feat: add prek pre-commit hooks and dependabot (#1720)

* feat: add prek pre-commit hooks and dependabot Pre-commit hooks (via prek): - Basic hygiene: trailing-whitespace, end-of-file-fixer, check-yaml, check-added-large-files, check-merge-conflict - Security: detect-secrets, zizmor (GitHub Actions audit) - Linting: shellcheck, actionlint, oxlint, swiftlint - Formatting: oxfmt, swiftformat Dependabot: - npm and GitHub Actions ecosystems - Grouped updates (production/development/actions) - 7-day cooldown for supply chain protection Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * docs: add prek install instruction to AGENTS.md --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-25 05:53:23 -05:00 · 2026-01-25 05:53:23 -05:00 · 48aea87028
parent 612a27f3dd
commit 48aea87028
69 changed files with 2143 additions and 214 deletions
--- a/.github/actionlint.yaml
+++ b/.github/actionlint.yaml
@ -0,0 +1,17 @@
 # actionlint configuration
 # https://github.com/rhysd/actionlint/blob/main/docs/config.md
 self-hosted-runner:
  labels:
    # Blacksmith CI runners
    - blacksmith-4vcpu-ubuntu-2404
    - blacksmith-4vcpu-windows-2025
 # Ignore patterns for known issues
 paths:
  .github/workflows/**/*.yml:
    ignore:
      # Ignore shellcheck warnings (we run shellcheck separately)
      - 'shellcheck reported issue.+'
      # Ignore intentional if: false for disabled jobs
      - 'constant expression "false" in condition'
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -0,0 +1,113 @@
 # Dependabot configuration
 # https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
 version: 2
 registries:
  npm-npmjs:
    type: npm-registry
    url: https://registry.npmjs.org
    replaces-base: true
 updates:
  # npm dependencies (root)
  - package-ecosystem: npm
    directory: /
    schedule:
      interval: weekly
    cooldown:
      default-days: 7
    groups:
      production:
        dependency-type: production
        update-types:
          - minor
          - patch
      development:
        dependency-type: development
        update-types:
          - minor
          - patch
    open-pull-requests-limit: 10
    registries:
      - npm-npmjs
  # GitHub Actions
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
    cooldown:
      default-days: 7
    groups:
      actions:
        patterns:
          - "*"
        update-types:
          - minor
          - patch
    open-pull-requests-limit: 5
  # Swift Package Manager - macOS app
  - package-ecosystem: swift
    directory: /apps/macos
    schedule:
      interval: weekly
    cooldown:
      default-days: 7
    groups:
      swift-deps:
        patterns:
          - "*"
        update-types:
          - minor
          - patch
    open-pull-requests-limit: 5
  # Swift Package Manager - shared ClawdbotKit
  - package-ecosystem: swift
    directory: /apps/shared/ClawdbotKit
    schedule:
      interval: weekly
    cooldown:
      default-days: 7
    groups:
      swift-deps:
        patterns:
          - "*"
        update-types:
          - minor
          - patch
    open-pull-requests-limit: 5
  # Swift Package Manager - Swabble
  - package-ecosystem: swift
    directory: /Swabble
    schedule:
      interval: weekly
    cooldown:
      default-days: 7
    groups:
      swift-deps:
        patterns:
          - "*"
        update-types:
          - minor
          - patch
    open-pull-requests-limit: 5
  # Gradle - Android app
  - package-ecosystem: gradle
    directory: /apps/android
    schedule:
      interval: weekly
    cooldown:
      default-days: 7
    groups:
      android-deps:
        patterns:
          - "*"
        update-types:
          - minor
          - patch
    open-pull-requests-limit: 5
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -0,0 +1,85 @@
 # Pre-commit hooks for clawdbot
 # Install: prek install
 # Run manually: prek run --all-files
 #
 # See https://pre-commit.com for more information
 repos:
  # Basic file hygiene
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v6.0.0
    hooks:
      - id: trailing-whitespace
        exclude: '^(docs/|dist/|vendor/|.*\.snap$)'
      - id: end-of-file-fixer
        exclude: '^(docs/|dist/|vendor/|.*\.snap$)'
      - id: check-yaml
        args: [--allow-multiple-documents]
      - id: check-added-large-files
        args: [--maxkb=500]
      - id: check-merge-conflict
  # Secret detection (same as CI)
  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.5.0
    hooks:
      - id: detect-secrets
        args: [--baseline, .secrets.baseline]
  # Shell script linting
  - repo: https://github.com/koalaman/shellcheck-precommit
    rev: v0.11.0
    hooks:
      - id: shellcheck
        args: [--severity=error]  # Only fail on errors, not warnings/info
        # Exclude vendor and scripts with embedded code or known issues
        exclude: '^(vendor/|scripts/e2e/)'
  # GitHub Actions linting
  - repo: https://github.com/rhysd/actionlint
    rev: v1.7.10
