C# 13 / .NET 10 / WinUI 3 / Windows App SDK 1.8 implementation of the
OpenClaw node with 1:1 functional parity with the macOS Swift app.

Features: gateway WebSocket + ed25519 auth, system tray, canvas (WebView2),
camera.snap/clip, screen.record, system.run + exec approvals, Talk Mode
STT/TTS, onboarding wizard, autostart, deep links, pairing, cron, skills.

Architecture: Hexagonal (Ports & Adapters), MVVM, MediatR, MSIX x64 + ARM64.

AI-assisted

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>

… before buffering

- GatewayReceiveLoopHostedService: SendConnectRequestAsync now reads
  GatewayPassword() when no token is present and sends auth: { password }
  so password-auth gateways can accept the connection (P1 Codex review)
- GatewayCliClient.ReceiveFrameAsync: copy each received chunk into a new
  array before buffering; the reused receive buffer was overwritten on
  subsequent ReceiveAsync calls, corrupting fragmented frames (P2 Codex review)

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>

- WindowsNodeModeCoordinator: same password-auth fallback applied to the
  node connect handshake (P1 Codex review on second pass)
- GatewayReceiveLoopHostedService: remove diagnostic log that emitted the
  serialized connect frame, which includes token/password material (P2
  security finding Codex review)

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>

…p, csproj AnyCPU default

- OpenClawConfigFile.GatewayPassword() now reads ~/.openclaw/openclaw.json →
  gateway.auth.password first (mirrors ReadGatewayAuthToken), then falls back to
  gateway.remote.password — local password-auth gateways were silently broken
- GatewayReceiveLoopHostedService: call MarkDisconnected when socket drops from
  Connected state, not only from Connecting/Reconnecting — coordinator can now
  schedule a retry after an unexpected disconnection
- WindowsNodeModeCoordinator: remove diagnostic log that leaked connect frame
  (including auth material) at INFO level
- OpenClawWindows.csproj: default Platform to x64 when AnyCPU/unset so that
  bare "dotnet build/test" without -p:Platform works; ARM64 explicit builds unaffected

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>

…fallback and URI scheme

Auth centralization (Codex P1/P2):
- GatewayReceiveLoopHostedService and WindowsNodeModeCoordinator now resolve
  token/password from IGatewayEndpointStore.CurrentState instead of reading
  OpenClawConfigFile directly, picking up env-var overrides and local/remote
  precedence that the store already implements correctly
- GatewayEndpointStore.ResolveConfigToken returns null when gateway.auth.mode=password
  so callers naturally fall through to the password credential (Codex P2)

JsonSettingsRepositoryAdapter fixes (Codex GitHub bot P1 x2):
- LoadAsync in Remote mode now falls back to local file when gateway is offline
  instead of returning DefaultSettings(), preserving persisted mode/endpoint
  so the reconnect coordinator can continue retrying
- InjectTokenIntoUri preserves the original URI scheme (ws/wss) instead of
  hardcoding ws://, preventing silent TLS downgrade for wss endpoints

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>

…sts to temp dir

- GatewayReceiveLoopHostedService and WindowsNodeModeCoordinator now call
  RefreshAsync before reading CurrentState so a token/password rotation or
  auth.mode change is picked up on the next reconnect without requiring restart
- DpapiKeypairStorageAdapter gains an internal test constructor accepting an
  explicit storage path so the test suite never touches the real keypair.dpapi
  in %APPDATA%\OpenClaw — a crash or aborted run can no longer leave the
  developer's device unpaired
- DpapiKeypairStorageAdapterTests updated to use an isolated temp directory

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>

- NamedPipeExecApprovalAdapter: accept both `type` and `messageType`
  discriminators; unwrap `approved` from `payloadJson` envelope; loop
  to ensure full 4-byte length prefix is read
- GatewayReceiveLoopHostedService / WindowsNodeModeCoordinator: use
  RequireConfigAsync() instead of RefreshAsync()+CurrentState so SSH
  remote mode has credentials before sending the connect request;
  restore GatewayEndpointUri user-info token fallback for installs
  that embed the token in the URI
- GatewayReceiveLoopTests: update mock to RequireConfigAsync pattern
- windows-release.yml / windows-security.yml: fix oxfmt YAML format

