_____ _                         _                 _         _
  / ____| |                       | |               | |       | |
 | |    | |__  _ __ _   _ ___  ___| | __ _ _ __ ___ | |__   __| | __ _
 | |    |  _ \|  __| | | / __|/ _ \ |/ _` |  _   _ \|  _ \ / _  |/ _` |
 | |____| | | | |  | |_| \__ \ (_) | | (_| | | | | || |_) | (_| | (_| |
  \_____|_| |_|_|   \__, |___/\___/|_|\__,_|_| |_| |_|___/ \__,_|\__,_|
                      __/ |
                     |___/       W R I T E U P S

<<< Back to Index

OpenClaw Full Technical Specification (Source-Derived)

Date: 2026-03-02

Repo analyzed: /home/slime/openclaw

Spec scope: Gateway + CLI + agent runtime integration + channels + plugins + memory + automation + node/browser/canvas + policy/safety + startup/ops.

0) Method, confidence, and constraints

• This spec is derived from source tree inspection (primarily src/, extensions/, plus selected docs for intent alignment).
• I prioritized concrete module references and runtime dataflow over prose from docs.
• Some subsystems are broad; where full behavior depends on uninspected deep branches, I mark TODO/uncertain explicitly.

Primary code anchors used:

• Entrypoints: openclaw.mjs, src/entry.ts, src/cli/run-main.ts, src/index.ts
• Gateway core: src/gateway/server.impl.ts, src/gateway/server-methods.ts, src/gateway/server-cron.ts, src/gateway/auth.ts
• Tools + plugin tool composition: src/agents/openclaw-tools.ts, src/plugins/tools.ts, src/gateway/tools-invoke-http.ts
• Channels plugin model: src/channels/plugins/*, src/channels/registry.ts
• Memory core: src/memory/*, extensions/memory-core/index.ts
• Heartbeat: src/infra/heartbeat-runner.ts
• Skills: src/agents/skills.ts, src/agents/skills/refresh.ts
• Outbound messaging: src/infra/outbound/deliver.ts

1) System architecture

1.1 What OpenClaw is (runtime architecture)

OpenClaw is a local-first control plane + assistant runtime built around:

1. A multi-surface CLI (openclaw ...) and daemon-capable gateway server.

2. A gateway WS/HTTP control plane exposing methods for chat/session/channel/tool/cron/node operations.

3. A tool-enabled agent run path (embedded Pi runtime + optional CLI providers).

4. A plugin architecture for channels, tools, hooks, memory, and extension CLIs.

1.2 Layered architecture

1) Process/bootstrap layer

• openclaw.mjs (packaged launcher): compile cache + dist entry detection.
• src/entry.ts: full startup wrapper, warning suppression respawn, profile env handling.

2) CLI routing/execution layer

• Fast-path router: src/cli/route.ts for selected commands (status, health, etc.).
• Commander program graph: src/cli/program/* and many sub-CLI registrars.

3) Gateway control plane

• Gateway construction + startup orchestration: src/gateway/server.impl.ts
• Auth/rate-limit/method scope policy: src/gateway/auth.ts, src/gateway/method-scopes.ts, src/gateway/role-policy.ts
• Channel manager, cron service, browser server, canvas host, tailscale, hooks, plugins loaded during gateway startup.

4) Agent runtime/tool execution layer

• src/commands/agent.ts is key high-level runner for session-bound turns.
• Tool set assembly from core + plugin tools: src/agents/openclaw-tools.ts, src/plugins/tools.ts.

5) Integration layer

• Channels via plugin adapters (src/channels/plugins/types.adapters.ts).
• Node/canvas/browser integrations (src/browser/*, src/canvas-host/*, node invoke paths).
• Memory via core memory subsystem (src/memory/*) and plugin slot (extensions/memory-core).

