https://librefang.ai/feed.xml 2026-06-11T00:00:00Z LibreFang <noreply@librefang.ai> https://librefang.ai/changelog/#2026-6-11 2026-06-11T00:00:00Z

2026.6.11 — 2026-06-11

Documentation, maintenance, and other internal changes

### Maintenance - Bump @whiskeysockets/baileys from 6.7.21 to 6.7.22 in /packages/whatsapp-gateway (#6077) (@app/dependabot) - Bump @types/react from 19.2.16 to 19.2.17 in /web in the web-minor-patch group (#6079) (@app/dependabot) - Bump the dashboard-minor-patch group in /crates/librefang-api/dashboard with 3 updates (#6080) (@app/dependabot) - Free runner disk space before nix build (#6082) (@houko) - Free runner disk space before the unit-test build (fixes ENOSPC on main) (#6089) (@houko) ]]> https://librefang.ai/changelog/#2026-6-10 2026-06-10T00:00:00Z

2026.6.10 — 2026-06-10

preamble in history_fold summary parsing (#6009) (#6011) (@houko) - Redact images for text-only models via catalog supports_vision (#6010) (#6013) (@houko) - Assign approved workshop skill to the creating agent (#5989) (#6014) (@houko) - Cron enable/disable now PUTs with an {enabled} body instead of POSTing a PUT-only route (#6018) (@neo-wanderer) - Resolve channel_send mirror owner via bindings, not just default_agent (#6023) (@neo-wanderer) - Daemon_json surfaces error-less 4xx instead of silent success (#6019) (#6024) (@houko) - Stabilize non-headless Chrome startup under env isolation (#6028) (@app/copilot-swe-agent) - Explain empty sidecar form + warn on legacy [channels.*] config (#6030) (@houko) - Chrono_lite_date() returns wrong dates for most of the year (#6048) (@houko) - Quota/budget time windows compare RFC3339 text lexicographically, ignoring time-of-day (#6049) (@houko) - Unbounded Vec growth from attacker-controlled streamed tool-call index (OOM) (#6050) (@houko) - Self-referential $ref in a tool schema overflows the stack (DoS from untrusted MCP/skill schemas) (#6051) (@houko) - Redact_secrets leaks a real token that follows a short match (#6052) (@houko) - SSRF allowlist omits 0.0.0.0, CGNAT/Alibaba IMDS, 192.0.0.192, and AWS IMDS hostnames (#6053) (@houko) - Single-quote dotenv value panics credential resolution (#6054) (@houko) - WASM net_fetch follows redirects without per-hop SSRF re-validation (DNS-rebinding); misses Azure IMDS (#6055) (@houko) - TOML injection via unescaped system_prompt / name / tags in generated agent manifests (#6056) (@houko) - Unauthenticated pre-handshake read can pin a 16 MiB buffer (memory-exhaustion DoS) (#6057) (@houko) - Non-ASCII snippet offset misalignment; body cap not enforced on rendered bytes (#6058) (@houko) - Query-string injection via unescaped MiniMax task_id/file_id (#6059) (@houko) - Apply_patch files_moved counter incremented before the move write succeeds (#6060) (@houko) - Vault staging-file race across processes; OAuth deny hangs 5 minutes (#6061) (@houko) - Trim/prune drop in-memory entries even when the SQLite DELETE fails (#6062) (@houko) - Exec timeout leaks docker process; bind-mount validation never runs (#6063) (@houko) - Taint_scanning=false silently disables documented always-on credential key-name blocking (#6064) (@houko) - Auto-update script TOCTOU/symlink exec; skill-install path traversal (#6065) (@houko) - ClawHub/Skillhub zip install bypasses the supply-chain audit (.pth RCE) (#6066) (@houko) - Permission bridge serializes all sessions, dropping approval events on broadcast lag (#6067) (@houko) - Channel error truncation panics on multi-byte UTF-8 boundary (#6068) (@houko) - Sidecar stderr read is unbounded — same OOM vector already capped for stdout (#6069) (@houko) - Describe_event panics on multi-byte Custom payload; correct false test-env safety claim (#6070) (@houko) - Vault KDF uses volatile Argon2::default() while on-disk format stores no params (#6071) (@houko) - Allow unused_mut on chromium launch args off-Linux (#6072) (@houko) ### Changed - Split role-trait god-file into per-domain modules (#5970) (@houko) - Split the 14.6k-line main.rs into per-command modules (#5971) (@houko) - Derive task_claim retry budget from pool size (#5974) (@houko) - Split routes/agents.rs into per-concern modules (#5975) (@houko) - Split routes/workflows.rs into per-concern modules (#5985) (@houko) - Split routes/skills.rs into per-concern modules (#5986) (@houko) - Split routes/config.rs into per-concern modules (#5993) (@houko)

Documentation, maintenance, and other internal changes

### Documentation - Guard against editing a re-created worktree on a stale base (#6002) (@houko) ### Maintenance - Populate sessions.peer_id on save (#5286) (@f-liva) - Make required-status-checks enforceable — CI Gate, aarch64 lane, openapi-drift fix (#5943) (@houko) - Merge_group support (prereq for merge queue) [stacked on #5943] (#5944) (@houko) - Extract heartbeat de-dup transition into a testable helper (#5949) (@houko) - Faster + reliable docker dev iteration — mold linker + per-worktree target (#5952) (@houko) - Auto-commit regenerated codegen on same-repo PRs (#5994) (@houko) - Ignore skill scaffolder template TODOs (#5982, #5983) (#5995) (@houko) - Bump the cargo-minor-patch group with 11 updates (#6006) (@app/dependabot) - Bump the web-minor-patch group in /web with 9 updates (#6007) (@app/dependabot) - Bump the dashboard-minor-patch group in /crates/librefang-api/dashboard with 12 updates (#6008) (@app/dependabot) - Ignore .github self-scan that spawns false-positive issues (#6012) (@houko) - Bump the docs-minor-patch group in /docs with 6 updates (#6015) (@app/dependabot) - Bump next from 15.5.18 to 16.2.7 in /docs (#6016) (@app/dependabot)

]]> https://librefang.ai/changelog/#2026-5-31 2026-05-31T00:00:00Z

2026.5.31 — 2026-05-31

Documentation, maintenance, and other internal changes

### Maintenance - Regression test for #5857 Windows provider-key path validation (#5927) (@houko) - Skip deleted (410 Gone) issues in auto-close reconciler (#5933) (@houko) - Rustfmt knowledge.rs to unbreak main Quality (post #5767) (#5938) (@houko) ]]> https://librefang.ai/changelog/#2026-5-30 2026-05-30T00:00:00Z

2026.5.30 — 2026-05-30

Documentation, maintenance, and other internal changes

### Documentation - Fix three agent-facing architecture drift points (#5901) (@houko) ### Maintenance - Bump the docs-minor-patch group in /docs with 2 updates (#5847) (@app/dependabot) - Cargo fmt recently-merged code (repair main Quality fmt) (#5853) (@houko) - Fix Windows-only red in shell capability test (path-not-found wording) (#5854) (@houko) - Raise Test / Windows shard timeout 45 → 60 min to match macOS (#5856) (@houko) ]]> https://librefang.ai/changelog/#2026-5-28 2026-05-28T00:00:00Z

2026.5.28 — 2026-05-28

Documentation, maintenance, and other internal changes

### Maintenance - Bump the cargo-minor-patch group with 4 updates (#5748) (@app/dependabot) - Bump wasmtime from 44.0.1 to 45.0.0 (#5749) (@app/dependabot) - Bump sysinfo from 0.38.4 to 0.39.2 (#5750) (@app/dependabot) - Bump which from 7.0.3 to 8.0.2 (#5751) (@app/dependabot) - Bump tikv-jemallocator from 0.6.1 to 0.7.0 (#5752) (@app/dependabot) - Bump the actions-minor-patch group with 4 updates (#5790) (@app/dependabot) - Bump actions/setup-python from 5 to 6 (#5791) (@app/dependabot) - Bump the web-minor-patch group in /web with 3 updates (#5810) (@app/dependabot) - Bump the dashboard-minor-patch group in /crates/librefang-api/dashboard with 7 updates (#5811) (@app/dependabot) - Bump globals from 15.15.0 to 17.6.0 in /crates/librefang-api/dashboard (#5812) (@app/dependabot) - Docker fallback for `just release` when cargo is missing (#5825) (@houko) ]]> https://librefang.ai/changelog/#2026-5-25 2026-05-25T00:00:00Z

2026.5.25 — 2026-05-25

` instead of error-shaped not-found (#5487) (@houko) - Wake idle agent after approval resolve so the chat gets the result (#5488) (@houko) - Suppress redundant /approve|/reject ack on inline-keyboard tap (#5490) (@houko) - Route agent reply through channel after wake — fixes "tap Approve → silence" (#5491) (@houko) - Cargo fmt + regenerate sdk/ to repair main CI (Quality, OpenAPI Drift) (#5494) (@houko) - Log only email domain at INFO in OIDC auth_callback (#5504) (@houko) - Sanitize reserved channel names at every SenderContext ingress (#5506) (@houko) - Return path relative to home_dir, not absolute (#5509) (@houko) - Keyboard nav for NotificationCenter (WAI-ARIA Menu Button) (#5510) (@houko) - Record comms_send in hash-chained audit log (#5512) (@houko) - Reject empty code in OAuth callback before token exchange (#5515) (@houko) - SSRF-validate attachment URLs + DNS-rebind pin (#5517) (@houko) - Cap bulk-handler Vec::with_capacity to prevent DoS pre-allocation (#5520) (@houko) - Bound buckets map with hard cap + periodic sweep (#5522) (@houko) - Never log raw IdP token-endpoint response bodies (#5526) (@houko) - Detect partial-upgrade drift between migrations table and user_version pragma (#5528) (@houko) - Never silently default or fabricate from corrupt JSON-in-TEXT columns (#5532) (@houko) - Reclaim per-session bucket on session delete (#5534) (@houko) - Bound RoundRobin cursor with cycle-aware iteration (#5536) (@houko) - Restore main — rustfmt drift + 2 PR-only test failures (#5538) (@houko) - Release prune lock across try_summarize_trim().await; CAS on messages_generation (#5541) (@houko) - Validate provider name shape before deriving env var (#5542) (@houko) - Bijective SHA-256 agent_id suffix to stop container-name collisions (#5545) (@houko) - Hold ledger mutex across check + add (#5548) (@houko) - Validate tool args at boundary before forwarding to MCP server (#5550) (@houko) - Acquire per-agent semaphore in workflow send_message closure (#5554) (@houko) - Cap system_prompt size and lock down create-handler invariants (#5558) (@houko) - Allow zero spaces in attribution regex (#5560) (@houko) - Swap RefCell for parking_lot::Mutex to remove async borrow-panic footgun (#5563) (@houko) - Reject `..` per-segment in react_asset, not by substring (#5565) (@houko) - Switch useSessionStream to authenticated WebSocket (#5567) (@houko) - Make agent_concurrency_for entry construction atomic (#5569) (@houko) - Hash session tokens at rest in sessions.json — backup-snapshot replay resistance (#5571) (@houko) - #[serde(skip_serializing)] api_key + proxy_url (#5573) (@houko) - Escape translator HTML, route via (#5576) (@houko) - Canonicalize + containment-check source/target_dir (#5577) (@houko) - Warn at boot when declared provider API-key env vars are unset or empty (#5579) (@houko) - Gate X-Forwarded-Proto on trusted_proxies for session cookie Secure flag (#5581) (@houko) - Allowlist --network and --cap-add to prevent sandbox collapse (#5583) (@houko) - Install-deps program allowlist + flag denylist + Owner-only role (#5588) (@houko) - Warn on manifest swap when session_mode or max_concurrent_invocations changes (#5590) (@houko) - Remove partial identity files on write failure (#5592) (@houko) - Evict JWKS + discovery caches on external_auth hot-reload (#5594) (@houko) - Fail-closed when guard-bash-safety lib is missing (#5596) (@houko) - Rephrase strip_images placeholder so LLM does not deny image reception (#5597) (@DaBlitzStein) - Wrap connect_mcp_servers spawns in spawn_supervised (#5599) (@houko) - Hold Lane::Trigger permit across run_workflow spawn (#5602) (@houko) - Derive deterministic SessionId for New-mode fires (#5604) (@houko) - Align missed-fire log with single-catchup behaviour (#5606) (@houko) - Classify refresh failures, single-flight refresh, drop unwrap (#5609) (@houko) - Allow known framework source dirs, not just the librefang home (#5614) (@houko) - Backfill missing #[utoipa::path] handlers + regenerate openapi.json (#5620) (@houko) - API-surface hygiene — SPA route allowlist, registry id validation, auth/providers gating (#5638) (@houko) - Non-IdP external_auth edits are a no-op, not a restart (#5646) (@houko) - Propagate sender peer_id through remember_interaction_b… (#5647) (@Chukwuebuka-2003) - Persist /sync since_token across restarts (#5651) (@neo-wanderer) - External_auth IdP change is hot-reload, not restart (restore main) (#5652) (@houko) - Clear clippy Quality lane (needless borrow, doc indentation, manual char comparison, await-holding-lock) (#5654) (@houko) - Downgrade boot integrity-check failure to WARN (#5659) (@houko) - Migrate legacy shared-namespace row on fallback hit (#5660) (@houko) - Bound graceful shutdown so daemon.lock release isn't blocked by a hung phase (#5662) (@houko) - Plug data leaks, restore lost state, harden parsing (#5674) (@leszek3737) - Harden pre-commit + add detect-secrets CI workflow (#5681) (@houko) - CommsKeys hierarchy + TerminalTabs storage helper + Modal autoFocus (#5682) (@houko) - Soft-cap in-memory entries between trims at 1.5x max_in_memory_entries (#5683) (@houko) - Harden build.rs git/date invocation; document pnpm audit ignores (#5684) (@houko) - WARN when [agents..proactive_memory] appears in config.toml (real path is agent.toml) (#5687) (@houko) - Filter /commands dispatch by account_id (multi-bot isolation) (#5688) (@houko) - Widen exclusions, regenerate baseline, ignore generated_at drift (#5691) (@houko) - Update audit_retention_test for #5683 soft-cap drain (#5693) (@houko) - Strip line_number drift from detect-secrets baseline diff (#5695) (@houko) - Log bot_token fingerprint instead of full token (fixes #5543) (#5700) (@houko) - Replace removed `all-channels` feature with `telemetry` (#5702) (@houko) - Add provider_budget_routes_test to detect-secrets baseline (#5707) (@houko) - Regenerate SDKs for /api/budget/providers to repair main CI drift (#5709) (@houko) - Include sdk/python/librefang in flake source filter (#5714) (@houko) ### Changed - Unify error contracts — RFC + ToolError + first migration (#3576) (#5258) (@houko) - Extract shared helpers + WS client + test fakes (#5335) (@houko) - Return librefang-types IntegrationError from install_integration (stop leaking ExtensionResult) (#5622) (@houko) - Return types-owned outcome from install_integration (stop leaking InstallResult) (#5644) (@houko) - Widen ApiErrorResponse::internal_scrub sweep across routes (#5661) (@houko) ### Performance - Use count_sessions() on status + snapshot (audit: list-sessions-decode-on-poll) (#5326) (@houko) - Use list_arcs() in agent_budget_ranking (closes #5347) (#5348) (@houko) - Evict stale tool-call timestamps on push (closes #5362) (#5363) (@houko) - Rotate to next key on first RateLimit (closes #5373) (#5374) (@houko) - Tx-wrap recall access bump + batched IN hydrate (closes #5375) (#5376) (@houko) - Composite sessions(agent_id, updated_at) + audit_entries(agent_id, timestamp) indexes (#5399) (@houko) - Stream extract_text_content into a single String to avoid per-save Vec allocation (#5501) (@houko) - Offload SQLite insert+prune via spawn_blocking, counter-gate prune (#5524) (@houko) - Block_in_place for ImageFile reads (4 sites) (#5530) (@houko) - Memoize dashboard_snapshot_inner with 900ms TTL cache (#5552) (@houko) - Unblock axum executor on create_backup + persist_budget (spawn_blocking) (#5556) (@houko)

Documentation, maintenance, and other internal changes

### Documentation - Sidecar-first channel documentation (P6) (#5225) (@houko) - Import audit backlog (120 tracking items) (#5240) (@houko) - Fix stale telegram.rs reference in custom-channel example (#5248) (@houko) - Fill in [[sidecar_channels]] samples for all 27 adapters (#5464) (@houko) - Canonical config-reload field table derived from build_reload_plan (#5642) (@houko) ### Maintenance - Restore rustfmt-clean main (Quality CI gate) (#5222) (@houko) - Add Dockerfile.rust-dev with Tauri Linux GTK deps (#5233) (@houko) - Cross-impl protocol conformance corpus + versioned spec (v1) (#5237) (@houko) - Remove 6 low-value channel adapters (#5265) (@houko) - Drop per-merge auto-update trigger from auto-update-branches (#5266) (@houko) - Drop 12 unmaintained adapters (#5267) (@houko) - Bump the cargo-minor-patch group with 8 updates (#5269) (@app/dependabot) - Bump opentelemetry-otlp from 0.31.1 to 0.32.0 (#5270) (@app/dependabot) - Bump russh-keys from 0.45.0 to 0.49.2 (#5271) (@app/dependabot) - Bump shlex from 1.3.0 to 2.0.1 (#5272) (@app/dependabot) - Bump tracing-opentelemetry from 0.32.1 to 0.33.0 (#5273) (@app/dependabot) - Cargo fmt — fix rustfmt drift on main after channel-removal merges (#5274) (@houko) - Bump Apple-Actions/upload-testflight-build from 5.1.0 to 5.2.1 in the actions-minor-patch group (#5304) (@app/dependabot) - Pin silent_response markers against prompt-builder output (#5344) (@f-liva) - Drop pulldown-cmark workspace dep, orphaned by matrix sidecar #5368 (#5407) (@houko) - Pin SessionMode strict-variant deserialization (audit-disputed) (#5416) (@houko) - Bump the web-minor-patch group in /web with 9 updates (#5438) (@app/dependabot) - Bump the dashboard-minor-patch group in /crates/librefang-api/dashboard with 12 updates (#5440) (@app/dependabot) - 3 nits from post-merge audit (#5454) (@houko) - Remove dead in-process channel scaffolding (#5461) (@houko) - Delete dead per-channel REST endpoints + their helpers (#5463) (@houko) - Rephrase docstring "stub" mentions to stop bot false positives (#5467) (@houko) - Prune unused dependencies across the workspace (#5473) (@houko) - Clean up sidecar migration tails (#5479) (@houko) - Bump the docs-minor-patch group in /docs with 10 updates (#5493) (@app/dependabot) - Skip Cloudflare Pages deploy on Dependabot PRs (#5495) (@houko) - Run Coverage workflow on push:main only, not per-PR (#5496) (@houko) - Make the per-PR test lane Linux-only (#5498) (@houko) - Cover LIBREFANG_VAULT_KEY 32-ASCII-vs-32-bytes pitfall (#5611) (@houko) - Replace fixed 150ms sleeps with condition-based polling (#5613) (@houko) - Parallel semaphore-contention coverage for trigger concurrency caps (#5616) (@houko) - Assert every KernelConfig field is reload-classified + backfill (#5619) (@houko) - Replace unmaintained serde_yaml with serde_yaml_ng (RUSTSEC-2024-0320) (#5626) (@houko) - Full-router semantic tests for lifecycle routes (suspend/resume/mode) (#5628) (@houko) - Convert tools integration tests from mock to full router (#5630) (@houko) - Convert load_test from mock to full router (exercise real middleware) (#5632) (@houko) - Full-router semantic tests for files (path-traversal) + capabilities routes (#5634) (@houko) - Convert agent_identity_registry tests from mock to full router (#5636) (@houko) - Full-router semantic tests for clone/reload/push + bulk routes (#5640) (@houko) - Delete 65 audit docs whose GitHub issue is closed (#5670) (@houko) - Rename librefang-migrate → librefang-import + reconcile stale CLAUDE.md + justfile policy (#5668) (#5685) (@houko) ### Reverted - Roll back v2026.5.25-beta.13 / beta.14 version bumps to 2026.5.17-beta.12 (#5717) (@houko) ### Other - [Medium] Per-trigger `session_mode_override = New` is throttled by the manifest's `Persistent` clamp (#5624) (@houko)

