[Repo Assist] chore(deps): bump NuGet packages (test SDK, ProtectedData, Zeroconf)#578

Draft
github-actions[bot] wants to merge 1 commit into master from repo-assist/eng-bump-nuget-packages-2026-05-29-7d844a03cfc74a89

@github-actions
Contributor

🤖 This is an automated pull request from Repo Assist.

Summary

Bumps three NuGet packages to their latest minor/patch versions, identified via dotnet list package --outdated.

| Package | From | To | Projects |
| --- | --- | --- | --- |
| Microsoft.NET.Test.Sdk | 18.4.0 | 18.6.0 | All test projects (via tests/Directory.Build.props) |
| System.Security.Cryptography.ProtectedData | 10.0.0 | 10.0.8 | OpenClaw.Tray.WinUI, OpenClaw.Tray.Tests |
| Zeroconf | 3.6.11 | 3.7.16 | OpenClaw.Tray.WinUI, OpenClaw.Tray.Tests |

All updates are minor/patch bumps with no API-breaking changes expected.

Test Status

  • dotnet test OpenClaw.Shared.Tests — 2015 passed, 29 skipped, 8 pre-existing Linux-environment failures (MCP policy path tests, unrelated to this change)
  • dotnet test OpenClaw.Tray.Tests — 860 passed, 2 skipped, 0 failures

Generated by 🌈 Repo Assist, see workflow run. Learn more.

To install this agentic workflow, run

gh aw add githubnext/agentics/workflows/repo-assist.md@97143ac59cb3a13ef2a77581f929f06719c7402a

- Microsoft.NET.Test.Sdk: 18.4.0 → 18.6.0 (all test projects)
- System.Security.Cryptography.ProtectedData: 10.0.0 → 10.0.8
- Zeroconf: 3.6.11 → 3.7.16

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@clawsweeper

clawsweeper Bot commented May 29, 2026

Codex review: needs maintainer review before merge. Reviewed May 28, 2026, 9:37 PM ET / 01:37 UTC.

Summary
This PR bumps Microsoft.NET.Test.Sdk, System.Security.Cryptography.ProtectedData, and Zeroconf PackageReference versions across the tray app and test projects.

Reproducibility: not applicable. This is a dependency maintenance PR rather than a bug report. Source inspection confirms the changed packages are used by test infrastructure and tray runtime paths.

Review metrics: 2 noteworthy metrics.

  • Package References Changed: 3 packages across 3 project files; 5 insertions, 5 deletions. The diff is small, but it updates shared test infrastructure plus two tray runtime dependencies.
  • Runtime Dependencies Changed: 2 runtime package bumps. ProtectedData and Zeroconf affect stored secret protection and gateway discovery, which deserve upgrade validation beyond compile-only review.

Merge readiness
Overall: 🦐 gold shrimp
Proof: 🌊 off-meta tidepool
Patch quality: 🦐 gold shrimp
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • Provide clean ./build.ps1, shared test, and tray test results for the PR branch.
  • [P2] Add or link a focused Windows tray smoke for protected settings and gateway discovery if maintainers want runtime coverage before landing.

Risk before merge

  • [P1] The PR body reports OpenClaw.Shared.Tests with 8 Linux-environment failures and does not include the AGENTS-required ./build.ps1 result, so required validation is not clean yet.
  • [P1] The runtime package bumps affect DPAPI-backed protected settings and Zeroconf mDNS gateway discovery; package existence checks passed, but real Windows upgrade/discovery behavior was not proven in this read-only review.

Maintainer options:

  1. Require Clean Repository Validation (recommended)
    Run ./build.ps1 and both AGENTS-required dotnet test commands on the PR branch before merge, because the current PR body does not show a clean required validation set.
  2. Ask For A Focused Windows Smoke
    If maintainers want higher confidence for the runtime packages, ask for a protected-settings save/reload and gateway-discovery smoke on Windows before landing.
  3. Hold The Dependency Bump
    If clean validation or Windows runtime confidence cannot be produced, keep the PR open or close it in favor of a later narrower dependency update.

Next step before merge

  • [P2] No narrow code repair is identified; maintainers should require clean validation and decide whether the runtime dependency smoke coverage is sufficient.

Security
Cleared: The diff only changes existing PackageReference versions from nuget.org and introduces no new package source, script, permission, secret handling path, or generated code.

Review details

Best possible solution:

Land the package bumps only after clean required build/tests and, ideally, a Windows tray smoke covering protected settings and gateway discovery.

Do we have a high-confidence way to reproduce the issue?

Not applicable; this is a dependency maintenance PR rather than a bug report. Source inspection confirms the changed packages are used by test infrastructure and tray runtime paths.

Is this the best way to solve the issue?

Yes, the patch is the narrowest way to take these dependency updates. Merge readiness depends on clean required validation and targeted Windows runtime confidence for the two tray dependencies.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 281656fc017e.

Label changes

Label changes:

  • add P3: This is a low-risk dependency maintenance PR with no confirmed user-facing regression or blocking code defect.
  • add merge-risk: 🚨 compatibility: The runtime dependency bumps could affect existing Windows tray settings protection or gateway discovery behavior if not validated on the target runtime.
  • add rating: 🦐 gold shrimp: Overall readiness is 🦐 gold shrimp; proof is 🌊 off-meta tidepool and patch quality is 🦐 gold shrimp.
  • add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: This is a bot-generated dependency PR, so the external-contributor real-behavior proof gate is not applicable; validation still needs to be clean before merge.

Label justifications:

  • P3: This is a low-risk dependency maintenance PR with no confirmed user-facing regression or blocking code defect.
  • merge-risk: 🚨 compatibility: The runtime dependency bumps could affect existing Windows tray settings protection or gateway discovery behavior if not validated on the target runtime.
  • rating: 🦐 gold shrimp: Overall readiness is 🦐 gold shrimp; proof is 🌊 off-meta tidepool and patch quality is 🦐 gold shrimp.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: This is a bot-generated dependency PR, so the external-contributor real-behavior proof gate is not applicable; validation still needs to be clean before merge.

Evidence reviewed

What I checked:

  • PR diff scope: Head commit 6dcb3d5 changes only three project files, with 5 insertions and 5 deletions, updating the three NuGet package versions described in the PR body. (6dcb3d52f600)
  • Current main still has old runtime package versions: Current main still references System.Security.Cryptography.ProtectedData 10.0.0 and Zeroconf 3.6.11 in the tray WinUI project, so the PR is not already implemented on main. (src/OpenClaw.Tray.WinUI/OpenClaw.Tray.WinUI.csproj:67, 281656fc017e)
  • Current main still has old test SDK version: Current main still references Microsoft.NET.Test.Sdk 18.4.0 in tests/Directory.Build.props. (tests/Directory.Build.props:27, 281656fc017e)
  • Runtime surface touched by ProtectedData bump: ProtectedData is used for DPAPI-backed protected settings secrets, including protect and unprotect paths for stored settings values. (src/OpenClaw.Tray.WinUI/Services/SettingsManager.cs:423, 281656fc017e)
  • Runtime surface touched by Zeroconf bump: ZeroconfResolver.ResolveAsync is used by gateway discovery, so the Zeroconf package bump affects mDNS gateway discovery behavior at runtime. (src/OpenClaw.Tray.WinUI/Services/GatewayDiscoveryService.cs:91, 281656fc017e)
  • Package versions exist on nuget.org: NuGet flat-container checks found Microsoft.NET.Test.Sdk 18.6.0, System.Security.Cryptography.ProtectedData 10.0.8, and Zeroconf 3.7.16, and nuspec checks showed MIT licenses with expected framework groups/dependencies.

Likely related people:

  • Scott Hanselman: Blame shows the current runtime package references and ProtectedData/Zeroconf call sites came through commit e67f5c2, which merged pr-508. (role: introduced behavior; confidence: high; commits: e67f5c2f6e1c; files: src/OpenClaw.Tray.WinUI/OpenClaw.Tray.WinUI.csproj, src/OpenClaw.Tray.WinUI/Services/SettingsManager.cs, src/OpenClaw.Tray.WinUI/Services/GatewayDiscoveryService.cs)
  • Peter Steinberger: Recent history shows dependency alignment work in the tray project file shortly before this PR. (role: recent dependency area contributor; confidence: medium; commits: 58dfd7684056; files: src/OpenClaw.Tray.WinUI/OpenClaw.Tray.WinUI.csproj)

What the crustacean ranks mean

  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

clawsweeper Bot added labels on May 29, 2026:

  • rating: 🦐 gold shrimp: Decent PR readiness signal, but merge confidence is limited.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR.
  • P3: Low-risk cleanup, docs, polish, ergonomics, or speculative feature.
  • merge-risk: 🚨 compatibility: 🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades.

@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
| --- | --- | --- | --- | --- | --- | --- |
| Updated | nuget/system.security.cryptography.protecteddata@10.0.0 ⏵ 10.0.8 | 99 | 100 | 90 | 100 | 70 |
| Updated | nuget/zeroconf@3.6.11 ⏵ 3.7.16 | 94 -6 | 100 | 90 | 100 | 100 |
| Updated | nuget/microsoft.net.test.sdk@18.4.0 ⏵ 18.6.0 | 100 | 100 | 90 | 100 | 100 |

View full report