1.3 Runtime model

• OpenClaw supports direct CLI invocation and daemonized gateway operation.
• Gateway is a stateful process hosting:
• channel account connectivity state,
• session lifecycle operations,
• cron scheduler + run log behavior,
• tool invocation surfaces (chat tool use + HTTP /tools/invoke),
• node/canvas/browser side services.
• Agent runs are session-key scoped and can be associated with agent IDs, channels, account IDs, thread/group contexts.

Edge cases/constraints:

• Startup migrates and validates config; invalid config blocks startup (server.impl.ts).
• Feature startup may be env-gated in tests (OPENCLAW_SKIP_*, VITEST).
• Some services are lazily imported for startup speed (browser control server).

2) Startup sequence (from executable to ready gateway)

2.1 CLI/bootstrap sequence

1. openclaw.mjs

• Enables Node compile cache if possible.
• Loads warning filter from dist.
• Imports dist/entry.js (or .mjs) else throws missing build output.

2. src/entry.ts

• Main-module guard to prevent duplicated startup side effects.
• Normalizes env/argv, handles --no-color env toggles.
• May respawn process to suppress experimental warning flags.
• Fast-path root --version and root --help without full heavy startup.
• Applies CLI profile env via parseCliProfileArgs + applyCliProfileEnv.
• Imports src/cli/run-main.ts and runs runCli.

3. src/cli/run-main.ts

• Loads .env, normalizes env, runtime guard checks, optional CLI path adjustments.
• Attempts fast command route (tryRouteCli) for lightweight operations.
• Builds Commander program, optionally lazily registers only relevant primary command.
• Registers plugin CLI commands only when needed.

2.2 Gateway startup sequence (`startGatewayServer`)

From src/gateway/server.impl.ts:

• Reads config snapshot.
• Migrates legacy entries if found (unless Nix mode where it fails hard).
• Re-reads and validates config; rejects startup on invalid schema.
• Applies plugin auto-enable transforms and persists if changed.
• Initializes runtime services and managers (channels, auth limiters, node registry, cron, hooks, model catalog, maintenance, ws handlers, sidecars).
• Can also schedule update checks and start heartbeat/diagnostic loops.

Known constraints:

• Strong startup strictness around config correctness.
• Test/minimal gateway mode present (OPENCLAW_TEST_MINIMAL_GATEWAY).
• Multiple startup features are conditionally disabled in tests/env.

3) Configuration and schema system

What it does

Provides a typed, validated, migratable configuration model with schema export and runtime snapshot support.

Key modules

• Public config API re-exports: src/config/config.ts
• Schema generation: src/config/schema.ts
• Validation/types: src/config/zod-schema*.ts, src/config/types*.ts, src/config/validation.ts
• Legacy migration: src/config/legacy-migrate.ts, legacy.migrations.*.ts
• IO/cache/snapshots: src/config/io.ts

Data flow

config file -> read snapshot -> legacy detect/migrate -> zod validation -> runtime snapshot -> downstream subsystem resolution.

Edge cases / constraints

• Invalid config stops gateway startup.
• Nix mode disallows auto-legacy migration path (explicit update required).
• Schema/hints/tags include extension metadata (plugin/channel UI schema merge behavior in schema.ts).

4) Session model and lifecycle

What it does

Tracks conversations/runs via session keys, session files/transcripts, and store entries; supports main aliases, per-agent mapping, override fields, and lifecycle operations via CLI and gateway methods.

Key modules

• Session key + store mechanics: src/config/sessions/*
• Agent command persistence: src/commands/agent.ts, src/commands/agent/session-store.ts
• Session events: src/sessions/transcript-events.ts
• Gateway session operations: src/gateway/server-methods.ts, src/gateway/sessions-patch.ts, tests under src/gateway/server.sessions.*.test.ts

Data flow

Inbound command/message -> resolve agent + session key -> load/merge session entry -> run agent/tooling -> append transcript / update store -> emit transcript update events.