    hooks:
      - id: actionlint
  # GitHub Actions security audit
  - repo: https://github.com/zizmorcore/zizmor-pre-commit
    rev: v1.22.0
    hooks:
      - id: zizmor
        args: [--persona=regular, --min-severity=medium, --min-confidence=medium]
        exclude: '^(vendor/|Swabble/)'
  # Project checks (same commands as CI)
  - repo: local
    hooks:
      # oxlint --type-aware src test
      - id: oxlint
        name: oxlint
        entry: npx oxlint --type-aware src test
        language: system
        pass_filenames: false
        types_or: [javascript, jsx, ts, tsx]
      # oxfmt --check src test
      - id: oxfmt
        name: oxfmt
        entry: npx oxfmt --check src test
        language: system
        pass_filenames: false
        types_or: [javascript, jsx, ts, tsx]
      # swiftlint (same as CI)
      - id: swiftlint
        name: swiftlint
        entry: swiftlint --config .swiftlint.yml
        language: system
        pass_filenames: false
        types: [swift]
      # swiftformat --lint (same as CI)
      - id: swiftformat
        name: swiftformat
        entry: swiftformat --lint apps/macos/Sources --config .swiftformat
        language: system
        pass_filenames: false
        types: [swift]
--- a/.secrets.baseline
+++ b/.secrets.baseline
--- a/.shellcheckrc
+++ b/.shellcheckrc
@ -0,0 +1,25 @@
 # ShellCheck configuration
 # https://www.shellcheck.net/wiki/
 # Disable common false positives and style suggestions
 # SC2034: Variable appears unused (often exported or used indirectly)
 disable=SC2034
 # SC2155: Declare and assign separately (common idiom, rarely causes issues)
 disable=SC2155
 # SC2295: Expansions inside ${..} need quoting (info-level, rarely causes issues)
 disable=SC2295
 # SC1012: \r is literal (tr -d '\r' works as intended on most systems)
 disable=SC1012
 # SC2026: Word outside quotes (info-level, often intentional)
 disable=SC2026
 # SC2016: Expressions don't expand in single quotes (often intentional in sed/awk)
 disable=SC2016
 # SC2129: Consider using { cmd1; cmd2; } >> file (style preference)
 disable=SC2129
--- a/.swiftformat
+++ b/.swiftformat
@ -23,7 +23,7 @@
 # Whitespace
 --trimwhitespace always
 --emptybraces no-space
--nospaceoperators ...,..< 
+--nospaceoperators ...,..<
 --ranges no-space
 --someAny true
 --voidtype void
--- a/AGENTS.md
+++ b/AGENTS.md
@ -37,6 +37,7 @@
 ## Build, Test, and Development Commands
 - Runtime baseline: Node **22+** (keep Node + Bun paths working).
 - Install deps: `pnpm install`
 - Pre-commit hooks: `prek install` (runs same checks as CI)
 - Also supported: `bun install` (keep `pnpm-lock.yaml` + Bun patching in sync when touching deps/patches).
 - Prefer Bun for TypeScript execution (scripts, dev, tests): `bun <file.ts>` / `bunx <tool>`.
 - Run CLI in dev: `pnpm clawdbot ...` (bun) or `pnpm dev`.
--- a/README.md
+++ b/README.md
@ -459,7 +459,7 @@ Use these when you’re past the onboarding flow and want the deeper reference.
 ## Clawd
-Clawdbot was built for **Clawd**, a space lobster AI assistant. 🦞  
+Clawdbot was built for **Clawd**, a space lobster AI assistant. 🦞
 by Peter Steinberger and the community.
 - [clawd.me](https://clawd.me)
@ -468,7 +468,7 @@ by Peter Steinberger and the community.
 ## Community
-See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines, maintainers, and how to submit PRs.  
+See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines, maintainers, and how to submit PRs.
 AI/vibe-coded PRs welcome! 🤖
 Special thanks to [Mario Zechner](https://mariozechner.at/) for his support and for
--- a/SECURITY.md
+++ b/SECURITY.md
@ -12,4 +12,3 @@ If you believe you’ve found a security issue in Clawdbot, please report it pri
 For threat model + hardening guidance (including `clawdbot security audit --deep` and `--fix`), see:
 - `https://docs.clawd.bot/gateway/security`
--- a/appcast.xml
+++ b/appcast.xml
@ -212,4 +212,4 @@
            <enclosure url="https://github.com/clawdbot/clawdbot/releases/download/v2026.1.21/Clawdbot-2026.1.21.zip" length="22284796" type="application/octet-stream" sparkle:edSignature="pXji4NMA/cu35iMxln385d6LnsT4yIZtFtFiR7sIimKeSC2CsyeWzzSD0EhJsN98PdSoy69iEFZt4I2ZtNCECg=="/>
        </item>
    </channel>
-</rss>
+</rss>
--- a/apps/android/app/src/main/java/com/clawdbot/android/CameraHudState.kt
+++ b/apps/android/app/src/main/java/com/clawdbot/android/CameraHudState.kt
@ -12,4 +12,3 @@ data class CameraHudState(
  val kind: CameraHudKind,
  val message: String,
 )
--- a/apps/android/app/src/main/java/com/clawdbot/android/VoiceWakeMode.kt
+++ b/apps/android/app/src/main/java/com/clawdbot/android/VoiceWakeMode.kt
@ -12,4 +12,3 @@ enum class VoiceWakeMode(val rawValue: String) {
    }
  }
 }
--- a/apps/android/app/src/main/java/com/clawdbot/android/node/SmsManager.kt
+++ b/apps/android/app/src/main/java/com/clawdbot/android/node/SmsManager.kt
@ -135,7 +135,7 @@ class SmsManager(private val context: Context) {
    /**
     * Send an SMS message.
