Add ephemeral Control UI Activity tab

[BunsDev]

Summary

• Adds a Control UI Activity tab at /activity under the Control nav group.
• Derives browser-local activity entries from the existing session.tool / tool-event path without adding a new Gateway event family, SSE endpoint, protocol version, TUI pane, observer stream, verbose setting, or durable store.
• Stores only sanitized summaries, hidden-argument counts, and redacted/truncated output previews in Activity state; raw tool arguments and raw results stay out of the Activity model.
• Adds filtering, tool-name selection, Clear, Expand all, Collapse all, keyboard-native disclosure rows, auto-follow scrolling, navigation, i18n bundles, docs, changelog, and focused tests.

Fixes #12831.

Follow-ups intentionally left open as distinct scope: #54577 timeline CLI/export, #37816 Telegram durable activity, and #47386 WebChat summary mode.

Verification

• pnpm ui:i18n:sync
• git diff --check
• node scripts/run-vitest.mjs ui/src/ui/app-tool-stream.node.test.ts ui/src/ui/app-gateway.node.test.ts ui/src/ui/chat/build-chat-items.test.ts ui/src/ui/views/chat.test.ts ui/src/ui/navigation.test.ts src/gateway/server-chat.agent-events.test.ts src/gateway/server-methods/chat.directive-tags.test.ts
• node scripts/run-vitest.mjs ui/src/ui/navigation-groups.test.ts ui/src/ui/navigation.test.ts ui/src/ui/app-tool-stream.node.test.ts ui/src/ui/app-scroll.test.ts
• Browser smoke against Vite Control UI plus a local fake Gateway WebSocket emitting a live session.tool event; verified the Activity tab rendered one event, argument values stayed hidden, and output showed redacted/truncated preview text without the raw command, token, or path.
• node scripts/crabbox-wrapper.mjs run --provider blacksmith-testbox --blacksmith-workflow .github/workflows/ci-check-testbox.yml --blacksmith-job check --shell -- "pnpm check:changed" (tbx_01ksd3qkr8ydn75jfttp6hvkpd, https://github.com/openclaw/openclaw/actions/runs/26362948981)
• UI polish pass: node scripts/run-vitest.mjs ui/src/ui/views/activity.test.ts ui/src/ui/app-tool-stream.node.test.ts ui/src/ui/app-gateway.node.test.ts ui/src/ui/navigation.test.ts ui/src/ui/navigation-groups.test.ts ui/src/ui/app-scroll.test.ts (131 tests), targeted oxlint, desktop/mobile Playwright smoke for Activity layout, semantic list labels, mobile disclosure chevron, and no horizontal overflow.
• Header de-dup polish: node scripts/run-vitest.mjs ui/src/ui/views/activity.test.ts ui/src/ui/app-tool-stream.node.test.ts ui/src/ui/app-gateway.node.test.ts ui/src/ui/navigation.test.ts ui/src/ui/navigation-groups.test.ts ui/src/ui/app-scroll.test.ts (132 tests), targeted oxlint, git diff --check, and desktop/mobile Playwright smoke confirmed the shell is the only Activity heading, toolbar count remains visible, list semantics remain intact, and mobile has no horizontal overflow.
• Final broad proof after header polish: node scripts/crabbox-wrapper.mjs run --provider blacksmith-testbox --blacksmith-workflow .github/workflows/ci-check-testbox.yml --blacksmith-job check --shell -- "pnpm check:changed" (tbx_01ksen33c79b8rywayf6cxww4r, https://github.com/openclaw/openclaw/actions/runs/26382677304)

Real behavior proof

Behavior addressed: Control UI now exposes an ephemeral Activity tab that observes live tool activity from the existing session.tool / tool-event delivery while keeping Chat tool-call hiding independent from the sanitized Activity summaries.

Real environment tested: Local Vite Control UI in a browser connected to a local fake Gateway WebSocket that emitted the client session.tool delivery shape; Blacksmith Testbox ran the repo changed-check lane on the rebased pushed diff.

Exact steps or command run after this patch: Started pnpm --dir ui dev, connected /activity?gatewayUrl=ws://127.0.0.1:18889#token=smoke, emitted a live session.tool event with argument fields plus sensitive-looking output, exercised the Activity filters/disclosure controls/scroll area, ran the focused Vitest commands above, regenerated i18n, ran git diff --check, and ran Testbox pnpm check:changed.

