- TUI: reload the active session after external `/new` or `/reset` session-change events so stale transcript and stream state clear promptly. Fixes #38966; carries forward #40472. Thanks @yizhanzjz and @wsyjh8.

- Control UI: preserve Gateway Access tokens during same-normalized WebSocket URL edits and reload gateway-scoped tokens when switching endpoints. Fixes #41545; repairs #42001 with additional source PRs #41546, #41552, and #41718. Thanks @wsyjh8, @llagy0020, @llagy007, @pingfanfan, and @zheliu2.

- Gateway CLI: tolerate a single transient clean WebSocket close before `hello-ok` so one-shot RPC calls reconnect instead of failing noisily, while repeated clean pre-hello closes still surface. Carries forward source PRs #54475 and #54774; #85253 covered adjacent connect assembly diagnostics. Thanks @ruanrrn.

- Gateway/Linux: keep root-owned systemd user service lifecycle commands on root's user manager when a stale `SUDO_USER` remains in a root shell with root's user bus environment. Fixes #81410. Thanks @Ericksza and @ChuckClose-tech.

- Release and test reliability: extend slow Gateway/full-suite watchdogs, split local full-suite shards when throttled, stabilize plugin auth marker fixtures, avoid brittle provider-ref error text, and keep QA Lab bootstrap selection assertions aligned with flow-only scenarios. (#92652)

- macOS Peekaboo bridge: update the embedded Peekaboo package to 3.5.2 and route bundled-skill CLI commands through the OpenClaw app bridge so they inherit its Screen Recording and Accessibility grants.

- Agent routing: route subagent RPC callbacks addressed to an agent-shaped `--to` target to the correct session key instead of falling back to the main session, so WeChat (and other channel) session-key callbacks reach the intended subagent session. (#90231) Thanks @zhangguiping-xydt.

expect(execFileMock).toHaveBeenCalledTimes(1);

});

it("keeps root user scope when stale SUDO_USER is paired with root bus environment", async () => {

mockEffectiveUid(0);

execFileMock.mockImplementationOnce((_cmd, args, _opts, cb) => {

assertUserSystemctlArgs(args, "status");

cb(null, "", "");

});

await expect(

isSystemdUserServiceAvailable({

HOME: "/root",

USER: "root",

LOGNAME: "root",

SUDO_USER: "debian",

XDG_RUNTIME_DIR: "/run/user/0",

DBUS_SESSION_BUS_ADDRESS: "unix:path=/run/user/0/bus",

}),

).resolves.toBe(true);

expect(execFileMock).toHaveBeenCalledTimes(1);

});

it("does not let stale SUDO_USER override a sudo-u target user scope", async () => {

mockEffectiveUid(1000);

execFileMock.mockImplementationOnce((_cmd, args, _opts, cb) => {

await assertRestartSuccess({ SUDO_USER: "debian" });

});

it("restarts root user services directly when stale SUDO_USER is paired with root bus environment", async () => {

mockEffectiveUid(0);

execFileMock

.mockImplementationOnce((_cmd, args, _opts, cb) => {

assertUserSystemctlArgs(args, "status");

cb(null, "", "");

})

.mockImplementationOnce((_cmd, args, _opts, cb) => {

assertUserSystemctlArgs(args, "restart", GATEWAY_SERVICE);

cb(null, "", "");

});

await assertRestartSuccess({

HOME: "/root",

USER: "root",

LOGNAME: "root",

SUDO_USER: "debian",

XDG_RUNTIME_DIR: "/run/user/0",

DBUS_SESSION_BUS_ADDRESS: "unix:path=/run/user/0/bus",

});

});

it("keeps direct --user scope when SUDO_USER is root", async () => {

execFileMock

.mockImplementationOnce((_cmd, args, _opts, cb) => {

return Boolean(user && user !== "root");

}

function hasRootUserManagerEnvironment(env: GatewayServiceEnv): boolean {

const home = env.HOME?.trim();

const runtimeDir = env.XDG_RUNTIME_DIR?.trim();

const dbusAddress = env.DBUS_SESSION_BUS_ADDRESS?.trim();

return (

home === "/root" &&

runtimeDir === "/run/user/0" &&

Boolean(dbusAddress?.includes("/run/user/0/bus"))

);

}

function resolveSystemctlUserScope(env: GatewayServiceEnv): {

machineUser: string | null;

preferMachineScope: boolean;

const effectiveUid = readSystemctlEffectiveUid();

const effectiveUser = readSystemctlEffectiveUser();

const isEffectiveRoot = effectiveUid === null ? effectiveUser === "root" : effectiveUid === 0;

const isSudoToRoot = isEffectiveRoot && isNonRootUser(sudoUser);

const machineUser = isSudoToRoot

? sudoUser

: isNonRootUser(envUser)

? envUser

: isNonRootUser(sudoUser)

? sudoUser

: effectiveUser || envUser || sudoUser || null;

const hasRootUserManager = isEffectiveRoot && hasRootUserManagerEnvironment(env);

const isSudoToRoot = isEffectiveRoot && !hasRootUserManager && isNonRootUser(sudoUser);

const machineUser = hasRootUserManager

? null

: isSudoToRoot

? sudoUser

: isNonRootUser(envUser)

? envUser

: isNonRootUser(sudoUser)

? sudoUser

: effectiveUser || envUser || sudoUser || null;

return {

machineUser,

preferMachineScope: isSudoToRoot,