-     * 
+     *
     * @param paramsJson JSON with "to" (phone number) and "message" (text) fields
     * @return SendResult indicating success or failure
     */
--- a/apps/android/app/src/main/res/values/colors.xml
+++ b/apps/android/app/src/main/res/values/colors.xml
@ -1,4 +1,3 @@
 <resources>
    <color name="ic_launcher_background">#0A0A0A</color>
 </resources>
--- a/apps/android/app/src/main/res/values/strings.xml
+++ b/apps/android/app/src/main/res/values/strings.xml
@ -1,4 +1,3 @@
 <resources>
    <string name="app_name">Clawdbot Node</string>
 </resources>
--- a/apps/android/app/src/test/java/com/clawdbot/android/voice/VoiceWakeCommandExtractorTest.kt
+++ b/apps/android/app/src/test/java/com/clawdbot/android/voice/VoiceWakeCommandExtractorTest.kt
@ -23,4 +23,3 @@ class VoiceWakeCommandExtractorTest {
    assertNull(VoiceWakeCommandExtractor.extractCommand("hey claude!", listOf("claude")))
  }
 }
--- a/apps/android/settings.gradle.kts
+++ b/apps/android/settings.gradle.kts
@ -16,4 +16,3 @@ dependencyResolutionManagement {
 rootProject.name = "ClawdbotNodeAndroid"
 include(":app")
--- a/apps/ios/.swiftlint.yml
+++ b/apps/ios/.swiftlint.yml
@ -3,4 +3,3 @@ parent_config: ../../.swiftlint.yml
 included:
  - Sources
  - ../shared/ClawdisNodeKit/Sources
--- a/apps/macos/Icon.icon/icon.json
+++ b/apps/macos/Icon.icon/icon.json
@ -33,4 +33,4 @@
    ],
    "squares" : "shared"
  }
-}
+}
--- a/apps/macos/Sources/Clawdbot/Resources/DeviceModels/LICENSE.apple-device-identifiers.txt
+++ b/apps/macos/Sources/Clawdbot/Resources/DeviceModels/LICENSE.apple-device-identifiers.txt
@ -18,4 +18,4 @@ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+SOFTWARE.
--- a/apps/macos/Sources/Clawdbot/Resources/DeviceModels/ios-device-identifiers.json
+++ b/apps/macos/Sources/Clawdbot/Resources/DeviceModels/ios-device-identifiers.json
@ -173,4 +173,4 @@
  "iPod5,1": "iPod touch (5th generation)",
  "iPod7,1": "iPod touch (6th generation)",
  "iPod9,1": "iPod touch (7th generation)"
-}
+}
--- a/apps/macos/Sources/Clawdbot/Resources/DeviceModels/mac-device-identifiers.json
+++ b/apps/macos/Sources/Clawdbot/Resources/DeviceModels/mac-device-identifiers.json
@ -211,4 +211,4 @@
    "Mac Pro (2019)",
    "Mac Pro (Rack, 2019)"
  ]
-}
+}
--- a/extensions/matrix/src/matrix/monitor/auto-join.ts
+++ b/extensions/matrix/src/matrix/monitor/auto-join.ts
@ -33,7 +33,7 @@ export function registerMatrixAutoJoin(params: {
  // For "allowlist" mode, handle invites manually
  client.on("room.invite", async (roomId: string, _inviteEvent: unknown) => {
    if (autoJoin !== "allowlist") return;
-    
+
    // Get room alias if available
    let alias: string | undefined;
    let altAliases: string[] = [];
--- a/extensions/matrix/src/matrix/monitor/media.ts
+++ b/extensions/matrix/src/matrix/monitor/media.ts
@ -25,7 +25,7 @@ async function fetchMatrixMediaBuffer(params: {
  // matrix-bot-sdk provides mxcToHttp helper
  const url = params.client.mxcToHttp(params.mxcUrl);
  if (!url) return null;
-  
+
  // Use the client's download method which handles auth
  try {
    const buffer = await params.client.downloadContent(params.mxcUrl);
@ -61,7 +61,7 @@ async function fetchEncryptedMediaBuffer(params: {
    Buffer.from(encryptedBuffer),
