fix: avoid node invoke deadlock in macOS gateway (#1752) (thanks @ngutman)

Fixes #1743

The settings page was unable to scroll because .config-layout has
overflow:hidden which blocks child scrolling. Added min-height:0 and
overflow-y:auto to .config-main to enable scrolling within the grid
layout.

.detect-secrets.cfg

@@ -7,6 +7,10 @@
 [exclude-files]
 # pnpm lockfiles contain lots of high-entropy package integrity blobs.
 pattern = (^|/)pnpm-lock\.yaml$
+# Generated output and vendored assets.
+pattern = (^|/)(dist|vendor)/
+# Local config file with allowlist patterns.
+pattern = (^|/)\.detect-secrets\.cfg$
 
 [exclude-lines]
 # Fastlane checks for private key marker; not a real key.

.github/actionlint.yaml

@@ -0,0 +1,17 @@
+# actionlint configuration
+# https://github.com/rhysd/actionlint/blob/main/docs/config.md
+
+self-hosted-runner:
+  labels:
+    # Blacksmith CI runners
+    - blacksmith-4vcpu-ubuntu-2404
+    - blacksmith-4vcpu-windows-2025
+
+# Ignore patterns for known issues
+paths:
+  .github/workflows/**/*.yml:
+    ignore:
+      # Ignore shellcheck warnings (we run shellcheck separately)
+      - 'shellcheck reported issue.+'
+      # Ignore intentional if: false for disabled jobs
+      - 'constant expression "false" in condition'

.github/dependabot.yml

@@ -0,0 +1,113 @@
+# Dependabot configuration
+# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+
+registries:
+  npm-npmjs:
+    type: npm-registry
+    url: https://registry.npmjs.org
+    replaces-base: true
+
+updates:
+  # npm dependencies (root)
+  - package-ecosystem: npm
+    directory: /
+    schedule:
+      interval: weekly
+    cooldown:
+      default-days: 7
+    groups:
+      production:
+        dependency-type: production
+        update-types:
+          - minor
+          - patch
+      development:
+        dependency-type: development
+        update-types:
+          - minor
+          - patch
+    open-pull-requests-limit: 10
+    registries:
+      - npm-npmjs
+
+  # GitHub Actions
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    cooldown:
+      default-days: 7
+    groups:
+      actions:
+        patterns:
+          - "*"
+        update-types:
+          - minor
+          - patch
+    open-pull-requests-limit: 5
+
+  # Swift Package Manager - macOS app
+  - package-ecosystem: swift
+    directory: /apps/macos
+    schedule:
+      interval: weekly
+    cooldown:
+      default-days: 7
+    groups:
+      swift-deps:
+        patterns:
+          - "*"
+        update-types:
+          - minor
+          - patch
+    open-pull-requests-limit: 5
+
+  # Swift Package Manager - shared ClawdbotKit
+  - package-ecosystem: swift
+    directory: /apps/shared/ClawdbotKit
+    schedule:
+      interval: weekly
+    cooldown:
+      default-days: 7
+    groups:
+      swift-deps:
+        patterns:
+          - "*"
+        update-types:
+          - minor
+          - patch
+    open-pull-requests-limit: 5
+
+  # Swift Package Manager - Swabble
+  - package-ecosystem: swift
+    directory: /Swabble
+    schedule:
+      interval: weekly
+    cooldown:
+      default-days: 7
+    groups:
+      swift-deps:
+        patterns:
+          - "*"
+        update-types:
+          - minor
+          - patch
+    open-pull-requests-limit: 5
+
+  # Gradle - Android app
+  - package-ecosystem: gradle
+    directory: /apps/android
+    schedule:
+      interval: weekly
+    cooldown:
+      default-days: 7
+    groups:
+      android-deps:
+        patterns:
+          - "*"
+        update-types:
+          - minor
+          - patch
+    open-pull-requests-limit: 5

.pre-commit-config.yaml

@@ -0,0 +1,105 @@
+# Pre-commit hooks for clawdbot
+# Install: prek install
+# Run manually: prek run --all-files
+#
+# See https://pre-commit.com for more information
+
+repos:
+  # Basic file hygiene
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v6.0.0
+    hooks:
+      - id: trailing-whitespace
+        exclude: '^(docs/|dist/|vendor/|.*\.snap$)'
+      - id: end-of-file-fixer
+        exclude: '^(docs/|dist/|vendor/|.*\.snap$)'
+      - id: check-yaml
+        args: [--allow-multiple-documents]
+      - id: check-added-large-files
+        args: [--maxkb=500]
+      - id: check-merge-conflict
+
+  # Secret detection (same as CI)
+  - repo: https://github.com/Yelp/detect-secrets
+    rev: v1.5.0
+    hooks:
+      - id: detect-secrets
+        args:
+          - --baseline
+          - .secrets.baseline
+          - --exclude-files
+          - '(^|/)(dist/|vendor/|pnpm-lock\.yaml$|\.detect-secrets\.cfg$)'
+          - --exclude-lines
+          - 'key_content\.include\?\("BEGIN PRIVATE KEY"\)'
+          - --exclude-lines
+          - 'case \.apiKeyEnv: "API key \(env var\)"'
+          - --exclude-lines
+          - 'case apikey = "apiKey"'
+          - --exclude-lines
+          - '"gateway\.remote\.password"'
+          - --exclude-lines
+          - '"gateway\.auth\.password"'
+          - --exclude-lines
+          - '"talk\.apiKey"'
+          - --exclude-lines
+          - '=== "string"'
+          - --exclude-lines
+          - 'typeof remote\?\.password === "string"'
+
+  # Shell script linting
+  - repo: https://github.com/koalaman/shellcheck-precommit
+    rev: v0.11.0
+    hooks:
+      - id: shellcheck
+        args: [--severity=error]  # Only fail on errors, not warnings/info
+        # Exclude vendor and scripts with embedded code or known issues
+        exclude: '^(vendor/|scripts/e2e/)'
+
+  # GitHub Actions linting
+  - repo: https://github.com/rhysd/actionlint
+    rev: v1.7.10
+    hooks:
+      - id: actionlint
+
+  # GitHub Actions security audit
+  - repo: https://github.com/zizmorcore/zizmor-pre-commit
+    rev: v1.22.0
+    hooks:
+      - id: zizmor
+        args: [--persona=regular, --min-severity=medium, --min-confidence=medium]
+        exclude: '^(vendor/|Swabble/)'
+
+  # Project checks (same commands as CI)
+  - repo: local
+    hooks:
+      # oxlint --type-aware src test
+      - id: oxlint
+        name: oxlint
+        entry: scripts/pre-commit/run-node-tool.sh oxlint --type-aware src test
+        language: system
+        pass_filenames: false
+        types_or: [javascript, jsx, ts, tsx]
+
+      # oxfmt --check src test
+      - id: oxfmt
+        name: oxfmt
+        entry: scripts/pre-commit/run-node-tool.sh oxfmt --check src test
+        language: system
+        pass_filenames: false
+        types_or: [javascript, jsx, ts, tsx]
+
+      # swiftlint (same as CI)
+      - id: swiftlint
+        name: swiftlint
+        entry: swiftlint --config .swiftlint.yml
+        language: system
+        pass_filenames: false
+        types: [swift]
+
+      # swiftformat --lint (same as CI)
+      - id: swiftformat
+        name: swiftformat
+        entry: swiftformat --lint apps/macos/Sources --config .swiftformat
+        language: system
+        pass_filenames: false
+        types: [swift]

.shellcheckrc

@@ -0,0 +1,25 @@
+# ShellCheck configuration
+# https://www.shellcheck.net/wiki/
+
+# Disable common false positives and style suggestions
+
+# SC2034: Variable appears unused (often exported or used indirectly)
+disable=SC2034
+
+# SC2155: Declare and assign separately (common idiom, rarely causes issues)
+disable=SC2155
+
+# SC2295: Expansions inside ${..} need quoting (info-level, rarely causes issues)
+disable=SC2295
+
+# SC1012: \r is literal (tr -d '\r' works as intended on most systems)
+disable=SC1012
+
+# SC2026: Word outside quotes (info-level, often intentional)
+disable=SC2026
+
+# SC2016: Expressions don't expand in single quotes (often intentional in sed/awk)
+disable=SC2016
+
+# SC2129: Consider using { cmd1; cmd2; } >> file (style preference)
+disable=SC2129

.swiftformat

@@ -23,7 +23,7 @@
 # Whitespace
 --trimwhitespace always
 --emptybraces no-space
---nospaceoperators ...,..< 
+--nospaceoperators ...,..<
 --ranges no-space
 --someAny true
 --voidtype void

AGENTS.md

@@ -37,6 +37,7 @@
 ## Build, Test, and Development Commands
 - Runtime baseline: Node **22+** (keep Node + Bun paths working).
 - Install deps: `pnpm install`
+- Pre-commit hooks: `prek install` (runs same checks as CI)
 - Also supported: `bun install` (keep `pnpm-lock.yaml` + Bun patching in sync when touching deps/patches).
 - Prefer Bun for TypeScript execution (scripts, dev, tests): `bun <file.ts>` / `bunx <tool>`.
 - Run CLI in dev: `pnpm clawdbot ...` (bun) or `pnpm dev`.

CHANGELOG.md

@@ -9,10 +9,10 @@ Docs: https://docs.clawd.bot
 - Venius (Venice AI): highlight provider guide + cross-links + expanded guidance. https://docs.clawd.bot/providers/venice
 
 ### Changes
-- Control UI: refresh design, typography, and iconography; ship local Clawdbot logo asset. (#1745) Thanks @EnzeD.
 - TTS: add Edge TTS provider fallback, defaulting to keyless Edge with MP3 retry on format failures. (#1668) Thanks @steipete. https://docs.clawd.bot/tts
 - Web search: add Brave freshness filter parameter for time-scoped results. (#1688) Thanks @JonUleis. https://docs.clawd.bot/tools/web
 - TTS: add auto mode enum (off/always/inbound/tagged) with per-session `/tts` override. (#1667) Thanks @sebslight. https://docs.clawd.bot/tts
+- Dev: add prek pre-commit hooks + dependabot config for weekly updates. (#1720) Thanks @dguido.
 - Docs: expand FAQ (migration, scheduling, concurrency, model recommendations, OpenAI subscription auth, Pi sizing, hackable install, docs SSL workaround).
 - Docs: add verbose installer troubleshooting guidance.
 - Docs: add macOS VM guide with local/hosted options + VPS/nodes guidance. (#1693) Thanks @f-trycua.
@@ -23,8 +23,12 @@ Docs: https://docs.clawd.bot
 - Telegram: add `channels.telegram.linkPreview` to toggle outbound link previews. (#1700) Thanks @zerone0x. https://docs.clawd.bot/channels/telegram
 - Telegram: treat DM topics as separate sessions and keep DM history limits stable with thread suffixes. (#1597) Thanks @rohannagpal.
 - Telegram: add verbose raw-update logging for inbound Telegram updates. (#1597) Thanks @rohannagpal.
+- Diagnostics: add diagnostic flags for targeted debug logs (config + env override). https://docs.clawd.bot/diagnostics/flags
 
 ### Fixes
+- macOS: rearm gateway receive loop before push handling to avoid node invoke stalls. (#1752) Thanks @ngutman.
+- Gateway: include inline config env vars in service install environments. (#1735) Thanks @Seredeep.
+- BlueBubbles: route phone-number targets to DMs, avoid leaking routing IDs, and auto-create missing DMs (Private API required). (#1751) Thanks @tyler6204. https://docs.clawd.bot/channels/bluebubbles
 - BlueBubbles: keep part-index GUIDs in reply tags when short IDs are missing.
 - Web UI: hide internal `message_id` hints in chat bubbles.
 - Web UI: show Stop button during active runs, swap back to New session when idle. (#1664) Thanks @ndbroadbent.
@@ -39,6 +43,7 @@ Docs: https://docs.clawd.bot
 - Agents: auto-compact on context overflow prompt errors before failing. (#1627) Thanks @rodrigouroz.
 - Agents: use the active auth profile for auto-compaction recovery.
 - Models: default missing custom provider fields so minimal configs are accepted.
+- Media understanding: skip image understanding when the primary model already supports vision. (#1747) Thanks @tyler6204.
 - Gateway: skip Tailscale DNS probing when tailscale.mode is off. (#1671)
 - Gateway: reduce log noise for late invokes + remote node probes; debounce skills refresh. (#1607) Thanks @petter-b.
 - Gateway: clarify Control UI/WebChat auth error hints for missing tokens. (#1690)

README.md

@@ -459,7 +459,7 @@ Use these when you’re past the onboarding flow and want the deeper reference.
 
 ## Clawd
 
-Clawdbot was built for **Clawd**, a space lobster AI assistant. 🦞  
+Clawdbot was built for **Clawd**, a space lobster AI assistant. 🦞
 by Peter Steinberger and the community.
 
 - [clawd.me](https://clawd.me)
@@ -468,7 +468,7 @@ by Peter Steinberger and the community.
 