Edge cases / constraints

• Alias canonicalization and agent-bound main key handling can remap requested session keys.
• Subagent session keys get differentiated policy treatment (isSubagentSessionKey in tools invoke path).
• Session override fields intentionally deleted in merge logic in agent.ts (explicit clear semantics).

5) Agent runtime and model execution

What it does

Runs turns against either embedded provider runtime or CLI provider bridges, with model fallback, think-level controls, and session-bound metadata.

Key modules

• Main command path: src/commands/agent.ts
• Embedded runtime: src/agents/pi-embedded.ts
• CLI providers: src/agents/cli-runner.ts
• Model selection/fallback: src/agents/model-selection.ts, model-fallback.ts, model-catalog.ts

Data flow

agent command opts -> resolve provider/model/timeout/session -> run provider attempt(s) w/ fallback -> collect output/meta -> persist session + deliver optional outbound.

Edge cases / constraints

• Handles expired CLI sessions by clearing/retrying (FailoverError session_expired logic).
• Distinguishes fallback retry prompt context.
• Auth profile/session override behavior provider-sensitive.

6) Tool system

6.1 Core tool composition

src/agents/openclaw-tools.ts constructs core tools including:

• browser
• canvas
• nodes
• cron
• message
• tts
• gateway
• agents_list
• sessions_* (list/history/send/spawn)
• subagents
• session_status
• web_search / web_fetch
• image (conditional by agent dir/model vision)

It threads runtime context into tools: session key, channel/account/thread/group context, sender identity, policy constraints.

6.2 Plugin tools

src/plugins/tools.ts:

• Loads plugin registry and tool factories.
• Applies optional tool gating/allowlist (group:plugins, plugin id, explicit tool names).
• Tracks tool origin meta via WeakMap for diagnostics/policy application.
• Handles name conflicts (plugin vs core or duplicate plugin tool names).

6.3 HTTP tool invocation

src/gateway/tools-invoke-http.ts exposes POST /tools/invoke:

• Authenticates request via gateway auth stack.
• Parses tool/action/args/session.
• Resolves effective tool policy chain (global, provider, agent, group, subagent).
• Builds tool catalog and applies policy pipeline.
• Enforces default deny list for high-risk tools in HTTP surface (from src/security/dangerous-tools.ts).

Edge cases/constraints:

• Test guard can reject memory tools if memory plugin slot disabled.
• Action is merged into args when schema supports action.
• Tool input/auth errors mapped to HTTP status.

7) Channel plugin system and messaging semantics

What it does

Abstracts each messaging surface behind typed adapters while keeping core flows channel-agnostic.

Key modules

• Runtime plugin channel registry: src/channels/plugins/index.ts
• Core channel IDs + aliases: src/channels/registry.ts
• Adapter contract types: src/channels/plugins/types.adapters.ts
• Outbound delivery orchestration: src/infra/outbound/deliver.ts

Channel adapter capabilities (contract)

• Setup/config/account resolution
• Gateway start/stop/login/logout
• Outbound send (text/media/payload/poll)
• Chunking and limits
• Directory lookups
• Security/DM policy helpers
• Group mention/tool policy hooks
• Heartbeat readiness + recipient resolution
• Command/message action adapters

Outbound data flow

reply payload(s) -> normalize payloads -> enqueue delivery queue (write-ahead) -> resolve channel outbound adapter -> chunk text (channel aware) -> send text/media/payload -> ack/fail queue entry -> optional transcript mirroring/hooks.

Edge cases / constraints

• bestEffort can produce partial failure state; queue marked fail in that case.
• Channel-specific chunking modes + text limits vary.
• Adapter missing send handlers yields outbound not configured error.

8) Memory subsystem

What it does

Provides file-backed + vector-augmented memory indexing/search/get tooling with pluggable embeddings and batching backends.