    params.file,
  );
-  
+
  return { buffer: decrypted };
 }
@ -77,7 +77,7 @@ export async function downloadMatrixMedia(params: {
  placeholder: string;
 } | null> {
  let fetched: { buffer: Buffer; headerType?: string } | null;
-  
+
  if (params.file) {
    // Encrypted media
    fetched = await fetchEncryptedMediaBuffer({
@ -93,7 +93,7 @@ export async function downloadMatrixMedia(params: {
      maxBytes: params.maxBytes,
    });
  }
-  
+
  if (!fetched) return null;
  const headerType = fetched.headerType ?? params.contentType ?? undefined;
  const saved = await getMatrixRuntime().channel.media.saveMediaBuffer(
--- a/extensions/mattermost/src/group-mentions.ts
+++ b/extensions/mattermost/src/group-mentions.ts
@ -11,4 +11,4 @@ export function resolveMattermostGroupRequireMention(
  });
  if (typeof account.requireMention === "boolean") return account.requireMention;
  return true;
-}
+}
--- a/extensions/mattermost/src/mattermost/accounts.ts
+++ b/extensions/mattermost/src/mattermost/accounts.ts
@ -112,4 +112,4 @@ export function listEnabledMattermostAccounts(cfg: ClawdbotConfig): ResolvedMatt
  return listMattermostAccountIds(cfg)
    .map((accountId) => resolveMattermostAccount({ cfg, accountId }))
    .filter((account) => account.enabled);
-}
+}
--- a/extensions/mattermost/src/mattermost/client.ts
+++ b/extensions/mattermost/src/mattermost/client.ts
@ -205,4 +205,4 @@ export async function uploadMattermostFile(
    throw new Error("Mattermost file upload failed");
  }
  return info;
-}
+}
--- a/extensions/mattermost/src/mattermost/monitor-helpers.ts
+++ b/extensions/mattermost/src/mattermost/monitor-helpers.ts
@ -147,4 +147,4 @@ export function resolveThreadSessionKeys(params: {
    ? `${params.baseSessionKey}:thread:${threadId}`
    : params.baseSessionKey;
  return { sessionKey, parentSessionKey: params.parentSessionKey };
-}
+}
--- a/extensions/mattermost/src/mattermost/probe.ts
+++ b/extensions/mattermost/src/mattermost/probe.ts
@ -67,4 +67,4 @@ export async function probeMattermost(
  } finally {
    if (timer) clearTimeout(timer);
  }
-}
+}
--- a/extensions/mattermost/src/onboarding-helpers.ts
+++ b/extensions/mattermost/src/onboarding-helpers.ts
@ -39,4 +39,4 @@ export async function promptAccountId(params: PromptAccountIdParams): Promise<st
    );
  }
  return normalized;
-}
+}
--- a/extensions/mattermost/src/onboarding.ts
+++ b/extensions/mattermost/src/onboarding.ts
@ -184,4 +184,4 @@ export const mattermostOnboardingAdapter: ChannelOnboardingAdapter = {
      mattermost: { ...cfg.channels?.mattermost, enabled: false },
    },
  }),
-};
+};
--- a/extensions/open-prose/skills/prose/examples/28-automated-pr-review.prose
+++ b/extensions/open-prose/skills/prose/examples/28-automated-pr-review.prose
@ -22,11 +22,11 @@ parallel:
  security = session: security_expert
    prompt: "Perform a deep security audit of the changes. Look for OWASP top 10 issues."
    context: overview
-  
+
  perf = session: performance_expert
    prompt: "Analyze the performance implications. Identify potential bottlenecks or regressions."
    context: overview
-  
+
  style = session: reviewer
    prompt: "Review for code style, maintainability, and adherence to best practices."