## [Unreleased] ### Breaking Changes - **Subprocess plugin sandbox is now secure-by-default** (#2) (@houko). Hook subprocesses no longer get network or filesystem access unless the plugin opts in. `allow_network` and `allow_filesystem` in a plugin's `[hooks]` table now default to `false` (previously `true`); a plugin that needs outbound network or filesystem writes must declare `allow_network = true` / `allow_filesystem = true` in its `plugin.toml`. Existing plugins that relied on the old open-by-default behaviour will stop reaching the network / writing files after upgrade until they add these declarations. The `seccomp-sandbox` and `landlock-sandbox` features (Linux syscall + LSM filtering) are now enabled in the default feature set; they are no-ops on macOS / Windows. ### Changed - **refactor(subprocess): extract a shared `librefang-subprocess` transport; migrate the context-engine sidecar onto it** (@houko) — first step of unifying the three hand-rolled "persistent JSON-over-stdio subprocess" bridges (channels `SidecarAdapter`, `plugin_runtime::HookProcessPool`, `context_engine::SidecarContextEngine`), each of which re-implemented spawn + a background reply reader + id-matching + stderr draining + lifecycle, and had drifted apart (inconsistent reply-line caps, a missing write timeout in one, no exit signal in another). New low-level crate `crates/librefang-subprocess` owns that mechanism: `SubprocessTransport::spawn(TransportConfig)` + `request(json) -> Result`, with a bounded reply-line read (default 16 MiB), a timeout that bounds the write as well as the reply wait, stderr → log, a `subprocess_transport_exited` metric, and `kill_on_drop` reaping. It depends on no `librefang-*` crate so both `librefang-channels` and `librefang-runtime` can sit above it. `SidecarContextEngine` is migrated to it, shedding ~220 lines of duplicated transport for a thin policy wrapper; behaviour is unchanged (5 engine tests still pass through the new transport). The extraction also fixed a latent semantic bug carried over from the inline code: a dead child now surfaces as `TransportError::Dead`, distinct from a `{"error": …}` reply (`TransportError::Remote`), instead of conflating the two. `read_capped_line` and `write_line_timeout` are exposed as low-level primitives for the consumers whose protocol isn't id-matched request/reply. `plugin_runtime::HookProcessPool` is migrated onto them: its persistent `do_call` now reads through the bounded-line primitive and writes through the timeout-bounded one, gaining the reply-line cap and the per-call timeout it previously lacked (it accepted `timeout_secs` but never enforced it — 20 plugin-runtime tests still pass). The channels `SidecarAdapter` — event-stream rather than request/reply — reuses the bounded-line primitive for its inbound reader (previously read with an unbounded `lines()`), keeping its own event protocol and supervision/respawn loop; its 472 unit + 27 bridge-integration + 4 conformance-corpus tests pass. All three bridges now share the crate's line handling, so a transport-layer fix lands once: consistent reply-line caps, a write timeout on every consumer, and no unbounded inbound reads. - **context engine: the sidecar now auto-respawns instead of degrading until restart** (@houko) — builds on the shared transport above. `librefang-subprocess` gains `SupervisedTransport`, a lazy, self-respawning wrapper around `SubprocessTransport`: it spawns the child on first use and re-spawns it on the first call after a crash, rate-limited by a cooldown (default 5s) so a persistently-broken command can't spawn-storm. `SidecarContextEngine` uses it, so a crashed context sidecar degrades only the in-flight call to the built-in engine and recovers on a later turn — removing the documented v1 "dead until the daemon restarts" limitation. Construction is now infallible (lazy), so the engine no longer carries an `Option`. Covered by `supervised_respawns_after_child_exits` and `supervised_cooldown_blocks_respawn_storm`. - **memory: out-of-process extractor via the shared transport** (@houko) — a fourth consumer of `librefang-subprocess`, and the second "policy in a subprocess" extraction point. The `MemoryExtractor` trait already existed (the store holds `Arc`), so this adds `SidecarMemoryExtractor`, which implements it over `SupervisedTransport`. Unlike the context engine's `compact` (which must reuse the daemon's configured driver for cost/streaming/cache and so stays in Rust), memory extraction is a background, non-streaming, fire-and-forget task, so a sidecar is free to do it with its own LLM key, a cheap local model, embeddings, or heuristics. The sidecar returns *simple* memory items (`{content, category?, level?, metadata?}`) and the daemon assigns each a UUID + `created_at` and stamps `source = "sidecar"`; the SQLite store and the dedup decision (`decide_action`'s heuristic) stay in Rust. Selected via `[proactive_memory.extractor_sidecar]` (`command` / `args` / `request_timeout_secs`), which takes precedence over `extraction_model`; a down sidecar degrades to "nothing memorized this turn" and auto-respawns. A commandless `[extractor_sidecar]` table is treated as a misconfiguration — it is logged and ignored rather than spawning `""` on every turn, so extraction falls back to the built-in path; and because the sidecar bypasses the LLM extractor wholesale (including any per-agent `extraction_model` override), configuring both now emits a WARN naming which one wins. Ships a dependency-free Python reference (`docs/examples/memory_extractor_sidecar.py`). Covered by `extracts_via_sidecar`, `missing_sidecar_memorizes_nothing`, `empty_sidecar_command_is_ignored_and_falls_through_to_llm`, and `configured_sidecar_command_takes_precedence_over_llm`. - **BREAKING: rename crate `librefang-migrate` → `librefang-import`** (@houko) — the framework-import tool shared the word "migration" with `librefang-memory/src/migration.rs` (SQLite schema migrations), so grepping for "migration" returned the wrong file and forced every reader to disambiguate. The crate is renamed to `librefang-import`, which is what it actually does: import agents / memory / sessions / skills / channel configs from other frameworks (OpenClaw, OpenFang, LangChain, AutoGPT). Directory moved `crates/librefang-migrate/` → `crates/librefang-import/`; package name in `Cargo.toml` flipped; the three consumers (`librefang-api`, `librefang-cli`, `xtask`) updated to depend on `librefang-import` and reference `librefang_import::` in source. Public API (`MigrateSource`, `MigrateOptions`, `run_migration`, `report::MigrationReport`, `openclaw::*`, `openfang::*`) is preserved verbatim — only the crate name and import path change. The user-facing CLI command (`librefang migrate ...`) is unchanged. Workspace `members = [...]` and the doc references in `CLAUDE.md` / `AGENTS.md` / `CONTRIBUTING.md` / `README.md` + the 7 i18n READMEs (zh / es / fr / ko / de / ja / pl) also updated. **Operator action required**: out-of-tree consumers that declared `librefang-migrate = { path = "...", ... }` in their `Cargo.toml` must update both the dep name and any `use librefang_migrate::...` paths to `librefang_import`. Closes #5668. - **docs(claude-md): reconcile `crates/librefang-extensions/CLAUDE.md` and `crates/librefang-channels/CLAUDE.md` with current code** (@houko) — both files had drifted away from the live source; replaced with concise pointers to the top-level `CLAUDE.md` crate index so the stale prose can't mislead readers further. Closes #5668. - **build(justfile): make `justfile` the canonical developer entry point; delegate to `cargo xtask`** (@houko) — the `justfile` and `xtask/` overlapped on `setup` and several other recipes, with docs alternating between `just setup` and `cargo xtask setup` interchangeably. The rule is now documented at the top of `justfile`: `just` is the developer-facing surface, `xtask` is the underlying logic; recipes that duplicated logic now call `cargo xtask `. Closes #5668. - **docs(architecture): strengthen the sidecar-channels rationale against AI-codegen-era critique** (@houko) — the "Why" paragraph in `docs/architecture/sidecar-channels.md` had been leading with the contributor-ergonomics argument ("writable in ~40 lines of Python against a documented protocol"), which is a real benefit but no longer load-bearing on its own now that LLM-assisted Rust authoring has narrowed the practical gap between writing Python and writing Rust. Rewrote the top-of-doc rationale to lead with the three properties that survive when the language gap closes — crash isolation (an in-process panic ends the daemon, a sidecar crash is a `waitpid` event the supervisor restarts), supply-chain confinement (each of ~28 platform SDKs is its own sealed dependency tree, not part of the kernel binary's `cargo audit` surface), and the iteration loop (subprocess restart in seconds vs. `cargo build` + daemon restart that drops every active agent session) — and demoted the contributor-ergonomics benefit to a secondary effect. Added a new "Why subprocess, not in-process Rust?" section that addresses the AI-codegen counterargument head-on, plus an inline note that the wire protocol (see `sidecar-protocol.md`) is language-agnostic — a Rust sidecar SDK against the existing `conformance/sidecar/corpus/` is unblocked future work — so Python is the current first-party SDK out of migration friction, not architectural necessity. Also corrected the stale "~46 in-process Rust adapters that predate the policy are grandfathered and frozen" claim — `crates/librefang-channels/src/channels-allowlist.txt` now permits only the `sidecar` trampoline itself, the in-process set has been fully drained. No code changes; pure documentation. - **kernel(config-reload): non-IdP `external_auth` edits are a no-op, not a restart** — follow-up to #5652. #5652 cleared the main-CI red by gating #5619's backfill restart on `!external_auth_idp_changed(...)`, which left a non-IdP `external_auth` change (`session_ttl_secs`, `allowed_domains`, `redirect_url`, scopes, audience, `require_email_verified`) still classified as restart-required. But the OAuth layer reads every one of those live from the ArcSwap config on each request (`oauth.rs`: `config_ref()` / `config_snapshot()`), so the bare config swap already applies them on the next request — a restart was never needed, only over-conservative classification inherited from #5619's "RESTART when the live-read path can't be verified" default. The planner now records a no-op (`"external_auth config changed (effective on next request via config swap)"`) for those edits instead of telling the operator to restart; IdP-identity changes still queue `ReloadExternalAuth` (#5594) to evict the JWKS/discovery caches. Removed the now-dead `restart_if_changed(external_auth)` branch and moved the `classified_reload_fields()` entry into the hot-reload group. `test_external_auth_unrelated_field_does_not_evict_caches` extended to assert `!restart_required` + the no-op entry. `cargo test -p librefang-kernel --lib config_reload::` 40/40 (with the strengthened assertions), `cargo clippy -p librefang-kernel --lib -- -D warnings` + `cargo fmt --check` clean. Also refreshed the canonical ops table in `docs/operations/config-reload.md` — the `external_auth` row now reads **H/N** (was **R/H**), and the non-IdP prose reflects the live-read ArcSwap path instead of "no hot reapply path is wired, planner conservatively flags a restart". (@houko) ### Added - **kernel(triggers): `TaskClaimed` and `TaskCompleted` triggers gain an optional `creator_match` filter** (#5960) (@nevgenov), symmetrical to `TaskPosted`'s `assignee_match`, so an orchestrator can scope claim/completion notifications to tasks it originally posted instead of firing on every claim/completion system-wide. Accepts an agent UUID, display name, or `"self"`; absent (`#[serde(default)]`) it preserves the legacy fire-for-all behaviour and existing string-form triggers still parse. The original poster is threaded onto the `TaskClaimed` / `TaskCompleted` events from the task record. - **runtime(exec): opt-in `exec_policy.safe_bins_skip_approval` lets allowlist-mode `shell_exec` calls whose every base command is a declared `safe_bin` skip the approval prompt; default off preserves today's approve-every-shell posture** (#5962) (@jerrywang121). - **context engine: out-of-process `engine = "sidecar"`** — run the per-turn context **policy** (recall, window assembly, after-turn bookkeeping) in a subprocess of any language, keeping the **mechanism** it needs in Rust. The `ContextEngine` trait was already the right seam (`ingest` / `assemble` / `after_turn` / `bootstrap`); `SidecarContextEngine` implements it by delegating those async, non-LLM hooks to a child process over a newline-delimited JSON request/reply protocol, and wraps a built-in engine for the rest. LLM-bearing `compact` (its `Arc` can't cross a process boundary) and the cheap synchronous hooks (`truncate_tool_result`, `should_compress`, `update_model`, metrics) stay on the inner engine. Robustness is the headline: the context engine is on the per-turn critical path, so **every bridged call falls back to the built-in engine on any failure** — spawn failure, write error, request timeout, malformed reply, or a crashed process — and a flaky sidecar never breaks a turn. Configured via `[context_engine] engine = "sidecar"` + a `[context_engine.sidecar]` block (`command`, `args`, `request_timeout_secs`); the command is trusted operator config so its environment is inherited. Ships a dependency-free Python reference (`docs/examples/context_engine_sidecar.py`) and a protocol/design doc (`docs/architecture/sidecar-context-engine.md`). Tests cover an end-to-end `assemble` round-trip through a real subprocess and spawn-failure fallback. (@houko) - **skills: WASM skill runtime now executes in the existing `WasmSandbox`** — `SkillRuntime::Wasm` was a dead stub that returned `RuntimeNotAvailable("WASM skill runtime not yet implemented")`, even though the runtime already shipped a hardened `WasmSandbox` (capability gating, fuel/memory/wall-clock metering, denial-of-wallet host-call reservations from #3532 / #3864 / #3866). Wired the two together so a `[runtime] type = "wasm"` skill actually runs. Routing lives in `librefang-runtime` (`tool_runner/wasm_skill.rs`), not the skills loader: the sandbox and its `host_call` ABI need a `KernelHandle`, and `librefang-skills` must not depend on `librefang-runtime` (circular). The dispatcher branches on `runtime_type == Wasm` and calls `execute_wasm_skill`, which resolves the module path through the same `validate_script_path` containment guard the subprocess runtimes use (now `pub`), reads the `.wasm`/`.wat` bytes, maps the skill's declared `[requirements] capabilities` strings to `Capability` grants (fail-closed: an unrecognised string is logged and dropped, never granted), applies `requirements.timeout_secs`, and feeds the guest the same `{"tool", "input"[, "config"]}` envelope the Python/Node/Shell runtimes use so guest tool-dispatch is runtime-agnostic. Tests cover capability parsing (arg / no-arg / numeric variants and fail-closed garbage), an end-to-end echo module run through the sandbox, and path-traversal rejection. (@houko) - **skills: `librefang-skill` Rust SDK for authoring WASM skills** — new crate at `sdk/rust/librefang-skill` (its own workspace root, like the sidecar SDKs) that hides the raw sandbox guest ABI behind one `skill!(handler)` macro plus typed host-call wrappers, so a skill author writes a `fn(Request) -> Result` and nothing else. The macro emits the `alloc` / `execute` exports; `memory` is exported by the `wasm32-unknown-unknown` cdylib automatically. `Request` carries the `{tool, input, config}` envelope; a handler `Err` or malformed envelope surfaces to the agent as `{"error": ...}`. Host functions are exposed under `host::` (`time_now`, `fs_read`/`fs_write`/`fs_list`, `env_read`, `kv_get`/`kv_set`, `net_fetch`, `shell_exec`, `agent_send`, `agent_spawn`) with the capability and fuel cost of each documented; `host_call` / `log` are the escape hatches. The pointer marshaling is gated to `wasm32` while the envelope/pack/dispatch logic is target-agnostic and host-unit-tested (7 tests). Verified end-to-end: a real `cargo build --target wasm32-unknown-unknown` of an SDK-based skill emits a module importing exactly `librefang.host_call` / `librefang.host_log` (no WASI) and exporting `memory` / `alloc` / `execute` — the precise surface `WasmSandbox` instantiates. Ships with an `examples/echo.rs` and a README covering the `Cargo.toml` (`crate-type = ["cdylib"]`, `panic = "abort"`), build command, and matching `skill.toml`. (@houko) - **skills: WASM authoring is now first-class end to end (docs, CLI, example)** — supporting pieces so the WASM runtime is actually usable, not just present. (1) **Docs** (`docs/src/app/agent/skills/page.mdx` + zh): the WASM section described a `wasm32-wasi` + `_start` + stdin model that never matched the sandbox and would fail to instantiate (the sandbox provides only the `librefang` host imports, no WASI); rewritten to the real `librefang-skill` SDK flow — `wasm32-unknown-unknown`, the `skill!` macro, the `{tool, input, config}` envelope, the host-call capability/fuel table, and accurate sandbox limits. (2) **`librefang skill create`**: the scaffold hard-coded `entry = "src/main.py"` for every runtime and emitted a `// TODO` stub for anything non-Python; it now generates a correct per-runtime scaffold — for `wasm` a `cdylib` `Cargo.toml` (`librefang-skill` dep, `panic = "abort"`), a `src/lib.rs` with the `skill!` handler, the right `entry`, and the build/copy steps (the Node entry-path bug is fixed in passing). (3) **`librefang skill test`**: WASM skills now run in the real sandbox with no kernel (`execute_wasm_skill` is now `pub` and re-exported from `tool_runner`) — pure-compute tools run locally, capability-bearing host calls report an error rather than the previous "execution skipped". (4) **`publish.rs`**: a `.wasm` entry is now validated to start with the `\0asm` magic, catching an unbuilt placeholder or wrong path before publish; the manifest convention is `entry = "skill.wasm"` at the skill root (the packager excludes `target/`). (5) **Example**: new `examples/custom-skill-wasm/` (the WASM twin of `custom-skill-python`) — builds to a valid `wasm32-unknown-unknown` module verified to carry the `\0asm` magic. (6) **CI**: a path-gated `WASM Skill SDK` job fmt/clippy/tests the SDK and compiles the example for `wasm32-unknown-unknown`, so the SDK (an independent workspace the kernel lanes never build) can't silently drift from the sandbox guest ABI. (@houko) - **kernel(skills): `evolution_mode` (`free` / `controlled`) gates auto_evolve updates through approval + auto-assigns created skills to the creator** (#5844, #5819) (@DaBlitzStein) — `SkillWorkshopConfig` gains a per-agent `evolution_mode` knob (in `agent.toml` / `HAND.toml [agents.]