docs: normalize mintlify component closings

docs/automation/cron-jobs.md

@@ -278,7 +278,7 @@ Keep hook endpoints behind loopback, tailnet, or trusted reverse proxy.
 - Keep `hooks.allowRequestSessionKey=false` unless you require caller-selected sessions.
 - If you enable `hooks.allowRequestSessionKey`, also set `hooks.allowedSessionKeyPrefixes` to constrain allowed session key shapes.
 - Hook payloads are wrapped with safety boundaries by default.
-  </Warning>
+</Warning>
 
 ## Gmail PubSub integration
 
@@ -382,7 +382,7 @@ Model override note:
 - Configured fallback chains still apply because cron `--model` is a job primary, not a session `/model` override.
 - Payload `fallbacks` replaces configured fallbacks for that job; `fallbacks: []` disables fallback and makes the run strict.
 - A plain `--model` with no explicit or configured fallback list does not fall through to the agent primary as a silent extra retry target.
-  </Note>
+</Note>
 
 ## Configuration
 

docs/channels/bluebubbles.md

@@ -66,7 +66,7 @@ Current OpenClaw releases bundle BlueBubbles, so normal packaged builds do not n
 - Always set a webhook password.
 - Webhook authentication is always required. OpenClaw rejects BlueBubbles webhook requests unless they include a password/guid that matches `channels.bluebubbles.password` (for example `?password=<password>` or `x-password`), regardless of loopback/proxy topology.
 - Password authentication is checked before reading/parsing full webhook bodies.
-  </Warning>
+</Warning>
 
 ## Keeping Messages.app alive (VM / headless setups)
 

docs/channels/groups.md

@@ -26,7 +26,7 @@ Translation: allowlisted senders can trigger OpenClaw by mentioning it.
 - **DM access** is controlled by `*.allowFrom`.
 - **Group access** is controlled by `*.groupPolicy` + allowlists (`*.groups`, `*.groupAllowFrom`).
 - **Reply triggering** is controlled by mention gating (`requireMention`, `/activation`).
-  </Note>
+</Note>
 
 Quick flow (what happens to a group message):
 

docs/channels/mattermost.md

@@ -418,7 +418,7 @@ External scripts and webhooks can post buttons directly via the Mattermost REST
 4. Action `id` must be **alphanumeric only** (`[a-zA-Z0-9]`). Hyphens and underscores break Mattermost's server-side action routing (returns 404). Strip them before use.
 5. `context.action_id` must match the button's `id` so the confirmation message shows the button name (e.g., "Approve") instead of a raw ID.
 6. `context.action_id` is required — the interaction handler returns 400 without it.
-   </Warning>
+</Warning>
 
 **HMAC token generation**
 

docs/concepts/models.md

@@ -127,7 +127,7 @@ This happens **before** a normal reply is generated, so the message can feel lik
 - Add the model to `agents.defaults.models`, or
 - Clear the allowlist (remove `agents.defaults.models`), or
 - Pick a model from `/model list`.
-  </Warning>
+</Warning>
 
 Example allowlist config:
 

docs/gateway/heartbeat.md

@@ -235,7 +235,7 @@ Use `accountId` to target a specific account on multi-account channels like Tele
 - `main` (default): agent main session.
 - Explicit session key (copy from `openclaw sessions --json` or the [sessions CLI](/cli/sessions)).
 - Session key formats: see [Sessions](/concepts/session) and [Groups](/channels/groups).
-  </ParamField>
+</ParamField>
   <ParamField path="target" type="string">
 - `last`: deliver to the last used external channel.
 - explicit channel: any configured channel or plugin id, for example `discord`, `matrix`, `telegram`, or `whatsapp`.

docs/gateway/pairing.md

@@ -82,7 +82,7 @@ Node pairing is a trust and identity flow plus token issuance. It does **not** p
 
 - Live node commands come from what the node declares on connect after the gateway's global node command policy (`gateway.nodes.allowCommands` and `denyCommands`) is applied.
 - Per-node `system.run` allow and ask policy lives on the node in `exec.approvals.node.*`, not in the pairing record.
-  </Warning>
+</Warning>
 
 ## Node command gating (2026.3.31+)
 

docs/gateway/sandboxing.md

@@ -349,7 +349,7 @@ Example (read-only source + an extra data directory):
 - Sensitive mounts (secrets, SSH keys, service credentials) should be `:ro` unless absolutely required.
 - Combine with `workspaceAccess: "ro"` if you only need read access to the workspace; bind modes stay independent.
 - See [Sandbox vs Tool Policy vs Elevated](/gateway/sandbox-vs-tool-policy-vs-elevated) for how binds interact with tool policy and elevated exec.
-  </Warning>
+</Warning>
 