Key modules

• Core memory implementation: src/memory/*
• manager/search/index sync operations (manager*.ts, search-manager.ts)
• SQLite/vec backends (sqlite.ts, sqlite-vec.ts)
• embeddings providers (OpenAI/Gemini/Mistral/Voyage/remote)
• query expansion/MMR/temporal decay/hybrid scoring
• Plugin bridge: extensions/memory-core/index.ts
• Registers memory_search and memory_get tools
• Registers memory CLI

Data flow (typical)

source files/transcripts -> chunk + embedding generation -> store vectors/metadata -> query parse/expansion -> retrieval/rerank/hybrid -> return snippets/docs.

Edge cases / constraints

• Memory is plugin-slot mediated; tools unavailable when plugin disabled.
• Extensive tests indicate concurrency, read-only recovery, dedupe, atomic reindex safeguards.
• TODO/uncertain: exact production default memory backend toggles across profiles not exhaustively traced in this pass.

9) Cron and heartbeat behavior

9.1 Cron

src/gateway/server-cron.ts builds gateway cron service.

Capabilities:

• Job store path resolution.
• Cron-enabled gating (OPENCLAW_SKIP_CRON, config enable flag).
• Agent/session target resolution for jobs.
• Enqueue system events, request heartbeat wake, run isolated agent cron turns.
• Delivery failure alerts via outbound channel delivery target resolution.
• Run-log append and prune mechanics.
• Optional webhook notifications with SSRF-safe fetch path.

Edge cases/constraints:

• Legacy webhook compatibility remains (notify + legacy webhook fields).
• Session key cross-agent mismatch is corrected to agent main key.

9.2 Heartbeat

src/infra/heartbeat-runner.ts:

• Per-agent heartbeat config resolution (defaults + per-agent overrides).
• Interval parsing with duration parser and validation.
• Event filtering (cron/exec/system events), active-hours gating, visibility/target resolution.
• Can run ad-hoc (runHeartbeatOnce) and background recurring runner (startHeartbeatRunner).
• Delivery through channel-aware outbound paths.

Edge cases/constraints:

• If explicit heartbeat agents configured, only those agents heartbeat.
• Invalid intervals resolve to disabled/null scheduling behavior.
• Ack truncation and token stripping logic exists.

10) Browser, node, and canvas integrations

10.1 Browser

• Gateway start hook: src/gateway/server-browser.ts lazily starts browser control service unless env-disabled.
• Browser subsystem includes Playwright session/tools under src/browser/*.

Constraint:

• Env flags can disable browser control server; module override supported.

10.2 Node integration

• Gateway node registry and node events are in src/gateway/node-registry.ts, server-node-events.ts, server-node-subscriptions.ts.
• Node-host execution policy/invoke logic under src/node-host/* (invoke-system-run, allowlist, policy).

Constraint:

• Strong split between gateway-initiated invoke and node role methods/scopes.

10.3 Canvas

• Canvas host HTTP/WS server: src/canvas-host/server.ts
• Serves canvas root, injects live reload, supports A2UI bridge endpoints (canvas-host/a2ui.ts).
• Disabled in tests by default unless explicit allow flag.

Edge cases:

• Creates default test index.html when absent.
• Watches for changes with debounced reload broadcasts.

11) Gateway auth, safety, and policy behavior

11.1 Auth model

src/gateway/auth.ts supports:

• auth modes: none, token, password, trusted-proxy
• tailscale-verified auth path with header/whois checks
• proxy-aware client IP resolution for auth/rate limiting
• local direct request determination

11.2 Role + scope authorization

• Roles: operator vs node (src/gateway/role-policy.ts)
• Method scopes + least privilege grouping (src/gateway/method-scopes.ts)
• read/write/admin/approvals/pairing scopes
• default-deny for unclassified methods

11.3 Tool-risk restrictions

• src/security/dangerous-tools.ts defines:
• HTTP /tools/invoke default-denied high-risk tools (sessions_spawn, sessions_send, cron, gateway, whatsapp_login)
• ACP dangerous tool set requiring explicit approval semantics.