 ## Community
 
-See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines, maintainers, and how to submit PRs.  
+See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines, maintainers, and how to submit PRs.
 AI/vibe-coded PRs welcome! 🤖
 
 Special thanks to [Mario Zechner](https://mariozechner.at/) for his support and for

SECURITY.md

@@ -12,4 +12,3 @@ If you believe you’ve found a security issue in Clawdbot, please report it pri
 For threat model + hardening guidance (including `clawdbot security audit --deep` and `--fix`), see:
 
 - `https://docs.clawd.bot/gateway/security`
-

appcast.xml

@@ -212,4 +212,4 @@
             <enclosure url="https://github.com/clawdbot/clawdbot/releases/download/v2026.1.21/Clawdbot-2026.1.21.zip" length="22284796" type="application/octet-stream" sparkle:edSignature="pXji4NMA/cu35iMxln385d6LnsT4yIZtFtFiR7sIimKeSC2CsyeWzzSD0EhJsN98PdSoy69iEFZt4I2ZtNCECg=="/>
         </item>
     </channel>
-</rss>
+</rss>

apps/android/app/src/main/java/com/clawdbot/android/CameraHudState.kt

@@ -12,4 +12,3 @@ data class CameraHudState(
   val kind: CameraHudKind,
   val message: String,
 )
-

apps/android/app/src/main/java/com/clawdbot/android/VoiceWakeMode.kt

@@ -12,4 +12,3 @@ enum class VoiceWakeMode(val rawValue: String) {
     }
   }
 }
-

apps/android/app/src/main/java/com/clawdbot/android/node/SmsManager.kt

@@ -135,7 +135,7 @@ class SmsManager(private val context: Context) {
 
     /**
      * Send an SMS message.
-     * 
+     *
      * @param paramsJson JSON with "to" (phone number) and "message" (text) fields
      * @return SendResult indicating success or failure
      */

apps/android/app/src/main/res/values/colors.xml

@@ -1,4 +1,3 @@
 <resources>
     <color name="ic_launcher_background">#0A0A0A</color>
 </resources>
-

apps/android/app/src/main/res/values/strings.xml

@@ -1,4 +1,3 @@
 <resources>
     <string name="app_name">Clawdbot Node</string>
 </resources>
-

apps/android/app/src/test/java/com/clawdbot/android/voice/VoiceWakeCommandExtractorTest.kt

@@ -23,4 +23,3 @@ class VoiceWakeCommandExtractorTest {
     assertNull(VoiceWakeCommandExtractor.extractCommand("hey claude!", listOf("claude")))
   }
 }
-

apps/android/settings.gradle.kts

@@ -16,4 +16,3 @@ dependencyResolutionManagement {
 
 rootProject.name = "ClawdbotNodeAndroid"
 include(":app")
-

apps/ios/.swiftlint.yml

@@ -3,4 +3,3 @@ parent_config: ../../.swiftlint.yml
 included:
   - Sources
   - ../shared/ClawdisNodeKit/Sources
-

apps/macos/Icon.icon/icon.json

@@ -33,4 +33,4 @@
     ],
     "squares" : "shared"
   }
-}
+}

apps/macos/Sources/Clawdbot/Resources/DeviceModels/LICENSE.apple-device-identifiers.txt

@@ -18,4 +18,4 @@ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+SOFTWARE.

apps/macos/Sources/Clawdbot/Resources/DeviceModels/ios-device-identifiers.json

@@ -173,4 +173,4 @@
   "iPod5,1": "iPod touch (5th generation)",
   "iPod7,1": "iPod touch (6th generation)",
   "iPod9,1": "iPod touch (7th generation)"
-}
+}

apps/macos/Sources/Clawdbot/Resources/DeviceModels/mac-device-identifiers.json

@@ -211,4 +211,4 @@
     "Mac Pro (2019)",
     "Mac Pro (Rack, 2019)"
   ]
-}
+}

apps/shared/ClawdbotKit/Sources/ClawdbotKit/GatewayChannel.swift

@@ -427,8 +427,8 @@ public actor GatewayChannelActor {
                 Task { await self.handleReceiveFailure(err) }
             case let .success(msg):
                 Task {
-                    await self.handle(msg)
                     await self.listen()
+                    await self.handle(msg)
                 }
             }
         }
@@ -574,46 +574,22 @@ public actor GatewayChannelActor {
         params: [String: AnyCodable]?,
         timeoutMs: Double? = nil) async throws -> Data
     {
-        do {
-            try await self.connect()
-        } catch {
-            throw self.wrap(error, context: "gateway connect")
-        }
-        let id = UUID().uuidString
+        try await self.connectOrThrow(context: "gateway connect")
         let effectiveTimeout = timeoutMs ?? self.defaultRequestTimeoutMs
-        // Encode request using the generated models to avoid JSONSerialization/ObjC bridging pitfalls.
-        let paramsObject: ProtoAnyCodable? = params.map { entries in
-            let dict = entries.reduce(into: [String: ProtoAnyCodable]()) { dict, entry in
-                dict[entry.key] = ProtoAnyCodable(entry.value.value)
-            }
-            return ProtoAnyCodable(dict)
-        }
-        let frame = RequestFrame(
-            type: "req",
-            id: id,
-            method: method,
-            params: paramsObject)
-        let data: Data
-        do {
-            data = try self.encoder.encode(frame)
-        } catch {
-            self.logger.error(
-                "gateway request encode failed \(method, privacy: .public) error=\(error.localizedDescription, privacy: .public)")
-            throw error
-        }
+        let payload = try self.encodeRequest(method: method, params: params, kind: "request")
         let response = try await withCheckedThrowingContinuation { (cont: CheckedContinuation<GatewayFrame, Error>) in
-            self.pending[id] = cont
+            self.pending[payload.id] = cont
             Task { [weak self] in
                 guard let self else { return }
                 try? await Task.sleep(nanoseconds: UInt64(effectiveTimeout * 1_000_000))
-                await self.timeoutRequest(id: id, timeoutMs: effectiveTimeout)
+                await self.timeoutRequest(id: payload.id, timeoutMs: effectiveTimeout)
             }
             Task {
                 do {
-                    try await self.task?.send(.data(data))
+                    try await self.task?.send(.data(payload.data))
                 } catch {
                     let wrapped = self.wrap(error, context: "gateway send \(method)")
-                    let waiter = self.pending.removeValue(forKey: id)
+                    let waiter = self.pending.removeValue(forKey: payload.id)
                     // Treat send failures as a broken socket: mark disconnected and trigger reconnect.
                     self.connected = false
                     self.task?.cancel(with: .goingAway, reason: nil)
@@ -657,6 +633,42 @@ public actor GatewayChannelActor {
         return NSError(domain: ns.domain, code: ns.code, userInfo: [NSLocalizedDescriptionKey: "\(context): \(desc)"])
     }
 
+    private func connectOrThrow(context: String) async throws {
+        do {
+            try await self.connect()
+        } catch {
+            throw self.wrap(error, context: context)
+        }
+    }
+
+    private func encodeRequest(
+        method: String,
+        params: [String: AnyCodable]?,
+        kind: String) throws -> (id: String, data: Data)
+    {
+        let id = UUID().uuidString
+        // Encode request using the generated models to avoid JSONSerialization/ObjC bridging pitfalls.
+        let paramsObject: ProtoAnyCodable? = params.map { entries in
+            let dict = entries.reduce(into: [String: ProtoAnyCodable]()) { dict, entry in
+                dict[entry.key] = ProtoAnyCodable(entry.value.value)
+            }
+            return ProtoAnyCodable(dict)
+        }
+        let frame = RequestFrame(
+            type: "req",
+            id: id,
+            method: method,
+            params: paramsObject)
+        do {
+            let data = try self.encoder.encode(frame)
+            return (id: id, data: data)
+        } catch {
+            self.logger.error(
+                "gateway \(kind) encode failed \(method, privacy: .public) error=\(error.localizedDescription, privacy: .public)")
+            throw error
+        }
+    }
+
     private func failPending(_ error: Error) async {
         let waiters = self.pending
         self.pending.removeAll()

apps/shared/ClawdbotKit/Tests/ClawdbotKitTests/GatewayChannelTests.swift

@@ -0,0 +1,212 @@
+import Foundation
+import Testing
+@testable import ClawdbotKit
+import ClawdbotProtocol
+
+private final class FakeWebSocketTask: WebSocketTasking, @unchecked Sendable {
+    private let lock = NSLock()
+    private var queue: [URLSessionWebSocketTask.Message] = []
+    private var pendingHandler: (@Sendable (Result<URLSessionWebSocketTask.Message, Error>) -> Void)?
+    private var pendingContinuation: CheckedContinuation<URLSessionWebSocketTask.Message, Error>?
+    private let encoder = JSONEncoder()
+    private let decoder = JSONDecoder()
+
+    var state: URLSessionTask.State = .running
+
+    func resume() {}
+
+    func cancel(with closeCode: URLSessionWebSocketTask.CloseCode, reason: Data?) {
+        state = .canceling
+    }
+
+    func send(_ message: URLSessionWebSocketTask.Message) async throws {
+        guard case let .data(data) = message else { return }
+        guard let frame = try? decoder.decode(RequestFrame.self, from: data) else { return }
+        switch frame.method {
+        case "connect":
+            enqueueResponse(id: frame.id, payload: helloOkPayload())
+        default:
+            enqueueResponse(id: frame.id, payload: ["ok": true])
+        }
+    }
+
+    func receive() async throws -> URLSessionWebSocketTask.Message {
+        try await withCheckedThrowingContinuation { cont in
+            lock.lock()
+            if !queue.isEmpty {
+                let msg = queue.removeFirst()
+                lock.unlock()
+                cont.resume(returning: msg)
+                return
+            }
+            pendingContinuation = cont
+            lock.unlock()
+        }
+    }
+
+    func receive(
+        completionHandler: @escaping @Sendable (Result<URLSessionWebSocketTask.Message, Error>) -> Void)
+    {
+        lock.lock()
+        if !queue.isEmpty {
+            let msg = queue.removeFirst()
+            lock.unlock()
+            completionHandler(.success(msg))
+            return
+        }
+        pendingHandler = completionHandler
+        lock.unlock()
+    }
+
+    func enqueue(_ message: URLSessionWebSocketTask.Message) {
+        lock.lock()
+        if let handler = pendingHandler {
+            pendingHandler = nil
+            lock.unlock()
+            handler(.success(message))
+            return
+        }
+        if let continuation = pendingContinuation {
+            pendingContinuation = nil
+            lock.unlock()
+            continuation.resume(returning: message)
+            return
+        }
+        queue.append(message)
+        lock.unlock()
+    }
+
+    private func enqueueResponse(id: String, payload: [String: Any]) {
+        let response = ResponseFrame(
+            type: "res",
+            id: id,
+            ok: true,
+            payload: ClawdbotProtocol.AnyCodable(payload),
+            error: nil)
+        guard let data = try? encoder.encode(response) else { return }
+        enqueue(.data(data))
+    }
+
+    private func helloOkPayload() -> [String: Any] {
+        [
+            "type": "hello.ok",
+            "protocol": 1,
+            "server": [:],
+            "features": [:],
+            "snapshot": [
+                "presence": [],
+                "health": [:],
+                "stateVersion": [
+                    "presence": 0,
+                    "health": 0,
+                ],
+                "uptimeMs": 0,
+            ],
+            "policy": [
+                "tickIntervalMs": 1000,
+            ],
+        ]
+    }
+}
+
+private final class FakeWebSocketSession: WebSocketSessioning {
+    let task: FakeWebSocketTask
+
+    init(task: FakeWebSocketTask) {
+        self.task = task
+    }
+
+    func makeWebSocketTask(url: URL) -> WebSocketTaskBox {
+        WebSocketTaskBox(task: task)
+    }
+}
+
+private actor AsyncSignal {
+    private var continuation: CheckedContinuation<Result<Void, Error>, Never>?
+    private var stored: Result<Void, Error>?
+
+    func finish(_ result: Result<Void, Error>) {
+        if let continuation {
+            self.continuation = nil
+            continuation.resume(returning: result)
+            return
+        }
+        stored = result
+    }
+
+    func wait() async throws {
+        let result = await withCheckedContinuation { cont in
+            if let stored {
+                self.stored = nil
+                cont.resume(returning: stored)
+                return
+            }
+            continuation = cont
+        }
+        switch result {
+        case .success:
+            return
+        case let .failure(error):
+            throw error
+        }
+    }
+}
+
+private enum TestError: Error {
+    case timeout
+}
+
+struct GatewayChannelTests {
+    @Test
+    func listenRearmsBeforePushHandler() async throws {
+        let task = FakeWebSocketTask()
+        let session = FakeWebSocketSession(task: task)
+        let signal = AsyncSignal()
+        let url = URL(string: "ws://example.invalid")!
+        final class ChannelBox { var channel: GatewayChannelActor? }
+        let box = ChannelBox()
+
+        let channel = GatewayChannelActor(
+            url: url,
+            token: nil,
+            session: WebSocketSessionBox(session: session),
+            pushHandler: { push in
+                guard case let .event(evt) = push, evt.event == "test.event" else { return }
+                guard let channel = box.channel else { return }
+                let params: [String: ClawdbotKit.AnyCodable] = [
+                    "event": ClawdbotKit.AnyCodable("test"),
+                    "payloadJSON": ClawdbotKit.AnyCodable(NSNull()),
+                ]
+                do {
+                    _ = try await channel.request(method: "node.event", params: params, timeoutMs: 50)
+                    await signal.finish(.success(()))
+                } catch {
+                    await signal.finish(.failure(error))
+                }
+            })
+        box.channel = channel
+
+        let challenge = EventFrame(
+            type: "event",
+            event: "connect.challenge",
+            payload: ClawdbotProtocol.AnyCodable(["nonce": "test-nonce"]),
+            seq: nil,
+            stateversion: nil)
+        let encoder = JSONEncoder()
+        task.enqueue(.data(try encoder.encode(challenge)))
+
+        try await channel.connect()
+
+        let event = EventFrame(
+            type: "event",
+            event: "test.event",
+            payload: ClawdbotProtocol.AnyCodable([:]),
+            seq: nil,
+            stateversion: nil)
+        task.enqueue(.data(try encoder.encode(event)))
+
+        try await AsyncTimeout.withTimeout(seconds: 1, onTimeout: { TestError.timeout }) {
+            try await signal.wait()
+        }
+    }
+}

dist/control-ui/index.html

@@ -6,8 +6,8 @@
     <title>Clawdbot Control</title>
     <meta name="color-scheme" content="dark light" />
     <link rel="icon" href="./favicon.ico" sizes="any" />
-    <script type="module" crossorigin src="./assets/index-CJVJFuAg.js"></script>
-    <link rel="stylesheet" crossorigin href="./assets/index-tlTzxSME.css">
+    <script type="module" crossorigin src="./assets/index-DQcOTEYz.js"></script>
+    <link rel="stylesheet" crossorigin href="./assets/index-08nzABV3.css">
   </head>
   <body>
     <clawdbot-app></clawdbot-app>

dist/control-ui/pixel-lobster.svg

@@ -1,60 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<svg xmlns="http://www.w3.org/2000/svg" width="64" height="64" viewBox="0 0 16 16" role="img" aria-label="Pixel lobster">
-  <rect width="16" height="16" fill="none"/>
-  
-  <g fill="#3a0a0d">
-    <rect x="1" y="5" width="1" height="3"/>
-    <rect x="2" y="4" width="1" height="1"/>
-    <rect x="2" y="8" width="1" height="1"/>
-    <rect x="3" y="3" width="1" height="1"/>
-    <rect x="3" y="9" width="1" height="1"/>
-    <rect x="4" y="2" width="1" height="1"/>
-    <rect x="4" y="10" width="1" height="1"/>
-    <rect x="5" y="2" width="6" height="1"/>
-    <rect x="11" y="2" width="1" height="1"/>
-    <rect x="12" y="3" width="1" height="1"/>
-    <rect x="12" y="9" width="1" height="1"/>
-    <rect x="13" y="4" width="1" height="1"/>
-    <rect x="13" y="8" width="1" height="1"/>
-    <rect x="14" y="5" width="1" height="3"/>
-    <rect x="5" y="11" width="6" height="1"/>
-    <rect x="4" y="12" width="1" height="1"/>
-    <rect x="11" y="12" width="1" height="1"/>
-    <rect x="3" y="13" width="1" height="1"/>
-    <rect x="12" y="13" width="1" height="1"/>
-    <rect x="5" y="14" width="6" height="1"/>
-  </g>
-
-  
-  <g fill="#ff4f40">
-    <rect x="5" y="3" width="6" height="1"/>
-    <rect x="4" y="4" width="8" height="1"/>
-    <rect x="3" y="5" width="10" height="1"/>
-    <rect x="3" y="6" width="10" height="1"/>
-    <rect x="3" y="7" width="10" height="1"/>
-    <rect x="4" y="8" width="8" height="1"/>
-    <rect x="5" y="9" width="6" height="1"/>
-    <rect x="5" y="12" width="6" height="1"/>
-    <rect x="6" y="13" width="4" height="1"/>
-  </g>
-
-  
-  <g fill="#ff775f">
-    <rect x="1" y="6" width="2" height="1"/>
-    <rect x="2" y="5" width="1" height="1"/>
-    <rect x="2" y="7" width="1" height="1"/>
-    <rect x="13" y="6" width="2" height="1"/>
-    <rect x="13" y="5" width="1" height="1"/>
-    <rect x="13" y="7" width="1" height="1"/>
-  </g>
-
-  
-  <g fill="#081016">
-    <rect x="6" y="5" width="1" height="1"/>
-    <rect x="9" y="5" width="1" height="1"/>
-  </g>
-  <g fill="#f5fbff">
-    <rect x="6" y="4" width="1" height="1"/>
-    <rect x="9" y="4" width="1" height="1"/>
-  </g>
-</svg>

docs/channels/bluebubbles.md

@@ -213,6 +213,7 @@ Prefer `chat_guid` for stable routing:
 - `chat_id:123`
 - `chat_identifier:...`
 - Direct handles: `+15555550123`, `user@example.com`
+  - If a direct handle does not have an existing DM chat, Clawdbot will create one via `POST /api/v1/chat/new`. This requires the BlueBubbles Private API to be enabled.
 
