openclaw
diff --git a/‎.agent/workflows/update_clawdbot.md‎
Lines changed: 7 additions & 7 deletions b/‎.agent/workflows/update_clawdbot.md‎
Lines changed: 7 additions & 7 deletions
diff --git a/‎.agents/skills/parallels-discord-roundtrip/SKILL.md‎
Lines changed: 59 additions & 0 deletions b/‎.agents/skills/parallels-discord-roundtrip/SKILL.md‎
Lines changed: 59 additions & 0 deletions
diff --git a/‎.dockerignore‎
Lines changed: 6 additions & 0 deletions b/‎.dockerignore‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎.github/CODEOWNERS‎
Lines changed: 54 additions & 0 deletions b/‎.github/CODEOWNERS‎
Lines changed: 54 additions & 0 deletions
diff --git a/‎.github/FUNDING.yml‎
Lines changed: 0 additions & 1 deletion b/‎.github/FUNDING.yml‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎.github/actions/setup-node-env/action.yml‎
Lines changed: 10 additions & 6 deletions b/‎.github/actions/setup-node-env/action.yml‎
Lines changed: 10 additions & 6 deletions
diff --git a/‎.github/actions/setup-pnpm-store-cache/action.yml‎
Lines changed: 11 additions & 9 deletions b/‎.github/actions/setup-pnpm-store-cache/action.yml‎
Lines changed: 11 additions & 9 deletions
@@ -1,8 +1,8 @@
 ---
-description: Update Clawdbot from upstream when branch has diverged (ahead/behind)
+description: Update OpenClaw from upstream when branch has diverged (ahead/behind)
 ---
 
-# Clawdbot Upstream Sync Workflow
+# OpenClaw Upstream Sync Workflow
 
 Use this workflow when your fork has diverged from upstream (e.g., "18 commits ahead, 29 commits behind").
 
@@ -132,16 +132,16 @@ pnpm mac:package
 
 ```bash
 # Kill running app
-pkill -x "Clawdbot" || true
+pkill -x "OpenClaw" || true
 
 # Move old version
-mv /Applications/Clawdbot.app /tmp/Clawdbot-backup.app
+mv /Applications/OpenClaw.app /tmp/OpenClaw-backup.app
 
 # Install new build
-cp -R dist/Clawdbot.app /Applications/
+cp -R dist/OpenClaw.app /Applications/
 
 # Launch
-open /Applications/Clawdbot.app
+open /Applications/OpenClaw.app
 ```
 
 ---
@@ -235,7 +235,7 @@ If upstream introduced new model configurations:
 # Check for OpenRouter API key requirements
 grep -r "openrouter\|OPENROUTER" src/ --include="*.ts" --include="*.js"
 