Evidence after fix: The Activity tab displayed the live tool event as a sanitized row with hidden argument count and redacted preview (Authorization: [redacted] file=[redacted path] ok); no raw command, token, absolute path, args JSON, or full result was visible in the Activity UI or stored in Activity state by the new model tests.

Observed result after fix: Activity survives in-app navigation through browser memory, resets on session switch and reload by design, supports Clear, filtering, expand/collapse, and scroll auto-follow, and leaves #54577, #37816, and #47386 as separate follow-up tracks.

What was not tested: A real production Gateway session with real user tool calls was not used; the browser smoke used a local fake Gateway event with the same Control UI session.tool delivery shape.

[clawsweeper]

Codex review: needs changes before merge. Reviewed May 25, 2026, 12:19 AM ET / 04:19 UTC.

Summary
Adds a browser-local Control UI /activity tab that renders sanitized live tool activity summaries from existing session.tool and tool events, plus navigation, i18n, docs, changelog, and tests.

PR surface: Source +2273, Tests +274, Docs +9. Total +2556 across 76 files.

Reproducibility: yes. source inspection gives a high-confidence reproduction path: emit a session.tool result whose text contains OPENAI_API_KEY=... or GITHUB_TOKEN=... and the current redactor will not match that prefixed key name before storing the preview.

Merge readiness
Overall: 🧂 unranked krab
Proof: 🦞 diamond lobster
Patch quality: 🧂 unranked krab
Result: blocked by patch quality or review findings.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Extend Activity preview redaction for prefixed environment secret names and common token signatures.
• Add regression tests covering the missed secret formats, then rerun the focused Activity/tool-stream tests and changed check.

Risk before merge

• Merging as-is could expose common prefixed secret environment variables in the new Activity output preview despite the tab being described as redaction-first.
• The proof uses a fake Gateway event shape rather than a real production Gateway session; the code/tests make the delivery path credible, but maintainer security review still needs the redaction fix.

Maintainer options:

1. Harden preview redaction first (recommended)
   Broaden Activity preview redaction to cover prefixed env-var secret names and common token value signatures, then add focused regression tests before merge.
2. Accept sanitized-preview risk
   Maintainers could intentionally accept the current best-effort redaction boundary, but that means Activity may show some secrets in tool output previews.
3. Pause the preview surface
   If maintainers want a stricter privacy posture, pause or scope the PR to hidden arguments only until output-preview policy is settled.

Copy recommended automerge instruction

@clawsweeper automerge

Special instructions:
Extend Activity output redaction to cover prefixed env-var secret names such as OPENAI_API_KEY, GITHUB_TOKEN, and AWS_SECRET_ACCESS_KEY plus common token value signatures; add regression coverage in ui/src/ui/app-tool-stream.node.test.ts; keep Activity storing only sanitized previews.

Next step before merge
A narrow automated repair can harden the Activity preview redactor and add focused regression coverage without changing the product direction.

Security
Needs attention: The diff introduces a concrete secret-exposure risk in the new Activity output preview redaction path.

Review findings

• [P1] Redact prefixed secret names before previewing output — ui/src/ui/activity-model.ts:45-46

Review details

Best possible solution:

Keep the ephemeral Activity tab design, but harden preview redaction and regression coverage for common secret formats before merging the user-visible feature.

Do we have a high-confidence way to reproduce the issue?

Yes, source inspection gives a high-confidence reproduction path: emit a session.tool result whose text contains OPENAI_API_KEY=... or GITHUB_TOKEN=... and the current redactor will not match that prefixed key name before storing the preview.

Is this the best way to solve the issue?

No, not yet; reusing session.tool for an ephemeral browser-local tab is a maintainable shape, but the output-preview redaction boundary needs broader coverage before this is the best mergeable solution.

Full review comments:

• [P1] Redact prefixed secret names before previewing output — ui/src/ui/activity-model.ts:45-46
  The redactor only matches bare names like token= or api_key= because the key pattern starts at a word boundary. Common tool output such as OPENAI_API_KEY=..., GITHUB_TOKEN=..., or AWS_SECRET_ACCESS_KEY=... will still be stored and rendered in outputPreview, so broaden this coverage and add regression tests before exposing previews.
  Confidence: 0.92

Overall correctness: patch is incorrect
Overall confidence: 0.9

Codex review notes: model gpt-5.5, reasoning high; reviewed against deb54b5dab08.

