OpenClaw installer bundle v10

Environments
- prod
- staging

Files
- install-openclaw.ps1
- control-openclaw.ps1
- uninstall-openclaw.ps1
- install-openclaw.sh
- control-openclaw.sh
- uninstall-openclaw.sh
- publish-r2.sh

What changed from v8
- The installer no longer depends on `openclaw onboard`; it uses `openclaw setup --workspace ...` plus `openclaw config set --batch-file ...` for provider config
- The installer prewarms `document-extract` / `pdfjs-dist` before first normal runtime use
- Dashboard handoff now waits for `openclaw dashboard --no-open` and opens the tokenized URL directly instead of opening a bare dashboard page
- The shell and PowerShell control scripts use the same ready-first / tokenized-URL-first dashboard flow
- The installer now applies a post-install Control UI hotfix for stale `device_token_mismatch` recovery in the shipped `index-*.js` bundle

Normal install flow
1. Download the three scripts into one folder
2. Run .\install-openclaw.ps1
3. The script installs Node and OpenClaw from the built-in OSS URLs
4. The script initializes the workspace with `openclaw setup --workspace ...`
5. The script asks whether to configure a model provider
6. If the user answers Y:
   - enter provider base URL
   - enter provider API key
7. The installer tries to fetch the model list from <baseUrl>/models
8. If a suitable model is found, it is used automatically
9. If auto-detect fails, the script asks for a manual model ID or skips provider config
10. The script writes provider config with `openclaw config set --batch-file ...`
11. The script asks whether to configure a Feishu bot
12. If the user answers Y:
   - enter Feishu App ID
   - enter Feishu App Secret
13. The script writes Feishu channel config in `websocket` mode, opens DM access, and disables group triggers by default
14. The script applies a post-install Control UI hotfix for stale `device_token_mismatch` recovery
15. The script prewarms `document-extract` / `pdfjs-dist`
16. The script sets gateway.mode=local
17. The script installs Gateway auto-start
18. The script starts Gateway immediately
19. The script waits for `openclaw dashboard --no-open` and opens the tokenized dashboard URL

Install examples
powershell -ExecutionPolicy Bypass -File .\install-openclaw.ps1
powershell -ExecutionPolicy Bypass -File .\install-openclaw.ps1 -Proxy http://127.0.0.1:7890
powershell -ExecutionPolicy Bypass -File .\install-openclaw.ps1 -NodeMsiUrl https://your-cdn.example.com/node-v22-lts-x64.msi -OpenClawPackageUrl https://your-cdn.example.com/openclaw-latest.tgz
powershell -ExecutionPolicy Bypass -File .\install-openclaw.ps1 -FeishuAppId cli_xxx -FeishuAppSecret secret_xxx -SkipFeishuPrompt

Feishu bot creation checklist
1. Log in to the Feishu / Lark developer console and create a self-built app for your tenant.
2. Add the bot capability to the app.
3. In the app's basic credentials page, copy the App ID and App Secret.
4. In permissions / scopes, grant the bot the message permissions needed for DM receive/reply. Exact permission names can vary by console version, but the bot must be allowed to receive user messages and send replies.
5. Complete tenant installation / publish so the bot is available inside your organization.
6. Run the installer with the App ID and App Secret, or enter them when prompted.
7. After install, start a direct message with the bot in Feishu.

Notes for this installer:
- The current installer configures Feishu in `websocket` mode, so it does not require Feishu webhook Verification Token or Encrypt Key.
- The default policy opens direct messages (`dmPolicy=open`) but keeps group triggers disabled (`groupPolicy=disabled`).
- If you later want group chat triggers, update the OpenClaw config after install instead of changing the installer defaults.

Published script URLs
Windows x64
https://pub-644ad95b9d504aa8a79aeb428f44c923.r2.dev/prod/windows/x64/scripts/latest/install-openclaw.ps1
https://pub-644ad95b9d504aa8a79aeb428f44c923.r2.dev/prod/windows/x64/scripts/latest/control-openclaw.ps1
https://pub-644ad95b9d504aa8a79aeb428f44c923.r2.dev/prod/windows/x64/scripts/latest/uninstall-openclaw.ps1

macOS arm64
https://pub-644ad95b9d504aa8a79aeb428f44c923.r2.dev/prod/macos/arm64/scripts/latest/install-openclaw.sh
https://pub-644ad95b9d504aa8a79aeb428f44c923.r2.dev/prod/macos/arm64/scripts/latest/control-openclaw.sh
https://pub-644ad95b9d504aa8a79aeb428f44c923.r2.dev/prod/macos/arm64/scripts/latest/uninstall-openclaw.sh

macOS x64
https://pub-644ad95b9d504aa8a79aeb428f44c923.r2.dev/prod/macos/x64/scripts/latest/install-openclaw.sh
https://pub-644ad95b9d504aa8a79aeb428f44c923.r2.dev/prod/macos/x64/scripts/latest/control-openclaw.sh
https://pub-644ad95b9d504aa8a79aeb428f44c923.r2.dev/prod/macos/x64/scripts/latest/uninstall-openclaw.sh

Linux x64
https://pub-644ad95b9d504aa8a79aeb428f44c923.r2.dev/prod/linux/x64/scripts/latest/install-openclaw.sh
https://pub-644ad95b9d504aa8a79aeb428f44c923.r2.dev/prod/linux/x64/scripts/latest/control-openclaw.sh
https://pub-644ad95b9d504aa8a79aeb428f44c923.r2.dev/prod/linux/x64/scripts/latest/uninstall-openclaw.sh

