Merge branch 'main' into nanogpt

2026-01-26 14:29:42 -05:00 · 2026-01-26 14:29:42 -05:00 · b709f32cb3
commit b709f32cb3
parent cb500d4e6d 10d5ea5de6
127 changed files with 4230 additions and 2351 deletions
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@ -0,0 +1 @@
+custom: ['https://github.com/sponsors/steipete']
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@ -24,6 +24,7 @@
  - changed-files:
      - any-glob-to-any-file:
          - "extensions/line/**"
+          - "docs/channels/line.md"
 "channel: matrix":
  - changed-files:
      - any-glob-to-any-file:
@ -132,6 +133,17 @@
          - "docs/**"
          - "docs.acp.md"

+"cli":
+  - changed-files:
+      - any-glob-to-any-file:
+          - "src/cli/**"
+
+"security":
+  - changed-files:
+      - any-glob-to-any-file:
+          - "docs/cli/security.md"
+          - "docs/gateway/security.md"
+
 "extensions: copilot-proxy":
  - changed-files:
      - any-glob-to-any-file:
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -6,17 +6,25 @@ Docs: https://docs.clawd.bot
 Status: unreleased.

 ### Changes
+- Agents: honor tools.exec.safeBins in exec allowlist checks. (#2281)
+- Docs: tighten Fly private deployment steps. (#2289) Thanks @dguido.
+- Gateway: warn on hook tokens via query params; document header auth preference. (#2200) Thanks @YuriNachos.
+- Gateway: add dangerous Control UI device auth bypass flag + audit warnings. (#2248)
 - Doctor: warn on gateway exposure without auth. (#2016) Thanks @Alex-Alaniz.
+- Discord: add configurable privileged gateway intents for presences/members. (#2266) Thanks @kentaro.
 - Docs: add Vercel AI Gateway to providers sidebar. (#1901) Thanks @jerilynzheng.
 - Agents: expand cron tool description with full schema docs. (#1988) Thanks @tomascupr.
 - Skills: add missing dependency metadata for GitHub, Notion, Slack, Discord. (#1995) Thanks @jackheuberger.
 - Docs: add Render deployment guide. (#1975) Thanks @anurag.
 - Docs: add Claude Max API Proxy guide. (#1875) Thanks @atalovesyou.
 - Docs: add DigitalOcean deployment guide. (#1870) Thanks @0xJonHoldsCrypto.
+- Docs: add Oracle Cloud (OCI) platform guide + cross-links. (#2333) Thanks @hirefrank.
 - Docs: add Raspberry Pi install guide. (#1871) Thanks @0xJonHoldsCrypto.
 - Docs: add GCP Compute Engine deployment guide. (#1848) Thanks @hougangdev.
+- Docs: add LINE channel guide. Thanks @thewilloftheshadow.
 - Docs: credit both contributors for Control UI refresh. (#1852) Thanks @EnzeD.
 - Onboarding: add Venice API key to non-interactive flow. (#1893) Thanks @jonisjongithub.
+- Onboarding: strengthen security warning copy for beta + access control expectations.
 - Tlon: format thread reply IDs as @ud. (#1837) Thanks @wca4a.
 - Gateway: prefer newest session metadata when combining stores. (#1823) Thanks @emanuelst.
 - Web UI: keep sub-agent announce replies visible in WebChat. (#1977) Thanks @andrescardonas7.
@ -25,7 +33,9 @@ Status: unreleased.
 - Browser: fall back to URL matching for extension relay target resolution. (#1999) Thanks @jonit-dev.
 - Update: ignore dist/control-ui for dirty checks and restore after ui builds. (#1976) Thanks @Glucksberg.
 - Telegram: allow caption param for media sends. (#1888) Thanks @mguellsegarra.
+- Telegram: support plugin sendPayload channelData (media/buttons) and validate plugin commands. (#1917) Thanks @JoshuaLelon.
 - Telegram: avoid block replies when streaming is disabled. (#1885) Thanks @ivancasco.
+- Security: use Windows ACLs for permission audits and fixes on Windows. (#1957)
 - Auth: show copyable Google auth URL after ASCII prompt. (#1787) Thanks @robbyczgw-cla.
 - Routing: precompile session key regexes. (#1697) Thanks @Ray0907.
 - TUI: avoid width overflow when rendering selection lists. (#1686) Thanks @mossein.
@ -34,16 +44,26 @@ Status: unreleased.
 - Slack: clear ack reaction after streamed replies. (#2044) Thanks @fancyboi999.
 - macOS: keep custom SSH usernames in remote target. (#2046) Thanks @algal.

+### Breaking
+- **BREAKING:** Gateway auth mode "none" is removed; gateway now requires token/password (Tailscale Serve identity still allowed).
+
 ### Fixes
+- Telegram: wrap reasoning italics per line to avoid raw underscores. (#2181) Thanks @YuriNachos.
+- Voice Call: enforce Twilio webhook signature verification for ngrok URLs; disable ngrok free tier bypass by default.
 - Security: harden Tailscale Serve auth by validating identity via local tailscaled before trusting headers.
+- Build: align memory-core peer dependency with lockfile.
 - Security: add mDNS discovery mode with minimal default to reduce information disclosure. (#1882) Thanks @orlyjamie.
+- Security: harden URL fetches with DNS pinning to reduce rebinding risk. Thanks Chris Zheng.
 - Web UI: improve WebChat image paste previews and allow image-only sends. (#1925) Thanks @smartprogrammer93.
 - Security: wrap external hook content by default with a per-hook opt-out. (#1827) Thanks @mertcicekci0.
 - Gateway: default auth now fail-closed (token/password required; Tailscale Serve identity remains allowed).
+- Gateway: treat loopback + non-local Host connections as remote unless trusted proxy headers are present.
+- Onboarding: remove unsupported gateway auth "off" choice from onboarding/configure flows and CLI flags.

 ## 2026.1.24-3

 ### Fixes
+- Slack: fix image downloads failing due to missing Authorization header on cross-origin redirects. (#1936) Thanks @sanderhelgesen.
 - Gateway: harden reverse proxy handling for local-client detection and unauthenticated proxied connects. (#1795) Thanks @orlyjamie.
 - Security audit: flag loopback Control UI with auth disabled as critical. (#1795) Thanks @orlyjamie.
 - CLI: resume claude-cli sessions and stream CLI replies to TUI clients. (#1921) Thanks @rmorse.
--- a/5
+++ b/5
@ -32,4 +32,9 @@ RUN pnpm ui:build

