docs: sync with goclaw v3 major release (EN+VI+ZH) (#51)

* docs: sync with goclaw v3 major release (EN+VI+ZH)

Sync with goclaw source range 0e2282be..050aafc9 — v3 core architecture
redesign. 922 source files changed, affecting nearly every subsystem.

Major additions
- NEW advanced/knowledge-vault.md (EN+VI+ZH) + DOC_MAP triple-sync
  (README.md, js/docs-app.js, index.html sidebar)
- 8-stage agent pipeline replaces legacy think->act->observe across
  core-concepts/{how-goclaw-works,agents-explained}
- 3-tier memory architecture (L0/L1/L2) + consolidation workers
  (episodic, semantic, dedup, dreaming, l0_abstract), auto_injector,
  trivial_filter in core-concepts/memory-system.md
- v3 multi-tenant architecture with per-edition rate limits
  (MaxSubagentConcurrent, MaxSubagentDepth) in core-concepts/multi-tenancy.md
- Mode Prompt System + PromptMode + OrchestrationMode in
  advanced/model-steering.md and agents/system-prompt-anatomy.md
- Agent evolution: guardrails, suggestion engine, skill draft/apply,
  evolution cron, CAPABILITIES.md editable in advanced/agent-evolution.md
- Parallel sub-agent enhancement (#600): BatchQueue[T], WaitAll, auto-retry,
  producer-consumer announce queue, subagent_tasks persistence in
  agent-teams/delegation-and-handoff.md
- Domain Event Bus + event types catalog in agent-teams/team-messaging.md
- Provider Adapter System + credential resolver + SSE scanner in
  providers/overview.md
- v3 REST endpoint families (vault, episodic, memory, evolution,
  orchestration, v3-flags, packages, summoner, traces, backup, tenant-backup)
  in reference/rest-api.md
- Session IDOR fix (requireSessionOwner) in reference/websocket-protocol.md
- Migrations 37-44 schema additions (memory_evolution, vault_documents,
  vault_links, episodic_summaries + search index + promoted, vault_tsv_summary,
  vault_team_custom_scope, seed agents_core/task) in
  reference/database-schema.md, deployment/database-setup.md,
  deployment/upgrading.md, troubleshooting/database.md
- Traces UI (timestamps, copy, syntax highlight, gzip export) +
  OpenTelemetry notes in deployment/observability.md
- Docker privilege separation, pkg-helper, pairing auth hardening in
  deployment/security-hardening.md
- cmd/ gateway decomposition + new backup/restore/tenant commands in
  reference/cli-commands.md
- Bootstrap templates (SOUL, CAPABILITIES, AGENTS_CORE, AGENTS_TASK,
  BOOTSTRAP_PREDEFINED) in agents/{creating-agents,summoning-bootstrap}

All modified pages carry updated footer:
  goclaw-source: 050aafc9 | updated: 2026-04-09

Audit report: plans/reports/docs-audit-260409-2332-v3-major-release.md

* docs: refresh README structure tree counts

- providers 23 -> 24, channels 11 -> 12, agent-teams 5 -> 6,
  advanced 21 -> 24 (matches current filesystem)
- add zh/ mirror line alongside vi/
- drop stale '~96 pages' suffix on vi/

* docs: fix broken v3 system links on how-goclaw-works

- /mode-prompt-system -> /model-steering (Mode Prompt System content
  lives in advanced/model-steering.md)
- /multi-tenant -> /multi-tenancy (DOC_MAP key is multi-tenancy)

Applies to EN, VI, ZH.

