daydreamsai · RedBeardEth · Mar 9, 2026 · Mar 7, 2026 · Mar 7, 2026 · Mar 7, 2026
diff --git a/.detect-secrets.cfg b/.detect-secrets.cfg
@@ -7,10 +7,6 @@
 [exclude-files]
 # pnpm lockfiles contain lots of high-entropy package integrity blobs.
 pattern = (^|/)pnpm-lock\.yaml$
-# Generated output and vendored assets.
-pattern = (^|/)(dist|vendor)/
-# Local config file with allowlist patterns.
-pattern = (^|/)\.detect-secrets\.cfg$
 
 [exclude-lines]
 # Fastlane checks for private key marker; not a real key.
@@ -28,3 +24,20 @@ pattern = "talk\.apiKey"
 pattern = === "string"
 # specific optional-chaining password check that didn't match the line above.
 pattern = typeof remote\?\.password === "string"
+# Docker apt signing key fingerprint constant; not a secret.
+pattern = OPENCLAW_DOCKER_GPG_FINGERPRINT=
+# Credential matrix metadata field in docs JSON; not a secret value.
+pattern = "secretShape": "(secret_input|sibling_ref)"
+# Docs line describing API key rotation knobs; not a credential.
+pattern = API key rotation \(provider-specific\): set `\*_API_KEYS`
+# Docs line describing remote password precedence; not a credential.
+pattern = passw[o]rd: `OPENCLAW_GATEWAY_PASSW[O]RD` -> `gateway\.auth\.passw[o]rd` -> `gateway\.remote\.passw[o]rd`
+pattern = passw[o]rd: `OPENCLAW_GATEWAY_PASSW[O]RD` -> `gateway\.remote\.passw[o]rd` -> `gateway\.auth\.passw[o]rd`
+# Test fixture starts a multiline fake private key; detector should ignore the header line.
+pattern = const key = `-----BEGIN PRIVATE KEY-----
+# Docs examples: literal placeholder API key snippets and shell heredoc helper.
+pattern = export CUSTOM_API_K[E]Y="your-key"
+pattern = grep -q 'N[O]DE_COMPILE_CACHE=/var/tmp/openclaw-compile-cache' ~/.bashrc \|\| cat >> ~/.bashrc <<'EOF'
+pattern = env: \{ MISTRAL_API_K[E]Y: "sk-\.\.\." \},
+pattern = "ap[i]Key": "xxxxx",
+pattern = ap[i]Key: "A[I]za\.\.\.",
diff --git a/.github/actions/ensure-base-commit/action.yml b/.github/actions/ensure-base-commit/action.yml
@@ -0,0 +1,47 @@
+name: Ensure base commit
+description: Ensure a shallow checkout has enough history to diff against a base SHA.
+inputs:
+  base-sha:
+    description: Base commit SHA to diff against.
+    required: true
+  fetch-ref:
+    description: Branch or ref to deepen/fetch from origin when base-sha is missing.
+    required: true
+runs:
+  using: composite
+  steps:
+    - name: Ensure base commit is available
+      shell: bash
+      env:
+        BASE_SHA: ${{ inputs.base-sha }}
+        FETCH_REF: ${{ inputs.fetch-ref }}
+      run: |
+        set -euo pipefail
+
+        if [ -z "$BASE_SHA" ] || [[ "$BASE_SHA" =~ ^0+$ ]]; then
+          echo "No concrete base SHA available; skipping targeted fetch."
+          exit 0
+        fi
+
+        if git rev-parse --verify "$BASE_SHA^{commit}" >/dev/null 2>&1; then
+          echo "Base commit already present: $BASE_SHA"
+          exit 0
+        fi
+
+        for deepen_by in 25 100 300; do
+          echo "Base commit missing; deepening $FETCH_REF by $deepen_by."
+          git fetch --no-tags --deepen="$deepen_by" origin "$FETCH_REF" || true
+          if git rev-parse --verify "$BASE_SHA^{commit}" >/dev/null 2>&1; then
+            echo "Resolved base commit after deepening: $BASE_SHA"
+            exit 0
+          fi
+        done
+
+        echo "Base commit still missing; fetching full history for $FETCH_REF."
+        git fetch --no-tags origin "$FETCH_REF" || true
+        if git rev-parse --verify "$BASE_SHA^{commit}" >/dev/null 2>&1; then
+          echo "Resolved base commit after full ref fetch: $BASE_SHA"
+          exit 0
+        fi
+
+        echo "Base commit still unavailable after fetch attempts: $BASE_SHA"
diff --git a/.github/actions/setup-node-env/action.yml b/.github/actions/setup-node-env/action.yml
@@ -61,7 +61,7 @@ runs:
       if: inputs.install-bun == 'true'
       uses: oven-sh/setup-bun@v2
       with:
-        bun-version: "1.3.9+cf6cdbbba"
+        bun-version: "1.3.9"
 