`, never `config.toml`). `free` (default) preserves today's behavior: a reviewer `create` queues for human approval (#5800) while an `update` / `patch` to an already-approved skill applies directly. `controlled` routes every mutation — create, update, and patch — through the pending queue, so an LLM-proposed update now crosses the same `SkillVerifier` prompt-injection scan that `save_candidate` already runs for creates instead of riding the direct `evolution::update_skill` / `patch_skill` path. Pending drafts now carry a `kind` discriminator (`create` / `update`) plus `target_skill_id` / `current_version` / `proposed_version` so an update draft records what it replaces (the diff view itself is a later PR); old on-disk drafts still deserialize because every new field is `#[serde(default)]` and `kind` defaults to `create`. Approving a pending create auto-assigns the new skill to the creating agent's `manifest.skills` allowlist (idempotent; an empty all-skills allowlist is left untouched so it is never narrowed), so an allowlist agent can use the skill it created. Approving an update whose target skill was deleted between capture and approval returns `422 Unprocessable Entity` (`kind: "target_skill_missing"`) and keeps the pending file, instead of a misleading `409` rename-and-retry conflict. This is PR A of a series — the dashboard diff / "Available" UI and the "Propose to Registry" action land separately. - **memory: per-agent `[proactive_memory] extraction_model` override** — #5475. `ProactiveMemoryOverrides` (per-agent override block in `agent.toml`) previously exposed only the three boolean knobs (`enabled`, `auto_memorize`, `auto_retrieve`) that #4870/#4892 added; the LLM extraction model was global-only, so multi-provider deployments had to pick one extractor that may not be reachable from every agent's provider keys. Added `extraction_model: Option` to `ProactiveMemoryOverrides` with the same `provider/model` / `provider:model` / bare-name surface as the global field, plus a `resolve_extraction_model(global)` resolver. Plumbed through a new `CatalogQuery::proactive_memory_extraction_model_for(agent_id)` role-trait method (default returns `None`, real impl in `LibreFangKernel` looks up the agent registry then resolves agent-override → kernel-global → `None`) that `LlmMemoryExtractor::extract_memories_with_agent_id` consults at request-build time to swap the wire-level model name. Driver itself is reused from the boot-time extraction driver — full per-agent driver switching (cross-provider) is a follow-up, documented inline on the new field. Integration test (`crates/librefang-runtime/tests/proactive_memory_extraction_model_override.rs`) builds a stub `KernelHandle` + recording `LlmDriver` to assert: agent override wins over the boot-time model, missing override falls back, and the `provider/` / `provider:` prefix is stripped before the API request. `Copy` removed from `ProactiveMemoryOverrides` (now owns a `String`). Docs updated in `docs/src/app/configuration/page.mdx` under `[proactive_memory]` with a new "Per-agent overrides" subsection. (@houko) - **sdk(rust): first-party Rust sidecar adapter SDK at `sdk/rust/librefang-sidecar/`** (@houko) — pairs with `sdk/python/librefang/sidecar/`, both implementing the post-#5219 sidecar wire protocol. Same surface on both sides: `Content::*` builders for every `ChannelContent` variant; event builders (`events::ready`, `events::message` + `MessageBuilder`, `events::error`, `events::typing`, `events::qr_ready`, `events::qr_status`); typed inbound `Command` enum with `parse_command(&str)` parsing every variant (`send`, `ready_ack`, `shutdown`, `heartbeat`, `typing`, `reaction`, `interactive`, `stream_start` / `_delta` / `_end`, plus a `Command::Unknown` forward-compat envelope); `SidecarAdapter` async trait with `on_send` (required) and `on_command` / `produce` / `on_shutdown` defaults; `run_stdio(adapter)` driver that owns the stdin reader, stdout writer, `ready` re-announce handshake (bounded by `ready_max_attempts` so a pre-#5219 daemon without `ready_ack` doesn't get spammed), graceful shutdown, and routing; `run_stdio_main(schema_fn, build_fn)` one-stop `main` helper that serves the daemon's `--describe` discovery contract before constructing the adapter (builder returns `Result` so adapters whose `new()` validates required env vars can fail with a structured error instead of panicking before discovery can respond); `with_backoff` helper for platform reconnect (independent of daemon-managed process lifecycle); `Schema` / `Field` for `--describe` self-description payloads. Wire-equivalent with the Python SDK and the Rust supervisor's `SidecarEvent` / `SidecarCommand` — pinned by the shared `conformance/sidecar/corpus/` via `sdk/rust/librefang-sidecar/tests/conformance.rs` (13 tests: producer-side asserts every event builder reproduces its corpus frame, consumer-side asserts every command corpus parses into the expected typed `Command`; coverage guards refuse a corpus entry with no assertion on either side, mirroring the Python suite's `EVENT_PRODUCER_SKIP` discipline). Lives as its own independent cargo workspace at `sdk/rust/librefang-sidecar/` so it doesn't pull `librefang-channels` / `librefang-kernel` into adapter authors' dep trees and doesn't contend with the kernel's shared `target/`. `cargo test` → 16 unit + 13 conformance + 3 doc-tests pass; `cargo clippy --all-targets -- -D warnings` clean; `cargo fmt --check` clean (Linux container build via `Dockerfile.rust-dev`). Includes `examples/echo.rs` — minimal `SidecarAdapter` that echoes every `send` back as a synthetic inbound `message` (no platform integration, suitable as a smoke-test against the supervisor and as a template for new adapters). `docs/architecture/sidecar-protocol.md` lifted from "two independent implementations" to "three" (Rust supervisor + Python SDK + Rust SDK), with the conformance-pair table updated. `docs/architecture/sidecar-channels.md` "polyglot by design" paragraph dropped its "unblocked future work" hedge and now lists the two SDKs side-by-side with their respective trade-offs. - **docs(architecture): canonical references for the Rust sidecar SDK and the Rust Telegram adapter** (@houko) — the Rust sidecar SDK (#5821) and the Rust Telegram adapter (#5831) both shipped with crate-level READMEs but no entry under `docs/architecture/`, so a reader following the project's documentation convention (the same place `sidecar-channels.md` and `sidecar-protocol.md` live) had no landing page. Added `docs/architecture/rust-sidecar-sdk.md` covering the SDK's trait + type surface (`SidecarAdapter`, `Command`, `Content`, `MessageBuilder`, `Schema`), the `run_stdio_main(schema_fn, build_fn)` lazy-build pattern that lets `--describe` discovery succeed before required env vars are set, panic isolation, `with_backoff`, the conformance-corpus pinning, and the common pitfalls (spawned-future-outliving-produce, mutex-across-await, stdout-must-be-reserved, recoverable-vs-fatal-errors-in-produce). Added `docs/architecture/rust-telegram-sidecar.md` covering the adapter's five-layer architecture (`api/` → `format/` → `translator.rs` → `dispatcher.rs` → `adapter.rs`), the inbound/outbound dataflow, the Markdown → HTML → sanitised → UTF-16-chunked text-rendering pipeline (including the Private-Use-Area sentinel scheme that prevents inline-code placeholder collision and the tag-aware chunker that preserves `` attributes across chunk boundaries), the security model (`BotClient::redact`, allowlist-on-every-event-kind, MediaGroup-recursion-cap, strict FileData byte decode), the 429 retry shape with `MAX_RETRY_AFTER_SECS = 300` cap, and the three deliberate Python-parity divergences (`parse_command` UTF-16 vs whitespace split, MediaGroup > 10 chunked vs `ValueError`, `channel`-chat-type not treated as group). Updated `docs/architecture/sidecar-channels.md` and `docs/architecture/sidecar-protocol.md` to link to both new pages so the existing SDK-bullet readers can find them. Updated `sdk/rust/librefang-sidecar/README.md` and `sdk/rust/librefang-sidecar-telegram/README.md` to point at their respective canonical reference pages. - **channels(rust): first-party Rust Telegram sidecar adapter at `sdk/rust/librefang-sidecar-telegram/`** (@houko) — feature-parity port of `sdk/python/librefang/sidecar/adapters/telegram.py` written against the Rust `librefang-sidecar` SDK that merged in #5821. Capabilities declared: `typing`, `reaction`, `interactive`, `thread`, `streaming`. Bot API surface covered: `getUpdates` long-poll with exponential backoff + cancel-safe yields, `sendMessage` (Markdown → Telegram-HTML via a sanitiser that allowlist-checks tags / href schemes and balances unclosed tags + 4096-UTF-16-unit chunker), `editMessageText` (with plain-text fallback on "can't parse entities"), `deleteMessage`, `sendChatAction(typing)`, `setMessageReaction` (same emoji-translation map as Python — ⏳ → 👀, ⚙️ → ⚡, ✅ → 🎉 or cleared depending on `TELEGRAM_CLEAR_DONE_REACTION`, ❌ → 👎), `sendPhoto` / `sendDocument` / `sendVoice` / `sendAudio` / `sendVideo` / `sendAnimation` / `sendSticker` / `sendLocation` / `sendMediaGroup` (2–10 photos/videos) / `sendPoll` (quiz / regular with explanation) — all via Bot API URL pass-through. Inline file bytes (`Content::FileData`) detect Ogg/Opus magic and route to `sendVoice` else `sendDocument` via multi-part upload. Inbound translation: `text`, leading `bot_command` entity becomes `Content::Command{name,args}` (with `@botname` suffix stripped), photo → `Content::Image` (resolved via `getFile`), document → `Content::File` (with voice-extension auto-routing), audio / voice / animation / video / video_note → respective rich-content variants, location → `Content::Location`, sticker → `Content::Sticker{file_id}`, contact → text label, `callback_query` → `Content::ButtonCallback` with the originating `message_id` / `chat_id` in metadata, `poll_answer` → `Content::PollAnswer{poll_id, option_ids}`. Reply context: `[Replying to : ""]` prefixed onto text or image caption. Streaming: `StreamStart` sends a placeholder, `StreamDelta` accumulates and edits the same message debounced at 1 second, `StreamEnd` flushes. Access control via `ALLOWED_USERS` CSV of numeric user IDs or `@usernames` (case-insensitive, leading `@` optional; empty list ⇒ open). Schema served via `--describe`: `TELEGRAM_BOT_TOKEN` (secret, required), `ALLOWED_USERS` (list, advanced), `TELEGRAM_CLEAR_DONE_REACTION` (bool, advanced). HTTP via `reqwest` with `rustls-tls` (no system OpenSSL). Independent cargo workspace; no transitive into the kernel binary. `cargo test` → 19 unit tests pass (UTF-16 chunking, Markdown → HTML, sanitiser tag-allowlist + href safety + unclosed-tag balancing); `cargo clippy --all-targets -- -D warnings` clean; `cargo fmt --check` clean. Configure via a `[[sidecar_channels]]` block: `command = "/abs/path/to/target/release/librefang-sidecar-telegram"`, `[sidecar_channels.secrets] TELEGRAM_BOT_TOKEN = ""`. - **cli: restore `librefang channel` subcommand as a sidecar-only group** — #5463 deleted the entire `Commands::Channel(ChannelCommands)` group on the same "everything was broken anyway" theory that took out `ChannelsPage.tsx`. Same wrong call. Restored as four sidecar-aware subcommands driving the surviving daemon endpoints: (@houko) - `librefang channel list` → `GET /api/channels` → table (NAME, KIND, CONFIGURED, TOKEN, 24H MSGS). (@houko) - `librefang channel reload` → `POST /api/channels/reload` → hot-reload `[[sidecar_channels]]` from disk without a daemon restart. (@houko) - `librefang channel setup []` → schema-driven prompt against `GET /api/channels` (consumes the per-row `fields[]` describe schema); non-secret fields pre-fill from `f.value`, secret fields with `has_value=true` render `(set — leave blank to keep)` so an empty submission preserves the stored secret. POSTs to `POST /api/channels/sidecar/{name}/configure` and shows `restart_required` / `shadowed_secrets_warning` from the response. Without `` it shows an interactive picker over unconfigured rows. (@houko) - `librefang channel rm ` → strips the matching `[[sidecar_channels]]` entry from `~/.librefang/config.toml` via `toml_edit`, then best-effort hot-reload (warns + continues if no daemon is running, so the change still applies on next start). (@houko) Five `clap`-parse `assert!(matches!(...))` tests added covering `list`, `setup`, `setup `, `reload`, `rm `. The pre-#5463 `test` / `enable` / `disable` arms are **not** restored — sidecars surface their own health via stdout logs (no in-band `/test` endpoint), and the presence of the `[[sidecar_channels]]` block is the only on/off signal (`rm` is the replacement). (@houko) - **channels(rust): ship the `librefang-sidecar-telegram` binary in the platform release tarballs** (@houko) — #5936 follow-up to #5831, which shipped the adapter source but left operators to install a Rust toolchain and `cargo build` it themselves. The release pipeline (`release.yml` + its manual mirror `release-cli.yml`) now builds the sidecar for each channel-capable native target (macOS x86_64 / aarch64, linux-gnu x86_64 / aarch64, musl x86_64 / aarch64, Windows x86_64 / aarch64) and bundles the binary **inside** the existing per-target archive next to `librefang` — no new release assets, so the cosign `SHA256SUMS` manifest and `EXPECTED_PLATFORMS` count are unchanged. The Android and `mini` variants are deliberately skipped (neither carries channels). `librefang update` therefore lands the binary at `~/.librefang/bin/librefang-sidecar-telegram` (`.exe` on Windows), and the daemon auto-resolves it: a sidecar channel whose `command` is empty or the bare stem `librefang-sidecar-telegram` is resolved against the daemon's own executable directory, then `~/.librefang/bin/`, then PATH; an absolute / relative path or any other program (`python3 -m …`) is treated as explicit operator intent and passed through unchanged. `install.sh` / `install.ps1` install the bundled binary when present and stay silent on older tarballs that lack it. ### Fixed - **channels: the dashboard configure form is no longer empty for sidecar adapters when `librefang-sdk` is not pip-installed** (@houko). The Add-a-channel form is schema-driven off `python3 -m librefang.sidecar.adapters. --describe`, but the boot-time probe (`routes/sidecar_describe.rs::describe_sidecar`) spawned the interpreter without the binary-embedded SDK on `PYTHONPATH` — unlike the live channel-spawn path, which has injected the embedded copy since the SDK was bundled. So on a fresh host with only `python3` (no `pip install librefang-sdk`), `--describe` failed with `ModuleNotFoundError`, and every adapter without a hand-maintained `static_fields` fallback (telegram, ntfy, gotify, mastodon, …) rendered a blank configure drawer — even though the adapter source ships embedded in the daemon binary. `describe_sidecar` now injects the embedded SDK exactly like the spawn path (`librefang_channels::embedded_sdk::pythonpath_with_embedded`, now `pub`), so the probe succeeds with just `python3` on PATH and the dashboard gets each adapter's authoritative live schema with zero setup. `static_fields` drops back to a true last resort (no usable `python3`, or the embedded extract errored). First-party adapter `--describe` is dependency-free (stdlib + the embedded `librefang.sidecar` only — telegram talks to the Bot API over `urllib`), so no third-party install is needed to populate the form. - **channels(wechat): the dashboard QR code was not scannable for login — WeChat decoded it as plain text instead of a login prompt** (@houko). The WeChat sidecar's `_qr_login` encoded the iLink `qrcode` field into the dashboard QR canvas, but that field is only the opaque status-poll key; the payload the WeChat app actually decodes on scan is `qrcode_img_content`. The pre-migration in-process Rust adapter surfaced `qrcode_img_content` as the QR payload (the original fix in #1560 / #1572: "use iLink qr_url … so WeChat can recognise the scan"), but the sidecar migration (#5421) dropped that field and fell back to encoding the poll token, so scanning showed a meaningless string instead of logging in. `_qr_login` now encodes `qrcode_img_content` (falling back to the token with a WARN only if iLink ever omits it), while still polling status with the `qrcode` token. - **kernel(goal-runner): an active goal run could intermittently report `running: false` via `GET /api/goals/{id}/run`** (@houko). `GoalRunner::state()` snapshots the run with a non-blocking `try_lock()` (so an async HTTP handler never parks on a tick), and the route renders a `None` snapshot as `{"running": false}` — indistinguishable from "no run exists". The run loop, however, held that same `state` mutex across `persist_run()`, a synchronous SQLite write (plus a potentially-blocking connection-pool checkout). Under load a `GET /run` landing inside that write window lost the `try_lock` and surfaced a live run as not running — a dashboard `/run` poll would flicker "stopped", and the `goal_run_start_then_stop_with_agent` integration test flaked on it. The loop now updates the in-memory state under the lock, releases it, and persists the cloned snapshot outside the lock; `state` is written only by the single loop task, so the snapshot stays consistent. This shrinks the lock hold to a few synchronous field writes, so `try_lock` no longer realistically contends. - **channels: stop silently swallowing an upgraded operator's channel config, and explain why the WeChat/etc. configure form is empty** (@houko). After the channel → sidecar migration (#5317–#5459) the in-process `[channels.]` config blocks were removed from `ChannelsConfig`, so an operator upgrading from a pre-migration build lost every configured channel on first boot: the old block deserialised into nothing, the dashboard channels page (which only renders `configured` rows) showed the WeChat card vanishing, and the only signal was a generic "Unknown config field (ignored)" log that never mentioned sidecars. Re-adding the channel then failed just as quietly — the configure form is schema-driven off `python3 -m librefang.sidecar.adapters. --describe`, which fails when the Python sidecar SDK is not installed (and a pre-migration WeChat ran in-process Rust, so an upgrader never had it), leaving the Add-picker drawer blank with no inputs and no explanation. Two targeted fixes: (1) `KernelConfig::detect_legacy_channel_blocks` now flags pre-sidecar `[channels.]` tables at boot and on `POST /api/config/reload`, emitting an actionable WARN that points at `[[sidecar_channels]]` + `pip install librefang-sdk` instead of the generic unknown-field line (mirrors the #5476 `detect_misplaced_per_agent_overrides` pattern); a scalar typo under `[channels]` still falls through to the generic pass. (2) When `--describe` fails with no static fallback, the daemon now caches the actionable reason and rides it along as `schema_error` on the channel's discovery row, so the dashboard configure drawer shows "Setup form unavailable — install the sidecar SDK and reload" with the install hint instead of a blank form, and disables Save. Regression tests: `detect_legacy_channel_blocks_*` (librefang-types), `discovery_row_surfaces_schema_error_only_when_schema_missing` (librefang-api), and a `ChannelsPage` vitest case asserting the reason renders and Save is disabled. - **security(channels): propagate per-sidecar `account_id` so multi-bot Telegram isolation actually engages** (#5955) (@nevgenov). Multi-instance sidecar setups (several `[[sidecar_channels]]` of `channel_type = "telegram"`) regressed the #5688 per-bot isolation because the daemon never propagated the operator-known `SidecarChannelConfig::name` as `account_id`, leaving the #5688 guards as dead code for sidecars. Two manifestations, one root: the daemon registration hardcoded `account_id = None`, so every sidecar's `default_agent` collided on the bare `channel_defaults["telegram"]` key (last-booted bot answered in every bot); and the sidecar reader loop stamped `channel_id` / `platform` / `sender_username` into per-message metadata but never `account_id`, so `dispatch_message` always took the global `set_user_default` branch and a `/agent ` selection in bot-A leaked to bot-B for the same platform user. The registration now qualifies each sidecar under its own `name` (`channel_bridge.rs`), and the reader loop stamps `metadata["account_id"]` from the same adapter name via `entry().or_insert_with(...)