* docs(what-is-goclaw): refresh for v3 + expand audit mapping.json

what-is-goclaw (EN+VI+ZH):
- replace think->act->observe with 8-stage pipeline
- add Knowledge Vault, 3-Tier Memory, Agent Evolution, Mode Prompt System,
  Multi-Tenant v3 to Key Features table
- update How It Works mermaid + narrative with pipeline + workers
- PostgreSQL OR SQLite operating mode note
- footer SHA 050aafc9 | 2026-04-09

audit mapping.json (46 -> 114 rules):
- NEW patterns: internal/{vault,consolidation,eventbus,orchestration,
  pipeline,backup,tokencount,workspace}/*, pkg/{browser,protocol}/*
- Split internal/agent/* into targeted sub-patterns (evolution, suggestion,
  orchestration_mode, systemprompt, prompt_builder, preview_prompt,
  user_identity, loop_pipeline)
- Split internal/http/* into feature-specific patterns (vault, memory,
  episodic, evolution, orchestration, summoner, traces, packages, backup,
  tenant_backup, knowledge_graph, skills_grants)
- Split cmd/* into targeted patterns (onboard, tui, backup, restore,
  tenant, setup, gateway_evolution)
- Add troubleshooting/* page links to corresponding internal/* patterns
- NEW top-level patterns: Dockerfile, docker-compose*.yaml, Makefile,
  scripts/install*, scripts/setup*, .github/workflows/release*
- NEW: docs/* source-of-truth patterns for v3 docs (00-arch, 17-changelog,
  21-evolution, 22-v3-http, 23-multi-tenant, 24-vault, model-steering)
- Document unmapped pages (recipes, showcases, pure guides)

* docs: sync remaining stale pages for v3 release (EN+VI+ZH)

Wave 2 of v3 docs sync — 104 files, +1796/-142.

agents/* (5 pages × EN+VI+ZH):
- context-files: CAPABILITIES.md, AGENTS_CORE/TASK, BOOTSTRAP_PREDEFINED
- editing-personality: self-evolve allows CAPABILITIES.md
- open-vs-predefined: capabilities backfill
- sharing-and-access: permission cache
- user-overrides: user_identity_resolver

core-concepts + agent-teams (3 pages × EN+VI+ZH):
- sessions-and-history: v3 pipeline stage references
- tools-overview: vault_link, vault_backlinks tools
- what-are-teams: orchestration redesign, event bus

advanced/* (6 pages × EN+VI+ZH):
- usage-quota: MaxSubagentConcurrent/Depth edition limits
- cost-tracking: per-subagent token tracking
- extended-thinking: Qwen 3.5, DashScope guard
- custom-tools: vault tools (vault_link, vault_backlinks)
- caching: permission cache
- channel-instances: health states

getting-started/* (4 pages × EN+VI+ZH):
- quick-start: new TUI onboard flow
- installation: Docker pkg-helper, privilege separation
- configuration: v3 config keys (vault, evolution, edition)
- web-dashboard-tour: vault page, packages page, v3 flags

troubleshooting/* (6 pages × EN+VI+ZH):
- agent-teams: WaitAll, BatchQueue, edition rate limits
- websocket: session IDOR / requireSessionOwner
- providers: SSEScanner, credential resolver
- channels: WhatsApp native, health states
- mcp: footer only
- channels/whatsapp.md: footer only

medium-priority (11 pages × EN+VI+ZH):
- telegram: /subagents commands
- browser-pairing: auth hardening
- authentication: OAuth provider routing
- scheduling-cron: evolution cron
- anthropic: prompt caching fix, model aliases
- dashscope: Qwen 3.5, per-model thinking
- acp: session tracking
- config-reference: v3 config keys
- environment-variables: runtime package env vars
- docker-compose: pkg-helper, privilege separation
- production-checklist: v3 upgrade items

All footers: goclaw-source: 050aafc9 | updated: 2026-04-09

* docs: bump remaining 169 stale footers to 050aafc9 (Wave 3)

All remaining LOW-priority pages (channels, advanced, providers,
recipes, reference/templates, showcases, troubleshooting, deployment,
getting-started) now point to goclaw HEAD 050aafc9.

Source audit confirmed these pages only need footer bumps — all v3
changes in the corresponding source code (channel handler splits,
heartbeat ticker refactor, provider file decomposition) are internal
refactors with no user-facing documentation impact.

Coverage: 56 EN × 3 langs = 169 files (EN + VI + ZH)
Includes reusable scripts/bump-footers.py for future sync.