Known constraints:

• Safety is policy-driven and surface-specific (chat vs HTTP vs ACP).
• Scope classifications require maintenance to prevent unclassified method drift.

12) Skills loading and refresh behavior

What it does

Loads and surfaces workspace/global/plugin-provided skills and keeps snapshots current as skill files change.

Key modules

• Skills API re-exports: src/agents/skills.ts
• Snapshot versioning + fs watch: src/agents/skills/refresh.ts
• Workspace skill build/prompt logic: src/agents/skills/workspace.ts

Data flow

resolve skill dirs -> load SKILL.md entries -> build command specs/prompts -> include in agent run context -> watch changes -> bump skill snapshot version -> refresh future runs.

Edge cases / constraints

• Watch targets intentionally restricted to SKILL.md patterns to avoid FD exhaustion.
• Multiple roots: workspace, global config dirs, extra dirs, plugin skill dirs.
• Watcher disabled via config (skills.load.watch=false).

13) Gateway plugin system (beyond tools/channels)

What it does

Discovers/loads plugin manifests and code, wires hook phases, optional HTTP and runtime services, and plugin CLI commands.

Key modules

• Discovery/loader/runtime: src/plugins/discovery.ts, loader.ts, runtime.ts
• Registry/services/hooks: registry.ts, services.ts, hooks.ts, hook-runner-global.ts
• CLI install/enable/toggle/status: src/plugins/install.ts, enable.ts, status.ts, cli.ts

Constraints

• Plugins can be globally disabled or slot-controlled.
• Name conflicts and schema validation are explicitly checked.
• Runtime boundary + path safety modules exist (path-safety.ts, runtime boundary tests).

14) Gateway method and command surface (major features)

Gateway methods (representative)

Method inventory is centrally listed via src/gateway/server-methods-list.ts and scope classification in method-scopes.ts.

Major groups:

• health/status/logs
• channels status/logout/auth flows
• send/chat/agent/wake
• sessions list/patch/delete/compact/reset/history/usage
• cron add/update/remove/run/list/status/runs
• node list/describe/invoke + pairing/device-token flows
• tools catalog and tool-related controls
• config get/patch/apply/reload
• browser request bridge
• tts/voicewake/talk config
• skills status/install/update

CLI major command families (source footprint)

From src/cli/* and registrars:

• gateway (run/dev/call/discovery)
• agent
• message
• status, health, sessions
• models
• memory
• nodes, node
• cron
• browser
• daemon
• config
• plugins
• skills
• hooks
• pairing
• secrets
• security
• onboard, update, doctor-related flows

TODO/uncertain: exact complete command argument matrix was not fully enumerated from every registrar in this pass.

15) Session messaging semantics

What it does

Normalizes assistant outputs into channel-deliverable payloads with chunking, media handling, best-effort behavior, delivery queue durability, and transcript mirroring hooks.

Key modules

• src/infra/outbound/deliver.ts
• src/auto-reply/chunk.ts
• src/channels/plugins/outbound/*
• session transcript append logic in src/config/sessions/*

Semantics highlights

• Delivery queue persisted before send (write-ahead).
• Per-payload error handling supports strict vs best-effort.
• Channel adapters can provide payload-level send and custom chunking.
• Mirror text/media into session transcript if configured context provided.

Edge constraints:

• Channel text limits are adapter-specific.
• Missing outbound adapter methods fail fast.

16) BOOT flow / automated startup run

src/gateway/boot.ts:

• Detects BOOT.md in workspace.
• Constructs explicit boot prompt instructing use of message tool and silent token reply.
• Runs one agent turn against main session mapping with temporary boot session id.
• Snapshots/restores main session mapping to avoid persistent side effects.

Edge case:

• Mapping restore failure is separately surfaced and can coexist with agent-run success/failure.