 ENV NODE_ENV=production

+# Security hardening: Run as non-root user
+# The node:22-bookworm image includes a 'node' user (uid 1000)
+# This reduces the attack surface by preventing container escape via root privileges
+USER node
+
 CMD ["node", "dist/index.js"]
--- a/README.md
+++ b/README.md
@ -479,32 +479,33 @@ Thanks to all clawtributors:
 <p align="left">
  <a href="https://github.com/steipete"><img src="https://avatars.githubusercontent.com/u/58493?v=4&s=48" width="48" height="48" alt="steipete" title="steipete"/></a> <a href="https://github.com/plum-dawg"><img src="https://avatars.githubusercontent.com/u/5909950?v=4&s=48" width="48" height="48" alt="plum-dawg" title="plum-dawg"/></a> <a href="https://github.com/bohdanpodvirnyi"><img src="https://avatars.githubusercontent.com/u/31819391?v=4&s=48" width="48" height="48" alt="bohdanpodvirnyi" title="bohdanpodvirnyi"/></a> <a href="https://github.com/iHildy"><img src="https://avatars.githubusercontent.com/u/25069719?v=4&s=48" width="48" height="48" alt="iHildy" title="iHildy"/></a> <a href="https://github.com/joaohlisboa"><img src="https://avatars.githubusercontent.com/u/8200873?v=4&s=48" width="48" height="48" alt="joaohlisboa" title="joaohlisboa"/></a> <a href="https://github.com/mneves75"><img src="https://avatars.githubusercontent.com/u/2423436?v=4&s=48" width="48" height="48" alt="mneves75" title="mneves75"/></a> <a href="https://github.com/MatthieuBizien"><img src="https://avatars.githubusercontent.com/u/173090?v=4&s=48" width="48" height="48" alt="MatthieuBizien" title="MatthieuBizien"/></a> <a href="https://github.com/MaudeBot"><img src="https://avatars.githubusercontent.com/u/255777700?v=4&s=48" width="48" height="48" alt="MaudeBot" title="MaudeBot"/></a> <a href="https://github.com/Glucksberg"><img src="https://avatars.githubusercontent.com/u/80581902?v=4&s=48" width="48" height="48" alt="Glucksberg" title="Glucksberg"/></a> <a href="https://github.com/rahthakor"><img src="https://avatars.githubusercontent.com/u/8470553?v=4&s=48" width="48" height="48" alt="rahthakor" title="rahthakor"/></a>
  <a href="https://github.com/vrknetha"><img src="https://avatars.githubusercontent.com/u/20596261?v=4&s=48" width="48" height="48" alt="vrknetha" title="vrknetha"/></a> <a href="https://github.com/radek-paclt"><img src="https://avatars.githubusercontent.com/u/50451445?v=4&s=48" width="48" height="48" alt="radek-paclt" title="radek-paclt"/></a> <a href="https://github.com/tobiasbischoff"><img src="https://avatars.githubusercontent.com/u/711564?v=4&s=48" width="48" height="48" alt="Tobias Bischoff" title="Tobias Bischoff"/></a> <a href="https://github.com/joshp123"><img src="https://avatars.githubusercontent.com/u/1497361?v=4&s=48" width="48" height="48" alt="joshp123" title="joshp123"/></a> <a href="https://github.com/czekaj"><img src="https://avatars.githubusercontent.com/u/1464539?v=4&s=48" width="48" height="48" alt="czekaj" title="czekaj"/></a> <a href="https://github.com/mukhtharcm"><img src="https://avatars.githubusercontent.com/u/56378562?v=4&s=48" width="48" height="48" alt="mukhtharcm" title="mukhtharcm"/></a> <a href="https://github.com/sebslight"><img src="https://avatars.githubusercontent.com/u/19554889?v=4&s=48" width="48" height="48" alt="sebslight" title="sebslight"/></a> <a href="https://github.com/maxsumrall"><img src="https://avatars.githubusercontent.com/u/628843?v=4&s=48" width="48" height="48" alt="maxsumrall" title="maxsumrall"/></a> <a href="https://github.com/xadenryan"><img src="https://avatars.githubusercontent.com/u/165437834?v=4&s=48" width="48" height="48" alt="xadenryan" title="xadenryan"/></a> <a href="https://github.com/rodrigouroz"><img src="https://avatars.githubusercontent.com/u/384037?v=4&s=48" width="48" height="48" alt="rodrigouroz" title="rodrigouroz"/></a>
-  <a href="https://github.com/juanpablodlc"><img src="https://avatars.githubusercontent.com/u/92012363?v=4&s=48" width="48" height="48" alt="juanpablodlc" title="juanpablodlc"/></a> <a href="https://github.com/hsrvc"><img src="https://avatars.githubusercontent.com/u/129702169?v=4&s=48" width="48" height="48" alt="hsrvc" title="hsrvc"/></a> <a href="https://github.com/magimetal"><img src="https://avatars.githubusercontent.com/u/36491250?v=4&s=48" width="48" height="48" alt="magimetal" title="magimetal"/></a> <a href="https://github.com/meaningfool"><img src="https://avatars.githubusercontent.com/u/2862331?v=4&s=48" width="48" height="48" alt="meaningfool" title="meaningfool"/></a> <a href="https://github.com/tyler6204"><img src="https://avatars.githubusercontent.com/u/64381258?v=4&s=48" width="48" height="48" alt="tyler6204" title="tyler6204"/></a> <a href="https://github.com/patelhiren"><img src="https://avatars.githubusercontent.com/u/172098?v=4&s=48" width="48" height="48" alt="patelhiren" title="patelhiren"/></a> <a href="https://github.com/NicholasSpisak"><img src="https://avatars.githubusercontent.com/u/129075147?v=4&s=48" width="48" height="48" alt="NicholasSpisak" title="NicholasSpisak"/></a> <a href="https://github.com/jonisjongithub"><img src="https://avatars.githubusercontent.com/u/86072337?v=4&s=48" width="48" height="48" alt="jonisjongithub" title="jonisjongithub"/></a> <a href="https://github.com/zerone0x"><img src="https://avatars.githubusercontent.com/u/39543393?v=4&s=48" width="48" height="48" alt="zerone0x" title="zerone0x"/></a> <a href="https://github.com/AbhisekBasu1"><img src="https://avatars.githubusercontent.com/u/40645221?v=4&s=48" width="48" height="48" alt="abhisekbasu1" title="abhisekbasu1"/></a>
+  <a href="https://github.com/juanpablodlc"><img src="https://avatars.githubusercontent.com/u/92012363?v=4&s=48" width="48" height="48" alt="juanpablodlc" title="juanpablodlc"/></a> <a href="https://github.com/hsrvc"><img src="https://avatars.githubusercontent.com/u/129702169?v=4&s=48" width="48" height="48" alt="hsrvc" title="hsrvc"/></a> <a href="https://github.com/magimetal"><img src="https://avatars.githubusercontent.com/u/36491250?v=4&s=48" width="48" height="48" alt="magimetal" title="magimetal"/></a> <a href="https://github.com/zerone0x"><img src="https://avatars.githubusercontent.com/u/39543393?v=4&s=48" width="48" height="48" alt="zerone0x" title="zerone0x"/></a> <a href="https://github.com/meaningfool"><img src="https://avatars.githubusercontent.com/u/2862331?v=4&s=48" width="48" height="48" alt="meaningfool" title="meaningfool"/></a> <a href="https://github.com/tyler6204"><img src="https://avatars.githubusercontent.com/u/64381258?v=4&s=48" width="48" height="48" alt="tyler6204" title="tyler6204"/></a> <a href="https://github.com/patelhiren"><img src="https://avatars.githubusercontent.com/u/172098?v=4&s=48" width="48" height="48" alt="patelhiren" title="patelhiren"/></a> <a href="https://github.com/NicholasSpisak"><img src="https://avatars.githubusercontent.com/u/129075147?v=4&s=48" width="48" height="48" alt="NicholasSpisak" title="NicholasSpisak"/></a> <a href="https://github.com/jonisjongithub"><img src="https://avatars.githubusercontent.com/u/86072337?v=4&s=48" width="48" height="48" alt="jonisjongithub" title="jonisjongithub"/></a> <a href="https://github.com/AbhisekBasu1"><img src="https://avatars.githubusercontent.com/u/40645221?v=4&s=48" width="48" height="48" alt="abhisekbasu1" title="abhisekbasu1"/></a>
  <a href="https://github.com/jamesgroat"><img src="https://avatars.githubusercontent.com/u/2634024?v=4&s=48" width="48" height="48" alt="jamesgroat" title="jamesgroat"/></a> <a href="https://github.com/claude"><img src="https://avatars.githubusercontent.com/u/81847?v=4&s=48" width="48" height="48" alt="claude" title="claude"/></a> <a href="https://github.com/JustYannicc"><img src="https://avatars.githubusercontent.com/u/52761674?v=4&s=48" width="48" height="48" alt="JustYannicc" title="JustYannicc"/></a> <a href="https://github.com/Hyaxia"><img src="https://avatars.githubusercontent.com/u/36747317?v=4&s=48" width="48" height="48" alt="Hyaxia" title="Hyaxia"/></a> <a href="https://github.com/dantelex"><img src="https://avatars.githubusercontent.com/u/631543?v=4&s=48" width="48" height="48" alt="dantelex" title="dantelex"/></a> <a href="https://github.com/SocialNerd42069"><img src="https://avatars.githubusercontent.com/u/118244303?v=4&s=48" width="48" height="48" alt="SocialNerd42069" title="SocialNerd42069"/></a> <a href="https://github.com/daveonkels"><img src="https://avatars.githubusercontent.com/u/533642?v=4&s=48" width="48" height="48" alt="daveonkels" title="daveonkels"/></a> <a href="https://github.com/apps/google-labs-jules"><img src="https://avatars.githubusercontent.com/in/842251?v=4&s=48" width="48" height="48" alt="google-labs-jules[bot]" title="google-labs-jules[bot]"/></a> <a href="https://github.com/lc0rp"><img src="https://avatars.githubusercontent.com/u/2609441?v=4&s=48" width="48" height="48" alt="lc0rp" title="lc0rp"/></a> <a href="https://github.com/mousberg"><img src="https://avatars.githubusercontent.com/u/57605064?v=4&s=48" width="48" height="48" alt="mousberg" title="mousberg"/></a>
-  <a href="https://github.com/vignesh07"><img src="https://avatars.githubusercontent.com/u/1436853?v=4&s=48" width="48" height="48" alt="vignesh07" title="vignesh07"/></a> <a href="https://github.com/mteam88"><img src="https://avatars.githubusercontent.com/u/84196639?v=4&s=48" width="48" height="48" alt="mteam88" title="mteam88"/></a> <a href="https://github.com/dbhurley"><img src="https://avatars.githubusercontent.com/u/5251425?v=4&s=48" width="48" height="48" alt="dbhurley" title="dbhurley"/></a> <a href="https://github.com/mbelinky"><img src="https://avatars.githubusercontent.com/u/132747814?v=4&s=48" width="48" height="48" alt="Mariano Belinky" title="Mariano Belinky"/></a> <a href="https://github.com/omniwired"><img src="https://avatars.githubusercontent.com/u/322761?v=4&s=48" width="48" height="48" alt="Eng. Juan Combetto" title="Eng. Juan Combetto"/></a> <a href="https://github.com/TSavo"><img src="https://avatars.githubusercontent.com/u/877990?v=4&s=48" width="48" height="48" alt="TSavo" title="TSavo"/></a> <a href="https://github.com/julianengel"><img src="https://avatars.githubusercontent.com/u/10634231?v=4&s=48" width="48" height="48" alt="julianengel" title="julianengel"/></a> <a href="https://github.com/bradleypriest"><img src="https://avatars.githubusercontent.com/u/167215?v=4&s=48" width="48" height="48" alt="bradleypriest" title="bradleypriest"/></a> <a href="https://github.com/benithors"><img src="https://avatars.githubusercontent.com/u/20652882?v=4&s=48" width="48" height="48" alt="benithors" title="benithors"/></a> <a href="https://github.com/rohannagpal"><img src="https://avatars.githubusercontent.com/u/4009239?v=4&s=48" width="48" height="48" alt="rohannagpal" title="rohannagpal"/></a>
-  <a href="https://github.com/timolins"><img src="https://avatars.githubusercontent.com/u/1440854?v=4&s=48" width="48" height="48" alt="timolins" title="timolins"/></a> <a href="https://github.com/f-trycua"><img src="https://avatars.githubusercontent.com/u/195596869?v=4&s=48" width="48" height="48" alt="f-trycua" title="f-trycua"/></a> <a href="https://github.com/benostein"><img src="https://avatars.githubusercontent.com/u/31802821?v=4&s=48" width="48" height="48" alt="benostein" title="benostein"/></a> <a href="https://github.com/Nachx639"><img src="https://avatars.githubusercontent.com/u/71144023?v=4&s=48" width="48" height="48" alt="nachx639" title="nachx639"/></a> <a href="https://github.com/pvoo"><img src="https://avatars.githubusercontent.com/u/20116814?v=4&s=48" width="48" height="48" alt="pvoo" title="pvoo"/></a> <a href="https://github.com/sreekaransrinath"><img src="https://avatars.githubusercontent.com/u/50989977?v=4&s=48" width="48" height="48" alt="sreekaransrinath" title="sreekaransrinath"/></a> <a href="https://github.com/gupsammy"><img src="https://avatars.githubusercontent.com/u/20296019?v=4&s=48" width="48" height="48" alt="gupsammy" title="gupsammy"/></a> <a href="https://github.com/cristip73"><img src="https://avatars.githubusercontent.com/u/24499421?v=4&s=48" width="48" height="48" alt="cristip73" title="cristip73"/></a> <a href="https://github.com/stefangalescu"><img src="https://avatars.githubusercontent.com/u/52995748?v=4&s=48" width="48" height="48" alt="stefangalescu" title="stefangalescu"/></a> <a href="https://github.com/nachoiacovino"><img src="https://avatars.githubusercontent.com/u/50103937?v=4&s=48" width="48" height="48" alt="nachoiacovino" title="nachoiacovino"/></a>
-  <a href="https://github.com/vsabavat"><img src="https://avatars.githubusercontent.com/u/50385532?v=4&s=48" width="48" height="48" alt="Vasanth Rao Naik Sabavat" title="Vasanth Rao Naik Sabavat"/></a> <a href="https://github.com/petter-b"><img src="https://avatars.githubusercontent.com/u/62076402?v=4&s=48" width="48" height="48" alt="petter-b" title="petter-b"/></a> <a href="https://github.com/cpojer"><img src="https://avatars.githubusercontent.com/u/13352?v=4&s=48" width="48" height="48" alt="cpojer" title="cpojer"/></a> <a href="https://github.com/scald"><img src="https://avatars.githubusercontent.com/u/1215913?v=4&s=48" width="48" height="48" alt="scald" title="scald"/></a> <a href="https://github.com/gumadeiras"><img src="https://avatars.githubusercontent.com/u/5599352?v=4&s=48" width="48" height="48" alt="gumadeiras" title="gumadeiras"/></a> <a href="https://github.com/andranik-sahakyan"><img src="https://avatars.githubusercontent.com/u/8908029?v=4&s=48" width="48" height="48" alt="andranik-sahakyan" title="andranik-sahakyan"/></a> <a href="https://github.com/davidguttman"><img src="https://avatars.githubusercontent.com/u/431696?v=4&s=48" width="48" height="48" alt="davidguttman" title="davidguttman"/></a> <a href="https://github.com/sleontenko"><img src="https://avatars.githubusercontent.com/u/7135949?v=4&s=48" width="48" height="48" alt="sleontenko" title="sleontenko"/></a> <a href="https://github.com/denysvitali"><img src="https://avatars.githubusercontent.com/u/4939519?v=4&s=48" width="48" height="48" alt="denysvitali" title="denysvitali"/></a> <a href="https://github.com/orlyjamie"><img src="https://avatars.githubusercontent.com/u/6668807?v=4&s=48" width="48" height="48" alt="orlyjamie" title="orlyjamie"/></a>
-  <a href="https://github.com/thewilloftheshadow"><img src="https://avatars.githubusercontent.com/u/35580099?v=4&s=48" width="48" height="48" alt="thewilloftheshadow" title="thewilloftheshadow"/></a> <a href="https://github.com/sircrumpet"><img src="https://avatars.githubusercontent.com/u/4436535?v=4&s=48" width="48" height="48" alt="sircrumpet" title="sircrumpet"/></a> <a href="https://github.com/peschee"><img src="https://avatars.githubusercontent.com/u/63866?v=4&s=48" width="48" height="48" alt="peschee" title="peschee"/></a> <a href="https://github.com/rafaelreis-r"><img src="https://avatars.githubusercontent.com/u/57492577?v=4&s=48" width="48" height="48" alt="rafaelreis-r" title="rafaelreis-r"/></a> <a href="https://github.com/ratulsarna"><img src="https://avatars.githubusercontent.com/u/105903728?v=4&s=48" width="48" height="48" alt="ratulsarna" title="ratulsarna"/></a> <a href="https://github.com/lutr0"><img src="https://avatars.githubusercontent.com/u/76906369?v=4&s=48" width="48" height="48" alt="lutr0" title="lutr0"/></a> <a href="https://github.com/danielz1z"><img src="https://avatars.githubusercontent.com/u/235270390?v=4&s=48" width="48" height="48" alt="danielz1z" title="danielz1z"/></a> <a href="https://github.com/emanuelst"><img src="https://avatars.githubusercontent.com/u/9994339?v=4&s=48" width="48" height="48" alt="emanuelst" title="emanuelst"/></a> <a href="https://github.com/KristijanJovanovski"><img src="https://avatars.githubusercontent.com/u/8942284?v=4&s=48" width="48" height="48" alt="KristijanJovanovski" title="KristijanJovanovski"/></a> <a href="https://github.com/rdev"><img src="https://avatars.githubusercontent.com/u/8418866?v=4&s=48" width="48" height="48" alt="rdev" title="rdev"/></a>
-  <a href="https://github.com/joshrad-dev"><img src="https://avatars.githubusercontent.com/u/62785552?v=4&s=48" width="48" height="48" alt="joshrad-dev" title="joshrad-dev"/></a> <a href="https://github.com/kiranjd"><img src="https://avatars.githubusercontent.com/u/25822851?v=4&s=48" width="48" height="48" alt="kiranjd" title="kiranjd"/></a> <a href="https://github.com/osolmaz"><img src="https://avatars.githubusercontent.com/u/2453968?v=4&s=48" width="48" height="48" alt="osolmaz" title="osolmaz"/></a> <a href="https://github.com/adityashaw2"><img src="https://avatars.githubusercontent.com/u/41204444?v=4&s=48" width="48" height="48" alt="adityashaw2" title="adityashaw2"/></a> <a href="https://github.com/CashWilliams"><img src="https://avatars.githubusercontent.com/u/613573?v=4&s=48" width="48" height="48" alt="CashWilliams" title="CashWilliams"/></a> <a href="https://github.com/search?q=sheeek"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="sheeek" title="sheeek"/></a> <a href="https://github.com/artuskg"><img src="https://avatars.githubusercontent.com/u/11966157?v=4&s=48" width="48" height="48" alt="artuskg" title="artuskg"/></a> <a href="https://github.com/Takhoffman"><img src="https://avatars.githubusercontent.com/u/781889?v=4&s=48" width="48" height="48" alt="Takhoffman" title="Takhoffman"/></a> <a href="https://github.com/onutc"><img src="https://avatars.githubusercontent.com/u/152018508?v=4&s=48" width="48" height="48" alt="onutc" title="onutc"/></a> <a href="https://github.com/pauloportella"><img src="https://avatars.githubusercontent.com/u/22947229?v=4&s=48" width="48" height="48" alt="pauloportella" title="pauloportella"/></a>
-  <a href="https://github.com/neooriginal"><img src="https://avatars.githubusercontent.com/u/54811660?v=4&s=48" width="48" height="48" alt="neooriginal" title="neooriginal"/></a> <a href="https://github.com/ManuelHettich"><img src="https://avatars.githubusercontent.com/u/17690367?v=4&s=48" width="48" height="48" alt="manuelhettich" title="manuelhettich"/></a> <a href="https://github.com/minghinmatthewlam"><img src="https://avatars.githubusercontent.com/u/14224566?v=4&s=48" width="48" height="48" alt="minghinmatthewlam" title="minghinmatthewlam"/></a> <a href="https://github.com/myfunc"><img src="https://avatars.githubusercontent.com/u/19294627?v=4&s=48" width="48" height="48" alt="myfunc" title="myfunc"/></a> <a href="https://github.com/travisirby"><img src="https://avatars.githubusercontent.com/u/5958376?v=4&s=48" width="48" height="48" alt="travisirby" title="travisirby"/></a> <a href="https://github.com/buddyh"><img src="https://avatars.githubusercontent.com/u/31752869?v=4&s=48" width="48" height="48" alt="buddyh" title="buddyh"/></a> <a href="https://github.com/connorshea"><img src="https://avatars.githubusercontent.com/u/2977353?v=4&s=48" width="48" height="48" alt="connorshea" title="connorshea"/></a> <a href="https://github.com/kyleok"><img src="https://avatars.githubusercontent.com/u/58307870?v=4&s=48" width="48" height="48" alt="kyleok" title="kyleok"/></a> <a href="https://github.com/mcinteerj"><img src="https://avatars.githubusercontent.com/u/3613653?v=4&s=48" width="48" height="48" alt="mcinteerj" title="mcinteerj"/></a> <a href="https://github.com/apps/dependabot"><img src="https://avatars.githubusercontent.com/in/29110?v=4&s=48" width="48" height="48" alt="dependabot[bot]" title="dependabot[bot]"/></a>
-  <a href="https://github.com/John-Rood"><img src="https://avatars.githubusercontent.com/u/62669593?v=4&s=48" width="48" height="48" alt="John-Rood" title="John-Rood"/></a> <a href="https://github.com/timkrase"><img src="https://avatars.githubusercontent.com/u/38947626?v=4&s=48" width="48" height="48" alt="timkrase" title="timkrase"/></a> <a href="https://github.com/uos-status"><img src="https://avatars.githubusercontent.com/u/255712580?v=4&s=48" width="48" height="48" alt="uos-status" title="uos-status"/></a> <a href="https://github.com/gerardward2007"><img src="https://avatars.githubusercontent.com/u/3002155?v=4&s=48" width="48" height="48" alt="gerardward2007" title="gerardward2007"/></a> <a href="https://github.com/obviyus"><img src="https://avatars.githubusercontent.com/u/22031114?v=4&s=48" width="48" height="48" alt="obviyus" title="obviyus"/></a> <a href="https://github.com/roshanasingh4"><img src="https://avatars.githubusercontent.com/u/88576930?v=4&s=48" width="48" height="48" alt="roshanasingh4" title="roshanasingh4"/></a> <a href="https://github.com/tosh-hamburg"><img src="https://avatars.githubusercontent.com/u/58424326?v=4&s=48" width="48" height="48" alt="tosh-hamburg" title="tosh-hamburg"/></a> <a href="https://github.com/azade-c"><img src="https://avatars.githubusercontent.com/u/252790079?v=4&s=48" width="48" height="48" alt="azade-c" title="azade-c"/></a> <a href="https://github.com/JonUleis"><img src="https://avatars.githubusercontent.com/u/7644941?v=4&s=48" width="48" height="48" alt="JonUleis" title="JonUleis"/></a> <a href="https://github.com/bjesuiter"><img src="https://avatars.githubusercontent.com/u/2365676?v=4&s=48" width="48" height="48" alt="bjesuiter" title="bjesuiter"/></a>
-  <a href="https://github.com/cheeeee"><img src="https://avatars.githubusercontent.com/u/21245729?v=4&s=48" width="48" height="48" alt="cheeeee" title="cheeeee"/></a> <a href="https://github.com/j1philli"><img src="https://avatars.githubusercontent.com/u/3744255?v=4&s=48" width="48" height="48" alt="Josh Phillips" title="Josh Phillips"/></a> <a href="https://github.com/robbyczgw-cla"><img src="https://avatars.githubusercontent.com/u/239660374?v=4&s=48" width="48" height="48" alt="robbyczgw-cla" title="robbyczgw-cla"/></a> <a href="https://github.com/dlauer"><img src="https://avatars.githubusercontent.com/u/757041?v=4&s=48" width="48" height="48" alt="dlauer" title="dlauer"/></a> <a href="https://github.com/pookNast"><img src="https://avatars.githubusercontent.com/u/14242552?v=4&s=48" width="48" height="48" alt="pookNast" title="pookNast"/></a> <a href="https://github.com/Whoaa512"><img src="https://avatars.githubusercontent.com/u/1581943?v=4&s=48" width="48" height="48" alt="Whoaa512" title="Whoaa512"/></a> <a href="https://github.com/YuriNachos"><img src="https://avatars.githubusercontent.com/u/19365375?v=4&s=48" width="48" height="48" alt="YuriNachos" title="YuriNachos"/></a> <a href="https://github.com/chriseidhof"><img src="https://avatars.githubusercontent.com/u/5382?v=4&s=48" width="48" height="48" alt="chriseidhof" title="chriseidhof"/></a> <a href="https://github.com/ngutman"><img src="https://avatars.githubusercontent.com/u/1540134?v=4&s=48" width="48" height="48" alt="ngutman" title="ngutman"/></a> <a href="https://github.com/ysqander"><img src="https://avatars.githubusercontent.com/u/80843820?v=4&s=48" width="48" height="48" alt="ysqander" title="ysqander"/></a>
-  <a href="https://github.com/aj47"><img src="https://avatars.githubusercontent.com/u/8023513?v=4&s=48" width="48" height="48" alt="aj47" title="aj47"/></a> <a href="https://github.com/superman32432432"><img src="https://avatars.githubusercontent.com/u/7228420?v=4&s=48" width="48" height="48" alt="superman32432432" title="superman32432432"/></a> <a href="https://github.com/search?q=Yurii%20Chukhlib"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Yurii Chukhlib" title="Yurii Chukhlib"/></a> <a href="https://github.com/grp06"><img src="https://avatars.githubusercontent.com/u/1573959?v=4&s=48" width="48" height="48" alt="grp06" title="grp06"/></a> <a href="https://github.com/antons"><img src="https://avatars.githubusercontent.com/u/129705?v=4&s=48" width="48" height="48" alt="antons" title="antons"/></a> <a href="https://github.com/austinm911"><img src="https://avatars.githubusercontent.com/u/31991302?v=4&s=48" width="48" height="48" alt="austinm911" title="austinm911"/></a> <a href="https://github.com/apps/blacksmith-sh"><img src="https://avatars.githubusercontent.com/in/807020?v=4&s=48" width="48" height="48" alt="blacksmith-sh[bot]" title="blacksmith-sh[bot]"/></a> <a href="https://github.com/damoahdominic"><img src="https://avatars.githubusercontent.com/u/4623434?v=4&s=48" width="48" height="48" alt="damoahdominic" title="damoahdominic"/></a> <a href="https://github.com/dan-dr"><img src="https://avatars.githubusercontent.com/u/6669808?v=4&s=48" width="48" height="48" alt="dan-dr" title="dan-dr"/></a> <a href="https://github.com/HeimdallStrategy"><img src="https://avatars.githubusercontent.com/u/223014405?v=4&s=48" width="48" height="48" alt="HeimdallStrategy" title="HeimdallStrategy"/></a>
-  <a href="https://github.com/imfing"><img src="https://avatars.githubusercontent.com/u/5097752?v=4&s=48" width="48" height="48" alt="imfing" title="imfing"/></a> <a href="https://github.com/jalehman"><img src="https://avatars.githubusercontent.com/u/550978?v=4&s=48" width="48" height="48" alt="jalehman" title="jalehman"/></a> <a href="https://github.com/jarvis-medmatic"><img src="https://avatars.githubusercontent.com/u/252428873?v=4&s=48" width="48" height="48" alt="jarvis-medmatic" title="jarvis-medmatic"/></a> <a href="https://github.com/kkarimi"><img src="https://avatars.githubusercontent.com/u/875218?v=4&s=48" width="48" height="48" alt="kkarimi" title="kkarimi"/></a> <a href="https://github.com/mahmoudashraf93"><img src="https://avatars.githubusercontent.com/u/9130129?v=4&s=48" width="48" height="48" alt="mahmoudashraf93" title="mahmoudashraf93"/></a> <a href="https://github.com/pkrmf"><img src="https://avatars.githubusercontent.com/u/1714267?v=4&s=48" width="48" height="48" alt="pkrmf" title="pkrmf"/></a> <a href="https://github.com/RandyVentures"><img src="https://avatars.githubusercontent.com/u/149904821?v=4&s=48" width="48" height="48" alt="RandyVentures" title="RandyVentures"/></a> <a href="https://github.com/search?q=Ryan%20Lisse"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Ryan Lisse" title="Ryan Lisse"/></a> <a href="https://github.com/dougvk"><img src="https://avatars.githubusercontent.com/u/401660?v=4&s=48" width="48" height="48" alt="dougvk" title="dougvk"/></a> <a href="https://github.com/erikpr1994"><img src="https://avatars.githubusercontent.com/u/6299331?v=4&s=48" width="48" height="48" alt="erikpr1994" title="erikpr1994"/></a>
-  <a href="https://github.com/search?q=Ghost"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Ghost" title="Ghost"/></a> <a href="https://github.com/jonasjancarik"><img src="https://avatars.githubusercontent.com/u/2459191?v=4&s=48" width="48" height="48" alt="jonasjancarik" title="jonasjancarik"/></a> <a href="https://github.com/search?q=Keith%20the%20Silly%20Goose"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Keith the Silly Goose" title="Keith the Silly Goose"/></a> <a href="https://github.com/search?q=L36%20Server"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="L36 Server" title="L36 Server"/></a> <a href="https://github.com/search?q=Marc"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Marc" title="Marc"/></a> <a href="https://github.com/mitschabaude-bot"><img src="https://avatars.githubusercontent.com/u/247582884?v=4&s=48" width="48" height="48" alt="mitschabaude-bot" title="mitschabaude-bot"/></a> <a href="https://github.com/mkbehr"><img src="https://avatars.githubusercontent.com/u/1285?v=4&s=48" width="48" height="48" alt="mkbehr" title="mkbehr"/></a> <a href="https://github.com/neist"><img src="https://avatars.githubusercontent.com/u/1029724?v=4&s=48" width="48" height="48" alt="neist" title="neist"/></a> <a href="https://github.com/sibbl"><img src="https://avatars.githubusercontent.com/u/866535?v=4&s=48" width="48" height="48" alt="sibbl" title="sibbl"/></a> <a href="https://github.com/chrisrodz"><img src="https://avatars.githubusercontent.com/u/2967620?v=4&s=48" width="48" height="48" alt="chrisrodz" title="chrisrodz"/></a>
-  <a href="https://github.com/search?q=Friederike%20Seiler"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Friederike Seiler" title="Friederike Seiler"/></a> <a href="https://github.com/gabriel-trigo"><img src="https://avatars.githubusercontent.com/u/38991125?v=4&s=48" width="48" height="48" alt="gabriel-trigo" title="gabriel-trigo"/></a> <a href="https://github.com/Iamadig"><img src="https://avatars.githubusercontent.com/u/102129234?v=4&s=48" width="48" height="48" alt="iamadig" title="iamadig"/></a> <a href="https://github.com/jdrhyne"><img src="https://avatars.githubusercontent.com/u/7828464?v=4&s=48" width="48" height="48" alt="Jonathan D. Rhyne (DJ-D)" title="Jonathan D. Rhyne (DJ-D)"/></a> <a href="https://github.com/search?q=Kit"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Kit" title="Kit"/></a> <a href="https://github.com/koala73"><img src="https://avatars.githubusercontent.com/u/996596?v=4&s=48" width="48" height="48" alt="koala73" title="koala73"/></a> <a href="https://github.com/manmal"><img src="https://avatars.githubusercontent.com/u/142797?v=4&s=48" width="48" height="48" alt="manmal" title="manmal"/></a> <a href="https://github.com/ogulcancelik"><img src="https://avatars.githubusercontent.com/u/7064011?v=4&s=48" width="48" height="48" alt="ogulcancelik" title="ogulcancelik"/></a> <a href="https://github.com/pasogott"><img src="https://avatars.githubusercontent.com/u/23458152?v=4&s=48" width="48" height="48" alt="pasogott" title="pasogott"/></a> <a href="https://github.com/petradonka"><img src="https://avatars.githubusercontent.com/u/7353770?v=4&s=48" width="48" height="48" alt="petradonka" title="petradonka"/></a>
-  <a href="https://github.com/rubyrunsstuff"><img src="https://avatars.githubusercontent.com/u/246602379?v=4&s=48" width="48" height="48" alt="rubyrunsstuff" title="rubyrunsstuff"/></a> <a href="https://github.com/siddhantjain"><img src="https://avatars.githubusercontent.com/u/4835232?v=4&s=48" width="48" height="48" alt="siddhantjain" title="siddhantjain"/></a> <a href="https://github.com/suminhthanh"><img src="https://avatars.githubusercontent.com/u/2907636?v=4&s=48" width="48" height="48" alt="suminhthanh" title="suminhthanh"/></a> <a href="https://github.com/svkozak"><img src="https://avatars.githubusercontent.com/u/31941359?v=4&s=48" width="48" height="48" alt="svkozak" title="svkozak"/></a> <a href="https://github.com/VACInc"><img src="https://avatars.githubusercontent.com/u/3279061?v=4&s=48" width="48" height="48" alt="VACInc" title="VACInc"/></a> <a href="https://github.com/wes-davis"><img src="https://avatars.githubusercontent.com/u/16506720?v=4&s=48" width="48" height="48" alt="wes-davis" title="wes-davis"/></a> <a href="https://github.com/zats"><img src="https://avatars.githubusercontent.com/u/2688806?v=4&s=48" width="48" height="48" alt="zats" title="zats"/></a> <a href="https://github.com/24601"><img src="https://avatars.githubusercontent.com/u/1157207?v=4&s=48" width="48" height="48" alt="24601" title="24601"/></a> <a href="https://github.com/adam91holt"><img src="https://avatars.githubusercontent.com/u/9592417?v=4&s=48" width="48" height="48" alt="adam91holt" title="adam91holt"/></a> <a href="https://github.com/ameno-"><img src="https://avatars.githubusercontent.com/u/2416135?v=4&s=48" width="48" height="48" alt="ameno-" title="ameno-"/></a>
-  <a href="https://github.com/search?q=Chris%20Taylor"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Chris Taylor" title="Chris Taylor"/></a> <a href="https://github.com/djangonavarro220"><img src="https://avatars.githubusercontent.com/u/251162586?v=4&s=48" width="48" height="48" alt="Django Navarro" title="Django Navarro"/></a> <a href="https://github.com/evalexpr"><img src="https://avatars.githubusercontent.com/u/23485511?v=4&s=48" width="48" height="48" alt="evalexpr" title="evalexpr"/></a> <a href="https://github.com/henrino3"><img src="https://avatars.githubusercontent.com/u/4260288?v=4&s=48" width="48" height="48" alt="henrino3" title="henrino3"/></a> <a href="https://github.com/humanwritten"><img src="https://avatars.githubusercontent.com/u/206531610?v=4&s=48" width="48" height="48" alt="humanwritten" title="humanwritten"/></a> <a href="https://github.com/larlyssa"><img src="https://avatars.githubusercontent.com/u/13128869?v=4&s=48" width="48" height="48" alt="larlyssa" title="larlyssa"/></a> <a href="https://github.com/odysseus0"><img src="https://avatars.githubusercontent.com/u/8635094?v=4&s=48" width="48" height="48" alt="odysseus0" title="odysseus0"/></a> <a href="https://github.com/oswalpalash"><img src="https://avatars.githubusercontent.com/u/6431196?v=4&s=48" width="48" height="48" alt="oswalpalash" title="oswalpalash"/></a> <a href="https://github.com/pcty-nextgen-service-account"><img src="https://avatars.githubusercontent.com/u/112553441?v=4&s=48" width="48" height="48" alt="pcty-nextgen-service-account" title="pcty-nextgen-service-account"/></a> <a href="https://github.com/rmorse"><img src="https://avatars.githubusercontent.com/u/853547?v=4&s=48" width="48" height="48" alt="rmorse" title="rmorse"/></a>
-  <a href="https://github.com/Syhids"><img src="https://avatars.githubusercontent.com/u/671202?v=4&s=48" width="48" height="48" alt="Syhids" title="Syhids"/></a> <a href="https://github.com/search?q=Aaron%20Konyer"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Aaron Konyer" title="Aaron Konyer"/></a> <a href="https://github.com/aaronveklabs"><img src="https://avatars.githubusercontent.com/u/225997828?v=4&s=48" width="48" height="48" alt="aaronveklabs" title="aaronveklabs"/></a> <a href="https://github.com/andreabadesso"><img src="https://avatars.githubusercontent.com/u/3586068?v=4&s=48" width="48" height="48" alt="andreabadesso" title="andreabadesso"/></a> <a href="https://github.com/search?q=Andrii"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Andrii" title="Andrii"/></a> <a href="https://github.com/cash-echo-bot"><img src="https://avatars.githubusercontent.com/u/252747386?v=4&s=48" width="48" height="48" alt="cash-echo-bot" title="cash-echo-bot"/></a> <a href="https://github.com/search?q=Clawd"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Clawd" title="Clawd"/></a> <a href="https://github.com/search?q=ClawdFx"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="ClawdFx" title="ClawdFx"/></a> <a href="https://github.com/dguido"><img src="https://avatars.githubusercontent.com/u/294844?v=4&s=48" width="48" height="48" alt="dguido" title="dguido"/></a> <a href="https://github.com/EnzeD"><img src="https://avatars.githubusercontent.com/u/9866900?v=4&s=48" width="48" height="48" alt="EnzeD" title="EnzeD"/></a>
-  <a href="https://github.com/erik-agens"><img src="https://avatars.githubusercontent.com/u/80908960?v=4&s=48" width="48" height="48" alt="erik-agens" title="erik-agens"/></a> <a href="https://github.com/Evizero"><img src="https://avatars.githubusercontent.com/u/10854026?v=4&s=48" width="48" height="48" alt="Evizero" title="Evizero"/></a> <a href="https://github.com/fcatuhe"><img src="https://avatars.githubusercontent.com/u/17382215?v=4&s=48" width="48" height="48" alt="fcatuhe" title="fcatuhe"/></a> <a href="https://github.com/itsjaydesu"><img src="https://avatars.githubusercontent.com/u/220390?v=4&s=48" width="48" height="48" alt="itsjaydesu" title="itsjaydesu"/></a> <a href="https://github.com/ivancasco"><img src="https://avatars.githubusercontent.com/u/2452858?v=4&s=48" width="48" height="48" alt="ivancasco" title="ivancasco"/></a> <a href="https://github.com/ivanrvpereira"><img src="https://avatars.githubusercontent.com/u/183991?v=4&s=48" width="48" height="48" alt="ivanrvpereira" title="ivanrvpereira"/></a> <a href="https://github.com/jayhickey"><img src="https://avatars.githubusercontent.com/u/1676460?v=4&s=48" width="48" height="48" alt="jayhickey" title="jayhickey"/></a> <a href="https://github.com/jeffersonwarrior"><img src="https://avatars.githubusercontent.com/u/89030989?v=4&s=48" width="48" height="48" alt="jeffersonwarrior" title="jeffersonwarrior"/></a> <a href="https://github.com/search?q=jeffersonwarrior"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="jeffersonwarrior" title="jeffersonwarrior"/></a> <a href="https://github.com/jverdi"><img src="https://avatars.githubusercontent.com/u/345050?v=4&s=48" width="48" height="48" alt="jverdi" title="jverdi"/></a>
-  <a href="https://github.com/longmaba"><img src="https://avatars.githubusercontent.com/u/9361500?v=4&s=48" width="48" height="48" alt="longmaba" title="longmaba"/></a> <a href="https://github.com/mickahouan"><img src="https://avatars.githubusercontent.com/u/31423109?v=4&s=48" width="48" height="48" alt="mickahouan" title="mickahouan"/></a> <a href="https://github.com/mjrussell"><img src="https://avatars.githubusercontent.com/u/1641895?v=4&s=48" width="48" height="48" alt="mjrussell" title="mjrussell"/></a> <a href="https://github.com/odnxe"><img src="https://avatars.githubusercontent.com/u/403141?v=4&s=48" width="48" height="48" alt="odnxe" title="odnxe"/></a> <a href="https://github.com/p6l-richard"><img src="https://avatars.githubusercontent.com/u/18185649?v=4&s=48" width="48" height="48" alt="p6l-richard" title="p6l-richard"/></a> <a href="https://github.com/philipp-spiess"><img src="https://avatars.githubusercontent.com/u/458591?v=4&s=48" width="48" height="48" alt="philipp-spiess" title="philipp-spiess"/></a> <a href="https://github.com/robaxelsen"><img src="https://avatars.githubusercontent.com/u/13132899?v=4&s=48" width="48" height="48" alt="robaxelsen" title="robaxelsen"/></a> <a href="https://github.com/search?q=Sash%20Catanzarite"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Sash Catanzarite" title="Sash Catanzarite"/></a> <a href="https://github.com/T5-AndyML"><img src="https://avatars.githubusercontent.com/u/22801233?v=4&s=48" width="48" height="48" alt="T5-AndyML" title="T5-AndyML"/></a> <a href="https://github.com/travisp"><img src="https://avatars.githubusercontent.com/u/165698?v=4&s=48" width="48" height="48" alt="travisp" title="travisp"/></a>
-  <a href="https://github.com/search?q=VAC"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="VAC" title="VAC"/></a> <a href="https://github.com/search?q=william%20arzt"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="william arzt" title="william arzt"/></a> <a href="https://github.com/zknicker"><img src="https://avatars.githubusercontent.com/u/1164085?v=4&s=48" width="48" height="48" alt="zknicker" title="zknicker"/></a> <a href="https://github.com/abhaymundhara"><img src="https://avatars.githubusercontent.com/u/62872231?v=4&s=48" width="48" height="48" alt="abhaymundhara" title="abhaymundhara"/></a> <a href="https://github.com/search?q=alejandro%20maza"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="alejandro maza" title="alejandro maza"/></a> <a href="https://github.com/andrewting19"><img src="https://avatars.githubusercontent.com/u/10536704?v=4&s=48" width="48" height="48" alt="andrewting19" title="andrewting19"/></a> <a href="https://github.com/anpoirier"><img src="https://avatars.githubusercontent.com/u/1245729?v=4&s=48" width="48" height="48" alt="anpoirier" title="anpoirier"/></a> <a href="https://github.com/arthyn"><img src="https://avatars.githubusercontent.com/u/5466421?v=4&s=48" width="48" height="48" alt="arthyn" title="arthyn"/></a> <a href="https://github.com/Asleep123"><img src="https://avatars.githubusercontent.com/u/122379135?v=4&s=48" width="48" height="48" alt="Asleep123" title="Asleep123"/></a> <a href="https://github.com/bolismauro"><img src="https://avatars.githubusercontent.com/u/771999?v=4&s=48" width="48" height="48" alt="bolismauro" title="bolismauro"/></a>
-  <a href="https://github.com/conhecendoia"><img src="https://avatars.githubusercontent.com/u/82890727?v=4&s=48" width="48" height="48" alt="conhecendoia" title="conhecendoia"/></a> <a href="https://github.com/dasilva333"><img src="https://avatars.githubusercontent.com/u/947827?v=4&s=48" width="48" height="48" alt="dasilva333" title="dasilva333"/></a> <a href="https://github.com/search?q=Developer"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Developer" title="Developer"/></a> <a href="https://github.com/search?q=Dimitrios%20Ploutarchos"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Dimitrios Ploutarchos" title="Dimitrios Ploutarchos"/></a> <a href="https://github.com/search?q=Drake%20Thomsen"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Drake Thomsen" title="Drake Thomsen"/></a> <a href="https://github.com/fal3"><img src="https://avatars.githubusercontent.com/u/6484295?v=4&s=48" width="48" height="48" alt="fal3" title="fal3"/></a> <a href="https://github.com/search?q=Felix%20Krause"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Felix Krause" title="Felix Krause"/></a> <a href="https://github.com/foeken"><img src="https://avatars.githubusercontent.com/u/13864?v=4&s=48" width="48" height="48" alt="foeken" title="foeken"/></a> <a href="https://github.com/search?q=ganghyun%20kim"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="ganghyun kim" title="ganghyun kim"/></a> <a href="https://github.com/grrowl"><img src="https://avatars.githubusercontent.com/u/907140?v=4&s=48" width="48" height="48" alt="grrowl" title="grrowl"/></a>
-  <a href="https://github.com/gtsifrikas"><img src="https://avatars.githubusercontent.com/u/8904378?v=4&s=48" width="48" height="48" alt="gtsifrikas" title="gtsifrikas"/></a> <a href="https://github.com/HazAT"><img src="https://avatars.githubusercontent.com/u/363802?v=4&s=48" width="48" height="48" alt="HazAT" title="HazAT"/></a> <a href="https://github.com/hrdwdmrbl"><img src="https://avatars.githubusercontent.com/u/554881?v=4&s=48" width="48" height="48" alt="hrdwdmrbl" title="hrdwdmrbl"/></a> <a href="https://github.com/hugobarauna"><img src="https://avatars.githubusercontent.com/u/2719?v=4&s=48" width="48" height="48" alt="hugobarauna" title="hugobarauna"/></a> <a href="https://github.com/search?q=Jamie%20Openshaw"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Jamie Openshaw" title="Jamie Openshaw"/></a> <a href="https://github.com/search?q=Jarvis"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Jarvis" title="Jarvis"/></a> <a href="https://github.com/search?q=Jefferson%20Nunn"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Jefferson Nunn" title="Jefferson Nunn"/></a> <a href="https://github.com/search?q=Kevin%20Lin"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Kevin Lin" title="Kevin Lin"/></a> <a href="https://github.com/kitze"><img src="https://avatars.githubusercontent.com/u/1160594?v=4&s=48" width="48" height="48" alt="kitze" title="kitze"/></a> <a href="https://github.com/levifig"><img src="https://avatars.githubusercontent.com/u/1605?v=4&s=48" width="48" height="48" alt="levifig" title="levifig"/></a>
-  <a href="https://github.com/search?q=Lloyd"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Lloyd" title="Lloyd"/></a> <a href="https://github.com/loukotal"><img src="https://avatars.githubusercontent.com/u/18210858?v=4&s=48" width="48" height="48" alt="loukotal" title="loukotal"/></a> <a href="https://github.com/louzhixian"><img src="https://avatars.githubusercontent.com/u/7994361?v=4&s=48" width="48" height="48" alt="louzhixian" title="louzhixian"/></a> <a href="https://github.com/martinpucik"><img src="https://avatars.githubusercontent.com/u/5503097?v=4&s=48" width="48" height="48" alt="martinpucik" title="martinpucik"/></a> <a href="https://github.com/search?q=Matt%20mini"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Matt mini" title="Matt mini"/></a> <a href="https://github.com/search?q=Miles"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Miles" title="Miles"/></a> <a href="https://github.com/mrdbstn"><img src="https://avatars.githubusercontent.com/u/58957632?v=4&s=48" width="48" height="48" alt="mrdbstn" title="mrdbstn"/></a> <a href="https://github.com/MSch"><img src="https://avatars.githubusercontent.com/u/7475?v=4&s=48" width="48" height="48" alt="MSch" title="MSch"/></a> <a href="https://github.com/search?q=Mustafa%20Tag%20Eldeen"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Mustafa Tag Eldeen" title="Mustafa Tag Eldeen"/></a> <a href="https://github.com/ndraiman"><img src="https://avatars.githubusercontent.com/u/12609607?v=4&s=48" width="48" height="48" alt="ndraiman" title="ndraiman"/></a>
-  <a href="https://github.com/nexty5870"><img src="https://avatars.githubusercontent.com/u/3869659?v=4&s=48" width="48" height="48" alt="nexty5870" title="nexty5870"/></a> <a href="https://github.com/Noctivoro"><img src="https://avatars.githubusercontent.com/u/183974570?v=4&s=48" width="48" height="48" alt="Noctivoro" title="Noctivoro"/></a> <a href="https://github.com/prathamdby"><img src="https://avatars.githubusercontent.com/u/134331217?v=4&s=48" width="48" height="48" alt="prathamdby" title="prathamdby"/></a> <a href="https://github.com/ptn1411"><img src="https://avatars.githubusercontent.com/u/57529765?v=4&s=48" width="48" height="48" alt="ptn1411" title="ptn1411"/></a> <a href="https://github.com/reeltimeapps"><img src="https://avatars.githubusercontent.com/u/637338?v=4&s=48" width="48" height="48" alt="reeltimeapps" title="reeltimeapps"/></a> <a href="https://github.com/RLTCmpe"><img src="https://avatars.githubusercontent.com/u/10762242?v=4&s=48" width="48" height="48" alt="RLTCmpe" title="RLTCmpe"/></a> <a href="https://github.com/search?q=Rolf%20Fredheim"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Rolf Fredheim" title="Rolf Fredheim"/></a> <a href="https://github.com/search?q=Rony%20Kelner"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Rony Kelner" title="Rony Kelner"/></a> <a href="https://github.com/search?q=Samrat%20Jha"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Samrat Jha" title="Samrat Jha"/></a> <a href="https://github.com/senoldogann"><img src="https://avatars.githubusercontent.com/u/45736551?v=4&s=48" width="48" height="48" alt="senoldogann" title="senoldogann"/></a>
-  <a href="https://github.com/Seredeep"><img src="https://avatars.githubusercontent.com/u/22802816?v=4&s=48" width="48" height="48" alt="Seredeep" title="Seredeep"/></a> <a href="https://github.com/sergical"><img src="https://avatars.githubusercontent.com/u/3760543?v=4&s=48" width="48" height="48" alt="sergical" title="sergical"/></a> <a href="https://github.com/shiv19"><img src="https://avatars.githubusercontent.com/u/9407019?v=4&s=48" width="48" height="48" alt="shiv19" title="shiv19"/></a> <a href="https://github.com/shiyuanhai"><img src="https://avatars.githubusercontent.com/u/1187370?v=4&s=48" width="48" height="48" alt="shiyuanhai" title="shiyuanhai"/></a> <a href="https://github.com/siraht"><img src="https://avatars.githubusercontent.com/u/73152895?v=4&s=48" width="48" height="48" alt="siraht" title="siraht"/></a> <a href="https://github.com/snopoke"><img src="https://avatars.githubusercontent.com/u/249606?v=4&s=48" width="48" height="48" alt="snopoke" title="snopoke"/></a> <a href="https://github.com/testingabc321"><img src="https://avatars.githubusercontent.com/u/8577388?v=4&s=48" width="48" height="48" alt="testingabc321" title="testingabc321"/></a> <a href="https://github.com/search?q=The%20Admiral"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="The Admiral" title="The Admiral"/></a> <a href="https://github.com/thesash"><img src="https://avatars.githubusercontent.com/u/1166151?v=4&s=48" width="48" height="48" alt="thesash" title="thesash"/></a> <a href="https://github.com/search?q=Ubuntu"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Ubuntu" title="Ubuntu"/></a>
-  <a href="https://github.com/voidserf"><img src="https://avatars.githubusercontent.com/u/477673?v=4&s=48" width="48" height="48" alt="voidserf" title="voidserf"/></a> <a href="https://github.com/search?q=Vultr-Clawd%20Admin"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Vultr-Clawd Admin" title="Vultr-Clawd Admin"/></a> <a href="https://github.com/search?q=Wimmie"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Wimmie" title="Wimmie"/></a> <a href="https://github.com/wstock"><img src="https://avatars.githubusercontent.com/u/1394687?v=4&s=48" width="48" height="48" alt="wstock" title="wstock"/></a> <a href="https://github.com/yazinsai"><img src="https://avatars.githubusercontent.com/u/1846034?v=4&s=48" width="48" height="48" alt="yazinsai" title="yazinsai"/></a> <a href="https://github.com/search?q=ymat19"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="ymat19" title="ymat19"/></a> <a href="https://github.com/search?q=Zach%20Knickerbocker"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Zach Knickerbocker" title="Zach Knickerbocker"/></a> <a href="https://github.com/0xJonHoldsCrypto"><img src="https://avatars.githubusercontent.com/u/81202085?v=4&s=48" width="48" height="48" alt="0xJonHoldsCrypto" title="0xJonHoldsCrypto"/></a> <a href="https://github.com/aaronn"><img src="https://avatars.githubusercontent.com/u/1653630?v=4&s=48" width="48" height="48" alt="aaronn" title="aaronn"/></a> <a href="https://github.com/Alphonse-arianee"><img src="https://avatars.githubusercontent.com/u/254457365?v=4&s=48" width="48" height="48" alt="Alphonse-arianee" title="Alphonse-arianee"/></a>
-  <a href="https://github.com/atalovesyou"><img src="https://avatars.githubusercontent.com/u/3534502?v=4&s=48" width="48" height="48" alt="atalovesyou" title="atalovesyou"/></a> <a href="https://github.com/search?q=Azade"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Azade" title="Azade"/></a> <a href="https://github.com/carlulsoe"><img src="https://avatars.githubusercontent.com/u/34673973?v=4&s=48" width="48" height="48" alt="carlulsoe" title="carlulsoe"/></a> <a href="https://github.com/search?q=ddyo"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="ddyo" title="ddyo"/></a> <a href="https://github.com/search?q=Erik"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Erik" title="Erik"/></a> <a href="https://github.com/hougangdev"><img src="https://avatars.githubusercontent.com/u/105773686?v=4&s=48" width="48" height="48" alt="hougangdev" title="hougangdev"/></a> <a href="https://github.com/latitudeki5223"><img src="https://avatars.githubusercontent.com/u/119656367?v=4&s=48" width="48" height="48" alt="latitudeki5223" title="latitudeki5223"/></a> <a href="https://github.com/search?q=Manuel%20Maly"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Manuel Maly" title="Manuel Maly"/></a> <a href="https://github.com/search?q=Mourad%20Boustani"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Mourad Boustani" title="Mourad Boustani"/></a> <a href="https://github.com/odrobnik"><img src="https://avatars.githubusercontent.com/u/333270?v=4&s=48" width="48" height="48" alt="odrobnik" title="odrobnik"/></a>
-  <a href="https://github.com/pcty-nextgen-ios-builder"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="pcty-nextgen-ios-builder" title="pcty-nextgen-ios-builder"/></a> <a href="https://github.com/search?q=Quentin"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Quentin" title="Quentin"/></a> <a href="https://github.com/search?q=Randy%20Torres"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Randy Torres" title="Randy Torres"/></a> <a href="https://github.com/rhjoh"><img src="https://avatars.githubusercontent.com/u/105699450?v=4&s=48" width="48" height="48" alt="rhjoh" title="rhjoh"/></a> <a href="https://github.com/ronak-guliani"><img src="https://avatars.githubusercontent.com/u/23518228?v=4&s=48" width="48" height="48" alt="ronak-guliani" title="ronak-guliani"/></a> <a href="https://github.com/search?q=William%20Stock"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="William Stock" title="William Stock"/></a>
+  <a href="https://github.com/vignesh07"><img src="https://avatars.githubusercontent.com/u/1436853?v=4&s=48" width="48" height="48" alt="vignesh07" title="vignesh07"/></a> <a href="https://github.com/mteam88"><img src="https://avatars.githubusercontent.com/u/84196639?v=4&s=48" width="48" height="48" alt="mteam88" title="mteam88"/></a> <a href="https://github.com/joeynyc"><img src="https://avatars.githubusercontent.com/u/17919866?v=4&s=48" width="48" height="48" alt="joeynyc" title="joeynyc"/></a> <a href="https://github.com/orlyjamie"><img src="https://avatars.githubusercontent.com/u/6668807?v=4&s=48" width="48" height="48" alt="orlyjamie" title="orlyjamie"/></a> <a href="https://github.com/dbhurley"><img src="https://avatars.githubusercontent.com/u/5251425?v=4&s=48" width="48" height="48" alt="dbhurley" title="dbhurley"/></a> <a href="https://github.com/mbelinky"><img src="https://avatars.githubusercontent.com/u/132747814?v=4&s=48" width="48" height="48" alt="Mariano Belinky" title="Mariano Belinky"/></a> <a href="https://github.com/omniwired"><img src="https://avatars.githubusercontent.com/u/322761?v=4&s=48" width="48" height="48" alt="Eng. Juan Combetto" title="Eng. Juan Combetto"/></a> <a href="https://github.com/TSavo"><img src="https://avatars.githubusercontent.com/u/877990?v=4&s=48" width="48" height="48" alt="TSavo" title="TSavo"/></a> <a href="https://github.com/julianengel"><img src="https://avatars.githubusercontent.com/u/10634231?v=4&s=48" width="48" height="48" alt="julianengel" title="julianengel"/></a> <a href="https://github.com/bradleypriest"><img src="https://avatars.githubusercontent.com/u/167215?v=4&s=48" width="48" height="48" alt="bradleypriest" title="bradleypriest"/></a>
+  <a href="https://github.com/benithors"><img src="https://avatars.githubusercontent.com/u/20652882?v=4&s=48" width="48" height="48" alt="benithors" title="benithors"/></a> <a href="https://github.com/rohannagpal"><img src="https://avatars.githubusercontent.com/u/4009239?v=4&s=48" width="48" height="48" alt="rohannagpal" title="rohannagpal"/></a> <a href="https://github.com/timolins"><img src="https://avatars.githubusercontent.com/u/1440854?v=4&s=48" width="48" height="48" alt="timolins" title="timolins"/></a> <a href="https://github.com/f-trycua"><img src="https://avatars.githubusercontent.com/u/195596869?v=4&s=48" width="48" height="48" alt="f-trycua" title="f-trycua"/></a> <a href="https://github.com/benostein"><img src="https://avatars.githubusercontent.com/u/31802821?v=4&s=48" width="48" height="48" alt="benostein" title="benostein"/></a> <a href="https://github.com/Nachx639"><img src="https://avatars.githubusercontent.com/u/71144023?v=4&s=48" width="48" height="48" alt="nachx639" title="nachx639"/></a> <a href="https://github.com/pvoo"><img src="https://avatars.githubusercontent.com/u/20116814?v=4&s=48" width="48" height="48" alt="pvoo" title="pvoo"/></a> <a href="https://github.com/sreekaransrinath"><img src="https://avatars.githubusercontent.com/u/50989977?v=4&s=48" width="48" height="48" alt="sreekaransrinath" title="sreekaransrinath"/></a> <a href="https://github.com/gupsammy"><img src="https://avatars.githubusercontent.com/u/20296019?v=4&s=48" width="48" height="48" alt="gupsammy" title="gupsammy"/></a> <a href="https://github.com/cristip73"><img src="https://avatars.githubusercontent.com/u/24499421?v=4&s=48" width="48" height="48" alt="cristip73" title="cristip73"/></a>
+  <a href="https://github.com/stefangalescu"><img src="https://avatars.githubusercontent.com/u/52995748?v=4&s=48" width="48" height="48" alt="stefangalescu" title="stefangalescu"/></a> <a href="https://github.com/nachoiacovino"><img src="https://avatars.githubusercontent.com/u/50103937?v=4&s=48" width="48" height="48" alt="nachoiacovino" title="nachoiacovino"/></a> <a href="https://github.com/vsabavat"><img src="https://avatars.githubusercontent.com/u/50385532?v=4&s=48" width="48" height="48" alt="Vasanth Rao Naik Sabavat" title="Vasanth Rao Naik Sabavat"/></a> <a href="https://github.com/petter-b"><img src="https://avatars.githubusercontent.com/u/62076402?v=4&s=48" width="48" height="48" alt="petter-b" title="petter-b"/></a> <a href="https://github.com/cpojer"><img src="https://avatars.githubusercontent.com/u/13352?v=4&s=48" width="48" height="48" alt="cpojer" title="cpojer"/></a> <a href="https://github.com/scald"><img src="https://avatars.githubusercontent.com/u/1215913?v=4&s=48" width="48" height="48" alt="scald" title="scald"/></a> <a href="https://github.com/gumadeiras"><img src="https://avatars.githubusercontent.com/u/5599352?v=4&s=48" width="48" height="48" alt="gumadeiras" title="gumadeiras"/></a> <a href="https://github.com/andranik-sahakyan"><img src="https://avatars.githubusercontent.com/u/8908029?v=4&s=48" width="48" height="48" alt="andranik-sahakyan" title="andranik-sahakyan"/></a> <a href="https://github.com/davidguttman"><img src="https://avatars.githubusercontent.com/u/431696?v=4&s=48" width="48" height="48" alt="davidguttman" title="davidguttman"/></a> <a href="https://github.com/sleontenko"><img src="https://avatars.githubusercontent.com/u/7135949?v=4&s=48" width="48" height="48" alt="sleontenko" title="sleontenko"/></a>
+  <a href="https://github.com/denysvitali"><img src="https://avatars.githubusercontent.com/u/4939519?v=4&s=48" width="48" height="48" alt="denysvitali" title="denysvitali"/></a> <a href="https://github.com/thewilloftheshadow"><img src="https://avatars.githubusercontent.com/u/35580099?v=4&s=48" width="48" height="48" alt="thewilloftheshadow" title="thewilloftheshadow"/></a> <a href="https://github.com/shakkernerd"><img src="https://avatars.githubusercontent.com/u/165377636?v=4&s=48" width="48" height="48" alt="shakkernerd" title="shakkernerd"/></a> <a href="https://github.com/sircrumpet"><img src="https://avatars.githubusercontent.com/u/4436535?v=4&s=48" width="48" height="48" alt="sircrumpet" title="sircrumpet"/></a> <a href="https://github.com/peschee"><img src="https://avatars.githubusercontent.com/u/63866?v=4&s=48" width="48" height="48" alt="peschee" title="peschee"/></a> <a href="https://github.com/rafaelreis-r"><img src="https://avatars.githubusercontent.com/u/57492577?v=4&s=48" width="48" height="48" alt="rafaelreis-r" title="rafaelreis-r"/></a> <a href="https://github.com/ratulsarna"><img src="https://avatars.githubusercontent.com/u/105903728?v=4&s=48" width="48" height="48" alt="ratulsarna" title="ratulsarna"/></a> <a href="https://github.com/lutr0"><img src="https://avatars.githubusercontent.com/u/76906369?v=4&s=48" width="48" height="48" alt="lutr0" title="lutr0"/></a> <a href="https://github.com/danielz1z"><img src="https://avatars.githubusercontent.com/u/235270390?v=4&s=48" width="48" height="48" alt="danielz1z" title="danielz1z"/></a> <a href="https://github.com/emanuelst"><img src="https://avatars.githubusercontent.com/u/9994339?v=4&s=48" width="48" height="48" alt="emanuelst" title="emanuelst"/></a>
+  <a href="https://github.com/KristijanJovanovski"><img src="https://avatars.githubusercontent.com/u/8942284?v=4&s=48" width="48" height="48" alt="KristijanJovanovski" title="KristijanJovanovski"/></a> <a href="https://github.com/rdev"><img src="https://avatars.githubusercontent.com/u/8418866?v=4&s=48" width="48" height="48" alt="rdev" title="rdev"/></a> <a href="https://github.com/rhuanssauro"><img src="https://avatars.githubusercontent.com/u/164682191?v=4&s=48" width="48" height="48" alt="rhuanssauro" title="rhuanssauro"/></a> <a href="https://github.com/joshrad-dev"><img src="https://avatars.githubusercontent.com/u/62785552?v=4&s=48" width="48" height="48" alt="joshrad-dev" title="joshrad-dev"/></a> <a href="https://github.com/kiranjd"><img src="https://avatars.githubusercontent.com/u/25822851?v=4&s=48" width="48" height="48" alt="kiranjd" title="kiranjd"/></a> <a href="https://github.com/osolmaz"><img src="https://avatars.githubusercontent.com/u/2453968?v=4&s=48" width="48" height="48" alt="osolmaz" title="osolmaz"/></a> <a href="https://github.com/adityashaw2"><img src="https://avatars.githubusercontent.com/u/41204444?v=4&s=48" width="48" height="48" alt="adityashaw2" title="adityashaw2"/></a> <a href="https://github.com/CashWilliams"><img src="https://avatars.githubusercontent.com/u/613573?v=4&s=48" width="48" height="48" alt="CashWilliams" title="CashWilliams"/></a> <a href="https://github.com/search?q=sheeek"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="sheeek" title="sheeek"/></a> <a href="https://github.com/artuskg"><img src="https://avatars.githubusercontent.com/u/11966157?v=4&s=48" width="48" height="48" alt="artuskg" title="artuskg"/></a>
+  <a href="https://github.com/Takhoffman"><img src="https://avatars.githubusercontent.com/u/781889?v=4&s=48" width="48" height="48" alt="Takhoffman" title="Takhoffman"/></a> <a href="https://github.com/onutc"><img src="https://avatars.githubusercontent.com/u/152018508?v=4&s=48" width="48" height="48" alt="onutc" title="onutc"/></a> <a href="https://github.com/pauloportella"><img src="https://avatars.githubusercontent.com/u/22947229?v=4&s=48" width="48" height="48" alt="pauloportella" title="pauloportella"/></a> <a href="https://github.com/neooriginal"><img src="https://avatars.githubusercontent.com/u/54811660?v=4&s=48" width="48" height="48" alt="neooriginal" title="neooriginal"/></a> <a href="https://github.com/ManuelHettich"><img src="https://avatars.githubusercontent.com/u/17690367?v=4&s=48" width="48" height="48" alt="manuelhettich" title="manuelhettich"/></a> <a href="https://github.com/minghinmatthewlam"><img src="https://avatars.githubusercontent.com/u/14224566?v=4&s=48" width="48" height="48" alt="minghinmatthewlam" title="minghinmatthewlam"/></a> <a href="https://github.com/myfunc"><img src="https://avatars.githubusercontent.com/u/19294627?v=4&s=48" width="48" height="48" alt="myfunc" title="myfunc"/></a> <a href="https://github.com/travisirby"><img src="https://avatars.githubusercontent.com/u/5958376?v=4&s=48" width="48" height="48" alt="travisirby" title="travisirby"/></a> <a href="https://github.com/buddyh"><img src="https://avatars.githubusercontent.com/u/31752869?v=4&s=48" width="48" height="48" alt="buddyh" title="buddyh"/></a> <a href="https://github.com/connorshea"><img src="https://avatars.githubusercontent.com/u/2977353?v=4&s=48" width="48" height="48" alt="connorshea" title="connorshea"/></a>
+  <a href="https://github.com/kyleok"><img src="https://avatars.githubusercontent.com/u/58307870?v=4&s=48" width="48" height="48" alt="kyleok" title="kyleok"/></a> <a href="https://github.com/mcinteerj"><img src="https://avatars.githubusercontent.com/u/3613653?v=4&s=48" width="48" height="48" alt="mcinteerj" title="mcinteerj"/></a> <a href="https://github.com/apps/dependabot"><img src="https://avatars.githubusercontent.com/in/29110?v=4&s=48" width="48" height="48" alt="dependabot[bot]" title="dependabot[bot]"/></a> <a href="https://github.com/John-Rood"><img src="https://avatars.githubusercontent.com/u/62669593?v=4&s=48" width="48" height="48" alt="John-Rood" title="John-Rood"/></a> <a href="https://github.com/timkrase"><img src="https://avatars.githubusercontent.com/u/38947626?v=4&s=48" width="48" height="48" alt="timkrase" title="timkrase"/></a> <a href="https://github.com/uos-status"><img src="https://avatars.githubusercontent.com/u/255712580?v=4&s=48" width="48" height="48" alt="uos-status" title="uos-status"/></a> <a href="https://github.com/gerardward2007"><img src="https://avatars.githubusercontent.com/u/3002155?v=4&s=48" width="48" height="48" alt="gerardward2007" title="gerardward2007"/></a> <a href="https://github.com/obviyus"><img src="https://avatars.githubusercontent.com/u/22031114?v=4&s=48" width="48" height="48" alt="obviyus" title="obviyus"/></a> <a href="https://github.com/roshanasingh4"><img src="https://avatars.githubusercontent.com/u/88576930?v=4&s=48" width="48" height="48" alt="roshanasingh4" title="roshanasingh4"/></a> <a href="https://github.com/tosh-hamburg"><img src="https://avatars.githubusercontent.com/u/58424326?v=4&s=48" width="48" height="48" alt="tosh-hamburg" title="tosh-hamburg"/></a>
+  <a href="https://github.com/azade-c"><img src="https://avatars.githubusercontent.com/u/252790079?v=4&s=48" width="48" height="48" alt="azade-c" title="azade-c"/></a> <a href="https://github.com/JonUleis"><img src="https://avatars.githubusercontent.com/u/7644941?v=4&s=48" width="48" height="48" alt="JonUleis" title="JonUleis"/></a> <a href="https://github.com/bjesuiter"><img src="https://avatars.githubusercontent.com/u/2365676?v=4&s=48" width="48" height="48" alt="bjesuiter" title="bjesuiter"/></a> <a href="https://github.com/cheeeee"><img src="https://avatars.githubusercontent.com/u/21245729?v=4&s=48" width="48" height="48" alt="cheeeee" title="cheeeee"/></a> <a href="https://github.com/j1philli"><img src="https://avatars.githubusercontent.com/u/3744255?v=4&s=48" width="48" height="48" alt="Josh Phillips" title="Josh Phillips"/></a> <a href="https://github.com/YuriNachos"><img src="https://avatars.githubusercontent.com/u/19365375?v=4&s=48" width="48" height="48" alt="YuriNachos" title="YuriNachos"/></a> <a href="https://github.com/robbyczgw-cla"><img src="https://avatars.githubusercontent.com/u/239660374?v=4&s=48" width="48" height="48" alt="robbyczgw-cla" title="robbyczgw-cla"/></a> <a href="https://github.com/dlauer"><img src="https://avatars.githubusercontent.com/u/757041?v=4&s=48" width="48" height="48" alt="dlauer" title="dlauer"/></a> <a href="https://github.com/pookNast"><img src="https://avatars.githubusercontent.com/u/14242552?v=4&s=48" width="48" height="48" alt="pookNast" title="pookNast"/></a> <a href="https://github.com/Whoaa512"><img src="https://avatars.githubusercontent.com/u/1581943?v=4&s=48" width="48" height="48" alt="Whoaa512" title="Whoaa512"/></a>
+  <a href="https://github.com/chriseidhof"><img src="https://avatars.githubusercontent.com/u/5382?v=4&s=48" width="48" height="48" alt="chriseidhof" title="chriseidhof"/></a> <a href="https://github.com/ngutman"><img src="https://avatars.githubusercontent.com/u/1540134?v=4&s=48" width="48" height="48" alt="ngutman" title="ngutman"/></a> <a href="https://github.com/ysqander"><img src="https://avatars.githubusercontent.com/u/80843820?v=4&s=48" width="48" height="48" alt="ysqander" title="ysqander"/></a> <a href="https://github.com/aj47"><img src="https://avatars.githubusercontent.com/u/8023513?v=4&s=48" width="48" height="48" alt="aj47" title="aj47"/></a> <a href="https://github.com/superman32432432"><img src="https://avatars.githubusercontent.com/u/7228420?v=4&s=48" width="48" height="48" alt="superman32432432" title="superman32432432"/></a> <a href="https://github.com/search?q=Yurii%20Chukhlib"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Yurii Chukhlib" title="Yurii Chukhlib"/></a> <a href="https://github.com/grp06"><img src="https://avatars.githubusercontent.com/u/1573959?v=4&s=48" width="48" height="48" alt="grp06" title="grp06"/></a> <a href="https://github.com/antons"><img src="https://avatars.githubusercontent.com/u/129705?v=4&s=48" width="48" height="48" alt="antons" title="antons"/></a> <a href="https://github.com/austinm911"><img src="https://avatars.githubusercontent.com/u/31991302?v=4&s=48" width="48" height="48" alt="austinm911" title="austinm911"/></a> <a href="https://github.com/apps/blacksmith-sh"><img src="https://avatars.githubusercontent.com/in/807020?v=4&s=48" width="48" height="48" alt="blacksmith-sh[bot]" title="blacksmith-sh[bot]"/></a>
+  <a href="https://github.com/damoahdominic"><img src="https://avatars.githubusercontent.com/u/4623434?v=4&s=48" width="48" height="48" alt="damoahdominic" title="damoahdominic"/></a> <a href="https://github.com/dan-dr"><img src="https://avatars.githubusercontent.com/u/6669808?v=4&s=48" width="48" height="48" alt="dan-dr" title="dan-dr"/></a> <a href="https://github.com/HeimdallStrategy"><img src="https://avatars.githubusercontent.com/u/223014405?v=4&s=48" width="48" height="48" alt="HeimdallStrategy" title="HeimdallStrategy"/></a> <a href="https://github.com/imfing"><img src="https://avatars.githubusercontent.com/u/5097752?v=4&s=48" width="48" height="48" alt="imfing" title="imfing"/></a> <a href="https://github.com/jalehman"><img src="https://avatars.githubusercontent.com/u/550978?v=4&s=48" width="48" height="48" alt="jalehman" title="jalehman"/></a> <a href="https://github.com/jarvis-medmatic"><img src="https://avatars.githubusercontent.com/u/252428873?v=4&s=48" width="48" height="48" alt="jarvis-medmatic" title="jarvis-medmatic"/></a> <a href="https://github.com/kkarimi"><img src="https://avatars.githubusercontent.com/u/875218?v=4&s=48" width="48" height="48" alt="kkarimi" title="kkarimi"/></a> <a href="https://github.com/mahmoudashraf93"><img src="https://avatars.githubusercontent.com/u/9130129?v=4&s=48" width="48" height="48" alt="mahmoudashraf93" title="mahmoudashraf93"/></a> <a href="https://github.com/pkrmf"><img src="https://avatars.githubusercontent.com/u/1714267?v=4&s=48" width="48" height="48" alt="pkrmf" title="pkrmf"/></a> <a href="https://github.com/RandyVentures"><img src="https://avatars.githubusercontent.com/u/149904821?v=4&s=48" width="48" height="48" alt="RandyVentures" title="RandyVentures"/></a>
+  <a href="https://github.com/search?q=Ryan%20Lisse"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Ryan Lisse" title="Ryan Lisse"/></a> <a href="https://github.com/dougvk"><img src="https://avatars.githubusercontent.com/u/401660?v=4&s=48" width="48" height="48" alt="dougvk" title="dougvk"/></a> <a href="https://github.com/erikpr1994"><img src="https://avatars.githubusercontent.com/u/6299331?v=4&s=48" width="48" height="48" alt="erikpr1994" title="erikpr1994"/></a> <a href="https://github.com/search?q=Ghost"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Ghost" title="Ghost"/></a> <a href="https://github.com/jonasjancarik"><img src="https://avatars.githubusercontent.com/u/2459191?v=4&s=48" width="48" height="48" alt="jonasjancarik" title="jonasjancarik"/></a> <a href="https://github.com/search?q=Keith%20the%20Silly%20Goose"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Keith the Silly Goose" title="Keith the Silly Goose"/></a> <a href="https://github.com/search?q=L36%20Server"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="L36 Server" title="L36 Server"/></a> <a href="https://github.com/search?q=Marc"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Marc" title="Marc"/></a> <a href="https://github.com/mitschabaude-bot"><img src="https://avatars.githubusercontent.com/u/247582884?v=4&s=48" width="48" height="48" alt="mitschabaude-bot" title="mitschabaude-bot"/></a> <a href="https://github.com/mkbehr"><img src="https://avatars.githubusercontent.com/u/1285?v=4&s=48" width="48" height="48" alt="mkbehr" title="mkbehr"/></a>
+  <a href="https://github.com/neist"><img src="https://avatars.githubusercontent.com/u/1029724?v=4&s=48" width="48" height="48" alt="neist" title="neist"/></a> <a href="https://github.com/sibbl"><img src="https://avatars.githubusercontent.com/u/866535?v=4&s=48" width="48" height="48" alt="sibbl" title="sibbl"/></a> <a href="https://github.com/chrisrodz"><img src="https://avatars.githubusercontent.com/u/2967620?v=4&s=48" width="48" height="48" alt="chrisrodz" title="chrisrodz"/></a> <a href="https://github.com/search?q=Friederike%20Seiler"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Friederike Seiler" title="Friederike Seiler"/></a> <a href="https://github.com/gabriel-trigo"><img src="https://avatars.githubusercontent.com/u/38991125?v=4&s=48" width="48" height="48" alt="gabriel-trigo" title="gabriel-trigo"/></a> <a href="https://github.com/Iamadig"><img src="https://avatars.githubusercontent.com/u/102129234?v=4&s=48" width="48" height="48" alt="iamadig" title="iamadig"/></a> <a href="https://github.com/jdrhyne"><img src="https://avatars.githubusercontent.com/u/7828464?v=4&s=48" width="48" height="48" alt="Jonathan D. Rhyne (DJ-D)" title="Jonathan D. Rhyne (DJ-D)"/></a> <a href="https://github.com/search?q=Kit"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Kit" title="Kit"/></a> <a href="https://github.com/koala73"><img src="https://avatars.githubusercontent.com/u/996596?v=4&s=48" width="48" height="48" alt="koala73" title="koala73"/></a> <a href="https://github.com/manmal"><img src="https://avatars.githubusercontent.com/u/142797?v=4&s=48" width="48" height="48" alt="manmal" title="manmal"/></a>
+  <a href="https://github.com/ogulcancelik"><img src="https://avatars.githubusercontent.com/u/7064011?v=4&s=48" width="48" height="48" alt="ogulcancelik" title="ogulcancelik"/></a> <a href="https://github.com/pasogott"><img src="https://avatars.githubusercontent.com/u/23458152?v=4&s=48" width="48" height="48" alt="pasogott" title="pasogott"/></a> <a href="https://github.com/petradonka"><img src="https://avatars.githubusercontent.com/u/7353770?v=4&s=48" width="48" height="48" alt="petradonka" title="petradonka"/></a> <a href="https://github.com/rubyrunsstuff"><img src="https://avatars.githubusercontent.com/u/246602379?v=4&s=48" width="48" height="48" alt="rubyrunsstuff" title="rubyrunsstuff"/></a> <a href="https://github.com/siddhantjain"><img src="https://avatars.githubusercontent.com/u/4835232?v=4&s=48" width="48" height="48" alt="siddhantjain" title="siddhantjain"/></a> <a href="https://github.com/suminhthanh"><img src="https://avatars.githubusercontent.com/u/2907636?v=4&s=48" width="48" height="48" alt="suminhthanh" title="suminhthanh"/></a> <a href="https://github.com/svkozak"><img src="https://avatars.githubusercontent.com/u/31941359?v=4&s=48" width="48" height="48" alt="svkozak" title="svkozak"/></a> <a href="https://github.com/VACInc"><img src="https://avatars.githubusercontent.com/u/3279061?v=4&s=48" width="48" height="48" alt="VACInc" title="VACInc"/></a> <a href="https://github.com/wes-davis"><img src="https://avatars.githubusercontent.com/u/16506720?v=4&s=48" width="48" height="48" alt="wes-davis" title="wes-davis"/></a> <a href="https://github.com/zats"><img src="https://avatars.githubusercontent.com/u/2688806?v=4&s=48" width="48" height="48" alt="zats" title="zats"/></a>
+  <a href="https://github.com/24601"><img src="https://avatars.githubusercontent.com/u/1157207?v=4&s=48" width="48" height="48" alt="24601" title="24601"/></a> <a href="https://github.com/adam91holt"><img src="https://avatars.githubusercontent.com/u/9592417?v=4&s=48" width="48" height="48" alt="adam91holt" title="adam91holt"/></a> <a href="https://github.com/ameno-"><img src="https://avatars.githubusercontent.com/u/2416135?v=4&s=48" width="48" height="48" alt="ameno-" title="ameno-"/></a> <a href="https://github.com/search?q=Chris%20Taylor"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Chris Taylor" title="Chris Taylor"/></a> <a href="https://github.com/djangonavarro220"><img src="https://avatars.githubusercontent.com/u/251162586?v=4&s=48" width="48" height="48" alt="Django Navarro" title="Django Navarro"/></a> <a href="https://github.com/evalexpr"><img src="https://avatars.githubusercontent.com/u/23485511?v=4&s=48" width="48" height="48" alt="evalexpr" title="evalexpr"/></a> <a href="https://github.com/henrino3"><img src="https://avatars.githubusercontent.com/u/4260288?v=4&s=48" width="48" height="48" alt="henrino3" title="henrino3"/></a> <a href="https://github.com/humanwritten"><img src="https://avatars.githubusercontent.com/u/206531610?v=4&s=48" width="48" height="48" alt="humanwritten" title="humanwritten"/></a> <a href="https://github.com/larlyssa"><img src="https://avatars.githubusercontent.com/u/13128869?v=4&s=48" width="48" height="48" alt="larlyssa" title="larlyssa"/></a> <a href="https://github.com/odysseus0"><img src="https://avatars.githubusercontent.com/u/8635094?v=4&s=48" width="48" height="48" alt="odysseus0" title="odysseus0"/></a>
+  <a href="https://github.com/oswalpalash"><img src="https://avatars.githubusercontent.com/u/6431196?v=4&s=48" width="48" height="48" alt="oswalpalash" title="oswalpalash"/></a> <a href="https://github.com/pcty-nextgen-service-account"><img src="https://avatars.githubusercontent.com/u/112553441?v=4&s=48" width="48" height="48" alt="pcty-nextgen-service-account" title="pcty-nextgen-service-account"/></a> <a href="https://github.com/rmorse"><img src="https://avatars.githubusercontent.com/u/853547?v=4&s=48" width="48" height="48" alt="rmorse" title="rmorse"/></a> <a href="https://github.com/Syhids"><img src="https://avatars.githubusercontent.com/u/671202?v=4&s=48" width="48" height="48" alt="Syhids" title="Syhids"/></a> <a href="https://github.com/search?q=Aaron%20Konyer"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Aaron Konyer" title="Aaron Konyer"/></a> <a href="https://github.com/aaronveklabs"><img src="https://avatars.githubusercontent.com/u/225997828?v=4&s=48" width="48" height="48" alt="aaronveklabs" title="aaronveklabs"/></a> <a href="https://github.com/andreabadesso"><img src="https://avatars.githubusercontent.com/u/3586068?v=4&s=48" width="48" height="48" alt="andreabadesso" title="andreabadesso"/></a> <a href="https://github.com/search?q=Andrii"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Andrii" title="Andrii"/></a> <a href="https://github.com/cash-echo-bot"><img src="https://avatars.githubusercontent.com/u/252747386?v=4&s=48" width="48" height="48" alt="cash-echo-bot" title="cash-echo-bot"/></a> <a href="https://github.com/search?q=Clawd"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Clawd" title="Clawd"/></a>
+  <a href="https://github.com/search?q=ClawdFx"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="ClawdFx" title="ClawdFx"/></a> <a href="https://github.com/dguido"><img src="https://avatars.githubusercontent.com/u/294844?v=4&s=48" width="48" height="48" alt="dguido" title="dguido"/></a> <a href="https://github.com/EnzeD"><img src="https://avatars.githubusercontent.com/u/9866900?v=4&s=48" width="48" height="48" alt="EnzeD" title="EnzeD"/></a> <a href="https://github.com/erik-agens"><img src="https://avatars.githubusercontent.com/u/80908960?v=4&s=48" width="48" height="48" alt="erik-agens" title="erik-agens"/></a> <a href="https://github.com/Evizero"><img src="https://avatars.githubusercontent.com/u/10854026?v=4&s=48" width="48" height="48" alt="Evizero" title="Evizero"/></a> <a href="https://github.com/fcatuhe"><img src="https://avatars.githubusercontent.com/u/17382215?v=4&s=48" width="48" height="48" alt="fcatuhe" title="fcatuhe"/></a> <a href="https://github.com/itsjaydesu"><img src="https://avatars.githubusercontent.com/u/220390?v=4&s=48" width="48" height="48" alt="itsjaydesu" title="itsjaydesu"/></a> <a href="https://github.com/ivancasco"><img src="https://avatars.githubusercontent.com/u/2452858?v=4&s=48" width="48" height="48" alt="ivancasco" title="ivancasco"/></a> <a href="https://github.com/ivanrvpereira"><img src="https://avatars.githubusercontent.com/u/183991?v=4&s=48" width="48" height="48" alt="ivanrvpereira" title="ivanrvpereira"/></a> <a href="https://github.com/jayhickey"><img src="https://avatars.githubusercontent.com/u/1676460?v=4&s=48" width="48" height="48" alt="jayhickey" title="jayhickey"/></a>
+  <a href="https://github.com/jeffersonwarrior"><img src="https://avatars.githubusercontent.com/u/89030989?v=4&s=48" width="48" height="48" alt="jeffersonwarrior" title="jeffersonwarrior"/></a> <a href="https://github.com/search?q=jeffersonwarrior"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="jeffersonwarrior" title="jeffersonwarrior"/></a> <a href="https://github.com/jverdi"><img src="https://avatars.githubusercontent.com/u/345050?v=4&s=48" width="48" height="48" alt="jverdi" title="jverdi"/></a> <a href="https://github.com/longmaba"><img src="https://avatars.githubusercontent.com/u/9361500?v=4&s=48" width="48" height="48" alt="longmaba" title="longmaba"/></a> <a href="https://github.com/mickahouan"><img src="https://avatars.githubusercontent.com/u/31423109?v=4&s=48" width="48" height="48" alt="mickahouan" title="mickahouan"/></a> <a href="https://github.com/mjrussell"><img src="https://avatars.githubusercontent.com/u/1641895?v=4&s=48" width="48" height="48" alt="mjrussell" title="mjrussell"/></a> <a href="https://github.com/odnxe"><img src="https://avatars.githubusercontent.com/u/403141?v=4&s=48" width="48" height="48" alt="odnxe" title="odnxe"/></a> <a href="https://github.com/p6l-richard"><img src="https://avatars.githubusercontent.com/u/18185649?v=4&s=48" width="48" height="48" alt="p6l-richard" title="p6l-richard"/></a> <a href="https://github.com/philipp-spiess"><img src="https://avatars.githubusercontent.com/u/458591?v=4&s=48" width="48" height="48" alt="philipp-spiess" title="philipp-spiess"/></a> <a href="https://github.com/robaxelsen"><img src="https://avatars.githubusercontent.com/u/13132899?v=4&s=48" width="48" height="48" alt="robaxelsen" title="robaxelsen"/></a>
+  <a href="https://github.com/search?q=Sash%20Catanzarite"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Sash Catanzarite" title="Sash Catanzarite"/></a> <a href="https://github.com/T5-AndyML"><img src="https://avatars.githubusercontent.com/u/22801233?v=4&s=48" width="48" height="48" alt="T5-AndyML" title="T5-AndyML"/></a> <a href="https://github.com/travisp"><img src="https://avatars.githubusercontent.com/u/165698?v=4&s=48" width="48" height="48" alt="travisp" title="travisp"/></a> <a href="https://github.com/search?q=VAC"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="VAC" title="VAC"/></a> <a href="https://github.com/search?q=william%20arzt"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="william arzt" title="william arzt"/></a> <a href="https://github.com/zknicker"><img src="https://avatars.githubusercontent.com/u/1164085?v=4&s=48" width="48" height="48" alt="zknicker" title="zknicker"/></a> <a href="https://github.com/abhaymundhara"><img src="https://avatars.githubusercontent.com/u/62872231?v=4&s=48" width="48" height="48" alt="abhaymundhara" title="abhaymundhara"/></a> <a href="https://github.com/search?q=alejandro%20maza"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="alejandro maza" title="alejandro maza"/></a> <a href="https://github.com/Alex-Alaniz"><img src="https://avatars.githubusercontent.com/u/88956822?v=4&s=48" width="48" height="48" alt="Alex-Alaniz" title="Alex-Alaniz"/></a> <a href="https://github.com/andrewting19"><img src="https://avatars.githubusercontent.com/u/10536704?v=4&s=48" width="48" height="48" alt="andrewting19" title="andrewting19"/></a>
+  <a href="https://github.com/anpoirier"><img src="https://avatars.githubusercontent.com/u/1245729?v=4&s=48" width="48" height="48" alt="anpoirier" title="anpoirier"/></a> <a href="https://github.com/arthyn"><img src="https://avatars.githubusercontent.com/u/5466421?v=4&s=48" width="48" height="48" alt="arthyn" title="arthyn"/></a> <a href="https://github.com/Asleep123"><img src="https://avatars.githubusercontent.com/u/122379135?v=4&s=48" width="48" height="48" alt="Asleep123" title="Asleep123"/></a> <a href="https://github.com/bolismauro"><img src="https://avatars.githubusercontent.com/u/771999?v=4&s=48" width="48" height="48" alt="bolismauro" title="bolismauro"/></a> <a href="https://github.com/conhecendoia"><img src="https://avatars.githubusercontent.com/u/82890727?v=4&s=48" width="48" height="48" alt="conhecendoia" title="conhecendoia"/></a> <a href="https://github.com/dasilva333"><img src="https://avatars.githubusercontent.com/u/947827?v=4&s=48" width="48" height="48" alt="dasilva333" title="dasilva333"/></a> <a href="https://github.com/search?q=Developer"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Developer" title="Developer"/></a> <a href="https://github.com/search?q=Dimitrios%20Ploutarchos"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Dimitrios Ploutarchos" title="Dimitrios Ploutarchos"/></a> <a href="https://github.com/search?q=Drake%20Thomsen"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Drake Thomsen" title="Drake Thomsen"/></a> <a href="https://github.com/fal3"><img src="https://avatars.githubusercontent.com/u/6484295?v=4&s=48" width="48" height="48" alt="fal3" title="fal3"/></a>
+  <a href="https://github.com/search?q=Felix%20Krause"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Felix Krause" title="Felix Krause"/></a> <a href="https://github.com/foeken"><img src="https://avatars.githubusercontent.com/u/13864?v=4&s=48" width="48" height="48" alt="foeken" title="foeken"/></a> <a href="https://github.com/search?q=ganghyun%20kim"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="ganghyun kim" title="ganghyun kim"/></a> <a href="https://github.com/grrowl"><img src="https://avatars.githubusercontent.com/u/907140?v=4&s=48" width="48" height="48" alt="grrowl" title="grrowl"/></a> <a href="https://github.com/gtsifrikas"><img src="https://avatars.githubusercontent.com/u/8904378?v=4&s=48" width="48" height="48" alt="gtsifrikas" title="gtsifrikas"/></a> <a href="https://github.com/HazAT"><img src="https://avatars.githubusercontent.com/u/363802?v=4&s=48" width="48" height="48" alt="HazAT" title="HazAT"/></a> <a href="https://github.com/hrdwdmrbl"><img src="https://avatars.githubusercontent.com/u/554881?v=4&s=48" width="48" height="48" alt="hrdwdmrbl" title="hrdwdmrbl"/></a> <a href="https://github.com/hugobarauna"><img src="https://avatars.githubusercontent.com/u/2719?v=4&s=48" width="48" height="48" alt="hugobarauna" title="hugobarauna"/></a> <a href="https://github.com/search?q=Jamie%20Openshaw"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Jamie Openshaw" title="Jamie Openshaw"/></a> <a href="https://github.com/search?q=Jarvis"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Jarvis" title="Jarvis"/></a>
+  <a href="https://github.com/search?q=Jefferson%20Nunn"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Jefferson Nunn" title="Jefferson Nunn"/></a> <a href="https://github.com/search?q=Kevin%20Lin"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Kevin Lin" title="Kevin Lin"/></a> <a href="https://github.com/kitze"><img src="https://avatars.githubusercontent.com/u/1160594?v=4&s=48" width="48" height="48" alt="kitze" title="kitze"/></a> <a href="https://github.com/levifig"><img src="https://avatars.githubusercontent.com/u/1605?v=4&s=48" width="48" height="48" alt="levifig" title="levifig"/></a> <a href="https://github.com/search?q=Lloyd"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Lloyd" title="Lloyd"/></a> <a href="https://github.com/loukotal"><img src="https://avatars.githubusercontent.com/u/18210858?v=4&s=48" width="48" height="48" alt="loukotal" title="loukotal"/></a> <a href="https://github.com/louzhixian"><img src="https://avatars.githubusercontent.com/u/7994361?v=4&s=48" width="48" height="48" alt="louzhixian" title="louzhixian"/></a> <a href="https://github.com/martinpucik"><img src="https://avatars.githubusercontent.com/u/5503097?v=4&s=48" width="48" height="48" alt="martinpucik" title="martinpucik"/></a> <a href="https://github.com/search?q=Matt%20mini"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Matt mini" title="Matt mini"/></a> <a href="https://github.com/mertcicekci0"><img src="https://avatars.githubusercontent.com/u/179321902?v=4&s=48" width="48" height="48" alt="mertcicekci0" title="mertcicekci0"/></a>
+  <a href="https://github.com/search?q=Miles"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Miles" title="Miles"/></a> <a href="https://github.com/mrdbstn"><img src="https://avatars.githubusercontent.com/u/58957632?v=4&s=48" width="48" height="48" alt="mrdbstn" title="mrdbstn"/></a> <a href="https://github.com/MSch"><img src="https://avatars.githubusercontent.com/u/7475?v=4&s=48" width="48" height="48" alt="MSch" title="MSch"/></a> <a href="https://github.com/search?q=Mustafa%20Tag%20Eldeen"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Mustafa Tag Eldeen" title="Mustafa Tag Eldeen"/></a> <a href="https://github.com/ndraiman"><img src="https://avatars.githubusercontent.com/u/12609607?v=4&s=48" width="48" height="48" alt="ndraiman" title="ndraiman"/></a> <a href="https://github.com/nexty5870"><img src="https://avatars.githubusercontent.com/u/3869659?v=4&s=48" width="48" height="48" alt="nexty5870" title="nexty5870"/></a> <a href="https://github.com/Noctivoro"><img src="https://avatars.githubusercontent.com/u/183974570?v=4&s=48" width="48" height="48" alt="Noctivoro" title="Noctivoro"/></a> <a href="https://github.com/prathamdby"><img src="https://avatars.githubusercontent.com/u/134331217?v=4&s=48" width="48" height="48" alt="prathamdby" title="prathamdby"/></a> <a href="https://github.com/ptn1411"><img src="https://avatars.githubusercontent.com/u/57529765?v=4&s=48" width="48" height="48" alt="ptn1411" title="ptn1411"/></a> <a href="https://github.com/reeltimeapps"><img src="https://avatars.githubusercontent.com/u/637338?v=4&s=48" width="48" height="48" alt="reeltimeapps" title="reeltimeapps"/></a>
+  <a href="https://github.com/RLTCmpe"><img src="https://avatars.githubusercontent.com/u/10762242?v=4&s=48" width="48" height="48" alt="RLTCmpe" title="RLTCmpe"/></a> <a href="https://github.com/search?q=Rolf%20Fredheim"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Rolf Fredheim" title="Rolf Fredheim"/></a> <a href="https://github.com/search?q=Rony%20Kelner"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Rony Kelner" title="Rony Kelner"/></a> <a href="https://github.com/search?q=Samrat%20Jha"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Samrat Jha" title="Samrat Jha"/></a> <a href="https://github.com/senoldogann"><img src="https://avatars.githubusercontent.com/u/45736551?v=4&s=48" width="48" height="48" alt="senoldogann" title="senoldogann"/></a> <a href="https://github.com/Seredeep"><img src="https://avatars.githubusercontent.com/u/22802816?v=4&s=48" width="48" height="48" alt="Seredeep" title="Seredeep"/></a> <a href="https://github.com/sergical"><img src="https://avatars.githubusercontent.com/u/3760543?v=4&s=48" width="48" height="48" alt="sergical" title="sergical"/></a> <a href="https://github.com/shiv19"><img src="https://avatars.githubusercontent.com/u/9407019?v=4&s=48" width="48" height="48" alt="shiv19" title="shiv19"/></a> <a href="https://github.com/shiyuanhai"><img src="https://avatars.githubusercontent.com/u/1187370?v=4&s=48" width="48" height="48" alt="shiyuanhai" title="shiyuanhai"/></a> <a href="https://github.com/siraht"><img src="https://avatars.githubusercontent.com/u/73152895?v=4&s=48" width="48" height="48" alt="siraht" title="siraht"/></a>
+  <a href="https://github.com/snopoke"><img src="https://avatars.githubusercontent.com/u/249606?v=4&s=48" width="48" height="48" alt="snopoke" title="snopoke"/></a> <a href="https://github.com/testingabc321"><img src="https://avatars.githubusercontent.com/u/8577388?v=4&s=48" width="48" height="48" alt="testingabc321" title="testingabc321"/></a> <a href="https://github.com/search?q=The%20Admiral"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="The Admiral" title="The Admiral"/></a> <a href="https://github.com/thesash"><img src="https://avatars.githubusercontent.com/u/1166151?v=4&s=48" width="48" height="48" alt="thesash" title="thesash"/></a> <a href="https://github.com/search?q=Ubuntu"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Ubuntu" title="Ubuntu"/></a> <a href="https://github.com/voidserf"><img src="https://avatars.githubusercontent.com/u/477673?v=4&s=48" width="48" height="48" alt="voidserf" title="voidserf"/></a> <a href="https://github.com/search?q=Vultr-Clawd%20Admin"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Vultr-Clawd Admin" title="Vultr-Clawd Admin"/></a> <a href="https://github.com/search?q=Wimmie"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Wimmie" title="Wimmie"/></a> <a href="https://github.com/wstock"><img src="https://avatars.githubusercontent.com/u/1394687?v=4&s=48" width="48" height="48" alt="wstock" title="wstock"/></a> <a href="https://github.com/yazinsai"><img src="https://avatars.githubusercontent.com/u/1846034?v=4&s=48" width="48" height="48" alt="yazinsai" title="yazinsai"/></a>
+  <a href="https://github.com/search?q=ymat19"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="ymat19" title="ymat19"/></a> <a href="https://github.com/search?q=Zach%20Knickerbocker"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Zach Knickerbocker" title="Zach Knickerbocker"/></a> <a href="https://github.com/0xJonHoldsCrypto"><img src="https://avatars.githubusercontent.com/u/81202085?v=4&s=48" width="48" height="48" alt="0xJonHoldsCrypto" title="0xJonHoldsCrypto"/></a> <a href="https://github.com/aaronn"><img src="https://avatars.githubusercontent.com/u/1653630?v=4&s=48" width="48" height="48" alt="aaronn" title="aaronn"/></a> <a href="https://github.com/Alphonse-arianee"><img src="https://avatars.githubusercontent.com/u/254457365?v=4&s=48" width="48" height="48" alt="Alphonse-arianee" title="Alphonse-arianee"/></a> <a href="https://github.com/atalovesyou"><img src="https://avatars.githubusercontent.com/u/3534502?v=4&s=48" width="48" height="48" alt="atalovesyou" title="atalovesyou"/></a> <a href="https://github.com/search?q=Azade"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Azade" title="Azade"/></a> <a href="https://github.com/carlulsoe"><img src="https://avatars.githubusercontent.com/u/34673973?v=4&s=48" width="48" height="48" alt="carlulsoe" title="carlulsoe"/></a> <a href="https://github.com/search?q=ddyo"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="ddyo" title="ddyo"/></a> <a href="https://github.com/search?q=Erik"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Erik" title="Erik"/></a>
+  <a href="https://github.com/hougangdev"><img src="https://avatars.githubusercontent.com/u/105773686?v=4&s=48" width="48" height="48" alt="hougangdev" title="hougangdev"/></a> <a href="https://github.com/latitudeki5223"><img src="https://avatars.githubusercontent.com/u/119656367?v=4&s=48" width="48" height="48" alt="latitudeki5223" title="latitudeki5223"/></a> <a href="https://github.com/search?q=Manuel%20Maly"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Manuel Maly" title="Manuel Maly"/></a> <a href="https://github.com/search?q=Mourad%20Boustani"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Mourad Boustani" title="Mourad Boustani"/></a> <a href="https://github.com/odrobnik"><img src="https://avatars.githubusercontent.com/u/333270?v=4&s=48" width="48" height="48" alt="odrobnik" title="odrobnik"/></a> <a href="https://github.com/pcty-nextgen-ios-builder"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="pcty-nextgen-ios-builder" title="pcty-nextgen-ios-builder"/></a> <a href="https://github.com/search?q=Quentin"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Quentin" title="Quentin"/></a> <a href="https://github.com/search?q=Randy%20Torres"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="Randy Torres" title="Randy Torres"/></a> <a href="https://github.com/rhjoh"><img src="https://avatars.githubusercontent.com/u/105699450?v=4&s=48" width="48" height="48" alt="rhjoh" title="rhjoh"/></a> <a href="https://github.com/ronak-guliani"><img src="https://avatars.githubusercontent.com/u/23518228?v=4&s=48" width="48" height="48" alt="ronak-guliani" title="ronak-guliani"/></a>
+  <a href="https://github.com/search?q=William%20Stock"><img src="assets/avatar-placeholder.svg" width="48" height="48" alt="William Stock" title="William Stock"/></a>
 </p>
--- a/SECURITY.md
+++ b/SECURITY.md
@ -1,6 +1,6 @@
 # Security Policy