    context: overview
--- a/extensions/voice-call/src/manager/context.ts
+++ b/extensions/voice-call/src/manager/context.ts
@ -19,4 +19,3 @@ export type CallManagerContext = {
  transcriptWaiters: Map<CallId, TranscriptWaiter>;
  maxDurationTimers: Map<CallId, NodeJS.Timeout>;
 };
--- a/extensions/voice-call/src/manager/events.ts
+++ b/extensions/voice-call/src/manager/events.ts
@ -175,4 +175,3 @@ export function processEvent(ctx: CallManagerContext, event: NormalizedEvent): v
  persistCallRecord(ctx.storePath, call);
 }
--- a/extensions/voice-call/src/manager/lookup.ts
+++ b/extensions/voice-call/src/manager/lookup.ts
@ -31,4 +31,3 @@ export function findCall(params: {
    providerCallId: params.callIdOrProviderCallId,
  });
 }
--- a/extensions/voice-call/src/manager/state.ts
+++ b/extensions/voice-call/src/manager/state.ts
@ -48,4 +48,3 @@ export function addTranscriptEntry(
  };
  call.transcript.push(entry);
 }
--- a/extensions/voice-call/src/manager/store.ts
+++ b/extensions/voice-call/src/manager/store.ts
@ -86,4 +86,3 @@ export async function getCallHistoryFromStore(
  return calls;
 }
--- a/extensions/voice-call/src/manager/timers.ts
+++ b/extensions/voice-call/src/manager/timers.ts
@ -84,4 +84,3 @@ export function waitForFinalTranscript(
    ctx.transcriptWaiters.set(callId, { resolve, reject, timeout });
  });
 }
--- a/extensions/voice-call/src/manager/twiml.ts
+++ b/extensions/voice-call/src/manager/twiml.ts
@ -7,4 +7,3 @@ export function generateNotifyTwiml(message: string, voice: string): string {
  <Hangup/>
 </Response>`;
 }
--- a/extensions/voice-call/src/providers/plivo.test.ts
+++ b/extensions/voice-call/src/providers/plivo.test.ts
@ -26,4 +26,3 @@ describe("PlivoProvider", () => {
    expect(result.providerResponseBody).toContain('length="300"');
  });
 });
--- a/extensions/voice-call/src/providers/twilio/webhook.ts
+++ b/extensions/voice-call/src/providers/twilio/webhook.ts
@ -27,4 +27,3 @@ export function verifyTwilioProviderWebhook(params: {
    reason: result.reason,
  };
 }
--- a/extensions/zalouser/src/channel.test.ts
+++ b/extensions/zalouser/src/channel.test.ts
@ -15,4 +15,3 @@ describe("zalouser outbound chunker", () => {
    expect(chunks.every((c) => c.length <= limit)).toBe(true);
  });
 });
--- a/scripts/clawlog.sh
+++ b/scripts/clawlog.sh
@ -124,7 +124,7 @@ EOF
 # Function to list categories
 list_categories() {
    echo -e "${BLUE}Fetching VibeTunnel log categories from the last hour...${NC}\n"
-    
+
    # Get unique categories from recent logs
    log show --predicate "subsystem == \"$SUBSYSTEM\"" --last 1h 2>/dev/null | \
        grep -E "category: \"[^\"]+\"" | \
@ -133,7 +133,7 @@ list_categories() {
        while read -r cat; do
            echo "  • $cat"
        done
-    
+
    echo -e "\n${YELLOW}Note: Only categories with recent activity are shown${NC}"
 }
@ -230,29 +230,29 @@ fi