* docs: sync with goclaw v3.2.0 — Pancake channel, schema v47, API endpoints

- Add channels/pancake.md: new multi-platform proxy channel (FB, Zalo, IG,
  TikTok, WA, Line) with full setup, config, webhook, dedup docs
- Bump database schema v44→v47: episodic recall scoring, vault nullable
  agent_id, cron_jobs unique constraint
- Add 19 undocumented REST endpoints: vault CRUD, upload, rescan, search,
  enrichment status, system restore, agent prompt preview
- Add whatsapp.qr.start method + events to WebSocket protocol
- Remove stale GET /agents/{id}/instances/{userID}/files/{fileName}
- Update mapping.json with pancake source rule
- Triple sync: README.md + docs-app.js + index.html

* docs: regenerate llms files with Pancake channel

- Add Pancake entry to EN/VI/ZH llms.txt
- Rebuild llms-full.txt (now 114 files)

* docs: fix 18 broken internal links + bump goclaw-source footers to 1296cdbf

Broken link fixes (EN/VI/ZH):
- predefined-agents.md → agents-explained.md
- skill-publishing.md → skills.md
- api-keys.md → advanced/api-keys-rbac.md
- agent-teams/overview.md → what-are-teams.md
- delegation.md → ../agent-teams/delegation-and-handoff.md
- knowledge-vault → knowledge-vault.md (missing .md extension)
- knowledge-graph → knowledge-graph.md (missing .md extension)
- CONTRIBUTING.md link.md placeholders → real paths

Bump goclaw-source footers to 1296cdbf | 2026-04-11 for all modified files

Remove deprecated scripts/bump-footers.py and scripts/bump-footers.sh

* fix(js): resolve relative markdown links to DOC_MAP hash keys

Previous regex only stripped one level of ../, causing links like
../core-concepts/agents-explained.md to remain as raw .md paths
and render markdown source instead of SPA navigation.

New logic: strip all ../  ./ prefixes, match bare filename against
DOC_MAP[k].file.en.endsWith(), produce /hashKey routes.

* docs(templates): sync with goclaw source — add CAPABILITIES.md, fix AGENTS.md/TOOLS.md

- Add reference/templates/capabilities.md — core context file referenced
  from SOUL.md, seeded to all workspaces, loaded in all session modes
- Fix AGENTS.md doc template to match source:
  - Add "Match their language" rule (was missing)
  - Fix Memory section to match source ("Your tools handle recall")
  - Add "Participate, don't dominate" line in Group Chats
  - Add "Adding a message would interrupt the vibe" NO_REPLY trigger
  - Match compact cron example format from source
- Fix TOOLS.md doc template to include "Media Files" section from source
- Triple sync: README.md + docs-app.js + index.html sidebar for capabilities
- Update llms.txt (EN/VI/ZH) with CAPABILITIES.md entry
- Bump footer SHA to 1296cdbf

Author: thieung

.claude/skills/goclaw-docs-audit/mapping.json

@@ -33,8 +33,8 @@ Core material with examples, diagrams, and code blocks.
 