-If you believe you’ve found a security issue in Clawdbot, please report it privately.
+If you believe you've found a security issue in Clawdbot, please report it privately.

 ## Reporting

@ -12,3 +12,46 @@ If you believe you’ve found a security issue in Clawdbot, please report it pri
 For threat model + hardening guidance (including `clawdbot security audit --deep` and `--fix`), see:

 - `https://docs.clawd.bot/gateway/security`
+
+## Runtime Requirements
+
+### Node.js Version
+
+Clawdbot requires **Node.js 22.12.0 or later** (LTS). This version includes important security patches:
+
+- CVE-2025-59466: async_hooks DoS vulnerability
+- CVE-2026-21636: Permission model bypass vulnerability
+
+Verify your Node.js version:
+
+```bash
+node --version  # Should be v22.12.0 or later
+```
+
+### Docker Security
+
+When running Clawdbot in Docker:
+
+1. The official image runs as a non-root user (`node`) for reduced attack surface
+2. Use `--read-only` flag when possible for additional filesystem protection
+3. Limit container capabilities with `--cap-drop=ALL`
+
+Example secure Docker run:
+
+```bash
+docker run --read-only --cap-drop=ALL \
+  -v clawdbot-data:/app/data \
+  clawdbot/clawdbot:latest
+```
+
+## Security Scanning
+
+This project uses `detect-secrets` for automated secret detection in CI/CD.
+See `.detect-secrets.cfg` for configuration and `.secrets.baseline` for the baseline.
+
+Run locally:
+
+```bash
+pip install detect-secrets==1.5.0
+detect-secrets scan --baseline .secrets.baseline
+```
--- a/docs/automation/webhook.md
+++ b/docs/automation/webhook.md
@ -27,10 +27,10 @@ Notes:

 ## Auth

-Every request must include the hook token:
- `Authorization: Bearer <token>`
- or `x-clawdbot-token: <token>`
- or `?token=<token>`
+Every request must include the hook token. Prefer headers:
+- `Authorization: Bearer <token>` (recommended)
+- `x-clawdbot-token: <token>`
+- `?token=<token>` (deprecated; logs a warning and will be removed in a future major release)

 ## Endpoints

--- a/docs/channels/index.md
+++ b/docs/channels/index.md
@ -21,6 +21,7 @@ Text is supported everywhere; media and reactions vary by channel.
 - [BlueBubbles](/channels/bluebubbles) — **Recommended for iMessage**; uses the BlueBubbles macOS server REST API with full feature support (edit, unsend, effects, reactions, group management — edit currently broken on macOS 26 Tahoe).
 - [iMessage](/channels/imessage) — macOS only; native integration via imsg (legacy, consider BlueBubbles for new setups).
 - [Microsoft Teams](/channels/msteams) — Bot Framework; enterprise support (plugin, installed separately).
+- [LINE](/channels/line) — LINE Messaging API bot (plugin, installed separately).
 - [Nextcloud Talk](/channels/nextcloud-talk) — Self-hosted chat via Nextcloud Talk (plugin, installed separately).
 - [Matrix](/channels/matrix) — Matrix protocol (plugin, installed separately).
 - [Nostr](/channels/nostr) — Decentralized DMs via NIP-04 (plugin, installed separately).
--- a/docs/channels/line.md
+++ b/docs/channels/line.md
@ -0,0 +1,183 @@
+---
+summary: "LINE Messaging API plugin setup, config, and usage"
+read_when:
+  - You want to connect Clawdbot to LINE
+  - You need LINE webhook + credential setup
+  - You want LINE-specific message options
+---
+
+# LINE (plugin)
+
+LINE connects to Clawdbot via the LINE Messaging API. The plugin runs as a webhook
+receiver on the gateway and uses your channel access token + channel secret for
+authentication.
+
+Status: supported via plugin. Direct messages, group chats, media, locations, Flex
+messages, template messages, and quick replies are supported. Reactions and threads
+are not supported.
+
+## Plugin required
+
+Install the LINE plugin:
+
+```bash
+clawdbot plugins install @clawdbot/line
+```
+
+Local checkout (when running from a git repo):
+
+```bash
+clawdbot plugins install ./extensions/line
+```
+
+## Setup
+
+1) Create a LINE Developers account and open the Console:
+   https://developers.line.biz/console/
+2) Create (or pick) a Provider and add a **Messaging API** channel.
+3) Copy the **Channel access token** and **Channel secret** from the channel settings.
+4) Enable **Use webhook** in the Messaging API settings.
+5) Set the webhook URL to your gateway endpoint (HTTPS required):
+
+```
+https://gateway-host/line/webhook
+```
+
+The gateway responds to LINE’s webhook verification (GET) and inbound events (POST).
+If you need a custom path, set `channels.line.webhookPath` or
+`channels.line.accounts.<id>.webhookPath` and update the URL accordingly.
+
+## Configure
+
+Minimal config:
+
+```json5
+{
+  channels: {
+    line: {
+      enabled: true,
+      channelAccessToken: "LINE_CHANNEL_ACCESS_TOKEN",
+      channelSecret: "LINE_CHANNEL_SECRET",
+      dmPolicy: "pairing"
+    }
+  }
+}
+```
+
+Env vars (default account only):
+
+- `LINE_CHANNEL_ACCESS_TOKEN`
+- `LINE_CHANNEL_SECRET`
+
+Token/secret files:
+
+```json5
+{
+  channels: {
+    line: {
+      tokenFile: "/path/to/line-token.txt",
+      secretFile: "/path/to/line-secret.txt"
+    }
+  }
+}
+```
+
+Multiple accounts:
+
+```json5
+{
+  channels: {
+    line: {
+      accounts: {
+        marketing: {
+          channelAccessToken: "...",
+          channelSecret: "...",
+          webhookPath: "/line/marketing"
+        }
+      }
+    }
+  }
+}
+```
+
+## Access control
+
+Direct messages default to pairing. Unknown senders get a pairing code and their
+messages are ignored until approved.
+
+```bash
+clawdbot pairing list line
+clawdbot pairing approve line <CODE>
+```
+
+Allowlists and policies:
+
+- `channels.line.dmPolicy`: `pairing | allowlist | open | disabled`
+- `channels.line.allowFrom`: allowlisted LINE user IDs for DMs
+- `channels.line.groupPolicy`: `allowlist | open | disabled`
+- `channels.line.groupAllowFrom`: allowlisted LINE user IDs for groups
+- Per-group overrides: `channels.line.groups.<groupId>.allowFrom`
+
+LINE IDs are case-sensitive. Valid IDs look like:
+
+- User: `U` + 32 hex chars
+- Group: `C` + 32 hex chars
+- Room: `R` + 32 hex chars
+
+## Message behavior
+
+- Text is chunked at 5000 characters.
+- Markdown formatting is stripped; code blocks and tables are converted into Flex
+  cards when possible.
+- Streaming responses are buffered; LINE receives full chunks with a loading
+  animation while the agent works.
+- Media downloads are capped by `channels.line.mediaMaxMb` (default 10).
+
+## Channel data (rich messages)
+
+Use `channelData.line` to send quick replies, locations, Flex cards, or template
+messages.
+
+```json5
+{
+  text: "Here you go",
+  channelData: {
+    line: {
+      quickReplies: ["Status", "Help"],
+      location: {
+        title: "Office",
+        address: "123 Main St",
+        latitude: 35.681236,
+        longitude: 139.767125
+      },
+      flexMessage: {
+        altText: "Status card",
+        contents: { /* Flex payload */ }
+      },
+      templateMessage: {
+        type: "confirm",
+        text: "Proceed?",
+        confirmLabel: "Yes",
+        confirmData: "yes",
+        cancelLabel: "No",
+        cancelData: "no"
+      }
+    }
+  }
+}
+```
+
+The LINE plugin also ships a `/card` command for Flex message presets:
+
+```
+/card info "Welcome" "Thanks for joining!"
+```
+
+## Troubleshooting
+
+- **Webhook verification fails:** ensure the webhook URL is HTTPS and the
+  `channelSecret` matches the LINE console.
+- **No inbound events:** confirm the webhook path matches `channels.line.webhookPath`
+  and that the gateway is reachable from LINE.
+- **Media download errors:** raise `channels.line.mediaMaxMb` if media exceeds the
+  default limit.
--- a/docs/cli/index.md
+++ b/docs/cli/index.md
@ -297,7 +297,7 @@ Options:
 - `--non-interactive`
 - `--mode <local|remote>`
 - `--flow <quickstart|advanced|manual>` (manual is an alias for advanced)
- `--auth-choice <setup-token|claude-cli|token|openai-codex|openai-api-key|openrouter-api-key|ai-gateway-api-key|moonshot-api-key|kimi-code-api-key|nanogpt-api-key|codex-cli|gemini-api-key|zai-api-key|apiKey|minimax-api|opencode-zen|skip>`
+- `--auth-choice <setup-token|token|chutes|openai-codex|openai-api-key|openrouter-api-key|ai-gateway-api-key|moonshot-api-key|kimi-code-api-key|nanogpt-api-key|synthetic-api-key|venice-api-key|gemini-api-key|zai-api-key|apiKey|minimax-api|minimax-api-lightning|opencode-zen|skip>`
 - `--token-provider <id>` (non-interactive; used with `--auth-choice token`)
 - `--token <token>` (non-interactive; used with `--auth-choice token`)
 - `--token-profile-id <id>` (non-interactive; default: `<provider>:manual`)
@ -315,7 +315,7 @@ Options:
 - `--opencode-zen-api-key <key>`
 - `--gateway-port <port>`
 - `--gateway-bind <loopback|lan|tailnet|auto|custom>`
- `--gateway-auth <off|token|password>`
+- `--gateway-auth <token|password>`
 - `--gateway-token <token>`
 - `--gateway-password <password>`
 - `--remote-url <url>`
@ -359,7 +359,7 @@ Options:
 Manage chat channel accounts (WhatsApp/Telegram/Discord/Google Chat/Slack/Mattermost (plugin)/Signal/iMessage/MS Teams).

 Subcommands:
- `channels list`: show configured channels and auth profiles (Claude Code + Codex CLI OAuth sync included).
+- `channels list`: show configured channels and auth profiles.
 - `channels status`: check gateway reachability and channel health (`--probe` runs extra checks; use `clawdbot health` or `clawdbot status --deep` for gateway health probes).
 - Tip: `channels status` prints warnings with suggested fixes when it can detect common misconfigurations (then points you to `clawdbot doctor`).
 - `channels logs`: show recent channel logs from the gateway log file.
@ -391,12 +391,6 @@ Common options:
 - `--lines <n>` (default `200`)
 - `--json`

-OAuth sync sources:
- Claude Code → `anthropic:claude-cli`
-  - macOS: Keychain item "Claude Code-credentials" (choose "Always Allow" to avoid launchd prompts)
-  - Linux/Windows: `~/.claude/.credentials.json`
- `~/.codex/auth.json` → `openai-codex:codex-cli`
-
 More detail: [/concepts/oauth](/concepts/oauth)

 Examples:
@ -677,10 +671,11 @@ Tip: when calling `config.set`/`config.apply`/`config.patch` directly, pass `bas

 See [/concepts/models](/concepts/models) for fallback behavior and scanning strategy.

-Preferred Anthropic auth (CLI token, not API key):
+Preferred Anthropic auth (setup-token):

 ```bash
 claude setup-token
+clawdbot models auth setup-token --provider anthropic
 clawdbot models status
 ```

--- a/docs/cli/models.md
+++ b/docs/cli/models.md
@ -64,5 +64,5 @@ clawdbot models auth paste-token
 `clawdbot plugins list` to see which providers are installed.

 Notes:
- `setup-token` runs `claude setup-token` on the current machine (requires the Claude Code CLI).
- `paste-token` accepts a token string generated elsewhere.
+- `setup-token` prompts for a setup-token value (generate it with `claude setup-token` on any machine).
+- `paste-token` accepts a token string generated elsewhere or from automation.
--- a/docs/concepts/model-providers.md
+++ b/docs/concepts/model-providers.md
@ -49,9 +49,9 @@ Clawdbot ships with the pi‑ai catalog. These providers require **no**
 ### OpenAI Code (Codex)

 - Provider: `openai-codex`
- Auth: OAuth or Codex CLI (`~/.codex/auth.json`)
+- Auth: OAuth (ChatGPT)
 - Example model: `openai-codex/gpt-5.2`
- CLI: `clawdbot onboard --auth-choice openai-codex` or `codex-cli`
+- CLI: `clawdbot onboard --auth-choice openai-codex` or `clawdbot models auth login --provider openai-codex`

 ```json5
 {
--- a/docs/concepts/oauth.md
+++ b/docs/concepts/oauth.md
@ -1,18 +1,17 @@
 ---
-summary: "OAuth in Clawdbot: token exchange, storage, CLI sync, and multi-account patterns"
+summary: "OAuth in Clawdbot: token exchange, storage, and multi-account patterns"
 read_when:
  - You want to understand Clawdbot OAuth end-to-end
  - You hit token invalidation / logout issues
-  - You want to reuse Claude Code / Codex CLI OAuth tokens
+  - You want setup-token or OAuth auth flows
  - You want multiple accounts or profile routing
 ---
 # OAuth

-Clawdbot supports “subscription auth” via OAuth for providers that offer it (notably **Anthropic (Claude Pro/Max)** and **OpenAI Codex (ChatGPT OAuth)**). This page explains:
+Clawdbot supports “subscription auth” via OAuth for providers that offer it (notably **OpenAI Codex (ChatGPT OAuth)**). For Anthropic subscriptions, use the **setup-token** flow. This page explains:

 - how the OAuth **token exchange** works (PKCE)
 - where tokens are **stored** (and why)
- how we **reuse external CLI tokens** (Claude Code / Codex CLI)
 - how to handle **multiple accounts** (profiles + per-session overrides)

 Clawdbot also supports **provider plugins** that ship their own OAuth or API‑key
@ -31,7 +30,6 @@ Practical symptom:

 To reduce that, Clawdbot treats `auth-profiles.json` as a **token sink**:
 - the runtime reads credentials from **one place**
- we can **sync in** credentials from external CLIs instead of doing a second login
 - we can keep multiple profiles and route them deterministically

 ## Storage (where tokens live)
@ -46,47 +44,39 @@ Legacy import-only file (still supported, but not the main store):

 All of the above also respect `$CLAWDBOT_STATE_DIR` (state dir override). Full reference: [/gateway/configuration](/gateway/configuration#auth-storage-oauth--api-keys)

-## Reusing Claude Code / Codex CLI OAuth tokens (recommended)
+## Anthropic setup-token (subscription auth)

-If you already signed in with the external CLIs *on the gateway host*, Clawdbot can reuse those tokens without starting a separate OAuth flow:
+Run `claude setup-token` on any machine, then paste it into Clawdbot:

- Claude Code: `anthropic:claude-cli`
-  - macOS: Keychain item "Claude Code-credentials" (choose "Always Allow" to avoid launchd prompts)
-  - Linux/Windows: `~/.claude/.credentials.json`
- Codex CLI: reads `~/.codex/auth.json` → profile `openai-codex:codex-cli`
+```bash
+clawdbot models auth setup-token --provider anthropic
+```

-Sync happens when Clawdbot loads the auth store (so it stays up-to-date when the CLIs refresh tokens).
-On macOS, the first read may trigger a Keychain prompt; run `clawdbot models status`
-in a terminal once if the Gateway runs headless and can’t access the entry.
+If you generated the token elsewhere, paste it manually:

-How to verify:
+```bash
+clawdbot models auth paste-token --provider anthropic
+```
+
+Verify:

 ```bash
 clawdbot models status
-clawdbot channels list
-```
-
-Or JSON:
-
-```bash
-clawdbot channels list --json
 ```

 ## OAuth exchange (how login works)

 Clawdbot’s interactive login flows are implemented in `@mariozechner/pi-ai` and wired into the wizards/commands.

-### Anthropic (Claude Pro/Max)
+### Anthropic (Claude Pro/Max) setup-token

-Flow shape (PKCE):
+Flow shape:

-1) generate PKCE verifier/challenge
-2) open `https://claude.ai/oauth/authorize?...`
-3) user pastes `code#state`
-4) exchange at `https://console.anthropic.com/v1/oauth/token`
-5) store `{ access, refresh, expires }` under an auth profile
+1) run `claude setup-token`
+2) paste the token into Clawdbot
+3) store as a token auth profile (no refresh)

-The wizard path is `clawdbot onboard` → auth choice `oauth` (Anthropic).
+The wizard path is `clawdbot onboard` → auth choice `setup-token` (Anthropic).

 ### OpenAI Codex (ChatGPT OAuth)

@ -99,7 +89,7 @@ Flow shape (PKCE):
 5) exchange at `https://auth.openai.com/oauth/token`
 6) extract `accountId` from the access token and store `{ access, refresh, expires, accountId }`

-Wizard path is `clawdbot onboard` → auth choice `openai-codex` (or `codex-cli` to reuse an existing Codex CLI login).
+Wizard path is `clawdbot onboard` → auth choice `openai-codex`.

 ## Refresh + expiry

@ -111,23 +101,6 @@ At runtime:

 The refresh flow is automatic; you generally don't need to manage tokens manually.

-### Bidirectional sync with Claude Code
-
-When Clawdbot refreshes an Anthropic OAuth token (profile `anthropic:claude-cli`), it **writes the new credentials back** to Claude Code's storage:
-
- **Linux/Windows**: updates `~/.claude/.credentials.json`
- **macOS**: updates Keychain item "Claude Code-credentials"
-
-This ensures both tools stay in sync and neither gets "logged out" after the other refreshes.
-
-**Why this matters for long-running agents:**
-
-Anthropic OAuth tokens expire after a few hours. Without bidirectional sync:
-1. Clawdbot refreshes the token → gets new access token
-2. Claude Code still has the old token → gets logged out
-
-With bidirectional sync, both tools always have the latest valid token, enabling autonomous operation for days or weeks without manual intervention.
-
 ## Multiple accounts (profiles) + routing

 Two patterns:
--- a/docs/docs.json
+++ b/docs/docs.json
@ -117,6 +117,14 @@
      "source": "/mattermost/",
      "destination": "/channels/mattermost"
    },
+    {
+      "source": "/line",
+      "destination": "/channels/line"
+    },
+    {
+      "source": "/line/",
+      "destination": "/channels/line"
+    },
    {
      "source": "/glm",
      "destination": "/providers/glm"
@ -197,6 +205,14 @@
      "source": "/providers/msteams/",
      "destination": "/channels/msteams"
    },
+    {
+      "source": "/providers/line",
+      "destination": "/channels/line"
+    },
+    {
+      "source": "/providers/line/",
+      "destination": "/channels/line"
+    },
    {
      "source": "/providers/signal",
      "destination": "/channels/signal"
@ -974,6 +990,7 @@
          "channels/signal",
          "channels/imessage",
          "channels/msteams",
+          "channels/line",
          "channels/matrix",
          "channels/zalo",
          "channels/zalouser",
--- a/docs/gateway/authentication.md
+++ b/docs/gateway/authentication.md
@ -1,5 +1,5 @@
 ---
-summary: "Model authentication: OAuth, API keys, and Claude Code token reuse"
+summary: "Model authentication: OAuth, API keys, and setup-token"
 read_when:
  - Debugging model auth or OAuth expiry
  - Documenting authentication or credential storage
@ -7,8 +7,8 @@ read_when:
 # Authentication

 Clawdbot supports OAuth and API keys for model providers. For Anthropic
-accounts, we recommend using an **API key**. Clawdbot can also reuse Claude Code
-credentials, including the long‑lived token created by `claude setup-token`.
+accounts, we recommend using an **API key**. For Claude subscription access,
+use the long‑lived token created by `claude setup-token`.

 See [/concepts/oauth](/concepts/oauth) for the full OAuth flow and storage
 layout.
@ -47,29 +47,26 @@ API keys for daemon use: `clawdbot onboard`.
 See [Help](/help) for details on env inheritance (`env.shellEnv`,
 `~/.clawdbot/.env`, systemd/launchd).

-## Anthropic: Claude Code CLI setup-token (supported)
+## Anthropic: setup-token (subscription auth)

-For Anthropic, the recommended path is an **API key**. If you’re already using
-Claude Code CLI, the setup-token flow is also supported.
-Run it on the **gateway host**:
+For Anthropic, the recommended path is an **API key**. If you’re using a Claude
+subscription, the setup-token flow is also supported. Run it on the **gateway host**:

 ```bash
 claude setup-token
 ```

-Then verify and sync into Clawdbot:
+Then paste it into Clawdbot:

 ```bash
-clawdbot models status
-clawdbot doctor
+clawdbot models auth setup-token --provider anthropic
 ```

-This should create (or refresh) an auth profile like `anthropic:claude-cli` in
-the agent auth store.
+If the token was created on another machine, paste it manually:

-Clawdbot config sets `auth.profiles["anthropic:claude-cli"].mode` to `"oauth"` so
-the profile accepts both OAuth and setup-token credentials. Older configs that
-used `"token"` are auto-migrated on load.
+```bash
+clawdbot models auth paste-token --provider anthropic
+```

 If you see an Anthropic error like:

@ -79,12 +76,6 @@ This credential is only authorized for use with Claude Code and cannot be used f

 …use an Anthropic API key instead.

-Alternative: run the wrapper (also updates Clawdbot config):
-
-```bash
-clawdbot models auth setup-token --provider anthropic
-```
-
 Manual token entry (any provider; writes `auth-profiles.json` + updates config):

 ```bash
@ -101,10 +92,6 @@ clawdbot models status --check
 Optional ops scripts (systemd/Termux) are documented here:
 [/automation/auth-monitoring](/automation/auth-monitoring)

-`clawdbot models status` loads Claude Code credentials into Clawdbot’s
-`auth-profiles.json` and shows expiry (warns within 24h by default).
-`clawdbot doctor` also performs the sync when it runs.
-
 > `claude setup-token` requires an interactive TTY.

 ## Checking model auth status
@ -118,7 +105,7 @@ clawdbot doctor

 ### Per-session (chat command)

-Use `/model <alias-or-id>@<profileId>` to pin a specific provider credential for the current session (example profile ids: `anthropic:claude-cli`, `anthropic:default`).
+Use `/model <alias-or-id>@<profileId>` to pin a specific provider credential for the current session (example profile ids: `anthropic:default`, `anthropic:work`).

 Use `/model` (or `/model list`) for a compact picker; use `/model status` for the full view (candidates + next auth profile, plus provider endpoint details when configured).

