openclaw
diff --git a/‎.agents/skills/discrawl/SKILL.md‎
Lines changed: 131 additions & 6 deletions b/‎.agents/skills/discrawl/SKILL.md‎
Lines changed: 131 additions & 6 deletions
diff --git a/‎.agents/skills/openclaw-changelog-update/SKILL.md‎
Lines changed: 14 additions & 4 deletions b/‎.agents/skills/openclaw-changelog-update/SKILL.md‎
Lines changed: 14 additions & 4 deletions
diff --git a/‎.agents/skills/release-openclaw-ci/scripts/release-ci-summary.mjs‎
Lines changed: 48 additions & 6 deletions b/‎.agents/skills/release-openclaw-ci/scripts/release-ci-summary.mjs‎
Lines changed: 48 additions & 6 deletions
diff --git a/‎.agents/skills/release-openclaw-maintainer/SKILL.md‎
Lines changed: 15 additions & 3 deletions b/‎.agents/skills/release-openclaw-maintainer/SKILL.md‎
Lines changed: 15 additions & 3 deletions
diff --git a/‎.github/actions/ensure-base-commit/action.yml‎
Lines changed: 8 additions & 2 deletions b/‎.github/actions/ensure-base-commit/action.yml‎
Lines changed: 8 additions & 2 deletions
diff --git a/‎.github/codeql/codeql-network-runtime-boundary-critical-quality.yml‎
Lines changed: 1 addition & 0 deletions b/‎.github/codeql/codeql-network-runtime-boundary-critical-quality.yml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎.github/codeql/codeql-network-ssrf-boundary-critical-security.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/codeql/codeql-network-ssrf-boundary-critical-security.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/labeler.yml‎
Lines changed: 6 additions & 0 deletions b/‎.github/labeler.yml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎.github/workflows/auto-response.yml‎
Lines changed: 0 additions & 7 deletions b/‎.github/workflows/auto-response.yml‎
Lines changed: 0 additions & 7 deletions
@@ -1,6 +1,6 @@
 ---
 name: discrawl
-description: "Discord archive: search, sync freshness, DMs, channel slices, SQL counts, and Discrawl repo work."
+description: "Discord archive: search, sync freshness, DMs, summaries, TUI, repo/release work."
 metadata:
   openclaw:
     homepage: https://github.com/openclaw/discrawl
@@ -16,29 +16,154 @@ metadata:
 
 # Discrawl
 
-Use local Discord archive data before live Discord APIs. Check freshness for recent/current questions:
+Use local Discord archive data first for Discord questions. Hit Discord APIs
+only when the archive is stale, missing the requested scope, or the user asks
+for current external context.
+
+## Sources
+
+- DB: platform-native XDG data dir, usually
+  `${XDG_DATA_HOME:-~/.local/share}/discrawl/discrawl.db` on Linux or
+  `~/Library/Application Support/discrawl/discrawl.db` on macOS
+- Config: platform-native XDG config dir, with legacy fallback to
+  `~/.discrawl/config.toml`
+- Cache: platform-native XDG cache dir
+- Logs: platform-native XDG state dir
+- Git share repo: platform-native XDG data dir
+- Repo: `openclaw/discrawl`; use `~/GIT/_Perso/discrawl` only after verifying
+  its remote targets `openclaw/discrawl`, otherwise use a fresh checkout
+- Preferred CLI: `discrawl`; fallback to `go run ./cmd/discrawl` from the repo
+  if the installed binary is stale
+
+## Freshness
+
+For recent/current questions, check freshness before analysis:
 
 ```bash
 discrawl status --json
+```
+
+For precise freshness from the default database:
+
+```bash
+# Discrawl uses macOS ~/Library defaults unless XDG_DATA_HOME is explicitly set.
+case "$(uname -s)" in
+  Darwin)
+    db="$HOME/Library/Application Support/discrawl/discrawl.db"
+    ;;
+  *)
+    db="${XDG_DATA_HOME:-$HOME/.local/share}/discrawl/discrawl.db"
+    ;;
+esac
+sqlite3 "$db" \
+  "select coalesce(max(updated_at),'') from sync_state where scope like 'channel:%';"
+```
+
+Routine diagnostics:
+
+```bash
 discrawl doctor
 ```
 
-Refresh only when stale or asked:
+Desktop-local refresh:
 
 ```bash
 discrawl sync --source wiretap
+```
+
+Bot API latest refresh, when credentials are available:
+
+```bash
 discrawl sync
 ```
 