 ## What's Next
 
-- [Next logical page](link.md)
-- [Related topic](link.md)
+- [Getting Started](getting-started/quick-start.md)
+- [Related topic](core-concepts/how-goclaw-works.md)
 ```
 
 ### Tone

CONTRIBUTING.md

@@ -70,6 +70,7 @@
 - [Zalo Personal](channels/zalo-personal.md)
 - [Slack](channels/slack.md)
 - [WhatsApp](channels/whatsapp.md)
+- [Pancake](channels/pancake.md)
 - [WebSocket](channels/websocket.md)
 - [Browser Pairing](channels/browser-pairing.md)
 
@@ -92,6 +93,7 @@
 - [Media Generation](advanced/media-generation.md)
 - [TTS & Voice](advanced/tts-voice.md)
 - [Knowledge Graph](advanced/knowledge-graph.md)
+- [Knowledge Vault](advanced/knowledge-vault.md)
 - [Caching](advanced/caching.md)
 - [Browser Automation](advanced/browser-automation.md)
 - [Extended Thinking](advanced/extended-thinking.md)
@@ -142,6 +144,7 @@
   - [AGENTS.md](reference/templates/agents.md)
   - [SOUL.md](reference/templates/soul.md)
   - [IDENTITY.md](reference/templates/identity.md)
+  - [CAPABILITIES.md](reference/templates/capabilities.md)
   - [TOOLS.md](reference/templates/tools.md)
   - [USER.md](reference/templates/user.md)
   - [USER_PREDEFINED.md](reference/templates/user-predefined.md)
@@ -173,16 +176,17 @@ See [CONTRIBUTING.md](CONTRIBUTING.md) for writing guidelines and bilingual proc
 ├── getting-started/        # Onboarding (6 pages)
 ├── core-concepts/          # Architecture & concepts (6 pages)
 ├── agents/                 # Agent configuration (8 pages)
-├── providers/              # LLM provider guides (23 pages)
-├── channels/               # Messaging channel setup (11 pages)
-├── agent-teams/            # Team collaboration (5 pages)
-├── advanced/               # Power-user features (21 pages)
+├── providers/              # LLM provider guides (24 pages)
+├── channels/               # Messaging channel setup (13 pages)
+├── agent-teams/            # Team collaboration (6 pages)
+├── advanced/               # Power-user features (24 pages)
 ├── deployment/             # Deploy & operate (7 pages)
 ├── recipes/                # Step-by-step tutorials (5 pages)
 ├── showcases/              # Gallery & examples (1 page)
-├── reference/              # API, CLI & config reference (15 pages)
+├── reference/              # API, CLI & config reference (16 pages)
 ├── troubleshooting/        # Debug & FAQ (7 pages)
-├── vi/                     # Vietnamese mirror (~96 pages)
+├── vi/                     # Vietnamese mirror
+├── zh/                     # Chinese mirror
 ├── archive/                # Old technical docs (DO NOT reference)
 └── images/dashboard/       # Dashboard screenshots
 ```

README.md

@@ -8,19 +8,24 @@ GoClaw includes three subsystems that allow predefined agents to evolve their be
 
 | Subsystem | What it does | Config key |
 |---|---|---|
-| Self-Evolution | Agent refines its own tone and voice via SOUL.md | `self_evolve` |
+| Self-Evolution | Agent refines its own tone/voice (SOUL.md) and domain expertise (CAPABILITIES.md) | `self_evolve` |
 | Skill Learning Loop | Agent captures reusable workflows as skills | `skill_evolve` |
 | Skill Management | Create, patch, delete, and grant skills | `skill_manage` tool |
 
 Both `self_evolve` and `skill_evolve` are disabled by default. Enable them per-agent in **Agent Settings → Config tab**.
 
 ---
 
-## Self-Evolution (SOUL.md)
+## Self-Evolution (SOUL.md + CAPABILITIES.md)
 
 ### What it does
 
-When `self_evolve` is enabled, an agent can update its own `SOUL.md` file during conversation to refine how it communicates. There is no dedicated tool for this — the agent uses the standard `write_file` tool. A context file interceptor ensures only `SOUL.md` is writable; `IDENTITY.md` and `AGENTS.md` remain locked regardless.
+When `self_evolve` is enabled, an agent can update two of its own context files during conversation:
+
+- **`SOUL.md`** — to refine communication style (tone, voice, vocabulary, response style)
+- **`CAPABILITIES.md`** — to refine domain expertise, technical skills, and specialized knowledge
+
+There is no dedicated tool for this — the agent uses the standard `write_file` tool. A context file interceptor ensures only `SOUL.md` and `CAPABILITIES.md` are writable; `IDENTITY.md` and `AGENTS.md` remain locked regardless.
 
 Changes happen incrementally. The agent is guided to update only when it notices clear patterns in user feedback — not on every turn.
 
