chore(deps): bump actions/checkout from 4 to 6

.detect-secrets.cfg

@@ -7,10 +7,6 @@
 [exclude-files]
 # pnpm lockfiles contain lots of high-entropy package integrity blobs.
 pattern = (^|/)pnpm-lock\.yaml$
-# Generated output and vendored assets.
-pattern = (^|/)(dist|vendor)/
-# Local config file with allowlist patterns.
-pattern = (^|/)\.detect-secrets\.cfg$
 
 [exclude-lines]
 # Fastlane checks for private key marker; not a real key.
@@ -28,3 +24,5 @@ pattern = "talk\.apiKey"
 pattern = === "string"
 # specific optional-chaining password check that didn't match the line above.
 pattern = typeof remote\?\.password === "string"
+# Docker apt signing key fingerprint constant; not a secret.
+pattern = OPENCLAW_DOCKER_GPG_FINGERPRINT=

.dockerignore

@@ -51,6 +51,10 @@ vendor/
 # Keep the rest of apps/ and vendor/ excluded to avoid a large build context.
 !apps/shared/
 !apps/shared/OpenClawKit/
+!apps/shared/OpenClawKit/Sources/
+!apps/shared/OpenClawKit/Sources/OpenClawKit/
+!apps/shared/OpenClawKit/Sources/OpenClawKit/Resources/
+!apps/shared/OpenClawKit/Sources/OpenClawKit/Resources/tool-display.json
 !apps/shared/OpenClawKit/Tools/
 !apps/shared/OpenClawKit/Tools/CanvasA2UI/
 !apps/shared/OpenClawKit/Tools/CanvasA2UI/**

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -1,5 +1,5 @@
 name: Bug report
-description: Report a defect or unexpected behavior in OpenClaw.
+description: Report defects, including regressions, crashes, and behavior bugs.
 title: "[Bug]: "
 labels:
   - bug
@@ -8,6 +8,17 @@ body:
     attributes:
       value: |
         Thanks for filing this report. Keep it concise, reproducible, and evidence-based.
+  - type: dropdown
+    id: bug_type
+    attributes:
+      label: Bug type
+      description: Choose the category that best matches this report.
+      options:
+        - Regression (worked before, now fails)
+        - Crash (process/app exits or hangs)
+        - Behavior bug (incorrect output/state without crash)
+    validations:
+      required: true
   - type: textarea
     id: summary
     attributes:
@@ -91,5 +102,5 @@ body:
     id: additional_information
     attributes:
       label: Additional information
-      description: Add any context that helps triage but does not fit above.
-      placeholder: Regression started after upgrade from <previous-version>; temporary workaround is ...
+      description: Add any context that helps triage but does not fit above. If this is a regression, include the last known good and first known bad versions.
+      placeholder: Last known good version <...>, first known bad version <...>, temporary workaround is ...

.github/actionlint.yaml

@@ -8,6 +8,7 @@ self-hosted-runner:
     - blacksmith-8vcpu-windows-2025
     - blacksmith-16vcpu-ubuntu-2404
     - blacksmith-16vcpu-windows-2025
+    - blacksmith-32vcpu-windows-2025
     - blacksmith-16vcpu-ubuntu-2404-arm
 