-Query with bounded slices:
+Use `--full` only for deliberate historical backfills:
+
+```bash
+discrawl sync --full
+```
+
+If SQLite reports busy/locked, check for stray `discrawl` processes before retrying.
+
+## Query Workflow
+
+1. Resolve scope: guild, channel, DM, author, keyword, date range.
+2. Check freshness for recent/current requests.
+3. Prefer CLI search/messages for slices; use read-only SQL for exact counts.
+4. Report absolute date spans, counts, channel/DM names, and known gaps.
+
+Use root or subcommand help for syntax: `discrawl --help`,
+`discrawl help search`, `discrawl search --help`. Use
+`DISCRAWL_NO_AUTO_UPDATE=1` for read smokes when you do not want git-share
+updates.
+
+Common commands:
 
 ```bash
 DISCRAWL_NO_AUTO_UPDATE=1 discrawl search --limit 20 "query"
 discrawl messages --channel '#maintainers' --days 7 --all
 discrawl dms --last 20
+discrawl tui --dm
 DISCRAWL_NO_AUTO_UPDATE=1 discrawl --json sql "select count(*) from messages;"
 ```
 
-Report absolute date spans, channel/DM names, counts, and known gaps. Use read-only SQL for exact counts/rankings. Never use `--unsafe --confirm` unless the user explicitly requests a reviewed DB mutation.
+## SQL
+
+Use `discrawl sql` for exact counts, joins, and ranking queries when normal
+CLI reads are too coarse. The command is read-only by default, accepts SQL as
+args or stdin, and supports `--json` for agent parsing.
+
+Useful examples:
+
+```bash
+DISCRAWL_NO_AUTO_UPDATE=1 discrawl --json sql "select count(*) as messages from messages;"
+DISCRAWL_NO_AUTO_UPDATE=1 discrawl --json sql "select coalesce(nullif(c.name, ''), m.channel_id) as channel, count(*) as messages from messages m left join channels c on c.id = m.channel_id group by m.channel_id order by messages desc limit 20;"
+DISCRAWL_NO_AUTO_UPDATE=1 discrawl --json sql "select coalesce(nullif(mm.display_name, ''), nullif(mm.global_name, ''), nullif(mm.username, ''), m.author_id) as author, count(*) as messages from messages m left join members mm on mm.guild_id = m.guild_id and mm.user_id = m.author_id group by m.guild_id, m.author_id order by messages desc limit 20;"
+```
+
+Never use `--unsafe --confirm` unless the user explicitly asks for a database
+mutation and the write has been reviewed.
+
+When the installed CLI lacks a new feature, build or run from a verified
+`openclaw/discrawl` checkout before concluding the feature is missing.
+
+## Discord Boundaries
+
+Bot API sync requires configured Discord bot credentials; do not invent token
+availability. Desktop wiretap mode reads local Discord Desktop artifacts and
+must not extract credentials, use user tokens, call Discord as the user, or
+write to Discord application storage. Wiretap/Desktop cache DMs are local-only
+and must not be described as part of the published Git snapshot. Git-share
+snapshots must not include secrets or `@me` DM rows.
+
+## Verification
+
+For repo edits, prefer existing Go gates:
+
+```bash
+GOWORK=off go test ./...
+```
+
+Then run targeted CLI smoke for the touched surface, for example:
+
+```bash
+discrawl doctor
+discrawl status --json
+DISCRAWL_NO_AUTO_UPDATE=1 discrawl search --limit 5 "test"
+```
+
+## ClawSweeper Sandbox
+
+Use the sandbox reader only:
+
+```bash
+discrawl-sandbox search --limit 20 "query"
+discrawl-sandbox messages --channel clawtributors --days 7 --all
+discrawl-sandbox status --json
+```
 
-Boundaries: bot sync needs configured Discord bot credentials. Wiretap reads local Discord Desktop artifacts only; do not extract user tokens, call Discord as the user, or write to Discord storage. Git-share snapshots must not include secrets or `@me` DM rows.
+This reader imports `https://github.com/openclaw/discord-store.git` into
+`/root/clawsweeper-sandbox-workspace/.discrawl/discrawl.db` with
+`discord.token_source = "none"`. The published Git snapshot is public-channel
+filtered; do not use `/root/.discrawl/config.toml` or the rich writer DB from
+sandboxed public Discord sessions.
@@ -6,14 +6,16 @@ description: Regenerate OpenClaw release changelog sections from git history bef
 # OpenClaw Changelog Update
 
 Use this for release changelog rewrites and GitHub release-note source text.
-Use it with `release-openclaw-maintainer`; this skill owns changelog content,
-ordering, and audit discipline.
+This is mandatory before every beta, beta rerun, stable release, or stable
+rerun. Use it with `release-openclaw-maintainer`; this skill owns changelog
+content, ordering, grouping, and attribution discipline.
 