 ## Security
 - Webhook requests are authenticated by comparing `guid`/`password` query params or headers against `channels.bluebubbles.password`. Requests from `localhost` are also accepted.

docs/diagnostics/flags.md

@@ -0,0 +1,89 @@
+---
+summary: "Diagnostics flags for targeted debug logs"
+read_when:
+  - You need targeted debug logs without raising global logging levels
+  - You need to capture subsystem-specific logs for support
+---
+# Diagnostics Flags
+
+Diagnostics flags let you enable targeted debug logs without turning on verbose logging everywhere. Flags are opt-in and have no effect unless a subsystem checks them.
+
+## How it works
+
+- Flags are strings (case-insensitive).
+- You can enable flags in config or via an env override.
+- Wildcards are supported:
+  - `telegram.*` matches `telegram.http`
+  - `*` enables all flags
+
+## Enable via config
+
+```json
+{
+  "diagnostics": {
+    "flags": ["telegram.http"]
+  }
+}
+```
+
+Multiple flags:
+
+```json
+{
+  "diagnostics": {
+    "flags": ["telegram.http", "gateway.*"]
+  }
+}
+```
+
+Restart the gateway after changing flags.
+
+## Env override (one-off)
+
+```bash
+CLAWDBOT_DIAGNOSTICS=telegram.http,telegram.payload
+```
+
+Disable all flags:
+
+```bash
+CLAWDBOT_DIAGNOSTICS=0
+```
+
+## Where logs go
+
+Flags emit logs into the standard diagnostics log file. By default:
+
+```
+/tmp/clawdbot/clawdbot-YYYY-MM-DD.log
+```
+
+If you set `logging.file`, use that path instead. Logs are JSONL (one JSON object per line). Redaction still applies based on `logging.redactSensitive`.
+
+## Extract logs
+
+Pick the latest log file:
+
+```bash
+ls -t /tmp/clawdbot/clawdbot-*.log | head -n 1
+```
+
+Filter for Telegram HTTP diagnostics:
+
+```bash
+rg "telegram http error" /tmp/clawdbot/clawdbot-*.log
+```
+
+Or tail while reproducing:
+
+```bash
+tail -f /tmp/clawdbot/clawdbot-$(date +%F).log | rg "telegram http error"
+```
+
+For remote gateways, you can also use `clawdbot logs --follow` (see [/cli/logs](/cli/logs)).
+
+## Notes
+
+- If `logging.level` is set higher than `warn`, these logs may be suppressed. Default `info` is fine.
+- Flags are safe to leave enabled; they only affect log volume for the specific subsystem.
+- Use [/logging](/logging) to change log destinations, levels, and redaction.

docs/help/faq.md

@@ -138,6 +138,7 @@ Quick answers plus deeper troubleshooting for real-world setups (local dev, VPS,
   - [Can I use self-hosted models (llama.cpp, vLLM, Ollama)?](#can-i-use-selfhosted-models-llamacpp-vllm-ollama)
   - [What do Clawd, Flawd, and Krill use for models?](#what-do-clawd-flawd-and-krill-use-for-models)
   - [How do I switch models on the fly (without restarting)?](#how-do-i-switch-models-on-the-fly-without-restarting)
+  - [Can I use GPT 5.2 for daily tasks and Codex 5.2 for coding](#can-i-use-gpt-52-for-daily-tasks-and-codex-52-for-coding)
   - [Why do I see “Model … is not allowed” and then no reply?](#why-do-i-see-model-is-not-allowed-and-then-no-reply)
   - [Why do I see “Unknown model: minimax/MiniMax-M2.1”?](#why-do-i-see-unknown-model-minimaxminimaxm21)
   - [Can I use MiniMax as my default and OpenAI for complex tasks?](#can-i-use-minimax-as-my-default-and-openai-for-complex-tasks)
@@ -1947,6 +1948,16 @@ Re-run `/model` **without** the `@profile` suffix:
 If you want to return to the default, pick it from `/model` (or send `/model <default provider/model>`).
 Use `/model status` to confirm which auth profile is active.
 
+### Can I use GPT 5.2 for daily tasks and Codex 5.2 for coding
+
+Yes. Set one as default and switch as needed:
+
+- **Quick switch (per session):** `/model gpt-5.2` for daily tasks, `/model gpt-5.2-codex` for coding.
+- **Default + switch:** set `agents.defaults.model.primary` to `openai-codex/gpt-5.2`, then switch to `openai-codex/gpt-5.2-codex` when coding (or the other way around).
+- **Sub-agents:** route coding tasks to sub-agents with a different default model.
+
+See [Models](/concepts/models) and [Slash commands](/tools/slash-commands).
+
 ### Why do I see Model is not allowed and then no reply
 
 If `agents.defaults.models` is set, it becomes the **allowlist** for `/model` and any

docs/logging.md

@@ -192,6 +192,30 @@ Use this if you want diagnostics events available to plugins or custom sinks:
 }
 ```
 
+### Diagnostics flags (targeted logs)
+
+Use flags to turn on extra, targeted debug logs without raising `logging.level`.
+Flags are case-insensitive and support wildcards (e.g. `telegram.*` or `*`).
+
+```json
+{
+  "diagnostics": {
+    "flags": ["telegram.http"]
+  }
+}
+```
+
+Env override (one-off):
+
+```
+CLAWDBOT_DIAGNOSTICS=telegram.http,telegram.payload
+```
+
+Notes:
+- Flag logs go to the standard log file (same as `logging.file`).
+- Output is still redacted according to `logging.redactSensitive`.
+- Full guide: [/diagnostics/flags](/diagnostics/flags).
+
 ### Export to OpenTelemetry
 
 Diagnostics can be exported via the `diagnostics-otel` plugin (OTLP/HTTP). This

docs/platforms/fly.md

@@ -80,6 +80,7 @@ primary_region = "iad"
 |---------|-----|
 | `--bind lan` | Binds to `0.0.0.0` so Fly's proxy can reach the gateway |
 | `--allow-unconfigured` | Starts without a config file (you'll create one after) |
+| `internal_port = 3000` | Must match `--port 3000` (or `CLAWDBOT_GATEWAY_PORT`) for Fly health checks |
 | `memory = "2048mb"` | 512MB is too small; 2GB recommended |
 | `CLAWDBOT_STATE_DIR = "/data"` | Persists state on the volume |
 
@@ -235,6 +236,12 @@ The gateway is binding to `127.0.0.1` instead of `0.0.0.0`.
 
 **Fix:** Add `--bind lan` to your process command in `fly.toml`.
 
+### Health checks failing / connection refused
+
+Fly can't reach the gateway on the configured port.
+
+**Fix:** Ensure `internal_port` matches the gateway port (set `--port 3000` or `CLAWDBOT_GATEWAY_PORT=3000`).
+
 ### OOM / Memory Issues
 
 Container keeps restarting or getting killed. Signs: `SIGABRT`, `v8::internal::Runtime_AllocateInYoungGeneration`, or silent restarts.
@@ -268,11 +275,11 @@ The lock file is at `/data/gateway.*.lock` (not in a subdirectory).
 
 ### Config Not Being Read
 
-If using `--allow-unconfigured`, the gateway creates a minimal config. Your custom config at `/data/.clawdbot/clawdbot.json` should be read on restart.
+If using `--allow-unconfigured`, the gateway creates a minimal config. Your custom config at `/data/clawdbot.json` should be read on restart.
 
 Verify the config exists:
 ```bash
-fly ssh console --command "cat /data/.clawdbot/clawdbot.json"
+fly ssh console --command "cat /data/clawdbot.json"
 ```
 
 ### Writing Config via SSH
@@ -281,18 +288,24 @@ The `fly ssh console -C` command doesn't support shell redirection. To write a c
 
 ```bash
 # Use echo + tee (pipe from local to remote)
-echo '{"your":"config"}' | fly ssh console -C "tee /data/.clawdbot/clawdbot.json"
+echo '{"your":"config"}' | fly ssh console -C "tee /data/clawdbot.json"
 
 # Or use sftp
 fly sftp shell
-> put /local/path/config.json /data/.clawdbot/clawdbot.json
+> put /local/path/config.json /data/clawdbot.json
 ```
 
 **Note:** `fly sftp` may fail if the file already exists. Delete first:
 ```bash
-fly ssh console --command "rm /data/.clawdbot/clawdbot.json"
+fly ssh console --command "rm /data/clawdbot.json"
 ```
 
+### State Not Persisting
+
+If you lose credentials or sessions after a restart, the state dir is writing to the container filesystem.
+
+**Fix:** Ensure `CLAWDBOT_STATE_DIR=/data` is set in `fly.toml` and redeploy.
+
 ## Updates
 
 ```bash
@@ -330,6 +343,7 @@ fly machine update <machine-id> --vm-memory 2048 --command "node dist/index.js g
 - The Dockerfile is compatible with both architectures
 - For WhatsApp/Telegram onboarding, use `fly ssh console`
 - Persistent data lives on the volume at `/data`
+- Signal requires Java + signal-cli; use a custom image and keep memory at 2GB+.
 
 ## Cost
 

extensions/bluebubbles/src/channel.ts

@@ -25,9 +25,11 @@ import { resolveBlueBubblesMessageId } from "./monitor.js";
 import { probeBlueBubbles, type BlueBubblesProbe } from "./probe.js";
 import { sendMessageBlueBubbles } from "./send.js";
 import {
+  extractHandleFromChatGuid,
   looksLikeBlueBubblesTargetId,
   normalizeBlueBubblesHandle,
   normalizeBlueBubblesMessagingTarget,
+  parseBlueBubblesTarget,
 } from "./targets.js";
 import { bluebubblesMessageActions } from "./actions.js";
 import { monitorBlueBubblesProvider, resolveWebhookPathFromConfig } from "./monitor.js";
@@ -148,6 +150,58 @@ export const bluebubblesPlugin: ChannelPlugin<ResolvedBlueBubblesAccount> = {
       looksLikeId: looksLikeBlueBubblesTargetId,
       hint: "<handle|chat_guid:GUID|chat_id:ID|chat_identifier:ID>",
     },
+    formatTargetDisplay: ({ target, display }) => {
+      const shouldParseDisplay = (value: string): boolean => {
+        if (looksLikeBlueBubblesTargetId(value)) return true;
+        return /^(bluebubbles:|chat_guid:|chat_id:|chat_identifier:)/i.test(value);
+      };
+
+      // Helper to extract a clean handle from any BlueBubbles target format
+      const extractCleanDisplay = (value: string | undefined): string | null => {
+        const trimmed = value?.trim();
+        if (!trimmed) return null;
+        try {
+          const parsed = parseBlueBubblesTarget(trimmed);
+          if (parsed.kind === "chat_guid") {
+            const handle = extractHandleFromChatGuid(parsed.chatGuid);
+            if (handle) return handle;
+          }
+          if (parsed.kind === "handle") {
+            return normalizeBlueBubblesHandle(parsed.to);
+          }
+        } catch {
+          // Fall through
+        }
+        // Strip common prefixes and try raw extraction
+        const stripped = trimmed
+          .replace(/^bluebubbles:/i, "")
+          .replace(/^chat_guid:/i, "")
+          .replace(/^chat_id:/i, "")
+          .replace(/^chat_identifier:/i, "");
+        const handle = extractHandleFromChatGuid(stripped);
+        if (handle) return handle;
+        // Don't return raw chat_guid formats - they contain internal routing info
+        if (stripped.includes(";-;") || stripped.includes(";+;")) return null;
+        return stripped;
+      };
+
+      // Try to get a clean display from the display parameter first
+      const trimmedDisplay = display?.trim();
+      if (trimmedDisplay) {
+        if (!shouldParseDisplay(trimmedDisplay)) {
+          return trimmedDisplay;
+        }
+        const cleanDisplay = extractCleanDisplay(trimmedDisplay);
+        if (cleanDisplay) return cleanDisplay;
+      }
+
+      // Fall back to extracting from target
+      const cleanTarget = extractCleanDisplay(target);
+      if (cleanTarget) return cleanTarget;
+
+      // Last resort: return display or target as-is
+      return display?.trim() || target?.trim() || "";
+    },
   },
   setup: {
     resolveAccountId: ({ accountId }) => normalizeAccountId(accountId),

extensions/bluebubbles/src/send.test.ts

@@ -187,6 +187,47 @@ describe("send", () => {
       expect(result).toBe("iMessage;-;+15551234567");
     });
 
+    it("returns null when handle only exists in group chat (not DM)", async () => {
+      // This is the critical fix: if a phone number only exists as a participant in a group chat
+      // (no direct DM chat), we should NOT send to that group. Return null instead.
+      mockFetch
+        .mockResolvedValueOnce({
+          ok: true,
+          json: () =>
+            Promise.resolve({
+              data: [
+                {
+                  guid: "iMessage;+;group-the-council",
+                  participants: [
+                    { address: "+12622102921" },
+                    { address: "+15550001111" },
+                    { address: "+15550002222" },
+                  ],
+                },
+              ],
+            }),
+        })
+        // Empty second page to stop pagination
+        .mockResolvedValueOnce({
+          ok: true,
+          json: () => Promise.resolve({ data: [] }),
+        });
+
+      const target: BlueBubblesSendTarget = {
+        kind: "handle",
+        address: "+12622102921",
+        service: "imessage",
+      };
+      const result = await resolveChatGuidForTarget({
+        baseUrl: "http://localhost:1234",
+        password: "test",
+        target,
+      });
+
+      // Should return null, NOT the group chat GUID
+      expect(result).toBeNull();
+    });
+
     it("returns null when chat not found", async () => {
       mockFetch.mockResolvedValueOnce({
         ok: true,
@@ -344,14 +385,14 @@ describe("send", () => {
       ).rejects.toThrow("password is required");
     });
 
-    it("throws when chatGuid cannot be resolved", async () => {
+    it("throws when chatGuid cannot be resolved for non-handle targets", async () => {
       mockFetch.mockResolvedValue({
         ok: true,
         json: () => Promise.resolve({ data: [] }),
       });
 
       await expect(
-        sendMessageBlueBubbles("+15559999999", "Hello", {
+        sendMessageBlueBubbles("chat_id:999", "Hello", {
           serverUrl: "http://localhost:1234",
           password: "test",
         }),
@@ -398,6 +439,57 @@ describe("send", () => {
       expect(body.method).toBeUndefined();
     });
 