 if [[ "$STREAM_MODE" == true ]]; then
    # Streaming mode
    CMD="sudo log stream --predicate '$PREDICATE' --level $LOG_LEVEL --info"
-    
+
    echo -e "${GREEN}Streaming VibeTunnel logs continuously...${NC}"
    echo -e "${YELLOW}Press Ctrl+C to stop${NC}\n"
 else
    # Show mode
    CMD="sudo log show --predicate '$PREDICATE'"
-    
+
    # Add log level for show command
    if [[ "$LOG_LEVEL" == "debug" ]]; then
        CMD="$CMD --debug"
    else
        CMD="$CMD --info"
    fi
-    
+
    # Add time range
    CMD="$CMD --last $TIME_RANGE"
-    
+
    if [[ "$SHOW_TAIL" == true ]]; then
        echo -e "${GREEN}Showing last $TAIL_LINES log lines from the past $TIME_RANGE${NC}"
    else
        echo -e "${GREEN}Showing all logs from the past $TIME_RANGE${NC}"
    fi
-    
+
    # Show applied filters
    if [[ "$ERRORS_ONLY" == true ]]; then
        echo -e "${RED}Filter: Errors only${NC}"
@ -277,14 +277,14 @@ if [[ -n "$OUTPUT_FILE" ]]; then
    if sudo -n /usr/bin/log show --last 1s 2>&1 | grep -q "password"; then
        handle_sudo_error
    fi
-    
+
    echo -e "${BLUE}Exporting logs to: $OUTPUT_FILE${NC}\n"
    if [[ "$SHOW_TAIL" == true ]] && [[ "$STREAM_MODE" == false ]]; then
        eval "$CMD" 2>&1 | tail -n "$TAIL_LINES" > "$OUTPUT_FILE"
    else
        eval "$CMD" > "$OUTPUT_FILE" 2>&1
    fi
-    
+
    # Check if file was created and has content
    if [[ -s "$OUTPUT_FILE" ]]; then
        LINE_COUNT=$(wc -l < "$OUTPUT_FILE" | tr -d ' ')
@ -298,7 +298,7 @@ else
    if sudo -n /usr/bin/log show --last 1s 2>&1 | grep -q "password"; then
        handle_sudo_error
    fi
-    
+
    if [[ "$SHOW_TAIL" == true ]] && [[ "$STREAM_MODE" == false ]]; then
        # Apply tail for non-streaming mode
        eval "$CMD" 2>&1 | tail -n "$TAIL_LINES"
--- a/scripts/e2e/gateway-network-docker.sh
+++ b/scripts/e2e/gateway-network-docker.sh
@ -102,12 +102,12 @@ ws.send(
 	);
 	const connectRes = await onceFrame((o) => o?.type === \"res\" && o?.id === \"c1\");
 	if (!connectRes.ok) throw new Error(\"connect failed: \" + (connectRes.error?.message ?? \"unknown\"));
-	
+
 	ws.send(JSON.stringify({ type: \"req\", id: \"h1\", method: \"health\" }));
 	const healthRes = await onceFrame((o) => o?.type === \"res\" && o?.id === \"h1\", 10000);
 	if (!healthRes.ok) throw new Error(\"health failed: \" + (healthRes.error?.message ?? \"unknown\"));
 	if (healthRes.payload?.ok !== true) throw new Error(\"unexpected health payload\");
-	
+
 	ws.close();
 	console.log(\"ok\");
 NODE"
--- a/scripts/update-clawtributors.types.ts
+++ b/scripts/update-clawtributors.types.ts
@ -30,4 +30,3 @@ export type Entry = {
  avatar_url: string;
  lines: number;
 };
--- a/skills/local-places/SKILL.md
+++ b/skills/local-places/SKILL.md
@ -84,7 +84,7 @@ curl http://127.0.0.1:8000/places/{place_id}
      "open_now": true
    }
  ],
-  "next_page_token": "..." 
