diff --git a/.github/workflows/mantis-telegram-desktop-proof.yml b/.github/workflows/mantis-telegram-desktop-proof.yml
index 293490539f0..06afa9793cc 100644
--- a/.github/workflows/mantis-telegram-desktop-proof.yml
+++ b/.github/workflows/mantis-telegram-desktop-proof.yml
@@ -48,7 +48,7 @@ concurrency:
 env:
   FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
   NODE_VERSION: "24.x"
-  PNPM_VERSION: "10.33.0"
+  PNPM_VERSION: "11.0.8"
   OPENCLAW_BUILD_PRIVATE_QA: "1"
   OPENCLAW_ENABLE_PRIVATE_QA_CLI: "1"
   CRABBOX_REF: main
diff --git a/.github/workflows/mantis-telegram-live.yml b/.github/workflows/mantis-telegram-live.yml
index 7ef7c993b5e..c08fef6def9 100644
--- a/.github/workflows/mantis-telegram-live.yml
+++ b/.github/workflows/mantis-telegram-live.yml
@@ -44,7 +44,7 @@ concurrency:
 env:
   FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
   NODE_VERSION: "24.x"
-  PNPM_VERSION: "10.33.0"
+  PNPM_VERSION: "11.0.8"
   OPENCLAW_BUILD_PRIVATE_QA: "1"
   OPENCLAW_ENABLE_PRIVATE_QA_CLI: "1"
   CRABBOX_REF: main
diff --git a/AGENTS.md b/AGENTS.md
index 42056f5ff29..0b814b5d808 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -133,7 +133,7 @@ Skills own workflows; root owns hard policy and routing.
 - Never commit real phone numbers, videos, credentials, live config.
 - Secrets: channel/provider creds in `~/.openclaw/credentials/`; model auth profiles in `~/.openclaw/agents/<agentId>/agent/auth-profiles.json`.
 - Env keys: check `~/.profile`; redact output.
-- Dependency patches/overrides/vendor changes need explicit approval. `pnpm.patchedDependencies` exact versions only.
+- Dependency patches/overrides/vendor changes need explicit approval. `pnpm-workspace.yaml` patched dependencies use exact versions only.
 - Carbon pins owner-only: do not change `@buape/carbon` unless Shadow (`@thewilloftheshadow`, verified by `gh`) asks.
 - Releases/publish/version bumps need explicit approval. Use `$openclaw-release-maintainer`.
 - GHSA/advisories: `$openclaw-ghsa-maintainer` / `$security-triage`. Secret scanning: `$openclaw-secret-scanning-maintainer`.
diff --git a/docs/help/testing.md b/docs/help/testing.md
index a7aed699cc5..defc0b7c704 100644
--- a/docs/help/testing.md
+++ b/docs/help/testing.md
@@ -553,8 +553,8 @@ Think of the suites as "increasing realism" (and increasing flakiness/cost):
 
 Native dependency policy:
 
-- Default test installs skip optional native Discord opus builds. Discord voice receive uses the pure-JS `opusscript` decoder, and `@discordjs/opus` stays in `ignoredBuiltDependencies` so local tests and Testbox lanes do not compile the native addon.
-- Use a dedicated Discord voice performance or live lane if you intentionally need to compare a native opus build. Do not add `@discordjs/opus` back to the default `onlyBuiltDependencies`; that makes unrelated install/test loops compile native code.
+- Default test installs skip optional native Discord opus builds. Discord voice receive uses the pure-JS `opusscript` decoder, and `@discordjs/opus` stays disabled in `allowBuilds` so local tests and Testbox lanes do not compile the native addon.
+- Use a dedicated Discord voice performance or live lane if you intentionally need to compare a native opus build. Do not set `@discordjs/opus` to `true` in the default `allowBuilds`; that makes unrelated install/test loops compile native code.
 
 <AccordionGroup>
   <Accordion title="Projects, shards, and scoped lanes">
diff --git a/extensions/qa-lab/src/mantis/telegram-desktop-builder.runtime.ts b/extensions/qa-lab/src/mantis/telegram-desktop-builder.runtime.ts
index 2f5e10103c7..fb2fbe32ac3 100644
--- a/extensions/qa-lab/src/mantis/telegram-desktop-builder.runtime.ts
+++ b/extensions/qa-lab/src/mantis/telegram-desktop-builder.runtime.ts
@@ -420,7 +420,7 @@ qa_status=0
 {
   set -e
   echo "remote pwd: $(pwd)"
-  sudo corepack enable || sudo npm install -g pnpm@10.33.2
+  sudo corepack enable || sudo npm install -g pnpm@11
   if [ "$hydrate_mode" = "source" ]; then
     if ! command -v make >/dev/null 2>&1 || ! command -v python3 >/dev/null 2>&1; then
       sudo apt-get update -y >>"$out/apt.log" 2>&1 || true
diff --git a/scripts/install-cli.sh b/scripts/install-cli.sh
index 5c008944817..fd5f77982c8 100755
--- a/scripts/install-cli.sh
+++ b/scripts/install-cli.sh
@@ -429,18 +429,18 @@ ensure_pnpm() {
   if detect_pnpm_cmd && pnpm_cmd_is_ready; then
     local current_version
     current_version="$("${PNPM_CMD[@]}" --version 2>/dev/null || true)"
-    if [[ "$current_version" =~ ^10\. ]]; then
+    if [[ "$current_version" =~ ^11\. ]]; then
       return 0
     fi
-    log "Found pnpm ${current_version:-unknown}; upgrading to pnpm@10..."
+    log "Found pnpm ${current_version:-unknown}; upgrading to pnpm@11..."
   fi
 