     - name: Runtime versions
       shell: bash

diff --git a/.github/workflows/auto-response.yml b/.github/workflows/auto-response.yml
@@ -35,6 +35,7 @@ jobs:
           github-token: ${{ steps.app-token.outputs.token || steps.app-token-fallback.outputs.token }}
           script: |
             // Labels prefixed with "r:" are auto-response triggers.
+            const activePrLimit = 10;
             const rules = [
               {
                 label: "r: skill",
@@ -48,6 +49,20 @@ jobs:
                 message:
                   "Please use [our support server](https://discord.gg/clawd) and ask in #help or #users-helping-users to resolve this, or follow the stuck FAQ at https://docs.openclaw.ai/help/faq#im-stuck-whats-the-fastest-way-to-get-unstuck.",
               },
+              {
+                label: "r: no-ci-pr",
+                message:
+                  "Please don't make PRs for test failures on main.\n\n" +
+                  "The team is aware of those and will handle them directly on the codebase, not only fixing the tests but also investigating what the root cause is. Having to sift through test-fix-PRs (including some that have been out of date for weeks...) on top of that doesn't help. There are already way too many PRs for humans to manage; please don't make the flood worse.\n\n" +
+                  "Thank you.",
+              },
+              {
+                label: "r: too-many-prs",
+                close: true,
+                message:
+                  `Closing this PR because the author has more than ${activePrLimit} active PRs in this repo. ` +
+                  "Please reduce the active PR queue and reopen or resubmit once it is back under the limit. You can close your own PRs to get back under the limit.",
+              },
               {
                 label: "r: testflight",
                 close: true,

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -21,31 +21,47 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
         with:
-          fetch-depth: 0
+          fetch-depth: 1
+          fetch-tags: false
           submodules: false
 
+      - name: Ensure docs-scope base commit
+        uses: ./.github/actions/ensure-base-commit
+        with:
+          base-sha: ${{ github.event_name == 'push' && github.event.before || github.event.pull_request.base.sha }}
+          fetch-ref: ${{ github.event_name == 'push' && github.ref_name || github.event.pull_request.base.ref }}
+
       - name: Detect docs-only changes
         id: check
         uses: ./.github/actions/detect-docs-changes
 
   # Detect which heavy areas are touched so PRs can skip unrelated expensive jobs.
-  # Push to main keeps broad coverage.
+  # Push to main keeps broad coverage, but this job still needs to run so
+  # downstream jobs that list it in `needs` are not skipped.
   changed-scope:
     needs: [docs-scope]
-    if: github.event_name == 'pull_request' && needs.docs-scope.outputs.docs_only != 'true'
+    if: needs.docs-scope.outputs.docs_only != 'true'
     runs-on: blacksmith-16vcpu-ubuntu-2404
     outputs:
       run_node: ${{ steps.scope.outputs.run_node }}
       run_macos: ${{ steps.scope.outputs.run_macos }}
       run_android: ${{ steps.scope.outputs.run_android }}
+      run_skills_python: ${{ steps.scope.outputs.run_skills_python }}
       run_windows: ${{ steps.scope.outputs.run_windows }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
         with:
-          fetch-depth: 0
+          fetch-depth: 1
+          fetch-tags: false
           submodules: false
 
+      - name: Ensure changed-scope base commit
+        uses: ./.github/actions/ensure-base-commit
+        with:
+          base-sha: ${{ github.event_name == 'push' && github.event.before || github.event.pull_request.base.sha }}
+          fetch-ref: ${{ github.event_name == 'push' && github.ref_name || github.event.pull_request.base.ref }}
+
       - name: Detect changed scopes
         id: scope
         shell: bash
@@ -71,6 +87,13 @@ jobs:
         with:
           submodules: false
 
+      - name: Ensure secrets base commit (PR fast path)
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/ensure-base-commit
+        with:
+          base-sha: ${{ github.event.pull_request.base.sha }}
+          fetch-ref: ${{ github.event.pull_request.base.ref }}
+
       - name: Setup Node environment
         uses: ./.github/actions/setup-node-env
         with:
@@ -124,6 +147,9 @@ jobs:
           - runtime: node
             task: test
             command: pnpm canvas:a2ui:bundle && pnpm test
+          - runtime: node
+            task: extensions
+            command: pnpm test:extensions
           - runtime: node
             task: protocol
             command: pnpm protocol:check
@@ -187,46 +213,6 @@ jobs:
       - name: Enforce safe external URL opening policy
         run: pnpm lint:ui:no-raw-window-open
 