Label changes

Label justifications:

• P2: This is a normal-priority Control UI feature with limited surface area, but the output-preview redaction gap needs fixing before merge.
• merge-risk: 🚨 security-boundary: The PR creates a new UI path that renders tool output previews, so incomplete redaction can expose credentials or sensitive paths.
• rating: 🧂 unranked krab: Overall readiness is 🧂 unranked krab; proof is 🦞 diamond lobster and patch quality is 🧂 unranked krab.
• status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Sufficient (live_output): The PR body includes after-fix browser smoke proof against a local fake Gateway event shape plus focused tests and Testbox changed-check proof.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes after-fix browser smoke proof against a local fake Gateway event shape plus focused tests and Testbox changed-check proof.

Evidence reviewed

PR surface:

Source +2273, Tests +274, Docs +9. Total +2556 across 76 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	69	2365	92	+2273
Tests	5	275	1	+274
Docs	2	10	1	+9
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	76	2650	94	+2556

Security concerns:

• [high] Prefixed secret names are not redacted — ui/src/ui/activity-model.ts:45
  The current key regex misses common prefixed environment variable secret names while the feature renders redacted tool-result previews in the browser.
  Confidence: 0.92

Acceptance criteria:

• node scripts/run-vitest.mjs ui/src/ui/app-tool-stream.node.test.ts ui/src/ui/views/activity.test.ts
• git diff --check
• node scripts/crabbox-wrapper.mjs run --provider blacksmith-testbox --blacksmith-workflow .github/workflows/ci-check-testbox.yml --blacksmith-job check --shell -- "pnpm check:changed"

What I checked:

• Activity model stores sanitized output previews: The PR adds buildOutputPreview() and stores its redacted/truncated text as outputPreview on ActivityEntry, so redaction coverage is the security boundary for anything rendered in the new tab. (ui/src/ui/activity-model.ts:119, 0aa9aa421151)
• Secret redaction gap: The key-name regex is anchored to a word boundary before bare names like token or api_key, which does not cover common prefixed environment variable names such as OPENAI_API_KEY, GITHUB_TOKEN, or AWS_SECRET_ACCESS_KEY. (ui/src/ui/activity-model.ts:45, 0aa9aa421151)
• Activity hooks into existing tool delivery: The PR calls updateActivityFromToolEvent() from the existing handleAgentEvent() tool stream path after session filtering, avoiding a new Gateway event family. (ui/src/ui/app-tool-stream.ts:677, 0aa9aa421151)
• Existing session.tool contract: Current Gateway code already mirrors tool lifecycle events to session.tool subscribers, matching the PR's stated choice to reuse existing delivery. (src/gateway/server-chat.ts:988, 9db04a27eb20)
• Focused tests cover some redaction cases: The new tests cover bearer headers, bare token=..., and absolute path redaction, but they do not cover prefixed secret environment variable names. (ui/src/ui/app-tool-stream.node.test.ts:328, 0aa9aa421151)
• Real behavior proof in PR body: The PR body reports a local Vite Control UI browser smoke against a fake Gateway WebSocket emitting session.tool, plus focused Vitest runs, git diff --check, and Blacksmith Testbox changed-check run tbx_01ksen33c79b8rywayf6cxww4r. (0aa9aa421151)

Likely related people:

• vincentkoc: Blame on the current Control UI tool stream and Gateway event flow points to the recent runtime chunk split that owns much of the surrounding UI/gateway path. (role: recent area contributor; confidence: high; commits: 8bf4f7d4a88d; files: ui/src/ui/app-tool-stream.ts, ui/src/ui/app-gateway.ts, src/gateway/server-chat.ts)
• galiniliev: Recent session.tool history shows work on Gateway session-tool mirroring and backoff behavior, which is the event source this PR consumes. (role: adjacent gateway event contributor; confidence: high; commits: 42bdc949f297; files: src/gateway/server-chat.ts, src/gateway/server-chat.agent-events.test.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[Copilot]

Pull request overview

Adds a new Control UI Activity tab (/activity) that shows an ephemeral, browser-local stream of tool activity derived from existing session.tool events, with redaction/truncation to avoid persisting raw tool args/results in Activity state.

Changes:

• Introduces an Activity view + model (bounded in-memory entries, redacted output previews, filters, expand/collapse, auto-follow scrolling).
• Wires Activity into Control UI navigation/rendering/lifecycle + tool-event handling (reusing existing tool stream path).
• Updates tests, styles, docs, changelog, and Control UI i18n bundles/metadata.