+  "next_page_token": "..."
 }
 ```
--- a/ui/src/main.ts
+++ b/ui/src/main.ts
@ -1,3 +1,2 @@
 import "./styles.css";
 import "./ui/app.ts";
--- a/ui/src/styles/chat/layout.css
+++ b/ui/src/styles/chat/layout.css
@ -279,4 +279,3 @@
    min-width: 120px;
  }
 }
--- a/ui/src/styles/chat/text.css
+++ b/ui/src/styles/chat/text.css
@ -122,4 +122,3 @@
  border-top: 1px solid var(--border);
  margin: 1em 0;
 }
--- a/ui/src/styles/chat/tool-cards.css
+++ b/ui/src/styles/chat/tool-cards.css
@ -196,4 +196,3 @@
    transform: scale(1);
  }
 }
--- a/ui/src/ui/app-events.ts
+++ b/ui/src/ui/app-events.ts
@ -3,4 +3,3 @@ export type EventLogEntry = {
  event: string;
  payload?: unknown;
 };
--- a/ui/src/ui/app-tool-stream.ts
+++ b/ui/src/ui/app-tool-stream.ts
@ -154,13 +154,13 @@ const COMPACTION_TOAST_DURATION_MS = 5000;
 export function handleCompactionEvent(host: CompactionHost, payload: AgentEventPayload) {
  const data = payload.data ?? {};
  const phase = typeof data.phase === "string" ? data.phase : "";
-  
+
  // Clear any existing timer
  if (host.compactionClearTimer != null) {
    window.clearTimeout(host.compactionClearTimer);
    host.compactionClearTimer = null;
  }
-  
+
  if (phase === "start") {
    host.compactionStatus = {
      active: true,
@ -183,13 +183,13 @@ export function handleCompactionEvent(host: CompactionHost, payload: AgentEventP
 export function handleAgentEvent(host: ToolStreamHost, payload?: AgentEventPayload) {
  if (!payload) return;
-  
+
  // Handle compaction events
  if (payload.stream === "compaction") {
    handleCompactionEvent(host as CompactionHost, payload);
    return;
  }
-  
+
  if (payload.stream !== "tool") return;
  const sessionKey =
    typeof payload.sessionKey === "string" ? payload.sessionKey : undefined;
--- a/ui/src/ui/controllers/config/form-utils.ts
+++ b/ui/src/ui/controllers/config/form-utils.ts
@ -74,4 +74,3 @@ export function removePathValue(
    delete (current as Record<string, unknown>)[lastKey];
  }
 }
--- a/ui/src/ui/controllers/debug.ts
+++ b/ui/src/ui/controllers/debug.ts
@ -54,4 +54,3 @@ export async function callDebugMethod(state: DebugState) {
    state.debugCallError = String(err);
  }
 }
--- a/ui/src/ui/controllers/presence.ts
+++ b/ui/src/ui/controllers/presence.ts
@ -33,4 +33,3 @@ export async function loadPresence(state: PresenceState) {
    state.presenceLoading = false;
  }
 }
--- a/ui/src/ui/format.test.ts
+++ b/ui/src/ui/format.test.ts
@ -39,4 +39,3 @@ describe("stripThinkingTags", () => {
    expect(stripThinkingTags("Hello</final>")).toBe("Hello");
  });
 });
--- a/ui/src/ui/markdown.test.ts
+++ b/ui/src/ui/markdown.test.ts
@ -30,4 +30,3 @@ describe("toSanitizedMarkdownHtml", () => {
    expect(html).toContain("console.log(1)");
  });
 });
--- a/ui/src/ui/presenter.ts
+++ b/ui/src/ui/presenter.ts
@ -55,4 +55,3 @@ export function formatCronPayload(job: CronJob) {
  if (p.kind === "systemEvent") return `System: ${p.text}`;
  return `Agent: ${p.message}`;
 }
--- a/ui/src/ui/uuid.test.ts
+++ b/ui/src/ui/uuid.test.ts
@ -30,4 +30,3 @@ describe("generateUUID", () => {
    expect(id).toMatch(/^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/);
  });
 });
--- a/ui/src/ui/uuid.ts
+++ b/ui/src/ui/uuid.ts
@ -40,4 +40,3 @@ export function generateUUID(cryptoLike: CryptoLike | null = globalThis.crypto):
  return uuidFromBytes(weakRandomBytes());
 }
--- a/ui/src/ui/views/channels.shared.ts
+++ b/ui/src/ui/views/channels.shared.ts
@ -43,4 +43,3 @@ export function renderChannelAccountCount(
  if (count < 2) return nothing;
  return html`<div class="account-count">Accounts (${count})</div>`;
 }
--- a/ui/src/ui/views/channels.whatsapp.ts
+++ b/ui/src/ui/views/channels.whatsapp.ts
@ -116,4 +116,3 @@ export function renderWhatsAppCard(params: {
    </div>
  `;
 }
--- a/ui/src/ui/views/chat.ts
+++ b/ui/src/ui/views/chat.ts
@ -70,7 +70,7 @@ const COMPACTION_TOAST_DURATION_MS = 5000;
 function renderCompactionIndicator(status: CompactionIndicatorStatus | null | undefined) {
  if (!status) return nothing;
-  
+
  // Show "compacting..." while active
  if (status.active) {
    return html`
@ -91,7 +91,7 @@ function renderCompactionIndicator(status: CompactionIndicatorStatus | null | un
      `;
    }
  }
-  
+
  return nothing;
 }
--- a/ui/src/ui/views/config-form.node.ts
+++ b/ui/src/ui/views/config-form.node.ts
@ -120,7 +120,7 @@ export function renderNode(params: {
      const hasString = normalizedTypes.has("string");
      const hasNumber = normalizedTypes.has("number");
      const hasBoolean = normalizedTypes.has("boolean");
-      
+
      if (hasBoolean && normalizedTypes.size === 1) {
        return renderNode({
          ...params,
@ -383,14 +383,14 @@ function renderObject(params: {
  const hint = hintForPath(path, hints);
  const label = hint?.label ?? schema.title ?? humanize(String(path.at(-1)));
  const help = hint?.help ?? schema.description;
-  
+
  const fallback = value ?? schema.default;
  const obj = fallback && typeof fallback === "object" && !Array.isArray(fallback)
    ? (fallback as Record<string, unknown>)
    : {};
  const props = schema.properties ?? {};
  const entries = Object.entries(props);
-  
+
  // Sort by hint order
  const sorted = entries.sort((a, b) => {
    const orderA = hintForPath([...path, a[0]], hints)?.order ?? 0;
@ -514,7 +514,7 @@ function renderArray(params: {
        </button>
      </div>
      ${help ? html`<div class="cfg-array__help">${help}</div>` : nothing}
-      
+
      ${arr.length === 0 ? html`
        <div class="cfg-array__empty">
          No items yet. Click "Add" to create one.