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>

…rtup reconnect

- Encrypt RemoteToken/RemotePassword with DPAPI in settings.json (no plaintext)
- Restore credentials from local file after gateway config.get (not in gateway schema)
- Save locally before gateway write so credentials survive gateway failures
- DeepLinkHandler: persist RemoteTransport.Direct, token and password from deep link
- GatewayRemoteConfig: add HasRemoteSection to distinguish absent vs present-but-no-transport
- GatewayEndpointStore.SetModeAsync: transport fallback uses SSH when remote section present
  but no explicit transport; settings.RemoteTransport only when no remote section at all
- GatewayEndpointStore.ResolveEffectiveMode: only AppSettings.Remote overrides openclaw.json;
  Local does not downgrade an operator-configured remote mode; adds openclaw.json fallback
- GatewayConnectivityCoordinator.StartAsync: always call RefreshAsync so deep-link or
  UI-configured gateways reconnect after restart regardless of openclaw.json initial mode
- Fix flaky TalkModeControllerTests: replace Task.Delay with TCS for fire-and-forget sync

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>

- KickRemoteEnsureIfNeeded: use settings.RemoteTarget (SSH host/user)
  instead of RemoteUrl (WebSocket URL, used for direct transport only)
- GatewayUriNormalizer: use UriComponents.Port instead of IsDefaultPort
  to detect explicit port — IsDefaultPort is true for both absent and
  explicit :80 in .NET, causing valid ws://localhost:80 to be rewritten

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>

FIX-A: CanvasNavigateHandler — whitelist http/https only; reject file://,
       javascript:, data:, ftp:// from gateway-initiated canvas.navigate.
FIX-B: JsonExecApprovalsRepository — DPAPI-encrypt IPC token at rest;
       auto-migrate plaintext on next save (zero-downtime).
FIX-C: FileSystemDeepLinkKeyStore — DPAPI-encrypt persisted deeplink key;
       add SemaphoreSlim + volatile for thread-safe double-check locking.
FIX-D: NamedPipeExecApprovalAdapter — nonce cache (10 s TTL) to reject
       replayed HMAC-authenticated IPC requests.
FIX-E: GatewayTlsPinStore — mark _pins volatile to prevent stale-read
       in EnsureLoadedAsync without holding the lock.
FIX-G: DeepLinkHandler — replace DateTime _lastPromptAt with long +
       Interlocked.Read/Exchange (volatile is invalid for DateTime struct).
FIX-H: CanvasSchemeHandlerAdapter — 10 MB file-size guard before
       File.ReadAllBytes to prevent OOM on malicious large files.

Tests: +6 CanvasNavigateHandlerTests covering all invalid schemes.
All 2058 tests green (1 pre-existing skip).

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>

…ispatch

P1 — IRemoteTunnelService.ConnectAsync gains an explicit remotePort parameter so
the SSH -L forward uses the gateway port read from config (gateway.remote.url or
settings.RemoteUrl) instead of the hardcoded DefaultRemotePort=18789.
GatewayEndpointStore.KickRemoteEnsureIfNeeded derives the remote port via
ResolveRemoteGatewayPort, which checks the config URL first, then the settings
URL, then falls back to GatewayEnvironment.GatewayPort().

P2 — GatewayExecApprovalOrchestrator.ShowDialogOnUiThreadAsync captures the
TryEnqueue return value; if the dispatcher queue is unavailable or full the TCS
is resolved immediately as Deny so the gate semaphore is never permanently blocked.

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>

…ring TCS

P1 — ApplyConnectionModeHandler now derives the remote gateway port from
settings.RemoteUrl before calling ConnectAsync, so SSH mode tunnels to the
correct port (e.g. 443 for wss://) instead of always using 18789.
ResolveRemotePort parses the explicit port, falls back to the scheme default
(wss → 443, ws → 18789).

P2 — DevicePairingApprovalOrchestrator and NodePairingApprovalOrchestrator now
capture the TryEnqueue return value; if the dispatcher queue is unavailable or
full, the TCS is resolved immediately as PairingDecision.Later so
PresentNextLoopAsync is never permanently blocked and subsequent pairing requests
continue to be processed.