+    it("creates a new chat when handle target is missing", async () => {
+      mockFetch
+        .mockResolvedValueOnce({
+          ok: true,
+          json: () => Promise.resolve({ data: [] }),
+        })
+        .mockResolvedValueOnce({
+          ok: true,
+          text: () =>
+            Promise.resolve(
+              JSON.stringify({
+                data: { guid: "new-msg-guid" },
+              }),
+            ),
+        });
+
+      const result = await sendMessageBlueBubbles("+15550009999", "Hello new chat", {
+        serverUrl: "http://localhost:1234",
+        password: "test",
+      });
+
+      expect(result.messageId).toBe("new-msg-guid");
+      expect(mockFetch).toHaveBeenCalledTimes(2);
+
+      const createCall = mockFetch.mock.calls[1];
+      expect(createCall[0]).toContain("/api/v1/chat/new");
+      const body = JSON.parse(createCall[1].body);
+      expect(body.addresses).toEqual(["+15550009999"]);
+      expect(body.message).toBe("Hello new chat");
+    });
+
+    it("throws when creating a new chat requires Private API", async () => {
+      mockFetch
+        .mockResolvedValueOnce({
+          ok: true,
+          json: () => Promise.resolve({ data: [] }),
+        })
+        .mockResolvedValueOnce({
+          ok: false,
+          status: 403,
+          text: () => Promise.resolve("Private API not enabled"),
+        });
+
+      await expect(
+        sendMessageBlueBubbles("+15550008888", "Hello", {
+          serverUrl: "http://localhost:1234",
+          password: "test",
+        }),
+      ).rejects.toThrow("Private API must be enabled");
+    });
+
     it("uses private-api when reply metadata is present", async () => {
       mockFetch
         .mockResolvedValueOnce({

extensions/bluebubbles/src/send.ts

@@ -257,11 +257,17 @@ export async function resolveChatGuidForTarget(params: {
           return guid;
         }
         if (!participantMatch && guid) {
-          const participants = extractParticipantAddresses(chat).map((entry) =>
-            normalizeBlueBubblesHandle(entry),
-          );
-          if (participants.includes(normalizedHandle)) {
-            participantMatch = guid;
+          // Only consider DM chats (`;-;` separator) as participant matches.
+          // Group chats (`;+;` separator) should never match when searching by handle/phone.
+          // This prevents routing "send to +1234567890" to a group chat that contains that number.
+          const isDmChat = guid.includes(";-;");
+          if (isDmChat) {
+            const participants = extractParticipantAddresses(chat).map((entry) =>
+              normalizeBlueBubblesHandle(entry),
+            );
+            if (participants.includes(normalizedHandle)) {
+              participantMatch = guid;
+            }
           }
         }
       }
@@ -270,6 +276,55 @@ export async function resolveChatGuidForTarget(params: {
   return participantMatch;
 }
 
+/**
+ * Creates a new chat (DM) and optionally sends an initial message.
+ * Requires Private API to be enabled in BlueBubbles.
+ */
+async function createNewChatWithMessage(params: {
+  baseUrl: string;
+  password: string;
+  address: string;
+  message: string;
+  timeoutMs?: number;
+}): Promise<BlueBubblesSendResult> {
+  const url = buildBlueBubblesApiUrl({
+    baseUrl: params.baseUrl,
+    path: "/api/v1/chat/new",
+    password: params.password,
+  });
+  const payload = {
+    addresses: [params.address],
+    message: params.message,
+  };
+  const res = await blueBubblesFetchWithTimeout(
+    url,
+    {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(payload),
+    },
+    params.timeoutMs,
+  );
+  if (!res.ok) {
+    const errorText = await res.text();
+    // Check for Private API not enabled error
+    if (res.status === 400 || res.status === 403 || errorText.toLowerCase().includes("private api")) {
+      throw new Error(
+        `BlueBubbles send failed: Cannot create new chat - Private API must be enabled. Original error: ${errorText || res.status}`,
+      );
+    }
+    throw new Error(`BlueBubbles create chat failed (${res.status}): ${errorText || "unknown"}`);
+  }
+  const body = await res.text();
+  if (!body) return { messageId: "ok" };
+  try {
+    const parsed = JSON.parse(body) as unknown;
+    return { messageId: extractMessageId(parsed) };
+  } catch {
+    return { messageId: "ok" };
+  }
+}
+
 export async function sendMessageBlueBubbles(
   to: string,
   text: string,
@@ -297,6 +352,17 @@ export async function sendMessageBlueBubbles(
     target,
   });
   if (!chatGuid) {
+    // If target is a phone number/handle and no existing chat found,
+    // auto-create a new DM chat using the /api/v1/chat/new endpoint
+    if (target.kind === "handle") {
+      return createNewChatWithMessage({
+        baseUrl,
+        password,
+        address: target.address,
+        message: trimmedText,
+        timeoutMs: opts.timeoutMs,
+      });
+    }
     throw new Error(
       "BlueBubbles send failed: chatGuid not found for target. Use a chat_guid target or ensure the chat exists.",
     );

extensions/matrix/src/matrix/monitor/auto-join.ts

@@ -33,7 +33,7 @@ export function registerMatrixAutoJoin(params: {
   // For "allowlist" mode, handle invites manually
   client.on("room.invite", async (roomId: string, _inviteEvent: unknown) => {
     if (autoJoin !== "allowlist") return;
-    
+
     // Get room alias if available
     let alias: string | undefined;
     let altAliases: string[] = [];

extensions/matrix/src/matrix/monitor/media.ts

@@ -25,7 +25,7 @@ async function fetchMatrixMediaBuffer(params: {
   // matrix-bot-sdk provides mxcToHttp helper
   const url = params.client.mxcToHttp(params.mxcUrl);
   if (!url) return null;
-  
+
   // Use the client's download method which handles auth
   try {
     const buffer = await params.client.downloadContent(params.mxcUrl);
@@ -61,7 +61,7 @@ async function fetchEncryptedMediaBuffer(params: {
     Buffer.from(encryptedBuffer),
     params.file,
   );
-  
+
   return { buffer: decrypted };
 }
 
@@ -77,7 +77,7 @@ export async function downloadMatrixMedia(params: {
   placeholder: string;
 } | null> {
   let fetched: { buffer: Buffer; headerType?: string } | null;
-  
+
   if (params.file) {
     // Encrypted media
     fetched = await fetchEncryptedMediaBuffer({
@@ -93,7 +93,7 @@ export async function downloadMatrixMedia(params: {
       maxBytes: params.maxBytes,
     });
   }
-  
+
   if (!fetched) return null;
   const headerType = fetched.headerType ?? params.contentType ?? undefined;
   const saved = await getMatrixRuntime().channel.media.saveMediaBuffer(

extensions/mattermost/src/group-mentions.ts

@@ -11,4 +11,4 @@ export function resolveMattermostGroupRequireMention(
   });
   if (typeof account.requireMention === "boolean") return account.requireMention;
   return true;
-}
+}

extensions/mattermost/src/mattermost/accounts.ts

@@ -112,4 +112,4 @@ export function listEnabledMattermostAccounts(cfg: ClawdbotConfig): ResolvedMatt
   return listMattermostAccountIds(cfg)
     .map((accountId) => resolveMattermostAccount({ cfg, accountId }))
     .filter((account) => account.enabled);
-}
+}

extensions/mattermost/src/mattermost/client.ts

@@ -205,4 +205,4 @@ export async function uploadMattermostFile(
     throw new Error("Mattermost file upload failed");
   }
   return info;
-}
+}

extensions/mattermost/src/mattermost/monitor-helpers.ts

@@ -147,4 +147,4 @@ export function resolveThreadSessionKeys(params: {
     ? `${params.baseSessionKey}:thread:${threadId}`
     : params.baseSessionKey;
   return { sessionKey, parentSessionKey: params.parentSessionKey };
-}
+}

extensions/mattermost/src/mattermost/probe.ts

@@ -67,4 +67,4 @@ export async function probeMattermost(
   } finally {
     if (timer) clearTimeout(timer);
   }
-}
+}

extensions/mattermost/src/onboarding-helpers.ts

@@ -39,4 +39,4 @@ export async function promptAccountId(params: PromptAccountIdParams): Promise<st
     );
   }
   return normalized;
-}
+}

extensions/mattermost/src/onboarding.ts

@@ -184,4 +184,4 @@ export const mattermostOnboardingAdapter: ChannelOnboardingAdapter = {
       mattermost: { ...cfg.channels?.mattermost, enabled: false },
     },
   }),
-};
+};

extensions/open-prose/skills/prose/examples/28-automated-pr-review.prose

@@ -22,11 +22,11 @@ parallel:
   security = session: security_expert
     prompt: "Perform a deep security audit of the changes. Look for OWASP top 10 issues."
     context: overview
-  
+
   perf = session: performance_expert
     prompt: "Analyze the performance implications. Identify potential bottlenecks or regressions."
     context: overview
-  
+
   style = session: reviewer
     prompt: "Review for code style, maintainability, and adherence to best practices."
     context: overview

extensions/voice-call/src/manager/context.ts

@@ -19,4 +19,3 @@ export type CallManagerContext = {
   transcriptWaiters: Map<CallId, TranscriptWaiter>;
   maxDurationTimers: Map<CallId, NodeJS.Timeout>;
 };
-

extensions/voice-call/src/manager/events.ts

@@ -175,4 +175,3 @@ export function processEvent(ctx: CallManagerContext, event: NormalizedEvent): v
 
   persistCallRecord(ctx.storePath, call);
 }
-

extensions/voice-call/src/manager/lookup.ts

@@ -31,4 +31,3 @@ export function findCall(params: {
     providerCallId: params.callIdOrProviderCallId,
   });
 }
-

extensions/voice-call/src/manager/state.ts

@@ -48,4 +48,3 @@ export function addTranscriptEntry(
   };
   call.transcript.push(entry);
 }
-

extensions/voice-call/src/manager/store.ts

@@ -86,4 +86,3 @@ export async function getCallHistoryFromStore(
 
   return calls;
 }
-

extensions/voice-call/src/manager/timers.ts

@@ -84,4 +84,3 @@ export function waitForFinalTranscript(
     ctx.transcriptWaiters.set(callId, { resolve, reject, timeout });
   });
 }
-

extensions/voice-call/src/manager/twiml.ts

@@ -7,4 +7,3 @@ export function generateNotifyTwiml(message: string, voice: string): string {
   <Hangup/>
 </Response>`;
 }
-

extensions/voice-call/src/providers/plivo.test.ts

@@ -26,4 +26,3 @@ describe("PlivoProvider", () => {
     expect(result.providerResponseBody).toContain('length="300"');
   });
 });
-

extensions/voice-call/src/providers/twilio/webhook.ts

@@ -27,4 +27,3 @@ export function verifyTwilioProviderWebhook(params: {
     reason: result.reason,
   };
 }
-

extensions/zalouser/src/channel.test.ts

@@ -15,4 +15,3 @@ describe("zalouser outbound chunker", () => {
     expect(chunks.every((c) => c.length <= limit)).toBe(true);
   });
 });
-

scripts/clawlog.sh

@@ -124,7 +124,7 @@ EOF
 # Function to list categories
 list_categories() {
     echo -e "${BLUE}Fetching VibeTunnel log categories from the last hour...${NC}\n"
-    
+
     # Get unique categories from recent logs
     log show --predicate "subsystem == \"$SUBSYSTEM\"" --last 1h 2>/dev/null | \
         grep -E "category: \"[^\"]+\"" | \
@@ -133,7 +133,7 @@ list_categories() {
         while read -r cat; do
             echo "  • $cat"
         done
-    
+
     echo -e "\n${YELLOW}Note: Only categories with recent activity are shown${NC}"
 }
 
@@ -230,29 +230,29 @@ fi
 if [[ "$STREAM_MODE" == true ]]; then
     # Streaming mode
     CMD="sudo log stream --predicate '$PREDICATE' --level $LOG_LEVEL --info"
-    
+
     echo -e "${GREEN}Streaming VibeTunnel logs continuously...${NC}"
     echo -e "${YELLOW}Press Ctrl+C to stop${NC}\n"
 else
     # Show mode
     CMD="sudo log show --predicate '$PREDICATE'"
-    
+
     # Add log level for show command
     if [[ "$LOG_LEVEL" == "debug" ]]; then
         CMD="$CMD --debug"
     else
         CMD="$CMD --info"
     fi
-    
+
     # Add time range
     CMD="$CMD --last $TIME_RANGE"
-    
+
     if [[ "$SHOW_TAIL" == true ]]; then
         echo -e "${GREEN}Showing last $TAIL_LINES log lines from the past $TIME_RANGE${NC}"
     else
         echo -e "${GREEN}Showing all logs from the past $TIME_RANGE${NC}"
     fi
-    
+
     # Show applied filters
     if [[ "$ERRORS_ONLY" == true ]]; then
         echo -e "${RED}Filter: Errors only${NC}"
@@ -277,14 +277,14 @@ if [[ -n "$OUTPUT_FILE" ]]; then
     if sudo -n /usr/bin/log show --last 1s 2>&1 | grep -q "password"; then
         handle_sudo_error
     fi
-    
+
     echo -e "${BLUE}Exporting logs to: $OUTPUT_FILE${NC}\n"
     if [[ "$SHOW_TAIL" == true ]] && [[ "$STREAM_MODE" == false ]]; then
         eval "$CMD" 2>&1 | tail -n "$TAIL_LINES" > "$OUTPUT_FILE"
     else
         eval "$CMD" > "$OUTPUT_FILE" 2>&1
     fi
-    
+
     # Check if file was created and has content
     if [[ -s "$OUTPUT_FILE" ]]; then
         LINE_COUNT=$(wc -l < "$OUTPUT_FILE" | tr -d ' ')
@@ -298,7 +298,7 @@ else
     if sudo -n /usr/bin/log show --last 1s 2>&1 | grep -q "password"; then
         handle_sudo_error
     fi
-    
+
     if [[ "$SHOW_TAIL" == true ]] && [[ "$STREAM_MODE" == false ]]; then
         # Apply tail for non-streaming mode
         eval "$CMD" 2>&1 | tail -n "$TAIL_LINES"

scripts/e2e/gateway-network-docker.sh

@@ -102,12 +102,12 @@ ws.send(
 	);
 	const connectRes = await onceFrame((o) => o?.type === \"res\" && o?.id === \"c1\");
 	if (!connectRes.ok) throw new Error(\"connect failed: \" + (connectRes.error?.message ?? \"unknown\"));
-	
+
 	ws.send(JSON.stringify({ type: \"req\", id: \"h1\", method: \"health\" }));
 	const healthRes = await onceFrame((o) => o?.type === \"res\" && o?.id === \"h1\", 10000);
 	if (!healthRes.ok) throw new Error(\"health failed: \" + (healthRes.error?.message ?? \"unknown\"));
 	if (healthRes.payload?.ok !== true) throw new Error(\"unexpected health payload\");
-	
+
 	ws.close();
 	console.log(\"ok\");
 NODE"