17) Known constraints and sharp edges (cross-cutting)

1. Policy complexity is high (global/provider/agent/group/subagent + scope/role).

2. Plugin and channel ecosystems create broad behavior variance by install/profile.

3. Some feature surfaces are intentionally disabled in tests and require env overrides.

4. Config migration strictness can hard-stop startup.

5. Large method/CLI surface means parity verification should use generated inventories + tests, not prose alone.

18) Full feature inventory checklist (for parity auditing)

Legend: [x] observed in source, [?] partial/uncertain detail.

Core runtime

• [x] CLI launcher wrapper (openclaw.mjs)
• [x] Entry bootstrap/respawn/profile env (src/entry.ts)
• [x] Fast-path CLI router (src/cli/route.ts)
• [x] Commander command graph + lazy command registration (src/cli/program/*)
• [x] Runtime guard + unhandled error capture

Gateway core

• [x] Gateway server startup orchestration (server.impl.ts)
• [x] Config migration on boot
• [x] Config validation hard fail
• [x] Channel manager lifecycle
• [x] WS method dispatch + method listing
• [x] Gateway reload handlers
• [x] Maintenance timers
• [x] Startup logs + health snapshot support

Auth + security + policy

• [x] Token/password/trusted-proxy auth modes
• [x] Tailscale verified identity auth path
• [x] Auth rate limiting
• [x] Operator vs node role enforcement
• [x] Method scope authorization (read/write/admin/approvals/pairing)
• [x] Dangerous tool denylist for HTTP invoke
• [x] ACP dangerous tool classification

Sessions

• [x] Session key normalization + aliasing
• [x] Per-agent main session mapping
• [x] Session store merge/update semantics
• [x] Transcript update event emitter
• [x] Session patch/delete/reset/compact methods (method inventory)
• [x] Session usage/history/preview surfaces

Agent execution

• [x] Embedded provider runtime path
• [x] CLI provider runtime path
• [x] Model selection + fallback
• [x] Think/verbose level controls
• [x] Timeout resolution
• [x] Internal event prompt context injection

Tooling

• [x] Core toolset assembly (createOpenClawTools)
• [x] Plugin tool discovery and conflict resolution
• [x] Optional plugin tool allowlist
• [x] HTTP /tools/invoke surface
• [x] Tool policy pipeline integration

Channels + messaging

• [x] Channel plugin registry
• [x] Channel aliases + normalized IDs
• [x] Adapterized setup/config/outbound/pairing/security/directory APIs
• [x] Channel heartbeat adapters
• [x] Outbound delivery queue durability
• [x] Channel-specific chunking limits
• [x] Payload/media/poll send abstractions

Memory

• [x] Memory manager/index/search core
• [x] SQLite + sqlite-vec backends
• [x] Embedding provider adapters (OpenAI/Gemini/Mistral/Voyage/remote)
• [x] Query expansion/MMR/temporal decay/hybrid search
• [x] Memory plugin slot (memory-core) tools and CLI
• [?] Exact default production memory slot behavior by profile

Automation

• [x] Cron scheduler service integration
• [x] Isolated cron agent runs
• [x] Cron run logs + prune options
• [x] Cron webhooks with SSRF-guarded fetch
• [x] Heartbeat periodic runner
• [x] Heartbeat on-demand wake/run
• [x] Agent-specific heartbeat overrides

Node/browser/canvas

• [x] Browser control service startup gate
• [x] Browser tooling subsystem (src/browser/*)
• [x] Node registry/event/invoke method support
• [x] Node-host invoke + exec policy modules
• [x] Canvas host HTTP/WS server
• [x] Canvas A2UI bridge endpoints + live reload

Skills + plugins

• [x] Skills snapshot/prompt generation
• [x] Skills file watchers + version bumping
• [x] Plugin discovery/loader/registry/services
• [x] Plugin hook phases and global hook runner
• [x] Plugin CLI registration

Ops and management

• [x] Daemon CLI and lifecycle commands
• [x] Update CLI flows
• [x] Pairing and device token management surfaces
• [x] Secrets CLI and runtime snapshot hooks
• [x] Health/status command families
• [x] Onboarding/wizard integration path

Top-level checklist feature count: 95

19) Parity Audit Input Summary

Normalized feature IDs for Clawmacs parity comparison.