Reviewed changes

Copilot reviewed 74 out of 74 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
ui/src/ui/views/activity.ts	New Activity tab UI (filters, list rendering, expand/collapse, durations).
ui/src/ui/navigation.ts	Adds activity tab to Control group, paths, and icon mapping.
ui/src/ui/navigation.test.ts	Updates navigation unit tests for the new tab.
ui/src/ui/icons.ts	Adds an activity SVG icon.
ui/src/ui/app.ts	Adds Activity state + scroll handlers to the main app element.
ui/src/ui/app-view-state.ts	Extends AppViewState with Activity state + handlers.
ui/src/ui/app-tool-stream.ts	Updates tool event handling to also update Activity entries.
ui/src/ui/app-tool-stream.node.test.ts	Adds tests ensuring Activity summaries don’t store raw args and previews are redacted/truncated; validates bounded list.
ui/src/ui/app-settings.ts	Adds an activity case to tab refresh routing (no-op).
ui/src/ui/app-scroll.ts	Adds Activity scroll scheduling + scroll-state tracking.
ui/src/ui/app-render.ts	Lazy-loads and renders Activity tab; wires UI callbacks to state.
ui/src/ui/app-render.helpers.ts	Resets Activity state on session switch.
ui/src/ui/app-lifecycle.ts	Cancels Activity scroll frames on disconnect; schedules auto-follow on updates.
ui/src/ui/app-gateway.node.test.ts	Extends gateway tests to assert Activity updates from session.tool delivery.
ui/src/ui/activity-model.ts	New Activity entry model: redaction, preview building, ring buffer, tool-event projection.
ui/src/styles/activity.css	New styles for Activity page/stream.
ui/src/styles.css	Imports Activity styles into global UI styles.
ui/src/i18n/locales/en.ts	Adds Activity translation keys (source).
ui/src/i18n/locales/ar.ts	Adds Activity keys (some untranslated / fallback).
ui/src/i18n/locales/de.ts	Adds Activity keys (some untranslated / fallback).
ui/src/i18n/locales/es.ts	Adds Activity keys (some untranslated / fallback).
ui/src/i18n/locales/fa.ts	Adds Activity keys (some untranslated / fallback).
ui/src/i18n/locales/fr.ts	Adds Activity keys (some untranslated / fallback).
ui/src/i18n/locales/id.ts	Adds Activity keys (some untranslated / fallback).
ui/src/i18n/locales/it.ts	Adds Activity keys (some untranslated / fallback).
ui/src/i18n/locales/ja-JP.ts	Adds Activity keys (some untranslated / fallback).
ui/src/i18n/locales/ko.ts	Adds Activity keys (some untranslated / fallback).
ui/src/i18n/locales/nl.ts	Adds Activity keys (some untranslated / fallback).
ui/src/i18n/locales/pl.ts	Adds Activity keys (some untranslated / fallback).
ui/src/i18n/locales/pt-BR.ts	Adds Activity keys (some untranslated / fallback).
ui/src/i18n/locales/th.ts	Adds Activity keys (some untranslated / fallback).
ui/src/i18n/locales/tr.ts	Adds Activity keys (some untranslated / fallback).
ui/src/i18n/locales/uk.ts	Adds Activity keys (some untranslated / fallback).
ui/src/i18n/locales/vi.ts	Adds Activity keys (some untranslated / fallback).
ui/src/i18n/locales/zh-CN.ts	Adds Activity keys (some untranslated / fallback).
ui/src/i18n/locales/zh-TW.ts	Adds Activity keys (some untranslated / fallback).
ui/src/i18n/.i18n/ar.meta.json	Updates generated i18n metadata for new keys.
ui/src/i18n/.i18n/de.meta.json	Updates generated i18n metadata for new keys.
ui/src/i18n/.i18n/es.tm.jsonl	Updates translation memory entries for Activity keys.
ui/src/i18n/.i18n/es.meta.json	Updates generated i18n metadata for new keys.
ui/src/i18n/.i18n/fa.meta.json	Updates generated i18n metadata for new keys.
ui/src/i18n/.i18n/fr.meta.json	Updates generated i18n metadata for new keys.
ui/src/i18n/.i18n/id.meta.json	Updates generated i18n metadata for new keys.
ui/src/i18n/.i18n/it.meta.json	Updates generated i18n metadata for new keys.
ui/src/i18n/.i18n/ja-JP.meta.json	Updates generated i18n metadata for new keys.
ui/src/i18n/.i18n/ko.meta.json	Updates generated i18n metadata for new keys.
ui/src/i18n/.i18n/nl.meta.json	Updates generated i18n metadata for new keys.
ui/src/i18n/.i18n/pl.tm.jsonl	Updates translation memory entries for Activity keys.
ui/src/i18n/.i18n/pl.meta.json	Updates generated i18n metadata for new keys.
ui/src/i18n/.i18n/pt-BR.tm.jsonl	Updates translation memory entries for Activity keys.
ui/src/i18n/.i18n/pt-BR.meta.json	Updates generated i18n metadata for new keys.
ui/src/i18n/.i18n/th.meta.json	Updates generated i18n metadata for new keys.
ui/src/i18n/.i18n/tr.tm.jsonl	Updates translation memory entries for Activity keys.
ui/src/i18n/.i18n/tr.meta.json	Updates generated i18n metadata for new keys.
ui/src/i18n/.i18n/uk.meta.json	Updates generated i18n metadata for new keys.
ui/src/i18n/.i18n/vi.meta.json	Updates generated i18n metadata for new keys.
ui/src/i18n/.i18n/zh-CN.tm.jsonl	Updates translation memory entries for Activity keys.
ui/src/i18n/.i18n/zh-CN.meta.json	Updates generated i18n metadata for new keys.
ui/src/i18n/.i18n/zh-TW.tm.jsonl	Updates translation memory entries for Activity keys.
ui/src/i18n/.i18n/zh-TW.meta.json	Updates generated i18n metadata for new keys.
docs/web/control-ui.md	Documents the new Activity tab behavior and privacy properties.
CHANGELOG.md	Adds a changelog entry for the new Activity tab and adjusts formatting.