` so an adapter that already supplies its own `account_id` (dingtalk / email / google_chat) is preserved (`sidecar.rs`). Registration key and resolution key now both derive from `SidecarChannelConfig::name`, so they line up. Regression tests: `router::tests::sidecar_default_does_not_collide_across_bots` (two sidecars register under distinct `telegram:` keys, no last-writer-wins collision) and `sidecar::tests::test_sidecar_stamps_account_id_from_adapter_name` (a real sidecar subprocess stamps `account_id` from the config name, not the `ready`-event account, and preserves an adapter-supplied one). - **runtime(history-fold): preserve omitted tool-result content instead of substituting an "unavailable" stub** (#5978) (@DaBlitzStein). The fold's apply loop discarded the real tool result in two cases — an id the model silently omitted from an otherwise-valid batch, and a response that could not be parsed as `[{id,summary}]` JSON at all (the latter was dumped verbatim over every stale block as a "bulk summary"). Either way a recalled memory tool result lost its content, the agent read it as "no answer yet", and re-issued `memory_recall` forever — an endless loop that drained tokens (verified live: a Moonshot/Kimi response that failed the JSON parse triggered exactly this). Both cases now keep each block's preview-truncated original content, breaking the loop while still bounding the folded size; the raw unparseable response is no longer applied as a bulk summary. - **runtime(loop_guard): a blocked tool call is a soft outcome, and a persistent block stall degrades to a real reply instead of silent death** (#5979) (@DaBlitzStein). When the loop guard blocked a repeated `(tool, params)` call it returned a result with status `Error`, a hard error that aborted the remaining tool batch and counted toward `MAX_CONSECUTIVE_ALL_FAILED`; three consecutive blocks (e.g. an agent re-issuing an identical `memory_recall`) then exited the streaming loop and recorded an agent panic instead of letting the model adjust. The block result is now `Skipped` (a soft status), so it no longer aborts the batch or trips the consecutive-all-failed exit — the block message still steers the model and the genuinely fatal runaway stays caught by the circuit breaker. Making the block soft alone was insufficient: a model that keeps re-issuing the blocked call now spins to `max_iterations` and the channel bridge sanitizes the resulting `MaxIterationsExceeded` into user-visible silence — no worse panic, but still no reply. Both agent loops (streaming and non-streaming) now detect a *block-only* iteration — every tool result a soft loop-guard block, no success, no hard error, no assistant prose — and after `block_stall_degrade_after` consecutive such iterations (new `AutonomousConfig.block_stall_degrade_after`, default `2`, `None`/`0` disables) force a single tools-stripped completion so the model is compelled to answer in prose. The user gets the model's best reply instead of silence; tool_use/tool_result pairing is preserved because the forced turn finalizes through the normal end-turn path. Tests: `tool_call::loop_guard_block_tests::{soft_block_counts_toward_soft_error_total, block_only_iteration_is_detected, a_success_alongside_a_block_is_not_block_only, a_hard_error_alongside_a_block_is_not_block_only, no_results_is_not_block_only, consecutive_block_only_reaches_degrade_threshold_then_resets_on_progress}`. - **kernel(triggers): the evaluator no longer self-deadlocks when a per-event trigger budget is exhausted** (#5977) (@DaBlitzStein). `evaluate_event` snapshots the registered-trigger count with a lock-free `ids.len()` before the match loop, instead of calling `self.triggers.len()` inside the loop's budget-exhausted `warn!` branch. `DashMap::len()` read-locks every shard, so calling it while a `self.triggers.get_mut(&id)` `RefMut` still held that shard's write-lock self-deadlocked the evaluator on a single thread the first time a high-fan-out event hit `max_triggers_per_event`. The bug had been live in `origin/main` since the per-trigger cooldown feature landed (2026-03-26). - **kernel(cron): day-of-week now follows the POSIX convention (`0` and `7` both mean Sunday)** instead of the `cron` crate's 1-7 mapping (#5966) (@DaBlitzStein). Sunday-only schedules like `0 16 * * 0` were previously rejected as unschedulable, and numeric weekday ranges such as `1-5` silently shifted by one day (firing Sun-Thu instead of Mon-Fri). The 5/6-field expression is now remapped at the single conversion site before it reaches the crate, so `0`/`7` resolve to Sunday and `1-5` fires Monday through Friday as written. - **runtime(web_fetch): strip credential headers across redirect-origin boundaries** — the manual per-hop redirect loop (`send_with_pinned_redirects`, introduced to close the DNS-rebinding TOCTOU window by re-pinning every hop) re-attached the caller's headers verbatim on every hop, including cross-origin 3xx targets. reqwest's built-in redirect machinery removes `Authorization` / `Cookie` / `Proxy-Authorization` when a redirect leaves the origin, but the hand-written loop bypassed that, so an attacker-controlled public host could `302 Location: https://attacker.example/` and harvest the caller's bearer token or session cookie. The loop now mirrors reqwest's `remove_sensitive_headers`: a `crosses_origin` check (scheme / host / port) latches a `credentials_stripped` flag the first time any hop leaves the original origin, after which the sensitive headers (`authorization`, `cookie`, `cookie2`, `proxy-authorization`, `www-authenticate`, case-insensitive) are never re-attached for the rest of the chain — same-origin hops keep them, non-sensitive caller headers always pass through. The fix lands in the shared helper, so both `web_fetch` and `web_fetch_to_file` are covered. New tests: `test_cross_host_redirect_strips_credentials`, `test_same_host_redirect_preserves_credentials`, `test_redirect_to_metadata_ip_blocked_on_later_hop`, plus unit coverage for the two helpers. (@houko) - **llm: retry transport-layer errors and make the retry count configurable (#10)** — the HTTP-API drivers' retry loop only covered server-side throttling (429 / 529 / 503); transport failures from `reqwest::send()` — connection refused, TLS record-layer alerts, read timeouts — returned immediately via `?` and never entered the loop, so a single network hiccup on the only configured provider failed the whole turn instead of being retried (the outer `FallbackChain` was the only safety net, useless in single-provider setups). Transport errors now go through the same attempt/backoff decision as a 429, via a new `backoff::transport_error_is_retryable` that classifies a `reqwest::Error` by its structured predicates (`is_timeout` / `is_connect` / `is_request`) with a substring fallback to the shared transient classifier; applied across anthropic, openai, gemini, bedrock, and vertex_ai (complete + stream). The retry cap, previously hard-coded to 3 in six hand-copied loops, is now configurable through `DriverConfig.max_retries` (serde default 3 — behaviour unchanged; 0 disables in-driver retries) and a per-provider `provider_max_retries` map in `config.toml` mirroring `provider_request_timeout_secs`, readable/writable via the API config surface and classified restart-required in the config-reload plan. (@houko) - **Plugin seccomp allowlist was missing glibc / language-runtime start-up syscalls** (`rseq`, `set_robust_list`, `rt_sigtimedwait`, `statx`, `sched_getaffinity`, …) (#2) (@houko). With `seccomp-sandbox` off by default the gap was never exercised; enabling it by default exposed that every hook subprocess was `SIGSYS`-killed before reading stdin (observed as "Broken pipe"). The allowlist now covers the universal start-up set on both x86_64 and aarch64. - **Plugin `unshare` namespace probe checked only `unshare --help`, not whether the kernel actually grants the namespace** (#2) (@houko). In unprivileged containers / hardened CI the binary exists but `CLONE_NEWNET` / `CLONE_NEWNS` returns EPERM, so wrapping a deny-network / deny-filesystem hook with `unshare` killed the child instead of failing open to the env-var / Landlock isolation. The probe now runs `unshare -- -- true` and only wraps when the namespace can be created — important now that deny-by-default is the default posture. - **security(approval): `trusted_senders` no longer waives approval for high-risk tools** — the trusted-sender escape hatch was all-or-nothing: any `user_id` in `trusted_senders` made `requires_approval_with_context` return `false` for *every* tool — including `shell_exec`, `file_write`, `agent_spawn`, and the rest — and made `is_tool_denied_with_context` bypass channel deny rules for all of them too, so a single trusted id silently disabled the entire approval gate. The trust bypass now applies only to tools below `High` risk (`ApprovalManager::classify_risk`): for high-risk and Critical tools the bypass is skipped, so a gate the operator already configured (via `require_approval` or a channel deny rule) stays in force even for a trusted sender. `classify_risk` is extended to classify the control-plane tools (`agent_spawn`, `agent_kill`, `config_set`, `kernel_reload`) as `Critical` alongside `shell_exec`, matching their blast radius; `RiskLevel` derives `Ord` so the gate can compare severities. Tests: `test_context_trusted_sender_bypasses_low_risk_only` (trusted + Critical/High still gated, trusted + low-risk still exempt, untrusted unaffected) and `test_context_trusted_sender_channel_deny_high_risk_still_enforced` (channel deny on a high-risk tool survives trust, deny on a low-risk tool is still bypassed). (@houko) - **test(runtime): fix a Windows-only failure in `tool_runner::tests::shell::test_capability_enforcement_allowed`** — the test resolves a path under a nonexistent intermediate directory and asserts the error reads as file-not-found rather than permission-denied, but its accepted-phrase OR-chain only covered the Unix wordings ("No such file", "does not exist", …). On Windows a missing intermediate directory surfaces as `ERROR_PATH_NOT_FOUND` (os error 3) — "The system cannot find the path specified" — which matched none of them, so the `Test / Windows` shard went red on `main` independent of any feature change. Added `cannot find` to the OR-chain, which covers both the path form (os error 3) and the file form `ERROR_FILE_NOT_FOUND` (os error 2, "cannot find the file specified"). Test-only; no production behaviour change. (@houko) - **memory: audit-sweep on the proactive-memory subsystem — 5 CRITICAL + 7 HIGH findings (#5839)** — closes a split-brain in `list()` / `get()` (now read from the semantic store directly; the best-effort KV `memory:*` mirror is deleted entirely so future divergence is structurally impossible); drops the silent raw-transcript fallback in `ProactiveMemory::add` when extraction yields no structured signal; honors per-row `metadata["confidence"]` on insert (the LLM extractor prompt now requests it explicitly, so `extraction_threshold` is finally live); reworks decay as `rate / boost` (cap MAX_BOOST=4) so popular memories decay slower but strictly monotonically (the previous formula clamped the post-boost product back to 1.0, freezing every `access_count >= 2` memory at confidence 1.0 forever); stamps `deleted_at` on every `forget*` path so the retention sweep can finally hard-delete user-/API-initiated soft-deletes (previously only TTL decay stamped it, so manual deletes leaked their embedding BLOB forever); gates 12 memory write endpoints (`POST /api/memory`, `PUT /api/memory/items/{id}`, `DELETE`, bulk-delete, reset, clear-level, consolidate, cleanup, export, import, decay, relations) through the namespace guard with proper `AuthDenied → 403` plumbing. Also tightens `duplicate_threshold` default 0.5 → 0.85 (mem0's near-duplicate cut-off) and the `decide_action` UPDATE thresholds 0.5/0.6 → 0.7/0.8 so a topically-related but semantically-different memory no longer silently UPDATEs over an existing row; bounds `format_context` at the new configurable `ProactiveMemoryConfig::format_context_max_chars` (default 8000 chars / ~2000 tokens) with a "[+N omitted]" footer; detaches the every-10-calls auto-consolidate to `tokio::spawn` (inside a `tracing::Instrument` span tagged `task = "auto_consolidate"`) so the agent's hot path no longer waits on an O(n²) merge plus SQLite tx; threads the new `duplicate_threshold` into the periodic `ConsolidationEngine` via a new `set_duplicate_threshold` setter on `MemorySubstrate`, wired from both kernel boot and the `UpdateProactiveMemory` hot-reload op so the global sweep and the per-agent on-demand consolidate agree; tightens LLM-extraction validation (4-char minimum content, allowlist-fuzzy-matched category with case + plural tolerance, MAX_MEMORIES_PER_EXTRACTION = 20 cap). Drive-by: collapsed a clippy::manual_option_zip in `kernel/background_lifecycle.rs:88` (failed workspace clippy gate). **Operator-facing behaviour changes worth noting on upgrade:** (1) Audit-log shape: requests authenticated by the root `api_key` now carry a synthetic Owner-equivalent `AuthenticatedApiUser{name: "root", user_id: ROOT_API_KEY_USER_ID}` instead of the previous "trusted but anonymous" `None`, so every audit row written through `record_with_context(..., api_user.user_id, ...)` (`budget.rs`, `audit.rs`, memory-route denials, etc.) stamps a `user_id` for root-key callers where it previously stamped null. Queries grouped by `user_id` will see a new "root" bucket appear after upgrade. The synthetic id is a constant UUID (`00000000-0000-0000-0000-72006f0074a0`) outside the `LIBREFANG_USER_NAMESPACE` v5 hash space, so a real `[users] name = "root"` entry in `config.toml` cannot collide with it. (2) `POST /api/memory` with content the extractor cannot parse no longer creates a row — pre-fix it silently captured the whole concatenated message transcript as a session memory with no category, which was the dominant source of `category=null` rows on the dashboard. Operators that legitimately need raw-content capture should use `ProactiveMemoryStore::add_with_level` (the trait-impl path explicitly stores raw content) instead of the `add` trait method. (@houko) - **ci(discussion-to-issue): repair the daily backfill — `gh api --jq` does not accept `jq`'s `--arg`** — #5753. The follow-up commit on #3938 switched the backfill category filter to `gh api "repos/${REPO}/discussions" --paginate --jq --arg cat "$CAT" '.[] | select(...)'` to avoid shell-interpolating `${CAT}` into the jq source. `gh api --jq` only takes a single bare filter string — it does NOT proxy `--arg` through to jq — so `gh` parsed the call as `--jq=--arg` followed by three extra positional arguments and rejected it before any HTTP request, with `accepts 1 arg(s), received 4`. Every daily run since #3938 merged on 2026-04-28 has been red (27 consecutive failures). Fix is to drop `gh api`'s `--jq` flag and pipe the raw JSON to standalone `jq`, which does support `--arg` — preserving the original commit's shell-injection hardening intent (no `${CAT}` interpolated into the jq source) while restoring a working invocation. (@houko) - **xtask(changelog): take only the trailing `(#N)` from each `git log` subject** (@houko) — `extract_pr_numbers` grepped every `#N` on a oneline subject, so an in-title cross-reference (an issue `fixes #5740`, a prior PR `post-#5053`, or a "part N of M" marker `(#2)`) was treated as its own PR and fed to `gh pr view`, pulling unrelated ancient or unmerged PRs into the generated release notes — a beta.15 changelog run spuriously resolved `#2`, `#6`, `#10`, and `#5053`. A GitHub squash merge always appends the PR reference as the last `(#N)` of the subject line, so the parser now keeps only the trailing match per line. The line-parsing logic is split into a pure `parse_pr_numbers` helper with unit coverage for trailing-ref capture, in-title cross-reference rejection, merge-commit subjects, no-ref lines, dedup/sort, and empty input. ### Changed - **ci: run the Coverage workflow on `push: main` only, not on every PR** — `coverage.yml` ran the full instrumented `cargo llvm-cov nextest --workspace` (~20-30 min) on every non-docs PR to produce a report-only LCOV artifact that gates no merge — and a *full* workspace run, where the per-PR `test-unit` / `test-ubuntu` lanes are selective, so for a typical small PR it was the single most expensive job in the pipeline. Dropped the `pull_request` trigger; coverage now runs on `push: main` (keeping the `paths-ignore` skip for non-runtime diffs) plus `workflow_dispatch` for ad-hoc runs. The main-branch series is all a report-only trend metric needs. (@houko) - **ci: PR test lane is Linux-only — macOS / Windows run on push to main** — `test-macos` and `test-windows` in `ci.yml` previously ran on every rust PR (selective, affected crates), spending a macOS runner (10× Linux cost) and a Windows runner (2×) on each one. Both are now gated to `push: main`, where the full sharded suite already runs — a platform regression turns main red and is caught before it spreads, while PRs pay only the Linux lanes (`test-unit`, `test-ubuntu`, `live-integration-smoke`). The now-dead per-shard selective-skip gate in `test-windows` and the selective `else` branches in both jobs are removed. `main` carries no required-status-check ruleset, so the skipped jobs cannot block a PR. (@houko) - **sidecar migration tails: openapi spec + 4 SDKs + dashboard generated.ts regenerated** — #5463 deleted the per-channel REST handlers but the openapi-drift bot never auto-regenerated, leaving `openapi.json` + the auto-generated SDKs documenting 8 dead paths (`/api/channels/{name}/configure` POST + DELETE, `/instances` + `/instances/{index}` GET / POST / PUT / DELETE, `/test`, `/whatsapp/qr/{start,status}`, `/wechat/qr/{start,status}`). Hand-removed those entries from `openapi.json`, added the missing `/api/channels/registry` declaration (live in the router since #5463 but never declared in the utoipa bundle), regenerated via `python3 scripts/codegen-sdks.py` so `sdk/python/librefang/librefang_client.py`, `sdk/go/librefang.go`, `sdk/javascript/index.js`, `sdk/rust/src/lib.rs` all lose the 10 dead methods (`testChannel` / `configureChannel` / `listChannelInstances` / `createChannelInstance` / `updateChannelInstanceHandler` / `deleteChannelInstance` / `wechatQrStart` / `wechatQrStatus` / `whatsappQrStart` / `whatsappQrStatus`) and gain `listChannelRegistry`. `crates/librefang-api/dashboard/openapi/generated.ts` regenerated from the same `openapi.json` via `npx openapi-typescript`. (@houko) - **sidecar migration tails: 22 docs (en + zh) rewritten to match post-sidecar reality** — every `[channels.]` config sample replaced with the equivalent `[[sidecar_channels]]` entry across `configuration/page.mdx`, `configuration/channels/page.mdx`, `integrations/channels/{core,enterprise,integrations}/page.mdx`, `getting-started/page.mdx`, `getting-started/examples/page.mdx`, `integrations/cli/commands/page.mdx`, `integrations/cli/examples/page.mdx`, `operations/faq/page.mdx`, and `integrations/channels/page.mdx` (en + zh mirrors). The Channel Overrides section in `configuration/channels/page.mdx` + `configuration/page.mdx` + `integrations/channels/page.mdx` gets a "legacy — removed" banner with a migration mapping table for every knob (`model` / `system_prompt` / `dm_policy` / `group_policy` / `rate_limit_*` / `output_format` / `disable_commands` / `allowed_commands` / `blocked_commands` / `threading` / `usage_footer` / `typing_mode` / `prefix_agent_name`); the deleted `[channels..overrides]` shape is kept for migration reference only. The CLI command reference page rebuilt to document the four restored `librefang channel` subcommands above. The API endpoint table in `integrations/api/page.mdx` trimmed to the four live channel endpoints (`/api/channels`, `/api/channels/registry`, `/api/channels/sidecar/{name}/configure`, `/api/channels/reload`); the 7 dead `/api/channels/{name}/…` + `/api/channels/{wechat,whatsapp}/qr/…` rows removed. (@houko) - **sidecar migration tails: test probe + 4 stale-macro comments cleaned** — `boot_fails_on_stale_channel_output_format_key` in `config_routes_integration.rs` rotated from `[channels.google_chat]` + `webhook_port = "eighty-eighty"` (google_chat migrated to sidecar, the block is now an unknown section and the test was passing for the wrong reason) to `[[sidecar_channels]]` + `restart_initial_backoff_ms = "eighty-eighty"` so the wrong-type-coerce probe actually exercises a typed field on a still-living config section. Stale `for_each_channel_field!` / `check_channel!` / `find_channel_info!` macro references in `channel_bridge.rs:2393`, `messaging.rs:383`, and `channel_sender.rs:1` / `:17` / `:367` / `:380` rewritten to drop the dead-macro tour and just describe what the code actually does. (@houko) - **dashboard: restore `pages/ChannelsPage.tsx` as a sidecar-only page** — #5463 deleted the page wholesale on the assumption that "every interactive path was broken anyway"; that was the wrong call. The page is back, slimmed from 1488 → 761 lines, and routes every interaction through the surviving endpoint contract: `useChannels()` reads `GET /api/channels`, `useReloadChannels()` triggers `POST /api/channels/reload`, and the schema-driven `SidecarForm` drawer (which #5463 had already added) saves through `useSaveSidecarConfig()` → `POST /api/channels/sidecar/{name}/configure`. `SidecarForm` is also wired up properly this time: non-secret fields pre-populate from `ChannelField.value` so re-configuring an existing channel shows the current values instead of a blank form, and secret fields with `has_value: true` render a `"•••• (set — leave blank to keep)"` placeholder so the operator can re-save without retyping the secret (server treats absent keys as "leave alone"). The `config_template` TOML snippet (emitted by the backend on each row) is surfaced inline under a `