-# Update clawdbot.json with fallback chains
+# Update openclaw.json with fallback chains
 # Add model fallback configurations as needed
 ```
 
 
@@ -0,0 +1,59 @@
+---
+name: parallels-discord-roundtrip
+description: Run the macOS Parallels smoke harness with Discord end-to-end roundtrip verification, including guest send, host verification, host reply, and guest readback.
+---
+
+# Parallels Discord Roundtrip
+
+Use when macOS Parallels smoke must prove Discord two-way delivery end to end.
+
+## Goal
+
+Cover:
+
+- install on fresh macOS snapshot
+- onboard + gateway health
+- guest `message send` to Discord
+- host sees that message on Discord
+- host posts a new Discord message
+- guest `message read` sees that new message
+
+## Inputs
+
+- host env var with Discord bot token
+- Discord guild ID
+- Discord channel ID
+- `OPENAI_API_KEY`
+
+## Preferred run
+
+```bash
+export OPENCLAW_PARALLELS_DISCORD_TOKEN="$(
+  ssh peters-mac-studio-1 'jq -r ".channels.discord.token" ~/.openclaw/openclaw.json' | tr -d '\n'
+)"
+
+pnpm test:parallels:macos \
+  --discord-token-env OPENCLAW_PARALLELS_DISCORD_TOKEN \
+  --discord-guild-id 1456350064065904867 \
+  --discord-channel-id 1456744319972282449 \
+  --json
+```
+
+## Notes
+
+- Snapshot target: closest to `macOS 26.3.1 fresh`.
+- Harness configures Discord inside the guest; no checked-in token/config.
+- Use the `openclaw` wrapper for guest `message send/read`; `node openclaw.mjs message ...` does not expose the lazy message subcommands the same way.
+- Write `channels.discord.guilds` in one JSON object (`--strict-json`), not dotted `config set channels.discord.guilds.<snowflake>...` paths; numeric snowflakes get treated like array indexes.
+- Avoid `prlctl enter` / expect for long Discord setup scripts; it line-wraps/corrupts long commands. Use `prlctl exec --current-user /bin/sh -lc ...` for the Discord config phase.
+- Harness cleanup deletes the temporary Discord smoke messages at exit.
+- Per-phase logs: `/tmp/openclaw-parallels-smoke.*`
+- Machine summary: pass `--json`
+- If roundtrip flakes, inspect `fresh.discord-roundtrip.log` and `discord-last-readback.json` in the run dir first.
+
+## Pass criteria
+
+- fresh lane or upgrade lane requested passes
+- summary reports `discord=pass` for that lane
+- guest outbound nonce appears in channel history
+- host inbound nonce appears in `openclaw message read` output
@@ -1,5 +1,11 @@
 .git
 .worktrees
+
+# Sensitive files – docker-setup.sh writes .env with OPENCLAW_GATEWAY_TOKEN
+# into the project root; keep it out of the build context.
+.env
+.env.*
+
 .bun-cache
 .bun
 .tmp
 
@@ -0,0 +1,54 @@
+# Protect the ownership rules themselves.
+/.github/CODEOWNERS @steipete
+
+# WARNING: GitHub CODEOWNERS uses last-match-wins semantics.
+# If you add overlapping rules below the secops block, include @openclaw/secops
+# on those entries too or you can silently remove required secops review.
+# Security-sensitive code, config, and docs require secops review.
+/SECURITY.md @openclaw/secops
+/.github/dependabot.yml @openclaw/secops
+/.github/codeql/ @openclaw/secops
+/.github/workflows/codeql.yml @openclaw/secops
+/src/security/ @openclaw/secops
+/src/secrets/ @openclaw/secops
+/src/config/*secret*.ts @openclaw/secops
+/src/config/**/*secret*.ts @openclaw/secops
+/src/gateway/*auth*.ts @openclaw/secops
+/src/gateway/**/*auth*.ts @openclaw/secops
+/src/gateway/*secret*.ts @openclaw/secops
+/src/gateway/**/*secret*.ts @openclaw/secops
+/src/gateway/security-path*.ts @openclaw/secops
+/src/gateway/resolve-configured-secret-input-string*.ts @openclaw/secops
+/src/gateway/protocol/**/*secret*.ts @openclaw/secops
+/src/gateway/server-methods/secrets*.ts @openclaw/secops
+/src/agents/*auth*.ts @openclaw/secops
+/src/agents/**/*auth*.ts @openclaw/secops
+/src/agents/auth-profiles*.ts @openclaw/secops
+/src/agents/auth-health*.ts @openclaw/secops
+/src/agents/auth-profiles/ @openclaw/secops
+/src/agents/sandbox.ts @openclaw/secops
+/src/agents/sandbox-*.ts @openclaw/secops
+/src/agents/sandbox/ @openclaw/secops
+/src/infra/secret-file*.ts @openclaw/secops
+/src/cron/stagger.ts @openclaw/secops
+/src/cron/service/jobs.ts @openclaw/secops
+/docs/security/ @openclaw/secops
+/docs/gateway/authentication.md @openclaw/secops
+/docs/gateway/sandbox-vs-tool-policy-vs-elevated.md @openclaw/secops
+/docs/gateway/sandboxing.md @openclaw/secops
+/docs/gateway/secrets-plan-contract.md @openclaw/secops
+/docs/gateway/secrets.md @openclaw/secops
+/docs/gateway/security/ @openclaw/secops
+/docs/cli/approvals.md @openclaw/secops
+/docs/cli/sandbox.md @openclaw/secops
+/docs/cli/security.md @openclaw/secops
+/docs/cli/secrets.md @openclaw/secops
+/docs/reference/secretref-credential-surface.md @openclaw/secops
+/docs/reference/secretref-user-supplied-credentials-matrix.json @openclaw/secops
+
+# Release workflow and its supporting release-path checks.