@ -128,23 +115,12 @@ Set an explicit auth profile order override for an agent (stored in that agent

 ```bash
 clawdbot models auth order get --provider anthropic
-clawdbot models auth order set --provider anthropic anthropic:claude-cli
+clawdbot models auth order set --provider anthropic anthropic:default
 clawdbot models auth order clear --provider anthropic
 ```

 Use `--agent <id>` to target a specific agent; omit it to use the configured default agent.

-## How sync works
-
-1. **Claude Code** stores credentials in `~/.claude/.credentials.json` (or
-   Keychain on macOS).
-2. **Clawdbot** syncs those into
-   `~/.clawdbot/agents/<agentId>/agent/auth-profiles.json` when the auth store is
-   loaded.
-3. Refreshable OAuth profiles can be refreshed automatically on use. Static
-   token profiles (including Claude Code CLI setup-token) are not refreshable by
-   Clawdbot.
-
 ## Troubleshooting

 ### “No credentials found”
@ -159,7 +135,7 @@ clawdbot models status
 ### Token expiring/expired

 Run `clawdbot models status` to confirm which profile is expiring. If the profile
-is `anthropic:claude-cli`, rerun `claude setup-token`.
+is missing, rerun `claude setup-token` and paste the token again.

 ## Requirements

--- a/docs/gateway/configuration.md
+++ b/docs/gateway/configuration.md
@ -374,12 +374,6 @@ Overrides:

 On first use, Clawdbot imports `oauth.json` entries into `auth-profiles.json`.

-Clawdbot also auto-syncs OAuth tokens from external CLIs into `auth-profiles.json` (when present on the gateway host):
- Claude Code → `anthropic:claude-cli`
-  - macOS: Keychain item "Claude Code-credentials" (choose "Always Allow" to avoid launchd prompts)
-  - Linux/Windows: `~/.claude/.credentials.json`
- `~/.codex/auth.json` (Codex CLI) → `openai-codex:codex-cli`
-
 ### `auth`

 Optional metadata for auth profiles. This does **not** store secrets; it maps
@ -400,10 +394,6 @@ rotation order used for failover.
 }
 ```

-Note: `anthropic:claude-cli` should use `mode: "oauth"` even when the stored
-credential is a setup-token. Clawdbot auto-migrates older configs that used
-`mode: "token"`.
-
 ### `agents.list[].identity`

 Optional per-agent identity used for defaults and UX. This is written by the macOS onboarding assistant.
@ -2847,9 +2837,11 @@ Control UI base path:
 - `gateway.controlUi.basePath` sets the URL prefix where the Control UI is served.
 - Examples: `"/ui"`, `"/clawdbot"`, `"/apps/clawdbot"`.
 - Default: root (`/`) (unchanged).
- `gateway.controlUi.allowInsecureAuth` allows token-only auth for the Control UI and skips
-  device identity + pairing (even on HTTPS). Default: `false`. Prefer HTTPS
+- `gateway.controlUi.allowInsecureAuth` allows token-only auth for the Control UI when
+  device identity is omitted (typically over HTTP). Default: `false`. Prefer HTTPS
  (Tailscale Serve) or `127.0.0.1`.
+- `gateway.controlUi.dangerouslyDisableDeviceAuth` disables device identity checks for the
+  Control UI (token/password only). Default: `false`. Break-glass only.

 Related docs:
 - [Control UI](/web/control-ui)
--- a/docs/gateway/protocol.md
+++ b/docs/gateway/protocol.md
@ -198,7 +198,8 @@ The Gateway treats these as **claims** and enforces server-side allowlists.
 - **Local** connects include loopback and the gateway host’s own tailnet address
  (so same‑host tailnet binds can still auto‑approve).
 - All WS clients must include `device` identity during `connect` (operator + node).
-  Control UI can omit it **only** when `gateway.controlUi.allowInsecureAuth` is enabled.
+  Control UI can omit it **only** when `gateway.controlUi.allowInsecureAuth` is enabled
+  (or `gateway.controlUi.dangerouslyDisableDeviceAuth` for break-glass use).
 - Non-local connections must sign the server-provided `connect.challenge` nonce.

 ## TLS + pinning
--- a/docs/gateway/security.md
+++ b/docs/gateway/security.md
@ -58,9 +58,13 @@ When the audit prints findings, treat this as a priority order:

 The Control UI needs a **secure context** (HTTPS or localhost) to generate device
 identity. If you enable `gateway.controlUi.allowInsecureAuth`, the UI falls back
-to **token-only auth** and skips device pairing (even on HTTPS). This is a security
+to **token-only auth** and skips device pairing when device identity is omitted. This is a security
 downgrade—prefer HTTPS (Tailscale Serve) or open the UI on `127.0.0.1`.

+For break-glass scenarios only, `gateway.controlUi.dangerouslyDisableDeviceAuth`
+disables device identity checks entirely. This is a severe security downgrade;
+keep it off unless you are actively debugging and can revert quickly.
+
 `clawdbot security audit` warns when this setting is enabled.

 ## Reverse Proxy Configuration
@ -193,10 +197,17 @@ Prompt injection is when an attacker crafts a message that manipulates the model
 Even with strong system prompts, **prompt injection is not solved**. What helps in practice:
 - Keep inbound DMs locked down (pairing/allowlists).
 - Prefer mention gating in groups; avoid “always-on” bots in public rooms.
- Treat links and pasted instructions as hostile by default.
+- Treat links, attachments, and pasted instructions as hostile by default.
 - Run sensitive tool execution in a sandbox; keep secrets out of the agent’s reachable filesystem.
+- Limit high-risk tools (`exec`, `browser`, `web_fetch`, `web_search`) to trusted agents or explicit allowlists.
 - **Model choice matters:** older/legacy models can be less robust against prompt injection and tool misuse. Prefer modern, instruction-hardened models for any bot with tools. We recommend Anthropic Opus 4.5 because it’s quite good at recognizing prompt injections (see [“A step forward on safety”](https://www.anthropic.com/news/claude-opus-4-5)).

+Red flags to treat as untrusted:
+- “Read this file/URL and do exactly what it says.”
+- “Ignore your system prompt or safety rules.”
+- “Reveal your hidden instructions or tool outputs.”
+- “Paste the full contents of ~/.clawdbot or your logs.”
+
 ### Prompt injection does not require public DMs

 Even if **only you** can message the bot, prompt injection can still happen via
@ -210,6 +221,7 @@ tool calls. Reduce the blast radius by:
  then pass the summary to your main agent.
 - Keeping `web_search` / `web_fetch` / `browser` off for tool-enabled agents unless needed.
 - Enabling sandboxing and strict tool allowlists for any agent that touches untrusted input.
+- Keeping secrets out of prompts; pass them via env/config on the gateway host instead.

 ### Model strength (security note)

@ -226,8 +238,12 @@ Recommendations:

 `/reasoning` and `/verbose` can expose internal reasoning or tool output that
 was not meant for a public channel. In group settings, treat them as **debug
-only** and keep them off unless you explicitly need them. If you enable them,
-do so only in trusted DMs or tightly controlled rooms.
+only** and keep them off unless you explicitly need them.
+
+Guidance:
+- Keep `/reasoning` and `/verbose` disabled in public rooms.
+- If you enable them, do so only in trusted DMs or tightly controlled rooms.
+- Remember: verbose output can include tool args, URLs, and data the model saw.

 ## Incident Response (if you suspect compromise)

@ -544,6 +560,7 @@ access those accounts and data. Treat browser profiles as **sensitive state**:
 - For remote gateways, assume “browser control” is equivalent to “operator access” to whatever that profile can reach.
 - Treat `browser.controlUrl` endpoints as an admin API: tailnet-only + token auth. Prefer Tailscale Serve over LAN binds.
 - Keep `browser.controlToken` separate from `gateway.auth.token` (you can reuse it, but that increases blast radius).
+- Prefer env vars for the token (`CLAWDBOT_BROWSER_CONTROL_TOKEN`) instead of storing it in config on disk.
 - Chrome extension relay mode is **not** “safer”; it can take over your existing Chrome tabs. Assume it can act as you in whatever that tab/profile can reach.

 ## Per-agent access profiles (multi-agent)
--- a/docs/gateway/troubleshooting.md
+++ b/docs/gateway/troubleshooting.md
@ -53,13 +53,12 @@ clawdbot models status

 This means the stored Anthropic OAuth token expired and the refresh failed.
 If you’re on a Claude subscription (no API key), the most reliable fix is to
-switch to a **Claude Code setup-token** or re-sync Claude Code CLI OAuth on the
-**gateway host**.
+switch to a **Claude Code setup-token** and paste it on the **gateway host**.

 **Recommended (setup-token):**

 ```bash
-# Run on the gateway host (runs Claude Code CLI)
+# Run on the gateway host (paste the setup-token)
 clawdbot models auth setup-token --provider anthropic
 clawdbot models status
 ```
@ -71,10 +70,6 @@ clawdbot models auth paste-token --provider anthropic
 clawdbot models status
 ```

-**If you want to keep OAuth reuse:**
-log in with Claude Code CLI on the gateway host, then run `clawdbot models status`
-to sync the refreshed token into Clawdbot’s auth store.
-
 More detail: [Anthropic](/providers/anthropic) and [OAuth](/concepts/oauth).

 ### Control UI fails on HTTP ("device identity required" / "connect failed")
@ -214,7 +209,7 @@ the Gateway likely refused to bind.
 - Fix: run `clawdbot doctor` to update it (or `clawdbot gateway install --force` for a full rewrite).

 **If `Last gateway error:` mentions “refusing to bind … without auth”**
- You set `gateway.bind` to a non-loopback mode (`lan`/`tailnet`/`custom`, or `auto` when loopback is unavailable) but left auth off.
+- You set `gateway.bind` to a non-loopback mode (`lan`/`tailnet`/`custom`, or `auto` when loopback is unavailable) but didn’t configure auth.
 - Fix: set `gateway.auth.mode` + `gateway.auth.token` (or export `CLAWDBOT_GATEWAY_TOKEN`) and restart the service.

 **If `clawdbot gateway status` says `bind=tailnet` but no tailnet interface was found**
--- a/docs/help/faq.md
+++ b/docs/help/faq.md
@ -630,7 +630,7 @@ Docs: [Anthropic](/providers/anthropic), [OpenAI](/providers/openai),

 ### Can I use Claude Max subscription without an API key

-Yes. You can authenticate with **Claude Code CLI OAuth** or a **setup-token**
+Yes. You can authenticate with a **setup-token**
 instead of an API key. This is the subscription path.

 Claude Pro/Max subscriptions **do not include an API key**, so this is the
@ -640,11 +640,7 @@ If you want the most explicit, supported path, use an Anthropic API key.

 ### How does Anthropic setuptoken auth work

-`claude setup-token` generates a **token string** via the Claude Code CLI (it is not available in the web console). You can run it on **any machine**. If Claude Code CLI credentials are present on the gateway host, Clawdbot can reuse them; otherwise choose **Anthropic token (paste setup-token)** and paste the string. The token is stored as an auth profile for the **anthropic** provider and used like an API key or OAuth profile. More detail: [OAuth](/concepts/oauth).
-
-Clawdbot keeps `auth.profiles["anthropic:claude-cli"].mode` set to `"oauth"` so
-the profile accepts both OAuth and setup-token credentials; older `"token"` mode
-entries auto-migrate.
+`claude setup-token` generates a **token string** via the Claude Code CLI (it is not available in the web console). You can run it on **any machine**. Choose **Anthropic token (paste setup-token)** in the wizard or paste it with `clawdbot models auth paste-token --provider anthropic`. The token is stored as an auth profile for the **anthropic** provider and used like an API key (no auto-refresh). More detail: [OAuth](/concepts/oauth).

 ### Where do I find an Anthropic setuptoken

@ -656,9 +652,9 @@ claude setup-token

 Copy the token it prints, then choose **Anthropic token (paste setup-token)** in the wizard. If you want to run it on the gateway host, use `clawdbot models auth setup-token --provider anthropic`. If you ran `claude setup-token` elsewhere, paste it on the gateway host with `clawdbot models auth paste-token --provider anthropic`. See [Anthropic](/providers/anthropic).

-### Do you support Claude subscription auth Claude Code OAuth
+### Do you support Claude subscription auth (Claude Pro/Max)

-Yes. Clawdbot can **reuse Claude Code CLI credentials** (OAuth) and also supports **setup-token**. If you have a Claude subscription, we recommend **setup-token** for long‑running setups (requires Claude Pro/Max + the `claude` CLI). You can generate it anywhere and paste it on the gateway host. OAuth reuse is supported, but avoid logging in separately via Clawdbot and Claude Code to prevent token conflicts. See [Anthropic](/providers/anthropic) and [OAuth](/concepts/oauth).
+Yes — via **setup-token**. Clawdbot no longer reuses Claude Code CLI OAuth tokens; use a setup-token or an Anthropic API key. Generate the token anywhere and paste it on the gateway host. See [Anthropic](/providers/anthropic) and [OAuth](/concepts/oauth).

 Note: Claude subscription access is governed by Anthropic’s terms. For production or multi‑user workloads, API keys are usually the safer choice.

@ -678,13 +674,12 @@ Yes - via pi‑ai’s **Amazon Bedrock (Converse)** provider with **manual confi

 ### How does Codex auth work

-Clawdbot supports **OpenAI Code (Codex)** via OAuth or by reusing your Codex CLI login (`~/.codex/auth.json`). The wizard can import the CLI login or run the OAuth flow and will set the default model to `openai-codex/gpt-5.2` when appropriate. See [Model providers](/concepts/model-providers) and [Wizard](/start/wizard).
+Clawdbot supports **OpenAI Code (Codex)** via OAuth (ChatGPT sign-in). The wizard can run the OAuth flow and will set the default model to `openai-codex/gpt-5.2` when appropriate. See [Model providers](/concepts/model-providers) and [Wizard](/start/wizard).

 ### Do you support OpenAI subscription auth Codex OAuth

-Yes. Clawdbot fully supports **OpenAI Code (Codex) subscription OAuth** and can also reuse an
-existing Codex CLI login (`~/.codex/auth.json`) on the gateway host. The onboarding wizard
-can import the CLI login or run the OAuth flow for you.
+Yes. Clawdbot fully supports **OpenAI Code (Codex) subscription OAuth**. The onboarding wizard
+can run the OAuth flow for you.

 See [OAuth](/concepts/oauth), [Model providers](/concepts/model-providers), and [Wizard](/start/wizard).

@ -1940,8 +1935,8 @@ You can list available models with `/model`, `/model list`, or `/model status`.
 You can also force a specific auth profile for the provider (per session):

 ```
-/model opus@anthropic:claude-cli
 /model opus@anthropic:default
+/model opus@anthropic:work
 ```

 Tip: `/model status` shows which agent is active, which `auth-profiles.json` file is being used, and which auth profile will be tried next.
@ -2145,21 +2140,17 @@ It means the system attempted to use the auth profile ID `anthropic:default`, bu
 - **Sanity‑check model/auth status**
  - Use `clawdbot models status` to see configured models and whether providers are authenticated.

-**Fix checklist for No credentials found for profile anthropic claude cli**
+**Fix checklist for No credentials found for profile anthropic**

-This means the run is pinned to the **Claude Code CLI** profile, but the Gateway
-can’t find that profile in its auth store.
+This means the run is pinned to an Anthropic auth profile, but the Gateway
+can’t find it in its auth store.

- **Sync the Claude Code CLI token on the gateway host**
-  - Run `clawdbot models status` (it loads + syncs Claude Code CLI credentials).
-  - If it still says missing: run `claude setup-token` (or `clawdbot models auth setup-token --provider anthropic`) and retry.
- **If the token was created on another machine**
-  - Paste it into the gateway host with `clawdbot models auth paste-token --provider anthropic`.
- **Check the profile mode**
-  - `auth.profiles["anthropic:claude-cli"].mode` must be `"oauth"` (token mode rejects OAuth credentials).
+- **Use a setup-token**
+  - Run `claude setup-token`, then paste it with `clawdbot models auth setup-token --provider anthropic`.
+  - If the token was created on another machine, use `clawdbot models auth paste-token --provider anthropic`.
 - **If you want to use an API key instead**
  - Put `ANTHROPIC_API_KEY` in `~/.clawdbot/.env` on the **gateway host**.
-  - Clear any pinned order that forces `anthropic:claude-cli`:
+  - Clear any pinned order that forces a missing profile:
    ```bash
    clawdbot models auth order clear --provider anthropic
    ```
@ -2181,7 +2172,7 @@ Fix: Clawdbot now strips unsigned thinking blocks for Google Antigravity Claude.

 ## Auth profiles: what they are and how to manage them

-Related: [/concepts/oauth](/concepts/oauth) (OAuth flows, token storage, multi-account patterns, CLI sync)
+Related: [/concepts/oauth](/concepts/oauth) (OAuth flows, token storage, multi-account patterns)

 ### What is an auth profile

@ -2212,10 +2203,10 @@ You can also set a **per-agent** order override (stored in that agent’s `auth-
 clawdbot models auth order get --provider anthropic

 # Lock rotation to a single profile (only try this one)
-clawdbot models auth order set --provider anthropic anthropic:claude-cli
+clawdbot models auth order set --provider anthropic anthropic:default

 # Or set an explicit order (fallback within provider)
-clawdbot models auth order set --provider anthropic anthropic:claude-cli anthropic:default
+clawdbot models auth order set --provider anthropic anthropic:work anthropic:default

 # Clear override (fall back to config auth.order / round-robin)
 clawdbot models auth order clear --provider anthropic
@ -2224,7 +2215,7 @@ clawdbot models auth order clear --provider anthropic
 To target a specific agent:

 ```bash
-clawdbot models auth order set --provider anthropic --agent main anthropic:claude-cli
+clawdbot models auth order set --provider anthropic --agent main anthropic:default
 ```

 ### OAuth vs API key whats the difference
@ -2234,7 +2225,7 @@ Clawdbot supports both:
 - **OAuth** often leverages subscription access (where applicable).
 - **API keys** use pay‑per‑token billing.

-The wizard explicitly supports Anthropic OAuth and OpenAI Codex OAuth and can store API keys for you.
+The wizard explicitly supports Anthropic setup-token and OpenAI Codex OAuth and can store API keys for you.

 ## Gateway: ports, “already running”, and remote mode

--- a/docs/platforms/digitalocean.md
+++ b/docs/platforms/digitalocean.md
@ -1,5 +1,5 @@
 ---
-summary: "Clawdbot on DigitalOcean (cheapest paid VPS option)"
+summary: "Clawdbot on DigitalOcean (simple paid VPS option)"
 read_when:
  - Setting up Clawdbot on DigitalOcean
  - Looking for cheap VPS hosting for Clawdbot
@ -11,22 +11,22 @@ read_when:

 Run a persistent Clawdbot Gateway on DigitalOcean for **$6/month** (or $4/mo with reserved pricing).

-If you want something even cheaper, see [Oracle Cloud (Free Tier)](#oracle-cloud-free-alternative) at the bottom — it's **actually free forever**.
+If you want a $0/month option and don’t mind ARM + provider-specific setup, see the [Oracle Cloud guide](/platforms/oracle).

 ## Cost Comparison (2026)

 | Provider | Plan | Specs | Price/mo | Notes |
 |----------|------|-------|----------|-------|
-| **Oracle Cloud** | Always Free ARM | 4 OCPU, 24GB RAM | **$0** | Best value, requires ARM-compatible setup |
-| **Hetzner** | CX22 | 2 vCPU, 4GB RAM | €3.79 (~$4) | Cheapest paid, EU datacenters |
-| **DigitalOcean** | Basic | 1 vCPU, 1GB RAM | $6 | Easy UI, good docs |
-| **Vultr** | Cloud Compute | 1 vCPU, 1GB RAM | $6 | Many locations |
-| **Linode** | Nanode | 1 vCPU, 1GB RAM | $5 | Now part of Akamai |
+| Oracle Cloud | Always Free ARM | up to 4 OCPU, 24GB RAM | $0 | ARM, limited capacity / signup quirks |
+| Hetzner | CX22 | 2 vCPU, 4GB RAM | €3.79 (~$4) | Cheapest paid option |
+| DigitalOcean | Basic | 1 vCPU, 1GB RAM | $6 | Easy UI, good docs |
+| Vultr | Cloud Compute | 1 vCPU, 1GB RAM | $6 | Many locations |
+| Linode | Nanode | 1 vCPU, 1GB RAM | $5 | Now part of Akamai |

-**Recommendation:** 
- **Free:** Oracle Cloud ARM (if you can handle the signup process)
- **Paid:** Hetzner CX22 (best specs per dollar) — see [Hetzner guide](/platforms/hetzner)
- **Easy:** DigitalOcean (this guide) — beginner-friendly UI
+**Picking a provider:**
+- DigitalOcean: simplest UX + predictable setup (this guide)
+- Hetzner: good price/perf (see [Hetzner guide](/platforms/hetzner))
+- Oracle Cloud: can be $0/month, but is more finicky and ARM-only (see [Oracle guide](/platforms/oracle))

 ---

@ -192,7 +192,7 @@ tar -czvf clawdbot-backup.tar.gz ~/.clawdbot ~/clawd

 ## Oracle Cloud Free Alternative

-Oracle Cloud offers **Always Free** ARM instances that are significantly more powerful:
+Oracle Cloud offers **Always Free** ARM instances that are significantly more powerful than any paid option here — for $0/month.

 | What you get | Specs |
 |--------------|-------|
@ -201,19 +201,11 @@ Oracle Cloud offers **Always Free** ARM instances that are significantly more po
 | **200GB storage** | Block volume |
 | **Forever free** | No credit card charges |

-### Quick setup:
-1. Sign up at [oracle.com/cloud/free](https://www.oracle.com/cloud/free/)
-2. Create a VM.Standard.A1.Flex instance (ARM)
-3. Choose Oracle Linux or Ubuntu
-4. Allocate up to 4 OCPU / 24GB RAM within free tier
-5. Follow the same Clawdbot install steps above
-
 **Caveats:**
 - Signup can be finicky (retry if it fails)
 - ARM architecture — most things work, but some binaries need ARM builds
- Oracle may reclaim idle instances (keep them active)

-For the full Oracle guide, see the [community docs](https://gist.github.com/rssnyder/51e3cfedd730e7dd5f4a816143b25dbd).
+For the full setup guide, see [Oracle Cloud](/platforms/oracle). For signup tips and troubleshooting the enrollment process, see this [community guide](https://gist.github.com/rssnyder/51e3cfedd730e7dd5f4a816143b25dbd).

 ---

--- a/docs/platforms/fly.md
+++ b/docs/platforms/fly.md
@ -39,7 +39,9 @@ fly volumes create clawdbot_data --size 1 --region iad

 ## 2) Configure fly.toml

-Edit `fly.toml` to match your app name and requirements:
+Edit `fly.toml` to match your app name and requirements.
+
+**Security note:** The default config exposes a public URL. For a hardened deployment with no public IP, see [Private Deployment](#private-deployment-hardened) or use `fly.private.toml`.

 ```toml
 app = "my-clawdbot"  # Your app name
@ -104,6 +106,7 @@ fly secrets set DISCORD_BOT_TOKEN=MTQ...
 **Notes:**
 - Non-loopback binds (`--bind lan`) require `CLAWDBOT_GATEWAY_TOKEN` for security.
 - Treat these tokens like passwords.
+- **Prefer env vars over config file** for all API keys and tokens. This keeps secrets out of `clawdbot.json` where they could be accidentally exposed or logged.

 ## 4) Deploy

@ -337,6 +340,114 @@ fly machine update <machine-id> --vm-memory 2048 --command "node dist/index.js g

 **Note:** After `fly deploy`, the machine command may reset to what's in `fly.toml`. If you made manual changes, re-apply them after deploy.

+## Private Deployment (Hardened)
+
+By default, Fly allocates public IPs, making your gateway accessible at `https://your-app.fly.dev`. This is convenient but means your deployment is discoverable by internet scanners (Shodan, Censys, etc.).
+
+For a hardened deployment with **no public exposure**, use the private template.
+
+### When to use private deployment
+
+- You only make **outbound** calls/messages (no inbound webhooks)
+- You use **ngrok or Tailscale** tunnels for any webhook callbacks
+- You access the gateway via **SSH, proxy, or WireGuard** instead of browser
+- You want the deployment **hidden from internet scanners**
+
+### Setup
+
+Use `fly.private.toml` instead of the standard config:
+
+```bash
+# Deploy with private config
+fly deploy -c fly.private.toml
+```
+
+Or convert an existing deployment:
+
+```bash
+# List current IPs
+fly ips list -a my-clawdbot
+
+# Release public IPs
+fly ips release <public-ipv4> -a my-clawdbot
+fly ips release <public-ipv6> -a my-clawdbot
+
+# Switch to private config so future deploys don't re-allocate public IPs
+# (remove [http_service] or deploy with the private template)
+fly deploy -c fly.private.toml
+
+# Allocate private-only IPv6
+fly ips allocate-v6 --private -a my-clawdbot
+```
+
+After this, `fly ips list` should show only a `private` type IP:
+```
+VERSION  IP                   TYPE             REGION
+v6       fdaa:x:x:x:x::x      private          global
+```
+
+### Accessing a private deployment
+
+Since there's no public URL, use one of these methods:
+
+**Option 1: Local proxy (simplest)**
+```bash
+# Forward local port 3000 to the app
+fly proxy 3000:3000 -a my-clawdbot
+
+# Then open http://localhost:3000 in browser
+```
+
+**Option 2: WireGuard VPN**
+```bash
+# Create WireGuard config (one-time)
+fly wireguard create
+
+# Import to WireGuard client, then access via internal IPv6
+# Example: http://[fdaa:x:x:x:x::x]:3000
+```
+
+**Option 3: SSH only**
+```bash
+fly ssh console -a my-clawdbot
+```
+
+### Webhooks with private deployment
+
+If you need webhook callbacks (Twilio, Telnyx, etc.) without public exposure:
+
+1. **ngrok tunnel** - Run ngrok inside the container or as a sidecar
+2. **Tailscale Funnel** - Expose specific paths via Tailscale
+3. **Outbound-only** - Some providers (Twilio) work fine for outbound calls without webhooks
+
+Example voice-call config with ngrok:
+```json
+{
+  "plugins": {
+    "entries": {
+      "voice-call": {
+        "enabled": true,
+        "config": {
+          "provider": "twilio",
+          "tunnel": { "provider": "ngrok" }
+        }
+      }
+    }
+  }
+}
+```
+
+The ngrok tunnel runs inside the container and provides a public webhook URL without exposing the Fly app itself.
+
+### Security benefits
+
+| Aspect | Public | Private |
+|--------|--------|---------|
+| Internet scanners | Discoverable | Hidden |
+| Direct attacks | Possible | Blocked |
+| Control UI access | Browser | Proxy/VPN |
+| Webhook delivery | Direct | Via tunnel |
+
 ## Notes

 - Fly.io uses **x86 architecture** (not ARM)
--- a/docs/platforms/oracle.md
+++ b/docs/platforms/oracle.md
@ -0,0 +1,291 @@
+---
+summary: "Clawdbot on Oracle Cloud (Always Free ARM)"
+read_when:
+  - Setting up Clawdbot on Oracle Cloud
+  - Looking for low-cost VPS hosting for Clawdbot
+  - Want 24/7 Clawdbot on a small server
+---
+
+# Clawdbot on Oracle Cloud (OCI)
+
+## Goal
+
+Run a persistent Clawdbot Gateway on Oracle Cloud's **Always Free** ARM tier.
+
+Oracle’s free tier can be a great fit for Clawdbot (especially if you already have an OCI account), but it comes with tradeoffs:
+
+- ARM architecture (most things work, but some binaries may be x86-only)
+- Capacity and signup can be finicky
+
+## Cost Comparison (2026)
+
+| Provider | Plan | Specs | Price/mo | Notes |
+|----------|------|-------|----------|-------|
+| Oracle Cloud | Always Free ARM | up to 4 OCPU, 24GB RAM | $0 | ARM, limited capacity |
+| Hetzner | CX22 | 2 vCPU, 4GB RAM | ~ $4 | Cheapest paid option |
+| DigitalOcean | Basic | 1 vCPU, 1GB RAM | $6 | Easy UI, good docs |
+| Vultr | Cloud Compute | 1 vCPU, 1GB RAM | $6 | Many locations |
+| Linode | Nanode | 1 vCPU, 1GB RAM | $5 | Now part of Akamai |
+
+---
+
+## Prerequisites
+
+- Oracle Cloud account ([signup](https://www.oracle.com/cloud/free/)) — see [community signup guide](https://gist.github.com/rssnyder/51e3cfedd730e7dd5f4a816143b25dbd) if you hit issues
+- Tailscale account (free at [tailscale.com](https://tailscale.com))
+- ~30 minutes
+
+## 1) Create an OCI Instance
+
+1. Log into [Oracle Cloud Console](https://cloud.oracle.com/)
+2. Navigate to **Compute → Instances → Create Instance**
+3. Configure:
+   - **Name:** `clawdbot`
+   - **Image:** Ubuntu 24.04 (aarch64)
+   - **Shape:** `VM.Standard.A1.Flex` (Ampere ARM)
+   - **OCPUs:** 2 (or up to 4)
+   - **Memory:** 12 GB (or up to 24 GB)
+   - **Boot volume:** 50 GB (up to 200 GB free)
+   - **SSH key:** Add your public key
+4. Click **Create**
+5. Note the public IP address
+
+**Tip:** If instance creation fails with "Out of capacity", try a different availability domain or retry later. Free tier capacity is limited.
+
+## 2) Connect and Update
+
+```bash
+# Connect via public IP
+ssh ubuntu@YOUR_PUBLIC_IP
+
+# Update system
+sudo apt update && sudo apt upgrade -y
+sudo apt install -y build-essential
+```
+
+**Note:** `build-essential` is required for ARM compilation of some dependencies.
+
+## 3) Configure User and Hostname
+
+```bash
+# Set hostname
+sudo hostnamectl set-hostname clawdbot
+
+# Set password for ubuntu user
+sudo passwd ubuntu
+
+# Enable lingering (keeps user services running after logout)
+sudo loginctl enable-linger ubuntu
+```
+
+## 4) Install Tailscale
+
+```bash
+curl -fsSL https://tailscale.com/install.sh | sh
+sudo tailscale up --ssh --hostname=clawdbot
+```
+
+This enables Tailscale SSH, so you can connect via `ssh clawdbot` from any device on your tailnet — no public IP needed.
+
+Verify:
+```bash
+tailscale status
+```
+
+**From now on, connect via Tailscale:** `ssh ubuntu@clawdbot` (or use the Tailscale IP).
+
+## 5) Install Clawdbot
+
+```bash
+curl -fsSL https://clawd.bot/install.sh | bash
+source ~/.bashrc
+```
+
+When prompted "How do you want to hatch your bot?", select **"Do this later"**.
+
+> Note: If you hit ARM-native build issues, start with system packages (e.g. `sudo apt install -y build-essential`) before reaching for Homebrew.
+
+## 6) Configure Gateway (loopback + token auth) and enable Tailscale Serve
+
+Use token auth as the default. It’s predictable and avoids needing any “insecure auth” Control UI flags.
+
+```bash
+# Keep the Gateway private on the VM
+clawdbot config set gateway.bind loopback
+
+# Require auth for the Gateway + Control UI
+clawdbot config set gateway.auth.mode token
+clawdbot doctor --generate-gateway-token
+
+# Expose over Tailscale Serve (HTTPS + tailnet access)
+clawdbot config set gateway.tailscale.mode serve
+clawdbot config set gateway.trustedProxies '["127.0.0.1"]'
+
+systemctl --user restart clawdbot-gateway
+```
+
+## 7) Verify
+
+```bash
+# Check version
+clawdbot --version
+
+# Check daemon status
+systemctl --user status clawdbot-gateway
+
+# Check Tailscale Serve
+tailscale serve status
+
+# Test local response
+curl http://localhost:18789
+```
+
+## 8) Lock Down VCN Security
+
+Now that everything is working, lock down the VCN to block all traffic except Tailscale. OCI's Virtual Cloud Network acts as a firewall at the network edge — traffic is blocked before it reaches your instance.
+
+1. Go to **Networking → Virtual Cloud Networks** in the OCI Console
+2. Click your VCN → **Security Lists** → Default Security List
+3. **Remove** all ingress rules except:
+   - `0.0.0.0/0 UDP 41641` (Tailscale)
+4. Keep default egress rules (allow all outbound)
+
+This blocks SSH on port 22, HTTP, HTTPS, and everything else at the network edge. From now on, you can only connect via Tailscale.
+
+---
+
+## Access the Control UI
+
+From any device on your Tailscale network:
+
+```
+https://clawdbot.<tailnet-name>.ts.net/
+```
+
+Replace `<tailnet-name>` with your tailnet name (visible in `tailscale status`).
+
+No SSH tunnel needed. Tailscale provides:
+- HTTPS encryption (automatic certs)
+- Authentication via Tailscale identity
+- Access from any device on your tailnet (laptop, phone, etc.)
+
+---
+
+## Security: VCN + Tailscale (recommended baseline)
+
+With the VCN locked down (only UDP 41641 open) and the Gateway bound to loopback, you get strong defense-in-depth: public traffic is blocked at the network edge, and admin access happens over your tailnet.
+
+This setup often removes the *need* for extra host-based firewall rules purely to stop Internet-wide SSH brute force — but you should still keep the OS updated, run `clawdbot security audit`, and verify you aren’t accidentally listening on public interfaces.
+
+### What's Already Protected
+
+| Traditional Step | Needed? | Why |
+|------------------|---------|-----|
+| UFW firewall | No | VCN blocks before traffic reaches instance |
+| fail2ban | No | No brute force if port 22 blocked at VCN |
+| sshd hardening | No | Tailscale SSH doesn't use sshd |
+| Disable root login | No | Tailscale uses Tailscale identity, not system users |
+| SSH key-only auth | No | Tailscale authenticates via your tailnet |
+| IPv6 hardening | Usually not | Depends on your VCN/subnet settings; verify what’s actually assigned/exposed |
+
+### Still Recommended
+
+- **Credential permissions:** `chmod 700 ~/.clawdbot`
+- **Security audit:** `clawdbot security audit`
+- **System updates:** `sudo apt update && sudo apt upgrade` regularly
+- **Monitor Tailscale:** Review devices in [Tailscale admin console](https://login.tailscale.com/admin)
+
+### Verify Security Posture
+
+```bash
+# Confirm no public ports listening
+sudo ss -tlnp | grep -v '127.0.0.1\|::1'
+
+# Verify Tailscale SSH is active
+tailscale status | grep -q 'offers: ssh' && echo "Tailscale SSH active"
+
+# Optional: disable sshd entirely
+sudo systemctl disable --now ssh
+```
+
+---
+
+## Fallback: SSH Tunnel
+
+If Tailscale Serve isn't working, use an SSH tunnel:
+
+```bash
+# From your local machine (via Tailscale)
+ssh -L 18789:127.0.0.1:18789 ubuntu@clawdbot
+```
+
+Then open `http://localhost:18789`.
+
+---
+
+## Troubleshooting
+
+### Instance creation fails ("Out of capacity")
+Free tier ARM instances are popular. Try:
+- Different availability domain
+- Retry during off-peak hours (early morning)
+- Use the "Always Free" filter when selecting shape
+
+### Tailscale won't connect
+```bash
+# Check status
+sudo tailscale status
+
+# Re-authenticate
+sudo tailscale up --ssh --hostname=clawdbot --reset
+```
+
+### Gateway won't start
+```bash
+clawdbot gateway status
+clawdbot doctor --non-interactive
+journalctl --user -u clawdbot-gateway -n 50
+```
+
+### Can't reach Control UI
+```bash
+# Verify Tailscale Serve is running
+tailscale serve status
+
+# Check gateway is listening
+curl http://localhost:18789
+
+# Restart if needed
+systemctl --user restart clawdbot-gateway
+```
+
+### ARM binary issues
+Some tools may not have ARM builds. Check:
+```bash
+uname -m  # Should show aarch64
+```
+
+Most npm packages work fine. For binaries, look for `linux-arm64` or `aarch64` releases.
+
+---
+
+## Persistence
+
+All state lives in:
+- `~/.clawdbot/` — config, credentials, session data
+- `~/clawd/` — workspace (SOUL.md, memory, artifacts)
+
+Back up periodically:
+```bash
+tar -czvf clawdbot-backup.tar.gz ~/.clawdbot ~/clawd
+```
+
+---
+
+## See Also
+
+- [Gateway remote access](/gateway/remote) — other remote access patterns
+- [Tailscale integration](/gateway/tailscale) — full Tailscale docs
+- [Gateway configuration](/gateway/configuration) — all config options
+- [DigitalOcean guide](/platforms/digitalocean) — if you want paid + easier signup
+- [Hetzner guide](/platforms/hetzner) — Docker-based alternative
--- a/docs/plugins/voice-call.md
+++ b/docs/plugins/voice-call.md
@ -103,6 +103,8 @@ Notes:
 - Plivo requires a **publicly reachable** webhook URL.
 - `mock` is a local dev provider (no network calls).
 - `skipSignatureVerification` is for local testing only.
+- If you use ngrok free tier, set `publicUrl` to the exact ngrok URL; signature verification is always enforced.
+- Ngrok free tier URLs can change or add interstitial behavior; if `publicUrl` drifts, Twilio signatures will fail. For production, prefer a stable domain or Tailscale funnel.

 ## TTS for calls

--- a/docs/providers/anthropic.md
+++ b/docs/providers/anthropic.md
@ -1,14 +1,13 @@
 ---
-summary: "Use Anthropic Claude via API keys or Claude Code CLI auth in Clawdbot"
+summary: "Use Anthropic Claude via API keys or setup-token in Clawdbot"
 read_when:
  - You want to use Anthropic models in Clawdbot
-  - You want setup-token or Claude Code CLI auth instead of API keys
+  - You want setup-token instead of API keys
 ---
 # Anthropic (Claude)

 Anthropic builds the **Claude** model family and provides access via an API.
-In Clawdbot you can authenticate with an API key or reuse **Claude Code CLI** credentials
-(setup-token or OAuth).
+In Clawdbot you can authenticate with an API key or a **setup-token**.

 ## Option A: Anthropic API key

@ -37,7 +36,7 @@ clawdbot onboard --anthropic-api-key "$ANTHROPIC_API_KEY"
 ## Prompt caching (Anthropic API)

 Clawdbot does **not** override Anthropic’s default cache TTL unless you set it.
-This is **API-only**; Claude Code CLI OAuth ignores TTL settings.
+This is **API-only**; subscription auth does not honor TTL settings.

 To set the TTL per model, use `cacheControlTtl` in the model `params`:

@ -58,9 +57,9 @@ To set the TTL per model, use `cacheControlTtl` in the model `params`:
 Clawdbot includes the `extended-cache-ttl-2025-04-11` beta flag for Anthropic API
 requests; keep it if you override provider headers (see [/gateway/configuration](/gateway/configuration)).

-## Option B: Claude Code CLI (setup-token or OAuth)
+## Option B: Claude setup-token

-**Best for:** using your Claude subscription or existing Claude Code CLI login.
+**Best for:** using your Claude subscription.

 ### Where to get a setup-token

@ -85,8 +84,8 @@ clawdbot models auth paste-token --provider anthropic
 ### CLI setup

 ```bash
-# Reuse Claude Code CLI OAuth credentials if already logged in
-clawdbot onboard --auth-choice claude-cli
+# Paste a setup-token during onboarding
+clawdbot onboard --auth-choice setup-token
 ```

 ### Config snippet
@ -100,10 +99,7 @@ clawdbot onboard --auth-choice claude-cli
 ## Notes

 - Generate the setup-token with `claude setup-token` and paste it, or run `clawdbot models auth setup-token` on the gateway host.
- If you see “OAuth token refresh failed …” on a Claude subscription, re-auth with a setup-token or resync Claude Code CLI OAuth on the gateway host. See [/gateway/troubleshooting#oauth-token-refresh-failed-anthropic-claude-subscription](/gateway/troubleshooting#oauth-token-refresh-failed-anthropic-claude-subscription).
- Clawdbot writes `auth.profiles["anthropic:claude-cli"].mode` as `"oauth"` so the profile
-  accepts both OAuth and setup-token credentials. Older configs using `"token"` are
-  auto-migrated on load.
+- If you see “OAuth token refresh failed …” on a Claude subscription, re-auth with a setup-token. See [/gateway/troubleshooting#oauth-token-refresh-failed-anthropic-claude-subscription](/gateway/troubleshooting#oauth-token-refresh-failed-anthropic-claude-subscription).
 - Auth details + reuse rules are in [/concepts/oauth](/concepts/oauth).

 ## Troubleshooting
@ -119,7 +115,7 @@ clawdbot onboard --auth-choice claude-cli
 - Re-run onboarding for that agent, or paste a setup-token / API key on the
  gateway host, then verify with `clawdbot models status`.

-**No credentials found for profile `anthropic:default` or `anthropic:claude-cli`**
+**No credentials found for profile `anthropic:default`**
 - Run `clawdbot models status` to see which auth profile is active.
 - Re-run onboarding, or paste a setup-token / API key for that profile.

--- a/docs/providers/claude-max-api-proxy.md
+++ b/docs/providers/claude-max-api-proxy.md
@ -141,5 +141,5 @@ launchctl bootstrap gui/$(id -u) ~/Library/LaunchAgents/com.claude-max-api.plist

 ## See Also

- [Anthropic provider](/providers/anthropic) - Native Clawdbot integration with Claude Code CLI OAuth
+- [Anthropic provider](/providers/anthropic) - Native Clawdbot integration with Claude setup-token or API keys
 - [OpenAI provider](/providers/openai) - For OpenAI/Codex subscriptions
--- a/docs/providers/openai.md
+++ b/docs/providers/openai.md
@ -7,9 +7,7 @@ read_when:
 # OpenAI

 OpenAI provides developer APIs for GPT models. Codex supports **ChatGPT sign-in** for subscription
-access or **API key** sign-in for usage-based access. Codex cloud requires ChatGPT sign-in, while
-the Codex CLI supports either sign-in method. The Codex CLI caches login details in
-`~/.codex/auth.json` (or your OS credential store), which Clawdbot can reuse.
+access or **API key** sign-in for usage-based access. Codex cloud requires ChatGPT sign-in.

 ## Option A: OpenAI API key (OpenAI Platform)

@ -38,16 +36,14 @@ clawdbot onboard --openai-api-key "$OPENAI_API_KEY"
 **Best for:** using ChatGPT/Codex subscription access instead of an API key.
 Codex cloud requires ChatGPT sign-in, while the Codex CLI supports ChatGPT or API key sign-in.

-Clawdbot can reuse your **Codex CLI** login (`~/.codex/auth.json`) or run the OAuth flow.
-
 ### CLI setup

 ```bash
-# Reuse existing Codex CLI login
-clawdbot onboard --auth-choice codex-cli
-
-# Or run Codex OAuth in the wizard
+# Run Codex OAuth in the wizard
 clawdbot onboard --auth-choice openai-codex
+
+# Or run OAuth directly
+clawdbot models auth login --provider openai-codex
 ```

 ### Config snippet
--- a/docs/tools/slash-commands.md
+++ b/docs/tools/slash-commands.md
@ -132,7 +132,7 @@ Examples:
 /model list
 /model 3
 /model openai/gpt-5.2
-/model opus@anthropic:claude-cli
+/model opus@anthropic:default
 /model status
 ```

--- a/docs/vps.md
+++ b/docs/vps.md
@ -1,5 +1,5 @@
 ---
-summary: "VPS hosting hub for Clawdbot (Fly/Hetzner/GCP/exe.dev)"
+summary: "VPS hosting hub for Clawdbot (Oracle/Fly/Hetzner/GCP/exe.dev)"
 read_when:
  - You want to run the Gateway in the cloud
  - You need a quick map of VPS/hosting guides
@ -11,6 +11,7 @@ deployments work at a high level.