 ## Goal
 
 Rewrite the target `CHANGELOG.md` version section from history, not from stale
-draft notes. Produce user-facing release notes sorted by user interest while
-preserving issue/PR refs and thanks.
+draft notes. Produce grouped user-facing release notes sorted by user interest
+while preserving every relevant issue/PR ref and every human `Thanks @...`
+attribution.
 
 ## Inputs
 
@@ -44,10 +46,18 @@ preserving issue/PR refs and thanks.
    - `### Highlights`: 5-8 bullets, broad user wins first
    - `### Changes`: new capabilities and behavior changes
    - `### Fixes`: user-facing fixes first, grouped by impact and surface
+   - group related changes/fixes by surface and user impact; avoid one bullet
+     per tiny commit when several commits tell one user-facing story
 6. Preserve attribution:
    - keep `#issue`, `(#PR)`, `Fixes #...`, and `Thanks @...`
    - every human-authored merged PR represented by a user-facing entry needs
      its PR ref and `Thanks @author`, even when the PR had no linked issue
+   - when grouping multiple PRs/issues in one bullet, include every relevant
+     PR/issue ref and every human contributor handle in that same bullet
+   - multiple `Thanks @...` handles in one bullet are expected; do not drop or
+     collapse contributor credit just because the note is grouped
+   - if one grouped bullet covers both direct commits and PRs, keep all PR refs
+     and thanks, plus any issue refs from the direct commits
    - do not add GHSA references, advisory IDs, or security advisory slugs to
      changelog entries or GitHub release-note text unless explicitly requested
    - never thank bots, `@openclaw`, `@clawsweeper`, or `@steipete`
 
@@ -21,6 +21,30 @@ function jsonGh(args) {
   return JSON.parse(gh(args));
 }
 
+function githubRestJson(pathSuffix) {
+  const result = execFileSync(
+    "bash",
+    [
+      "-lc",
+      [
+        "set -euo pipefail",
+        'token="$(gh auth token)"',
+        'curl -fsS -H "Authorization: Bearer ${token}" -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" "${OPENCLAW_GITHUB_REST_URL}"',
+      ].join("\n"),
+    ],
+    {
+      encoding: "utf8",
+      env: {
+        ...process.env,
+        OPENCLAW_GITHUB_REST_URL: `https://api.github.com/repos/${repo}/${pathSuffix}`,
+      },
+      maxBuffer: 16 * 1024 * 1024,
+      stdio: ["ignore", "pipe", "pipe"],
+    },
+  );
+  return JSON.parse(result);
+}
+
 function rate() {
   try {
     return jsonGh(["api", "rate_limit"]).resources.core;
@@ -59,12 +83,30 @@ for (const job of parent.jobs ?? []) {
 }
 
 const since = parent.createdAt;
-const runList = gh([
-  "api",
-  `repos/${repo}/actions/runs?per_page=100`,
-  "--jq",
-  `.workflow_runs[] | select(.created_at >= "${since}") | select(.name=="CI" or .name=="OpenClaw Release Checks" or .name=="Plugin Prerelease" or .name=="NPM Telegram Beta E2E" or .name=="Full Release Validation") | [.id,.name,.status,.conclusion,.head_sha,.html_url] | @tsv`,
-]).trim();
+const runsQuery = new URLSearchParams({
+  per_page: "100",
+  created: `>=${since}`,
+  exclude_pull_requests: "true",
+});
+const childWorkflowNames = new Set([
+  "CI",
+  "OpenClaw Release Checks",
+  "Plugin Prerelease",
+  "NPM Telegram Beta E2E",
+  "Full Release Validation",
+]);
+const runs = githubRestJson(`actions/runs?${runsQuery.toString()}`).workflow_runs ?? [];
+const runList = runs
+  .filter(
+    (run) =>
+      run.created_at >= since &&
+      run.head_sha === parent.headSha &&
+      childWorkflowNames.has(run.name),
+  )
+  .map((run) =>
+    [run.id, run.name, run.status, run.conclusion ?? "", run.head_sha, run.html_url].join("\t"),
+  )
+  .join("\n");
 
 if (!runList) {
   console.log("children: none found yet");
 