` summary inside `SidecarForm` for ops who want to hand-edit `config.toml` instead of using the form. The `/channels` route is restored in `router.tsx`, the runtime-section nav entry + `Network` lucide import in `App.tsx`, the `n: { to: "/channels" }` vim shortcut in `useKeyboardShortcuts.ts`, the `channels` navigate-to entry in `CommandPalette.tsx`, and both `nav.channels` + a pruned 27-key `channels` namespace (down from 48 pre-#5463 — every key that drove a deleted endpoint or in-process-only feature is gone) in `locales/{en,zh}.json` — i18n-parity verified. `ChannelsPage.test.tsx` is rewritten to 386 lines / 11 cases covering the surviving flows: loading skeleton, empty-state CTA, configured-list render, search filter, picker drawer with unconfigured channels, picker → sidecar configure drawer swap, schema-driven Save dispatch → `useSaveSidecarConfig.mutate`, Reload header → `useReloadChannels.mutate`, **non-secret field pre-population from `f.value`**, **secret field "currently set" placeholder when `f.has_value`**, and **`config_template` `

` snippet inside the drawer**. The 13 instance / test / qr test cases from #5463-pre that drove deleted endpoints stay deleted. **No dead code is restored**: the 6 `Promise.reject` stubs (`testChannel` / `configureChannel` / `listChannelInstances` / `createChannelInstance` / `updateChannelInstance` / `deleteChannelInstance`), the `_channelEndpointGone` helper, the 4 dead QR helpers, the `ChannelInstance` / `ChannelInstancesResponse` / `QrStartResponse` / `QrStatusResponse` types, the 5 wrapper mutation hooks (`useConfigureChannel` / `useCreateChannelInstance` / `useUpdateChannelInstance` / `useDeleteChannelInstance` / `useTestChannel`), the `useChannelInstances` query + the `instances(name)` factory entry on `channelKeys`, and the typed-http-client re-exports of all of the above stay gone. The `ChannelField` + `config_template` are kept on `ChannelItem` because `SidecarForm` consumes them; the 7 in-process-era optional fields that #5463-pre's `ChannelItem` carried (`instance_count` / `difficulty` / `setup_time` / `quick_setup` / `setup_type` / `setup_steps` / `webhook_endpoint`) are dropped from the type — they were either never emitted post-migration (`webhook_endpoint`) or always degenerate values (`""` / `"sidecar"` / `0`) the page only rendered via dead conditional branches. The 1488-line page collapses to 761 by dropping the in-process-era `ChannelForm` / `InstancesDialog` / `QrLoginDialog` blocks wholesale, trimming `DetailsModal` to (status badge + `has_token` row + `Required Fields` checklist + read-only "manage via config.toml" note), removing the unreachable `!configured && config_template` branch on `DetailsModal` (the `config_template` surface lives inside `SidecarForm` instead), and dropping the qr / legacy branches in `handleCardConfigure` / `handlePick`. The four small `ChannelsPage`-referencing doc comments in `ProvidersPage.tsx`, `ProvidersPage.test.tsx`, `UsersPage.test.tsx`, and `DrawerPanel.test.tsx` are restored with corrected text — the cross-reference is valid again now that the page exists, and the references that pointed at deleted components (`ChannelsPage::ConfigDialog`) or fictional history ("tabs being retired") are rewritten. Dashboard `pnpm typecheck` clean; `npx vitest run src/pages/ChannelsPage.test.tsx` reports **11/11 passing**. (@houko) ### Removed - **BREAKING: delete dead `/api/channels/{name}/*` REST endpoints + their CLI / TUI surface** — per-channel-instance HTTP endpoints that all 404'd unconditionally after the in-process channel registry emptied: `GET /api/channels/{name}` (get_channel), `POST /api/channels/{name}/configure` (configure_channel), `DELETE /api/channels/{name}/configure` (remove_channel), `GET /api/channels/{name}/instances` (list_channel_instances), `POST same` (create_channel_instance), `PUT /api/channels/{name}/instances/{index}` (update_channel_instance_handler), `DELETE same` (delete_channel_instance), `POST /api/channels/{name}/test` (test_channel). Every handler started with `find_channel_meta(&name)?` which returned `None` since `CHANNEL_REGISTRY` is empty, producing a fall-through 404. The 9 handlers + 5 helper functions (`build_instance_fields_json`, `resolve_secret_env_overrides`, `canonical_json`, `instance_signature`, `read_disk_channels`, `PreparedWrite` / `prepare_fields_write` / `apply_secret_writes`, `send_channel_test_message`) + 2 type definitions (`ChannelMeta`, `ChannelField`) + 1 enum (`FieldType`) + 1 empty const (`CHANNEL_REGISTRY`) + 1 lookup (`find_channel_meta`) + 5 dispatchers (`is_channel_configured`, `webhook_route_suffix`, `webhook_endpoint_url`, `inject_callback_url`, `build_field_json`, `channel_config_values`, `channel_instance_count`, `channel_instances_serialized`) are gone. `list_channels` and `channels_snapshot` simplified to skip the empty-registry loop (they now serve sidecar rows exclusively via `sidecar_channel_rows` + `sidecar_discovery_rows`). The 9 supporting helpers in `routes/skills.rs` that powered the deleted handlers also go: `upsert_channel_config`, `remove_channel_config`, `build_channel_toml_table`, `append_channel_instance`, `update_channel_instance`, `remove_channel_instance`, `CHANNEL_AOT_CONFLICT_PREFIX`, `validate_env_var` (+ `DENIED_ENV_VARS` / `ENV_VALUE_MAX_LEN` constants), plus 16 unit tests covering them. The `test_channel_status_tests` + `instance_helper_tests` modules in `routes/channels.rs` are deleted entirely. **The CLI `librefang channel {list,setup,test,enable,disable}` subcommand group is also removed** — every wizard arm targeted an in-process adapter that had since migrated to a sidecar, and the wizard's fall-through arm already errored out for every supported channel; scripts that called these will now fail with `error: unrecognized subcommand 'channel'`. **The TUI `Channels` tab is also gone** — its `F8` / `Alt-8` shortcuts are retired and fall through to the default key handler rather than being silently swallowed; the screen module (`tui/screens/channels.rs`, 720 lines) + the `ChannelListLoaded` / `ChannelTestResult` events + the `spawn_fetch_channels` / `spawn_test_channel` helpers + the `handle_channel_action` dispatcher were all retired with it. **The dashboard SPA `ChannelsPage.tsx` (~1.5k lines) + its 524-line vitest file are deleted wholesale**, along with the `testChannel` / `configureChannel` / `listChannelInstances` / `createChannelInstance` / `updateChannelInstance` / `deleteChannelInstance` helpers in `api.ts`, the corresponding mutation/query hooks in `lib/mutations/channels.ts` + `lib/queries/channels.ts`, the `instances(name)` factory entry in `channelKeys`, the typed-http-client re-exports in `lib/http/client.ts`, the `ChannelField` / `ChannelInstance` / `ChannelInstancesResponse` / `QrStartResponse` / `QrStatusResponse` types, and the four `wechatQrStart` / `wechatQrStatus` / `whatsappQrStart` / `whatsappQrStatus` helpers (the matching daemon QR routes had already been removed when WhatsApp / WeChat migrated to sidecars). The `/channels` route + its `lazyWithReload` entry are stripped from `router.tsx`, the route-type union in `App.tsx`, the runtime-section nav entry (and now-unused `Network` lucide import), the `n: { to: "/channels" }` vim-style shortcut in `useKeyboardShortcuts.ts`, the `channels` command-palette navigate-to entry (the registry-browse entry that opens `librefang.ai/channels` in a new tab stays — it points at the public catalog, not the deleted dashboard route), and both `nav.channels` + the entire 48-key `channels` namespace from `locales/en.json` and `locales/zh.json` (i18n-parity script reports parity at 3445 keys). Stale `ChannelsPage`-references in `ProvidersPage.tsx`, `ProvidersPage.test.tsx`, `UsersPage.test.tsx`, and `DrawerPanel.test.tsx` doc comments are rewritten to drop the dead cross-reference. Dashboard typecheck (`pnpm typecheck`) clean; `pnpm test` 659/659 outside two pre-existing failure clusters in `ProvidersPage.test.tsx` (introduced by #5260's `useCredentialPools` without a matching mock update) and `ModelsPage.test.tsx` (zustand `persist` middleware hitting an unmocked jsdom `storage` shim) — both predate this PR and are tracked separately. The 4 surviving HTTP endpoints — `GET /api/channels` (list), `POST /api/channels/reload`, `GET /api/channels/registry` (now also declared in the utoipa bundle so it appears in the generated OpenAPI spec / SDKs), `POST /api/channels/sidecar/{name}/configure` — cover the post-migration dashboard contract. **Operator action required**: any custom integration that hit the deleted endpoints needs to switch to `POST /api/channels/sidecar/{name}/configure` for channel configuration; channel deletion happens by removing the corresponding `[[sidecar_channels]]` entry from `config.toml` then `POST /api/channels/reload`. Anyone scripted against `librefang channel …` should move to editing `[[sidecar_channels]]` directly + the sidecar configure REST endpoint. Net: **-6446 / +233 lines** across 27 files (Rust side: `routes/channels.rs` -1684, `routes/skills.rs` -934, `cli/main.rs` -302, `cli/tui/screens/channels.rs` -720, `cli/tui/mod.rs` -84, `cli/tui/event.rs` -95, `cli/tui/screens/mod.rs` +3, `openapi.rs` -5; dashboard side: `pages/ChannelsPage.tsx` -1488, `pages/ChannelsPage.test.tsx` -524, `api.ts` -156, `lib/mutations/channels.ts` -95, `lib/queries/channels.ts` -22, `lib/queries/keys.ts` -6, `lib/http/client.ts` -8, `App.tsx` -3, `router.tsx` -8, `components/ui/CommandPalette.tsx` -1, `lib/useKeyboardShortcuts.ts` -1, `locales/en.json` -51, `locales/zh.json` -51, and small comment fixups in 4 unrelated pages). Workspace `cargo check --workspace --lib` + `cargo clippy --workspace --all-targets -- -D warnings` clean; `cargo test -p librefang-api --lib` 653/653 (was 679 — 26 tests removed alongside the deleted helpers); `cargo test -p librefang-cli --lib` clean. (@houko) ### Changed - **chore(channels): remove dead in-process channel scaffolding** — every channel runs as a sidecar now (#5459 closed the migration with google_chat); the kernel-side scaffolding that gated in-process adapter dispatch has zero remaining consumers and is gone. Concretely: (1) **`for_each_channel_field!` macro** + its `#[macro_export]` + 3 invocation sites in `channel_sender.rs::resolve_channel_owner` / `messaging.rs::resolve_agent_home_channel` (rewritten to scan `cfg.sidecar_channels` directly) + the `for_each_channel_field_macro_uses_dictionary_order` test (witness pool empty), (2) `channel_bridge.rs::channel_overrides` body — the `find_channel_info!` macro never expanded; the function now returns `None` unconditionally (per-channel overrides only live on sidecar adapters via `agent_channel_overrides`), (3) `channel_bridge.rs::start_channel_bridge_with_config` — the `check_channel!` macro + `has_any` flag + 18 stale "X migrated to sidecar" comments collapsed; the function now early-returns when `cfg.sidecar_channels.is_empty()`, (4) `routes/channels.rs::instance_helper_tests` 4-test suite that broke at runtime after #5455 emptied `CHANNEL_REGISTRY` (their `find_channel_meta("webhook")` panicked because webhook had migrated; suite retired with the witness pool), (5) `OneOrMany` type + JSON-schema + serde impls + my own `OoMTestRow` regression tests from `librefang-types/src/config/serde_helpers.rs` — no production caller left after every `OneOrMany` channel field went away, (6) `ChannelsConfig` body comment-wall (18 redundant "X migrated to sidecar" doc comments — the type now only carries the 3 `file_download_*` / `file_upload_max_bytes` global file-transfer fields, summarised in one doc paragraph), (7) Cargo feature aliases gone from 5 manifests: `librefang-channels::all-channels` / `librefang-api::core-channels` + `all-channels` + `all-channels-no-email` + `mini` / `librefang-cli::all-channels` + `mini` + `android` / `librefang-desktop::all-channels` + `mini` + `mobile-no-email`. `librefang-cli::default` drops `librefang-api/core-channels` (now just `["telemetry"]`); `librefang-api::default` drops `core-channels` (now just `["telemetry"]`). `.github/workflows/mobile-smoke.yml` drops the `-f mobile-no-email` flag from the Android tauri build (rustls-platform-verifier's Android workaround is no longer needed — the IMAP/SMTP code path it gated runs out-of-process). `librefang-channels/src/lib.rs` top-of-file docstring rewritten to drop the "40+ pluggable messaging integrations" claim + the 18-line `// X migrated to sidecar` migration comment wall. Net: **-628 lines** across 13 files. No behaviour change — every removed symbol was either an unused macro / dead code path or a feature alias that had collapsed to `[]`. Workspace `cargo check --workspace --lib --tests` + `cargo clippy --workspace --all-targets -- -D warnings` clean; `cargo test -p librefang-types` 817/817, `-p librefang-api` 679/679 (4 previously-broken instance_helper_tests now properly retired), `-p librefang-kernel` 1079/1079. (@houko) ### Removed - **BREAKING: removed 6 low-value channel adapters** — `viber`, `messenger`, `nostr`, `discourse`, `mqtt`, `linkedin`. Full cascade: `src/.rs` deletions; `lib.rs` mods; `Cargo.toml` features in both `librefang-channels` and `librefang-api` (plus the `k256` / `rumqttc` optional deps that nostr / mqtt pulled in); the channels-allowlist entries (so `cargo xtask channel-policy` permanently blocks reintroduction); `Config` structs + `Default` impls; `channels.` fields in `ChannelsConfig` + its `Default`; the validation-hook env-var checks; `channel_bridge.rs` imports, spawn blocks, `find_channel_info!` / `check_channel!` macro arms, and default-empty test assertions; `routes/channels.rs` `ChannelMeta` entries plus the 4 match arms (`is_some` / serialize / `len` / `ser`); the `webhook_route_suffix` allowlist entries; `routes/config.rs` `ch!()` calls; kernel `channel_sender` `for_each_channel_field!` macro entries and expected-name list; CLI TUI `ChannelDef` entries; docs `[channels.X]` blocks in `configuration/page.mdx` / `configuration/channels/page.mdx` (en + zh) and the corresponding `integrations/channels/{social,integrations}/page.mdx` tutorial sections. **Operator action required**: an existing `[channels.viber]` / `[channels.messenger]` / `[channels.nostr]` / `[channels.discourse]` / `[channels.mqtt]` / `[channels.linkedin]` block is no longer recognised — remove it from `config.toml`. (@houko) - **BREAKING: drop 12 unmaintained in-process channel adapters** — `gitter`, `keybase`, `flock`, `pumble`, `revolt`, `guilded`, `mumble`, `xmpp`, `irc`, `threema`, `twist`, `voice` are removed wholesale: adapter modules under `crates/librefang-channels/src/`, the matching `[channels.]` config structs (`IrcConfig`, `XmppConfig`, `GitterConfig`, `KeybaseConfig`, `FlockConfig`, `PumbleConfig`, `RevoltConfig`, `GuildedConfig`, `MumbleConfig`, `ThreemaConfig`, `TwistConfig`, `VoiceConfig`), the per-channel `cargo` features (`channel-`, incl. removal from `all-channels` / `all-channels-no-email` / `mini`), the `channel_bridge` import/check/boot blocks, the kernel `for_each_channel_field!` macro entries, the API channel registry (`ChannelMeta` / `is_channel_configured` / `channel_config_values` / `channel_instance_count` / `channel_instances_serialized`), the CLI TUI `ChannelDef` rows, the `[channels.]` configuration docs (en + zh), and the dashboard i18n `fld_irc` entry. The 12 basenames are removed from `crates/librefang-channels/src/channels-allowlist.txt`, so the sidecar-first ratchet (`cargo xtask channel-policy`) now permanently rejects any attempt to reintroduce these adapters in-process. **Operator action required**: anyone setting `features = ["channel-"]` (any of the 12) in `Cargo.toml` or carrying a `[channels.]` block will fail to build / fail to deserialize on upgrade — pin a pre-removal release if you still need one of these in-process, or ship a sidecar adapter (see `docs/architecture/sidecar-channels.md` and the `librefang.sidecar` SDK examples under `sdk/python/`). The OpenClaw migrator (`librefang-migrate::openclaw`) now emits a warning instead of writing `[channels.irc]` when it encounters legacy IRC blocks. `voice` is removed because the standalone WebSocket STT/TTS channel was orthogonal to (and overlapped) the in-band audio transcription path that already lives in `librefang-runtime-media`; `xmpp` / `irc` users have migrated to Matrix and Discord respectively; the remaining nine adapters had effectively zero traction. (@vip) ### Changed - **Config samples now cover all 27 sidecar channel adapters.** `librefang.toml.example` and `crates/librefang-cli/templates/init_default_config.toml` previously sampled only 4 sidecars (telegram / discord / slack / wechat) — operators running `librefang init` or copy-pasting from the example file had no in-tree guidance for the other 23 (bluesky / dingtalk / email / feishu / google_chat / gotify / line / mastodon / matrix / mattermost / nextcloud / ntfy / qq / reddit / rocketchat / signal / teams / twitch / webex / webhook / wecom / whatsapp / zulip), even though they all shipped through the #5224 → #5459 migration project. Both files now carry a commented `[[sidecar_channels]]` block per adapter, generated from each adapter's own `SCHEMA` declaration via `python3 -m librefang.sidecar.adapters. --describe` so the sample can never silently drift from the env-var contract the adapter enforces at startup. Each block lists the required env vars verbatim from the SCHEMA + up to 2 commonly-tuned optionals as inline hints; the full inventory is one `--describe` away. The 4 pre-existing blocks were rewritten into the same generated format. Sanitisations applied during generation so the sample stays operator-useful: secret-type values render as `"..."` (the SCHEMA `placeholder` for secret fields is free-text dashboard prose — `"from Settings → Development → Your apps"`, `"(production should always set this)"` — that doesn't belong in a TOML literal) BUT the original hint is preserved as a trailing `# ` comment so semantic guidance like `TWITCH_OAUTH_TOKEN = "..." # oauth:abc123… (the prefix is auto-added)` isn't lost; text placeholders with `"` get backslash-escaped; descriptions split on `". "` (period + space) so "Rocket.Chat REST API" doesn't truncate to "Rocket"; the redundant "(out-of-process sidecar)" suffix is stripped from per-block headers since the section header already documents this for all 27 entries. Per-block migration warnings (`# Migrated from in-process to sidecar in #. Old [channels.] blocks are no longer recognised.`) ship for all 27 adapters so an operator upgrading a pre-migration config gets an explicit signal at the matching block rather than a parser error in isolation. Two adapters whose SCHEMA marks every env-var optional but which still require operator input to start (whatsapp — Cloud API vs Baileys gateway; wechat — pre-supplied token vs QR-login) carry a one-line "Requires EITHER / OR" hint above the env table. ntfy carries a one-line privacy note that `NTFY_SERVER_URL` defaults to the public ntfy.sh server unless overridden. The generic "Sidecar channel adapters (out-of-process, any language)" section in `librefang.toml.example` that documents the protocol-level meta-fields (`restart`, `restart_initial_backoff_ms`, `message_buffer`, `overflow`, …) now sits ABOVE the 27 per-adapter blocks so the operator reads the protocol context first, then the specific instances. The generator script ships at `scripts/gen_sidecar_samples.py` for future re-runs when a new sidecar lands or a SCHEMA rotates — invoke as `cd sdk/python && python3 ../../scripts/gen_sidecar_samples.py > /tmp/blocks.txt`, paste between the marker headers in both files, then `cargo xtask schema-check gen` to refresh `xtask/baselines/config.sha256`. Also drops the stale `[channels.whatsapp]` in-process snippet (`phone_number_id_env` / `access_token_env` fields no longer exist post-#5445). Verification: `tomllib.load()` on both files clean; `cargo xtask schema-check gen && check` baseline regenerated and matches. (@houko) - **BREAKING: Google Chat migrated from in-process Rust adapter to sidecar-only** — the in-process `librefang-channels::google_chat` adapter (`GoogleChatAdapter`, 818 lines: service-account JWT auth via RS256 (rsa + sha2 crates), `https://oauth2.googleapis.com/token` exchange with 5-minute refresh buffer + double-checked-locking token cache, `https://chat.googleapis.com/v1/{space}/messages` outbound (text only, 4096-char chunking), axum-mounted `/channels/google_chat/webhook` route on the shared API server, `MESSAGE`-only inbound filter, `space.name` allowlist via `GoogleChatConfig.space_ids`, `space.type != "DM"` group detection, `text.starts_with('/')` → `ChannelContent::Command` routing, multi-bot `account_id` metadata injection, `ALLOWED_TOKEN_URI_PREFIXES` SSRF allowlist on the `token_uri` field of the service-account JSON) is deleted along with the `[channels.google_chat]` config schema (`GoogleChatConfig` + `Default` impl), the `channel-google-chat` cargo feature in both `librefang-channels` and `librefang-api` (which collapses `all-channels` / `all-channels-no-email` / `mini` / `core-channels` to empty arrays — `webhook` migrated in #5455 was the only remaining sibling), the `rsa` optional dep in `librefang-channels/Cargo.toml` (no other in-process consumer left), the dashboard `ChannelMeta` descriptor + 4 match arms (`is_some` / serialize / `len` / `ser`) + the `webhook_route_suffix` `google_chat` entry, the kernel `channel_sender` `for_each_channel_field!