Linux arm64
https://pub-644ad95b9d504aa8a79aeb428f44c923.r2.dev/prod/linux/arm64/scripts/latest/install-openclaw.sh
https://pub-644ad95b9d504aa8a79aeb428f44c923.r2.dev/prod/linux/arm64/scripts/latest/control-openclaw.sh
https://pub-644ad95b9d504aa8a79aeb428f44c923.r2.dev/prod/linux/arm64/scripts/latest/uninstall-openclaw.sh

Published runtime URLs
Windows x64
https://pub-644ad95b9d504aa8a79aeb428f44c923.r2.dev/prod/windows/x64/runtime/node/node-lts-x64.msi
https://pub-644ad95b9d504aa8a79aeb428f44c923.r2.dev/prod/windows/x64/runtime/openclaw/openclaw-latest.tgz

macOS arm64
https://pub-644ad95b9d504aa8a79aeb428f44c923.r2.dev/prod/macos/arm64/runtime/node/node-lts-arm64.tar.gz
https://pub-644ad95b9d504aa8a79aeb428f44c923.r2.dev/prod/macos/arm64/runtime/openclaw/openclaw-latest.tgz

macOS x64
https://pub-644ad95b9d504aa8a79aeb428f44c923.r2.dev/prod/macos/x64/runtime/node/node-lts-x64.tar.gz
https://pub-644ad95b9d504aa8a79aeb428f44c923.r2.dev/prod/macos/x64/runtime/openclaw/openclaw-latest.tgz

Linux x64
https://pub-644ad95b9d504aa8a79aeb428f44c923.r2.dev/prod/linux/x64/runtime/node/node-lts-x64.tar.xz
https://pub-644ad95b9d504aa8a79aeb428f44c923.r2.dev/prod/linux/x64/runtime/openclaw/openclaw-latest.tgz

Linux arm64
https://pub-644ad95b9d504aa8a79aeb428f44c923.r2.dev/prod/linux/arm64/runtime/node/node-lts-arm64.tar.xz
https://pub-644ad95b9d504aa8a79aeb428f44c923.r2.dev/prod/linux/arm64/runtime/openclaw/openclaw-latest.tgz

Control examples
powershell -ExecutionPolicy Bypass -File .\control-openclaw.ps1 -Action status
powershell -ExecutionPolicy Bypass -File .\control-openclaw.ps1 -Action start
powershell -ExecutionPolicy Bypass -File .\control-openclaw.ps1 -Action stop
powershell -ExecutionPolicy Bypass -File .\control-openclaw.ps1 -Action restart
powershell -ExecutionPolicy Bypass -File .\control-openclaw.ps1 -Action dashboard
openclaw dashboard --no-open

Shell install examples
bash ./install-openclaw.sh
bash ./install-openclaw.sh --proxy http://127.0.0.1:7890
bash ./install-openclaw.sh --provider-base-url https://your-provider.example.com/v1 --provider-api-key sk-xxx
bash ./install-openclaw.sh --feishu-app-id cli_xxx --feishu-app-secret secret_xxx --skip-feishu-prompt
bash ./control-openclaw.sh --action status
bash ./uninstall-openclaw.sh

Uninstall
powershell -ExecutionPolicy Bypass -File .\uninstall-openclaw.ps1

Publish updated scripts to R2
bash ./publish-r2.sh
bash ./publish-r2.sh --env staging
bash ./publish-r2.sh --platform macos --arch arm64 install-openclaw.sh control-openclaw.sh uninstall-openclaw.sh
bash ./publish-r2.sh --platform macos --arch x64 install-openclaw.sh control-openclaw.sh uninstall-openclaw.sh
bash ./publish-r2.sh --platform linux --arch x64 install-openclaw.sh control-openclaw.sh uninstall-openclaw.sh
bash ./publish-r2.sh --platform linux --arch arm64 install-openclaw.sh control-openclaw.sh uninstall-openclaw.sh
bash ./publish-r2.sh --release 2026.04.29 install-openclaw.ps1 control-openclaw.ps1

Notes
- Windows and shell installers both try provider model auto-detect by calling `<baseUrl>/models`
- Provider setup is now openai-compatible only
- Auto-detect uses `Authorization: Bearer <key>`
- Feishu installer setup writes `channels.feishu` in `websocket` mode, sets `dmPolicy=open`, sets `allowFrom=["*"]`, and keeps `groupPolicy=disabled` by default so end users can DM the bot immediately without exposing group chats
- For China network conditions, using your own OSS URLs remains the most reliable setup
- Keep only two environments: `prod` for real downloads and `staging` for pre-release verification
- In the common case, users only need the three scripts for their platform; each install script already knows the default structured runtime URLs
- `install-openclaw.sh` currently targets `prod/macos/arm64`, `prod/macos/x64`, `prod/linux/x64`, and `prod/linux/arm64`
- `publish-r2.sh` uploads installer scripts to `<env>/<platform>/<arch>/scripts/latest/` and `<env>/<platform>/<arch>/scripts/<release>/`
- `publish-r2.sh` also uploads `<env>/<platform>/<arch>/manifest.json`
- `publish-r2.sh` now defaults to bucket `openclaw`, public base URL `https://pub-644ad95b9d504aa8a79aeb428f44c923.r2.dev`, env `prod`, platform `windows`, arch `x64`
- Windows install defaults to `prod/windows/x64/runtime/*`; shell install defaults to `prod/macos/arm64/runtime/*` or `prod/linux/x64/runtime/*` based on the detected host
- You can still override `--bucket`, `--public-base-url`, `--env`, `--platform`, `--arch`, `--release`, `--runtime-root`, and the matching `R2_*` env vars when needed
- Control UI access should use the tokenized URL printed by `openclaw dashboard --no-open`, not a bare `http://127.0.0.1:18789` URL
- The post-install Control UI hotfix is intentionally a bundle patch against installed `index-*.js` assets because the stale state lives in browser-side auth/cache behavior rather than OpenClaw config files