[clawsweeper]

ClawSweeper PR egg

🔥 Warming up: real-behavior proof passed; findings, security review, or rank-up moves are still in progress.

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[Copilot]

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh gh pr view 86059 --json number,title,author,assignees,url,headRefName,baseRefName,state,isDraft,mergeStateStatus,reviewDecision,latestReviews (http block)
• https://api.github.com/repos/openclaw/openclaw/issues/86059/timeline
  • Triggering command: /usr/bin/gh gh api repos/openclaw/openclaw/issues/86059/timeline --paginate -H Accept: application/vnd.github+json --jq [.[] | select(.event=="assigned") | {assignee:.assignee.login, assigner:.assigner.login, actor:.actor.login, created_at}] (http block)
• https://api.github.com/repos/openclaw/openclaw/pulls/86059/reviews
  • Triggering command: /usr/bin/gh gh api repos/openclaw/openclaw/pulls/86059/reviews --paginate (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[BunsDev]

Maintainer verification before merge:

• Head: 0aa9aa42115170b5f59235a42513db710c93fc8d
• GitHub readiness: mergeStateStatus=CLEAN, mergeable=MERGEABLE, checks 64 success / 8 skipped / 0 failed
• Review threads: all resolved
• Focused local proof: node scripts/run-vitest.mjs ui/src/ui/views/activity.test.ts ui/src/ui/app-tool-stream.node.test.ts ui/src/ui/app-gateway.node.test.ts ui/src/ui/navigation.test.ts ui/src/ui/navigation-groups.test.ts ui/src/ui/app-scroll.test.ts passed 132 tests
• Local static proof: git diff --check passed; targeted oxlint passed with OPENCLAW_OXLINT_SKIP_PREPARE=1 node scripts/run-oxlint.mjs ui/src/ui/views/activity.ts ui/src/ui/views/activity.test.ts ui/src/styles/activity.css ui/src/i18n/locales/en.ts
• Browser proof: desktop/mobile Playwright smoke verified no duplicate in-route Activity header, toolbar count visible, Activity stream list semantics intact, disclosure chevron visible on mobile, and no horizontal overflow; console had 0 errors
• Broad proof: node scripts/crabbox-wrapper.mjs run --provider blacksmith-testbox --blacksmith-workflow .github/workflows/ci-check-testbox.yml --blacksmith-job check --shell -- "pnpm check:changed" passed as tbx_01ksen33c79b8rywayf6cxww4r / https://github.com/openclaw/openclaw/actions/runs/26382677304
• Known proof gap: the browser smoke used a local fake Gateway event with the Control UI session.tool delivery shape rather than a real production Gateway session.