCreds = {
+        account: { details: "present" },
+        me: { id: "15551234567@s.whatsapp.net" },
+        platform: "chrome",
+        registered: false,
+      };
+      fsSync.writeFileSync(
+        credsPath,
+        JSON.stringify({
+          me: { id: "15551234567@s.whatsapp.net" },
+          pairingCode: "ABCDEFGH",
+          registered: false,
+        }),
+        "utf-8",
+      );
+      fsSync.writeFileSync(backupPath, JSON.stringify(backupCreds), "utf-8");
+      const runtime = {
+        log: vi.fn(),
+        error: vi.fn(),
+        exit: vi.fn(),
+      };
+
+      await expect(
+        clearStalePhoneCodePairingAuthIfNeeded({ authDir, runtime: runtime as never }),
+      ).resolves.toBe(true);
+
+      expect(fsSync.existsSync(authDir)).toBe(true);
+      expect(JSON.parse(fsSync.readFileSync(credsPath, "utf-8"))).toEqual(backupCreds);
+      expect(JSON.parse(fsSync.readFileSync(backupPath, "utf-8"))).toEqual(backupCreds);
+      expect(hasWebCredsSync(authDir)).toBe(true);
+      expect(runtime.log).toHaveBeenCalledWith(
+        expect.stringContaining("Restored WhatsApp Web credentials from backup"),
+      );
+    });
+  });
+
+  it("keeps fully linked credentials during partial-pairing cleanup", async () => {
+    await withOwnedOAuthAuthDir("openclaw-wa-auth-keep-linked", async (authDir) => {
+      fsSync.writeFileSync(
+        path.join(authDir, "creds.json"),
+        JSON.stringify({
+          account: { details: "present" },
+          me: { id: "15551234567@s.whatsapp.net" },
+          platform: "chrome",
+          registered: false,
+        }),
+        "utf-8",
+      );
+
+      await expect(clearStalePhoneCodePairingAuthIfNeeded({ authDir })).resolves.toBe(false);
+      expect(fsSync.existsSync(path.join(authDir, "creds.json"))).toBe(true);
+      expect(hasWebCredsSync(authDir)).toBe(true);
+    });
+  });
+
   it("reports unstable auth state when the shared barrier read times out", async () => {
     const authDir = createTempAuthDir("openclaw-wa-auth-unstable-state");
     fsSync.writeFileSync(
       path.join(authDir, "creds.json"),
-      JSON.stringify({ me: { id: "15551234567@s.whatsapp.net" } }),
+      JSON.stringify({
+        account: { details: "present" },
+        me: { id: "15551234567@s.whatsapp.net" },
+        platform: "chrome",
+      }),
       "utf-8",
     );
     hoisted.waitForCredsSaveQueueWithTimeout