-  # Report-only dead-code scans. Runs after scope detection and stores machine-readable
-  # results as artifacts for later triage before we enable hard gates.
-  # Temporarily disabled in CI while we process initial findings.
-  deadcode:
-    name: dead-code report
-    needs: [docs-scope, changed-scope]
-    # if: needs.docs-scope.outputs.docs_only != 'true' && (github.event_name == 'push' || needs.changed-scope.outputs.run_node == 'true')
-    if: false
-    runs-on: blacksmith-16vcpu-ubuntu-2404
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - tool: knip
-            command: pnpm deadcode:report:ci:knip
-          - tool: ts-prune
-            command: pnpm deadcode:report:ci:ts-prune
-          - tool: ts-unused-exports
-            command: pnpm deadcode:report:ci:ts-unused
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          submodules: false
-
-      - name: Setup Node environment
-        uses: ./.github/actions/setup-node-env
-        with:
-          install-bun: "false"
-          use-sticky-disk: "true"
-
-      - name: Run ${{ matrix.tool }} dead-code scan
-        run: ${{ matrix.command }}
-
-      - name: Upload dead-code results
-        uses: actions/upload-artifact@v4
-        with:
-          name: dead-code-${{ matrix.tool }}-${{ github.run_id }}
-          path: .artifacts/deadcode
-
   # Validate docs (format, lint, broken links) only when docs files changed.
   check-docs:
     needs: [docs-scope]
@@ -249,7 +235,7 @@ jobs:
 
   skills-python:
     needs: [docs-scope, changed-scope]
-    if: needs.docs-scope.outputs.docs_only != 'true' && (github.event_name == 'push' || needs.changed-scope.outputs.run_node == 'true')
+    if: needs.docs-scope.outputs.docs_only != 'true' && (github.event_name == 'push' || needs.changed-scope.outputs.run_node == 'true' || needs.changed-scope.outputs.run_skills_python == 'true')
     runs-on: blacksmith-16vcpu-ubuntu-2404
     steps:
       - name: Checkout
@@ -289,20 +275,53 @@ jobs:
           install-deps: "false"
 
       - name: Setup Python
+        id: setup-python
         uses: actions/setup-python@v5
         with:
           python-version: "3.12"
+          cache: "pip"
+          cache-dependency-path: |
+            pyproject.toml
+            .pre-commit-config.yaml
+            .github/workflows/ci.yml
+
+      - name: Restore pre-commit cache
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/pre-commit
+          key: pre-commit-${{ runner.os }}-${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('.pre-commit-config.yaml') }}
 
       - name: Install pre-commit
         run: |
           python -m pip install --upgrade pip
-          python -m pip install pre-commit detect-secrets==1.5.0
+          python -m pip install pre-commit
 
       - name: Detect secrets
         run: |
-          if ! detect-secrets scan --baseline .secrets.baseline; then
-            echo "::error::Secret scanning failed. See docs/gateway/security.md#secret-scanning-detect-secrets"
-            exit 1
+          set -euo pipefail
+
+          if [ "${{ github.event_name }}" = "push" ]; then
+            echo "Running full detect-secrets scan on push."
+            pre-commit run --all-files detect-secrets
+            exit 0
+          fi
+
+          BASE="${{ github.event.pull_request.base.sha }}"
+          changed_files=()
+          if git rev-parse --verify "$BASE^{commit}" >/dev/null 2>&1; then
+            while IFS= read -r path; do
+              [ -n "$path" ] || continue
+              [ -f "$path" ] || continue
+              changed_files+=("$path")
+            done < <(git diff --name-only --diff-filter=ACMR "$BASE" HEAD)
+          fi
+
+          if [ "${#changed_files[@]}" -gt 0 ]; then
+            echo "Running detect-secrets on ${#changed_files[@]} changed file(s)."
+            pre-commit run detect-secrets --files "${changed_files[@]}"
+          else
+            echo "Falling back to full detect-secrets scan."
+            pre-commit run --all-files detect-secrets
           fi
 
       - name: Detect committed private keys
@@ -414,9 +433,11 @@ jobs:
           cache-key-suffix: "node22"
           # Sticky disk mount currently retries/fails on every shard and adds ~50s
           # before install while still yielding zero pnpm store reuse.
+          # Try exact-key actions/cache restores instead to recover store reuse
+          # without the sticky-disk mount penalty.
           use-sticky-disk: "false"
           use-restore-keys: "false"
-          use-actions-cache: "false"
+          use-actions-cache: "true"
 
       - name: Runtime versions
         run: |
@@ -435,7 +456,9 @@ jobs:
           which node
           node -v
           pnpm -v
-          pnpm install --frozen-lockfile --prefer-offline --ignore-scripts=false --config.engine-strict=false --config.enable-pre-post-scripts=true || pnpm install --frozen-lockfile --prefer-offline --ignore-scripts=false --config.engine-strict=false --config.enable-pre-post-scripts=true
+          # Persist Windows-native postinstall outputs in the pnpm store so restored
+          # caches can skip repeated rebuild/download work on later shards/runs.
+          pnpm install --frozen-lockfile --prefer-offline --ignore-scripts=false --config.engine-strict=false --config.enable-pre-post-scripts=true --config.side-effects-cache=true || pnpm install --frozen-lockfile --prefer-offline --ignore-scripts=false --config.engine-strict=false --config.enable-pre-post-scripts=true --config.side-effects-cache=true
 
       - name: Configure test shard (Windows)
         if: matrix.task == 'test'