 ## Images and setup
 

docs/gateway/trusted-proxy-auth.md

@@ -99,7 +99,7 @@ Implications:
 - Internal Gateway clients that do not travel through the reverse proxy should use `gateway.auth.password` / `OPENCLAW_GATEWAY_PASSWORD`, not trusted-proxy identity headers.
 - Non-loopback Control UI deployments still need explicit `gateway.controlUi.allowedOrigins`.
 - **Forwarded-header evidence overrides loopback locality for local direct fallback.** If a request arrives on loopback but carries `X-Forwarded-For` / `X-Forwarded-Host` / `X-Forwarded-Proto` headers pointing at a non-local origin, that evidence disqualifies local-direct password fallback and device-identity gating. With `allowLoopback: true`, trusted-proxy auth can still accept the request as a same-host proxy request, while `requiredHeaders` and `allowUsers` continue to apply.
-  </Warning>
+</Warning>
 
 ### Configuration reference
 

docs/nodes/media-understanding.md

@@ -259,7 +259,7 @@ For CLI entries, **set `capabilities` explicitly** to avoid surprising matches.
 
 - `minimax` and `minimax-portal` image understanding comes from the plugin-owned `MiniMax-VL-01` media provider.
 - The bundled MiniMax text catalog still starts text-only; explicit `models.providers.minimax` entries materialize image-capable M2.7 chat refs.
-  </Note>
+</Note>
 
 ## Model selection guidance
 

docs/tools/acp-agents.md

@@ -323,7 +323,7 @@ top-level `bindings[]` entries.
 - **Telegram forum topic:** `match.channel="telegram"` + `match.peer.id="<chatId>:topic:<topicId>"`
 - **BlueBubbles DM/group:** `match.channel="bluebubbles"` + `match.peer.id="<handle|chat_id:*|chat_guid:*|chat_identifier:*>"`. Prefer `chat_id:*` or `chat_identifier:*` for stable group bindings.
 - **iMessage DM/group:** `match.channel="imessage"` + `match.peer.id="<handle|chat_id:*|chat_guid:*|chat_identifier:*>"`. Prefer `chat_id:*` for stable group bindings.
-  </ParamField>
+</ParamField>
   <ParamField path="bindings[].agentId" type="string">
   The owning OpenClaw agent id.
   </ParamField>
@@ -714,7 +714,7 @@ OpenClaw sandbox.
 - OpenClaw's sandbox policy does **not** wrap ACP harness execution.
 - OpenClaw still enforces ACP feature gates, allowed agents, session ownership, channel bindings, and Gateway delivery policy.
 - Use `runtime: "subagent"` for sandbox-enforced OpenClaw-native work.
-  </Warning>
+</Warning>
 
 Current limitations:
 

docs/tools/exec-approvals.md

@@ -137,7 +137,7 @@ Example schema:
 - `deny` — block.
 - `allowlist` — allow only if allowlist matches.
 - `full` — allow.
-  </ParamField>
+</ParamField>
 
 ### `tools.exec.strictInlineEval`
 
@@ -184,7 +184,7 @@ YOLO is the default host behavior unless you tighten it explicitly:
 - YOLO chooses **how** host exec is approved: `security=full` plus `ask=off`.
 - In YOLO mode, OpenClaw does **not** add a separate heuristic command-obfuscation approval gate or script-preflight rejection layer on top of the configured host exec policy.
 - `auto` does not make gateway routing a free override from a sandboxed session. A per-call `host=node` request is allowed from `auto`; `host=gateway` is only allowed from `auto` when no sandbox runtime is active. For a stable non-auto default, set `tools.exec.host` or use `/exec host=...` explicitly.
-  </Warning>
+</Warning>
 
 CLI-backed providers that expose their own noninteractive permission mode
 can follow this policy. Claude CLI adds
@@ -262,7 +262,7 @@ EOF
 - `openclaw exec-policy` does not synchronize node approvals.
 - `openclaw exec-policy set --host node` is rejected.
 - Node exec approvals are fetched from the node at runtime, so node-targeted updates must use `openclaw approvals --node ...`.
-  </Note>
+</Note>
 
 ### Session-only shortcut