scripts/pre-commit/run-node-tool.sh

@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+
+if [[ $# -lt 1 ]]; then
+  echo "usage: run-node-tool.sh <tool> [args...]" >&2
+  exit 2
+fi
+
+tool="$1"
+shift
+
+if [[ -f "$ROOT_DIR/pnpm-lock.yaml" ]] && command -v pnpm >/dev/null 2>&1; then
+  exec pnpm exec "$tool" "$@"
+fi
+
+if { [[ -f "$ROOT_DIR/bun.lockb" ]] || [[ -f "$ROOT_DIR/bun.lock" ]]; } && command -v bun >/dev/null 2>&1; then
+  exec bunx --bun "$tool" "$@"
+fi
+
+if command -v npm >/dev/null 2>&1; then
+  exec npm exec -- "$tool" "$@"
+fi
+
+if command -v npx >/dev/null 2>&1; then
+  exec npx "$tool" "$@"
+fi
+
+echo "Missing package manager: pnpm, bun, or npm required." >&2
+exit 1

scripts/update-clawtributors.types.ts

@@ -30,4 +30,3 @@ export type Entry = {
   avatar_url: string;
   lines: number;
 };
-

skills/local-places/SKILL.md

@@ -84,7 +84,7 @@ curl http://127.0.0.1:8000/places/{place_id}
       "open_now": true
     }
   ],
-  "next_page_token": "..." 
+  "next_page_token": "..."
 }
 ```
 

src/agents/model-catalog.ts

@@ -8,6 +8,7 @@ export type ModelCatalogEntry = {
   provider: string;
   contextWindow?: number;
   reasoning?: boolean;
+  input?: Array<"text" | "image">;
 };
 
 type DiscoveredModel = {
@@ -16,6 +17,7 @@ type DiscoveredModel = {
   provider: string;
   contextWindow?: number;
   reasoning?: boolean;
+  input?: Array<"text" | "image">;
 };
 
 type PiSdkModule = typeof import("@mariozechner/pi-coding-agent");
@@ -80,7 +82,10 @@ export async function loadModelCatalog(params?: {
             ? entry.contextWindow
             : undefined;
         const reasoning = typeof entry?.reasoning === "boolean" ? entry.reasoning : undefined;
-        models.push({ id, name, provider, contextWindow, reasoning });
+        const input = Array.isArray(entry?.input)
+          ? (entry.input as Array<"text" | "image">)
+          : undefined;
+        models.push({ id, name, provider, contextWindow, reasoning, input });
       }
 
       if (models.length === 0) {
@@ -105,3 +110,27 @@ export async function loadModelCatalog(params?: {
 
   return modelCatalogPromise;
 }
+
+/**
+ * Check if a model supports image input based on its catalog entry.
+ */
+export function modelSupportsVision(entry: ModelCatalogEntry | undefined): boolean {
+  return entry?.input?.includes("image") ?? false;
+}
+
+/**
+ * Find a model in the catalog by provider and model ID.
+ */
+export function findModelInCatalog(
+  catalog: ModelCatalogEntry[],
+  provider: string,
+  modelId: string,
+): ModelCatalogEntry | undefined {
+  const normalizedProvider = provider.toLowerCase().trim();
+  const normalizedModelId = modelId.toLowerCase().trim();
+  return catalog.find(
+    (entry) =>
+      entry.provider.toLowerCase() === normalizedProvider &&
+      entry.id.toLowerCase() === normalizedModelId,
+  );
+}

src/agents/pi-embedded-helpers.sanitizeuserfacingtext.test.ts

@@ -27,4 +27,14 @@ describe("sanitizeUserFacingText", () => {
     const raw = '{"type":"error","error":{"message":"Something exploded","type":"server_error"}}';
     expect(sanitizeUserFacingText(raw)).toBe("LLM error server_error: Something exploded");
   });
+
+  it("collapses consecutive duplicate paragraphs", () => {
+    const text = "Hello there!\n\nHello there!";
+    expect(sanitizeUserFacingText(text)).toBe("Hello there!");
+  });
+
+  it("does not collapse distinct paragraphs", () => {
+    const text = "Hello there!\n\nDifferent line.";
+    expect(sanitizeUserFacingText(text)).toBe(text);
+  });
 });

src/agents/pi-embedded-helpers/errors.ts

@@ -77,6 +77,29 @@ function stripFinalTagsFromText(text: string): string {
   return text.replace(FINAL_TAG_RE, "");
 }
 
+function collapseConsecutiveDuplicateBlocks(text: string): string {
+  const trimmed = text.trim();
+  if (!trimmed) return text;
+  const blocks = trimmed.split(/\n{2,}/);
+  if (blocks.length < 2) return text;
+
+  const normalizeBlock = (value: string) => value.trim().replace(/\s+/g, " ");
+  const result: string[] = [];
+  let lastNormalized: string | null = null;
+
+  for (const block of blocks) {
+    const normalized = normalizeBlock(block);
+    if (lastNormalized && normalized === lastNormalized) {
+      continue;
+    }
+    result.push(block.trim());
+    lastNormalized = normalized;
+  }
+
+  if (result.length === blocks.length) return text;
+  return result.join("\n\n");
+}
+
 function isLikelyHttpErrorText(raw: string): boolean {
   const match = raw.match(HTTP_STATUS_PREFIX_RE);
   if (!match) return false;
@@ -321,7 +344,7 @@ export function sanitizeUserFacingText(text: string): string {
     return formatRawAssistantErrorForUi(trimmed);
   }
 
-  return stripped;
+  return collapseConsecutiveDuplicateBlocks(stripped);
 }
 
 export function isRateLimitAssistantError(msg: AssistantMessage | undefined): boolean {

src/agents/tools/message-tool.ts

@@ -333,7 +333,13 @@ export function createMessageTool(options?: MessageToolOptions): AnyAgentTool {
     name: "message",
     description,
     parameters: schema,
-    execute: async (_toolCallId, args) => {
+    execute: async (_toolCallId, args, signal) => {
+      // Check if already aborted before doing any work
+      if (signal?.aborted) {
+        const err = new Error("Message send aborted");
+        err.name = "AbortError";
+        throw err;
+      }
       const params = args as Record<string, unknown>;
       const cfg = options?.config ?? loadConfig();
       const action = readStringParam(params, "action", {
@@ -366,6 +372,9 @@ export function createMessageTool(options?: MessageToolOptions): AnyAgentTool {
               currentThreadTs: options?.currentThreadTs,
               replyToMode: options?.replyToMode,
               hasRepliedRef: options?.hasRepliedRef,
+              // Direct tool invocations should not add cross-context decoration.
+              // The agent is composing a message, not forwarding from another chat.
+              skipCrossContextDecoration: true,
             }
           : undefined;
 
@@ -379,6 +388,7 @@ export function createMessageTool(options?: MessageToolOptions): AnyAgentTool {
         agentId: options?.agentSessionKey
           ? resolveSessionAgentId({ sessionKey: options.agentSessionKey, config: cfg })
           : undefined,
+        abortSignal: signal,
       });
 
       const toolResult = getToolResult(result);

src/auto-reply/model.test.ts

@@ -10,11 +10,17 @@ describe("extractModelDirective", () => {
       expect(result.cleaned).toBe("");
     });
 
-    it("extracts /models with argument", () => {
+    it("does not treat /models as a /model directive", () => {
       const result = extractModelDirective("/models gpt-5");
-      expect(result.hasDirective).toBe(true);
-      expect(result.rawModel).toBe("gpt-5");
-      expect(result.cleaned).toBe("");
+      expect(result.hasDirective).toBe(false);
+      expect(result.rawModel).toBeUndefined();
+      expect(result.cleaned).toBe("/models gpt-5");
+    });
+
+    it("does not parse /models as a /model directive (no args)", () => {
+      const result = extractModelDirective("/models");
+      expect(result.hasDirective).toBe(false);
+      expect(result.cleaned).toBe("/models");
     });
 
     it("extracts /model with provider/model format", () => {

src/auto-reply/model.ts

@@ -14,7 +14,7 @@ export function extractModelDirective(
   if (!body) return { cleaned: "", hasDirective: false };
 
   const modelMatch = body.match(
-    /(?:^|\s)\/models?(?=$|\s|:)\s*:?\s*([A-Za-z0-9_.:@-]+(?:\/[A-Za-z0-9_.:@-]+)*)?/i,
+    /(?:^|\s)\/model(?=$|\s|:)\s*:?\s*([A-Za-z0-9_.:@-]+(?:\/[A-Za-z0-9_.:@-]+)*)?/i,
   );
 
   const aliases = (options?.aliases ?? []).map((alias) => alias.trim()).filter(Boolean);

src/channels/plugins/types.core.ts

@@ -240,6 +240,12 @@ export type ChannelThreadingToolContext = {
   currentThreadTs?: string;
   replyToMode?: "off" | "first" | "all";
   hasRepliedRef?: { value: boolean };
+  /**
+   * When true, skip cross-context decoration (e.g., "[from X]" prefix).
+   * Use this for direct tool invocations where the agent is composing a new message,
+   * not forwarding/relaying a message from another conversation.
+   */
+  skipCrossContextDecoration?: boolean;
 };
 
 export type ChannelMessagingAdapter = {

src/cli/daemon-cli/install.ts

@@ -100,6 +100,7 @@ export async function runDaemonInstall(opts: DaemonInstallOptions) {
       if (json) warnings.push(message);
       else defaultRuntime.log(message);
     },
+    config: cfg,
   });
 
   try {

src/commands/configure.daemon.ts

@@ -11,6 +11,7 @@ import {
 } from "./daemon-runtime.js";
 import { guardCancel } from "./onboard-helpers.js";
 import { ensureSystemdUserLingerInteractive } from "./systemd-linger.js";
+import { loadConfig } from "../config/config.js";
 
 export async function maybeInstallDaemon(params: {
   runtime: RuntimeEnv;
@@ -81,12 +82,14 @@ export async function maybeInstallDaemon(params: {
 
         progress.setLabel("Preparing Gateway service…");
 
+        const cfg = loadConfig();
         const { programArguments, workingDirectory, environment } = await buildGatewayInstallPlan({
           env: process.env,
           port: params.port,
           token: params.gatewayToken,
           runtime: daemonRuntime,
           warn: (message, title) => note(message, title),
+          config: cfg,
         });
 
         progress.setLabel("Installing Gateway service…");

src/commands/daemon-install-helpers.test.ts

@@ -95,6 +95,140 @@ describe("buildGatewayInstallPlan", () => {
     expect(warn).toHaveBeenCalledWith("Node too old", "Gateway runtime");
     expect(mocks.resolvePreferredNodePath).toHaveBeenCalled();
   });
+
+  it("merges config env vars into the environment", async () => {
+    mocks.resolvePreferredNodePath.mockResolvedValue("/opt/node");
+    mocks.resolveGatewayProgramArguments.mockResolvedValue({
+      programArguments: ["node", "gateway"],
+      workingDirectory: "/Users/me",
+    });
+    mocks.resolveSystemNodeInfo.mockResolvedValue({
+      path: "/opt/node",
+      version: "22.0.0",
+      supported: true,
+    });
+    mocks.buildServiceEnvironment.mockReturnValue({
+      CLAWDBOT_PORT: "3000",
+      HOME: "/Users/me",
+    });
+
+    const plan = await buildGatewayInstallPlan({
+      env: {},
+      port: 3000,
+      runtime: "node",
+      config: {
+        env: {
+          vars: {
+            GOOGLE_API_KEY: "test-key",
+          },
+          CUSTOM_VAR: "custom-value",
+        },
+      },
+    });
+
+    // Config env vars should be present
+    expect(plan.environment.GOOGLE_API_KEY).toBe("test-key");
+    expect(plan.environment.CUSTOM_VAR).toBe("custom-value");
+    // Service environment vars should take precedence
+    expect(plan.environment.CLAWDBOT_PORT).toBe("3000");
+    expect(plan.environment.HOME).toBe("/Users/me");
+  });
+
+  it("does not include empty config env values", async () => {
+    mocks.resolvePreferredNodePath.mockResolvedValue("/opt/node");
+    mocks.resolveGatewayProgramArguments.mockResolvedValue({
+      programArguments: ["node", "gateway"],
+      workingDirectory: "/Users/me",
+    });
+    mocks.resolveSystemNodeInfo.mockResolvedValue({
+      path: "/opt/node",
+      version: "22.0.0",
+      supported: true,
+    });
+    mocks.buildServiceEnvironment.mockReturnValue({ CLAWDBOT_PORT: "3000" });
+
+    const plan = await buildGatewayInstallPlan({
+      env: {},
+      port: 3000,
+      runtime: "node",
+      config: {
+        env: {
+          vars: {
+            VALID_KEY: "valid",
+            EMPTY_KEY: "",
+          },
+        },
+      },
+    });
+
+    expect(plan.environment.VALID_KEY).toBe("valid");
+    expect(plan.environment.EMPTY_KEY).toBeUndefined();
+  });
+
+  it("drops whitespace-only config env values", async () => {
+    mocks.resolvePreferredNodePath.mockResolvedValue("/opt/node");
+    mocks.resolveGatewayProgramArguments.mockResolvedValue({
+      programArguments: ["node", "gateway"],
+      workingDirectory: "/Users/me",
+    });
+    mocks.resolveSystemNodeInfo.mockResolvedValue({
+      path: "/opt/node",
+      version: "22.0.0",
+      supported: true,
+    });
+    mocks.buildServiceEnvironment.mockReturnValue({});
+
+    const plan = await buildGatewayInstallPlan({
+      env: {},
+      port: 3000,
+      runtime: "node",
+      config: {
+        env: {
+          vars: {
+            VALID_KEY: "valid",
+          },
+          TRIMMED_KEY: "  ",
+        },
+      },
+    });
+
+    expect(plan.environment.VALID_KEY).toBe("valid");
+    expect(plan.environment.TRIMMED_KEY).toBeUndefined();
+  });
+
+  it("keeps service env values over config env vars", async () => {
+    mocks.resolvePreferredNodePath.mockResolvedValue("/opt/node");
+    mocks.resolveGatewayProgramArguments.mockResolvedValue({
+      programArguments: ["node", "gateway"],
+      workingDirectory: "/Users/me",
+    });
+    mocks.resolveSystemNodeInfo.mockResolvedValue({
+      path: "/opt/node",
+      version: "22.0.0",
+      supported: true,
+    });
+    mocks.buildServiceEnvironment.mockReturnValue({
+      HOME: "/Users/service",
+      CLAWDBOT_PORT: "3000",
+    });
+
+    const plan = await buildGatewayInstallPlan({
+      env: {},
+      port: 3000,
+      runtime: "node",
+      config: {
+        env: {
+          HOME: "/Users/config",
+          vars: {
+            CLAWDBOT_PORT: "9999",
+          },
+        },
+      },
+    });
+
+    expect(plan.environment.HOME).toBe("/Users/service");
+    expect(plan.environment.CLAWDBOT_PORT).toBe("3000");
+  });
 });
 
 describe("gatewayInstallErrorHint", () => {

src/commands/daemon-install-helpers.ts

@@ -7,6 +7,8 @@ import {
 } from "../daemon/runtime-paths.js";
 import { buildServiceEnvironment } from "../daemon/service-env.js";
 import { formatCliCommand } from "../cli/command-format.js";
+import { collectConfigEnvVars } from "../config/env-vars.js";
+import type { ClawdbotConfig } from "../config/types.js";