 ## Pick a provider

+- **Oracle Cloud (Always Free)**: [Oracle](/platforms/oracle) — $0/month (Always Free, ARM; capacity/signup can be finicky)
 - **Fly.io**: [Fly.io](/platforms/fly)
 - **Hetzner (Docker)**: [Hetzner](/platforms/hetzner)
 - **GCP (Compute Engine)**: [GCP](/platforms/gcp)
--- a/extensions/voice-call/index.ts
+++ b/extensions/voice-call/index.ts
@ -1,8 +1,8 @@
 import { Type } from "@sinclair/typebox";
-
 import type { CoreConfig } from "./src/core-bridge.js";
 import {
  VoiceCallConfigSchema,
+  resolveVoiceCallConfig,
  validateProviderConfig,
  type VoiceCallConfig,
 } from "./src/config.js";
@ -145,8 +145,10 @@ const voiceCallPlugin = {
  description: "Voice-call plugin with Telnyx/Twilio/Plivo providers",
  configSchema: voiceCallConfigSchema,
  register(api) {
-    const cfg = voiceCallConfigSchema.parse(api.pluginConfig);
-    const validation = validateProviderConfig(cfg);
+    const config = resolveVoiceCallConfig(
+      voiceCallConfigSchema.parse(api.pluginConfig),
+    );
+    const validation = validateProviderConfig(config);

    if (api.pluginConfig && typeof api.pluginConfig === "object") {
      const raw = api.pluginConfig as Record<string, unknown>;
@ -167,7 +169,7 @@ const voiceCallPlugin = {
    let runtime: VoiceCallRuntime | null = null;

    const ensureRuntime = async () => {
-      if (!cfg.enabled) {
+      if (!config.enabled) {
        throw new Error("Voice call disabled in plugin config");
      }
      if (!validation.valid) {
@ -176,7 +178,7 @@ const voiceCallPlugin = {
      if (runtime) return runtime;
      if (!runtimePromise) {
        runtimePromise = createVoiceCallRuntime({
-          config: cfg,
+          config,
          coreConfig: api.config as CoreConfig,
          ttsRuntime: api.runtime.tts,
          logger: api.logger,
@ -457,7 +459,7 @@ const voiceCallPlugin = {
      ({ program }) =>
        registerVoiceCallCli({
          program,
-          config: cfg,
+          config,
          ensureRuntime,
          logger: api.logger,
        }),
@ -467,7 +469,7 @@ const voiceCallPlugin = {
    api.registerService({
      id: "voicecall",
      start: async () => {
-        if (!cfg.enabled) return;
+        if (!config.enabled) return;
        try {
          await ensureRuntime();
        } catch (err) {
--- a/extensions/voice-call/src/config.test.ts
+++ b/extensions/voice-call/src/config.test.ts
@ -0,0 +1,204 @@
+import { afterEach, beforeEach, describe, expect, it } from "vitest";
+
+import { validateProviderConfig, resolveVoiceCallConfig, type VoiceCallConfig } from "./config.js";
+
+function createBaseConfig(
+  provider: "telnyx" | "twilio" | "plivo" | "mock",
+): VoiceCallConfig {
+  return {
+    enabled: true,
+    provider,
+    fromNumber: "+15550001234",
+    inboundPolicy: "disabled",
+    allowFrom: [],
+    outbound: { defaultMode: "notify", notifyHangupDelaySec: 3 },
+    maxDurationSeconds: 300,
+    silenceTimeoutMs: 800,
+    transcriptTimeoutMs: 180000,
+    ringTimeoutMs: 30000,
+    maxConcurrentCalls: 1,
+    serve: { port: 3334, bind: "127.0.0.1", path: "/voice/webhook" },
+    tailscale: { mode: "off", path: "/voice/webhook" },
+    tunnel: { provider: "none", allowNgrokFreeTier: false },
+    streaming: {
+      enabled: false,
+      sttProvider: "openai-realtime",
+      sttModel: "gpt-4o-transcribe",
+      silenceDurationMs: 800,
+      vadThreshold: 0.5,
+      streamPath: "/voice/stream",
+    },
+    skipSignatureVerification: false,
+    stt: { provider: "openai", model: "whisper-1" },
+    tts: { provider: "openai", model: "gpt-4o-mini-tts", voice: "coral" },
+    responseModel: "openai/gpt-4o-mini",
+    responseTimeoutMs: 30000,
+  };
+}
+
+describe("validateProviderConfig", () => {
+  const originalEnv = { ...process.env };
+
+  beforeEach(() => {
+    // Clear all relevant env vars before each test
+    delete process.env.TWILIO_ACCOUNT_SID;
+    delete process.env.TWILIO_AUTH_TOKEN;
+    delete process.env.TELNYX_API_KEY;
+    delete process.env.TELNYX_CONNECTION_ID;
+    delete process.env.PLIVO_AUTH_ID;
+    delete process.env.PLIVO_AUTH_TOKEN;
+  });
+
+  afterEach(() => {
+    // Restore original env
+    process.env = { ...originalEnv };
+  });
+
+  describe("twilio provider", () => {
+    it("passes validation when credentials are in config", () => {
+      const config = createBaseConfig("twilio");
+      config.twilio = { accountSid: "AC123", authToken: "secret" };
+
+      const result = validateProviderConfig(config);
+
+      expect(result.valid).toBe(true);
+      expect(result.errors).toEqual([]);
+    });
+
+    it("passes validation when credentials are in environment variables", () => {
+      process.env.TWILIO_ACCOUNT_SID = "AC123";
+      process.env.TWILIO_AUTH_TOKEN = "secret";
+      let config = createBaseConfig("twilio");
+      config = resolveVoiceCallConfig(config);
+
+      const result = validateProviderConfig(config);
+
+      expect(result.valid).toBe(true);
+      expect(result.errors).toEqual([]);
+    });
+
+    it("passes validation with mixed config and env vars", () => {
+      process.env.TWILIO_AUTH_TOKEN = "secret";
+      let config = createBaseConfig("twilio");
+      config.twilio = { accountSid: "AC123" };
+      config = resolveVoiceCallConfig(config);
+
+      const result = validateProviderConfig(config);
+
+      expect(result.valid).toBe(true);
+      expect(result.errors).toEqual([]);
+    });
+
+    it("fails validation when accountSid is missing everywhere", () => {
+      process.env.TWILIO_AUTH_TOKEN = "secret";
+      let config = createBaseConfig("twilio");
+      config = resolveVoiceCallConfig(config);
+
+      const result = validateProviderConfig(config);
+
+      expect(result.valid).toBe(false);
+      expect(result.errors).toContain(
+        "plugins.entries.voice-call.config.twilio.accountSid is required (or set TWILIO_ACCOUNT_SID env)",
+      );
+    });
+
+    it("fails validation when authToken is missing everywhere", () => {
+      process.env.TWILIO_ACCOUNT_SID = "AC123";
+      let config = createBaseConfig("twilio");
+      config = resolveVoiceCallConfig(config);
+
+      const result = validateProviderConfig(config);
+
+      expect(result.valid).toBe(false);
+      expect(result.errors).toContain(
+        "plugins.entries.voice-call.config.twilio.authToken is required (or set TWILIO_AUTH_TOKEN env)",
+      );
+    });
+  });
+
+  describe("telnyx provider", () => {
+    it("passes validation when credentials are in config", () => {
+      const config = createBaseConfig("telnyx");
+      config.telnyx = { apiKey: "KEY123", connectionId: "CONN456" };
+
+      const result = validateProviderConfig(config);
+
+      expect(result.valid).toBe(true);
+      expect(result.errors).toEqual([]);
+    });
+
+    it("passes validation when credentials are in environment variables", () => {
+      process.env.TELNYX_API_KEY = "KEY123";
+      process.env.TELNYX_CONNECTION_ID = "CONN456";
+      let config = createBaseConfig("telnyx");
+      config = resolveVoiceCallConfig(config);
+
+      const result = validateProviderConfig(config);
+
+      expect(result.valid).toBe(true);
+      expect(result.errors).toEqual([]);
+    });
+
+    it("fails validation when apiKey is missing everywhere", () => {
+      process.env.TELNYX_CONNECTION_ID = "CONN456";
+      let config = createBaseConfig("telnyx");
+      config = resolveVoiceCallConfig(config);
+
+      const result = validateProviderConfig(config);
+
+      expect(result.valid).toBe(false);
+      expect(result.errors).toContain(
+        "plugins.entries.voice-call.config.telnyx.apiKey is required (or set TELNYX_API_KEY env)",
+      );
+    });
+  });
+
+  describe("plivo provider", () => {
+    it("passes validation when credentials are in config", () => {
+      const config = createBaseConfig("plivo");
+      config.plivo = { authId: "MA123", authToken: "secret" };
+
+      const result = validateProviderConfig(config);
+
+      expect(result.valid).toBe(true);
+      expect(result.errors).toEqual([]);
+    });
+
+    it("passes validation when credentials are in environment variables", () => {
+      process.env.PLIVO_AUTH_ID = "MA123";
+      process.env.PLIVO_AUTH_TOKEN = "secret";
+      let config = createBaseConfig("plivo");
+      config = resolveVoiceCallConfig(config);
+
+      const result = validateProviderConfig(config);
+
+      expect(result.valid).toBe(true);
+      expect(result.errors).toEqual([]);
+    });
+
+    it("fails validation when authId is missing everywhere", () => {
+      process.env.PLIVO_AUTH_TOKEN = "secret";
+      let config = createBaseConfig("plivo");
+      config = resolveVoiceCallConfig(config);
+
+      const result = validateProviderConfig(config);
+
+      expect(result.valid).toBe(false);
+      expect(result.errors).toContain(
+        "plugins.entries.voice-call.config.plivo.authId is required (or set PLIVO_AUTH_ID env)",
+      );
+    });
+  });
+
+  describe("disabled config", () => {
+    it("skips validation when enabled is false", () => {
+      const config = createBaseConfig("twilio");
+      config.enabled = false;
+
+      const result = validateProviderConfig(config);
+
+      expect(result.valid).toBe(true);
+      expect(result.errors).toEqual([]);
+    });
+  });
+});
--- a/extensions/voice-call/src/config.ts
+++ b/extensions/voice-call/src/config.ts
@ -217,13 +217,12 @@ export const VoiceCallTunnelConfigSchema = z
    /**
     * Allow ngrok free tier compatibility mode.
     * When true, signature verification failures on ngrok-free.app URLs
-     * will be logged but allowed through. Less secure, but necessary
-     * for ngrok free tier which may modify URLs.
+     * will include extra diagnostics. Signature verification is still required.
     */
-    allowNgrokFreeTier: z.boolean().default(true),
+    allowNgrokFreeTier: z.boolean().default(false),
  })
  .strict()
-  .default({ provider: "none", allowNgrokFreeTier: true });
+  .default({ provider: "none", allowNgrokFreeTier: false });
 export type VoiceCallTunnelConfig = z.infer<typeof VoiceCallTunnelConfigSchema>;

 // -----------------------------------------------------------------------------
@ -381,6 +380,55 @@ export type VoiceCallConfig = z.infer<typeof VoiceCallConfigSchema>;
 // Configuration Helpers
 // -----------------------------------------------------------------------------

+/**
+ * Resolves the configuration by merging environment variables into missing fields.
+ * Returns a new configuration object with environment variables applied.
+ */
+export function resolveVoiceCallConfig(config: VoiceCallConfig): VoiceCallConfig {
+  const resolved = JSON.parse(JSON.stringify(config)) as VoiceCallConfig;
+
+  // Telnyx
+  if (resolved.provider === "telnyx") {
+    resolved.telnyx = resolved.telnyx ?? {};
+    resolved.telnyx.apiKey =
+      resolved.telnyx.apiKey ?? process.env.TELNYX_API_KEY;
+    resolved.telnyx.connectionId =
+      resolved.telnyx.connectionId ?? process.env.TELNYX_CONNECTION_ID;
+    resolved.telnyx.publicKey =
+      resolved.telnyx.publicKey ?? process.env.TELNYX_PUBLIC_KEY;
+  }
+
+  // Twilio
+  if (resolved.provider === "twilio") {
+    resolved.twilio = resolved.twilio ?? {};
+    resolved.twilio.accountSid =
+      resolved.twilio.accountSid ?? process.env.TWILIO_ACCOUNT_SID;
+    resolved.twilio.authToken =
+      resolved.twilio.authToken ?? process.env.TWILIO_AUTH_TOKEN;
+  }
+
+  // Plivo
+  if (resolved.provider === "plivo") {
+    resolved.plivo = resolved.plivo ?? {};
+    resolved.plivo.authId =
+      resolved.plivo.authId ?? process.env.PLIVO_AUTH_ID;
+    resolved.plivo.authToken =
+      resolved.plivo.authToken ?? process.env.PLIVO_AUTH_TOKEN;
+  }
+
+  // Tunnel Config
+  resolved.tunnel = resolved.tunnel ?? {
+    provider: "none",
+    allowNgrokFreeTier: false,
+  };
+  resolved.tunnel.ngrokAuthToken =
+    resolved.tunnel.ngrokAuthToken ?? process.env.NGROK_AUTHTOKEN;
+  resolved.tunnel.ngrokDomain =
+    resolved.tunnel.ngrokDomain ?? process.env.NGROK_DOMAIN;
+
+  return resolved;
+}
+
 /**
 * Validate that the configuration has all required fields for the selected provider.
 */
--- a/extensions/voice-call/src/providers/twilio/webhook.ts
+++ b/extensions/voice-call/src/providers/twilio/webhook.ts
@ -11,7 +11,7 @@ export function verifyTwilioProviderWebhook(params: {
 }): WebhookVerificationResult {
  const result = verifyTwilioWebhook(params.ctx, params.authToken, {
    publicUrl: params.currentPublicUrl || undefined,
-    allowNgrokFreeTier: params.options.allowNgrokFreeTier ?? true,
+    allowNgrokFreeTier: params.options.allowNgrokFreeTier ?? false,
    skipVerification: params.options.skipVerification,
  });

--- a/extensions/voice-call/src/runtime.ts
+++ b/extensions/voice-call/src/runtime.ts
@ -1,6 +1,6 @@
 import type { CoreConfig } from "./core-bridge.js";
 import type { VoiceCallConfig } from "./config.js";
-import { validateProviderConfig } from "./config.js";
+import { resolveVoiceCallConfig, validateProviderConfig } from "./config.js";
 import { CallManager } from "./manager.js";
 import type { VoiceCallProvider } from "./providers/base.js";
 import { MockProvider } from "./providers/mock.js";
@ -37,20 +37,18 @@ function resolveProvider(config: VoiceCallConfig): VoiceCallProvider {
  switch (config.provider) {
    case "telnyx":
      return new TelnyxProvider({
-        apiKey: config.telnyx?.apiKey ?? process.env.TELNYX_API_KEY,
-        connectionId:
-          config.telnyx?.connectionId ?? process.env.TELNYX_CONNECTION_ID,
-        publicKey: config.telnyx?.publicKey ?? process.env.TELNYX_PUBLIC_KEY,
+        apiKey: config.telnyx?.apiKey,
+        connectionId: config.telnyx?.connectionId,
+        publicKey: config.telnyx?.publicKey,
      });
    case "twilio":
      return new TwilioProvider(
        {
-          accountSid:
-            config.twilio?.accountSid ?? process.env.TWILIO_ACCOUNT_SID,
-          authToken: config.twilio?.authToken ?? process.env.TWILIO_AUTH_TOKEN,
+          accountSid: config.twilio?.accountSid,
+          authToken: config.twilio?.authToken,
        },
        {
-          allowNgrokFreeTier: config.tunnel?.allowNgrokFreeTier ?? true,
+          allowNgrokFreeTier: config.tunnel?.allowNgrokFreeTier ?? false,
          publicUrl: config.publicUrl,
          skipVerification: config.skipSignatureVerification,
          streamPath: config.streaming?.enabled
@ -61,8 +59,8 @@ function resolveProvider(config: VoiceCallConfig): VoiceCallProvider {
    case "plivo":
      return new PlivoProvider(
        {
-          authId: config.plivo?.authId ?? process.env.PLIVO_AUTH_ID,
-          authToken: config.plivo?.authToken ?? process.env.PLIVO_AUTH_TOKEN,
+          authId: config.plivo?.authId,
+          authToken: config.plivo?.authToken,
        },
        {
          publicUrl: config.publicUrl,
@ -85,7 +83,7 @@ export async function createVoiceCallRuntime(params: {
  ttsRuntime?: TelephonyTtsRuntime;
  logger?: Logger;
 }): Promise<VoiceCallRuntime> {
-  const { config, coreConfig, ttsRuntime, logger } = params;
+  const { config: rawConfig, coreConfig, ttsRuntime, logger } = params;
  const log = logger ?? {
    info: console.log,
    warn: console.warn,
@ -93,6 +91,8 @@ export async function createVoiceCallRuntime(params: {
    debug: console.debug,
  };

+  const config = resolveVoiceCallConfig(rawConfig);
+
  if (!config.enabled) {
    throw new Error(
      "Voice call disabled. Enable the plugin entry in config.",
@ -125,9 +125,8 @@ export async function createVoiceCallRuntime(params: {
        provider: config.tunnel.provider,
        port: config.serve.port,
        path: config.serve.path,
-        ngrokAuthToken:
-          config.tunnel.ngrokAuthToken ?? process.env.NGROK_AUTHTOKEN,
-        ngrokDomain: config.tunnel.ngrokDomain ?? process.env.NGROK_DOMAIN,
+        ngrokAuthToken: config.tunnel.ngrokAuthToken,
+        ngrokDomain: config.tunnel.ngrokDomain,
      });
      publicUrl = tunnelResult?.publicUrl ?? null;
    } catch (err) {
--- a/extensions/voice-call/src/webhook-security.test.ts
+++ b/extensions/voice-call/src/webhook-security.test.ts
@ -205,4 +205,29 @@ describe("verifyTwilioWebhook", () => {

    expect(result.ok).toBe(true);
  });
+
+  it("rejects invalid signatures even with ngrok free tier enabled", () => {
+    const authToken = "test-auth-token";
+    const postBody = "CallSid=CS123&CallStatus=completed&From=%2B15550000000";
+
+    const result = verifyTwilioWebhook(
+      {
+        headers: {
+          host: "127.0.0.1:3334",
+          "x-forwarded-proto": "https",
+          "x-forwarded-host": "attacker.ngrok-free.app",
+          "x-twilio-signature": "invalid",
+        },
+        rawBody: postBody,
+        url: "http://127.0.0.1:3334/voice/webhook",
+        method: "POST",
+      },
+      authToken,
+      { allowNgrokFreeTier: true },
+    );
+
+    expect(result.ok).toBe(false);
+    expect(result.isNgrokFreeTier).toBe(true);
+    expect(result.reason).toMatch(/Invalid signature/);
+  });
 });
--- a/extensions/voice-call/src/webhook-security.ts
+++ b/extensions/voice-call/src/webhook-security.ts
@ -195,18 +195,6 @@ export function verifyTwilioWebhook(
    verificationUrl.includes(".ngrok-free.app") ||
    verificationUrl.includes(".ngrok.io");

-  if (isNgrokFreeTier && options?.allowNgrokFreeTier) {
-    console.warn(
-      "[voice-call] Twilio signature validation failed (proceeding for ngrok free tier compatibility)",
-    );
-    return {
-      ok: true,
-      reason: "ngrok free tier compatibility mode",
-      verificationUrl,
-      isNgrokFreeTier: true,
-    };
-  }
-
  return {
    ok: false,
    reason: `Invalid signature for URL: ${verificationUrl}`,
--- a/fly.private.toml
+++ b/fly.private.toml
@ -0,0 +1,39 @@
+# Clawdbot Fly.io PRIVATE deployment configuration
+# Use this template for hardened deployments with no public IP exposure.
+#
+# This config is suitable when:
+# - You only make outbound calls (no inbound webhooks needed)
+# - You use ngrok/Tailscale tunnels for any webhook callbacks
+# - You access the gateway via `fly proxy` or WireGuard, not public URL
+# - You want the deployment hidden from internet scanners (Shodan, etc.)
+#
+# See https://fly.io/docs/reference/configuration/
+
+app = "my-clawdbot"  # change to your app name
+primary_region = "iad"  # change to your closest region
+
+[build]
+  dockerfile = "Dockerfile"
+
+[env]
+  NODE_ENV = "production"
+  CLAWDBOT_PREFER_PNPM = "1"
+  CLAWDBOT_STATE_DIR = "/data"
+  NODE_OPTIONS = "--max-old-space-size=1536"
+
+[processes]
+  app = "node dist/index.js gateway --allow-unconfigured --port 3000 --bind lan"
+
+# NOTE: No [http_service] block = no public ingress allocated.
+# The gateway will only be accessible via:
+#   - fly proxy 3000:3000 -a <app-name>
+#   - fly wireguard (then access via internal IPv6)
+#   - fly ssh console
+
+[[vm]]
+  size = "shared-cpu-2x"
+  memory = "2048mb"
+
+[mounts]
+  source = "clawdbot_data"
+  destination = "/data"
--- a/scripts/claude-auth-status.sh
+++ b/scripts/claude-auth-status.sh
@ -54,7 +54,7 @@ calc_status_from_expires() {
 json_expires_for_claude_cli() {
    echo "$STATUS_JSON" | jq -r '
        [.auth.oauth.profiles[]
-          | select(.provider == "anthropic" and .type == "oauth" and .source == "claude-cli")
+          | select(.provider == "anthropic" and (.type == "oauth" or .type == "token"))
          | .expiresAt // 0]
        | max // 0
    ' 2>/dev/null || echo "0"
--- a/src/agents/auth-health.ts
+++ b/src/agents/auth-health.ts
@ -2,12 +2,10 @@ import type { ClawdbotConfig } from "../config/config.js";
 import {
  type AuthProfileCredential,
  type AuthProfileStore,
-  CLAUDE_CLI_PROFILE_ID,
-  CODEX_CLI_PROFILE_ID,
  resolveAuthProfileDisplayLabel,
 } from "./auth-profiles.js";

-export type AuthProfileSource = "claude-cli" | "codex-cli" | "store";
+export type AuthProfileSource = "store";

 export type AuthProfileHealthStatus = "ok" | "expiring" | "expired" | "missing" | "static";

@ -41,9 +39,7 @@ export type AuthHealthSummary = {

 export const DEFAULT_OAUTH_WARN_MS = 24 * 60 * 60 * 1000;

-export function resolveAuthProfileSource(profileId: string): AuthProfileSource {
-  if (profileId === CLAUDE_CLI_PROFILE_ID) return "claude-cli";
-  if (profileId === CODEX_CLI_PROFILE_ID) return "codex-cli";
+export function resolveAuthProfileSource(_profileId: string): AuthProfileSource {
  return "store";
 }

--- a/src/agents/auth-profiles.ensureauthprofilestore.test.ts
+++ b/src/agents/auth-profiles.ensureauthprofilestore.test.ts
@ -3,8 +3,7 @@ import os from "node:os";
 import path from "node:path";
 import { describe, expect, it } from "vitest";
 import { ensureAuthProfileStore } from "./auth-profiles.js";
-import { AUTH_STORE_VERSION, CODEX_CLI_PROFILE_ID } from "./auth-profiles/constants.js";
-import { withTempHome } from "../../test/helpers/temp-home.js";
+import { AUTH_STORE_VERSION } from "./auth-profiles/constants.js";

 describe("ensureAuthProfileStore", () => {
  it("migrates legacy auth.json and deletes it (PR #368)", () => {
@ -123,80 +122,4 @@ describe("ensureAuthProfileStore", () => {
      fs.rmSync(root, { recursive: true, force: true });
    }
  });
-
-  it("drops codex-cli from merged store when a custom openai-codex profile matches", async () => {
-    await withTempHome(async (tempHome) => {
-      const root = fs.mkdtempSync(path.join(os.tmpdir(), "clawdbot-auth-dedup-merge-"));
-      const previousAgentDir = process.env.CLAWDBOT_AGENT_DIR;
-      const previousPiAgentDir = process.env.PI_CODING_AGENT_DIR;
-      try {
-        const mainDir = path.join(root, "main-agent");
-        const agentDir = path.join(root, "agent-x");
-        fs.mkdirSync(mainDir, { recursive: true });
-        fs.mkdirSync(agentDir, { recursive: true });
-
-        process.env.CLAWDBOT_AGENT_DIR = mainDir;
-        process.env.PI_CODING_AGENT_DIR = mainDir;
-        process.env.HOME = tempHome;
-
-        fs.writeFileSync(
-          path.join(mainDir, "auth-profiles.json"),
-          `${JSON.stringify(
-            {
-              version: AUTH_STORE_VERSION,
-              profiles: {
-                [CODEX_CLI_PROFILE_ID]: {
-                  type: "oauth",
-                  provider: "openai-codex",
-                  access: "shared-access-token",
-                  refresh: "shared-refresh-token",
-                  expires: Date.now() + 3600000,
-                },
-              },
-            },
-            null,
-            2,
-          )}\n`,
-          "utf8",
-        );
-
-        fs.writeFileSync(
-          path.join(agentDir, "auth-profiles.json"),
-          `${JSON.stringify(
-            {
-              version: AUTH_STORE_VERSION,
-              profiles: {
-                "openai-codex:my-custom-profile": {
-                  type: "oauth",
-                  provider: "openai-codex",
-                  access: "shared-access-token",
-                  refresh: "shared-refresh-token",
-                  expires: Date.now() + 3600000,
-                },
-              },
-            },
-            null,
-            2,
-          )}\n`,
-          "utf8",
-        );
-
-        const store = ensureAuthProfileStore(agentDir);
-        expect(store.profiles[CODEX_CLI_PROFILE_ID]).toBeUndefined();
-        expect(store.profiles["openai-codex:my-custom-profile"]).toBeDefined();
-      } finally {
-        if (previousAgentDir === undefined) {
-          delete process.env.CLAWDBOT_AGENT_DIR;
-        } else {
-          process.env.CLAWDBOT_AGENT_DIR = previousAgentDir;
-        }
-        if (previousPiAgentDir === undefined) {
-          delete process.env.PI_CODING_AGENT_DIR;
-        } else {
-          process.env.PI_CODING_AGENT_DIR = previousPiAgentDir;
-        }
-        fs.rmSync(root, { recursive: true, force: true });
-      }
-    });
-  });
 });
--- a/src/agents/auth-profiles.external-cli-credential-sync.does-not-overwrite-api-keys-syncing-external.test.ts
+++ b/src/agents/auth-profiles.external-cli-credential-sync.does-not-overwrite-api-keys-syncing-external.test.ts
@ -1,102 +0,0 @@
-import fs from "node:fs";
-import os from "node:os";
-import path from "node:path";
-import { describe, expect, it } from "vitest";
-import { withTempHome } from "../../test/helpers/temp-home.js";
-import { CLAUDE_CLI_PROFILE_ID, ensureAuthProfileStore } from "./auth-profiles.js";
-
-describe("external CLI credential sync", () => {
-  it("does not overwrite API keys when syncing external CLI creds", async () => {
-    const agentDir = fs.mkdtempSync(path.join(os.tmpdir(), "clawdbot-no-overwrite-"));
-    try {
-      await withTempHome(
-        async (tempHome) => {
-          // Create Claude Code CLI credentials
-          const claudeDir = path.join(tempHome, ".claude");
-          fs.mkdirSync(claudeDir, { recursive: true });
-          const claudeCreds = {
-            claudeAiOauth: {
-              accessToken: "cli-access",
-              refreshToken: "cli-refresh",
-              expiresAt: Date.now() + 30 * 60 * 1000,
-            },
-          };
-          fs.writeFileSync(path.join(claudeDir, ".credentials.json"), JSON.stringify(claudeCreds));
-
-          // Create auth-profiles.json with an API key
-          const authPath = path.join(agentDir, "auth-profiles.json");
-          fs.writeFileSync(
-            authPath,
-            JSON.stringify({
-              version: 1,
-              profiles: {
-                "anthropic:default": {
-                  type: "api_key",
-                  provider: "anthropic",
-                  key: "sk-store",
-                },
-              },
-            }),
-          );
-
-          const store = ensureAuthProfileStore(agentDir);
-
-          // Should keep the store's API key and still add the CLI profile.
-          expect((store.profiles["anthropic:default"] as { key: string }).key).toBe("sk-store");
-          expect(store.profiles[CLAUDE_CLI_PROFILE_ID]).toBeDefined();
-        },
-        { prefix: "clawdbot-home-" },
-      );
-    } finally {
-      fs.rmSync(agentDir, { recursive: true, force: true });
-    }
-  });
-  it("prefers oauth over token even if token has later expiry (oauth enables auto-refresh)", async () => {
-    const agentDir = fs.mkdtempSync(path.join(os.tmpdir(), "clawdbot-cli-oauth-preferred-"));
-    try {
-      await withTempHome(
-        async (tempHome) => {
-          const claudeDir = path.join(tempHome, ".claude");
-          fs.mkdirSync(claudeDir, { recursive: true });
-          // CLI has OAuth credentials (with refresh token) expiring in 30 min
-          fs.writeFileSync(
-            path.join(claudeDir, ".credentials.json"),
-            JSON.stringify({
-              claudeAiOauth: {
-                accessToken: "cli-oauth-access",
-                refreshToken: "cli-refresh",
-                expiresAt: Date.now() + 30 * 60 * 1000,
-              },
-            }),
-          );
-
-          const authPath = path.join(agentDir, "auth-profiles.json");
-          // Store has token credentials expiring in 60 min (later than CLI)
-          fs.writeFileSync(
-            authPath,
-            JSON.stringify({
-              version: 1,
-              profiles: {
-                [CLAUDE_CLI_PROFILE_ID]: {
-                  type: "token",
-                  provider: "anthropic",
-                  token: "store-token-access",
-                  expires: Date.now() + 60 * 60 * 1000,
-                },
-              },
-            }),
-          );
-
-          const store = ensureAuthProfileStore(agentDir);
-          // OAuth should be preferred over token because it can auto-refresh
-          const cliProfile = store.profiles[CLAUDE_CLI_PROFILE_ID];
-          expect(cliProfile.type).toBe("oauth");
-          expect((cliProfile as { access: string }).access).toBe("cli-oauth-access");
-        },
-        { prefix: "clawdbot-home-" },
-      );
-    } finally {
-      fs.rmSync(agentDir, { recursive: true, force: true });
-    }
-  });
-});
--- a/src/agents/auth-profiles.external-cli-credential-sync.does-not-overwrite-fresher-store-oauth-older.test.ts
+++ b/src/agents/auth-profiles.external-cli-credential-sync.does-not-overwrite-fresher-store-oauth-older.test.ts
@ -1,106 +0,0 @@
-import fs from "node:fs";
-import os from "node:os";
-import path from "node:path";
-import { describe, expect, it } from "vitest";
-import { withTempHome } from "../../test/helpers/temp-home.js";
-import { CLAUDE_CLI_PROFILE_ID, ensureAuthProfileStore } from "./auth-profiles.js";
-
-describe("external CLI credential sync", () => {
-  it("does not overwrite fresher store oauth with older CLI oauth", async () => {
-    const agentDir = fs.mkdtempSync(path.join(os.tmpdir(), "clawdbot-cli-oauth-no-downgrade-"));
-    try {
-      await withTempHome(
-        async (tempHome) => {
-          const claudeDir = path.join(tempHome, ".claude");
-          fs.mkdirSync(claudeDir, { recursive: true });
-          // CLI has OAuth credentials expiring in 30 min
-          fs.writeFileSync(
-            path.join(claudeDir, ".credentials.json"),
-            JSON.stringify({
-              claudeAiOauth: {
-                accessToken: "cli-oauth-access",
-                refreshToken: "cli-refresh",
-                expiresAt: Date.now() + 30 * 60 * 1000,
-              },
-            }),
-          );
-
-          const authPath = path.join(agentDir, "auth-profiles.json");
-          // Store has OAuth credentials expiring in 60 min (later than CLI)
-          fs.writeFileSync(
-            authPath,
-            JSON.stringify({
-              version: 1,
-              profiles: {
-                [CLAUDE_CLI_PROFILE_ID]: {
-                  type: "oauth",
-                  provider: "anthropic",
-                  access: "store-oauth-access",
-                  refresh: "store-refresh",
-                  expires: Date.now() + 60 * 60 * 1000,
-                },
-              },
-            }),
-          );
-
-          const store = ensureAuthProfileStore(agentDir);
-          // Fresher store oauth should be kept
-          const cliProfile = store.profiles[CLAUDE_CLI_PROFILE_ID];
-          expect(cliProfile.type).toBe("oauth");
-          expect((cliProfile as { access: string }).access).toBe("store-oauth-access");
-        },
-        { prefix: "clawdbot-home-" },
-      );
-    } finally {
-      fs.rmSync(agentDir, { recursive: true, force: true });
-    }
-  });
-  it("does not downgrade store oauth to token when CLI lacks refresh token", async () => {
-    const agentDir = fs.mkdtempSync(path.join(os.tmpdir(), "clawdbot-cli-no-downgrade-oauth-"));
-    try {
-      await withTempHome(
-        async (tempHome) => {
-          const claudeDir = path.join(tempHome, ".claude");
-          fs.mkdirSync(claudeDir, { recursive: true });
-          // CLI has token-only credentials (no refresh token)
-          fs.writeFileSync(
-            path.join(claudeDir, ".credentials.json"),
-            JSON.stringify({
-              claudeAiOauth: {
-                accessToken: "cli-token-access",
-                expiresAt: Date.now() + 30 * 60 * 1000,
-              },
-            }),
-          );
-
-          const authPath = path.join(agentDir, "auth-profiles.json");
-          // Store already has OAuth credentials with refresh token
-          fs.writeFileSync(
-            authPath,
-            JSON.stringify({
-              version: 1,
-              profiles: {
-                [CLAUDE_CLI_PROFILE_ID]: {
-                  type: "oauth",
-                  provider: "anthropic",
-                  access: "store-oauth-access",
-                  refresh: "store-refresh",
-                  expires: Date.now() + 60 * 60 * 1000,
-                },
-              },
-            }),
-          );
-
-          const store = ensureAuthProfileStore(agentDir);
-          // Keep oauth to preserve auto-refresh capability
-          const cliProfile = store.profiles[CLAUDE_CLI_PROFILE_ID];
-          expect(cliProfile.type).toBe("oauth");
-          expect((cliProfile as { access: string }).access).toBe("store-oauth-access");
-        },
-        { prefix: "clawdbot-home-" },
-      );
-    } finally {
-      fs.rmSync(agentDir, { recursive: true, force: true });
-    }
-  });
-});
--- a/src/agents/auth-profiles.external-cli-credential-sync.skips-codex-sync-when-credentials-exist-in-another-profile.test.ts
+++ b/src/agents/auth-profiles.external-cli-credential-sync.skips-codex-sync-when-credentials-exist-in-another-profile.test.ts
@ -1,166 +0,0 @@
-import fs from "node:fs";
-import os from "node:os";
-import path from "node:path";
-import { describe, expect, it } from "vitest";
-import { withTempHome } from "../../test/helpers/temp-home.js";
-import { CODEX_CLI_PROFILE_ID, ensureAuthProfileStore } from "./auth-profiles.js";
-
-describe("external CLI credential sync", () => {
-  it("skips codex-cli sync when credentials already exist in another openai-codex profile", async () => {
-    const agentDir = fs.mkdtempSync(path.join(os.tmpdir(), "clawdbot-codex-dedup-skip-"));
-    try {
-      await withTempHome(
-        async (tempHome) => {
-          const codexDir = path.join(tempHome, ".codex");
-          fs.mkdirSync(codexDir, { recursive: true });
-          const codexAuthPath = path.join(codexDir, "auth.json");
-          fs.writeFileSync(
-            codexAuthPath,
-            JSON.stringify({
-              tokens: {
-                access_token: "shared-access-token",
-                refresh_token: "shared-refresh-token",
-              },
-            }),
-          );
-          fs.utimesSync(codexAuthPath, new Date(), new Date());
-
-          const authPath = path.join(agentDir, "auth-profiles.json");
-          fs.writeFileSync(
-            authPath,
-            JSON.stringify({
-              version: 1,
-              profiles: {
-                "openai-codex:my-custom-profile": {
-                  type: "oauth",
-                  provider: "openai-codex",
-                  access: "shared-access-token",
-                  refresh: "shared-refresh-token",
-                  expires: Date.now() + 3600000,
-                },
-              },
-            }),
-          );
-
-          const store = ensureAuthProfileStore(agentDir);
-
-          expect(store.profiles[CODEX_CLI_PROFILE_ID]).toBeUndefined();
-          expect(store.profiles["openai-codex:my-custom-profile"]).toBeDefined();
-        },
-        { prefix: "clawdbot-home-" },
-      );
-    } finally {
-      fs.rmSync(agentDir, { recursive: true, force: true });
-    }
-  });
-
-  it("creates codex-cli profile when credentials differ from existing openai-codex profiles", async () => {
-    const agentDir = fs.mkdtempSync(path.join(os.tmpdir(), "clawdbot-codex-dedup-create-"));
-    try {
-      await withTempHome(
-        async (tempHome) => {
-          const codexDir = path.join(tempHome, ".codex");
-          fs.mkdirSync(codexDir, { recursive: true });
-          const codexAuthPath = path.join(codexDir, "auth.json");
-          fs.writeFileSync(
-            codexAuthPath,
-            JSON.stringify({
-              tokens: {
-                access_token: "unique-access-token",
-                refresh_token: "unique-refresh-token",
-              },
-            }),
-          );
-          fs.utimesSync(codexAuthPath, new Date(), new Date());
-
-          const authPath = path.join(agentDir, "auth-profiles.json");
-          fs.writeFileSync(
-            authPath,
-            JSON.stringify({
-              version: 1,
-              profiles: {
-                "openai-codex:my-custom-profile": {
-                  type: "oauth",
-                  provider: "openai-codex",
-                  access: "different-access-token",
-                  refresh: "different-refresh-token",
-                  expires: Date.now() + 3600000,
-                },
-              },
-            }),
-          );
-
-          const store = ensureAuthProfileStore(agentDir);
-
-          expect(store.profiles[CODEX_CLI_PROFILE_ID]).toBeDefined();
-          expect((store.profiles[CODEX_CLI_PROFILE_ID] as { access: string }).access).toBe(
-            "unique-access-token",
-          );
-          expect(store.profiles["openai-codex:my-custom-profile"]).toBeDefined();
-        },
-        { prefix: "clawdbot-home-" },
-      );
-    } finally {
-      fs.rmSync(agentDir, { recursive: true, force: true });
-    }
-  });
-
-  it("removes codex-cli profile when it duplicates another openai-codex profile", async () => {
-    const agentDir = fs.mkdtempSync(path.join(os.tmpdir(), "clawdbot-codex-dedup-remove-"));
-    try {
-      await withTempHome(
-        async (tempHome) => {
-          const codexDir = path.join(tempHome, ".codex");
-          fs.mkdirSync(codexDir, { recursive: true });
-          const codexAuthPath = path.join(codexDir, "auth.json");
-          fs.writeFileSync(
-            codexAuthPath,
-            JSON.stringify({
-              tokens: {
-                access_token: "shared-access-token",
-                refresh_token: "shared-refresh-token",
-              },
-            }),
-          );
-          fs.utimesSync(codexAuthPath, new Date(), new Date());
-
-          const authPath = path.join(agentDir, "auth-profiles.json");
-          fs.writeFileSync(
-            authPath,
-            JSON.stringify({
-              version: 1,
-              profiles: {
-                [CODEX_CLI_PROFILE_ID]: {
-                  type: "oauth",
-                  provider: "openai-codex",
-                  access: "shared-access-token",
-                  refresh: "shared-refresh-token",
-                  expires: Date.now() + 3600000,
-                },
-                "openai-codex:my-custom-profile": {
-                  type: "oauth",
-                  provider: "openai-codex",
-                  access: "shared-access-token",
-                  refresh: "shared-refresh-token",
-                  expires: Date.now() + 3600000,
-                },
-              },
-            }),
-          );
-
-          const store = ensureAuthProfileStore(agentDir);
-
-          expect(store.profiles[CODEX_CLI_PROFILE_ID]).toBeUndefined();
-          const saved = JSON.parse(fs.readFileSync(authPath, "utf8")) as {
-            profiles?: Record<string, unknown>;
-          };
-          expect(saved.profiles?.[CODEX_CLI_PROFILE_ID]).toBeUndefined();
-          expect(saved.profiles?.["openai-codex:my-custom-profile"]).toBeDefined();
-        },
-        { prefix: "clawdbot-home-" },
-      );
-    } finally {
-      fs.rmSync(agentDir, { recursive: true, force: true });
-    }
-  });
-});
--- a/src/agents/auth-profiles.external-cli-credential-sync.syncs-claude-cli-oauth-credentials-into-anthropic.test.ts
+++ b/src/agents/auth-profiles.external-cli-credential-sync.syncs-claude-cli-oauth-credentials-into-anthropic.test.ts
@ -1,96 +0,0 @@
-import fs from "node:fs";
-import os from "node:os";
-import path from "node:path";
-import { describe, expect, it } from "vitest";
-import { withTempHome } from "../../test/helpers/temp-home.js";
-import { CLAUDE_CLI_PROFILE_ID, ensureAuthProfileStore } from "./auth-profiles.js";
-
-describe("external CLI credential sync", () => {
-  it("syncs Claude Code CLI OAuth credentials into anthropic:claude-cli", async () => {
-    const agentDir = fs.mkdtempSync(path.join(os.tmpdir(), "clawdbot-cli-sync-"));
-    try {
-      // Create a temp home with Claude Code CLI credentials
-      await withTempHome(
-        async (tempHome) => {
-          // Create Claude Code CLI credentials with refreshToken (OAuth)
-          const claudeDir = path.join(tempHome, ".claude");
-          fs.mkdirSync(claudeDir, { recursive: true });
-          const claudeCreds = {
-            claudeAiOauth: {
-              accessToken: "fresh-access-token",
-              refreshToken: "fresh-refresh-token",
-              expiresAt: Date.now() + 60 * 60 * 1000, // 1 hour from now
-            },
-          };
-          fs.writeFileSync(path.join(claudeDir, ".credentials.json"), JSON.stringify(claudeCreds));
-
-          // Create empty auth-profiles.json
-          const authPath = path.join(agentDir, "auth-profiles.json");
-          fs.writeFileSync(
-            authPath,
-            JSON.stringify({
-              version: 1,
-              profiles: {
-                "anthropic:default": {
-                  type: "api_key",
-                  provider: "anthropic",
-                  key: "sk-default",
-                },
-              },
-            }),
-          );
-
-          // Load the store - should sync from CLI as OAuth credential
-          const store = ensureAuthProfileStore(agentDir);
-
-          expect(store.profiles["anthropic:default"]).toBeDefined();
-          expect((store.profiles["anthropic:default"] as { key: string }).key).toBe("sk-default");
-          expect(store.profiles[CLAUDE_CLI_PROFILE_ID]).toBeDefined();
-          // Should be stored as OAuth credential (type: "oauth") for auto-refresh
-          const cliProfile = store.profiles[CLAUDE_CLI_PROFILE_ID];
-          expect(cliProfile.type).toBe("oauth");
-          expect((cliProfile as { access: string }).access).toBe("fresh-access-token");
-          expect((cliProfile as { refresh: string }).refresh).toBe("fresh-refresh-token");
-          expect((cliProfile as { expires: number }).expires).toBeGreaterThan(Date.now());
-        },
-        { prefix: "clawdbot-home-" },
-      );
-    } finally {
-      fs.rmSync(agentDir, { recursive: true, force: true });
-    }
-  });
-  it("syncs Claude Code CLI credentials without refreshToken as token type", async () => {
-    const agentDir = fs.mkdtempSync(path.join(os.tmpdir(), "clawdbot-cli-token-sync-"));
-    try {
-      await withTempHome(
-        async (tempHome) => {
-          // Create Claude Code CLI credentials WITHOUT refreshToken (fallback to token type)
-          const claudeDir = path.join(tempHome, ".claude");
-          fs.mkdirSync(claudeDir, { recursive: true });
-          const claudeCreds = {
-            claudeAiOauth: {
-              accessToken: "access-only-token",
-              // No refreshToken - backward compatibility scenario
-              expiresAt: Date.now() + 60 * 60 * 1000,
-            },
-          };
-          fs.writeFileSync(path.join(claudeDir, ".credentials.json"), JSON.stringify(claudeCreds));
-
-          const authPath = path.join(agentDir, "auth-profiles.json");
-          fs.writeFileSync(authPath, JSON.stringify({ version: 1, profiles: {} }));
-
-          const store = ensureAuthProfileStore(agentDir);
-
-          expect(store.profiles[CLAUDE_CLI_PROFILE_ID]).toBeDefined();
-          // Should be stored as token type (no refresh capability)
-          const cliProfile = store.profiles[CLAUDE_CLI_PROFILE_ID];
-          expect(cliProfile.type).toBe("token");
-          expect((cliProfile as { token: string }).token).toBe("access-only-token");
-        },
-        { prefix: "clawdbot-home-" },
-      );
-    } finally {
-      fs.rmSync(agentDir, { recursive: true, force: true });
-    }
-  });
-});
--- a/src/agents/auth-profiles.external-cli-credential-sync.updates-codex-cli-profile-codex-cli-refresh.test.ts
+++ b/src/agents/auth-profiles.external-cli-credential-sync.updates-codex-cli-profile-codex-cli-refresh.test.ts
@ -1,56 +0,0 @@
-import fs from "node:fs";
-import os from "node:os";
-import path from "node:path";
-import { describe, expect, it } from "vitest";
-import { withTempHome } from "../../test/helpers/temp-home.js";
-import { CODEX_CLI_PROFILE_ID, ensureAuthProfileStore } from "./auth-profiles.js";
-
-describe("external CLI credential sync", () => {
-  it("updates codex-cli profile when Codex CLI refresh token changes", async () => {
-    const agentDir = fs.mkdtempSync(path.join(os.tmpdir(), "clawdbot-codex-refresh-sync-"));
-    try {
-      await withTempHome(
-        async (tempHome) => {
-          const codexDir = path.join(tempHome, ".codex");
-          fs.mkdirSync(codexDir, { recursive: true });
-          const codexAuthPath = path.join(codexDir, "auth.json");
-          fs.writeFileSync(
-            codexAuthPath,
-            JSON.stringify({
-              tokens: {
-                access_token: "same-access",
-                refresh_token: "new-refresh",
-              },
-            }),
-          );
-          fs.utimesSync(codexAuthPath, new Date(), new Date());
-
-          const authPath = path.join(agentDir, "auth-profiles.json");
-          fs.writeFileSync(
-            authPath,
-            JSON.stringify({
-              version: 1,
-              profiles: {
-                [CODEX_CLI_PROFILE_ID]: {
-                  type: "oauth",
-                  provider: "openai-codex",
-                  access: "same-access",
-                  refresh: "old-refresh",
-                  expires: Date.now() - 1000,
-                },
-              },
-            }),
-          );
-
-          const store = ensureAuthProfileStore(agentDir);
-          expect((store.profiles[CODEX_CLI_PROFILE_ID] as { refresh: string }).refresh).toBe(
-            "new-refresh",
-          );
-        },
-        { prefix: "clawdbot-home-" },
-      );
-    } finally {
-      fs.rmSync(agentDir, { recursive: true, force: true });
-    }
-  });
-});
--- a/src/agents/auth-profiles.external-cli-credential-sync.upgrades-token-oauth-claude-cli-gets-refreshtoken.test.ts
+++ b/src/agents/auth-profiles.external-cli-credential-sync.upgrades-token-oauth-claude-cli-gets-refreshtoken.test.ts
@ -1,103 +0,0 @@
-import fs from "node:fs";
-import os from "node:os";
-import path from "node:path";
-import { describe, expect, it } from "vitest";
-import { withTempHome } from "../../test/helpers/temp-home.js";
-import {
-  CLAUDE_CLI_PROFILE_ID,
-  CODEX_CLI_PROFILE_ID,
-  ensureAuthProfileStore,
-} from "./auth-profiles.js";
-
-describe("external CLI credential sync", () => {
-  it("upgrades token to oauth when Claude Code CLI gets refreshToken", async () => {
-    const agentDir = fs.mkdtempSync(path.join(os.tmpdir(), "clawdbot-cli-upgrade-"));
-    try {
-      await withTempHome(
-        async (tempHome) => {
-          // Create Claude Code CLI credentials with refreshToken
-          const claudeDir = path.join(tempHome, ".claude");
-          fs.mkdirSync(claudeDir, { recursive: true });
-          fs.writeFileSync(
-            path.join(claudeDir, ".credentials.json"),
-            JSON.stringify({
-              claudeAiOauth: {
-                accessToken: "new-oauth-access",
-                refreshToken: "new-refresh-token",
-                expiresAt: Date.now() + 60 * 60 * 1000,
-              },
-            }),
-          );
-
-          // Create auth-profiles.json with existing token type credential
-          const authPath = path.join(agentDir, "auth-profiles.json");
-          fs.writeFileSync(
-            authPath,
-            JSON.stringify({
-              version: 1,
-              profiles: {
-                [CLAUDE_CLI_PROFILE_ID]: {
-                  type: "token",
-                  provider: "anthropic",
-                  token: "old-token",
-                  expires: Date.now() + 30 * 60 * 1000,
-                },
-              },
-            }),
-          );
-
-          const store = ensureAuthProfileStore(agentDir);
-
-          // Should upgrade from token to oauth
-          const cliProfile = store.profiles[CLAUDE_CLI_PROFILE_ID];
-          expect(cliProfile.type).toBe("oauth");
-          expect((cliProfile as { access: string }).access).toBe("new-oauth-access");
-          expect((cliProfile as { refresh: string }).refresh).toBe("new-refresh-token");
-        },
-        { prefix: "clawdbot-home-" },
-      );
-    } finally {
-      fs.rmSync(agentDir, { recursive: true, force: true });
-    }
-  });
-  it("syncs Codex CLI credentials into openai-codex:codex-cli", async () => {
-    const agentDir = fs.mkdtempSync(path.join(os.tmpdir(), "clawdbot-codex-sync-"));
-    try {
-      await withTempHome(
-        async (tempHome) => {
-          // Create Codex CLI credentials
-          const codexDir = path.join(tempHome, ".codex");
-          fs.mkdirSync(codexDir, { recursive: true });
-          const codexCreds = {
-            tokens: {
-              access_token: "codex-access-token",
-              refresh_token: "codex-refresh-token",
-            },
-          };
-          const codexAuthPath = path.join(codexDir, "auth.json");
-          fs.writeFileSync(codexAuthPath, JSON.stringify(codexCreds));
-
-          // Create empty auth-profiles.json
-          const authPath = path.join(agentDir, "auth-profiles.json");
-          fs.writeFileSync(
-            authPath,
-            JSON.stringify({
-              version: 1,
-              profiles: {},
-            }),
-          );
-
-          const store = ensureAuthProfileStore(agentDir);
-
-          expect(store.profiles[CODEX_CLI_PROFILE_ID]).toBeDefined();
-          expect((store.profiles[CODEX_CLI_PROFILE_ID] as { access: string }).access).toBe(
-            "codex-access-token",
-          );
-        },
-        { prefix: "clawdbot-home-" },
-      );
-    } finally {
-      fs.rmSync(agentDir, { recursive: true, force: true });
-    }
-  });
-});
--- a/src/agents/auth-profiles/external-cli-sync.ts
+++ b/src/agents/auth-profiles/external-cli-sync.ts
@ -1,22 +1,11 @@
+import { readQwenCliCredentialsCached } from "../cli-credentials.js";
 import {
-  readClaudeCliCredentialsCached,
-  readCodexCliCredentialsCached,
-  readQwenCliCredentialsCached,
-} from "../cli-credentials.js";
-import {
-  CLAUDE_CLI_PROFILE_ID,
-  CODEX_CLI_PROFILE_ID,
  EXTERNAL_CLI_NEAR_EXPIRY_MS,
  EXTERNAL_CLI_SYNC_TTL_MS,
  QWEN_CLI_PROFILE_ID,
  log,
 } from "./constants.js";
-import type {
-  AuthProfileCredential,
-  AuthProfileStore,
-  OAuthCredential,
-  TokenCredential,
-} from "./types.js";
+import type { AuthProfileCredential, AuthProfileStore, OAuthCredential } from "./types.js";

 function shallowEqualOAuthCredentials(a: OAuthCredential | undefined, b: OAuthCredential): boolean {
  if (!a) return false;
@ -33,25 +22,10 @@ function shallowEqualOAuthCredentials(a: OAuthCredential | undefined, b: OAuthCr
  );
 }

-function shallowEqualTokenCredentials(a: TokenCredential | undefined, b: TokenCredential): boolean {
-  if (!a) return false;
-  if (a.type !== "token") return false;
-  return (
-    a.provider === b.provider &&
-    a.token === b.token &&
-    a.expires === b.expires &&
-    a.email === b.email
-  );
-}
-
 function isExternalProfileFresh(cred: AuthProfileCredential | undefined, now: number): boolean {
  if (!cred) return false;
  if (cred.type !== "oauth" && cred.type !== "token") return false;
-  if (
-    cred.provider !== "anthropic" &&
-    cred.provider !== "openai-codex" &&
-    cred.provider !== "qwen-portal"
-  ) {
+  if (cred.provider !== "qwen-portal") {
    return false;
  }
  if (typeof cred.expires !== "number") return true;
@ -59,163 +33,14 @@ function isExternalProfileFresh(cred: AuthProfileCredential | undefined, now: nu
 }

 /**
- * Find any existing openai-codex profile (other than codex-cli) that has the same
- * access and refresh tokens. This prevents creating a duplicate codex-cli profile
- * when the user has already set up a custom profile with the same credentials.
- */
-export function findDuplicateCodexProfile(
-  store: AuthProfileStore,
-  creds: OAuthCredential,
-): string | undefined {
-  for (const [profileId, profile] of Object.entries(store.profiles)) {
-    if (profileId === CODEX_CLI_PROFILE_ID) continue;
-    if (profile.type !== "oauth") continue;
-    if (profile.provider !== "openai-codex") continue;
-    if (profile.access === creds.access && profile.refresh === creds.refresh) {
-      return profileId;
-    }
-  }
-  return undefined;
-}
-
-/**
- * Sync OAuth credentials from external CLI tools (Claude Code CLI, Codex CLI) into the store.
- * This allows clawdbot to use the same credentials as these tools without requiring
- * separate authentication, and keeps credentials in sync when CLI tools refresh tokens.
+ * Sync OAuth credentials from external CLI tools (Qwen Code CLI) into the store.
 *
 * Returns true if any credentials were updated.
 */
-export function syncExternalCliCredentials(
-  store: AuthProfileStore,
-  options?: { allowKeychainPrompt?: boolean },
-): boolean {
+export function syncExternalCliCredentials(store: AuthProfileStore): boolean {
  let mutated = false;
  const now = Date.now();

-  // Sync from Claude Code CLI (supports both OAuth and Token credentials)
-  const existingClaude = store.profiles[CLAUDE_CLI_PROFILE_ID];
-  const shouldSyncClaude =
-    !existingClaude ||
-    existingClaude.provider !== "anthropic" ||
-    existingClaude.type === "token" ||
-    !isExternalProfileFresh(existingClaude, now);
-  const claudeCreds = shouldSyncClaude
-    ? readClaudeCliCredentialsCached({
-        allowKeychainPrompt: options?.allowKeychainPrompt,
-        ttlMs: EXTERNAL_CLI_SYNC_TTL_MS,
-      })
-    : null;
-  if (claudeCreds) {
-    const existing = store.profiles[CLAUDE_CLI_PROFILE_ID];
-    const claudeCredsExpires = claudeCreds.expires ?? 0;
-
-    // Determine if we should update based on credential comparison
-    let shouldUpdate = false;
-    let isEqual = false;
-
-    if (claudeCreds.type === "oauth") {
-      const existingOAuth = existing?.type === "oauth" ? existing : undefined;
-      isEqual = shallowEqualOAuthCredentials(existingOAuth, claudeCreds);
-      // Update if: no existing profile, type changed to oauth, expired, or CLI has newer token
-      shouldUpdate =
-        !existingOAuth ||
-        existingOAuth.provider !== "anthropic" ||
-        existingOAuth.expires <= now ||
-        (claudeCredsExpires > now && claudeCredsExpires > existingOAuth.expires);
-    } else {
-      const existingToken = existing?.type === "token" ? existing : undefined;
-      isEqual = shallowEqualTokenCredentials(existingToken, claudeCreds);
-      // Update if: no existing profile, expired, or CLI has newer token
-      shouldUpdate =
-        !existingToken ||
-        existingToken.provider !== "anthropic" ||
-        (existingToken.expires ?? 0) <= now ||
-        (claudeCredsExpires > now && claudeCredsExpires > (existingToken.expires ?? 0));
-    }
-
-    // Also update if credential type changed (token -> oauth upgrade)
-    if (existing && existing.type !== claudeCreds.type) {
-      // Prefer oauth over token (enables auto-refresh)
-      if (claudeCreds.type === "oauth") {
-        shouldUpdate = true;
-        isEqual = false;
-      }
-    }
-
-    // Avoid downgrading from oauth to token-only credentials.
-    if (existing?.type === "oauth" && claudeCreds.type === "token") {
-      shouldUpdate = false;
-    }
-
-    if (shouldUpdate && !isEqual) {
-      store.profiles[CLAUDE_CLI_PROFILE_ID] = claudeCreds;
-      mutated = true;
-      log.info("synced anthropic credentials from claude cli", {
-        profileId: CLAUDE_CLI_PROFILE_ID,
-        type: claudeCreds.type,
-        expires:
-          typeof claudeCreds.expires === "number"
-            ? new Date(claudeCreds.expires).toISOString()
-            : "unknown",
-      });
-    }
-  }
-
-  // Sync from Codex CLI
-  const existingCodex = store.profiles[CODEX_CLI_PROFILE_ID];
-  const existingCodexOAuth = existingCodex?.type === "oauth" ? existingCodex : undefined;
-  const duplicateExistingId = existingCodexOAuth
-    ? findDuplicateCodexProfile(store, existingCodexOAuth)
-    : undefined;
-  if (duplicateExistingId) {
-    delete store.profiles[CODEX_CLI_PROFILE_ID];
-    mutated = true;
-    log.info("removed codex-cli profile: credentials already exist in another profile", {
-      existingProfileId: duplicateExistingId,
-      removedProfileId: CODEX_CLI_PROFILE_ID,
-    });
-  }
-  const shouldSyncCodex =
-    !existingCodex ||
-    existingCodex.provider !== "openai-codex" ||
-    !isExternalProfileFresh(existingCodex, now);
-  const codexCreds =
-    shouldSyncCodex || duplicateExistingId
-      ? readCodexCliCredentialsCached({ ttlMs: EXTERNAL_CLI_SYNC_TTL_MS })
-      : null;
-  if (codexCreds) {
-    const duplicateProfileId = findDuplicateCodexProfile(store, codexCreds);
-    if (duplicateProfileId) {
-      if (store.profiles[CODEX_CLI_PROFILE_ID]) {
-        delete store.profiles[CODEX_CLI_PROFILE_ID];
-        mutated = true;
-        log.info("removed codex-cli profile: credentials already exist in another profile", {
-          existingProfileId: duplicateProfileId,
-          removedProfileId: CODEX_CLI_PROFILE_ID,
-        });
-      }
-    } else {
-      const existing = store.profiles[CODEX_CLI_PROFILE_ID];
-      const existingOAuth = existing?.type === "oauth" ? existing : undefined;
-
-      // Codex creds don't carry expiry; use file mtime heuristic for freshness.
-      const shouldUpdate =
-        !existingOAuth ||
-        existingOAuth.provider !== "openai-codex" ||
-        existingOAuth.expires <= now ||
-        codexCreds.expires > existingOAuth.expires;
-
-      if (shouldUpdate && !shallowEqualOAuthCredentials(existingOAuth, codexCreds)) {
-        store.profiles[CODEX_CLI_PROFILE_ID] = codexCreds;
-        mutated = true;
-        log.info("synced openai-codex credentials from codex cli", {
-          profileId: CODEX_CLI_PROFILE_ID,
-          expires: new Date(codexCreds.expires).toISOString(),
-        });
-      }
-    }
-  }
-
  // Sync from Qwen Code CLI
  const existingQwen = store.profiles[QWEN_CLI_PROFILE_ID];
  const shouldSyncQwen =
--- a/src/agents/auth-profiles/oauth.ts
+++ b/src/agents/auth-profiles/oauth.ts
@ -4,8 +4,7 @@ import lockfile from "proper-lockfile";
 import type { ClawdbotConfig } from "../../config/config.js";
 import { refreshChutesTokens } from "../chutes-oauth.js";
 import { refreshQwenPortalCredentials } from "../../providers/qwen-portal-oauth.js";
-import { writeClaudeCliCredentials } from "../cli-credentials.js";
-import { AUTH_STORE_LOCK_OPTIONS, CLAUDE_CLI_PROFILE_ID } from "./constants.js";
+import { AUTH_STORE_LOCK_OPTIONS } from "./constants.js";
 import { formatAuthDoctorHint } from "./doctor.js";
 import { ensureAuthStoreFile, resolveAuthStorePath } from "./paths.js";
 import { suggestOAuthProfileIdForLegacyDefault } from "./repair.js";
@ -72,12 +71,6 @@ async function refreshOAuthTokenWithLock(params: {
    };
    saveAuthProfileStore(store, params.agentDir);

-    // Sync refreshed credentials back to Claude Code CLI if this is the claude-cli profile
-    // This ensures Claude Code continues to work after ClawdBot refreshes the token
-    if (params.profileId === CLAUDE_CLI_PROFILE_ID && cred.provider === "anthropic") {
-      writeClaudeCliCredentials(result.newCredentials);
-    }
-
    return result;
  } finally {
    if (release) {
--- a/src/agents/auth-profiles/store.ts
+++ b/src/agents/auth-profiles/store.ts
@ -3,13 +3,8 @@ import type { OAuthCredentials } from "@mariozechner/pi-ai";
 import lockfile from "proper-lockfile";
 import { resolveOAuthPath } from "../../config/paths.js";
 import { loadJsonFile, saveJsonFile } from "../../infra/json-file.js";
-import {
-  AUTH_STORE_LOCK_OPTIONS,
-  AUTH_STORE_VERSION,
-  CODEX_CLI_PROFILE_ID,
-  log,
-} from "./constants.js";
-import { findDuplicateCodexProfile, syncExternalCliCredentials } from "./external-cli-sync.js";
+import { AUTH_STORE_LOCK_OPTIONS, AUTH_STORE_VERSION, log } from "./constants.js";
+import { syncExternalCliCredentials } from "./external-cli-sync.js";
 import { ensureAuthStoreFile, resolveAuthStorePath, resolveLegacyAuthStorePath } from "./paths.js";
 import type { AuthProfileCredential, AuthProfileStore, ProfileUsageStats } from "./types.js";

@ -229,14 +224,14 @@ export function loadAuthProfileStore(): AuthProfileStore {

 function loadAuthProfileStoreForAgent(
  agentDir?: string,
-  options?: { allowKeychainPrompt?: boolean },
+  _options?: { allowKeychainPrompt?: boolean },
 ): AuthProfileStore {
  const authPath = resolveAuthStorePath(agentDir);
  const raw = loadJsonFile(authPath);
  const asStore = coerceAuthStore(raw);
  if (asStore) {
    // Sync from external CLI tools on every load
-    const synced = syncExternalCliCredentials(asStore, options);
+    const synced = syncExternalCliCredentials(asStore);
    if (synced) {
      saveJsonFile(authPath, asStore);
    }
@ -297,7 +292,7 @@ function loadAuthProfileStoreForAgent(
  }

  const mergedOAuth = mergeOAuthFileIntoStore(store);
-  const syncedCli = syncExternalCliCredentials(store, options);
+  const syncedCli = syncExternalCliCredentials(store);
  const shouldWrite = legacy !== null || mergedOAuth || syncedCli;
  if (shouldWrite) {
    saveJsonFile(authPath, store);
@ -337,15 +332,6 @@ export function ensureAuthProfileStore(
  const mainStore = loadAuthProfileStoreForAgent(undefined, options);
  const merged = mergeAuthProfileStores(mainStore, store);

-  // Keep per-agent view clean even if the main store has codex-cli.
-  const codexProfile = merged.profiles[CODEX_CLI_PROFILE_ID];
-  if (codexProfile?.type === "oauth") {
-    const duplicateId = findDuplicateCodexProfile(merged, codexProfile);
-    if (duplicateId) {
-      delete merged.profiles[CODEX_CLI_PROFILE_ID];
-    }
-  }
-
  return merged;
 }

--- a/src/agents/model-fallback.test.ts
+++ b/src/agents/model-fallback.test.ts
@ -101,7 +101,7 @@ describe("runWithModelFallback", () => {
    const cfg = makeCfg();
    const run = vi
      .fn()
-      .mockRejectedValueOnce(new Error('No credentials found for profile "anthropic:claude-cli".'))
+      .mockRejectedValueOnce(new Error('No credentials found for profile "anthropic:default".'))
      .mockResolvedValueOnce("ok");

    const result = await runWithModelFallback({
--- a/src/agents/pi-embedded-helpers.isautherrormessage.test.ts
+++ b/src/agents/pi-embedded-helpers.isautherrormessage.test.ts
@ -12,7 +12,7 @@ const _makeFile = (overrides: Partial<WorkspaceBootstrapFile>): WorkspaceBootstr
 describe("isAuthErrorMessage", () => {
  it("matches credential validation errors", () => {
    const samples = [
-      'No credentials found for profile "anthropic:claude-cli".',
+      'No credentials found for profile "anthropic:default".',
      "No API key found for profile openai.",
    ];
    for (const sample of samples) {
--- a/src/agents/pi-embedded-utils.test.ts
+++ b/src/agents/pi-embedded-utils.test.ts
@ -1,6 +1,6 @@
 import type { AssistantMessage } from "@mariozechner/pi-ai";
 import { describe, expect, it } from "vitest";
-import { extractAssistantText } from "./pi-embedded-utils.js";
+import { extractAssistantText, formatReasoningMessage } from "./pi-embedded-utils.js";

 describe("extractAssistantText", () => {
  it("strips Minimax tool invocation XML from text", () => {
@ -508,3 +508,41 @@ File contents here`,
    expect(result).toBe("StartMiddleEnd");
  });
 });
+
+describe("formatReasoningMessage", () => {
+  it("returns empty string for empty input", () => {
+    expect(formatReasoningMessage("")).toBe("");
+  });
+
+  it("returns empty string for whitespace-only input", () => {
+    expect(formatReasoningMessage("   \n  \t  ")).toBe("");
+  });
+
+  it("wraps single line in italics", () => {
+    expect(formatReasoningMessage("Single line of reasoning")).toBe(
+      "Reasoning:\n_Single line of reasoning_",
+    );
+  });
+
+  it("wraps each line separately for multiline text (Telegram fix)", () => {
+    expect(formatReasoningMessage("Line one\nLine two\nLine three")).toBe(
+      "Reasoning:\n_Line one_\n_Line two_\n_Line three_",
+    );
+  });
+
+  it("preserves empty lines between reasoning text", () => {
+    expect(formatReasoningMessage("First block\n\nSecond block")).toBe(
+      "Reasoning:\n_First block_\n\n_Second block_",
+    );
+  });
+
+  it("handles mixed empty and non-empty lines", () => {
+    expect(formatReasoningMessage("A\n\nB\nC")).toBe("Reasoning:\n_A_\n\n_B_\n_C_");
+  });
+
+  it("trims leading/trailing whitespace", () => {
+    expect(formatReasoningMessage("  \n  Reasoning here  \n  ")).toBe(
+      "Reasoning:\n_Reasoning here_",
+    );
+  });
+});
--- a/src/agents/pi-embedded-utils.ts
+++ b/src/agents/pi-embedded-utils.ts
@ -211,7 +211,13 @@ export function formatReasoningMessage(text: string): string {
  if (!trimmed) return "";
  // Show reasoning in italics (cursive) for markdown-friendly surfaces (Discord, etc.).
  // Keep the plain "Reasoning:" prefix so existing parsing/detection keeps working.
-  return `Reasoning:\n_${trimmed}_`;
+  // Note: Underscore markdown cannot span multiple lines on Telegram, so we wrap
+  // each non-empty line separately.
+  const italicLines = trimmed
+    .split("\n")
+    .map((line) => (line ? `_${line}_` : line))
+    .join("\n");
+  return `Reasoning:\n${italicLines}`;
 }

 type ThinkTaggedSplitBlock =
--- a/src/agents/pi-tools.safe-bins.test.ts
+++ b/src/agents/pi-tools.safe-bins.test.ts
@ -0,0 +1,78 @@
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import { describe, expect, it, vi } from "vitest";
+import type { ClawdbotConfig } from "../config/config.js";
+import type { ExecApprovalsResolved } from "../infra/exec-approvals.js";
+import { createClawdbotCodingTools } from "./pi-tools.js";
+
+vi.mock("../infra/exec-approvals.js", async (importOriginal) => {
+  const mod = await importOriginal<typeof import("../infra/exec-approvals.js")>();
+  const approvals: ExecApprovalsResolved = {
+    path: "/tmp/exec-approvals.json",
+    socketPath: "/tmp/exec-approvals.sock",
+    token: "token",
+    defaults: {
+      security: "allowlist",
+      ask: "off",
+      askFallback: "deny",
+      autoAllowSkills: false,
+    },
+    agent: {
+      security: "allowlist",
+      ask: "off",
+      askFallback: "deny",
+      autoAllowSkills: false,
+    },
+    allowlist: [],
+    file: {
+      version: 1,
+      socket: { path: "/tmp/exec-approvals.sock", token: "token" },
+      defaults: {
+        security: "allowlist",
+        ask: "off",
+        askFallback: "deny",
+        autoAllowSkills: false,
+      },
+      agents: {},
+    },
+  };
+  return { ...mod, resolveExecApprovals: () => approvals };
+});
+
+describe("createClawdbotCodingTools safeBins", () => {
+  it("threads tools.exec.safeBins into exec allowlist checks", async () => {
+    if (process.platform === "win32") return;
+
+    const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "clawdbot-safe-bins-"));
+    const cfg: ClawdbotConfig = {
+      tools: {
+        exec: {
+          host: "gateway",
+          security: "allowlist",
+          ask: "off",
+          safeBins: ["echo"],
+        },
+      },
+    };
+
+    const tools = createClawdbotCodingTools({
+      config: cfg,
+      sessionKey: "agent:main:main",
+      workspaceDir: tmpDir,
+      agentDir: path.join(tmpDir, "agent"),
+    });
+    const execTool = tools.find((tool) => tool.name === "exec");
+    expect(execTool).toBeDefined();
+
+    const marker = `safe-bins-${Date.now()}`;
+    const result = await execTool!.execute("call1", {
+      command: `echo ${marker}`,
+      workdir: tmpDir,
+    });
+    const text = result.content.find((content) => content.type === "text")?.text ?? "";
+
+    expect(result.details.status).toBe("completed");
+    expect(text).toContain(marker);
+  });
+});
--- a/src/agents/pi-tools.ts
+++ b/src/agents/pi-tools.ts
@ -86,6 +86,7 @@ function resolveExecConfig(cfg: ClawdbotConfig | undefined) {
    ask: globalExec?.ask,
    node: globalExec?.node,
    pathPrepend: globalExec?.pathPrepend,
+    safeBins: globalExec?.safeBins,
    backgroundMs: globalExec?.backgroundMs,
    timeoutSec: globalExec?.timeoutSec,
    approvalRunningNoticeMs: globalExec?.approvalRunningNoticeMs,
@ -235,6 +236,7 @@ export function createClawdbotCodingTools(options?: {
    ask: options?.exec?.ask ?? execConfig.ask,
    node: options?.exec?.node ?? execConfig.node,
    pathPrepend: options?.exec?.pathPrepend ?? execConfig.pathPrepend,
+    safeBins: options?.exec?.safeBins ?? execConfig.safeBins,
    agentId,
    cwd: options?.workspaceDir,
    allowBackground,
--- a/src/agents/tools/discord-actions-guild.ts
+++ b/src/agents/tools/discord-actions-guild.ts
@ -1,5 +1,6 @@
 import type { AgentToolResult } from "@mariozechner/pi-agent-core";
 import type { DiscordActionConfig } from "../../config/config.js";
+import { getPresence } from "../../discord/monitor/presence-cache.js";
 import {
  addRoleDiscord,
  createChannelDiscord,
@ -54,7 +55,10 @@ export async function handleDiscordGuildAction(
      const member = accountId
        ? await fetchMemberInfoDiscord(guildId, userId, { accountId })
        : await fetchMemberInfoDiscord(guildId, userId);
-      return jsonResult({ ok: true, member });
+      const presence = getPresence(accountId, userId);
+      const activities = presence?.activities ?? undefined;
+      const status = presence?.status ?? undefined;
+      return jsonResult({ ok: true, member, ...(presence ? { status, activities } : {}) });
    }
    case "roleInfo": {
      if (!isActionEnabled("roleInfo")) {
--- a/src/agents/tools/web-fetch.ts
+++ b/src/agents/tools/web-fetch.ts
@ -1,7 +1,13 @@
 import { Type } from "@sinclair/typebox";

 import type { ClawdbotConfig } from "../../config/config.js";
-import { assertPublicHostname, SsrFBlockedError } from "../../infra/net/ssrf.js";
+import {
+  closeDispatcher,
+  createPinnedDispatcher,
+  resolvePinnedHostname,
+  SsrFBlockedError,
+} from "../../infra/net/ssrf.js";
+import type { Dispatcher } from "undici";
 import { stringEnum } from "../schema/typebox.js";
 import type { AnyAgentTool } from "./common.js";
 import { jsonResult, readNumberParam, readStringParam } from "./common.js";
@ -167,7 +173,7 @@ async function fetchWithRedirects(params: {
  maxRedirects: number;
  timeoutSeconds: number;
  userAgent: string;
-}): Promise<{ response: Response; finalUrl: string }> {
+}): Promise<{ response: Response; finalUrl: string; dispatcher: Dispatcher }> {
  const signal = withTimeout(undefined, params.timeoutSeconds * 1000);
  const visited = new Set<string>();
  let currentUrl = params.url;
@ -184,39 +190,50 @@ async function fetchWithRedirects(params: {
      throw new Error("Invalid URL: must be http or https");
    }

-    await assertPublicHostname(parsedUrl.hostname);
-
-    const res = await fetch(parsedUrl.toString(), {
-      method: "GET",
-      headers: {
-        Accept: "*/*",
-        "User-Agent": params.userAgent,
-        "Accept-Language": "en-US,en;q=0.9",
-      },
-      signal,
-      redirect: "manual",
-    });
+    const pinned = await resolvePinnedHostname(parsedUrl.hostname);
+    const dispatcher = createPinnedDispatcher(pinned);
+    let res: Response;
+    try {
+      res = await fetch(parsedUrl.toString(), {
+        method: "GET",
+        headers: {
+          Accept: "*/*",
+          "User-Agent": params.userAgent,
+          "Accept-Language": "en-US,en;q=0.9",
+        },
+        signal,
+        redirect: "manual",
+        dispatcher,
+      } as RequestInit);
+    } catch (err) {
+      await closeDispatcher(dispatcher);
+      throw err;
+    }

    if (isRedirectStatus(res.status)) {
      const location = res.headers.get("location");
      if (!location) {
+        await closeDispatcher(dispatcher);
        throw new Error(`Redirect missing location header (${res.status})`);
      }
      redirectCount += 1;
      if (redirectCount > params.maxRedirects) {
+        await closeDispatcher(dispatcher);
        throw new Error(`Too many redirects (limit: ${params.maxRedirects})`);
      }
      const nextUrl = new URL(location, parsedUrl).toString();
      if (visited.has(nextUrl)) {
+        await closeDispatcher(dispatcher);
        throw new Error("Redirect loop detected");
      }
      visited.add(nextUrl);
      void res.body?.cancel();
+      await closeDispatcher(dispatcher);
      currentUrl = nextUrl;
      continue;
    }

-    return { response: res, finalUrl: currentUrl };
+    return { response: res, finalUrl: currentUrl, dispatcher };
  }
 }

@ -348,6 +365,7 @@ async function runWebFetch(params: {

  const start = Date.now();
  let res: Response;
+  let dispatcher: Dispatcher | null = null;
  let finalUrl = params.url;
  try {
    const result = await fetchWithRedirects({
@ -358,6 +376,7 @@ async function runWebFetch(params: {
    });
    res = result.response;
    finalUrl = result.finalUrl;
+    dispatcher = result.dispatcher;
  } catch (error) {
    if (error instanceof SsrFBlockedError) {
      throw error;
@ -396,108 +415,112 @@ async function runWebFetch(params: {
    throw error;
  }

-  if (!res.ok) {
-    if (params.firecrawlEnabled && params.firecrawlApiKey) {
-      const firecrawl = await fetchFirecrawlContent({
-        url: params.url,
-        extractMode: params.extractMode,
-        apiKey: params.firecrawlApiKey,
-        baseUrl: params.firecrawlBaseUrl,
-        onlyMainContent: params.firecrawlOnlyMainContent,
-        maxAgeMs: params.firecrawlMaxAgeMs,
-        proxy: params.firecrawlProxy,
-        storeInCache: params.firecrawlStoreInCache,
-        timeoutSeconds: params.firecrawlTimeoutSeconds,
-      });
-      const truncated = truncateText(firecrawl.text, params.maxChars);
-      const payload = {
-        url: params.url,
-        finalUrl: firecrawl.finalUrl || finalUrl,
-        status: firecrawl.status ?? res.status,
-        contentType: "text/markdown",
-        title: firecrawl.title,
-        extractMode: params.extractMode,
-        extractor: "firecrawl",
-        truncated: truncated.truncated,
-        length: truncated.text.length,
-        fetchedAt: new Date().toISOString(),
-        tookMs: Date.now() - start,
-        text: truncated.text,
-        warning: firecrawl.warning,
-      };
-      writeCache(FETCH_CACHE, cacheKey, payload, params.cacheTtlMs);
-      return payload;
-    }
-    const rawDetail = await readResponseText(res);
-    const detail = formatWebFetchErrorDetail({
-      detail: rawDetail,
-      contentType: res.headers.get("content-type"),
-      maxChars: DEFAULT_ERROR_MAX_CHARS,
-    });
-    throw new Error(`Web fetch failed (${res.status}): ${detail || res.statusText}`);
-  }
-
-  const contentType = res.headers.get("content-type") ?? "application/octet-stream";
-  const body = await readResponseText(res);
-
-  let title: string | undefined;
-  let extractor = "raw";
-  let text = body;
-  if (contentType.includes("text/html")) {
-    if (params.readabilityEnabled) {
-      const readable = await extractReadableContent({
-        html: body,
-        url: finalUrl,
-        extractMode: params.extractMode,
-      });
-      if (readable?.text) {
-        text = readable.text;
-        title = readable.title;
-        extractor = "readability";
-      } else {
-        const firecrawl = await tryFirecrawlFallback({ ...params, url: finalUrl });
-        if (firecrawl) {
-          text = firecrawl.text;
-          title = firecrawl.title;
-          extractor = "firecrawl";
-        } else {
-          throw new Error(
-            "Web fetch extraction failed: Readability and Firecrawl returned no content.",
-          );
-        }
+  try {
+    if (!res.ok) {
+      if (params.firecrawlEnabled && params.firecrawlApiKey) {
+        const firecrawl = await fetchFirecrawlContent({
+          url: params.url,
+          extractMode: params.extractMode,
+          apiKey: params.firecrawlApiKey,
+          baseUrl: params.firecrawlBaseUrl,
+          onlyMainContent: params.firecrawlOnlyMainContent,
+          maxAgeMs: params.firecrawlMaxAgeMs,
+          proxy: params.firecrawlProxy,
+          storeInCache: params.firecrawlStoreInCache,
+          timeoutSeconds: params.firecrawlTimeoutSeconds,
+        });
+        const truncated = truncateText(firecrawl.text, params.maxChars);
+        const payload = {
+          url: params.url,
+          finalUrl: firecrawl.finalUrl || finalUrl,
+          status: firecrawl.status ?? res.status,
+          contentType: "text/markdown",
+          title: firecrawl.title,
+          extractMode: params.extractMode,
+          extractor: "firecrawl",
+          truncated: truncated.truncated,
+          length: truncated.text.length,
+          fetchedAt: new Date().toISOString(),
+          tookMs: Date.now() - start,
+          text: truncated.text,
+          warning: firecrawl.warning,
+        };
+        writeCache(FETCH_CACHE, cacheKey, payload, params.cacheTtlMs);
+        return payload;
      }
-    } else {
-      throw new Error(
-        "Web fetch extraction failed: Readability disabled and Firecrawl unavailable.",
-      );
+      const rawDetail = await readResponseText(res);
+      const detail = formatWebFetchErrorDetail({
+        detail: rawDetail,
+        contentType: res.headers.get("content-type"),
+        maxChars: DEFAULT_ERROR_MAX_CHARS,
+      });
+      throw new Error(`Web fetch failed (${res.status}): ${detail || res.statusText}`);
    }
-  } else if (contentType.includes("application/json")) {
-    try {
-      text = JSON.stringify(JSON.parse(body), null, 2);
-      extractor = "json";
-    } catch {
-      text = body;
-      extractor = "raw";
-    }
-  }

-  const truncated = truncateText(text, params.maxChars);
-  const payload = {
-    url: params.url,
-    finalUrl,
-    status: res.status,
-    contentType,
-    title,
-    extractMode: params.extractMode,
-    extractor,
-    truncated: truncated.truncated,
-    length: truncated.text.length,
-    fetchedAt: new Date().toISOString(),
-    tookMs: Date.now() - start,
-    text: truncated.text,
-  };
-  writeCache(FETCH_CACHE, cacheKey, payload, params.cacheTtlMs);
-  return payload;
+    const contentType = res.headers.get("content-type") ?? "application/octet-stream";
+    const body = await readResponseText(res);
+
+    let title: string | undefined;
+    let extractor = "raw";
+    let text = body;
+    if (contentType.includes("text/html")) {
+      if (params.readabilityEnabled) {
+        const readable = await extractReadableContent({
+          html: body,
+          url: finalUrl,
+          extractMode: params.extractMode,
+        });
+        if (readable?.text) {
+          text = readable.text;
+          title = readable.title;
+          extractor = "readability";
+        } else {
+          const firecrawl = await tryFirecrawlFallback({ ...params, url: finalUrl });
+          if (firecrawl) {
+            text = firecrawl.text;
+            title = firecrawl.title;
+            extractor = "firecrawl";
+          } else {
+            throw new Error(
+              "Web fetch extraction failed: Readability and Firecrawl returned no content.",
+            );
+          }
+        }
+      } else {
+        throw new Error(
+          "Web fetch extraction failed: Readability disabled and Firecrawl unavailable.",
+        );
+      }
+    } else if (contentType.includes("application/json")) {
+      try {
+        text = JSON.stringify(JSON.parse(body), null, 2);
+        extractor = "json";
+      } catch {
+        text = body;
+        extractor = "raw";
+      }
+    }
+
+    const truncated = truncateText(text, params.maxChars);
+    const payload = {
+      url: params.url,
+      finalUrl,
+      status: res.status,
+      contentType,
+      title,
+      extractMode: params.extractMode,
+      extractor,
+      truncated: truncated.truncated,
+      length: truncated.text.length,
+      fetchedAt: new Date().toISOString(),
+      tookMs: Date.now() - start,
+      text: truncated.text,
+    };
+    writeCache(FETCH_CACHE, cacheKey, payload, params.cacheTtlMs);
+    return payload;
+  } finally {
+    await closeDispatcher(dispatcher);
+  }
 }

 async function tryFirecrawlFallback(params: {
--- a/src/channels/plugins/outbound/telegram.test.ts
+++ b/src/channels/plugins/outbound/telegram.test.ts
@ -0,0 +1,81 @@
+import { describe, expect, it, vi } from "vitest";
+
+import type { ClawdbotConfig } from "../../../config/config.js";
+import { telegramOutbound } from "./telegram.js";
+
+describe("telegramOutbound.sendPayload", () => {
+  it("sends text payload with buttons", async () => {
+    const sendTelegram = vi.fn(async () => ({ messageId: "m1", chatId: "c1" }));
+
+    const result = await telegramOutbound.sendPayload?.({
+      cfg: {} as ClawdbotConfig,
+      to: "telegram:123",
+      text: "ignored",
+      payload: {
+        text: "Hello",
+        channelData: {
+          telegram: {
+            buttons: [[{ text: "Option", callback_data: "/option" }]],
+          },
+        },
+      },
+      deps: { sendTelegram },
+    });
+
+    expect(sendTelegram).toHaveBeenCalledTimes(1);
+    expect(sendTelegram).toHaveBeenCalledWith(
+      "telegram:123",
+      "Hello",
+      expect.objectContaining({
+        buttons: [[{ text: "Option", callback_data: "/option" }]],
+        textMode: "html",
+      }),
+    );
+    expect(result).toEqual({ channel: "telegram", messageId: "m1", chatId: "c1" });
+  });
+
+  it("sends media payloads and attaches buttons only to first", async () => {
+    const sendTelegram = vi
+      .fn()
+      .mockResolvedValueOnce({ messageId: "m1", chatId: "c1" })
+      .mockResolvedValueOnce({ messageId: "m2", chatId: "c1" });
+
+    const result = await telegramOutbound.sendPayload?.({
+      cfg: {} as ClawdbotConfig,
+      to: "telegram:123",
+      text: "ignored",
+      payload: {
+        text: "Caption",
+        mediaUrls: ["https://example.com/a.png", "https://example.com/b.png"],
+        channelData: {
+          telegram: {
+            buttons: [[{ text: "Go", callback_data: "/go" }]],
+          },
+        },
+      },
+      deps: { sendTelegram },
+    });
+
+    expect(sendTelegram).toHaveBeenCalledTimes(2);
+    expect(sendTelegram).toHaveBeenNthCalledWith(
+      1,
+      "telegram:123",
+      "Caption",
+      expect.objectContaining({
+        mediaUrl: "https://example.com/a.png",
+        buttons: [[{ text: "Go", callback_data: "/go" }]],
+      }),
+    );
+    const secondOpts = sendTelegram.mock.calls[1]?.[2] as { buttons?: unknown } | undefined;
+    expect(sendTelegram).toHaveBeenNthCalledWith(
+      2,
+      "telegram:123",
+      "",
+      expect.objectContaining({
+        mediaUrl: "https://example.com/b.png",
+      }),
+    );
+    expect(secondOpts?.buttons).toBeUndefined();
+    expect(result).toEqual({ channel: "telegram", messageId: "m2", chatId: "c1" });
+  });
+});
--- a/src/channels/plugins/outbound/telegram.ts
+++ b/src/channels/plugins/outbound/telegram.ts
@ -18,6 +18,7 @@ function parseThreadId(threadId?: string | number | null) {
  const parsed = Number.parseInt(trimmed, 10);
  return Number.isFinite(parsed) ? parsed : undefined;
 }
+
 export const telegramOutbound: ChannelOutboundAdapter = {
  deliveryMode: "direct",
  chunker: markdownToTelegramHtmlChunks,
@ -50,4 +51,46 @@ export const telegramOutbound: ChannelOutboundAdapter = {
    });
    return { channel: "telegram", ...result };
  },
+  sendPayload: async ({ to, payload, accountId, deps, replyToId, threadId }) => {
+    const send = deps?.sendTelegram ?? sendMessageTelegram;
+    const replyToMessageId = parseReplyToMessageId(replyToId);
+    const messageThreadId = parseThreadId(threadId);
+    const telegramData = payload.channelData?.telegram as
+      | { buttons?: Array<Array<{ text: string; callback_data: string }>> }
+      | undefined;
+    const text = payload.text ?? "";
+    const mediaUrls = payload.mediaUrls?.length
+      ? payload.mediaUrls
+      : payload.mediaUrl
+        ? [payload.mediaUrl]
+        : [];
+    const baseOpts = {
+      verbose: false,
+      textMode: "html" as const,
+      messageThreadId,
+      replyToMessageId,
+      accountId: accountId ?? undefined,
+    };
+
+    if (mediaUrls.length === 0) {
+      const result = await send(to, text, {
+        ...baseOpts,
+        buttons: telegramData?.buttons,
+      });
+      return { channel: "telegram", ...result };
+    }
+
+    // Telegram allows reply_markup on media; attach buttons only to first send.
+    let finalResult: Awaited<ReturnType<typeof send>> | undefined;
+    for (let i = 0; i < mediaUrls.length; i += 1) {
+      const mediaUrl = mediaUrls[i];
+      const isFirst = i === 0;
+      finalResult = await send(to, isFirst ? text : "", {
+        ...baseOpts,
+        mediaUrl,
+        ...(isFirst ? { buttons: telegramData?.buttons } : {}),
+      });
+    }
+    return { channel: "telegram", ...(finalResult ?? { messageId: "unknown", chatId: to }) };
+  },
 };
--- a/src/cli/models-cli.ts
+++ b/src/cli/models-cli.ts
@ -389,7 +389,7 @@ export function registerModelsCli(program: Command) {
    .description("Set per-agent auth order override (locks rotation to this list)")
    .requiredOption("--provider <name>", "Provider id (e.g. anthropic)")
    .option("--agent <id>", "Agent id (default: configured default agent)")
-    .argument("<profileIds...>", "Auth profile ids (e.g. anthropic:claude-cli)")
+    .argument("<profileIds...>", "Auth profile ids (e.g. anthropic:default)")
    .action(async (profileIds: string[], opts) => {
      await runModelsCommand(async () => {
        await modelsAuthOrderSetCommand(
--- a/src/cli/program/register.onboard.ts
+++ b/src/cli/program/register.onboard.ts
@ -52,7 +52,7 @@ export function registerOnboardCommand(program: Command) {
    .option("--mode <mode>", "Wizard mode: local|remote")
    .option(
      "--auth-choice <choice>",
-      "Auth: setup-token|claude-cli|token|chutes|openai-codex|openai-api-key|openrouter-api-key|ai-gateway-api-key|moonshot-api-key|kimi-code-api-key|synthetic-api-key|nanogpt-api-key|venice-api-key|codex-cli|gemini-api-key|zai-api-key|apiKey|minimax-api|minimax-api-lightning|opencode-zen|skip",
+      "Auth: setup-token|token|chutes|openai-codex|openai-api-key|openrouter-api-key|ai-gateway-api-key|moonshot-api-key|kimi-code-api-key|synthetic-api-key|nanogpt-api-key|venice-api-key|gemini-api-key|zai-api-key|apiKey|minimax-api|minimax-api-lightning|opencode-zen|skip",
    )
    .option(
      "--token-provider <id>",
@ -79,7 +79,7 @@ export function registerOnboardCommand(program: Command) {
    .option("--opencode-zen-api-key <key>", "OpenCode Zen API key")
    .option("--gateway-port <port>", "Gateway port")
    .option("--gateway-bind <mode>", "Gateway bind: loopback|tailnet|lan|auto|custom")
-    .option("--gateway-auth <mode>", "Gateway auth: off|token|password")
+    .option("--gateway-auth <mode>", "Gateway auth: token|password")
    .option("--gateway-token <token>", "Gateway token (token auth)")
    .option("--gateway-password <password>", "Gateway password (password auth)")
    .option("--remote-url <url>", "Remote Gateway WebSocket URL")
--- a/src/cli/security-cli.ts
+++ b/src/cli/security-cli.ts
@ -87,16 +87,23 @@ export function registerSecurityCli(program: Command) {
            lines.push(muted(`  ${shortenHomeInString(change)}`));
          }
          for (const action of fixResult.actions) {
-            const mode = action.mode.toString(8).padStart(3, "0");
-            if (action.ok) lines.push(muted(`  chmod ${mode} ${shortenHomePath(action.path)}`));
-            else if (action.skipped)
-              lines.push(
-                muted(`  skip chmod ${mode} ${shortenHomePath(action.path)} (${action.skipped})`),
-              );
-            else if (action.error)
-              lines.push(
-                muted(`  chmod ${mode} ${shortenHomePath(action.path)} failed: ${action.error}`),
-              );
+            if (action.kind === "chmod") {
+              const mode = action.mode.toString(8).padStart(3, "0");
+              if (action.ok) lines.push(muted(`  chmod ${mode} ${shortenHomePath(action.path)}`));
+              else if (action.skipped)
+                lines.push(
+                  muted(`  skip chmod ${mode} ${shortenHomePath(action.path)} (${action.skipped})`),
+                );
+              else if (action.error)
+                lines.push(
+                  muted(`  chmod ${mode} ${shortenHomePath(action.path)} failed: ${action.error}`),
+                );
+              continue;
+            }
+            const command = shortenHomeInString(action.command);
+            if (action.ok) lines.push(muted(`  ${command}`));
+            else if (action.skipped) lines.push(muted(`  skip ${command} (${action.skipped})`));
+            else if (action.error) lines.push(muted(`  ${command} failed: ${action.error}`));
          }
          if (fixResult.errors.length > 0) {
            for (const err of fixResult.errors) {
--- a/src/commands/agents.commands.add.ts
+++ b/src/commands/agents.commands.add.ts
@ -258,7 +258,6 @@ export async function agentsAddCommand(
        prompter,
        store: authStore,
        includeSkip: true,
-        includeClaudeCliIfMissing: true,
      });

      const authResult = await applyAuthChoice({
--- a/src/commands/auth-choice-options.test.ts
+++ b/src/commands/auth-choice-options.test.ts
@ -1,6 +1,6 @@
 import { describe, expect, it } from "vitest";

-import { type AuthProfileStore, CLAUDE_CLI_PROFILE_ID } from "../agents/auth-profiles.js";
+import type { AuthProfileStore } from "../agents/auth-profiles.js";
 import { buildAuthChoiceOptions } from "./auth-choice-options.js";

 describe("buildAuthChoiceOptions", () => {
@ -9,60 +9,18 @@ describe("buildAuthChoiceOptions", () => {
    const options = buildAuthChoiceOptions({
      store,
      includeSkip: false,
-      includeClaudeCliIfMissing: false,
-      platform: "linux",
    });

    expect(options.find((opt) => opt.value === "github-copilot")).toBeDefined();
  });
-  it("includes Claude Code CLI option on macOS even when missing", () => {
+  it("includes setup-token option for Anthropic", () => {
    const store: AuthProfileStore = { version: 1, profiles: {} };
    const options = buildAuthChoiceOptions({
      store,
      includeSkip: false,
-      includeClaudeCliIfMissing: true,
-      platform: "darwin",
    });

-    const claudeCli = options.find((opt) => opt.value === "claude-cli");
-    expect(claudeCli).toBeDefined();
-    expect(claudeCli?.hint).toBe("reuses existing Claude Code auth · requires Keychain access");
-  });
-
-  it("skips missing Claude Code CLI option off macOS", () => {
-    const store: AuthProfileStore = { version: 1, profiles: {} };
-    const options = buildAuthChoiceOptions({
-      store,
-      includeSkip: false,
-      includeClaudeCliIfMissing: true,
-      platform: "linux",
-    });
-
-    expect(options.find((opt) => opt.value === "claude-cli")).toBeUndefined();
-  });
-
-  it("uses token hint when Claude Code CLI credentials exist", () => {
-    const store: AuthProfileStore = {
-      version: 1,
-      profiles: {
-        [CLAUDE_CLI_PROFILE_ID]: {
-          type: "token",
-          provider: "anthropic",
-          token: "token",
-          expires: Date.now() + 60 * 60 * 1000,
-        },
-      },
-    };
-
-    const options = buildAuthChoiceOptions({
-      store,
-      includeSkip: false,
-      includeClaudeCliIfMissing: true,
-      platform: "darwin",
-    });
-
-    const claudeCli = options.find((opt) => opt.value === "claude-cli");
-    expect(claudeCli?.hint).toContain("token ok");
+    expect(options.some((opt) => opt.value === "token")).toBe(true);
  });

  it("includes Z.AI (GLM) auth choice", () => {
@ -70,8 +28,6 @@ describe("buildAuthChoiceOptions", () => {
    const options = buildAuthChoiceOptions({
      store,
      includeSkip: false,
-      includeClaudeCliIfMissing: true,
-      platform: "darwin",
    });

    expect(options.some((opt) => opt.value === "zai-api-key")).toBe(true);
@ -82,8 +38,6 @@ describe("buildAuthChoiceOptions", () => {
    const options = buildAuthChoiceOptions({
      store,
      includeSkip: false,
-      includeClaudeCliIfMissing: true,
-      platform: "darwin",
    });

    expect(options.some((opt) => opt.value === "minimax-api")).toBe(true);
@ -95,8 +49,6 @@ describe("buildAuthChoiceOptions", () => {
    const options = buildAuthChoiceOptions({
      store,
      includeSkip: false,
-      includeClaudeCliIfMissing: true,
-      platform: "darwin",
    });

    expect(options.some((opt) => opt.value === "moonshot-api-key")).toBe(true);
@ -108,8 +60,6 @@ describe("buildAuthChoiceOptions", () => {
    const options = buildAuthChoiceOptions({
      store,
      includeSkip: false,
-      includeClaudeCliIfMissing: true,
-      platform: "darwin",
    });

    expect(options.some((opt) => opt.value === "ai-gateway-api-key")).toBe(true);
@ -120,8 +70,6 @@ describe("buildAuthChoiceOptions", () => {
    const options = buildAuthChoiceOptions({
      store,
      includeSkip: false,
-      includeClaudeCliIfMissing: true,
-      platform: "darwin",
    });

    expect(options.some((opt) => opt.value === "synthetic-api-key")).toBe(true);
@ -144,8 +92,6 @@ describe("buildAuthChoiceOptions", () => {
    const options = buildAuthChoiceOptions({
      store,
      includeSkip: false,
-      includeClaudeCliIfMissing: true,
-      platform: "darwin",
    });

    expect(options.some((opt) => opt.value === "chutes")).toBe(true);
@ -156,8 +102,6 @@ describe("buildAuthChoiceOptions", () => {
    const options = buildAuthChoiceOptions({
      store,
      includeSkip: false,
-      includeClaudeCliIfMissing: true,
-      platform: "darwin",
    });

    expect(options.some((opt) => opt.value === "qwen-portal")).toBe(true);
--- a/src/commands/auth-choice-options.ts
+++ b/src/commands/auth-choice-options.ts
@ -1,6 +1,4 @@
 import type { AuthProfileStore } from "../agents/auth-profiles.js";
-import { CLAUDE_CLI_PROFILE_ID, CODEX_CLI_PROFILE_ID } from "../agents/auth-profiles.js";
-import { colorize, isRich, theme } from "../terminal/theme.js";
 import type { AuthChoice } from "./onboard-types.js";

 export type AuthChoiceOption = {
@ -42,13 +40,13 @@ const AUTH_CHOICE_GROUP_DEFS: {
    value: "openai",
    label: "OpenAI",
    hint: "Codex OAuth + API key",
-    choices: ["codex-cli", "openai-codex", "openai-api-key"],
+    choices: ["openai-codex", "openai-api-key"],
  },
  {
    value: "anthropic",
    label: "Anthropic",
-    hint: "Claude Code CLI + API key",
-    choices: ["token", "claude-cli", "apiKey"],
+    hint: "setup-token + API key",
+    choices: ["token", "apiKey"],
  },
  {
    value: "minimax",
@ -124,65 +122,12 @@ const AUTH_CHOICE_GROUP_DEFS: {
  },
 ];

-function formatOAuthHint(expires?: number, opts?: { allowStale?: boolean }): string {
-  const rich = isRich();
-  if (!expires) {
-    return colorize(rich, theme.muted, "token unavailable");
-  }
-  const now = Date.now();
-  const remaining = expires - now;
-  if (remaining <= 0) {
-    if (opts?.allowStale) {
-      return colorize(rich, theme.warn, "token present · refresh on use");
-    }
-    return colorize(rich, theme.error, "token expired");
-  }
-  const minutes = Math.round(remaining / (60 * 1000));
-  const duration =
-    minutes >= 120
-      ? `${Math.round(minutes / 60)}h`
-      : minutes >= 60
-        ? "1h"
-        : `${Math.max(minutes, 1)}m`;
-  const label = `token ok · expires in ${duration}`;
-  if (minutes <= 10) {
-    return colorize(rich, theme.warn, label);
-  }
-  return colorize(rich, theme.success, label);
-}
-
 export function buildAuthChoiceOptions(params: {
  store: AuthProfileStore;
  includeSkip: boolean;
-  includeClaudeCliIfMissing?: boolean;
-  platform?: NodeJS.Platform;
 }): AuthChoiceOption[] {
+  void params.store;
  const options: AuthChoiceOption[] = [];
-  const platform = params.platform ?? process.platform;
-
-  const codexCli = params.store.profiles[CODEX_CLI_PROFILE_ID];
-  if (codexCli?.type === "oauth") {
-    options.push({
-      value: "codex-cli",
-      label: "OpenAI Codex OAuth (Codex CLI)",
-      hint: formatOAuthHint(codexCli.expires, { allowStale: true }),
-    });
-  }
-
-  const claudeCli = params.store.profiles[CLAUDE_CLI_PROFILE_ID];
-  if (claudeCli?.type === "oauth" || claudeCli?.type === "token") {
-    options.push({
-      value: "claude-cli",
-      label: "Anthropic token (Claude Code CLI)",
-      hint: `reuses existing Claude Code auth · ${formatOAuthHint(claudeCli.expires)}`,
-    });
-  } else if (params.includeClaudeCliIfMissing && platform === "darwin") {
-    options.push({
-      value: "claude-cli",
-      label: "Anthropic token (Claude Code CLI)",
-      hint: "reuses existing Claude Code auth · requires Keychain access",
-    });
-  }

  options.push({
    value: "token",
@ -256,12 +201,7 @@ export function buildAuthChoiceOptions(params: {
  return options;
 }

-export function buildAuthChoiceGroups(params: {
-  store: AuthProfileStore;
-  includeSkip: boolean;
-  includeClaudeCliIfMissing?: boolean;
-  platform?: NodeJS.Platform;
-}): {
+export function buildAuthChoiceGroups(params: { store: AuthProfileStore; includeSkip: boolean }): {
  groups: AuthChoiceGroup[];
  skipOption?: AuthChoiceOption;
 } {
--- a/src/commands/auth-choice-prompt.ts
+++ b/src/commands/auth-choice-prompt.ts
@ -9,8 +9,6 @@ export async function promptAuthChoiceGrouped(params: {
  prompter: WizardPrompter;
  store: AuthProfileStore;
  includeSkip: boolean;
-  includeClaudeCliIfMissing?: boolean;
-  platform?: NodeJS.Platform;
 }): Promise<AuthChoice> {
  const { groups, skipOption } = buildAuthChoiceGroups(params);
  const availableGroups = groups.filter((group) => group.options.length > 0);
--- a/src/commands/auth-choice.apply.anthropic.ts
+++ b/src/commands/auth-choice.apply.anthropic.ts
@ -1,8 +1,4 @@
-import {
-  CLAUDE_CLI_PROFILE_ID,
-  ensureAuthProfileStore,
-  upsertAuthProfile,
-} from "../agents/auth-profiles.js";
+import { upsertAuthProfile } from "../agents/auth-profiles.js";
 import {
  formatApiKeyPreview,
  normalizeApiKeyInput,
@ -15,153 +11,17 @@ import { applyAuthProfileConfig, setAnthropicApiKey } from "./onboard-auth.js";
 export async function applyAuthChoiceAnthropic(
  params: ApplyAuthChoiceParams,
 ): Promise<ApplyAuthChoiceResult | null> {
-  if (params.authChoice === "claude-cli") {
+  if (
+    params.authChoice === "setup-token" ||
+    params.authChoice === "oauth" ||
+    params.authChoice === "token"
+  ) {
    let nextConfig = params.config;
-    const store = ensureAuthProfileStore(params.agentDir, {
-      allowKeychainPrompt: false,
-    });
-    const hasClaudeCli = Boolean(store.profiles[CLAUDE_CLI_PROFILE_ID]);
-    if (!hasClaudeCli && process.platform === "darwin") {
-      await params.prompter.note(
-        [
-          "macOS will show a Keychain prompt next.",
-          'Choose "Always Allow" so the launchd gateway can start without prompts.',
-          'If you choose "Allow" or "Deny", each restart will block on a Keychain alert.',
-        ].join("\n"),
-        "Claude Code CLI Keychain",
-      );
-      const proceed = await params.prompter.confirm({
-        message: "Check Keychain for Claude Code CLI credentials now?",
-        initialValue: true,
-      });
-      if (!proceed) return { config: nextConfig };
-    }
-
-    const storeWithKeychain = hasClaudeCli
-      ? store
-      : ensureAuthProfileStore(params.agentDir, {
-          allowKeychainPrompt: true,
-        });
-
-    if (!storeWithKeychain.profiles[CLAUDE_CLI_PROFILE_ID]) {
-      if (process.stdin.isTTY) {
-        const runNow = await params.prompter.confirm({
-          message: "Run `claude setup-token` now?",
-          initialValue: true,
-        });
-        if (runNow) {
-          const res = await (async () => {
-            const { spawnSync } = await import("node:child_process");
-            return spawnSync("claude", ["setup-token"], { stdio: "inherit" });
-          })();
-          if (res.error) {
-            await params.prompter.note(
-              `Failed to run claude: ${String(res.error)}`,
-              "Claude setup-token",
-            );
-          }
-        }
-      } else {
-        await params.prompter.note(
-          "`claude setup-token` requires an interactive TTY.",
-          "Claude setup-token",
-        );
-      }
-
-      const refreshed = ensureAuthProfileStore(params.agentDir, {
-        allowKeychainPrompt: true,
-      });
-      if (!refreshed.profiles[CLAUDE_CLI_PROFILE_ID]) {
-        await params.prompter.note(
-          process.platform === "darwin"
-            ? 'No Claude Code CLI credentials found in Keychain ("Claude Code-credentials") or ~/.claude/.credentials.json.'
-            : "No Claude Code CLI credentials found at ~/.claude/.credentials.json.",
-          "Claude Code CLI OAuth",
-        );
-        return { config: nextConfig };
-      }
-    }
-    nextConfig = applyAuthProfileConfig(nextConfig, {
-      profileId: CLAUDE_CLI_PROFILE_ID,
-      provider: "anthropic",
-      mode: "oauth",
-    });
-    return { config: nextConfig };
-  }
-
-  if (params.authChoice === "setup-token" || params.authChoice === "oauth") {
-    let nextConfig = params.config;
-    await params.prompter.note(
-      [
-        "This will run `claude setup-token` to create a long-lived Anthropic token.",
-        "Requires an interactive TTY and a Claude Pro/Max subscription.",
-      ].join("\n"),
-      "Anthropic setup-token",
-    );
-
-    if (!process.stdin.isTTY) {
-      await params.prompter.note(
-        "`claude setup-token` requires an interactive TTY.",
-        "Anthropic setup-token",
-      );
-      return { config: nextConfig };
-    }
-
-    const proceed = await params.prompter.confirm({
-      message: "Run `claude setup-token` now?",
-      initialValue: true,
-    });
-    if (!proceed) return { config: nextConfig };
-
-    const res = await (async () => {
-      const { spawnSync } = await import("node:child_process");
-      return spawnSync("claude", ["setup-token"], { stdio: "inherit" });
-    })();
-    if (res.error) {
-      await params.prompter.note(
-        `Failed to run claude: ${String(res.error)}`,
-        "Anthropic setup-token",
-      );
-      return { config: nextConfig };
-    }
-    if (typeof res.status === "number" && res.status !== 0) {
-      await params.prompter.note(
-        `claude setup-token failed (exit ${res.status})`,
-        "Anthropic setup-token",
-      );
-      return { config: nextConfig };
-    }
-
-    const store = ensureAuthProfileStore(params.agentDir, {
-      allowKeychainPrompt: true,
-    });
-    if (!store.profiles[CLAUDE_CLI_PROFILE_ID]) {
-      await params.prompter.note(
-        `No Claude Code CLI credentials found after setup-token. Expected ${CLAUDE_CLI_PROFILE_ID}.`,
-        "Anthropic setup-token",
-      );
-      return { config: nextConfig };
-    }
-
-    nextConfig = applyAuthProfileConfig(nextConfig, {
-      profileId: CLAUDE_CLI_PROFILE_ID,
-      provider: "anthropic",
-      mode: "oauth",
-    });
-    return { config: nextConfig };
-  }
-
-  if (params.authChoice === "token") {
-    let nextConfig = params.config;
-    const provider = (await params.prompter.select({
-      message: "Token provider",
-      options: [{ value: "anthropic", label: "Anthropic (only supported)" }],
-    })) as "anthropic";
    await params.prompter.note(
      ["Run `claude setup-token` in your terminal.", "Then paste the generated token below."].join(
        "\n",
      ),
-      "Anthropic token",
+      "Anthropic setup-token",
    );

    const tokenRaw = await params.prompter.text({
@ -174,6 +34,7 @@ export async function applyAuthChoiceAnthropic(
      message: "Token name (blank = default)",
      placeholder: "default",
    });
+    const provider = "anthropic";
    const namedProfileId = buildTokenProfileId({
      provider,
      name: String(profileNameRaw ?? ""),
--- a/src/commands/auth-choice.apply.openai.ts
+++ b/src/commands/auth-choice.apply.openai.ts
@ -1,5 +1,4 @@
 import { loginOpenAICodex } from "@mariozechner/pi-ai";
-import { CODEX_CLI_PROFILE_ID, ensureAuthProfileStore } from "../agents/auth-profiles.js";
 import { resolveEnvApiKey } from "../agents/model-auth.js";
 import { upsertSharedEnvVar } from "../infra/env-file.js";
 import { isRemoteEnvironment } from "./oauth-env.js";
@ -146,45 +145,5 @@ export async function applyAuthChoiceOpenAI(
    return { config: nextConfig, agentModelOverride };
  }

-  if (params.authChoice === "codex-cli") {
-    let nextConfig = params.config;
-    let agentModelOverride: string | undefined;
-    const noteAgentModel = async (model: string) => {
-      if (!params.agentId) return;
-      await params.prompter.note(
-        `Default model set to ${model} for agent "${params.agentId}".`,
-        "Model configured",
-      );
-    };
-
-    const store = ensureAuthProfileStore(params.agentDir);
-    if (!store.profiles[CODEX_CLI_PROFILE_ID]) {
-      await params.prompter.note(
-        "No Codex CLI credentials found at ~/.codex/auth.json.",
-        "Codex CLI OAuth",
-      );
-      return { config: nextConfig, agentModelOverride };
-    }
-    nextConfig = applyAuthProfileConfig(nextConfig, {
-      profileId: CODEX_CLI_PROFILE_ID,
-      provider: "openai-codex",
-      mode: "oauth",
-    });
-    if (params.setDefaultModel) {
-      const applied = applyOpenAICodexModelDefault(nextConfig);
-      nextConfig = applied.next;
-      if (applied.changed) {
-        await params.prompter.note(
-          `Default model set to ${OPENAI_CODEX_DEFAULT_MODEL}`,
-          "Model configured",
-        );
-      }
-    } else {
-      agentModelOverride = OPENAI_CODEX_DEFAULT_MODEL;
-      await noteAgentModel(OPENAI_CODEX_DEFAULT_MODEL);
-    }
-    return { config: nextConfig, agentModelOverride };
-  }
-
  return null;
 }
--- a/src/commands/channels.adds-non-default-telegram-account.test.ts
+++ b/src/commands/channels.adds-non-default-telegram-account.test.ts
@ -244,7 +244,7 @@ describe("channels command", () => {
    authMocks.loadAuthProfileStore.mockReturnValue({
      version: 1,
      profiles: {
-        "anthropic:claude-cli": {
+        "anthropic:default": {
          type: "oauth",
          provider: "anthropic",
          access: "token",
@ -252,7 +252,7 @@ describe("channels command", () => {
          expires: 0,
          created: 0,
        },
-        "openai-codex:codex-cli": {
+        "openai-codex:default": {
          type: "oauth",
          provider: "openai",
          access: "token",
@ -268,8 +268,8 @@ describe("channels command", () => {
      auth?: Array<{ id: string }>;
    };
    const ids = payload.auth?.map((entry) => entry.id) ?? [];
-    expect(ids).toContain("anthropic:claude-cli");
-    expect(ids).toContain("openai-codex:codex-cli");
+    expect(ids).toContain("anthropic:default");
+    expect(ids).toContain("openai-codex:default");
  });

  it("stores default account names in accounts when multiple accounts exist", async () => {
--- a/src/commands/channels/list.ts
+++ b/src/commands/channels/list.ts
@ -1,8 +1,4 @@
-import {
-  CLAUDE_CLI_PROFILE_ID,
-  CODEX_CLI_PROFILE_ID,
-  loadAuthProfileStore,
-} from "../../agents/auth-profiles.js";
+import { loadAuthProfileStore } from "../../agents/auth-profiles.js";
 import { listChannelPlugins } from "../../channels/plugins/index.js";
 import { buildChannelAccountSnapshot } from "../../channels/plugins/status.js";
 import type { ChannelAccountSnapshot, ChannelPlugin } from "../../channels/plugins/types.js";
@ -115,7 +111,7 @@ export async function channelsListCommand(
    id: profileId,
    provider: profile.provider,
    type: profile.type,
-    isExternal: profileId === CLAUDE_CLI_PROFILE_ID || profileId === CODEX_CLI_PROFILE_ID,
+    isExternal: false,
  }));
  if (opts.json) {
    const usage = includeUsage ? await loadProviderUsageSummary() : undefined;
--- a/src/commands/configure.gateway-auth.test.ts
+++ b/src/commands/configure.gateway-auth.test.ts
@ -3,26 +3,18 @@ import { describe, expect, it } from "vitest";
 import { buildGatewayAuthConfig } from "./configure.js";

 describe("buildGatewayAuthConfig", () => {
-  it("clears token/password when auth is off", () => {
-    const result = buildGatewayAuthConfig({
-      existing: { mode: "token", token: "abc", password: "secret" },
-      mode: "off",
-    });
-
-    expect(result).toBeUndefined();
-  });
-
-  it("preserves allowTailscale when auth is off", () => {
+  it("preserves allowTailscale when switching to token", () => {
    const result = buildGatewayAuthConfig({
      existing: {
-        mode: "token",
-        token: "abc",
+        mode: "password",
+        password: "secret",
        allowTailscale: true,
      },
-      mode: "off",
+      mode: "token",
+      token: "abc",
    });

-    expect(result).toEqual({ allowTailscale: true });
+    expect(result).toEqual({ mode: "token", token: "abc", allowTailscale: true });
  });

  it("drops password when switching to token", () => {
--- a/src/commands/configure.gateway-auth.ts
+++ b/src/commands/configure.gateway-auth.ts
@ -12,7 +12,7 @@ import {
  promptModelAllowlist,
 } from "./model-picker.js";

-type GatewayAuthChoice = "off" | "token" | "password";
+type GatewayAuthChoice = "token" | "password";

 const ANTHROPIC_OAUTH_MODEL_KEYS = [
  "anthropic/claude-opus-4-5",
@ -30,9 +30,6 @@ export function buildGatewayAuthConfig(params: {
  const base: GatewayAuthConfig = {};
  if (typeof allowTailscale === "boolean") base.allowTailscale = allowTailscale;

-  if (params.mode === "off") {
-    return Object.keys(base).length > 0 ? base : undefined;
-  }
  if (params.mode === "token") {
    return { ...base, mode: "token", token: params.token };
  }
@ -50,7 +47,6 @@ export async function promptAuthConfig(
      allowKeychainPrompt: false,
    }),
    includeSkip: true,
-    includeClaudeCliIfMissing: true,
  });

  let next = cfg;
@ -77,10 +73,7 @@ export async function promptAuthConfig(
  }

  const anthropicOAuth =
-    authChoice === "claude-cli" ||
-    authChoice === "setup-token" ||
-    authChoice === "token" ||
-    authChoice === "oauth";
+    authChoice === "setup-token" || authChoice === "token" || authChoice === "oauth";

  const allowlistSelection = await promptModelAllowlist({
    config: next,
--- a/src/commands/configure.gateway.ts
+++ b/src/commands/configure.gateway.ts
@ -7,7 +7,7 @@ import { buildGatewayAuthConfig } from "./configure.gateway-auth.js";
 import { confirm, select, text } from "./configure.shared.js";
 import { guardCancel, randomToken } from "./onboard-helpers.js";

-type GatewayAuthChoice = "off" | "token" | "password";
+type GatewayAuthChoice = "token" | "password";

 export async function promptGatewayConfig(
  cfg: ClawdbotConfig,
@ -91,11 +91,6 @@ export async function promptGatewayConfig(
    await select({
      message: "Gateway auth",
      options: [
-        {
-          value: "off",
-          label: "Off (loopback only)",
-          hint: "Not recommended unless you fully trust local processes",
-        },
        { value: "token", label: "Token", hint: "Recommended default" },
        { value: "password", label: "Password" },
      ],
@ -165,11 +160,6 @@ export async function promptGatewayConfig(
    bind = "loopback";
  }

-  if (authMode === "off" && bind !== "loopback") {
-    note("Non-loopback bind requires auth. Switching to token auth.", "Note");
-    authMode = "token";
-  }
-
  if (tailscaleMode === "funnel" && authMode !== "password") {
    note("Tailscale funnel requires password auth.", "Note");
    authMode = "password";
--- a/src/commands/doctor-auth.deprecated-cli-profiles.test.ts
+++ b/src/commands/doctor-auth.deprecated-cli-profiles.test.ts
@ -0,0 +1,109 @@
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+
+import { maybeRemoveDeprecatedCliAuthProfiles } from "./doctor-auth.js";
+import type { DoctorPrompter } from "./doctor-prompter.js";
+
+let originalAgentDir: string | undefined;
+let originalPiAgentDir: string | undefined;
+let tempAgentDir: string | undefined;
+
+function makePrompter(confirmValue: boolean): DoctorPrompter {
+  return {
+    confirm: vi.fn().mockResolvedValue(confirmValue),
+    confirmRepair: vi.fn().mockResolvedValue(confirmValue),
+    confirmAggressive: vi.fn().mockResolvedValue(confirmValue),
+    confirmSkipInNonInteractive: vi.fn().mockResolvedValue(confirmValue),
+    select: vi.fn().mockResolvedValue(""),
+    shouldRepair: confirmValue,
+    shouldForce: false,
+  };
+}
+
+beforeEach(() => {
+  originalAgentDir = process.env.CLAWDBOT_AGENT_DIR;
+  originalPiAgentDir = process.env.PI_CODING_AGENT_DIR;
+  tempAgentDir = fs.mkdtempSync(path.join(os.tmpdir(), "clawdbot-auth-"));
+  process.env.CLAWDBOT_AGENT_DIR = tempAgentDir;
+  process.env.PI_CODING_AGENT_DIR = tempAgentDir;
+});
+
+afterEach(() => {
+  if (originalAgentDir === undefined) {
+    delete process.env.CLAWDBOT_AGENT_DIR;
+  } else {
+    process.env.CLAWDBOT_AGENT_DIR = originalAgentDir;
+  }
+  if (originalPiAgentDir === undefined) {
+    delete process.env.PI_CODING_AGENT_DIR;
+  } else {
+    process.env.PI_CODING_AGENT_DIR = originalPiAgentDir;
+  }
+  if (tempAgentDir) {
+    fs.rmSync(tempAgentDir, { recursive: true, force: true });
+    tempAgentDir = undefined;
+  }
+});
+
+describe("maybeRemoveDeprecatedCliAuthProfiles", () => {
+  it("removes deprecated CLI auth profiles from store + config", async () => {
+    if (!tempAgentDir) throw new Error("Missing temp agent dir");
+    const authPath = path.join(tempAgentDir, "auth-profiles.json");
+    fs.writeFileSync(
+      authPath,
+      `${JSON.stringify(
+        {
+          version: 1,
+          profiles: {
+            "anthropic:claude-cli": {
+              type: "oauth",
+              provider: "anthropic",
+              access: "token-a",
+              refresh: "token-r",
+              expires: Date.now() + 60_000,
+            },
+            "openai-codex:codex-cli": {
+              type: "oauth",
+              provider: "openai-codex",
+              access: "token-b",
+              refresh: "token-r2",
+              expires: Date.now() + 60_000,
+            },
+          },
+        },
+        null,
+        2,
+      )}\n`,
+      "utf8",
+    );
+
+    const cfg = {
+      auth: {
+        profiles: {
+          "anthropic:claude-cli": { provider: "anthropic", mode: "oauth" },
+          "openai-codex:codex-cli": { provider: "openai-codex", mode: "oauth" },
+        },
+        order: {
+          anthropic: ["anthropic:claude-cli"],
+          "openai-codex": ["openai-codex:codex-cli"],
+        },
+      },
+    } as const;
+
+    const next = await maybeRemoveDeprecatedCliAuthProfiles(cfg, makePrompter(true));
+
+    const raw = JSON.parse(fs.readFileSync(authPath, "utf8")) as {
+      profiles?: Record<string, unknown>;
+    };
+    expect(raw.profiles?.["anthropic:claude-cli"]).toBeUndefined();
+    expect(raw.profiles?.["openai-codex:codex-cli"]).toBeUndefined();
+
+    expect(next.auth?.profiles?.["anthropic:claude-cli"]).toBeUndefined();
+    expect(next.auth?.profiles?.["openai-codex:codex-cli"]).toBeUndefined();
+    expect(next.auth?.order?.anthropic).toBeUndefined();
+    expect(next.auth?.order?.["openai-codex"]).toBeUndefined();
+  });
+});
--- a/src/commands/doctor-auth.ts
+++ b/src/commands/doctor-auth.ts
@ -11,6 +11,7 @@ import {
  resolveApiKeyForProfile,
  resolveProfileUnusableUntilForDisplay,
 } from "../agents/auth-profiles.js";
+import { updateAuthProfileStoreWithLock } from "../agents/auth-profiles/store.js";
 import type { ClawdbotConfig } from "../config/config.js";
 import { note } from "../terminal/note.js";
 import { formatCliCommand } from "../cli/command-format.js";
@ -38,6 +39,148 @@ export async function maybeRepairAnthropicOAuthProfileId(
  return repair.config;
 }

+function pruneAuthOrder(
+  order: Record<string, string[]> | undefined,
+  profileIds: Set<string>,
+): { next: Record<string, string[]> | undefined; changed: boolean } {
+  if (!order) return { next: order, changed: false };
+  let changed = false;
+  const next: Record<string, string[]> = {};
+  for (const [provider, list] of Object.entries(order)) {
+    const filtered = list.filter((id) => !profileIds.has(id));
+    if (filtered.length !== list.length) changed = true;
+    if (filtered.length > 0) next[provider] = filtered;
+  }
+  return { next: Object.keys(next).length > 0 ? next : undefined, changed };
+}
+
+function pruneAuthProfiles(
+  cfg: ClawdbotConfig,
+  profileIds: Set<string>,
+): { next: ClawdbotConfig; changed: boolean } {
+  const profiles = cfg.auth?.profiles;
+  const order = cfg.auth?.order;
+  const nextProfiles = profiles ? { ...profiles } : undefined;
+  let changed = false;
+
+  if (nextProfiles) {
+    for (const id of profileIds) {
+      if (id in nextProfiles) {
+        delete nextProfiles[id];
+        changed = true;
+      }
+    }
+  }
+
+  const prunedOrder = pruneAuthOrder(order, profileIds);
+  if (prunedOrder.changed) changed = true;
+
+  if (!changed) return { next: cfg, changed: false };
+
+  const nextAuth =
+    nextProfiles || prunedOrder.next
+      ? {
+          ...cfg.auth,
+          profiles: nextProfiles && Object.keys(nextProfiles).length > 0 ? nextProfiles : undefined,
+          order: prunedOrder.next,
+        }
+      : undefined;
+
+  return {
+    next: {
+      ...cfg,
+      auth: nextAuth,
+    },
+    changed: true,
+  };
+}
+
+export async function maybeRemoveDeprecatedCliAuthProfiles(
+  cfg: ClawdbotConfig,
+  prompter: DoctorPrompter,
+): Promise<ClawdbotConfig> {
+  const store = ensureAuthProfileStore(undefined, { allowKeychainPrompt: false });
+  const deprecated = new Set<string>();
+  if (store.profiles[CLAUDE_CLI_PROFILE_ID] || cfg.auth?.profiles?.[CLAUDE_CLI_PROFILE_ID]) {
+    deprecated.add(CLAUDE_CLI_PROFILE_ID);
+  }
+  if (store.profiles[CODEX_CLI_PROFILE_ID] || cfg.auth?.profiles?.[CODEX_CLI_PROFILE_ID]) {
+    deprecated.add(CODEX_CLI_PROFILE_ID);
+  }
+
+  if (deprecated.size === 0) return cfg;
+
+  const lines = ["Deprecated external CLI auth profiles detected (no longer supported):"];
+  if (deprecated.has(CLAUDE_CLI_PROFILE_ID)) {
+    lines.push(
+      `- ${CLAUDE_CLI_PROFILE_ID} (Anthropic): use setup-token → ${formatCliCommand("clawdbot models auth setup-token")}`,
+    );
+  }
+  if (deprecated.has(CODEX_CLI_PROFILE_ID)) {
+    lines.push(
+      `- ${CODEX_CLI_PROFILE_ID} (OpenAI Codex): use OAuth → ${formatCliCommand(
+        "clawdbot models auth login --provider openai-codex",
+      )}`,
+    );
+  }
+  note(lines.join("\n"), "Auth profiles");
+
+  const shouldRemove = await prompter.confirmRepair({
+    message: "Remove deprecated CLI auth profiles now?",
+    initialValue: true,
+  });
+  if (!shouldRemove) return cfg;
+
+  await updateAuthProfileStoreWithLock({
+    updater: (nextStore) => {
+      let mutated = false;
+      for (const id of deprecated) {
+        if (nextStore.profiles[id]) {
+          delete nextStore.profiles[id];
+          mutated = true;
+        }
+        if (nextStore.usageStats?.[id]) {
+          delete nextStore.usageStats[id];
+          mutated = true;
+        }
+      }
+      if (nextStore.order) {
+        for (const [provider, list] of Object.entries(nextStore.order)) {
+          const filtered = list.filter((id) => !deprecated.has(id));
+          if (filtered.length !== list.length) {
+            mutated = true;
+            if (filtered.length > 0) {
+              nextStore.order[provider] = filtered;
+            } else {
+              delete nextStore.order[provider];
+            }
+          }
+        }
+      }
+      if (nextStore.lastGood) {
+        for (const [provider, profileId] of Object.entries(nextStore.lastGood)) {
+          if (deprecated.has(profileId)) {
+            delete nextStore.lastGood[provider];
+            mutated = true;
+          }
+        }
+      }
+      return mutated;
+    },
+  });
+
+  const pruned = pruneAuthProfiles(cfg, deprecated);
+  if (pruned.changed) {
+    note(
+      Array.from(deprecated.values())
+        .map((id) => `- removed ${id} from config`)
+        .join("\n"),
+      "Doctor changes",
+    );
+  }
+  return pruned.next;
+}
+
 type AuthIssue = {
  profileId: string;
  provider: string;
@ -47,10 +190,14 @@ type AuthIssue = {

 function formatAuthIssueHint(issue: AuthIssue): string | null {
  if (issue.provider === "anthropic" && issue.profileId === CLAUDE_CLI_PROFILE_ID) {
-    return "Run `claude setup-token` on the gateway host.";
+    return `Deprecated profile. Use ${formatCliCommand("clawdbot models auth setup-token")} or ${formatCliCommand(
+      "clawdbot configure",
+    )}.`;
  }
  if (issue.provider === "openai-codex" && issue.profileId === CODEX_CLI_PROFILE_ID) {
-    return `Run \`codex login\` (or \`${formatCliCommand("clawdbot configure")}\` → OpenAI Codex OAuth).`;
+    return `Deprecated profile. Use ${formatCliCommand(
+      "clawdbot models auth login --provider openai-codex",
+    )} or ${formatCliCommand("clawdbot configure")}.`;
  }
  return `Re-auth via \`${formatCliCommand("clawdbot configure")}\` or \`${formatCliCommand("clawdbot onboard")}\`.`;
 }
--- a/src/commands/doctor-security.test.ts
+++ b/src/commands/doctor-security.test.ts
@ -0,0 +1,71 @@
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+
+import type { ClawdbotConfig } from "../config/config.js";
+
+const note = vi.hoisted(() => vi.fn());
+
+vi.mock("../terminal/note.js", () => ({
+  note,
+}));
+
+vi.mock("../channels/plugins/index.js", () => ({
+  listChannelPlugins: () => [],
+}));
+
+import { noteSecurityWarnings } from "./doctor-security.js";
+
+describe("noteSecurityWarnings gateway exposure", () => {
+  let prevToken: string | undefined;
+  let prevPassword: string | undefined;
+
+  beforeEach(() => {
+    note.mockClear();
+    prevToken = process.env.CLAWDBOT_GATEWAY_TOKEN;
+    prevPassword = process.env.CLAWDBOT_GATEWAY_PASSWORD;
+    delete process.env.CLAWDBOT_GATEWAY_TOKEN;
+    delete process.env.CLAWDBOT_GATEWAY_PASSWORD;
+  });
+
+  afterEach(() => {
+    if (prevToken === undefined) delete process.env.CLAWDBOT_GATEWAY_TOKEN;
+    else process.env.CLAWDBOT_GATEWAY_TOKEN = prevToken;
+    if (prevPassword === undefined) delete process.env.CLAWDBOT_GATEWAY_PASSWORD;
+    else process.env.CLAWDBOT_GATEWAY_PASSWORD = prevPassword;
+  });
+
+  const lastMessage = () => String(note.mock.calls.at(-1)?.[0] ?? "");
+
+  it("warns when exposed without auth", async () => {
+    const cfg = { gateway: { bind: "lan" } } as ClawdbotConfig;
+    await noteSecurityWarnings(cfg);
+    const message = lastMessage();
+    expect(message).toContain("CRITICAL");
+    expect(message).toContain("without authentication");
+  });
+
+  it("uses env token to avoid critical warning", async () => {
+    process.env.CLAWDBOT_GATEWAY_TOKEN = "token-123";
+    const cfg = { gateway: { bind: "lan" } } as ClawdbotConfig;
+    await noteSecurityWarnings(cfg);
+    const message = lastMessage();
+    expect(message).toContain("WARNING");
+    expect(message).not.toContain("CRITICAL");
+  });
+
+  it("treats whitespace token as missing", async () => {
+    const cfg = {
+      gateway: { bind: "lan", auth: { mode: "token", token: "   " } },
+    } as ClawdbotConfig;
+    await noteSecurityWarnings(cfg);
+    const message = lastMessage();
+    expect(message).toContain("CRITICAL");
+  });
+
+  it("skips warning for loopback bind", async () => {
+    const cfg = { gateway: { bind: "loopback" } } as ClawdbotConfig;
+    await noteSecurityWarnings(cfg);
+    const message = lastMessage();
+    expect(message).toContain("No channel security warnings detected");
+    expect(message).not.toContain("Gateway bound");
+  });
+});
--- a/src/commands/doctor-security.ts
+++ b/src/commands/doctor-security.ts
@ -1,10 +1,12 @@
 import { resolveChannelDefaultAccountId } from "../channels/plugins/helpers.js";
 import { listChannelPlugins } from "../channels/plugins/index.js";
 import type { ChannelId } from "../channels/plugins/types.js";
-import type { ClawdbotConfig } from "../config/config.js";
+import type { ClawdbotConfig, GatewayBindMode } from "../config/config.js";
 import { readChannelAllowFromStore } from "../pairing/pairing-store.js";
 import { note } from "../terminal/note.js";
 import { formatCliCommand } from "../cli/command-format.js";
+import { resolveGatewayAuth } from "../gateway/auth.js";
+import { isLoopbackHost, resolveGatewayBindHost } from "../gateway/net.js";

 export async function noteSecurityWarnings(cfg: ClawdbotConfig) {
  const warnings: string[] = [];
@ -16,50 +18,55 @@ export async function noteSecurityWarnings(cfg: ClawdbotConfig) {
  // Check for dangerous gateway binding configurations
  // that expose the gateway to network without proper auth