` entry + `EXPECTED` name-list (now both empty — no in-process channels left), the config-validation env-var hook (`service_account_env` + `service_account_key_path` presence check), the `channel_bridge` `GoogleChatAdapter` import + builder block + `check_channel!` invocation + `find_channel_info!` match arm, and the route-handler 412/200 test witness pair (`missing_required_env_returns_412` + `credentials_present_no_target_returns_200`) — retired because the in-process witness pool of channels with a `required: true` secret env var is now empty (rotation history: matrix → whatsapp → google_chat). The `routes/channels.rs::instance_helper_tests` 4-test suite is also retired (witness pool empty — `webhook` is also a sidecar after #5455). `google_chat` is removed from `crates/librefang-channels/src/channels-allowlist.txt`, so `cargo xtask channel-policy` permanently rejects any attempt to reintroduce an in-process Google Chat adapter. `librefang-migrate`'s OpenClaw importer (both the typed `migrate_channels_from_openclaw` path and the loose-JSON `migrate_channels_from_json` path) records the legacy `[channels.google_chat]` block as a SkippedItem (same shape as Matrix / Feishu / Teams / WhatsApp / Webhook removals); the four channel-table helpers (`map_dm_policy`, `map_group_policy`, `build_channel_table`, `allow_from_to_toml_array`) that the in-process import paths used are all deleted with the Google Chat code path that was their last consumer. The CLI `librefang init ` wizard match collapses to a fall-through unknown-channel hint (`maybe_write_channel_config` / `notify_daemon_restart` also removed). Behaviour is preserved by the new reference sidecar `librefang.sidecar.adapters.google_chat` (ships in `librefang-sdk`; source at `sdk/python/librefang/sidecar/adapters/google_chat.py`, stdlib-only — `urllib.request` for REST + `BaseHTTPRequestHandler` over `HTTPServer` for inbound, no third-party deps): same service-account JWT auth path with an in-module PKCS#8 PEM parser + RSA modular-exponentiation signer + PKCS#1 v1.5 SHA-256 padding (`_parse_pkcs8_rsa_private_key`, `_pkcs1_sign_sha256`, `_sign_rs256_jwt` — covered by `test_jwt_signing_round_trip_against_test_pem`), same `ALLOWED_TOKEN_URI_PREFIXES` SSRF allowlist on `token_uri`, same `https://oauth2.googleapis.com/token` exchange with 5-minute refresh buffer cached in a `_TokenCache` (`threading.Lock`-backed, mirrors the Rust `Arc>`), same pre-supplied `access_token` fallback path (cached as `DEFAULT_TOKEN_LIFETIME_SECS`, no auto-refresh), same `https://chat.googleapis.com/v1/{space}/messages` outbound with 4096-char UTF-8-safe chunking, same `MESSAGE`-only / space-allowlist / DM-vs-group / `/cmd`-routing inbound semantics, same multi-bot `account_id` metadata injection (#5003). The in-process adapter mounted onto LibreFang's shared axum server at `/channels/google_chat/webhook`; the sidecar runs its own webhook server (configurable `GOOGLE_CHAT_WEBHOOK_PORT`, default `8090`) so the public URL operators register in the Google Cloud Console Bot configuration changes from `https:///channels/google_chat/webhook` to `https://:/webhook`. **Three improvements over the Rust adapter**: (1) **401 clears the cached token** — the Rust adapter cached the OAuth2 access token until its TTL expired and surfaced a generic `Google Chat API error 401` on stale-token failures, forcing the operator to wait out the cache. The sidecar's `_send_text` clears `_token_cache` on 401 so the next send re-runs the JWT auth path; (2) **`WEBHOOK_MAX_BODY_BYTES = 1 MiB` cap on the inbound webhook body** — Rust inherited axum's default `DefaultBodyLimit` (2 MiB); the sidecar's `HTTPServer` enforces 1 MiB at the handler before allocating the body buffer, rejecting a malicious `Content-Length: 10G` with 413 before any read; (3) **start-time PEM validation** — the Rust adapter deferred RSA private-key parsing until the first `_get_access_token` call (lazy), so an invalid PEM surfaced as a runtime error on the first outbound. The sidecar parses + caches the `(n, d)` tuple in `__init__`, raising `RuntimeError` at boot so misconfigured deployments fail-fast. **Operator action required**: an existing `[channels.google_chat]` block is no longer recognised — re-declare as `[[sidecar_channels]]` running `python3 -m librefang.sidecar.adapters.google_chat` with `GOOGLE_CHAT_SERVICE_ACCOUNT_JSON` (the **full JSON blob**, not a path — in `~/.librefang/secrets.env`), `GOOGLE_CHAT_WEBHOOK_PORT` (default `8090`, in `[sidecar_channels.env]`). Optional knobs: `GOOGLE_CHAT_SPACE_IDS` (CSV, e.g. `spaces/AAAA,spaces/BBBB`; empty = all spaces), `GOOGLE_CHAT_ACCOUNT_ID` (multi-bot routing — surfaces as `google_chat:` in `channel_defaults`), `GOOGLE_CHAT_API_BASE` (testing override). The Google Cloud Console Bot configuration messaging endpoint must be repointed to the sidecar URL. `ChannelType::Custom("google_chat")` is preserved via `channel_type = "google_chat"` on the sidecar entry so existing routing / `channel_role_mapping` keys that reference `google_chat` continue to resolve. After this PR there are **zero in-process channels** in the workspace — every channel runs as a sidecar. Verification: `cd sdk/python && pytest tests/test_google_chat_adapter.py` — **32 passed** (env enforcement (missing JSON / bad JSON / no auth path), pre-supplied access_token construction, JWT construction parses PEM into `(n, d)` tuple, CSV space-id parsing, account_id propagation, bad webhook port raises, JWT `token_uri` SSRF allowlist (rejects `attacker.example`), inbound parsing (plain text / slash command / DM `is_group=false` / threaded / non-MESSAGE / empty text / space allowlist filter / empty filter = all), UTF-8-safe `_split_message` (short / empty / byte-boundary / multibyte), outbound `_send_text` (endpoint / auth header / chunking / 401 clears cache), `on_send` dispatch (real `Send` dataclass: `channel_id` happy-path / `cmd.user.platform_id` fallback / empty channel drops / non-`spaces/` channel drops / empty text drops), JWT round-trip against a 2048-bit test key (header / claims / signature byte length), schema sanity (required `secret`-type service-account field, `advanced=true` on account_id)). (@houko) - **BREAKING: Webhook migrated from in-process Rust adapter to sidecar-only** — the in-process `librefang-channels::webhook` adapter (`WebhookAdapter`, 772 lines: HMAC-SHA256 signature verification on `X-Webhook-Signature: sha256=` with constant-time compare, optional `X-Webhook-Timestamp` replay-window check (±5 minutes), JSON inbound parsing for `{sender_id, sender_name, message, thread_id, is_group, metadata}`, slash-command routing on messages starting with `/`, outbound `POST {callback_url}` signed the same way with 65535-char chunking + 100ms inter-chunk delay, **SSRF guard** via `http_client::validate_url_for_fetch` (rejects private/loopback/link-local/multicast/cloud-metadata callback URLs at adapter construction), `deliver_only` mode that tags inbound with `__deliver_only__` + `__deliver_target__` metadata for the kernel's `bridge.rs:2845-2851` LLM-short-circuit routing) is deleted along with the `[channels.webhook]` config schema (`WebhookConfig`), the `channel-webhook` cargo feature in both `librefang-channels` and `librefang-api` (incl. its membership in `core-channels` / `all-channels` / `all-channels-no-email` / `mini` — `core-channels` collapses to `channel-google-chat` alone now), the dashboard `ChannelMeta` descriptor + 4 match arms (`is_some` / serialize / `len` / `ser`) + the `"webhook"` arm of `webhook_route_suffix`, the kernel `channel_sender` `for_each_channel_field!` entry + `EXPECTED` name-list, the config-validation hook (env-var presence + `deliver_only` needs `deliver`), the `channel_bridge` `WebhookAdapter` import + builder block + `check_channel!` invocation + `find_channel_info!` match arm, the route-handler 412/200 test witness (rotated `webhook` → `google_chat`), and the demo-only Python adapter that previously lived at `sdk/python/librefang/sidecar/adapters/webhook.py` (132 lines using a hand-rolled JSON-RPC protocol — replaced by the standard `SidecarAdapter`-framework port). `webhook` is removed from `crates/librefang-channels/src/channels-allowlist.txt`, so `cargo xtask channel-policy` permanently rejects any attempt to reintroduce an in-process webhook adapter. The `librefang-types` `mod.rs` test rotations move the OneOrMany + `deny_unknown_fields` (#5130) witnesses from WebhookConfig to GoogleChatConfig (the LAST remaining in-process channel) and McpServerConfigEntry respectively; the `librefang-api` `config_routes_integration` boot-fail test rotates `[channels.webhook] listen_port = "eighty-eighty"` → `[channels.google_chat] webhook_port = "eighty-eighty"` for the wrong-type-coerce probe. Behaviour is preserved by the new reference sidecar `librefang.sidecar.adapters.webhook` (ships in `librefang-sdk`; source at `sdk/python/librefang/sidecar/adapters/webhook.py`, stdlib-only — `BaseHTTPRequestHandler` over `ThreadingTCPServer` for inbound, `urllib.request` for outbound, no third-party deps): same HMAC-SHA256 verification with constant-time compare, same ±5-minute timestamp skew window for replay protection, same sig-only fallback (with a per-request WARN log) when the timestamp header is absent — backwards-compatible with clients that never sent it; PRESENT-but-malformed timestamp returns 400 to distinguish "client bug" from "attacker probing the bypass" (matches webhook.rs:295-310). Auth failures collapse to a single `Forbidden` response so an attacker can't probe which check failed. Same JSON inbound parse (`message` / `sender_id` / `sender_name` / `thread_id` / `is_group` / `metadata`, fallbacks `"webhook-user"` / `"Webhook User"` for missing identity fields, empty `message` drops with 200 OK so caller doesn't retry). Same slash-command routing (`/cmd args` → `Command`). Same outbound shape (`{sender_id: "librefang", sender_name: "LibreFang", recipient_id, recipient_name, message, timestamp}`), 65535-char chunking, 100 ms inter-chunk delay. Same SSRF guard — pure-Python port of `http_client::validate_url_for_fetch` covering IPv4 (`0/8`, `10/8`, `127/8`, `100.64/10`, `169.254/16`, `172.16/12`, `192.168/16`, `192.0.0/24`, multicast `224-239`, reserved `240-255`), IPv6 (loopback, link-local, site-local, multicast, unique-local, IPv4-mapped via `::ffff:` and NAT64 via `64:ff9b::`), and reserved hostnames (`localhost`, `localhost.`, `kubernetes.default.svc.cluster.local`). Same `deliver_only` metadata propagation (`__deliver_only__` + `__deliver_target__`) — kernel bridge routing is unchanged. Same multi-bot `account_id` injection (#5003). **Operator action required**: an existing `[channels.webhook]` block is no longer recognised — re-declare as `[[sidecar_channels]]` running `python3 -m librefang.sidecar.adapters.webhook` with `WEBHOOK_LISTEN_PORT` (in `[sidecar_channels.env]`) and `WEBHOOK_SECRET` (in `~/.librefang/secrets.env`). Optional knobs (all on the `[sidecar_channels.env]` block): `WEBHOOK_LISTEN_PATH` (default `/webhook`), `WEBHOOK_CALLBACK_URL` (optional outbound delivery, SSRF-guarded at startup AND on every send), `WEBHOOK_DELIVER_ONLY = "1"` + `WEBHOOK_DELIVER = "telegram"` for pass-through, `WEBHOOK_ACCOUNT_ID`. **Four improvements over the Rust adapter**: (1) **inbound dedupe on `platform_message_id`** — Rust assigned a fresh `wh-` ID on each emit and never deduped, so a misbehaving upstream that delivered twice would double-emit. Sidecar threads either the inbound's own `metadata.message_id` (when present) or a synthesised `wh--` ID through a bounded `SeenSet` (10000 cap / 5000 evict); the 8-char body-hash suffix prevents collisions between simultaneous deliveries at the same millisecond, which the Rust millisecond-only ID flattened together; (2) **429 `Retry-After` honoured** on outbound POSTs — Rust raised on first non-2xx (webhook.rs:476-480). Sidecar parses `Retry-After` (default 30 s, floor 1 s, cap 60 s), sleeps, retries, then logs-and-continues on the second 429 so a single throttled chunk doesn't drop the rest of a multi-chunk reply; (3) **explicit 30 s timeout** on every outbound POST — Rust relied on `reqwest`'s default; (4) **per-send SSRF re-check** — the Rust adapter validated the `callback_url` once at adapter construction; the sidecar re-checks before every POST so a config-reload that swapped the URL to a private host doesn't leak the signing secret to localhost. The `deliver_only` validation is also tighter: Rust warn-and-continued when `deliver_only=true` but `deliver` was unset (silent inbound drop at runtime); the sidecar fail-closes at startup with `SystemExit(2)`. Verification: `cd sdk/python && pytest tests/test_webhook_adapter.py` — **74 passed** (env handling incl. all SSRF-rejection paths (loopback IPv4 / RFC 1918 / link-local / CGN / multicast / IPv6 loopback + link-local + IPv4-mapped / reserved hostnames / non-http scheme), signature verify (valid / wrong key / wrong body / missing / empty / wrong prefix / short-length-mismatch), `parse_webhook_body` happy path + missing-message drop + default-sender fallback + non-string-field defaults + non-dict, `_verify_request` (valid sig with/without timestamp / missing sig 403 / empty sig 403 / malformed-timestamp 400 / stale-timestamp 403 / future-timestamp 403 / wrong-sig 403 / ±300 s skew boundary), `_handle_webhook_body` end-to-end (happy / slash-command with-and-without args / msg-ID dedupe / account_id injection / deliver_only metadata / is_group propagation / invalid sig 403 / malformed JSON 400 / empty message 200 / 10-minute-old replay 403), outbound (basic / chunking / no-callback log+drop / signature round-trip verifies / 429 retry / non-2xx raises / empty text drops), `on_send` dispatch (text / user.platform_id fallback / empty recipient drops / unsupported placeholder), schema + capabilities). (@houko) - **BREAKING: WhatsApp migrated from in-process Rust adapter to sidecar-only (dual-mode preserved)** — the in-process `librefang-channels::whatsapp` adapter (`WhatsAppAdapter`, 918 lines: Cloud API outbound to `graph.facebook.com/v17.0//messages` for text / audio / image / document / location, OpenSSL-backed Bearer auth, multipart media upload for raw voice bytes (`api_upload_media`), Web/QR gateway outbound proxy (`gateway_send_message` / `gateway_send_voice` to `{gateway_url}/message/{send,send-voice}`), DM / group policy filter (`should_handle_message` with `DmPolicy::{Respond,AllowedOnly,Ignore}` × `GroupPolicy::{All,MentionOnly,CommandsOnly,Ignore}`), `is_bot_mentioned` substring match against `bot_phone` (with / without `@` + `+` strip) and `bot_name`, sender allowlist by exact phone match, multi-bot `account_id` metadata) is deleted along with the `[channels.whatsapp]` config schema (`WhatsAppConfig` + `deny_unknown_fields`), the `channel-whatsapp` cargo feature in both `librefang-channels` and `librefang-api` (incl. its membership in `all-channels` / `all-channels-no-email` / `mini`), the dashboard `ChannelMeta` descriptor + 4 match arms (`is_some` / serialize / `len` / `ser`), the dashboard's custom `POST /channels/whatsapp/qr/start` + `GET /channels/whatsapp/qr/status` route pair (~210 lines incl. the `gateway_http_post` / `gateway_http_get` raw-TCP helper functions — the Baileys gateway when in use now exposes its own QR endpoint and the dashboard proxies it directly), the kernel `whatsapp_gateway.rs` module (`include_str!` of `packages/whatsapp-gateway/{index.js,package.json,scripts/postinstall.js}`, gateway-dir extraction, `npm install` orchestration, `node index.js` child-process supervisor with 5s / 10s / 20s restart backoff, `whatsapp_gateway_pid` field on `LibreFangKernel`, `whatsapp_pid()` accessor, shutdown SIGTERM / taskkill cleanup, and the `background_lifecycle` spawn block that auto-started it whenever `[channels.whatsapp]` was non-empty), the kernel `channel_sender` `for_each_channel_field!` entry + `EXPECTED` name-list, the config-validation env-var hook, the `channel_bridge` `WhatsAppAdapter` import + builder block + `check_channel!` invocation + `find_channel_info!` match arm, the CLI-TUI `ChannelDef`, the CLI `librefang channel setup whatsapp` wizard arm + status-table row, and the route-handler 412/200 test witness (rotated `whatsapp` → `google_chat`, which still ships in-process with a `required: true` secret env var). `whatsapp` is removed from `crates/librefang-channels/src/channels-allowlist.txt`, so `cargo xtask channel-policy` permanently rejects any attempt to reintroduce an in-process WhatsApp adapter. `librefang-migrate`'s OpenClaw importer (both the YAML + the JSON5 paths) now records the legacy `[channels.whatsapp]` block as a SkippedItem (same shape as IRC / Mattermost / Signal / Matrix / Feishu / Email / WeCom / WeChat / DingTalk / Teams removals); the `[channels.whatsapp]` round-trip channel-items count drops from 2 → 1. The `librefang-migrate` `openfang.rs` drift tests rotate `[channels.whatsapp]` → `[[mcp_servers]]` (the remaining `deny_unknown_fields` witness after WhatsAppConfig went away) and the `config_routes_integration` boot-fail test rotates to `[channels.webhook]` for the wrong-type-coerce probe. Behaviour is preserved by the new reference sidecar `librefang.sidecar.adapters.whatsapp` (ships in `librefang-sdk`; source at `sdk/python/librefang/sidecar/adapters/whatsapp.py`, stdlib-only — `urllib.request` for REST + `BaseHTTPRequestHandler` over `ThreadingTCPServer` for inbound, no third-party deps): same Cloud API outbound for text / audio (URL link) / image (link + caption) / document (link + filename) / location, same gateway outbound proxy with graceful-degradation per-content-type to text in Web mode (voice URL → `(Voice message: )`, image without caption → `(Image — not supported in Web mode)`, file → `(File: — not supported in Web mode)`), same 4096-char chunking, same DM × group policy filter logic with TOML-string-compatible policy names (`respond` / `allowed_only` / `ignore` × `all` / `mention_only` / `commands_only` / `ignore`), same bot-mention detection (phone with / without `@` + `+` strip, name substring, all case-insensitive), same allowlist semantics, same multi-bot `account_id` metadata injection (#5003). The shared `/channels/whatsapp/qr/*` routes are gone — the Baileys gateway (when still in use for Web/QR mode) is now operated as a separate `[[sidecar_channels]]` entry (or external service) and the kernel no longer embeds / auto-spawns the Node.js process. **Four improvements over the Rust adapter**: (1) **real Cloud API inbound webhook** — `WhatsAppAdapter::start()` at whatsapp.rs:454-483 was a `TODO` stub that logged "webhook ready" and never actually parsed incoming activities; operators wanting Cloud API inbound had to wire their own webhook → `/api/agents/{id}/message` forwarder. The sidecar implements the real handler: `GET {path}` returns `hub.challenge` for Meta's subscription confirmation when `hub.mode == "subscribe"` and `hub.verify_token` matches `WHATSAPP_VERIFY_TOKEN`; `POST {path}` verifies `X-Hub-Signature-256` against `HMAC-SHA256(WHATSAPP_APP_SECRET, raw_body)` (constant-time compare), then parses `entry[].changes[].value.messages[]` and emits text events through the standard sidecar protocol; (2) **inbound dedupe on `message.id`** — Meta retries on non-200, bounded `SeenSet` (10000 / evict 5000) keeps redeliveries from double-emitting; (3) **429 `Retry-After` honoured** on every outbound POST — Rust warned-and-failed on the first non-2xx (whatsapp.rs:373-377); (4) **explicit 30 s timeouts** on every REST call — Rust relied on `reqwest`'s defaults. **Operator action required**: an existing `[channels.whatsapp]` block is no longer recognised — re-declare as `[[sidecar_channels]]` running `python3 -m librefang.sidecar.adapters.whatsapp`. For **Cloud API mode**: `WHATSAPP_PHONE_NUMBER_ID` (in `[sidecar_channels.env]`) + `WHATSAPP_ACCESS_TOKEN` / `WHATSAPP_VERIFY_TOKEN` / `WHATSAPP_APP_SECRET` (in `~/.librefang/secrets.env`), optional `WHATSAPP_WEBHOOK_PORT` (default `8460`) / `WHATSAPP_WEBHOOK_PATH` (default `/webhook`). For **Web/QR mode**: `WHATSAPP_GATEWAY_URL = "http://localhost:3009"` (in `[sidecar_channels.env]`) and the Baileys gateway (`npx @librefang/whatsapp-gateway`) must be run separately — the kernel no longer auto-spawns it. Optional knobs in both modes: `WHATSAPP_ALLOWED_USERS` (csv), `WHATSAPP_ACCOUNT_ID`, `WHATSAPP_BOT_PHONE` / `WHATSAPP_BOT_NAME` (for `mention_only` group policy), `WHATSAPP_DM_POLICY` / `WHATSAPP_GROUP_POLICY`. `ChannelType::WhatsApp` is preserved via `channel_type = "whatsapp"` on the sidecar entry so existing routing / `channel_role_mapping` keys continue to resolve. Verification: `cd sdk/python && pytest tests/test_whatsapp_adapter.py` — **76 passed** (env handling + dual-mode construction (Cloud / gateway / missing-creds-fails-closed), CSV / path-normalize / lowercase-policy parsing, `X-Hub-Signature-256` verify (valid / wrong key / wrong body / missing / empty / wrong prefix / non-hex / empty digest), `is_bot_mentioned` (phone / `@`-prefix / name case-insensitive / no-match / empty-text), `should_handle_message` (DM × `respond` / `allowed_only` reject+accept / `allowed_only` empty-allowlist / `ignore`; group × `all` / `mention_only` reject+accept / `commands_only` reject+accept-with-leading-spaces / `ignore` / unknown policy fails-closed), `parse_cloud_api_message` (text / non-text dropped / empty text / missing field / phone fallback / multiple / account_id injection / non-dict / missing entry), `_handle_get_verify` (subscribe match / wrong token / wrong mode all-reject), `_handle_post_webhook` (signature disabled / valid / invalid 401 / malformed 400 / dedupe / DM policy applied), Cloud API outbound (basic text / chunking / 429 retry / non-2xx raises / empty drops / audio-link / image with-and-without caption / file / location), gateway outbound (text basic / chunks / non-2xx raises), `on_send` dispatch (cloud text / image / voice / file / location; gateway text / voice degrades / image uses caption / no caption placeholder; empty recipient drops; user.platform_id fallback), schema + capabilities). (@houko) - **BREAKING: Microsoft Teams migrated from in-process Rust adapter to sidecar-only** — the in-process `librefang-channels::teams` adapter (`TeamsAdapter`, 948 lines: Bot Framework v3 REST + axum-mounted `/channels/teams/webhook` route on the shared API server, OAuth2 client-credentials flow with 5-minute refresh buffer, `Authorization: HMAC ` HMAC-SHA256 verification on every inbound, Azure AD tenant allowlist via `channelData.tenant.id`, self-skip by `from.id == app_id`, `/cmd args` slash-command routing, group detection via `conversation.isGroup`) is deleted along with the `[channels.teams]` config schema (`TeamsConfig`), the `channel-teams` cargo feature in both `librefang-channels` and `librefang-api` (incl. its membership in `all-channels` / `all-channels-no-email` / `mini`), the dashboard `ChannelMeta` descriptor + 4 match arms (`is_some` / serialize / `len` / `ser`), the `webhook_route_suffix` `teams` entry, the kernel `channel_sender` `for_each_channel_field!