 import type { GatewayDaemonRuntime } from "./daemon-runtime.js";
 
 type WarnFn = (message: string, title?: string) => void;
@@ -31,6 +33,8 @@ export async function buildGatewayInstallPlan(params: {
   devMode?: boolean;
   nodePath?: string;
   warn?: WarnFn;
+  /** Full config to extract env vars from (env vars + inline env keys). */
+  config?: ClawdbotConfig;
 }): Promise<GatewayInstallPlan> {
   const devMode = params.devMode ?? resolveGatewayDevMode();
   const nodePath =
@@ -50,7 +54,7 @@ export async function buildGatewayInstallPlan(params: {
     const warning = renderSystemNodeWarning(systemNode, programArguments[0]);
     if (warning) params.warn?.(warning, "Gateway runtime");
   }
-  const environment = buildServiceEnvironment({
+  const serviceEnvironment = buildServiceEnvironment({
     env: params.env,
     port: params.port,
     token: params.token,
@@ -60,6 +64,13 @@ export async function buildGatewayInstallPlan(params: {
         : undefined,
   });
 
+  // Merge config env vars into the service environment (vars + inline env keys).
+  // Config env vars are added first so service-specific vars take precedence.
+  const environment: Record<string, string | undefined> = {
+    ...collectConfigEnvVars(params.config),
+  };
+  Object.assign(environment, serviceEnvironment);
+
   return { programArguments, workingDirectory, environment };
 }
 

src/commands/doctor-gateway-daemon-flow.ts

@@ -161,6 +161,7 @@ export async function maybeRepairGatewayDaemon(params: {
           token: params.cfg.gateway?.auth?.token ?? process.env.CLAWDBOT_GATEWAY_TOKEN,
           runtime: daemonRuntime,
           warn: (message, title) => note(message, title),
+          config: params.cfg,
         });
         try {
           await service.install({

src/commands/doctor-gateway-services.ts

@@ -110,6 +110,7 @@ export async function maybeMigrateLegacyGatewayService(
     token: cfg.gateway?.auth?.token ?? process.env.CLAWDBOT_GATEWAY_TOKEN,
     runtime: daemonRuntime,
     warn: (message, title) => note(message, title),
+    config: cfg,
   });
   try {
     await service.install({
@@ -177,6 +178,7 @@ export async function maybeRepairGatewayServiceConfig(
     runtime: needsNodeRuntime && systemNodePath ? "node" : runtimeChoice,
     nodePath: systemNodePath ?? undefined,
     warn: (message, title) => note(message, title),
+    config: cfg,
   });
   const expectedEntrypoint = findGatewayEntrypoint(programArguments);
   const currentEntrypoint = findGatewayEntrypoint(command.programArguments);

src/commands/onboard-non-interactive/local/daemon-install.ts

@@ -38,6 +38,7 @@ export async function installGatewayDaemonNonInteractive(params: {
     token: gatewayToken,
     runtime: daemonRuntimeRaw,
     warn: (message) => runtime.log(message),
+    config: params.nextConfig,
   });
   try {
     await service.install({

src/config/env-vars.ts

@@ -0,0 +1,23 @@
+import type { ClawdbotConfig } from "./types.js";
+
+export function collectConfigEnvVars(cfg?: ClawdbotConfig): Record<string, string> {
+  const envConfig = cfg?.env;
+  if (!envConfig) return {};
+
+  const entries: Record<string, string> = {};
+
+  if (envConfig.vars) {
+    for (const [key, value] of Object.entries(envConfig.vars)) {
+      if (!value) continue;
+      entries[key] = value;
+    }
+  }
+
+  for (const [key, value] of Object.entries(envConfig)) {
+    if (key === "shellEnv" || key === "vars") continue;
+    if (typeof value !== "string" || !value.trim()) continue;
+    entries[key] = value;
+  }
+
+  return entries;
+}

src/config/io.ts

@@ -24,6 +24,7 @@ import {
 } from "./defaults.js";
 import { VERSION } from "../version.js";
 import { MissingEnvVarError, resolveConfigEnvVars } from "./env-substitution.js";
+import { collectConfigEnvVars } from "./env-vars.js";
 import { ConfigIncludeError, resolveConfigIncludes } from "./includes.js";
 import { findLegacyConfigIssues } from "./legacy.js";
 import { normalizeConfigPaths } from "./normalize-paths.js";
@@ -149,24 +150,7 @@ function warnIfConfigFromFuture(cfg: ClawdbotConfig, logger: Pick<typeof console
 }
 
 function applyConfigEnv(cfg: ClawdbotConfig, env: NodeJS.ProcessEnv): void {
-  const envConfig = cfg.env;
-  if (!envConfig) return;
-
-  const entries: Record<string, string> = {};
-
-  if (envConfig.vars) {
-    for (const [key, value] of Object.entries(envConfig.vars)) {
-      if (!value) continue;
-      entries[key] = value;
-    }
-  }
-
-  for (const [key, value] of Object.entries(envConfig)) {
-    if (key === "shellEnv" || key === "vars") continue;
-    if (typeof value !== "string" || !value.trim()) continue;
-    entries[key] = value;
-  }
-
+  const entries = collectConfigEnvVars(cfg);
   for (const [key, value] of Object.entries(entries)) {
     if (env[key]?.trim()) continue;
     env[key] = value;

src/config/schema.ts

@@ -107,6 +107,7 @@ const FIELD_LABELS: Record<string, string> = {
   "update.channel": "Update Channel",
   "update.checkOnStart": "Update Check on Start",
   "diagnostics.enabled": "Diagnostics Enabled",
+  "diagnostics.flags": "Diagnostics Flags",
   "diagnostics.otel.enabled": "OpenTelemetry Enabled",
   "diagnostics.otel.endpoint": "OpenTelemetry Endpoint",
   "diagnostics.otel.protocol": "OpenTelemetry Protocol",
@@ -388,6 +389,8 @@ const FIELD_HELP: Record<string, string> = {
   "nodeHost.browserProxy.enabled": "Expose the local browser control server via node proxy.",
   "nodeHost.browserProxy.allowProfiles":
     "Optional allowlist of browser profile names exposed via the node proxy.",
+  "diagnostics.flags":
+    'Enable targeted diagnostics logs by flag (e.g. ["telegram.http"]). Supports wildcards like "telegram.*" or "*".',
   "diagnostics.cacheTrace.enabled":
     "Log cache trace snapshots for embedded agent runs (default: false).",
   "diagnostics.cacheTrace.filePath":

src/config/types.base.ts

@@ -135,6 +135,8 @@ export type DiagnosticsCacheTraceConfig = {
 
 export type DiagnosticsConfig = {
   enabled?: boolean;
+  /** Optional ad-hoc diagnostics flags (e.g. "telegram.http"). */
+  flags?: string[];
   otel?: DiagnosticsOtelConfig;
   cacheTrace?: DiagnosticsCacheTraceConfig;
 };

src/config/zod-schema.ts

@@ -62,6 +62,7 @@ export const ClawdbotSchema = z
     diagnostics: z
       .object({
         enabled: z.boolean().optional(),
+        flags: z.array(z.string()).optional(),
         otel: z
           .object({
             enabled: z.boolean().optional(),

src/gateway/server.impl.ts

@@ -14,6 +14,7 @@ import {
   writeConfigFile,
 } from "../config/config.js";
 import { isDiagnosticsEnabled } from "../infra/diagnostic-events.js";
+import { logAcceptedEnvOption } from "../infra/env.js";
 import { applyPluginAutoEnable } from "../config/plugin-auto-enable.js";
 import { clearAgentRunContext, onAgentEvent } from "../infra/agent-events.js";
 import { onHeartbeatEvent } from "../infra/heartbeat-events.js";
@@ -149,6 +150,14 @@ export async function startGatewayServer(
 ): Promise<GatewayServer> {
   // Ensure all default port derivations (browser/canvas) see the actual runtime port.
   process.env.CLAWDBOT_GATEWAY_PORT = String(port);
+  logAcceptedEnvOption({
+    key: "CLAWDBOT_RAW_STREAM",
+    description: "raw stream logging enabled",
+  });
+  logAcceptedEnvOption({
+    key: "CLAWDBOT_RAW_STREAM_PATH",
+    description: "raw stream log path override",
+  });
 
   let configSnapshot = await readConfigFileSnapshot();
   if (configSnapshot.legacyIssues.length > 0) {

src/infra/diagnostic-flags.test.ts

@@ -0,0 +1,31 @@
+import { describe, expect, it } from "vitest";
+
+import type { ClawdbotConfig } from "../config/config.js";
+import { isDiagnosticFlagEnabled, resolveDiagnosticFlags } from "./diagnostic-flags.js";
+
+describe("diagnostic flags", () => {
+  it("merges config + env flags", () => {
+    const cfg = {
+      diagnostics: { flags: ["telegram.http", "cache.*"] },
+    } as ClawdbotConfig;
+    const env = {
+      CLAWDBOT_DIAGNOSTICS: "foo,bar",
+    } as NodeJS.ProcessEnv;
+
+    const flags = resolveDiagnosticFlags(cfg, env);
+    expect(flags).toEqual(expect.arrayContaining(["telegram.http", "cache.*", "foo", "bar"]));
+    expect(isDiagnosticFlagEnabled("telegram.http", cfg, env)).toBe(true);
+    expect(isDiagnosticFlagEnabled("cache.hit", cfg, env)).toBe(true);
+    expect(isDiagnosticFlagEnabled("foo", cfg, env)).toBe(true);
+  });
+
+  it("treats env true as wildcard", () => {
+    const env = { CLAWDBOT_DIAGNOSTICS: "1" } as NodeJS.ProcessEnv;
+    expect(isDiagnosticFlagEnabled("anything.here", undefined, env)).toBe(true);
+  });
+
+  it("treats env false as disabled", () => {
+    const env = { CLAWDBOT_DIAGNOSTICS: "0" } as NodeJS.ProcessEnv;
+    expect(isDiagnosticFlagEnabled("telegram.http", undefined, env)).toBe(false);
+  });
+});

src/infra/diagnostic-flags.ts

@@ -0,0 +1,70 @@
+import type { ClawdbotConfig } from "../config/config.js";
+
+const DIAGNOSTICS_ENV = "CLAWDBOT_DIAGNOSTICS";
+
+function normalizeFlag(value: string): string {
+  return value.trim().toLowerCase();
+}
+
+function parseEnvFlags(raw?: string): string[] {
+  if (!raw) return [];
+  const trimmed = raw.trim();
+  if (!trimmed) return [];
+  const lowered = trimmed.toLowerCase();
+  if (["0", "false", "off", "none"].includes(lowered)) return [];
+  if (["1", "true", "all", "*"].includes(lowered)) return ["*"];
+  return trimmed
+    .split(/[,\s]+/)
+    .map(normalizeFlag)
+    .filter(Boolean);
+}
+
+function uniqueFlags(flags: string[]): string[] {
+  const seen = new Set<string>();
+  const out: string[] = [];
+  for (const flag of flags) {
+    const normalized = normalizeFlag(flag);
+    if (!normalized || seen.has(normalized)) continue;
+    seen.add(normalized);
+    out.push(normalized);
+  }
+  return out;
+}
+
+export function resolveDiagnosticFlags(
+  cfg?: ClawdbotConfig,
+  env: NodeJS.ProcessEnv = process.env,
+): string[] {
+  const configFlags = Array.isArray(cfg?.diagnostics?.flags) ? cfg?.diagnostics?.flags : [];
+  const envFlags = parseEnvFlags(env[DIAGNOSTICS_ENV]);
+  return uniqueFlags([...configFlags, ...envFlags]);
+}
+
+export function matchesDiagnosticFlag(flag: string, enabledFlags: string[]): boolean {
+  const target = normalizeFlag(flag);
+  if (!target) return false;
+  for (const raw of enabledFlags) {
+    const enabled = normalizeFlag(raw);
+    if (!enabled) continue;
+    if (enabled === "*" || enabled === "all") return true;
+    if (enabled.endsWith(".*")) {
+      const prefix = enabled.slice(0, -2);
+      if (target === prefix || target.startsWith(`${prefix}.`)) return true;
+    }
+    if (enabled.endsWith("*")) {
+      const prefix = enabled.slice(0, -1);
+      if (target.startsWith(prefix)) return true;
+    }
+    if (enabled === target) return true;
+  }
+  return false;
+}
+
+export function isDiagnosticFlagEnabled(
+  flag: string,
+  cfg?: ClawdbotConfig,
+  env: NodeJS.ProcessEnv = process.env,
+): boolean {
+  const flags = resolveDiagnosticFlags(cfg, env);
+  return matchesDiagnosticFlag(flag, flags);
+}

src/infra/env.ts

@@ -1,5 +1,32 @@
+import { createSubsystemLogger } from "../logging/subsystem.js";
 import { parseBooleanValue } from "../utils/boolean.js";
 
+const log = createSubsystemLogger("env");
+const loggedEnv = new Set<string>();
+
+type AcceptedEnvOption = {
+  key: string;
+  description: string;
+  value?: string;
+  redact?: boolean;
+};
+
+function formatEnvValue(value: string, redact?: boolean): string {
+  if (redact) return "<redacted>";
+  const singleLine = value.replace(/\s+/g, " ").trim();
+  if (singleLine.length <= 160) return singleLine;
+  return `${singleLine.slice(0, 160)}…`;
+}
+
+export function logAcceptedEnvOption(option: AcceptedEnvOption): void {
+  if (process.env.VITEST || process.env.NODE_ENV === "test") return;
+  if (loggedEnv.has(option.key)) return;
+  const rawValue = option.value ?? process.env[option.key];
+  if (!rawValue || !rawValue.trim()) return;
+  loggedEnv.add(option.key);
+  log.info(`env: ${option.key}=${formatEnvValue(rawValue, option.redact)} (${option.description})`);
+}
+
 export function normalizeZaiEnv(): void {
   if (!process.env.ZAI_API_KEY?.trim() && process.env.Z_AI_API_KEY?.trim()) {
     process.env.ZAI_API_KEY = process.env.Z_AI_API_KEY;

src/infra/outbound/message-action-runner.test.ts

@@ -321,6 +321,44 @@ describe("runMessageAction context isolation", () => {
       }),
     ).rejects.toThrow(/Cross-context messaging denied/);
   });
+
+  it("aborts send when abortSignal is already aborted", async () => {
+    const controller = new AbortController();
+    controller.abort();
+
+    await expect(
+      runMessageAction({
+        cfg: slackConfig,
+        action: "send",
+        params: {
+          channel: "slack",
+          target: "#C12345678",
+          message: "hi",
+        },
+        dryRun: true,
+        abortSignal: controller.signal,
+      }),
+    ).rejects.toMatchObject({ name: "AbortError" });
+  });
+
+  it("aborts broadcast when abortSignal is already aborted", async () => {
+    const controller = new AbortController();
+    controller.abort();
+
+    await expect(
+      runMessageAction({
+        cfg: slackConfig,
+        action: "broadcast",
+        params: {
+          targets: ["channel:C12345678"],
+          channel: "slack",
+          message: "hi",
+        },
+        dryRun: true,
+        abortSignal: controller.signal,
+      }),
+    ).rejects.toMatchObject({ name: "AbortError" });
+  });
 });
 
 describe("runMessageAction sendAttachment hydration", () => {

src/infra/outbound/message-action-runner.ts

@@ -64,6 +64,7 @@ export type RunMessageActionParams = {
   sessionKey?: string;
   agentId?: string;
   dryRun?: boolean;
+  abortSignal?: AbortSignal;
 };
 
 export type MessageActionRunResult =
@@ -507,6 +508,7 @@ type ResolvedActionContext = {
   input: RunMessageActionParams;
   agentId?: string;
   resolvedTarget?: ResolvedMessagingTarget;
+  abortSignal?: AbortSignal;
 };
 function resolveGateway(input: RunMessageActionParams): MessageActionRunnerGateway | undefined {