• core.cli.bootstrap
• core.cli.fast_route
• core.cli.commander_graph
• core.gateway.startup_orchestration
• core.gateway.ws_control_plane
• core.gateway.http_surfaces
• core.config.migration
• core.config.validation
• core.config.schema_export
• core.sessions.key_model
• core.sessions.store_merge
• core.sessions.transcript_events
• core.sessions.lifecycle_methods
• core.agent.embedded_runtime
• core.agent.cli_runtime
• core.agent.model_selection
• core.agent.model_failover
• core.agent.timeout_controls
• tools.core.browser
• tools.core.canvas
• tools.core.nodes
• tools.core.cron
• tools.core.message
• tools.core.tts
• tools.core.gateway
• tools.core.sessions_list
• tools.core.sessions_history
• tools.core.sessions_send
• tools.core.sessions_spawn
• tools.core.subagents
• tools.core.session_status
• tools.core.web_search
• tools.core.web_fetch
• tools.core.image
• tools.plugin.discovery
• tools.plugin.optional_allowlist
• tools.policy.pipeline
• tools.http_invoke
• tools.http_invoke_default_deny
• channels.plugin_registry
• channels.id_alias_normalization
• channels.adapter.setup
• channels.adapter.gateway_lifecycle
• channels.adapter.outbound
• channels.adapter.poll
• channels.adapter.directory
• channels.adapter.security
• channels.adapter.pairing
• channels.adapter.heartbeat
• messaging.delivery_queue_wal
• messaging.chunking_policy
• messaging.media_delivery
• messaging.best_effort_mode
• messaging.transcript_mirroring
• memory.plugin_slot
• memory.tools.search_get
• memory.cli
• memory.index_manager
• memory.sqlite_backend
• memory.sqlite_vec_backend
• memory.embeddings.openai
• memory.embeddings.gemini
• memory.embeddings.mistral
• memory.embeddings.voyage
• memory.embeddings.remote
• memory.rerank.mmr
• memory.query_expansion
• memory.temporal_decay
• memory.hybrid_search
• automation.cron.scheduler
• automation.cron.isolated_agent_run
• automation.cron.run_log
• automation.cron.webhook_notify
• automation.heartbeat.periodic_runner
• automation.heartbeat.on_demand
• automation.heartbeat.agent_overrides
• integrations.browser.control_service
• integrations.browser.playwright
• integrations.node.registry
• integrations.node.invoke
• integrations.node.exec_policy
• integrations.canvas.host_server
• integrations.canvas.a2ui_bridge
• integrations.canvas.live_reload
• security.auth.modes
• security.auth.tailscale_identity
• security.auth.rate_limit
• security.roles.operator_node
• security.method_scopes
• security.tools.dangerous_acp
• skills.snapshot_build
• skills.watch_refresh
• plugins.discovery_loader
• plugins.registry_services
• plugins.hook_runner
• plugins.cli_registration
• ops.daemon_cli
• ops.update_cli
• ops.pairing_management
• ops.secrets_runtime
• ops.health_status
• ops.onboarding_wizard

20) Explicit TODO / uncertain items

1. Exact complete CLI option matrices for every subcommand were not exhaustively expanded from all registrar files.

2. Exact default memory slot behavior across all profiles/install modes needs targeted trace through config defaults + plugin auto-enable path.

3. Exact full gateway WS method payload schemas per method should be generated from method handler signatures/protocol schema output for machine-check parity.

<<< Back to Index