` entry + `EXPECTED` name-list, the config-validation env-var hook, the `channel_bridge` `TeamsAdapter` import + builder block + `check_channel!` invocation + `find_channel_info!` match arm, and the route-handler 412/200 test witness (`Path("teams")` → `Path("whatsapp")`). `teams` is removed from `crates/librefang-channels/src/channels-allowlist.txt`, so `cargo xtask channel-policy` permanently rejects any attempt to reintroduce an in-process teams adapter. `librefang-migrate`'s OpenClaw importer (both YAML + JSON5 paths) now records the legacy `[channels.teams]` block as a SkippedItem (same shape as IRC / Mattermost / Signal / Matrix / Feishu / Email / WeCom / WeChat / DingTalk removals); the `[channels.teams]` round-trip channel-items count drops from 3 → 2. Behaviour is preserved by the new reference sidecar `librefang.sidecar.adapters.teams` (ships in `librefang-sdk`; source at `sdk/python/librefang/sidecar/adapters/teams.py`, stdlib-only — `urllib.request` for REST + `BaseHTTPRequestHandler` over `ThreadingTCPServer` for inbound, no third-party deps): same Bot Framework v3 inbound activity parsing, same HMAC-SHA256 verification of `Authorization: HMAC ` over the raw request body using the base64-decoded `TEAMS_SECURITY_TOKEN` (empty/non-base64 token → WARN + disabled), same OAuth2 client-credentials token cache with 5-minute refresh buffer (`POST {oauth_url}` with `grant_type=client_credentials` + `scope=https://api.botframework.com/.default`), same outbound `POST {service_url}/v3/conversations/{id}/activities` with `{type: "message", text: }`, same 4096-char chunking, same `from.id == app_id` self-skip, same `channelData.tenant.id` allowlist (empty = all), same `/cmd args` Command routing, same `conversation.isGroup` group detection, same multi-bot `account_id` metadata injection (#5003), same typing indicator via `{type: "typing"}` (declared `capabilities = ["typing"]` so the daemon routes `TypingCmd`). The in-process adapter mounted onto LibreFang's shared axum server at `/channels/teams/webhook`; the sidecar runs its own webhook server (configurable `TEAMS_WEBHOOK_PORT` / `TEAMS_WEBHOOK_PATH`, defaults `8459` / `/webhook`) so the public URL operators register in the Azure Bot Channel configuration changes from `https:///channels/teams/webhook` to `https://:`. **Four improvements over the Rust adapter**: (1) **per-conversation `service_url` reuse** — the Rust adapter stored the inbound `serviceUrl` in `metadata.serviceUrl` but never used it on outbound, so for tenant- / region-routed deployments where Microsoft assigns different service URLs per conversation, every reply silently landed on `DEFAULT_SERVICE_URL`. The sidecar caches the most recent `serviceUrl` per `conversation_id` and uses it on outbound; (2) **inbound dedupe on Activity ID** — Rust emitted every activity unconditionally and Bot Framework retries on non-2xx / timeout could double-emit. Bounded `SeenSet` (10000 cap / 5000 evict); (3) **429 `Retry-After` honoured** on every outbound POST — Rust warned-and-dropped (teams.rs:254-258); (4) **explicit 30 s timeout on every REST call** — Rust relied on `reqwest`'s default. **Operator action required**: an existing `[channels.teams]` block is no longer recognised — re-declare as `[[sidecar_channels]]` running `python3 -m librefang.sidecar.adapters.teams` with `TEAMS_APP_ID` + `TEAMS_WEBHOOK_PORT` (in `[sidecar_channels.env]`) and `TEAMS_APP_PASSWORD` + `TEAMS_SECURITY_TOKEN` (in `~/.librefang/secrets.env`). Optional knobs: `TEAMS_WEBHOOK_PATH` (default `/webhook`), `TEAMS_ALLOWED_TENANTS` (csv), `TEAMS_ACCOUNT_ID`. The Azure Bot Channel messaging endpoint must be repointed to the sidecar URL. `ChannelType::Teams` is preserved via `channel_type = "teams"` on the sidecar entry so existing routing / `channel_role_mapping` keys continue to resolve. Verification: `cd sdk/python && pytest tests/test_teams_adapter.py` — **64 passed** (env enforcement, HMAC-SHA256 signature verify (valid / wrong key / wrong body / missing / empty / wrong prefix / non-base64 / empty base64), `parse_teams_activity` (basic / self-skip / non-message / missing from / empty text / tenant accept+reject / tenant missing with allowlist / group / `/cmd` routing with-args + no-args / account_id injection / non-dict), `_handle_webhook_body` end-to-end (emit / bad sig 401 / missing auth 400 / verification-disabled accept / malformed JSON 400 / Activity-ID dedupe / per-conversation service_url cache / fallback to default), `_send_text` (basic / cached service_url / chunking / empty drop / empty conversation drop / 429 retry / 5xx warn+continue), OAuth token cache (caches across calls / non-2xx raises / missing access_token raises / default TTL on missing expires_in), `on_send` (basic / user.platform_id fallback / empty conversation drop / unsupported placeholder / empty text drop), typing (basic / swallows errors / empty conv skipped / on_command routes TypingCmd / on_command empty channel drops), schema + capabilities). (@houko) - **BREAKING: DingTalk migrated from in-process Rust adapter to sidecar-only, Stream mode only — Webhook mode is removed** — the in-process `librefang-channels::dingtalk` adapter (`DingTalkAdapter`, 1276 lines: dual `DingTalkReceiveMode` (`Stream` default + `Webhook` legacy); **Stream mode**: dynamic gateway registration via `POST https://api.dingtalk.com/v1.0/gateway/connections/open` returning per-connection `{endpoint, ticket}`, WebSocket to `wss://endpoint?ticket=` with strict `{code, headers, message, data}` ACK schema for every CALLBACK frame (no ACK → DingTalk redelivers), SYSTEM ping/pong heartbeat on application-level `headers.topic == "ping"` frames, per-message `sessionWebhook` URL extraction for replies; **Webhook mode**: HTTP POST callback server with HMAC-SHA256 signature verification computed as `HMAC_SHA256(secret, timestamp + "\n" + secret + body_bytes)` and ±5 minute replay window, outbound via `POST https://oapi.dingtalk.com/robot/send?access_token=×tamp=&sign=` with `HMAC_SHA256(secret, timestamp + "\n" + secret)` (body excluded, legacy quirk)) is deleted along with the `[channels.dingtalk]` config schema (`DingTalkConfig` + `DingTalkReceiveMode` enum), the `channel-dingtalk` cargo feature in both `librefang-channels` and `librefang-api` (incl. its membership in `all-channels` / `all-channels-no-email`), the dashboard `ChannelMeta` descriptor + 4 match arms (`is_some` / serialize / `len` / `ser`) + the `webhook_route_suffix` `dingtalk` entry, the CLI-TUI `ChannelDef`, the kernel `channel_sender` `for_each_channel_field!` entry + `EXPECTED` name-list, the config-validation env-var hook, and the `channel_bridge` adapter initialization (both Stream + Webhook arms) + `check_channel!` invocation + `find_channel_info!` match arm. `dingtalk` is removed from `crates/librefang-channels/src/channels-allowlist.txt`, so `cargo xtask channel-policy` permanently rejects any attempt to reintroduce an in-process dingtalk adapter. Behaviour is preserved for **Stream mode** by the new reference sidecar `librefang.sidecar.adapters.dingtalk` (ships in `librefang-sdk`; source at `sdk/python/librefang/sidecar/adapters/dingtalk.py`, stdlib-only — RFC 6455 WS client via the shared `librefang.sidecar.ws.WebSocketClient`, no third-party deps): same `POST /v1.0/gateway/connections/open` registration with `{clientId, clientSecret, subscriptions: [{type: "CALLBACK", topic: "/v1.0/im/bot/messages/get"}], ua: "librefang"}`, same `wss://endpoint?ticket=` connection (base64 ticket chars `+`/`=`/`/` percent-encoded via `urllib.parse.quote(safe='')`), same SYSTEM-ping pong with echoed `data` field + `messageId`, same CALLBACK frame parsing (frame `data` is a JSON-encoded string requiring nested `json.loads`), same strict `{code: 200, headers: {contentType, messageId}, message: "OK", data: "{\"response\": null}"}` ACK schema after every CALLBACK regardless of parse outcome, same `msgtype: "text"` filter (other types silently dropped), same `senderStaffId`/`senderId` fallback chain, same conversationType `"1"` (DM) / `"2"` (group) mapping, same `isInAtList` + `atUsers` non-empty mention detection, same slash-command parsing (`/cmd args` → `Command`), same per-message `sessionWebhook` URL extraction for replies, same 20000-char chunking via shared `split_message`, same 200 ms inter-chunk delay, same 3 → 60 s exponential reconnect backoff, same multi-bot `account_id` metadata injection (#5003). **Webhook mode is NOT ported** — both DingTalk modes were stdlib-compatible (HMAC-SHA256 in stdlib `hmac`), but Stream mode is the DingTalk-documented modern default (requires no public IP / port), simpler to operate, and a strict superset of Webhook for restricted-egress deployments. Operators on Webhook mode must re-create the robot in the DingTalk Open Platform with stream subscription enabled and migrate to the sidecar's stream credentials (`DINGTALK_APP_KEY` + `DINGTALK_APP_SECRET` instead of `DINGTALK_ACCESS_TOKEN` + `DINGTALK_SECRET`). **Four improvements over the Rust adapter**: (1) **inbound dedupe on `messageId`** — Rust emitted every CALLBACK unconditionally; on reconnect + platform redelivery the bot could re-emit. Sidecar threads `messageId` through `librefang.sidecar.common.SeenSet` (capacity 10000, evict 5000); (2) **heartbeat-and-send coexist on one socket via stdlib `queue.Queue`** — Rust used `tokio::mpsc` with a separate read/write split; sidecar drains a queue between `wait_readable` ticks. `on_send` is non-blocking; the WS thread drains the queue between heartbeat ticks and message reads, so a slow `sessionWebhook` POST never wedges inbound; (3) **429 `Retry-After` honoured on every outbound POST** — Rust had no 429 handling, so a throttled `sessionWebhook` reply burned the chunking delay or dropped the chunk. Sidecar parses `Retry-After` (default 30 s, floor 1 s, cap 60 s), sleeps, retries once, then logs-and-continues on the second 429 (same shape as #5303 across other sidecars); (4) **explicit 15 s `urlopen` timeout on every HTTP call** — Rust used `reqwest`'s `.timeout(Duration::from_secs(15))` only on gateway registration; the outbound `self.client.post` relied on the client default. Sidecar passes `timeout=15.0` on every call so a misbehaving `sessionWebhook` host can't hang the send loop. **Operator action required**: an existing `[channels.dingtalk]` block is no longer recognised — re-declare as `[[sidecar_channels]]` running `python3 -m librefang.sidecar.adapters.dingtalk` with `DINGTALK_APP_KEY` (in `[sidecar_channels.env]`) and `DINGTALK_APP_SECRET` (in `~/.librefang/secrets.env`); optional knobs are `DINGTALK_ALLOWED_USERS` (CSV staffId allowlist), `DINGTALK_ACCOUNT_ID`. See `sdk/python/librefang/sidecar/adapters/dingtalk.py` header for the exact config. `ChannelType::Custom("dingtalk")` is preserved via `channel_type = "dingtalk"` on the sidecar entry so existing routing / `channel_role_mapping` keys that reference `dingtalk` continue to resolve. Verification: `cd sdk/python && pytest tests/test_dingtalk_adapter.py` — **61 passed** (env enforcement, frame helpers (`_is_system_ping`, `_build_pong_frame`, `_build_callback_ack`), `parse_dingtalk_event` for text / group / slash command / non-text msgtype reject / data not-string / data unparseable / sender fallback / mention detection (`isInAtList` + `atUsers`) / allowlist accept+reject / account_id injection / message_id fallback chain / zero-expired-time omission, `_enqueue_text` (chunking / empty / no-session-webhook), `_mark_seen` (fresh + dedupe + empty), `on_send` (cached sessionWebhook lookup + eviction / user.session_webhook fallback / missing webhook drops / unsupported content placeholder / empty text drop), `_register_gateway` (happy + missing endpoint/ticket + non-200), and end-to-end `_run_session` via an in-memory WS fake (emit after parse / always ACK / pong / msgId dedupe / session_webhook caching / unknown frame types / send-queue drain). (@houko) - **BREAKING: WeChat (personal account via iLink) migrated from in-process Rust adapter to sidecar-only** — the in-process `librefang-channels::wechat` adapter (`WeChatAdapter`, 1122 lines: REST + long-poll over iLink with persistent `bot_token`, QR-code login flow (`GET /ilink/bot/get_bot_qrcode` + status poll), `POST /ilink/bot/getupdates` long-poll loop with 35 s server-held connections, `POST /ilink/bot/sendmessage` outbound with per-user `context_token` for reply association, `POST /ilink/bot/getconfig` typing-ticket refresh, 5 inbound item types (text / image / voice / file / video), bot-origin self-skip via `@im.bot` suffix, per-user reply-context cache, sender allowlist with exact-match) is deleted along with the `[channels.wechat]` config schema (`WeChatConfig`), the `channel-wechat` cargo feature (from both `librefang-channels` and `librefang-api`, incl. its membership in `all-channels` / `all-channels-no-email`), the dashboard `ChannelMeta` + 4 match arms (`is_some` / serialize / `len` / `ser`), the two custom QR-flow routes (`POST /channels/wechat/qr/start` + `GET /channels/wechat/qr/status`, ~150 lines of QR-state handler), the kernel `channel_sender` `for_each_channel_field!` entry + `EXPECTED` name-list, the `channel_bridge` `WeChatAdapter` import + builder loop, the CLI init-template `[channels.wechat]` block, and the round-trip skill-config test witness (`[channels.wechat]` → `[channels.whatsapp]`). `wechat` is removed from `crates/librefang-channels/src/channels-allowlist.txt`, so `cargo xtask channel-policy` permanently rejects any attempt to reintroduce an in-process wechat adapter. Behaviour is preserved by the new reference sidecar `librefang.sidecar.adapters.wechat` (ships in `librefang-sdk`; source at `sdk/python/librefang/sidecar/adapters/wechat.py`, stdlib-only — `urllib.request` for REST, no third-party deps): same `ilinkai.weixin.qq.com` endpoint, same QR-code login flow (driven by the sidecar itself — QR string logged at INFO for operators to scan from the WeChat app; the dashboard reads it back from sidecar logs), same long-poll cadence with the server-supplied `longpolling_timeout_ms` hint, same `context_token` per-user reply-association cache, same 4096-char chunking, same 5-item-type inbound parsing (text / image / voice / file / video), same allowlist semantics (exact user_id match), same `@im.bot`-suffix self-skip, same multi-bot `account_id` metadata injection (#5003), same persistent `WECHAT_BOT_TOKEN` env-var override to skip the QR flow on restart, same outbound-media degradation (image / file / voice / video send a "[Unsupported content type]" placeholder — the in-process adapter never wired media upload either). **Improvements over the Rust adapter**: (1) **inbound dedupe on `msg_id` / `svr_msg_id`** — Rust emitted every parsed message unconditionally; a long-poll retry could re-deliver. Sidecar threads the IDs through a bounded `SeenSet` (10000 capacity / 5000 evict); (2) **429 `Retry-After` honoured on every REST path** — Rust had no 429 handling at all, so a throttled `getupdates` or `sendmessage` either burned the backoff budget or dropped the chunk. Sidecar parses `Retry-After` (default 30 s, floor 1 s, capped at `WECHAT_MAX_BACKOFF_SECS`), sleeps, retries once, then logs-and-continues on the second 429; (3) **explicit 30 s timeouts on every REST call** — Rust pre-configured `reqwest`'s 90 s default; the sidecar tightens it so a wedged iLink endpoint doesn't pin the worker thread; (4) **shutdown event interrupts backoff** — `threading.Event.wait(backoff)` lets a `Shutdown` command exit the executor thread promptly. **Operator action required**: an existing `[channels.wechat]` block is no longer recognised — re-declare as `[[sidecar_channels]]` running `python3 -m librefang.sidecar.adapters.wechat`; persisted bot tokens move from a `WECHAT_BOT_TOKEN` env-var (still the same name, just consumed by the sidecar process now) into `~/.librefang/secrets.env`. Optional knobs: `WECHAT_ALLOWED_USERS` (csv), `WECHAT_ACCOUNT_ID`, `WECHAT_INITIAL_BACKOFF_SECS`, `WECHAT_MAX_BACKOFF_SECS`. The two dashboard endpoints (`/channels/wechat/qr/start` + `/qr/status`) are removed; the sidecar now logs the QR code itself at INFO. `ChannelType::WeChat` is preserved via `channel_type = "wechat"` on the sidecar entry so existing routing / `channel_role_mapping` keys continue to resolve. Verification: `cd sdk/python && pytest tests/test_wechat_adapter.py` — **51 passed** (env handling, `generate_wechat_uin` shape + uniqueness, `parse_wechat_msg` for 5 item types incl. bot-origin self-skip / empty-text / unsupported / cdn_url fallback / display-name fallback / account_id injection, `_send_text` (basic / chunking / empty drop / no-token raise / 429-retry / HTTP-error raise / body shape), `on_send` dispatch (Text / user.platform_id fallback / unsupported placeholder / empty-user drop / empty-text drop / cached context_token reuse), `_dispatch_messages` integration (emit + reply-context stash / dedupe / allowlist accept+reject / bot-origin skip / account_id injection), QR login (happy path / expired / missing qrcode / non-200 retry), schema + capabilities). (@houko) - **BREAKING: Email (IMAP + SMTP) migrated from in-process Rust adapter to sidecar-only** — the in-process `librefang-channels::email` adapter (`EmailAdapter`, 1604 lines: `imap` crate poll loop with custom `rustls-connector` TLS context for the per-instance CA-pinning + accept-invalid-certs knobs (#4877), `mailparse` MIME extraction, `lettre` async SMTP over `tokio` with implicit-TLS / STARTTLS pivoting on port, SASL `AUTHENTICATE PLAIN` fallback for Lark/Larksuite, sender allowlist with `@domain` matching (#3463), `[agent] Subject` routing, quarantine-on-poison-pill (`+FLAGS \Seen Librefang-Quarantine`, #3481), per-sender reply-context cache for `In-Reply-To` threading) is deleted along with the `[channels.email]` config schema (`EmailConfig` including the 4 split-credentials fields + `tls_root_ca_path` + `tls_accept_invalid_certs`), the `channel-email` cargo feature (and the five optional deps it gated: `lettre` / `imap` / `rustls-connector` / `rustls-pemfile` / `mailparse`), the `all-channels-no-email` Android-target carve-out (no longer needed — the rustls-connector / rustls-platform-verifier Android incompatibility went away with the IMAP stack), the dashboard `ChannelMeta` descriptor + 4 match arms (`is_some` / serialize / `len` / `ser`), the CLI-TUI `ChannelDef`, the CLI wizard's `email` arm, the kernel `channel_sender` `for_each_channel_field!