   if (!input.gateway) return undefined;
@@ -524,6 +526,7 @@ async function handleBroadcastAction(
   input: RunMessageActionParams,
   params: Record<string, unknown>,
 ): Promise<MessageActionRunResult> {
+  throwIfAborted(input.abortSignal);
   const broadcastEnabled = input.cfg.tools?.message?.broadcast?.enabled !== false;
   if (!broadcastEnabled) {
     throw new Error("Broadcast is disabled. Set tools.message.broadcast.enabled to true.");
@@ -548,8 +551,11 @@ async function handleBroadcastAction(
     error?: string;
     result?: MessageSendResult;
   }> = [];
+  const isAbortError = (err: unknown): boolean => err instanceof Error && err.name === "AbortError";
   for (const targetChannel of targetChannels) {
+    throwIfAborted(input.abortSignal);
     for (const target of rawTargets) {
+      throwIfAborted(input.abortSignal);
       try {
         const resolved = await resolveChannelTarget({
           cfg: input.cfg,
@@ -573,6 +579,7 @@ async function handleBroadcastAction(
           result: sendResult.kind === "send" ? sendResult.sendResult : undefined,
         });
       } catch (err) {
+        if (isAbortError(err)) throw err;
         results.push({
           channel: targetChannel,
           to: target,
@@ -592,8 +599,28 @@ async function handleBroadcastAction(
   };
 }
 
+function throwIfAborted(abortSignal?: AbortSignal): void {
+  if (abortSignal?.aborted) {
+    const err = new Error("Message send aborted");
+    err.name = "AbortError";
+    throw err;
+  }
+}
+
 async function handleSendAction(ctx: ResolvedActionContext): Promise<MessageActionRunResult> {
-  const { cfg, params, channel, accountId, dryRun, gateway, input, agentId, resolvedTarget } = ctx;
+  const {
+    cfg,
+    params,
+    channel,
+    accountId,
+    dryRun,
+    gateway,
+    input,
+    agentId,
+    resolvedTarget,
+    abortSignal,
+  } = ctx;
+  throwIfAborted(abortSignal);
   const action: ChannelMessageActionName = "send";
   const to = readStringParam(params, "to", { required: true });
   // Support media, path, and filePath parameters for attachments
@@ -676,6 +703,7 @@ async function handleSendAction(ctx: ResolvedActionContext): Promise<MessageActi
   }
   const mirrorMediaUrls =
     mergedMediaUrls.length > 0 ? mergedMediaUrls : mediaUrl ? [mediaUrl] : undefined;
+  throwIfAborted(abortSignal);
   const send = await executeSendAction({
     ctx: {
       cfg,
@@ -695,6 +723,7 @@ async function handleSendAction(ctx: ResolvedActionContext): Promise<MessageActi
               mediaUrls: mirrorMediaUrls,
             }
           : undefined,
+      abortSignal,
     },
     to,
     message,
@@ -718,7 +747,8 @@ async function handleSendAction(ctx: ResolvedActionContext): Promise<MessageActi
 }
 
 async function handlePollAction(ctx: ResolvedActionContext): Promise<MessageActionRunResult> {
-  const { cfg, params, channel, accountId, dryRun, gateway, input } = ctx;
+  const { cfg, params, channel, accountId, dryRun, gateway, input, abortSignal } = ctx;
+  throwIfAborted(abortSignal);
   const action: ChannelMessageActionName = "poll";
   const to = readStringParam(params, "to", { required: true });
   const question = readStringParam(params, "pollQuestion", {
@@ -777,7 +807,8 @@ async function handlePollAction(ctx: ResolvedActionContext): Promise<MessageActi
 }
 
 async function handlePluginAction(ctx: ResolvedActionContext): Promise<MessageActionRunResult> {
-  const { cfg, params, channel, accountId, dryRun, gateway, input } = ctx;
+  const { cfg, params, channel, accountId, dryRun, gateway, input, abortSignal } = ctx;
+  throwIfAborted(abortSignal);
   const action = input.action as Exclude<ChannelMessageActionName, "send" | "poll" | "broadcast">;
   if (dryRun) {
     return {
@@ -930,6 +961,7 @@ export async function runMessageAction(
       input,
       agentId: resolvedAgentId,
       resolvedTarget,
+      abortSignal: input.abortSignal,
     });
   }
 
@@ -942,6 +974,7 @@ export async function runMessageAction(
       dryRun,
       gateway,
       input,
+      abortSignal: input.abortSignal,
     });
   }
 
@@ -953,5 +986,6 @@ export async function runMessageAction(
     dryRun,
     gateway,
     input,
+    abortSignal: input.abortSignal,
   });
 }

src/infra/outbound/message.ts

@@ -50,6 +50,7 @@ type MessageSendParams = {
     text?: string;
     mediaUrls?: string[];
   };
+  abortSignal?: AbortSignal;
 };
 
 export type MessageSendResult = {
@@ -167,6 +168,7 @@ export async function sendMessage(params: MessageSendParams): Promise<MessageSen
       gifPlayback: params.gifPlayback,
       deps: params.deps,
       bestEffort: params.bestEffort,
+      abortSignal: params.abortSignal,
       mirror: params.mirror
         ? {
             ...params.mirror,

src/infra/outbound/outbound-policy.ts

@@ -119,6 +119,8 @@ export async function buildCrossContextDecoration(params: {
   accountId?: string | null;
 }): Promise<CrossContextDecoration | null> {
   if (!params.toolContext?.currentChannelId) return null;
+  // Skip decoration for direct tool sends (agent composing, not forwarding)
+  if (params.toolContext.skipCrossContextDecoration) return null;
   if (!isCrossContextTarget(params)) return null;
 
   const markerConfig = params.cfg.tools?.message?.crossContext?.marker;
@@ -131,11 +133,11 @@ export async function buildCrossContextDecoration(params: {
       targetId: params.toolContext.currentChannelId,
       accountId: params.accountId ?? undefined,
     })) ?? params.toolContext.currentChannelId;
+  // Don't force group formatting here; currentChannelId can be a DM or a group.
   const originLabel = formatTargetDisplay({
     channel: params.channel,
     target: params.toolContext.currentChannelId,
     display: currentName,
-    kind: "group",
   });
   const prefixTemplate = markerConfig?.prefix ?? "[from {channel}] ";
   const suffixTemplate = markerConfig?.suffix ?? "";

src/infra/outbound/outbound-send-service.ts

@@ -32,6 +32,7 @@ export type OutboundSendContext = {
     text?: string;
     mediaUrls?: string[];
   };
+  abortSignal?: AbortSignal;
 };
 
 function extractToolPayload(result: AgentToolResult<unknown>): unknown {
@@ -56,6 +57,14 @@ function extractToolPayload(result: AgentToolResult<unknown>): unknown {
   return result.content ?? result;
 }
 
+function throwIfAborted(abortSignal?: AbortSignal): void {
+  if (abortSignal?.aborted) {
+    const err = new Error("Message send aborted");
+    err.name = "AbortError";
+    throw err;
+  }
+}
+
 export async function executeSendAction(params: {
   ctx: OutboundSendContext;
   to: string;
@@ -70,6 +79,7 @@ export async function executeSendAction(params: {
   toolResult?: AgentToolResult<unknown>;
   sendResult?: MessageSendResult;
 }> {
+  throwIfAborted(params.ctx.abortSignal);
   if (!params.ctx.dryRun) {
     const handled = await dispatchChannelMessageAction({
       channel: params.ctx.channel,
@@ -103,6 +113,7 @@ export async function executeSendAction(params: {
     }
   }
 
+  throwIfAborted(params.ctx.abortSignal);
   const result: MessageSendResult = await sendMessage({
     cfg: params.ctx.cfg,
     to: params.to,
@@ -117,6 +128,7 @@ export async function executeSendAction(params: {
     deps: params.ctx.deps,
     gateway: params.ctx.gateway,
     mirror: params.ctx.mirror,
+    abortSignal: params.ctx.abortSignal,
   });
 
   return {

src/infra/outbound/target-resolver.ts

@@ -100,7 +100,12 @@ export function formatTargetDisplay(params: {
   if (!trimmedTarget) return trimmedTarget;
   if (trimmedTarget.startsWith("#") || trimmedTarget.startsWith("@")) return trimmedTarget;
 
-  const withoutPrefix = trimmedTarget.replace(/^telegram:/i, "");
+  const channelPrefix = `${params.channel}:`;
+  const withoutProvider = trimmedTarget.toLowerCase().startsWith(channelPrefix)
+    ? trimmedTarget.slice(channelPrefix.length)
+    : trimmedTarget;
+
+  const withoutPrefix = withoutProvider.replace(/^telegram:/i, "");
   if (/^channel:/i.test(withoutPrefix)) {
     return `#${withoutPrefix.replace(/^channel:/i, "")}`;
   }
@@ -119,14 +124,23 @@ function preserveTargetCase(channel: ChannelId, raw: string, normalized: string)
   return trimmed;
 }
 
-function detectTargetKind(raw: string, preferred?: TargetResolveKind): TargetResolveKind {
+function detectTargetKind(
+  channel: ChannelId,
+  raw: string,
+  preferred?: TargetResolveKind,
+): TargetResolveKind {
   if (preferred) return preferred;
   const trimmed = raw.trim();
   if (!trimmed) return "group";
+
   if (trimmed.startsWith("@") || /^<@!?/.test(trimmed) || /^user:/i.test(trimmed)) return "user";
-  if (trimmed.startsWith("#") || /^channel:/i.test(trimmed)) {
-    return "group";
+  if (trimmed.startsWith("#") || /^channel:/i.test(trimmed)) return "group";
+
+  // For some channels (e.g., BlueBubbles/iMessage), bare phone numbers are almost always DM targets.
+  if ((channel === "bluebubbles" || channel === "imessage") && /^\+?\d{6,}$/.test(trimmed)) {
+    return "user";
   }
+
   return "group";
 }
 
@@ -282,7 +296,7 @@ export async function resolveMessagingTarget(params: {
   const plugin = getChannelPlugin(params.channel);
   const providerLabel = plugin?.meta?.label ?? params.channel;
   const hint = plugin?.messaging?.targetResolver?.hint;
-  const kind = detectTargetKind(raw, params.preferredKind);
+  const kind = detectTargetKind(params.channel, raw, params.preferredKind);
   const normalized = normalizeTargetForProvider(params.channel, raw) ?? raw;
   const looksLikeTargetId = (): boolean => {
     const trimmed = raw.trim();
@@ -291,7 +305,12 @@ export async function resolveMessagingTarget(params: {
     if (lookup) return lookup(trimmed, normalized);
     if (/^(channel|group|user):/i.test(trimmed)) return true;
     if (/^[@#]/.test(trimmed)) return true;
-    if (/^\+?\d{6,}$/.test(trimmed)) return true;
+    if (/^\+?\d{6,}$/.test(trimmed)) {
+      // BlueBubbles/iMessage phone numbers should usually resolve via the directory to a DM chat,
+      // otherwise the provider may pick an existing group containing that handle.
+      if (params.channel === "bluebubbles" || params.channel === "imessage") return false;
+      return true;
+    }
     if (trimmed.includes("@thread")) return true;
     if (/^(conversation|user):/i.test(trimmed)) return true;
     return false;
@@ -353,6 +372,24 @@ export async function resolveMessagingTarget(params: {
       candidates: match.entries,
     };
   }
+  // For iMessage-style channels, allow sending directly to the normalized handle
+  // even if the directory doesn't contain an entry yet.
+  if (
+    (params.channel === "bluebubbles" || params.channel === "imessage") &&
+    /^\+?\d{6,}$/.test(query)
+  ) {
+    const directTarget = preserveTargetCase(params.channel, raw, normalized);
+    return {
+      ok: true,
+      target: {
+        to: directTarget,
+        kind,
+        display: stripTargetPrefixes(raw),
+        source: "normalized",
+      },
+    };
+  }
+
   return {
     ok: false,
     error: unknownTargetError(providerLabel, raw, hint),
@@ -367,16 +404,32 @@ export async function lookupDirectoryDisplay(params: {
   runtime?: RuntimeEnv;
 }): Promise<string | undefined> {
   const normalized = normalizeTargetForProvider(params.channel, params.targetId) ?? params.targetId;
-  const candidates = await getDirectoryEntries({
-    cfg: params.cfg,
-    channel: params.channel,
-    accountId: params.accountId,
-    kind: "group",
-    runtime: params.runtime,
-    preferLiveOnMiss: false,
-  });
-  const entry = candidates.find(
-    (candidate) => normalizeDirectoryEntryId(params.channel, candidate) === normalized,
-  );
+
+  // Targets can resolve to either peers (DMs) or groups. Try both.
+  const [groups, users] = await Promise.all([
+    getDirectoryEntries({
+      cfg: params.cfg,
+      channel: params.channel,
+      accountId: params.accountId,
+      kind: "group",
+      runtime: params.runtime,
+      preferLiveOnMiss: false,
+    }),
+    getDirectoryEntries({
+      cfg: params.cfg,
+      channel: params.channel,
+      accountId: params.accountId,
+      kind: "user",
+      runtime: params.runtime,
+      preferLiveOnMiss: false,
+    }),
+  ]);
+
+  const findMatch = (candidates: ChannelDirectoryEntry[]) =>
+    candidates.find(
+      (candidate) => normalizeDirectoryEntryId(params.channel, candidate) === normalized,
+    );
+
+  const entry = findMatch(groups) ?? findMatch(users);
   return entry?.name ?? entry?.handle ?? undefined;
 }

src/media-understanding/runner.ts

@@ -4,6 +4,11 @@ import os from "node:os";
 import path from "node:path";
 
 import type { ClawdbotConfig } from "../config/config.js";
+import {
+  findModelInCatalog,
+  loadModelCatalog,
+  modelSupportsVision,
+} from "../agents/model-catalog.js";
 import type { MsgContext } from "../auto-reply/templating.js";
 import { applyTemplate } from "../auto-reply/templating.js";
 import { requireApiKey, resolveApiKeyForProvider } from "../agents/model-auth.js";
@@ -1014,6 +1019,42 @@ export async function runCapability(params: {
     };
   }
 
+  // Skip image understanding when the primary model supports vision natively.
+  // The image will be injected directly into the model context instead.
+  const activeProvider = params.activeModel?.provider?.trim();
+  if (capability === "image" && activeProvider) {
+    const catalog = await loadModelCatalog({ config: cfg });
+    const entry = findModelInCatalog(catalog, activeProvider, params.activeModel?.model ?? "");
+    if (modelSupportsVision(entry)) {
+      if (shouldLogVerbose()) {
+        logVerbose("Skipping image understanding: primary model supports vision natively");
+      }
+      const model = params.activeModel?.model?.trim();
+      const reason = "primary model supports vision natively";
+      return {
+        outputs: [],
+        decision: {
+          capability,
+          outcome: "skipped",
+          attachments: selected.map((item) => {
+            const attempt = {
+              type: "provider" as const,