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>

…olve

CF-015 (P1): ResumeGatewayConnectionHandler never cleared the paused state set
by PauseGatewayConnectionHandler. Added GatewayConnection.MarkResumed() (Paused→
Connected) and inject GatewayConnection + ISettingsRepository into the resume
handler; clears IsPaused=false in settings and transitions the state machine so
the reconnect coordinator and WindowsNodeModeCoordinator stop gating on Paused.

CF-016 (P2): DevicePairingApprovalOrchestrator Approve/Reject branches removed
the request from _queue but did not call NotifyPendingChanged(). SystemTrayViewModel
watches IDevicePairingPendingMonitor.Changed for badge updates, so the pending
count stayed stale until an unrelated push event fired. Added NotifyPendingChanged()
immediately after each RemoveAll in the Approve and Reject cases.

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>

…ttribute check

CF-017 (P1): ApplyHelloOk looked for snapshot.sessiondefaults (all lowercase)
but gateway sends sessionDefaults (camelCase), so mainSessionKey was always
silently dropped and fell back to "main".

CF-018 (P1): BrowserProxyCommand hardcoded port 18789 for the control endpoint.
Now calls ResolveGatewayPort() which reads OPENCLAW_GATEWAY_PORT env var then
openclaw.json gateway.port, matching GatewayEnvironment.GatewayPort() behaviour.

CF-019 (P2): LoadProxyFiles filtered with HasFlag(Normal | Archive); Normal is
exclusive and never combined with other flags on Windows, so regular files
(typically Archive) were rejected. Now rejects only FileAttributes.Directory.

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>

… on remote load

CF-020 (P2): OpenChatAsync catch block wrote to C:\temp\openchat_error.txt;
that directory rarely exists so the recovery path itself threw DirectoryNotFoundException.
Replaced with Debug.WriteLine (best-effort, never throws).

CF-021 (P2): LoadAsync in remote mode merged RemoteToken/RemotePassword from local
JSON but dropped IsPaused, so pause-on-restart was silently ignored when config.get
succeeded. Now also copies IsPaused from local file.

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>

… honour IsPaused on reconnect

CF-022: GatewayConnectDeepLink.IsLoopbackHost no longer treats .local mDNS hosts as loopback.
ws:// deep links to *.local are rejected at parse time; GatewayUriNormalizer rejects them
downstream anyway, so accepting them created a broken saved config.

CF-023: ApplyConnectionModeHandler now injects IGatewayProcessManager and calls SetActive(true)
when switching to Local mode (unless paused), and SetActive(false) in Remote/Unconfigured branches.
Previously the Local branch never started the gateway process, leaving the app reconnecting to
ws://127.0.0.1:18789 with nothing listening until a manual restart.

CF-024: GatewayReconnectCoordinatorHostedService.ResolveEndpointAsync now returns null when
settings.IsPaused is true. On app restart the in-memory state is Disconnected (not Paused),
so the Paused state guard was ineffective; the persisted IsPaused flag is now the authoritative
source for post-restart pause durability.

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>

…overflow

CF-025: Remove the catch block from SaveToGatewayAsync so that config.get/config.set
failures (disconnect, auth error, hash conflict) propagate to SaveAsync callers. Previously
the catch swallowed every exception and returned success, silently losing remote settings
writes while the caller believed the save succeeded.

CF-026: Use long arithmetic in ComputeBackoffMs to prevent int overflow. With int
arithmetic, BaseDelayMs * (1 << attempt) overflows to a negative value after enough retries,
collapsing the capped backoff to the 500ms floor and causing a rapid reconnect storm during
prolonged outages. Caps the shift at 30 and uses long intermediates so the result is always
a non-negative value clamped by MaxDelayMs.

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>

CF-027: EvaluateExecRequestHandler now reads both the env field (used by the gateway's
node-invoke-system-run-approval.ts allowlist) and envOverrides (compat alias). Both are
merged — envOverrides wins on conflict — so environment variables injected by agents are
no longer silently dropped before policy evaluation and execution.