@ -597,7 +597,7 @@ function renderMapField(params: {
          Add Entry
        </button>
      </div>
-      
+
      ${entries.length === 0 ? html`
        <div class="cfg-map__empty">No custom entries.</div>
      ` : html`
--- a/ui/src/ui/views/config-form.render.ts
+++ b/ui/src/ui/views/config-form.render.ts
@ -94,16 +94,16 @@ function matchesSearch(key: string, schema: JsonSchema, query: string): boolean
  if (!query) return true;
  const q = query.toLowerCase();
  const meta = SECTION_META[key];
-  
+
  // Check key name
  if (key.toLowerCase().includes(q)) return true;
-  
+
  // Check label and description
  if (meta) {
    if (meta.label.toLowerCase().includes(q)) return true;
    if (meta.description.toLowerCase().includes(q)) return true;
  }
-  
+
  return schemaMatches(schema, q);
 }
@ -192,8 +192,8 @@ export function renderConfigForm(props: ConfigFormProps) {
      <div class="config-empty">
        <div class="config-empty__icon">${icons.search}</div>
        <div class="config-empty__text">
-          ${searchQuery 
+          ${searchQuery
-            ? `No settings match "${searchQuery}"` 
+            ? `No settings match "${searchQuery}"`
            : "No settings in this section"}
        </div>
      </div>
--- a/ui/src/ui/views/config-form.shared.ts
+++ b/ui/src/ui/views/config-form.shared.ts
@ -89,4 +89,3 @@ export function isSensitivePath(path: Array<string | number>): boolean {
    key.endsWith("key")
  );
 }
--- a/ui/src/ui/views/config-form.ts
+++ b/ui/src/ui/views/config-form.ts
@ -5,4 +5,3 @@ export {
 } from "./config-form.analyze";
 export { renderNode } from "./config-form.node";
 export { schemaType, type JsonSchema } from "./config-form.shared";
--- a/ui/src/ui/views/config.ts
+++ b/ui/src/ui/views/config.ts
@ -138,7 +138,7 @@ function computeDiff(
 ): Array<{ path: string; from: unknown; to: unknown }> {
  if (!original || !current) return [];
  const changes: Array<{ path: string; from: unknown; to: unknown }> = [];
-  
+
  function compare(orig: unknown, curr: unknown, path: string) {
    if (orig === curr) return;
    if (typeof orig !== typeof curr) {
@ -164,7 +164,7 @@ function computeDiff(
      compare(origObj[key], currObj[key], path ? `${path}.${key}` : key);
    }
  }
-  
+
  compare(original, current, "");
  return changes;
 }
@ -258,7 +258,7 @@ export function renderConfig(props: ConfigProps) {
          <div class="config-sidebar__title">Settings</div>
          <span class="pill pill--sm ${validity === "valid" ? "pill--ok" : validity === "invalid" ? "pill--danger" : ""}">${validity}</span>
        </div>
-        
+
        <!-- Search -->
        <div class="config-search">
          <svg class="config-search__icon" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
@ -273,13 +273,13 @@ export function renderConfig(props: ConfigProps) {
            @input=${(e: Event) => props.onSearchChange((e.target as HTMLInputElement).value)}
          />
          ${props.searchQuery ? html`
-            <button 
+            <button
              class="config-search__clear"
              @click=${() => props.onSearchChange("")}
            >×</button>
          ` : nothing}
        </div>
-        
+
        <!-- Section nav -->
        <nav class="config-nav">
          <button
@ -299,7 +299,7 @@ export function renderConfig(props: ConfigProps) {
            </button>
          `)}
        </nav>
-        
+
        <!-- Mode toggle at bottom -->
        <div class="config-sidebar__footer">
          <div class="config-mode-toggle">
@ -319,7 +319,7 @@ export function renderConfig(props: ConfigProps) {
          </div>
        </div>
      </aside>
-      
+
      <!-- Main content -->
      <main class="config-main">
        <!-- Action bar -->
@ -358,7 +358,7 @@ export function renderConfig(props: ConfigProps) {
            </button>
          </div>
        </div>
-        
+
        <!-- Diff panel (form mode only - raw mode doesn't have granular diff) -->
        ${hasChanges && props.formMode === "form" ? html`
          <details class="config-diff">
--- a/zizmor.yml
+++ b/zizmor.yml
@ -0,0 +1,17 @@
 # zizmor configuration
 # https://docs.zizmor.sh/configuration/
 rules:
  # Disable unpinned-uses - pinning to SHA hashes is a significant change
  # that should be done deliberately, not enforced by pre-commit
  unpinned-uses:
    disable: true
  # Disable excessive-permissions for now - adding explicit permissions
  # blocks requires careful review of each workflow's needs
  excessive-permissions:
    disable: true
  # Disable artipacked (persist-credentials) - low confidence finding
  artipacked:
    disable: true
`@ -12,4 +12,3 @@ If you believe you’ve found a security issue in Clawdbot, please report it pri`
	For threat model + hardening guidance (including `clawdbot security audit --deep` and `--fix`), see:	For threat model + hardening guidance (including `clawdbot security audit --deep` and `--fix`), see:

	- `https://docs.clawd.bot/gateway/security`	- `https://docs.clawd.bot/gateway/security`
`@ -16,4 +16,3 @@ dependencyResolutionManagement {`

	`rootProject.name = "ClawdbotNodeAndroid"`	`rootProject.name = "ClawdbotNodeAndroid"`
	`include(":app")`	`include(":app")`
`@ -175,4 +175,3 @@ export function processEvent(ctx: CallManagerContext, event: NormalizedEvent): v`

	`persistCallRecord(ctx.storePath, call);`	`persistCallRecord(ctx.storePath, call);`
	`}`	`}`
`@ -86,4 +86,3 @@ export async function getCallHistoryFromStore(`

	`return calls;`	`return calls;`
	`}`	`}`
`@ -1,3 +1,2 @@`
	`import "./styles.css";`	`import "./styles.css";`
	`import "./ui/app.ts";`	`import "./ui/app.ts";`
`@ -40,4 +40,3 @@ export function generateUUID(cryptoLike: CryptoLike \| null = globalThis.crypto):`

	`return uuidFromBytes(weakRandomBytes());`	`return uuidFromBytes(weakRandomBytes());`
	`}`	`}`