+/.github/workflows/openclaw-npm-release.yml @openclaw/openclaw-release-managers
+/docs/reference/RELEASING.md @openclaw/openclaw-release-managers
+/scripts/openclaw-npm-publish.sh @openclaw/openclaw-release-managers
+/scripts/openclaw-npm-release-check.ts @openclaw/openclaw-release-managers
+/scripts/release-check.ts @openclaw/openclaw-release-managers
@@ -1,12 +1,16 @@
 name: Setup Node environment
 description: >
-  Initialize submodules with retry, install Node 22, pnpm, optionally Bun,
+  Initialize submodules with retry, install Node 24 by default, pnpm, optionally Bun,
   and optionally run pnpm install. Requires actions/checkout to run first.
 inputs:
   node-version:
     description: Node.js version to install.
     required: false
-    default: "22.x"
+    default: "24.x"
+  cache-key-suffix:
+    description: Suffix appended to the pnpm store cache key.
+    required: false
+    default: "node24"
   pnpm-version:
     description: pnpm version for corepack.
     required: false
@@ -16,7 +20,7 @@ inputs:
     required: false
     default: "true"
   use-sticky-disk:
-    description: Use Blacksmith sticky disks for pnpm store caching.
+    description: Request Blacksmith sticky-disk pnpm caching on trusted runs; pull_request runs fall back to actions/cache.
     required: false
     default: "false"
   install-deps:
@@ -45,7 +49,7 @@ runs:
         exit 1
 
     - name: Setup Node.js
-      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      uses: actions/setup-node@v6
       with:
         node-version: ${{ inputs.node-version }}
         check-latest: false
@@ -54,12 +58,12 @@ runs:
       uses: ./.github/actions/setup-pnpm-store-cache
       with:
         pnpm-version: ${{ inputs.pnpm-version }}
-        cache-key-suffix: "node22"
+        cache-key-suffix: ${{ inputs.cache-key-suffix }}
         use-sticky-disk: ${{ inputs.use-sticky-disk }}
 
     - name: Setup Bun
       if: inputs.install-bun == 'true'
-      uses: oven-sh/setup-bun@v2
+      uses: oven-sh/setup-bun@v2.1.3
       with:
         bun-version: "1.3.9"
 
 
@@ -8,17 +8,17 @@ inputs:
   cache-key-suffix:
     description: Suffix appended to the cache key.
     required: false
-    default: "node22"
+    default: "node24"
   use-sticky-disk:
-    description: Use Blacksmith sticky disks instead of actions/cache for pnpm store.
+    description: Use Blacksmith sticky disks instead of actions/cache for pnpm store on trusted runs; pull_request runs fall back to actions/cache.
     required: false
     default: "false"
   use-restore-keys:
     description: Whether to use restore-keys fallback for actions/cache.
     required: false
     default: "true"
   use-actions-cache:
-    description: Whether to restore/save pnpm store with actions/cache.
+    description: Whether to restore/save pnpm store with actions/cache, including pull_request fallback when sticky disks are disabled.
     required: false
     default: "true"
 runs:
@@ -51,22 +51,24 @@ runs:
       run: echo "path=$(pnpm store path --silent)" >> "$GITHUB_OUTPUT"
 
     - name: Mount pnpm store sticky disk
-      if: inputs.use-sticky-disk == 'true'
+      # Keep persistent sticky-disk state off untrusted PR runs.
+      if: inputs.use-sticky-disk == 'true' && github.event_name != 'pull_request'
       uses: useblacksmith/stickydisk@v1
       with:
-        key: ${{ github.repository }}-pnpm-store-${{ runner.os }}-${{ inputs.cache-key-suffix }}
+        key: ${{ github.repository }}-pnpm-store-${{ runner.os }}-${{ github.ref_name }}-${{ inputs.cache-key-suffix }}-${{ hashFiles('pnpm-lock.yaml') }}
         path: ${{ steps.pnpm-store.outputs.path }}
 
     - name: Restore pnpm store cache (exact key only)
-      if: inputs.use-actions-cache == 'true' && inputs.use-sticky-disk != 'true' && inputs.use-restore-keys != 'true'
-      uses: actions/cache@v4
+      # PRs that request sticky disks still need a safe cache restore path.
+      if: inputs.use-actions-cache == 'true' && (inputs.use-sticky-disk != 'true' || github.event_name == 'pull_request') && inputs.use-restore-keys != 'true'
+      uses: actions/cache@v5
       with:
         path: ${{ steps.pnpm-store.outputs.path }}
         key: ${{ runner.os }}-pnpm-store-${{ inputs.cache-key-suffix }}-${{ hashFiles('pnpm-lock.yaml') }}
 
     - name: Restore pnpm store cache (with fallback keys)
-      if: inputs.use-actions-cache == 'true' && inputs.use-sticky-disk != 'true' && inputs.use-restore-keys == 'true'
-      uses: actions/cache@v4
+      if: inputs.use-actions-cache == 'true' && (inputs.use-sticky-disk != 'true' || github.event_name == 'pull_request') && inputs.use-restore-keys == 'true'
+      uses: actions/cache@v5
       with:
         path: ${{ steps.pnpm-store.outputs.path }}
         key: ${{ runner.os }}-pnpm-store-${{ inputs.cache-key-suffix }}-${{ hashFiles('pnpm-lock.yaml') }}