+              provider: activeProvider,
+              model: model || undefined,
+              outcome: "skipped" as const,
+              reason,
+            };
+            return {
+              attachmentIndex: item.index,
+              attempts: [attempt],
+              chosen: attempt,
+            };
+          }),
+        },
+      };
+    }
+  }
+
   const entries = resolveModelEntries({
     cfg,
     capability,

src/media-understanding/runner.vision-skip.test.ts

@@ -0,0 +1,61 @@
+import { describe, expect, it, vi } from "vitest";
+
+import type { MsgContext } from "../auto-reply/templating.js";
+import type { ClawdbotConfig } from "../config/config.js";
+import {
+  buildProviderRegistry,
+  createMediaAttachmentCache,
+  normalizeMediaAttachments,
+  runCapability,
+} from "./runner.js";
+
+const catalog = [
+  {
+    id: "gpt-4.1",
+    name: "GPT-4.1",
+    provider: "openai",
+    input: ["text", "image"] as const,
+  },
+];
+
+vi.mock("../agents/model-catalog.js", async () => {
+  const actual = await vi.importActual<typeof import("../agents/model-catalog.js")>(
+    "../agents/model-catalog.js",
+  );
+  return {
+    ...actual,
+    loadModelCatalog: vi.fn(async () => catalog),
+  };
+});
+
+describe("runCapability image skip", () => {
+  it("skips image understanding when the active model supports vision", async () => {
+    const ctx: MsgContext = { MediaPath: "/tmp/image.png", MediaType: "image/png" };
+    const media = normalizeMediaAttachments(ctx);
+    const cache = createMediaAttachmentCache(media);
+    const cfg = {} as ClawdbotConfig;
+
+    try {
+      const result = await runCapability({
+        capability: "image",
+        cfg,
+        ctx,
+        attachments: cache,
+        media,
+        providerRegistry: buildProviderRegistry(),
+        activeModel: { provider: "openai", model: "gpt-4.1" },
+      });
+
+      expect(result.outputs).toHaveLength(0);
+      expect(result.decision.outcome).toBe("skipped");
+      expect(result.decision.attachments).toHaveLength(1);
+      expect(result.decision.attachments[0]?.attachmentIndex).toBe(0);
+      expect(result.decision.attachments[0]?.attempts[0]?.outcome).toBe("skipped");
+      expect(result.decision.attachments[0]?.attempts[0]?.reason).toBe(
+        "primary model supports vision natively",
+      );
+    } finally {
+      await cache.cleanup();
+    }
+  });
+});

src/telegram/send.ts

@@ -4,13 +4,16 @@ import type {
   ReactionType,
   ReactionTypeEmoji,
 } from "@grammyjs/types";
-import { type ApiClientOptions, Bot, InputFile } from "grammy";
+import { type ApiClientOptions, Bot, HttpError, InputFile } from "grammy";
 import { loadConfig } from "../config/config.js";
 import { logVerbose } from "../globals.js";
 import { recordChannelActivity } from "../infra/channel-activity.js";
-import { formatErrorMessage } from "../infra/errors.js";
+import { formatErrorMessage, formatUncaughtError } from "../infra/errors.js";
+import { isDiagnosticFlagEnabled } from "../infra/diagnostic-flags.js";
 import type { RetryConfig } from "../infra/retry.js";
 import { createTelegramRetryRunner } from "../infra/retry-policy.js";
+import { redactSensitiveText } from "../logging/redact.js";
+import { createSubsystemLogger } from "../logging/subsystem.js";
 import { mediaKindFromMime } from "../media/constants.js";
 import { isGifMedia } from "../media/mime.js";
 import { loadWebMedia } from "../web/media.js";
@@ -59,6 +62,19 @@ type TelegramReactionOpts = {
 };
 
 const PARSE_ERR_RE = /can't parse entities|parse entities|find end of the entity/i;
+const diagLogger = createSubsystemLogger("telegram/diagnostic");
+
+function createTelegramHttpLogger(cfg: ReturnType<typeof loadConfig>) {
+  const enabled = isDiagnosticFlagEnabled("telegram.http", cfg);
+  if (!enabled) {
+    return () => {};
+  }
+  return (label: string, err: unknown) => {
+    if (!(err instanceof HttpError)) return;
+    const detail = redactSensitiveText(formatUncaughtError(err.error ?? err));
+    diagLogger.warn(`telegram http error (${label}): ${detail}`);
+  };
+}
 
 function resolveToken(explicit: string | undefined, params: { accountId: string; token: string }) {
   if (explicit?.trim()) return explicit.trim();
@@ -178,7 +194,12 @@ export async function sendMessageTelegram(
     configRetry: account.config.retry,
     verbose: opts.verbose,
   });
-
+  const logHttpError = createTelegramHttpLogger(cfg);
+  const requestWithDiag = <T>(fn: () => Promise<T>, label?: string) =>
+    request(fn, label).catch((err) => {
+      logHttpError(label ?? "request", err);
+      throw err;
+    });
   const wrapChatNotFound = (err: unknown) => {
     if (!/400: Bad Request: chat not found/i.test(formatErrorMessage(err))) return err;
     return new Error(
@@ -217,30 +238,31 @@ export async function sendMessageTelegram(
       parse_mode: "HTML" as const,
       ...baseParams,
     };
-    const res = await request(() => api.sendMessage(chatId, htmlText, sendParams), "message").catch(
-      async (err) => {
-        // Telegram rejects malformed HTML (e.g., unsupported tags or entities).
-        // When that happens, fall back to plain text so the message still delivers.
-        const errText = formatErrorMessage(err);
-        if (PARSE_ERR_RE.test(errText)) {
-          if (opts.verbose) {
-            console.warn(`telegram HTML parse failed, retrying as plain text: ${errText}`);
-          }
-          const fallback = fallbackText ?? rawText;
-          const plainParams = hasBaseParams ? baseParams : undefined;
-          return await request(
-            () =>
-              plainParams
-                ? api.sendMessage(chatId, fallback, plainParams)
-                : api.sendMessage(chatId, fallback),
-            "message-plain",
-          ).catch((err2) => {
-            throw wrapChatNotFound(err2);
-          });
+    const res = await requestWithDiag(
+      () => api.sendMessage(chatId, htmlText, sendParams),
+      "message",
+    ).catch(async (err) => {
+      // Telegram rejects malformed HTML (e.g., unsupported tags or entities).
+      // When that happens, fall back to plain text so the message still delivers.
+      const errText = formatErrorMessage(err);
+      if (PARSE_ERR_RE.test(errText)) {
+        if (opts.verbose) {
+          console.warn(`telegram HTML parse failed, retrying as plain text: ${errText}`);
         }
-        throw wrapChatNotFound(err);
-      },
-    );
+        const fallback = fallbackText ?? rawText;
+        const plainParams = hasBaseParams ? baseParams : undefined;
+        return await requestWithDiag(
+          () =>
+            plainParams
+              ? api.sendMessage(chatId, fallback, plainParams)
+              : api.sendMessage(chatId, fallback),
+          "message-plain",
+        ).catch((err2) => {
+          throw wrapChatNotFound(err2);
+        });
+      }
+      throw wrapChatNotFound(err);
+    });
     return res;
   };
 
@@ -277,19 +299,20 @@ export async function sendMessageTelegram(
       | Awaited<ReturnType<typeof api.sendAnimation>>
       | Awaited<ReturnType<typeof api.sendDocument>>;
     if (isGif) {
-      result = await request(() => api.sendAnimation(chatId, file, mediaParams), "animation").catch(
-        (err) => {
-          throw wrapChatNotFound(err);
-        },
-      );
+      result = await requestWithDiag(
+        () => api.sendAnimation(chatId, file, mediaParams),
+        "animation",
+      ).catch((err) => {
+        throw wrapChatNotFound(err);
+      });
     } else if (kind === "image") {
-      result = await request(() => api.sendPhoto(chatId, file, mediaParams), "photo").catch(
+      result = await requestWithDiag(() => api.sendPhoto(chatId, file, mediaParams), "photo").catch(
         (err) => {
           throw wrapChatNotFound(err);
         },
       );
     } else if (kind === "video") {
-      result = await request(() => api.sendVideo(chatId, file, mediaParams), "video").catch(
+      result = await requestWithDiag(() => api.sendVideo(chatId, file, mediaParams), "video").catch(
         (err) => {
           throw wrapChatNotFound(err);
         },
@@ -302,24 +325,27 @@ export async function sendMessageTelegram(
         logFallback: logVerbose,
       });
       if (useVoice) {
-        result = await request(() => api.sendVoice(chatId, file, mediaParams), "voice").catch(
-          (err) => {
-            throw wrapChatNotFound(err);
-          },
-        );
+        result = await requestWithDiag(
+          () => api.sendVoice(chatId, file, mediaParams),
+          "voice",
+        ).catch((err) => {
+          throw wrapChatNotFound(err);
+        });
       } else {
-        result = await request(() => api.sendAudio(chatId, file, mediaParams), "audio").catch(
-          (err) => {
-            throw wrapChatNotFound(err);
-          },
-        );
+        result = await requestWithDiag(
+          () => api.sendAudio(chatId, file, mediaParams),
+          "audio",
+        ).catch((err) => {
+          throw wrapChatNotFound(err);
+        });
       }
     } else {
-      result = await request(() => api.sendDocument(chatId, file, mediaParams), "document").catch(
-        (err) => {
-          throw wrapChatNotFound(err);
-        },
-      );
+      result = await requestWithDiag(
+        () => api.sendDocument(chatId, file, mediaParams),
+        "document",
+      ).catch((err) => {
+        throw wrapChatNotFound(err);
+      });
     }
     const mediaMessageId = String(result?.message_id ?? "unknown");
     const resolvedChatId = String(result?.chat?.id ?? chatId);
@@ -400,6 +426,12 @@ export async function reactMessageTelegram(
     configRetry: account.config.retry,
     verbose: opts.verbose,
   });
+  const logHttpError = createTelegramHttpLogger(cfg);
+  const requestWithDiag = <T>(fn: () => Promise<T>, label?: string) =>
+    request(fn, label).catch((err) => {
+      logHttpError(label ?? "request", err);
+      throw err;
+    });
   const remove = opts.remove === true;
   const trimmedEmoji = emoji.trim();
   // Build the reaction array. We cast emoji to the grammY union type since
@@ -411,7 +443,7 @@ export async function reactMessageTelegram(
   if (typeof api.setMessageReaction !== "function") {
     throw new Error("Telegram reactions are unavailable in this bot API.");
   }
-  await request(() => api.setMessageReaction(chatId, messageId, reactions), "reaction");
+  await requestWithDiag(() => api.setMessageReaction(chatId, messageId, reactions), "reaction");
   return { ok: true };
 }
 
@@ -446,7 +478,13 @@ export async function deleteMessageTelegram(
     configRetry: account.config.retry,
     verbose: opts.verbose,
   });
-  await request(() => api.deleteMessage(chatId, messageId), "deleteMessage");
+  const logHttpError = createTelegramHttpLogger(cfg);
+  const requestWithDiag = <T>(fn: () => Promise<T>, label?: string) =>
+    request(fn, label).catch((err) => {
+      logHttpError(label ?? "request", err);
+      throw err;
+    });
+  await requestWithDiag(() => api.deleteMessage(chatId, messageId), "deleteMessage");
   logVerbose(`[telegram] Deleted message ${messageId} from chat ${chatId}`);
   return { ok: true };
 }

src/wizard/onboarding.finalize.ts

@@ -169,6 +169,7 @@ export async function finalizeOnboardingWizard(options: FinalizeOnboardingOption
           token: settings.gatewayToken,
           runtime: daemonRuntime,
           warn: (message, title) => prompter.note(message, title),
+          config: nextConfig,
         });
 
         progress.update("Installing Gateway service…");

ui/public/pixel-lobster.svg

@@ -1,60 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<svg xmlns="http://www.w3.org/2000/svg" width="64" height="64" viewBox="0 0 16 16" role="img" aria-label="Pixel lobster">
-  <rect width="16" height="16" fill="none"/>
-  
-  <g fill="#3a0a0d">
-    <rect x="1" y="5" width="1" height="3"/>
-    <rect x="2" y="4" width="1" height="1"/>
-    <rect x="2" y="8" width="1" height="1"/>
-    <rect x="3" y="3" width="1" height="1"/>
-    <rect x="3" y="9" width="1" height="1"/>
-    <rect x="4" y="2" width="1" height="1"/>
-    <rect x="4" y="10" width="1" height="1"/>
-    <rect x="5" y="2" width="6" height="1"/>
-    <rect x="11" y="2" width="1" height="1"/>
-    <rect x="12" y="3" width="1" height="1"/>
-    <rect x="12" y="9" width="1" height="1"/>
-    <rect x="13" y="4" width="1" height="1"/>
-    <rect x="13" y="8" width="1" height="1"/>
-    <rect x="14" y="5" width="1" height="3"/>
-    <rect x="5" y="11" width="6" height="1"/>
-    <rect x="4" y="12" width="1" height="1"/>
-    <rect x="11" y="12" width="1" height="1"/>
-    <rect x="3" y="13" width="1" height="1"/>
-    <rect x="12" y="13" width="1" height="1"/>
-    <rect x="5" y="14" width="6" height="1"/>
-  </g>
-
-  
-  <g fill="#ff4f40">
-    <rect x="5" y="3" width="6" height="1"/>
-    <rect x="4" y="4" width="8" height="1"/>
-    <rect x="3" y="5" width="10" height="1"/>
-    <rect x="3" y="6" width="10" height="1"/>
-    <rect x="3" y="7" width="10" height="1"/>
-    <rect x="4" y="8" width="8" height="1"/>
-    <rect x="5" y="9" width="6" height="1"/>
-    <rect x="5" y="12" width="6" height="1"/>
-    <rect x="6" y="13" width="4" height="1"/>
-  </g>
-
-  
-  <g fill="#ff775f">
-    <rect x="1" y="6" width="2" height="1"/>
-    <rect x="2" y="5" width="1" height="1"/>
-    <rect x="2" y="7" width="1" height="1"/>
-    <rect x="13" y="6" width="2" height="1"/>
-    <rect x="13" y="5" width="1" height="1"/>
-    <rect x="13" y="7" width="1" height="1"/>
-  </g>
-
-  
-  <g fill="#081016">
-    <rect x="6" y="5" width="1" height="1"/>
-    <rect x="9" y="5" width="1" height="1"/>
-  </g>
-  <g fill="#f5fbff">
-    <rect x="6" y="4" width="1" height="1"/>
-    <rect x="9" y="4" width="1" height="1"/>
-  </g>
-</svg>

ui/src/main.ts

@@ -1,3 +1,2 @@
 import "./styles.css";
 import "./ui/app.ts";
-

ui/src/styles/chat/layout.css

@@ -279,4 +279,3 @@
     min-width: 120px;
   }
 }
-