@@ -39,30 +44,20 @@ When `self_evolve=true`, GoClaw injects this guidance into the system prompt (~9
 ```
 ## Self-Evolution
 
-You have self-evolution enabled. You may update your SOUL.md file to
-refine your communication style over time.
-
-What you CAN evolve in SOUL.md:
-- Tone, voice, and manner of speaking
-- Response style and formatting preferences
-- Vocabulary and phrasing patterns
-- Interaction patterns based on user feedback
-
-What you MUST NOT change:
-- Your name, identity, or contact information
-- Your core purpose or role
-- Any content in IDENTITY.md or AGENTS.md (these remain locked)
-
-Make changes incrementally. Only update SOUL.md when you notice clear
-patterns in user feedback or interaction style preferences.
+You may update SOUL.md to refine communication style (tone, voice, vocabulary, response style).
+You may update CAPABILITIES.md to refine domain expertise, technical skills, and specialized knowledge.
+MUST NOT change: name, identity, contact info, core purpose, IDENTITY.md, or AGENTS.md.
+Make changes incrementally based on clear user feedback patterns.
 ```
 
+> Source: `buildSelfEvolveSection()` in `internal/agent/systemprompt.go`.
+
 ### Security
 
 | Layer | What it enforces |
 |---|---|
 | System prompt guidance | CAN/MUST NOT rules limit scope |
-| Context file interceptor | Validates that only SOUL.md is written |
+| Context file interceptor | Validates that only SOUL.md or CAPABILITIES.md is written |
 | File locking | IDENTITY.md and AGENTS.md are always read-only |
 
 ---
@@ -332,6 +327,89 @@ Maximum overhead per run with both features enabled: ~305 tokens for skill learn
 
 ---
 
+## v3: Evolution Metrics and Suggestion Engine
+
+v3 adds automated, metrics-driven evolution for predefined agents. This operates separately from the manual skill learning loop above.
+
+### How It Works
+
+```
+Metrics collected during agent runs (7-day rolling window)
+    ↓
+SuggestionEngine.Analyze() — runs daily via cron
+    ├─ LowRetrievalUsageRule  (avg recall < threshold)
+    ├─ ToolFailureRule         (single tool failure rate > 20%)
+    └─ RepeatedToolRule        (tool called 5+ consecutive times)
+    ↓
+Suggestion created with status "pending"
+    ↓
+Admin reviews → approve / reject / rollback
+```
+
+### Metric Types
+
+| Type | What is tracked | Examples |
+|------|----------------|---------|
+| `tool` | Per-tool performance | invocation_count, success_rate, failure_count, avg_duration_ms |
+| `retrieval` | Knowledge retrieval quality | recall_rate, precision, relevance_score |
+| `feedback` | User satisfaction signals | rating, sentiment, effectiveness_score |
+
+Metrics aggregate over 7-day rolling windows. At least 100 data points are required before a suggestion can be auto-applied (configurable via `min_data_points` guardrail).
+
+### Suggestion Types
+
+| Type | Trigger | Recommendation |
+|------|---------|----------------|
+| `low_retrieval_usage` | Avg recall below threshold for 7 days | Lower `retrieval_threshold` by ≤ 0.1 |
+| `tool_failure` | Single tool failure rate > 20% | Review tool config or add fallback |
+| `repeated_tool` | Same tool called 5+ consecutive times | Extract workflow as a skill |
+
+Only one pending suggestion of each type per agent exists at a time (duplicate prevention).
+
+### Auto-Adapt Guardrails
+
+Suggestions can be auto-applied when approved. Guardrails prevent runaway parameter changes:
+
+| Guardrail | Default | Purpose |
+|-----------|---------|---------|
+| `max_delta_per_cycle` | 0.1 | Max parameter change per apply cycle |
+| `min_data_points` | 100 | Minimum metrics required before applying |
+| `rollback_on_drop_pct` | 20.0 | Auto-rollback if quality drops >20% after apply |
+| `locked_params` | `[]` | Parameters that cannot be auto-changed |
+
+Baseline parameter values are stored in the suggestion's `parameters._baseline` field for rollback.
+
+### Evolution Cron
+
+Analysis runs on a configurable schedule (default: daily at 02:00). Set via `evolution_cron_schedule` in agent config:
+
+```json
+{
+  "evolution_enabled": true,
+  "evolution_cron_schedule": "every day at 02:00",
+  "evolution_guardrails": {
+    "max_delta_per_cycle": 0.1,
+    "min_data_points": 100,
+    "rollback_on_drop_pct": 20.0,
+    "locked_params": []
+  }
+}
+```
+
+Set `evolution_enabled: false` to disable all metrics collection for an agent.
+
+### HTTP API
+
+| Method | Path | Description |
+|--------|------|-------------|
+| `GET` | `/v1/agents/{id}/evolution/metrics` | Query/aggregate metrics |
+| `GET` | `/v1/agents/{id}/evolution/suggestions` | List suggestions |
+| `PATCH` | `/v1/agents/{id}/evolution/suggestions/{sid}` | Approve / reject / rollback |
+
+WebSocket equivalents: `agent.evolution.metrics`, `agent.evolution.suggestions`, `agent.evolution.apply`, `agent.evolution.rollback`.
+
+---
+
 ## Common Issues
 