 # Ignore patterns for known issues

.github/actions/ensure-base-commit/action.yml

@@ -0,0 +1,47 @@
+name: Ensure base commit
+description: Ensure a shallow checkout has enough history to diff against a base SHA.
+inputs:
+  base-sha:
+    description: Base commit SHA to diff against.
+    required: true
+  fetch-ref:
+    description: Branch or ref to deepen/fetch from origin when base-sha is missing.
+    required: true
+runs:
+  using: composite
+  steps:
+    - name: Ensure base commit is available
+      shell: bash
+      env:
+        BASE_SHA: ${{ inputs.base-sha }}
+        FETCH_REF: ${{ inputs.fetch-ref }}
+      run: |
+        set -euo pipefail
+
+        if [ -z "$BASE_SHA" ] || [[ "$BASE_SHA" =~ ^0+$ ]]; then
+          echo "No concrete base SHA available; skipping targeted fetch."
+          exit 0
+        fi
+
+        if git rev-parse --verify "$BASE_SHA^{commit}" >/dev/null 2>&1; then
+          echo "Base commit already present: $BASE_SHA"
+          exit 0
+        fi
+
+        for deepen_by in 25 100 300; do
+          echo "Base commit missing; deepening $FETCH_REF by $deepen_by."
+          git fetch --no-tags --deepen="$deepen_by" origin "$FETCH_REF" || true
+          if git rev-parse --verify "$BASE_SHA^{commit}" >/dev/null 2>&1; then
+            echo "Resolved base commit after deepening: $BASE_SHA"
+            exit 0
+          fi
+        done
+
+        echo "Base commit still missing; fetching full history for $FETCH_REF."
+        git fetch --no-tags origin "$FETCH_REF" || true
+        if git rev-parse --verify "$BASE_SHA^{commit}" >/dev/null 2>&1; then
+          echo "Resolved base commit after full ref fetch: $BASE_SHA"
+          exit 0
+        fi
+
+        echo "Base commit still unavailable after fetch attempts: $BASE_SHA"

.github/actions/setup-node-env/action.yml

@@ -1,7 +1,7 @@
 name: Setup Node environment
 description: >
   Initialize submodules with retry, install Node 22, pnpm, optionally Bun,
-  and run pnpm install. Requires actions/checkout to run first.
+  and optionally run pnpm install. Requires actions/checkout to run first.
 inputs:
   node-version:
     description: Node.js version to install.
@@ -15,6 +15,14 @@ inputs:
     description: Whether to install Bun alongside Node.
     required: false
     default: "true"
+  use-sticky-disk:
+    description: Use Blacksmith sticky disks for pnpm store caching.
+    required: false
+    default: "false"
+  install-deps:
+    description: Whether to run pnpm install after environment setup.
+    required: false
+    default: "true"
   frozen-lockfile:
     description: Whether to use --frozen-lockfile for install.
     required: false
@@ -40,19 +48,20 @@ runs:
       uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
       with:
         node-version: ${{ inputs.node-version }}
-        check-latest: true
+        check-latest: false
 
     - name: Setup pnpm + cache store
       uses: ./.github/actions/setup-pnpm-store-cache
       with:
         pnpm-version: ${{ inputs.pnpm-version }}
         cache-key-suffix: "node22"
+        use-sticky-disk: ${{ inputs.use-sticky-disk }}
 
     - name: Setup Bun
       if: inputs.install-bun == 'true'
       uses: oven-sh/setup-bun@v2
       with:
-        bun-version: "1.3.9+cf6cdbbba"
+        bun-version: "1.3.9"
 
     - name: Runtime versions
       shell: bash
@@ -63,10 +72,12 @@ runs:
         if command -v bun &>/dev/null; then bun -v; fi
 
     - name: Capture node path
+      if: inputs.install-deps == 'true'
       shell: bash
       run: echo "NODE_BIN=$(dirname "$(node -p "process.execPath")")" >> "$GITHUB_ENV"
 
     - name: Install dependencies
+      if: inputs.install-deps == 'true'
       shell: bash
       env:
         CI: "true"

.github/actions/setup-pnpm-store-cache/action.yml

@@ -9,6 +9,18 @@ inputs:
     description: Suffix appended to the cache key.
     required: false
     default: "node22"
+  use-sticky-disk:
+    description: Use Blacksmith sticky disks instead of actions/cache for pnpm store.
+    required: false
+    default: "false"
+  use-restore-keys:
+    description: Whether to use restore-keys fallback for actions/cache.
+    required: false
+    default: "true"
+  use-actions-cache:
+    description: Whether to restore/save pnpm store with actions/cache.
+    required: false
+    default: "true"
 runs:
   using: composite
   steps:
@@ -38,7 +50,22 @@ runs:
       shell: bash
       run: echo "path=$(pnpm store path --silent)" >> "$GITHUB_OUTPUT"
 