CF-028: RemoteTunnelManager.EnsureControlTunnelAsync now tracks the active tunnelEndpoint
and remotePort and only reuses the existing tunnel when both still match. Previously any
connected tunnel was reused regardless of configuration, causing traffic to stay pinned to
the old gateway after a host or port change until a manual restart.

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>

…equeues

CF-029: IShellExecutor.RunAsync now accepts optional cwd and env parameters.
ShellExecutorAdapter applies them to ProcessStartInfo (WorkingDirectory + Environment).
EvaluateExecRequestHandler passes the parsed cwd and sanitized env to RunAsync so
approved system.run commands run in the requested directory with the expected environment
instead of the app's default process context.

CF-030: NodePairingApprovalOrchestrator now calls NotifyPendingChanged() after every
dequeue in the present loop — Approve, Reject and Later branches. Previously all three
removed from _queue without notifying the monitor, leaving stale node-pair badge counts
until an unrelated pairing event triggered a refresh.

CF-031: DevicePairingApprovalOrchestrator now calls NotifyPendingChanged() when a
remote resolution removes a request from _queue. Previously only the local Approve/Reject
branches notified; remote resolutions left stale device-pair badge counts.

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>

…unnel endpoint

CF-032: GatewayRpcChannelAdapter.ExecApprovalResolveAsync sent { requestId, decision }
but the gateway schema expects { id, decision }. Every UI approval/deny failed server-side,
leaving approvals permanently pending.

CF-033: GatewayEndpointStore.KickRemoteEnsureIfNeeded built sshEndpoint from RemoteTarget
only, dropping RemoteIdentity. Remote setups using a non-default SSH identity file now
correctly compose the endpoint as identity@target, matching all other SSH connection paths.

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>

… mode switch; fix port precedence

CF-056: TryLoadFromGatewayAsync no longer deserializes the config.get payload as
AppSettingsDto. The gateway config uses the OpenClaw schema (agents/auth/commands/
gateway), not the AppSettings schema — deserialization produced all-defaults including
ConnectionMode.Unconfigured, which caused subsequent SaveAsync calls to persist a
defaulted settings file and wipe the user's remote configuration. The method now only
caches the hash for conflict detection; settings are always loaded from the local file.

CF-057: ApplyConnectionModeHandler no longer passes settings.IsPaused to
GatewayAutostartPolicy when switching to Local mode. IsPaused is remote-only; a
paused remote session was suppressing the local gateway start and leaving the app
disconnected until the user manually hit resume.

CF-058: ResolveRemotePort now tries settings.RemoteUrl before openclaw.json. When
invoked from SaveSettingsHandler the user's freshly saved URL must win over a stale
config-file entry. Config is the fallback for setups where the URL lives only in
openclaw.json and settings.RemoteUrl is empty.

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>

…only remote mode

CF-059: GatewayWebSocketAdapter now builds the Origin header from the WebSocket scheme
(wss → https, ws → http). The previous hardcoded http:// caused TLS deployments to
reject the handshake because the gateway origin check compares the full origin including
scheme, so https://<host> != http://<host>.

CF-060: WindowsGatewayProcessManager.SetActive now checks GatewayRemoteConfig.HasRemoteSection
in addition to settings.ConnectionMode == Remote. In config-only remote setups (gateway.remote
present in openclaw.json but ConnectionMode not yet persisted), the previous check missed the
remote mode, started a local gateway, and AutoResolveConnectionModeAsync subsequently flipped
ConnectionMode to Local, breaking remote-first installs.

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>

Windows PLATFORM_DEFAULTS only had SYSTEM_COMMANDS, blocking all
canvas.* invocations from the gateway before they reached the node.
Added CANVAS_COMMANDS to match macOS parity.

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>

This reverts commit 44b3e57.

NodeInvokeDispatcher was using FirstError.Description which is always
the ErrorOr default "A failure has occurred." for single-arg Error.Failure()
calls. Now uses "{Code}: {Description}" so both the machine-readable code
(e.g. "FFMPEG_NO_OUTPUT", "Video mux error: ...") and any human-readable
description are visible in logs and gateway responses.

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>