 | Issue | Cause | Fix |
@@ -348,7 +426,6 @@ Maximum overhead per run with both features enabled: ~305 tokens for skill learn
 ## What's Next
 
 - [Skills](./skills.md) — skill format, hierarchy, and hot reload
-- [Predefined Agents](../core-concepts/predefined-agents.md) — how predefined agents differ from open agents
-- [publish_skill](./skill-publishing.md) — directory-based skill publishing
+- [Predefined Agents](../core-concepts/agents-explained.md) — how predefined agents differ from open agents
 
-<!-- goclaw-source: b9d8754 | updated: 2026-03-23 -->
+<!-- goclaw-source: 1296cdbf | updated: 2026-04-11 -->

advanced/agent-evolution.md

@@ -259,4 +259,4 @@ When a key is created or revoked, a `cache.invalidate` event is broadcast on the
 - [Security Hardening](/deploy-security) — full 5-layer permission overview
 - [CLI Credentials](./cli-credentials.md) — SecureCLI: inject credentials into CLI tools (gh, aws, gcloud) without exposing secrets to the agent
 
-<!-- goclaw-source: c083622f | updated: 2026-04-05 -->
+<!-- goclaw-source: 050aafc9 | updated: 2026-04-09 -->

advanced/api-keys-rbac.md

@@ -10,6 +10,22 @@ This flow is distinct from standard API key providers — it is only needed if y
 