-    - name: Restore pnpm store cache
+    - name: Mount pnpm store sticky disk
+      if: inputs.use-sticky-disk == 'true'
+      uses: useblacksmith/stickydisk@v1
+      with:
+        key: ${{ github.repository }}-pnpm-store-${{ runner.os }}-${{ inputs.cache-key-suffix }}
+        path: ${{ steps.pnpm-store.outputs.path }}
+
+    - name: Restore pnpm store cache (exact key only)
+      if: inputs.use-actions-cache == 'true' && inputs.use-sticky-disk != 'true' && inputs.use-restore-keys != 'true'
+      uses: actions/cache@v4
+      with:
+        path: ${{ steps.pnpm-store.outputs.path }}
+        key: ${{ runner.os }}-pnpm-store-${{ inputs.cache-key-suffix }}-${{ hashFiles('pnpm-lock.yaml') }}
+
+    - name: Restore pnpm store cache (with fallback keys)
+      if: inputs.use-actions-cache == 'true' && inputs.use-sticky-disk != 'true' && inputs.use-restore-keys == 'true'
       uses: actions/cache@v4
       with:
         path: ${{ steps.pnpm-store.outputs.path }}

.github/dependabot.yml

@@ -7,16 +7,17 @@ registries:
   npm-npmjs:
     type: npm-registry
     url: https://registry.npmjs.org
+    token: ${{secrets.NPM_NPMJS_TOKEN}}
     replaces-base: true
 
 updates:
   # npm dependencies (root)
   - package-ecosystem: npm
     directory: /
     schedule:
-      interval: weekly
+      interval: daily
     cooldown:
-      default-days: 7
+      default-days: 2
     groups:
       production:
         dependency-type: production
@@ -36,9 +37,9 @@ updates:
   - package-ecosystem: github-actions
     directory: /
     schedule:
-      interval: weekly
+      interval: daily
     cooldown:
-      default-days: 7
+      default-days: 2
     groups:
       actions:
         patterns:
@@ -52,9 +53,9 @@ updates:
   - package-ecosystem: swift
     directory: /apps/macos
     schedule:
-      interval: weekly
+      interval: daily
     cooldown:
-      default-days: 7
+      default-days: 2
     groups:
       swift-deps:
         patterns:
@@ -68,9 +69,9 @@ updates:
   - package-ecosystem: swift
     directory: /apps/shared/MoltbotKit
     schedule:
-      interval: weekly
+      interval: daily
     cooldown:
-      default-days: 7
+      default-days: 2
     groups:
       swift-deps:
         patterns:
@@ -84,9 +85,9 @@ updates:
   - package-ecosystem: swift
     directory: /Swabble
     schedule:
-      interval: weekly
+      interval: daily
     cooldown:
-      default-days: 7
+      default-days: 2
     groups:
       swift-deps:
         patterns:
@@ -100,9 +101,9 @@ updates:
   - package-ecosystem: gradle
     directory: /apps/android
     schedule:
-      interval: weekly
+      interval: daily
     cooldown:
-      default-days: 7
+      default-days: 2
     groups:
       android-deps:
         patterns:
@@ -118,7 +119,7 @@ updates:
     schedule:
       interval: weekly
     cooldown:
-      default-days: 7
+      default-days: 2
     groups:
       docker-images:
         patterns:

.github/labeler.yml

@@ -240,6 +240,10 @@
   - changed-files:
       - any-glob-to-any-file:
           - "extensions/device-pair/**"
+"extensions: acpx":
+  - changed-files:
+      - any-glob-to-any-file:
+          - "extensions/acpx/**"
 "extensions: minimax-portal-auth":
   - changed-files:
       - any-glob-to-any-file: