* refactor: move slash commands to .claude/commands/dev/

* chore: remove old .claude/dev/ directory

---------

Co-authored-by: Claude <[email protected]>

…tions

Replaces non-atomic `fs.writeFile()` calls in `persistTranscript()` and
`persistDescription()` with atomic temp-file-then-rename pattern. This
prevents data corruption when concurrent webhook processing writes to
the same sidecar file.

Implementation:
- Created shared `atomicWriteFile()` utility in `src/utils/atomic-write.ts`
- Uses unique temp file with UUID suffix for each write operation
- POSIX-guaranteed atomic `fs.rename()` to final location
- Automatic cleanup of temp files on error
- Comprehensive unit tests covering atomic behavior, concurrent writes,
  error handling, and edge cases (9 tests, all passing)

Fixes:
- Race condition when duplicate webhooks process same media file
- Data corruption from interrupted writes leaving partial UTF-8 sequences
- Last-write-wins now atomic (no partial states visible)

Resolves openclaw#5 (todos/005-pending-p1-race-condition-sidecar-files.md)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

Updated todo file status from pending to resolved after implementing
atomic write pattern for sidecar file creation.

Implemented:
- Atomic write utility with comprehensive tests
- Applied to both transcription and video sidecar persistence
- All acceptance criteria met
- 9 unit tests passing

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

- Decision #5: Distill into TypeScript with Rust portability in mind
- Decision #6: Minimal viable agent is CLI + Claude + file tools
- Removed answered questions from Open Questions section

https://claude.ai/code/session_0171xZCAV5r6yGGgzMpGDDDP

Validates decision #5 (TypeScript with Rust portability):
- Rust library using napi-rs for Node.js bindings
- TypeScript wrapper that matches original interface
- 44 tests pass for both implementations (88 total)

Architecture: TypeScript handles async orchestration (summarizer callback),
Rust handles pure computation (token estimation, metadata extraction).

Files:
- crates/compaction/src/lib.rs - Rust implementation
- src/compaction/rust.ts - TypeScript wrapper
- src/compaction/rust.test.ts - Equivalent tests for Rust impl

https://claude.ai/code/session_011TWuFG2PPSUU497XsRQYwy

…ames-in-security-extensions

Fix implementations to use the correct tool names.

Create Issue openclaw#5 documenting the technical inaccuracy of deployment instructions that were incorrectly claiming the project was Python-based when it's actually a Node.js project.

Ω₀=0.02
F2✓ (documenting the error)
F7✓ (acknowledging technical inaccuracies)

…iner, Postgres traces, cost budgets, phase restructuring

Factsheet changes (12 architecture critiques):
- Add users table with auth provider (openclaw#1)
- Change all TEXT PKs to native UUID type (openclaw#2)
- Remove orphaned session_id from Task/TaskCommand/TaskResult (openclaw#3)
- Replace per-task containers with single shared Docker container (openclaw#4)
- Phase injection queue: in-memory Phase 1, Redis Phase 2+ (openclaw#5)
- Decouple Board Sync DB writes from WebSocket broadcasting (openclaw#6)
- Move trace storage from JSONL+index to Postgres-only (openclaw#7)
- Add chat_messages escalation to agent context (openclaw#8)
- Normalize discussion_messages into separate table (openclaw#9)
- Add PolicyEngine facade with single evaluate() entry point (openclaw#10)
- Add per-plugin Zod validation schemas for SourceConfig (openclaw#11)
- Add CostPolicy with token/cost budgets and cost_usage table (openclaw#12)

Blueprint changes (4 implementation improvements):
- Split Phase 1 into 4 sub-phases (1a-1d)
- Reorder: API skeleton before agent loop
- Defer frontend to Phase 5
- Add packages/shared for types and schemas

DB schema: 17 tables → 20 tables (added users, traces, discussion_messages, cost_usage)

https://claude.ai/code/session_01V2xvGqZqX6JKPGQeXyNMQW

The "pulling yourself up by your own hair" story perfectly
illustrates OpenClaw's self-development: AI using itself to
improve itself.

Added ASCII art and connection to real git history showing
Shadow, CLAWDINATOR, Jarvis commits.

Co-Authored-By: Claude Opus 4.5 <[email protected]>

Add comprehensive tests to close remaining refactor risks identified in
code-inspection.md. New coverage includes:

- Gateway mirror + A2A announce integration (Gap openclaw#1): 5 tests
- Role/source attribution interface contract (Gap openclaw#2): test.fails
- Config variations with vi.doMock pattern (Gap openclaw#9): 5 tests
- Tool restriction enforcement (Gap openclaw#5): 5 tests
- Concurrency/race safeguard (Gap openclaw#6): 5 tests + strategy docs

Total: 65 tests across 5 files (all passing)

Files:
- a2a-integration.regression.test.ts (new)
- config-variation.regression.test.ts (new)
- send-a2a-announce.integration.test.ts (new)
- Updated: a2a-flow, sessions-send-async, README, QC report

Co-authored-by: Cursor <[email protected]>

…d key support

## Summary
- Added deterministic idempotencyKey injection for side-effect tools (sessions_send,
  sessions_spawn, message, browser, nodes, canvas) during cron runs.
- Key is derived from runId + toolName + stable-stringified params (SHA-256).
- Only activates for cron-prefixed runIds; non-cron runs are unaffected.
- sessions_send now honors a provided idempotencyKey instead of always generating a UUID.
- Threaded runId through tool creation pipeline (pi-tools → attempt → tool-definition-adapter).
- Added contract tests: deterministic injection + sessions_send key passthrough.
- Updated existing before-tool-call tests with runId context.

## Why
- Cron retries after restarts were duplicating sends and tool calls because each retry
  generated a new random idempotency key. Deriving the key from the stable cron runId
  ensures replays produce the same key, enabling downstream dedupe. (Red-team risk openclaw#5)

## Systems
- agents (pi-tools, pi-tools.before-tool-call, pi-tool-definition-adapter,
  pi-embedded-runner, sessions-send-tool)

## Agent
- agent: MIS

Co-authored-by: Cursor <[email protected]>

- health-manager: use resolveConfigDir() for health-stats.json path (Critical #1)

- health-manager: replace console.error with subsystem logger (Minor #3)

- health-manager: document async load race condition (Minor #2)

- bindings: use resolveConfigDir() for routing.json path (Minor #5)