@@ -69,9 +69,13 @@ Use this skill for release and publish-time workflow. Load `$release-private` if
   or clawgrit reports. Report regressions explicitly. A major regression is a
   release blocker unless the operator waives it or the data clearly proves
   infrastructure noise.
-- Generate the changelog before version/tag preparation so the top changelog
-  section is deduped and ordered by user impact. Use
-  `$openclaw-changelog-update` for the rewrite.
+- Generate the changelog before every beta, beta rerun, stable release, or
+  stable rerun, before version/tag preparation. Use
+  `$openclaw-changelog-update` for the rewrite. Do not continue release prep if
+  the target `CHANGELOG.md` section does not have `### Highlights`,
+  `### Changes`, and `### Fixes`, grouped by user-facing surface while
+  preserving every relevant PR/issue ref and every human `Thanks @...`
+  attribution in the grouped bullet.
 - Do not create beta-specific `CHANGELOG.md` headings. Beta releases use the
   stable base version section, for example `v2026.4.20-beta.1` uses
   `## 2026.4.20` release notes.
@@ -144,6 +148,9 @@ Use this skill for release and publish-time workflow. Load `$release-private` if
   section from history, not existing notes. Use the last reachable stable or
   beta release tag as the base, then inspect every commit through the target
   release SHA.
+- The changelog rewrite is not optional for beta reruns: any `beta.N` after a
+  rebase or backport must refresh the same stable-base `## YYYY.M.D` section
+  before the new version/tag commit.
 - Include both merged PR commits and direct commits on `main`. Direct commits
   matter: infer notes from their subject, body, touched files, linked issues,
   tests, and nearby code when no PR body exists.
@@ -157,6 +164,11 @@ Use this skill for release and publish-time workflow. Load `$release-private` if
 - Add missed user-facing changes, remove internal-only noise, dedupe overlapping
   PR/direct-commit entries, and sort each section from most to least interesting
   for users.
+- Group related highlights, changes, and fixes by user-facing surface and
+  impact, but never lose traceability: each grouped bullet keeps every relevant
+  `#issue`, `(#PR)`, `Fixes #...`, and every human `Thanks @...` handle.
+  Multiple thanks in one bullet are expected when multiple contributor PRs are
+  grouped.
 - Changelog entries should be user-facing, not internal release-process notes.
 - GitHub release and prerelease bodies must use the full matching
   `CHANGELOG.md` version section, not highlights or an excerpt. When creating
 
@@ -38,9 +38,15 @@ runs:
           exit 0
         fi
 
+        fetch_base_ref() {
+          timeout --signal=TERM --kill-after=10s 30s git \
+            -c protocol.version=2 \
+            fetch "$@"
+        }
+
         for deepen_by in 25 100 300; do
           echo "Base commit missing; deepening $FETCH_REF by $deepen_by."
-          if ! git fetch --no-tags --deepen="$deepen_by" origin -- "$FETCH_REF"; then
+          if ! fetch_base_ref --no-tags --deepen="$deepen_by" origin -- "$FETCH_REF"; then
             echo "::warning title=ensure-base-commit fetch failed::Failed to deepen $FETCH_REF by $deepen_by while looking for $BASE_SHA"
           fi
           if git rev-parse --verify "$BASE_SHA^{commit}" >/dev/null 2>&1; then
@@ -50,7 +56,7 @@ runs:
         done
 
         echo "Base commit still missing; fetching full history for $FETCH_REF."
-        if ! git fetch --no-tags origin -- "$FETCH_REF"; then
+        if ! fetch_base_ref --no-tags origin -- "$FETCH_REF"; then
           echo "::warning title=ensure-base-commit fetch failed::Failed to fetch full history for $FETCH_REF while looking for $BASE_SHA"
         fi
         if git rev-parse --verify "$BASE_SHA^{commit}" >/dev/null 2>&1; then
 
@@ -9,6 +9,7 @@ queries:
 paths:
   - src
   - extensions
+  - packages/net-policy/src
 
 paths-ignore:
   - "**/node_modules"
 
@@ -15,14 +15,14 @@ query-filters:
 
 paths:
   - src/infra/net
-  - src/shared/net
   - src/agents/tools/web-fetch.ts
   - src/agents/tools/web-guarded-fetch.ts
   - src/agents/tools/web-shared.ts
   - src/plugin-sdk/ssrf-policy.ts
   - src/web-fetch
   - src/web/provider-runtime-shared.ts
   - packages/memory-host-sdk/src/host/ssrf-policy.ts
+  - packages/net-policy/src
 
 paths-ignore:
   - "**/node_modules"
 
@@ -47,6 +47,12 @@
           - "extensions/meeting-notes/**"
           - "docs/plugins/meeting-notes.md"
           - "src/meeting-notes/**"
+"plugin: workboard":
+  - changed-files:
+      - any-glob-to-any-file:
+          - "extensions/workboard/**"
+          - "docs/plugins/workboard.md"
+          - "docs/plugins/reference/workboard.md"
 "plugin: migrate-hermes":
   - changed-files:
       - any-glob-to-any-file:
 
@@ -19,13 +19,6 @@ permissions: {}
 
 jobs:
   auto-response:
-    if: >-
-      ${{
-        !(
-          (github.event.action == 'labeled' || github.event.action == 'unlabeled') &&
-          github.event.label.name == 'dependency-guard-backfill'
-        )
-      }}
     permissions:
       contents: read
       issues: write