` entry + `EXPECTED` name-list, the config-validation env-var hook, and the `channel_bridge` `EmailCredentials` + `resolve_email_credentials` helper (+ the 7-test split-credentials fallback unit-test block that exercised it). `email` is removed from `crates/librefang-channels/src/channels-allowlist.txt`, so `cargo xtask channel-policy` permanently rejects any attempt to reintroduce an in-process email adapter. Behaviour is preserved by the new reference sidecar `librefang.sidecar.adapters.email` (ships in `librefang-sdk`; source at `sdk/python/librefang/sidecar/adapters/email.py`, **stdlib-only** — `imaplib.IMAP4_SSL` + `smtplib.SMTP` / `SMTP_SSL` + the `email` package + `ssl`, no third-party deps): same IMAP-poll cadence (default 30 s) with `UID SEARCH UNSEEN UNKEYWORD Librefang-Quarantine` (fallback `UNSEEN` on rejection), same 50-UID-per-cycle fetch cap, same SASL PLAIN fallback (`\0user\0pass`) when LOGIN fails, same MIME walker preferring `text/plain` over the first subpart, same `[agent] Subject` extraction (surfaced via `metadata.target_agent`), same exact-address / `@domain` allowlist (substring rejected, #3463), same per-sender `(subject, message_id)` reply context cache feeding `In-Reply-To` + `References` on outbound, same quarantine-on-poison-pill, same `Subject: ...\n\nbody` convention on outbound text, same SMTP port-routing (465 → `SMTP_SSL`, otherwise STARTTLS via `EHLO`), same multi-bot `account_id` metadata injection (#5003), same `EMAIL_TLS_ROOT_CA_PATH` / `EMAIL_TLS_ACCEPT_INVALID_CERTS` knobs (always-WARN on every connect when validation is off, #4877). **Improvements over the Rust adapter**: (1) **inbound dedupe on Message-ID** — Rust marked Seen after emit; a flag-update failure left the message UNSEEN and the next poll re-emitted it. Sidecar runs a bounded `SeenSet` on Message-ID so a flag-update hiccup doesn't double-emit; (2) **explicit timeouts on every IMAP + SMTP connection** (`EMAIL_NET_TIMEOUT_SECS`, default 60 s); (3) **shutdown event interrupts backoff** — `threading.Event.wait(backoff)` lets `Shutdown` exit the executor thread promptly. **Operator action required**: an existing `[channels.email]` block is no longer recognised — re-declare as `[[sidecar_channels]]` running `python3 -m librefang.sidecar.adapters.email` with `EMAIL_IMAP_HOST` / `EMAIL_SMTP_HOST` / `EMAIL_USERNAME` (in `[sidecar_channels.env]`) and `EMAIL_PASSWORD` (in `~/.librefang/secrets.env`). Per-protocol overrides land on `EMAIL_IMAP_USERNAME` / `EMAIL_IMAP_PASSWORD` / `EMAIL_SMTP_USERNAME` / `EMAIL_SMTP_PASSWORD`; advanced knobs are `EMAIL_IMAP_PORT` (993) / `EMAIL_SMTP_PORT` (587) / `EMAIL_POLL_INTERVAL_SECS` (30) / `EMAIL_FOLDERS` (INBOX, csv) / `EMAIL_ALLOWED_SENDERS` (csv) / `EMAIL_ACCOUNT_ID` / `EMAIL_TLS_ROOT_CA_PATH` / `EMAIL_TLS_ACCEPT_INVALID_CERTS` / `EMAIL_NET_TIMEOUT_SECS`. See `sdk/python/librefang/sidecar/adapters/email.py` header for the exact config. `ChannelType::Email` is preserved via `channel_type = "email"` on the sidecar entry so existing routing / `channel_role_mapping` keys continue to resolve. The Android-specific `all-channels-no-email` feature on `librefang-api` / `librefang-cli` / `librefang-desktop` now collapses to `all-channels` because the IMAP/SMTP code is no longer in the Rust crate graph. Verification: `cd sdk/python && pytest tests/test_email_adapter.py` — **63 passed** (env handling, port/CSV/bool parsing, `extract_email_addr`, `sender_matches_allowlist` (exact / `@domain` / case-insensitive / #3463 no-substring), `extract_agent_from_subject` / `strip_agent_tag`, `parse_email_message` (plaintext / multipart / malformed / Message-ID / text/plain preference / HTML-fallback), `build_outbound_subject`, `_ReplyCtxCache`, `_parse_uid_search` + `_parse_fetch_response`, `_imap_login` LOGIN-then-PLAIN fallback, `_poll_once` (happy-path / Seen flag-set / disallowed-sender quarantine / unparseable quarantine / Message-ID dedupe / fallback-search / account_id injection / reply-context storage), `on_send` (basic / In-Reply-To / explicit Subject prefix / fallback / invalid recipient / unsupported content / port-465 SMTP_SSL), schema + capabilities). (@houko) - **BREAKING: Feishu / Lark migrated from in-process Rust adapter to sidecar-only** — the in-process `librefang-channels::feishu` adapter (`FeishuAdapter`, 2926 lines: unified Feishu CN + Lark intl, dual receive mode with `axum`-mounted webhook router or `tokio-tungstenite` WebSocket gateway, tenant access token cache with 7200 s expiry + 300 s refresh buffer, AES-256-CBC + PKCS#7 decryption for encrypted webhook payloads via the `aes` + `cbc` crates, `parse_feishu_event` for v2 `im.message.receive_v1` + `parse_feishu_event_v1` legacy + `parse_card_action` for approval button clicks, `@_user_N` mention placeholder expansion, sliding-window event dedup, processing-state `Typing` reaction add/remove via `POST /reactions` / `DELETE /reactions/{id}`, REST `POST /open-apis/im/v1/messages` text + interactive-card outbound, `build_approval_card` builder) is deleted along with the `[channels.feishu]` config schema (`FeishuConfig`, `FeishuRegion`, `FeishuReceiveMode`), the `channel-feishu` cargo feature in both `librefang-channels` and `librefang-api` (incl. its membership in `all-channels` and the `aes` / `cbc` optional deps it gated), the dashboard `ChannelMeta` descriptor + 4 match arms (`is_some` / serialize / `len` / `ser`) + `webhook_route_suffix` entry, the CLI-TUI `ChannelDef`, the kernel `channel_sender` `for_each_channel_field!` entry + `EXPECTED` name-list, the config-validation env-var hook, and the `channel_bridge` `feishu` builder + import. `feishu` is removed from `crates/librefang-channels/src/channels-allowlist.txt`, so `cargo xtask channel-policy` now permanently rejects any attempt to reintroduce an in-process feishu adapter. `librefang-migrate`'s OpenClaw importer (both YAML + JSON5 paths) now records the legacy `[channels.feishu]` block as a skipped sidecar channel (same shape as IRC / Mattermost / Signal / Matrix removals); `test_policy_migration`'s in-process `dmPolicy → dm_policy` witness rotates feishu → google_chat to keep mapping coverage alive. Behaviour is preserved by the new reference sidecar `librefang.sidecar.adapters.feishu` (ships in `librefang-sdk`; source at `sdk/python/librefang/sidecar/adapters/feishu.py`, stdlib-only — `urllib.request` for REST, hand-rolled RFC 6455 WS client over `socket`+`ssl` like discord/slack/webex/mattermost/qq/matrix, **pure-Python AES-256-CBC + PKCS#7 decrypt** for encrypted webhook payloads so we don't pull `cryptography` into the sidecar's stdlib-only dependency contract — verified against NIST SP 800-38A F.2.5 test vectors): same two-step WS endpoint discovery (`POST /callback/ws/endpoint` → `wss://` URL + `ClientConfig.PingInterval`), same default `websocket` receive mode + opt-in `webhook` mode (HTTP server on `FEISHU_WEBHOOK_PORT`), same Feishu (CN) ↔ Lark (intl) auto-routing via `FEISHU_REGION`, same tenant access token caching + 5-minute refresh buffer (feishu.rs:1021-1075 parity), same `im.message.receive_v1` v2 + legacy v1 inbound parsing, same `card.action.trigger` routing to a `Command` content (`approve` / `reject` with `[request_id]` args), same `@_user_N` placeholder expansion (replaces with `@`, `@_all` → `@all`), same `sender_type in ("app", "bot")` self-skip (closes the #2435 echo loop), same `root_id` → `thread_id` round-trip, same `account_id` metadata injection for multi-bot routing (#5003), same processing-state `Typing` reaction add/remove (fail-open), same `MAX_MESSAGE_LEN = 4096` chunking, same interactive card outbound via `msg_type = "interactive"`. **Improvements over the Rust adapter**: (1) **pure-Python AES-256-CBC decrypt** — Rust used the `aes` + `cbc` crates with `SHA256(encrypt_key)` as the key; the sidecar re-implements the same primitive in stdlib (`hashlib.sha256` + a hand-coded AES-256 round / S-box / mix-columns) so encrypted webhook payloads round-trip without third-party deps; (2) **explicit timeouts on every HTTP call** — Rust relied on `reqwest`'s default (none); a wedged Feishu endpoint hung the producer task forever. Sidecar passes `timeout=30s` on every REST call + WS handshake; (3) **event dedup is locked at construction** — Rust's `seen_events` was a `Mutex` populated lazily; the sidecar's `_EventDedup` is initialised in `__init__` so concurrent first-event arrivals never race-create separate maps. **Operator action required**: an existing `[channels.feishu]` block is no longer recognised — re-declare as `[[sidecar_channels]]` running `python3 -m librefang.sidecar.adapters.feishu` with `FEISHU_APP_ID` (in `[sidecar_channels.env]`) and `FEISHU_APP_SECRET` (in `~/.librefang/secrets.env`); optional knobs are `FEISHU_REGION` (`cn` / `intl`), `FEISHU_RECEIVE_MODE` (`websocket` / `webhook`), `FEISHU_WEBHOOK_PORT`, `FEISHU_VERIFICATION_TOKEN`, `FEISHU_ENCRYPT_KEY`, `FEISHU_ACCOUNT_ID`. See `sdk/python/librefang/sidecar/adapters/feishu.py` header for the exact config. `ChannelType::Custom("feishu")` and `ChannelType::Custom("lark")` are preserved via `channel_type = "feishu"` on the sidecar entry so existing routing / `channel_role_mapping` keys continue to resolve. Verification: `cd sdk/python && pytest tests/test_feishu_adapter.py` — **91 passed** (covers env handling, region/mode parsing, NIST AES-256 test vector + full PKCS#7 round-trip, payload-decrypt failure modes, event dedup + sliding window purge, `build_approval_card` for 4 risk levels, v2 + v1 + card-action parsers incl. mention expansion / self-skip / group-vs-DM / root_id thread / slash-command routing, token cache + refresh + API-error surfacing, `_validate`, `_send_text` chunking + error propagation, `_send_card` for interactive cards, `on_send` dispatch for Text / Interactive / fallback / channel-id fallback, `_get_ws_endpoint`, `_handle_ws_text` + `_handle_ws_binary` (protobuf-wrapped JSON extraction), `_dispatch_event` dedup + `account_id` injection, webhook HTTP handler for challenge / token verification / encrypted-payload decrypt / 404 / 400, schema + capabilities). (@houko) - **BREAKING: WeCom migrated from in-process Rust adapter to sidecar-only, WebSocket mode only — Callback mode is removed** — the in-process `librefang-channels::wecom` adapter (`WeComAdapter`, 2497 lines: WebSocket long-connection to `wss://openws.work.weixin.qq.com` with `aibot_subscribe` / `aibot_msg_callback` / `aibot_respond_msg` / `aibot_send_msg` / `ping` / `pong` frame routing + `cmd`/`action` and `body`/`data` legacy-key tolerance + per-user `req_id` cache for passive replies + 30 s heartbeat + 1 → 30 s exponential reconnect backoff + **callback mode**: HTTP webhook server with HMAC-SHA1 signature verification over `sort(token, timestamp, nonce, encrypt)`, AES-CBC-256 decryption of inbound payloads (32-byte base64 key, 16-byte IV from key prefix, 16-byte random prefix + 4-byte big-endian length + receiveid suffix + PKCS#7 32-byte block alignment), one-shot `response_url` cache with 5-minute TTL + composite `user_id|chat_id` key for groups, and webhook-key fallback extracted from the first inbound `response_url`) is deleted along with the `[channels.wecom]` config schema (`WeComConfig` + `WeComMode` enum), the `channel-wecom` cargo feature in both `librefang-channels` and `librefang-api` (incl. its membership in `all-channels` / `all-channels-no-email`; the optional `aes` / `cbc` deps stay because `channel-feishu` still gates them), the dashboard `ChannelMeta` descriptor + 4 match arms (`is_some` / serialize / `len` / `ser`), the kernel `channel_sender` `for_each_channel_field!` entry + `EXPECTED` name-list, the kernel-side wecom-specific formatter dispatch (`format_for_wecom` / `markdown_to_wecom_plain` plus the 7 internal helpers they used: `strip_atx_heading` / `strip_blockquote_prefix` / `strip_task_list_prefix` / `is_fenced_code_marker` / `is_setext_heading_underline` / `is_table_divider` / `strip_inline_markdown`), the `default_channel_initial_backoff_secs` shared constant that had no other caller, the `inject_callback_url` arm and the `webhook_route_suffix` `wecom` entry (wecom was the only `callback_url`-bearing in-process channel), and the `test_one_or_many_array_of_wecom_tables` config-parse test. `wecom` is removed from `crates/librefang-channels/src/channels-allowlist.txt`, so `cargo xtask channel-policy` permanently rejects any attempt to reintroduce an in-process wecom adapter. Behaviour is preserved for **WebSocket mode** by the new reference sidecar `librefang.sidecar.adapters.wecom` (ships in `librefang-sdk`; source at `sdk/python/librefang/sidecar/adapters/wecom.py`, stdlib-only — RFC 6455 WS client via the shared `librefang.sidecar.ws.WebSocketClient`, no third-party deps): same `wss://openws.work.weixin.qq.com` endpoint, same `aibot_subscribe` handshake carrying `bot_id` + `secret`, same `cmd`/`action` and `body`/`data` legacy-key tolerance, same `userid`/`user_id` and `chattype`/`chat_type` fallback chain, same `is_subscribe_success` detection (both explicit `cmd: "aibot_subscribe"` ack AND server-style ack with `errcode: 0` + `headers.req_id` starting with `"aibot_subscribe"`), same `aibot_msg_callback` parsing with text-only msgtype filter (non-text msgtypes still silently dropped, mirroring `wecom.rs:103-106`), same per-user `req_id` cache so the first outbound after an inbound uses `aibot_respond_msg` (one-shot, evicted on send) and subsequent outbounds fall back to `aibot_send_msg`, same `msgtype: "markdown"` body shape (WeCom's intelligent-bot `aibot_respond_msg` rejects `msgtype: "text"`), same 4096-char chunking via the shared `split_message`, same 30 s `cmd: "ping"` heartbeat, same 1 → 30 s exponential reconnect backoff, same multi-bot `account_id` metadata injection (#5003). **Callback mode is NOT ported** — Python's standard library has no AES-CBC primitive, and the sidecar SDK is stdlib-only by policy across all 19 reference adapters. Operators who relied on callback mode must either switch the bot to WebSocket mode in the WeCom admin console (it requires no public endpoint, so the WS path is a strict superset of what callback could do in restricted-egress environments), or ship their own callback-mode sidecar that brings its own AES dependency. **Three improvements over the Rust adapter**: (1) **inbound dedupe on `req_id`** — the Rust emit at `wecom.rs:770` was unconditional, so a WS reconnect that races with the platform's redelivery would emit the same message twice. The sidecar threads `req_id` through `librefang.sidecar.common.SeenSet` (capacity 10000, evict 5000), matching the dedupe envelope every recent sidecar (qq, mattermost, signal, line, matrix) settled on; (2) **heartbeat-and-send coexist on one socket via a stdlib `queue.Queue`** — the Rust adapter used a bounded `tokio::mpsc` (`wecom.rs:580`); the sidecar uses an unbounded `queue.Queue` polled at the same read tick as inbound. `on_send` is non-blocking; the WS thread drains the queue between heartbeat ticks and message reads, so a slow `aibot_send_msg` server-side never wedges inbound; (3) **send result is observable in logs** — the Rust adapter only logged `frame sent over WebSocket successfully` (`wecom.rs:631`) before the server ACK arrived; the sidecar logs the same plus the server's `errcode` / `errmsg` (when non-zero) on the ACK frame, so operators can correlate a `send succeeded` log line with the actual platform-side outcome instead of having to enable DEBUG. **Operator action required**: an existing `[channels.wecom]` block is no longer recognised — re-declare as `[[sidecar_channels]]` running `python3 -m librefang.sidecar.adapters.wecom` with `WECOM_BOT_ID` (in `[sidecar_channels.env]`) and `WECOM_BOT_SECRET` (in `~/.librefang/secrets.env`); optional knobs are `WECOM_ALLOWED_USERS`, `WECOM_ACCOUNT_ID`. See `sdk/python/librefang/sidecar/adapters/wecom.py` header for the exact config. `ChannelType::Custom("wecom")` is preserved via `channel_type = "wecom"` on the sidecar entry so existing routing / `channel_role_mapping` keys that reference `wecom` continue to resolve. Verification: `cd sdk/python && pytest tests/test_wecom_adapter.py` — **62 passed** (env enforcement, frame-helper key fallback (`cmd`/`action`, `body`/`data`, `headers.req_id`/`body.req_id`), `_is_subscribe_success` (explicit + server-style ack + nonzero errcode), `parse_wecom_event` for text / legacy `action`/`data` / group / non-text msgtype reject / event-cmd reject / missing-req_id / missing-user / empty-content / allowlist accept+reject / account_id injection + omission / `response_url` metadata surfacing, frame builders (subscribe / respond_msg / send_msg / ping), `_enqueue_text` routing (no-req_id → send_msg / req_id → respond_msg+evict / chunking / first-chunk-respond-rest-send / empty-text noop), `_mark_seen` (fresh + dedupe + empty), `on_send` (basic / user.platform_id fallback / unsupported content placeholder / no-user-id drop / empty-text drop), and end-to-end `_run_session` via a scripted in-memory WS fake (subscribe-first emission / message-after-ack / req_id dedupe across redelivery / req_id caching / subscribe failure returns / non-msg-callback frames ignored / send-queue drained). (@houko) - **BREAKING: Matrix migrated from in-process Rust adapter to sidecar-only** — the in-process `librefang-channels::matrix` adapter (`MatrixAdapter`, 3356 lines: long-poll `GET /sync` + `PUT /rooms/{}/send/{}/{}` outbound + `POST /_matrix/media/v3/upload` + reaction lifecycle + streaming-edit `m.replace` with 429 retry + E2EE warn-once per room + `mxc://` → MSC3916 authenticated download URL + `pulldown-cmark` Markdown→HTML rendering for `formatted_body`) is deleted along with the `[channels.matrix]` config schema (`MatrixConfig`), the `channel-matrix` cargo feature (and the optional `pulldown-cmark` dep it gated), the dashboard `ChannelMeta` descriptor + 4 match arms, the CLI-TUI `ChannelDef`, the kernel `channel_sender` macro entry, the config-validation env-var hook, and the legacy `crates/librefang-api/tests/channels_routes_test.rs` integration test (which used `MatrixConfig` as its only in-process witness and required a separate rewrite that's deferred). `matrix` is removed from `crates/librefang-channels/src/channels-allowlist.txt`, so `cargo xtask channel-policy` permanently rejects any attempt to reintroduce an in-process matrix adapter. `librefang-migrate`'s OpenClaw importer (both YAML + JSON5 paths) now records the legacy `[channels.matrix]` block as a skipped sidecar channel; `test_policy_migration`'s in-process witness rotates discord → slack → mattermost → signal → matrix → **feishu** to keep `dmPolicy: "disabled"` → `dm_policy = "ignore"` coverage alive. Behaviour is preserved by the new reference sidecar `librefang.sidecar.adapters.matrix` (ships in `librefang-sdk`; source at `sdk/python/librefang/sidecar/adapters/matrix.py`, stdlib-only — `urllib.request` for HTTPS, hand-rolled CommonMark subset renderer for `formatted_body`, no third-party deps): same long-poll `/sync` with `since` cursor + 30 s server timeout, same `m.room.message` event filter with 5-msgtype dispatch (`m.text`/`m.notice`/`m.emote` → text or Command on `/` prefix; `m.image`/`m.file`/`m.audio`/`m.video` → media), same room allowlist + self-skip on `sender == user_id`, same E2EE warn-once per room, same `mxc://` → MSC3916 authenticated download URL conversion, same `parse_thread_relation` → `thread_id` on inbound, same multi-bot `account_id` metadata injection (#5003), same `MAX_MESSAGE_LEN = 4096` chunking, same 5 outbound surfaces (text + 11 ChannelContent variants in `on_send`, typing via `TypingCmd`, reaction with lifecycle redact + insert via `Reaction`, thread wrap via `cmd.thread_id`, streaming edit via `StreamStart`/`StreamDelta`/`StreamEnd`), same `m.replace` edit with shared `txn_id` across both attempts under 429, same 1–60 s exponential reconnect backoff on `/sync` failure, same default 50 MiB upload cap (`MATRIX_MAX_UPLOAD_BYTES` override). **Three improvements over the Rust adapter**: (1) **inbound dedupe on `event_id`** — Rust emitted every event_id from a sync batch unconditionally; on retry / `since` reset the bot could re-emit. Bounded `SeenSet` with `SEEN_MESSAGES_MAX=10000` / `EVICT=5000`; (2) **429 `Retry-After` honoured at every PUT, not just edit** — Rust's `api_edit_event_with_retry` honoured Retry-After but `api_send_event` and `api_redact` did not. The sidecar's `_put_event` honours it everywhere (1 retry then raise on second 429); (3) **explicit 60 s timeout on `/sync`, 30 s on every other REST call** — Rust relied on `reqwest`'s default (none); a hung homeserver would hang the producer thread forever. Markdown→HTML rendering is a stdlib subset (headings, bold, italic, inline code, fenced code blocks, links with `javascript:` / `data:` scheme rejection, lists, blockquotes, horizontal rules, GFM tables, strikethrough, `` strip, paragraph wrapping). Raw HTML in the source is HTML-entity-escaped before rendering so an LLM-authored `