 ---
 
+## OAuth Provider Routing (v3)
+
+GoClaw supports routing OAuth tokens to multiple provider types beyond OpenAI/Codex. In v3, the provider type `media` covers services like **Suno** (AI music) and **DashScope** (Alibaba media generation) that use OAuth or session tokens rather than plain API keys.
+
+### Media Provider Types
+
+| Provider type | Services | Auth method |
+|---------------|----------|-------------|
+| `openai-codex` | ChatGPT via Responses API | OAuth 2.0 PKCE |
+| `suno` | Suno AI music generation | Session token |
+| `dashscope` | Alibaba DashScope (when OAuth-based) | OAuth or API key |
+
+Media provider types are registered in the `llm_providers` table with the appropriate `provider_type` value. The gateway resolves the correct token source and refresh logic based on `provider_type` at request time.
+
+---
+
 ## How It Works
 
 ```mermaid
@@ -195,4 +211,4 @@ source .env.local
 - [Providers Overview](/providers-overview) — all supported LLM providers and how to configure them
 - [Hooks & Quality Gates](/hooks-quality-gates) — add validation to agent outputs
 
-<!-- goclaw-source: 57754a5 | updated: 2026-03-18 -->
+<!-- goclaw-source: 050aafc9 | updated: 2026-04-09 -->

advanced/authentication.md

@@ -256,4 +256,4 @@ Returns:
 - [Exec Approval](/exec-approval) — require human sign-off before running commands
 - [Hooks & Quality Gates](/hooks-quality-gates) — add pre/post checks to agent actions
 
-<!-- goclaw-source: 57754a5 | updated: 2026-03-18 -->
+<!-- goclaw-source: 050aafc9 | updated: 2026-04-09 -->

advanced/browser-automation.md

@@ -70,6 +70,26 @@ Values are serialized as JSON. Pattern deletion uses SCAN with batch size of 100
 
 ---
 
+## Permission Cache
+
+GoClaw includes a dedicated `PermissionCache` for hot permission lookups that happen on every request. Unlike the context file caches, the permission cache is always in-memory — it does not use Redis.
+
+| Cache | TTL | Key format | What it caches |
+|---|---|---|---|
+| `tenantRole` | 30s | `tenantID:userID` | User's role within a tenant |
+| `agentAccess` | 30s | `agentID:userID` | Whether user can access an agent + their role |
+| `teamAccess` | 30s | `teamID:userID` | Whether user can access a team |
+
+**Invalidation via pubsub**: When a user's permissions change (e.g., role update, agent access revoked), GoClaw publishes a `CacheInvalidate` event on the internal bus. The permission cache processes these events:
+
+- `CacheKindTenantUsers` — clears all tenant role entries (short TTL makes a full clear acceptable)
+- `CacheKindAgentAccess` — removes all entries for that `agentID` prefix
+- `CacheKindTeamAccess` — removes all entries for that `teamID` prefix
+
+Permission changes take effect within 30 seconds at most, with immediate invalidation on write paths.
+
+---
+
 ## Cache Behavior
 
 Both backends implement the same interface:
@@ -91,4 +111,4 @@ Both backends implement the same interface:
 - [Database Setup](/deploy-database) — PostgreSQL configuration
 - [Production Checklist](/deploy-checklist) — Deploy with confidence
 
-<!-- goclaw-source: 57754a5 | updated: 2026-03-18 -->
+<!-- goclaw-source: 050aafc9 | updated: 2026-04-09 -->

advanced/caching.md

@@ -195,6 +195,40 @@ curl -X DELETE http://localhost:8080/v1/channels/instances/3f2a1b4c-... \
 
 ---
 
+## Channel Health
+
+Each channel instance exposes a runtime health snapshot. GoClaw tracks the current lifecycle state, failure classification, failure counters, and an operator remediation hint.
+
+### Health states
+
+| State | Meaning |
+|---|---|
+| `registered` | Instance created but not yet started |
+| `starting` | Channel is initializing (connecting to upstream) |
+| `healthy` | Channel is running and accepting messages |
+| `degraded` | Channel is running but experiencing issues |
+| `failed` | Channel failed to start or crashed |
+| `stopped` | Channel was intentionally stopped |
+
+### Failure classification
+
+When a channel enters `failed` or `degraded` state, GoClaw classifies the error into one of four kinds:
+
+| Kind | Examples | Retryable |
+|---|---|---|
+| `auth` | 401 Unauthorized, invalid token | No |
+| `config` | Missing credentials, invalid proxy URL, agent not found | No |
+| `network` | Timeout, connection refused, DNS failure, EOF | Yes |
+| `unknown` | Unexpected errors | Yes |
+
+### Remediation hints
+
+Each failed channel includes a `remediation` object with a `code`, `headline`, and `hint` pointing to the relevant UI surface (`credentials`, `advanced`, `reauth`, or `details`). For example, a Zalo Personal auth failure suggests re-opening the sign-in flow rather than checking credentials.
+
+Health data is available in the channel instance detail view in the Web UI and via the `GET /v1/channels/instances/{id}` endpoint.
+
+---
+
 ## Group file writers
 
 Each channel instance exposes writer-management endpoints that delegate to its bound agent. Writers control who can upload files through the group file feature.
@@ -248,4 +282,4 @@ DELETE /v1/channels/instances/{id}/writers/{userId}?group_id=<group_id>
 - [Multi-Channel Setup](/recipe-multi-channel)
 - [Multi-Tenancy](/multi-tenancy)
 
-<!-- goclaw-source: 57754a5 | updated: 2026-03-18 -->
+<!-- goclaw-source: 050aafc9 | updated: 2026-04-09 -->

advanced/channel-instances.md

@@ -143,4 +143,4 @@ Update the grant: `{"enabled": false}`. The binary remains accessible to other a
 - [API Keys & RBAC](/api-keys-rbac)
 - [Security Hardening](/deploy-security)
 
-<!-- goclaw-source: c083622f | updated: 2026-04-05 -->
+<!-- goclaw-source: 050aafc9 | updated: 2026-04-09 -->