-  const gatewayBind = cfg.gateway?.bind ?? "loopback";
+  const gatewayBind = (cfg.gateway?.bind ?? "loopback") as string;
  const customBindHost = cfg.gateway?.customBindHost?.trim();
-  const authMode = cfg.gateway?.auth?.mode ?? "off";
-  const authToken = cfg.gateway?.auth?.token;
-  const authPassword = cfg.gateway?.auth?.password;
+  const bindModes: GatewayBindMode[] = ["auto", "lan", "loopback", "custom", "tailnet"];
+  const bindMode = bindModes.includes(gatewayBind as GatewayBindMode)
+    ? (gatewayBind as GatewayBindMode)
+    : undefined;
+  const resolvedBindHost = bindMode
+    ? await resolveGatewayBindHost(bindMode, customBindHost)
+    : "0.0.0.0";
+  const isExposed = !isLoopbackHost(resolvedBindHost);

-  const isLoopbackBindHost = (host: string) => {
-    const normalized = host.trim().toLowerCase();
-    return (
-      normalized === "localhost" ||
-      normalized === "::1" ||
-      normalized === "[::1]" ||
-      normalized.startsWith("127.")
-    );
-  };
-
-  // Bindings that expose gateway beyond localhost
-  const exposedBindings = ["all", "lan", "0.0.0.0"];
-  const isExposed =
-    exposedBindings.includes(gatewayBind) ||
-    (gatewayBind === "custom" && (!customBindHost || !isLoopbackBindHost(customBindHost)));
+  const resolvedAuth = resolveGatewayAuth({
+    authConfig: cfg.gateway?.auth,
+    env: process.env,
+    tailscaleMode: cfg.gateway?.tailscale?.mode ?? "off",
+  });
+  const authToken = resolvedAuth.token?.trim() ?? "";
+  const authPassword = resolvedAuth.password?.trim() ?? "";
+  const hasToken = authToken.length > 0;
+  const hasPassword = authPassword.length > 0;
+  const hasSharedSecret =
+    (resolvedAuth.mode === "token" && hasToken) ||
+    (resolvedAuth.mode === "password" && hasPassword);
+  const bindDescriptor = `"${gatewayBind}" (${resolvedBindHost})`;

  if (isExposed) {
-    if (authMode === "off") {
+    if (!hasSharedSecret) {
+      const authFixLines =
+        resolvedAuth.mode === "password"
+          ? [
+              `  Fix: ${formatCliCommand("clawdbot configure")} to set a password`,
+              `  Or switch to token: ${formatCliCommand("clawdbot config set gateway.auth.mode token")}`,
+            ]
+          : [
+              `  Fix: ${formatCliCommand("clawdbot doctor --fix")} to generate a token`,
+              `  Or set token directly: ${formatCliCommand(
+                "clawdbot config set gateway.auth.mode token",
+              )}`,
+            ];
      warnings.push(
-        `- CRITICAL: Gateway bound to "${gatewayBind}" with NO authentication.`,
+        `- CRITICAL: Gateway bound to ${bindDescriptor} without authentication.`,
        `  Anyone on your network (or internet if port-forwarded) can fully control your agent.`,
        `  Fix: ${formatCliCommand("clawdbot config set gateway.bind loopback")}`,
-        `  Or enable auth: ${formatCliCommand("clawdbot config set gateway.auth.mode token")}`,
-      );
-    } else if (authMode === "token" && !authToken) {
-      warnings.push(
-        `- CRITICAL: Gateway bound to "${gatewayBind}" with empty auth token.`,
-        `  Fix: ${formatCliCommand("clawdbot doctor --fix")} to generate a token`,
-      );
-    } else if (authMode === "password" && !authPassword) {
-      warnings.push(
-        `- CRITICAL: Gateway bound to "${gatewayBind}" with empty password.`,
-        `  Fix: ${formatCliCommand("clawdbot configure")} to set a password`,
+        ...authFixLines,
      );
    } else {
      // Auth is configured, but still warn about network exposure
      warnings.push(
-        `- WARNING: Gateway bound to "${gatewayBind}" (network-accessible).`,
+        `- WARNING: Gateway bound to ${bindDescriptor} (network-accessible).`,
        `  Ensure your auth credentials are strong and not exposed.`,
      );
    }
--- a/src/commands/doctor.ts
+++ b/src/commands/doctor.ts
@ -22,7 +22,11 @@ import { defaultRuntime } from "../runtime.js";
 import { note } from "../terminal/note.js";
 import { stylePromptTitle } from "../terminal/prompt-style.js";
 import { shortenHomePath } from "../utils.js";
-import { maybeRepairAnthropicOAuthProfileId, noteAuthProfileHealth } from "./doctor-auth.js";
+import {
+  maybeRemoveDeprecatedCliAuthProfiles,
+  maybeRepairAnthropicOAuthProfileId,
+  noteAuthProfileHealth,
+} from "./doctor-auth.js";
 import { loadAndMaybeMigrateDoctorConfig } from "./doctor-config-flow.js";
 import { maybeRepairGatewayDaemon } from "./doctor-gateway-daemon-flow.js";
 import { checkGatewayHealth } from "./doctor-gateway-health.js";
@ -104,6 +108,7 @@ export async function doctorCommand(
  }

  cfg = await maybeRepairAnthropicOAuthProfileId(cfg, prompter);
+  cfg = await maybeRemoveDeprecatedCliAuthProfiles(cfg, prompter);
  await noteAuthProfileHealth({
    cfg,
    prompter,
--- a/src/commands/models/auth.ts
+++ b/src/commands/models/auth.ts
@ -1,12 +1,6 @@
-import { spawnSync } from "node:child_process";
-
 import { confirm as clackConfirm, select as clackSelect, text as clackText } from "@clack/prompts";

-import {
-  CLAUDE_CLI_PROFILE_ID,
-  ensureAuthProfileStore,
-  upsertAuthProfile,
-} from "../../agents/auth-profiles.js";
+import { upsertAuthProfile } from "../../agents/auth-profiles.js";
 import { normalizeProviderId } from "../../agents/model-selection.js";
 import {
  resolveAgentDir,
@ -33,6 +27,7 @@ import type {
  ProviderPlugin,
 } from "../../plugins/types.js";
 import type { AuthProfileCredential } from "../../agents/auth-profiles/types.js";
+import { validateAnthropicSetupToken } from "../auth-token.js";

 const confirm = (params: Parameters<typeof clackConfirm>[0]) =>
  clackConfirm({
@ -73,9 +68,7 @@ export async function modelsAuthSetupTokenCommand(
 ) {
  const provider = resolveTokenProvider(opts.provider ?? "anthropic");
  if (provider !== "anthropic") {
-    throw new Error(
-      "Only --provider anthropic is supported for setup-token (uses `claude setup-token`).",
-    );
+    throw new Error("Only --provider anthropic is supported for setup-token.");
  }

  if (!process.stdin.isTTY) {
@ -84,38 +77,38 @@ export async function modelsAuthSetupTokenCommand(

  if (!opts.yes) {
    const proceed = await confirm({
-      message: "Run `claude setup-token` now?",
+      message: "Have you run `claude setup-token` and copied the token?",
      initialValue: true,
    });
    if (!proceed) return;
  }

-  const res = spawnSync("claude", ["setup-token"], { stdio: "inherit" });
-  if (res.error) throw res.error;
-  if (typeof res.status === "number" && res.status !== 0) {
-    throw new Error(`claude setup-token failed (exit ${res.status})`);
-  }
-
-  const store = ensureAuthProfileStore(undefined, {
-    allowKeychainPrompt: true,
+  const tokenInput = await text({
+    message: "Paste Anthropic setup-token",
+    validate: (value) => validateAnthropicSetupToken(String(value ?? "")),
+  });
+  const token = String(tokenInput).trim();
+  const profileId = resolveDefaultTokenProfileId(provider);
+
+  upsertAuthProfile({
+    profileId,
+    credential: {
+      type: "token",
+      provider,
+      token,
+    },
  });
-  const synced = store.profiles[CLAUDE_CLI_PROFILE_ID];
-  if (!synced) {
-    throw new Error(
-      `No Claude Code CLI credentials found after setup-token. Expected auth profile ${CLAUDE_CLI_PROFILE_ID}.`,
-    );
-  }

  await updateConfig((cfg) =>
    applyAuthProfileConfig(cfg, {
-      profileId: CLAUDE_CLI_PROFILE_ID,
-      provider: "anthropic",
-      mode: "oauth",
+      profileId,
+      provider,
+      mode: "token",
    }),
  );

  logConfigUpdated(runtime);
-  runtime.log(`Auth profile: ${CLAUDE_CLI_PROFILE_ID} (anthropic/oauth)`);
+  runtime.log(`Auth profile: ${profileId} (${provider}/token)`);
 }

 export async function modelsAuthPasteTokenCommand(
@ -189,7 +182,7 @@ export async function modelsAuthAddCommand(_opts: Record<string, never>, runtime
            {
              value: "setup-token",
              label: "setup-token (claude)",
-              hint: "Runs `claude setup-token` (recommended)",
+              hint: "Paste a setup-token from `claude setup-token`",
            },
          ]
        : []),
--- a/src/commands/models/list.status-command.ts
+++ b/src/commands/models/list.status-command.ts
@ -487,7 +487,7 @@ export async function modelsStatusCommand(
    for (const provider of missingProvidersInUse) {
      const hint =
        provider === "anthropic"
-          ? `Run \`claude setup-token\` or \`${formatCliCommand("clawdbot configure")}\`.`
+          ? `Run \`claude setup-token\`, then \`${formatCliCommand("clawdbot models auth setup-token")}\` or \`${formatCliCommand("clawdbot configure")}\`.`
          : `Run \`${formatCliCommand("clawdbot configure")}\` or set an API key env var.`;
      runtime.log(`- ${theme.heading(provider)} ${hint}`);
    }
@ -558,9 +558,7 @@ export async function modelsStatusCommand(
            : profile.expiresAt
              ? ` expires in ${formatRemainingShort(profile.remainingMs)}`
              : " expires unknown";
-        const source =
-          profile.source !== "store" ? colorize(rich, theme.muted, ` (${profile.source})`) : "";
-        runtime.log(`  - ${label} ${status}${expiry}${source}`);
+        runtime.log(`  - ${label} ${status}${expiry}`);
      }
    }
  }
--- a/src/commands/onboard-auth.test.ts
+++ b/src/commands/onboard-auth.test.ts
@ -154,13 +154,13 @@ describe("applyAuthProfileConfig", () => {
        },
      },
      {
-        profileId: "anthropic:claude-cli",
+        profileId: "anthropic:work",
        provider: "anthropic",
        mode: "oauth",
      },
    );

-    expect(next.auth?.order?.anthropic).toEqual(["anthropic:claude-cli", "anthropic:default"]);
+    expect(next.auth?.order?.anthropic).toEqual(["anthropic:work", "anthropic:default"]);
  });
 });

--- a/src/commands/onboard-non-interactive.gateway.test.ts
+++ b/src/commands/onboard-non-interactive.gateway.test.ts
@ -210,7 +210,7 @@ describe("onboard (non-interactive): gateway and remote auth", () => {
    await fs.rm(stateDir, { recursive: true, force: true });
  }, 60_000);

-  it("auto-enables token auth when binding LAN and persists the token", async () => {
+  it("auto-generates token auth when binding LAN and persists the token", async () => {
    if (process.platform === "win32") {
      // Windows runner occasionally drops the temp config write in this flow; skip to keep CI green.
      return;
@ -242,7 +242,6 @@ describe("onboard (non-interactive): gateway and remote auth", () => {
        installDaemon: false,
        gatewayPort: port,
        gatewayBind: "lan",
-        gatewayAuth: "off",
      },
      runtime,
    );
--- a/src/commands/onboard-non-interactive/local/auth-choice.ts
+++ b/src/commands/onboard-non-interactive/local/auth-choice.ts
@ -1,9 +1,4 @@
-import {
-  CLAUDE_CLI_PROFILE_ID,
-  CODEX_CLI_PROFILE_ID,
-  ensureAuthProfileStore,
-  upsertAuthProfile,
-} from "../../../agents/auth-profiles.js";
+import { upsertAuthProfile } from "../../../agents/auth-profiles.js";
 import { normalizeProviderId } from "../../../agents/model-selection.js";
 import { parseDurationMs } from "../../../cli/parse-duration.js";
 import type { ClawdbotConfig } from "../../../config/config.js";
@ -38,7 +33,6 @@ import {
  setZaiApiKey,
 } from "../../onboard-auth.js";
 import type { AuthChoice, OnboardOptions } from "../../onboard-types.js";
-import { applyOpenAICodexModelDefault } from "../../openai-codex-model-default.js";
 import { resolveNonInteractiveApiKey } from "../api-keys.js";
 import { shortenHomePath } from "../../../utils.js";

@ -52,6 +46,28 @@ export async function applyNonInteractiveAuthChoice(params: {
  const { authChoice, opts, runtime, baseConfig } = params;
  let nextConfig = params.nextConfig;

+  if (authChoice === "claude-cli" || authChoice === "codex-cli") {
+    runtime.error(
+      [
+        `Auth choice "${authChoice}" is deprecated.`,
+        'Use "--auth-choice token" (Anthropic setup-token) or "--auth-choice openai-codex".',
+      ].join("\n"),
+    );
+    runtime.exit(1);
+    return null;
+  }
+
+  if (authChoice === "setup-token") {
+    runtime.error(
+      [
+        'Auth choice "setup-token" requires interactive mode.',
+        'Use "--auth-choice token" with --token and --token-provider anthropic.',
+      ].join("\n"),
+    );
+    runtime.exit(1);
+    return null;
+  }
+
  if (authChoice === "apiKey") {
    const resolved = await resolveNonInteractiveApiKey({
      provider: "anthropic",
@ -339,41 +355,6 @@ export async function applyNonInteractiveAuthChoice(params: {
    return applyMinimaxApiConfig(nextConfig, modelId);
  }

-  if (authChoice === "claude-cli") {
-    const store = ensureAuthProfileStore(undefined, {
-      allowKeychainPrompt: false,
-    });
-    if (!store.profiles[CLAUDE_CLI_PROFILE_ID]) {
-      runtime.error(
-        process.platform === "darwin"
-          ? 'No Claude Code CLI credentials found. Run interactive onboarding to approve Keychain access for "Claude Code-credentials".'
-          : "No Claude Code CLI credentials found at ~/.claude/.credentials.json",
-      );
-      runtime.exit(1);
-      return null;
-    }
-    return applyAuthProfileConfig(nextConfig, {
-      profileId: CLAUDE_CLI_PROFILE_ID,
-      provider: "anthropic",
-      mode: "oauth",
-    });
-  }
-
-  if (authChoice === "codex-cli") {
-    const store = ensureAuthProfileStore();
-    if (!store.profiles[CODEX_CLI_PROFILE_ID]) {
-      runtime.error("No Codex CLI credentials found at ~/.codex/auth.json");
-      runtime.exit(1);
-      return null;
-    }
-    nextConfig = applyAuthProfileConfig(nextConfig, {
-      profileId: CODEX_CLI_PROFILE_ID,
-      provider: "openai-codex",
-      mode: "oauth",
-    });
-    return applyOpenAICodexModelDefault(nextConfig).next;
-  }
-
  if (authChoice === "minimax") return applyMinimaxConfig(nextConfig);

  if (authChoice === "opencode-zen") {
--- a/src/commands/onboard-non-interactive/local/gateway-config.ts
+++ b/src/commands/onboard-non-interactive/local/gateway-config.ts
@ -28,16 +28,20 @@ export function applyNonInteractiveGatewayConfig(params: {

  const port = hasGatewayPort ? (opts.gatewayPort as number) : params.defaultPort;
  let bind = opts.gatewayBind ?? "loopback";
-  let authMode = opts.gatewayAuth ?? "token";
+  const authModeRaw = opts.gatewayAuth ?? "token";
+  if (authModeRaw !== "token" && authModeRaw !== "password") {
+    runtime.error("Invalid --gateway-auth (use token|password).");
+    runtime.exit(1);
+    return null;
+  }
+  let authMode = authModeRaw;
  const tailscaleMode = opts.tailscale ?? "off";
  const tailscaleResetOnExit = Boolean(opts.tailscaleResetOnExit);

  // Tighten config to safe combos:
  // - If Tailscale is on, force loopback bind (the tunnel handles external access).
-  // - If binding beyond loopback, disallow auth=off.
  // - If using Tailscale Funnel, require password auth.
  if (tailscaleMode !== "off" && bind !== "loopback") bind = "loopback";
-  if (authMode === "off" && bind !== "loopback") authMode = "token";
  if (tailscaleMode === "funnel" && authMode !== "password") authMode = "password";

  let nextConfig = params.nextConfig;
--- a/src/commands/onboard-types.ts
+++ b/src/commands/onboard-types.ts
@ -33,7 +33,7 @@ export type AuthChoice =
  | "copilot-proxy"
  | "qwen-portal"
  | "skip";
-export type GatewayAuthChoice = "off" | "token" | "password";
+export type GatewayAuthChoice = "token" | "password";
 export type ResetScope = "config" | "config+creds+sessions" | "full";
 export type GatewayBind = "loopback" | "lan" | "auto" | "custom" | "tailnet";
 export type TailscaleMode = "off" | "serve" | "funnel";
--- a/src/commands/onboard.ts
+++ b/src/commands/onboard.ts
@ -12,9 +12,33 @@ import type { OnboardOptions } from "./onboard-types.js";
 export async function onboardCommand(opts: OnboardOptions, runtime: RuntimeEnv = defaultRuntime) {
  assertSupportedRuntime(runtime);
  const authChoice = opts.authChoice === "oauth" ? ("setup-token" as const) : opts.authChoice;
+  const normalizedAuthChoice =
+    authChoice === "claude-cli"
+      ? ("setup-token" as const)
+      : authChoice === "codex-cli"
+        ? ("openai-codex" as const)
+        : authChoice;
+  if (opts.nonInteractive && (authChoice === "claude-cli" || authChoice === "codex-cli")) {
+    runtime.error(
+      [
+        `Auth choice "${authChoice}" is deprecated.`,
+        'Use "--auth-choice token" (Anthropic setup-token) or "--auth-choice openai-codex".',
+      ].join("\n"),
+    );
+    runtime.exit(1);
+    return;
+  }
+  if (authChoice === "claude-cli") {
+    runtime.log('Auth choice "claude-cli" is deprecated; using setup-token flow instead.');
+  }
+  if (authChoice === "codex-cli") {
+    runtime.log('Auth choice "codex-cli" is deprecated; using OpenAI Codex OAuth instead.');
+  }
  const flow = opts.flow === "manual" ? ("advanced" as const) : opts.flow;
  const normalizedOpts =
-    authChoice === opts.authChoice && flow === opts.flow ? opts : { ...opts, authChoice, flow };
+    normalizedAuthChoice === opts.authChoice && flow === opts.flow
+      ? opts
+      : { ...opts, authChoice: normalizedAuthChoice, flow };

  if (normalizedOpts.nonInteractive && normalizedOpts.acceptRisk !== true) {
    runtime.error(
--- a/src/config/schema.ts
+++ b/src/config/schema.ts
@ -199,6 +199,7 @@ const FIELD_LABELS: Record<string, string> = {
  "tools.web.fetch.userAgent": "Web Fetch User-Agent",
  "gateway.controlUi.basePath": "Control UI Base Path",
  "gateway.controlUi.allowInsecureAuth": "Allow Insecure Control UI Auth",
+  "gateway.controlUi.dangerouslyDisableDeviceAuth": "Dangerously Disable Control UI Device Auth",
  "gateway.http.endpoints.chatCompletions.enabled": "OpenAI Chat Completions Endpoint",
  "gateway.reload.mode": "Config Reload Mode",
  "gateway.reload.debounceMs": "Config Reload Debounce (ms)",
@ -321,6 +322,8 @@ const FIELD_LABELS: Record<string, string> = {
  "channels.discord.retry.maxDelayMs": "Discord Retry Max Delay (ms)",
  "channels.discord.retry.jitter": "Discord Retry Jitter",
  "channels.discord.maxLinesPerMessage": "Discord Max Lines Per Message",
+  "channels.discord.intents.presence": "Discord Presence Intent",
+  "channels.discord.intents.guildMembers": "Discord Guild Members Intent",
  "channels.slack.dm.policy": "Slack DM Policy",
  "channels.slack.allowBots": "Slack Allow Bot Messages",
  "channels.discord.token": "Discord Bot Token",
@ -379,6 +382,8 @@ const FIELD_HELP: Record<string, string> = {
    "Optional URL prefix where the Control UI is served (e.g. /clawdbot).",
  "gateway.controlUi.allowInsecureAuth":
    "Allow Control UI auth over insecure HTTP (token-only; not recommended).",
+  "gateway.controlUi.dangerouslyDisableDeviceAuth":
+    "DANGEROUS. Disable Control UI device identity checks (token/password only).",
  "gateway.http.endpoints.chatCompletions.enabled":
    "Enable the OpenAI-compatible `POST /v1/chat/completions` endpoint (default: false).",
  "gateway.reload.mode": 'Hot reload strategy for config changes ("hybrid" recommended).',
@ -657,6 +662,10 @@ const FIELD_HELP: Record<string, string> = {
  "channels.discord.retry.maxDelayMs": "Maximum retry delay cap in ms for Discord outbound calls.",
  "channels.discord.retry.jitter": "Jitter factor (0-1) applied to Discord retry delays.",
  "channels.discord.maxLinesPerMessage": "Soft max line count per Discord message (default: 17).",
+  "channels.discord.intents.presence":
+    "Enable the Guild Presences privileged intent. Must also be enabled in the Discord Developer Portal. Allows tracking user activities (e.g. Spotify). Default: false.",
+  "channels.discord.intents.guildMembers":
+    "Enable the Guild Members privileged intent. Must also be enabled in the Discord Developer Portal. Default: false.",
  "channels.slack.dm.policy":
    'Direct message access control ("pairing" recommended). "open" requires channels.slack.dm.allowFrom=["*"].',
 };
--- a/src/config/types.discord.ts
+++ b/src/config/types.discord.ts
@ -72,6 +72,13 @@ export type DiscordActionConfig = {
  channels?: boolean;
 };

+export type DiscordIntentsConfig = {
+  /** Enable Guild Presences privileged intent (requires Portal opt-in). Default: false. */
+  presence?: boolean;
+  /** Enable Guild Members privileged intent (requires Portal opt-in). Default: false. */
+  guildMembers?: boolean;
+};
+
 export type DiscordExecApprovalConfig = {
  /** Enable exec approval forwarding to Discord DMs. Default: false. */
  enabled?: boolean;
@ -139,6 +146,8 @@ export type DiscordAccountConfig = {
  heartbeat?: ChannelHeartbeatVisibilityConfig;
  /** Exec approval forwarding configuration. */
  execApprovals?: DiscordExecApprovalConfig;
+  /** Privileged Gateway Intents (must also be enabled in Discord Developer Portal). */
+  intents?: DiscordIntentsConfig;
 };

 export type DiscordConfig = {
--- a/src/config/types.gateway.ts
+++ b/src/config/types.gateway.ts
@ -66,6 +66,8 @@ export type GatewayControlUiConfig = {
  basePath?: string;
  /** Allow token-only auth over insecure HTTP (default: false). */
  allowInsecureAuth?: boolean;
+  /** DANGEROUS: Disable device identity checks for the Control UI (default: false). */
+  dangerouslyDisableDeviceAuth?: boolean;
 };

 export type GatewayAuthMode = "token" | "password";
--- a/src/config/zod-schema.providers-core.ts
+++ b/src/config/zod-schema.providers-core.ts
@ -256,6 +256,13 @@ export const DiscordAccountSchema = z
      })
      .strict()
      .optional(),
+    intents: z
+      .object({
+        presence: z.boolean().optional(),
+        guildMembers: z.boolean().optional(),
+      })
+      .strict()
+      .optional(),
  })
  .strict();

--- a/src/config/zod-schema.ts
+++ b/src/config/zod-schema.ts
@ -319,6 +319,7 @@ export const ClawdbotSchema = z
            enabled: z.boolean().optional(),
            basePath: z.string().optional(),
            allowInsecureAuth: z.boolean().optional(),
+            dangerouslyDisableDeviceAuth: z.boolean().optional(),
          })
          .strict()
          .optional(),
--- a/src/discord/monitor.slash.test.ts
+++ b/src/discord/monitor.slash.test.ts
@ -16,6 +16,7 @@ vi.mock("@buape/carbon", () => ({
  MessageCreateListener: class {},
  MessageReactionAddListener: class {},
  MessageReactionRemoveListener: class {},
+  PresenceUpdateListener: class {},
  Row: class {
    constructor(_components: unknown[]) {}
  },
--- a/src/discord/monitor/listeners.ts
+++ b/src/discord/monitor/listeners.ts
@ -4,11 +4,13 @@ import {
  MessageCreateListener,
  MessageReactionAddListener,
  MessageReactionRemoveListener,
+  PresenceUpdateListener,
 } from "@buape/carbon";

 import { danger } from "../../globals.js";
 import { formatDurationSeconds } from "../../infra/format-duration.js";
 import { enqueueSystemEvent } from "../../infra/system-events.js";
+import { setPresence } from "./presence-cache.js";
 import { createSubsystemLogger } from "../../logging/subsystem.js";
 import { resolveAgentRoute } from "../../routing/resolve-route.js";
 import {
@ -269,3 +271,34 @@ async function handleDiscordReactionEvent(params: {
    params.logger.error(danger(`discord reaction handler failed: ${String(err)}`));
  }
 }
+
+type PresenceUpdateEvent = Parameters<PresenceUpdateListener["handle"]>[0];
+
+export class DiscordPresenceListener extends PresenceUpdateListener {
+  private logger?: Logger;
+  private accountId?: string;
+
+  constructor(params: { logger?: Logger; accountId?: string }) {
+    super();
+    this.logger = params.logger;
+    this.accountId = params.accountId;
+  }
+
+  async handle(data: PresenceUpdateEvent) {
+    try {
+      const userId =
+        "user" in data && data.user && typeof data.user === "object" && "id" in data.user
+          ? String(data.user.id)
+          : undefined;
+      if (!userId) return;
+      setPresence(
+        this.accountId,
+        userId,
+        data as import("discord-api-types/v10").GatewayPresenceUpdate,
+      );
+    } catch (err) {
+      const logger = this.logger ?? discordEventQueueLog;
+      logger.error(danger(`discord presence handler failed: ${String(err)}`));
+    }
+  }
+}
--- a/src/discord/monitor/presence-cache.test.ts
+++ b/src/discord/monitor/presence-cache.test.ts
@ -0,0 +1,34 @@
+import { beforeEach, describe, expect, it } from "vitest";
+import type { GatewayPresenceUpdate } from "discord-api-types/v10";
+import { clearPresences, getPresence, presenceCacheSize, setPresence } from "./presence-cache.js";
+
+describe("presence-cache", () => {
+  beforeEach(() => {
+    clearPresences();
+  });
+
+  it("scopes presence entries by account", () => {
+    const presenceA = { status: "online" } as GatewayPresenceUpdate;
+    const presenceB = { status: "idle" } as GatewayPresenceUpdate;
+
+    setPresence("account-a", "user-1", presenceA);
+    setPresence("account-b", "user-1", presenceB);
+
+    expect(getPresence("account-a", "user-1")).toBe(presenceA);
+    expect(getPresence("account-b", "user-1")).toBe(presenceB);
+    expect(getPresence("account-a", "user-2")).toBeUndefined();
+  });
+
+  it("clears presence per account", () => {
+    const presence = { status: "dnd" } as GatewayPresenceUpdate;
+
+    setPresence("account-a", "user-1", presence);
+    setPresence("account-b", "user-2", presence);
+
+    clearPresences("account-a");
+
+    expect(getPresence("account-a", "user-1")).toBeUndefined();
+    expect(getPresence("account-b", "user-2")).toBe(presence);
+    expect(presenceCacheSize()).toBe(1);
+  });
+});
--- a/src/discord/monitor/presence-cache.ts
+++ b/src/discord/monitor/presence-cache.ts
@ -0,0 +1,52 @@
+import type { GatewayPresenceUpdate } from "discord-api-types/v10";
+
+/**
+ * In-memory cache of Discord user presence data.
+ * Populated by PRESENCE_UPDATE gateway events when the GuildPresences intent is enabled.
+ */
+const presenceCache = new Map<string, Map<string, GatewayPresenceUpdate>>();
+
+function resolveAccountKey(accountId?: string): string {
+  return accountId ?? "default";
+}
+
+/** Update cached presence for a user. */
+export function setPresence(
+  accountId: string | undefined,
+  userId: string,
+  data: GatewayPresenceUpdate,
+): void {
+  const accountKey = resolveAccountKey(accountId);
+  let accountCache = presenceCache.get(accountKey);
+  if (!accountCache) {
+    accountCache = new Map();
+    presenceCache.set(accountKey, accountCache);
+  }
+  accountCache.set(userId, data);
+}
+
+/** Get cached presence for a user. Returns undefined if not cached. */
+export function getPresence(
+  accountId: string | undefined,
+  userId: string,
+): GatewayPresenceUpdate | undefined {
+  return presenceCache.get(resolveAccountKey(accountId))?.get(userId);
+}
+
+/** Clear cached presence data. */
+export function clearPresences(accountId?: string): void {
+  if (accountId) {
+    presenceCache.delete(resolveAccountKey(accountId));
+    return;
+  }
+  presenceCache.clear();
+}
+
+/** Get the number of cached presence entries. */
+export function presenceCacheSize(): number {
+  let total = 0;
+  for (const accountCache of presenceCache.values()) {
+    total += accountCache.size;
+  }
+  return total;
+}
--- a/src/discord/monitor/provider.ts
+++ b/src/discord/monitor/provider.ts
@ -28,6 +28,7 @@ import { resolveDiscordUserAllowlist } from "../resolve-users.js";
 import { normalizeDiscordToken } from "../token.js";
 import {
  DiscordMessageListener,
+  DiscordPresenceListener,
  DiscordReactionListener,
  DiscordReactionRemoveListener,
  registerDiscordListener,
@ -109,6 +110,25 @@ function formatDiscordDeployErrorDetails(err: unknown): string {
  return details.length > 0 ? ` (${details.join(", ")})` : "";
 }

+function resolveDiscordGatewayIntents(
+  intentsConfig?: import("../../config/types.discord.js").DiscordIntentsConfig,
+): number {
+  let intents =
+    GatewayIntents.Guilds |
+    GatewayIntents.GuildMessages |
+    GatewayIntents.MessageContent |
+    GatewayIntents.DirectMessages |
+    GatewayIntents.GuildMessageReactions |
+    GatewayIntents.DirectMessageReactions;
+  if (intentsConfig?.presence) {
+    intents |= GatewayIntents.GuildPresences;
+  }
+  if (intentsConfig?.guildMembers) {
+    intents |= GatewayIntents.GuildMembers;
+  }
+  return intents;
+}
+
 export async function monitorDiscordProvider(opts: MonitorDiscordOpts = {}) {
  const cfg = opts.config ?? loadConfig();
  const account = resolveDiscordAccount({
@ -451,13 +471,7 @@ export async function monitorDiscordProvider(opts: MonitorDiscordOpts = {}) {
        reconnect: {
          maxAttempts: Number.POSITIVE_INFINITY,
        },
-        intents:
-          GatewayIntents.Guilds |
-          GatewayIntents.GuildMessages |
-          GatewayIntents.MessageContent |
-          GatewayIntents.DirectMessages |
-          GatewayIntents.GuildMessageReactions |
-          GatewayIntents.DirectMessageReactions,
+        intents: resolveDiscordGatewayIntents(discordCfg.intents),
        autoInteractions: true,
      }),
    ],
@ -527,6 +541,14 @@ export async function monitorDiscordProvider(opts: MonitorDiscordOpts = {}) {
    }),
  );

+  if (discordCfg.intents?.presence) {
+    registerDiscordListener(
+      client.listeners,
+      new DiscordPresenceListener({ logger, accountId: account.accountId }),
+    );
+    runtime.log?.("discord: GuildPresences intent enabled — presence listener registered");
+  }
+
  runtime.log?.(`logged in to discord${botUserId ? ` as ${botUserId}` : ""}`);

  // Start exec approvals handler after client is ready
--- a/src/gateway/auth.test.ts
+++ b/src/gateway/auth.test.ts
@ -5,8 +5,8 @@ import { authorizeGatewayConnect } from "./auth.js";
 describe("gateway auth", () => {
  it("does not throw when req is missing socket", async () => {
    const res = await authorizeGatewayConnect({
-      auth: { mode: "none", allowTailscale: false },
-      connectAuth: null,
+      auth: { mode: "token", token: "secret", allowTailscale: false },
+      connectAuth: { token: "secret" },
      // Regression: avoid crashing on req.socket.remoteAddress when callers pass a non-IncomingMessage.
      req: {} as never,
    });
@ -63,40 +63,10 @@ describe("gateway auth", () => {
    expect(res.reason).toBe("password_missing_config");
  });

-  it("reports tailscale auth reasons when required", async () => {
-    const reqBase = {
-      socket: { remoteAddress: "100.100.100.100" },
-      headers: { host: "gateway.local" },
-    };
-
-    const missingUser = await authorizeGatewayConnect({
-      auth: { mode: "none", allowTailscale: true },
-      connectAuth: null,
-      req: reqBase as never,
-    });
-    expect(missingUser.ok).toBe(false);
-    expect(missingUser.reason).toBe("tailscale_user_missing");
-
-    const missingProxy = await authorizeGatewayConnect({
-      auth: { mode: "none", allowTailscale: true },
-      connectAuth: null,
-      req: {
-        ...reqBase,
-        headers: {
-          host: "gateway.local",
-          "tailscale-user-login": "peter",
-          "tailscale-user-name": "Peter",
-        },
-      } as never,
-    });
-    expect(missingProxy.ok).toBe(false);
-    expect(missingProxy.reason).toBe("tailscale_proxy_missing");
-  });
-
  it("treats local tailscale serve hostnames as direct", async () => {
    const res = await authorizeGatewayConnect({
-      auth: { mode: "none", allowTailscale: true },
-      connectAuth: null,
+      auth: { mode: "token", token: "secret", allowTailscale: true },
+      connectAuth: { token: "secret" },
      req: {
        socket: { remoteAddress: "127.0.0.1" },
        headers: { host: "gateway.tailnet-1234.ts.net:443" },
@ -104,21 +74,7 @@ describe("gateway auth", () => {
    });

    expect(res.ok).toBe(true);
-    expect(res.method).toBe("none");
-  });
-
-  it("does not treat tailscale clients as direct", async () => {
-    const res = await authorizeGatewayConnect({
-      auth: { mode: "none", allowTailscale: true },
-      connectAuth: null,
-      req: {
-        socket: { remoteAddress: "100.64.0.42" },
-        headers: { host: "gateway.tailnet-1234.ts.net" },
-      } as never,
-    });
-
-    expect(res.ok).toBe(false);
-    expect(res.reason).toBe("tailscale_user_missing");
+    expect(res.method).toBe("token");
  });

  it("allows tailscale identity to satisfy token mode auth", async () => {
@ -143,41 +99,4 @@ describe("gateway auth", () => {
    expect(res.method).toBe("tailscale");
    expect(res.user).toBe("peter");
  });
-
-  it("rejects mismatched tailscale identity when required", async () => {
-    const res = await authorizeGatewayConnect({
-      auth: { mode: "none", allowTailscale: true },
-      connectAuth: null,
-      tailscaleWhois: async () => ({ login: "alice@example.com", name: "Alice" }),
-      req: {
-        socket: { remoteAddress: "127.0.0.1" },
-        headers: {
-          host: "gateway.local",
-          "x-forwarded-for": "100.64.0.1",
-          "x-forwarded-proto": "https",
-          "x-forwarded-host": "ai-hub.bone-egret.ts.net",
-          "tailscale-user-login": "peter@example.com",
-          "tailscale-user-name": "Peter",
-        },
-      } as never,
-    });
-
-    expect(res.ok).toBe(false);
-    expect(res.reason).toBe("tailscale_user_mismatch");
-  });
-
-  it("treats trusted proxy loopback clients as direct", async () => {
-    const res = await authorizeGatewayConnect({
-      auth: { mode: "none", allowTailscale: true },
-      connectAuth: null,
-      trustedProxies: ["10.0.0.2"],
-      req: {
-        socket: { remoteAddress: "10.0.0.2" },
-        headers: { host: "localhost", "x-forwarded-for": "127.0.0.1" },
-      } as never,
-    });
-
-    expect(res.ok).toBe(true);
-    expect(res.method).toBe("none");
-  });
 });
--- a/src/gateway/auth.ts
+++ b/src/gateway/auth.ts
@ -3,7 +3,7 @@ import type { IncomingMessage } from "node:http";
 import type { GatewayAuthConfig, GatewayTailscaleMode } from "../config/config.js";
 import { readTailscaleWhoisIdentity, type TailscaleWhoisIdentity } from "../infra/tailscale.js";
 import { isTrustedProxyAddress, parseForwardedForClientIp, resolveGatewayClientIp } from "./net.js";
-export type ResolvedGatewayAuthMode = "none" | "token" | "password";
+export type ResolvedGatewayAuthMode = "token" | "password";

 export type ResolvedGatewayAuth = {
  mode: ResolvedGatewayAuthMode;
@ -14,7 +14,7 @@ export type ResolvedGatewayAuth = {

 export type GatewayAuthResult = {
  ok: boolean;
-  method?: "none" | "token" | "password" | "tailscale" | "device-token";
+  method?: "token" | "password" | "tailscale" | "device-token";
  user?: string;
  reason?: string;
 };
@ -84,7 +84,7 @@ function resolveRequestClientIp(
  });
 }

-function isLocalDirectRequest(req?: IncomingMessage, trustedProxies?: string[]): boolean {
+export function isLocalDirectRequest(req?: IncomingMessage, trustedProxies?: string[]): boolean {
  if (!req) return false;
  const clientIp = resolveRequestClientIp(req, trustedProxies) ?? "";
  if (!isLoopbackAddress(clientIp)) return false;
@ -219,13 +219,6 @@ export async function authorizeGatewayConnect(params: {
        user: tailscaleCheck.user.login,
      };
    }
-    if (auth.mode === "none") {
-      return { ok: false, reason: tailscaleCheck.reason };
-    }
-  }
-
-  if (auth.mode === "none") {
-    return { ok: true, method: "none" };
  }

  if (auth.mode === "token") {
--- a/src/gateway/gateway.e2e.test.ts
+++ b/src/gateway/gateway.e2e.test.ts
@ -181,7 +181,7 @@ describe("gateway e2e", () => {
    const port = await getFreeGatewayPort();
    const server = await startGatewayServer(port, {
      bind: "loopback",
-      auth: { mode: "none" },
+      auth: { mode: "token", token: wizardToken },
      controlUiEnabled: false,
      wizardRunner: async (_opts, _runtime, prompter) => {
        await prompter.intro("Wizard E2E");
@ -197,6 +197,7 @@ describe("gateway e2e", () => {

    const client = await connectGatewayClient({
      url: `ws://127.0.0.1:${port}`,
+      token: wizardToken,
      clientDisplayName: "vitest-wizard",
    });

--- a/src/gateway/hooks.test.ts
+++ b/src/gateway/hooks.test.ts
@ -47,15 +47,21 @@ describe("gateway hooks helpers", () => {
      },
    } as unknown as IncomingMessage;
    const url = new URL("http://localhost/hooks/wake?token=query");
-    expect(extractHookToken(req, url)).toBe("top");
+    const result1 = extractHookToken(req, url);
+    expect(result1.token).toBe("top");
+    expect(result1.fromQuery).toBe(false);

    const req2 = {
      headers: { "x-clawdbot-token": "header" },
    } as unknown as IncomingMessage;
-    expect(extractHookToken(req2, url)).toBe("header");
+    const result2 = extractHookToken(req2, url);
+    expect(result2.token).toBe("header");
+    expect(result2.fromQuery).toBe(false);

    const req3 = { headers: {} } as unknown as IncomingMessage;
-    expect(extractHookToken(req3, url)).toBe("query");
+    const result3 = extractHookToken(req3, url);
+    expect(result3.token).toBe("query");
+    expect(result3.fromQuery).toBe(true);
  });

  test("normalizeWakePayload trims + validates", () => {
--- a/Show More
+++ b/Show More
				`@ -0,0 +1 @@`
				`custom: ['https://github.com/sponsors/steipete']`