   if [[ -x "$(node_dir)/bin/corepack" ]]; then
     emit_json "{\"event\":\"step\",\"name\":\"pnpm\",\"status\":\"start\",\"method\":\"corepack\"}"
     log "Installing pnpm via Corepack..."
     "$(node_dir)/bin/corepack" enable >/dev/null 2>&1 || true
-    "$(node_dir)/bin/corepack" prepare pnpm@10 --activate
-    if detect_pnpm_cmd && pnpm_cmd_is_ready && [[ "$("${PNPM_CMD[@]}" --version 2>/dev/null || true)" =~ ^10\. ]]; then
+    "$(node_dir)/bin/corepack" prepare pnpm@11 --activate
+    if detect_pnpm_cmd && pnpm_cmd_is_ready && [[ "$("${PNPM_CMD[@]}" --version 2>/dev/null || true)" =~ ^11\. ]]; then
       emit_json "{\"event\":\"step\",\"name\":\"pnpm\",\"status\":\"ok\"}"
       return 0
     fi
@@ -448,7 +448,7 @@ ensure_pnpm() {
 
   emit_json "{\"event\":\"step\",\"name\":\"pnpm\",\"status\":\"start\",\"method\":\"npm\"}"
   log "Installing pnpm via npm..."
-  SHARP_IGNORE_GLOBAL_LIBVIPS="$SHARP_IGNORE_GLOBAL_LIBVIPS" "$(npm_bin)" install -g --prefix "$PREFIX" pnpm@10
+  SHARP_IGNORE_GLOBAL_LIBVIPS="$SHARP_IGNORE_GLOBAL_LIBVIPS" "$(npm_bin)" install -g --prefix "$PREFIX" pnpm@11
   detect_pnpm_cmd || true
   emit_json "{\"event\":\"step\",\"name\":\"pnpm\",\"status\":\"ok\"}"
   return 0
@@ -524,51 +524,29 @@ EOF
 ensure_pnpm_git_prepare_allowlist() {
   local repo_dir="$1"
   local workspace_file="${repo_dir}/pnpm-workspace.yaml"
-  local package_file="${repo_dir}/package.json"
   local dep="@tloncorp/api"
   local tmp
 
-  if [[ -f "$workspace_file" ]] && ! grep -Fq "\"${dep}\"" "$workspace_file" && ! grep -Fq -- "- ${dep}" "$workspace_file"; then
+  if [[ -f "$workspace_file" ]] && ! grep -Fq "\"${dep}\"" "$workspace_file" && ! grep -Fq "${dep}:" "$workspace_file" && ! grep -Fq -- "- ${dep}" "$workspace_file"; then
     tmp="$(mktemp)"
-    if grep -q '^onlyBuiltDependencies:[[:space:]]*$' "$workspace_file"; then
+    if grep -q '^allowBuilds:[[:space:]]*$' "$workspace_file"; then
       awk -v dep="$dep" '
         BEGIN { inserted = 0 }
         {
           print
-          if (!inserted && $0 ~ /^onlyBuiltDependencies:[[:space:]]*$/) {
-            print "  - \"" dep "\""
+          if (!inserted && $0 ~ /^allowBuilds:[[:space:]]*$/) {
+            print "  \"" dep "\": true"
             inserted = 1
           }
         }
       ' "$workspace_file" >"$tmp"
     else
       cat "$workspace_file" >"$tmp"
-      printf '\nonlyBuiltDependencies:\n  - "%s"\n' "$dep" >>"$tmp"
+      printf '\nallowBuilds:\n  "%s": true\n' "$dep" >>"$tmp"
     fi
     mv "$tmp" "$workspace_file"
-  fi
-
-  if [[ -f "$package_file" ]]; then
-    "$(node_bin)" - "$package_file" "$dep" <<'EOF'
-const fs = require("node:fs");
-
-const [packageFile, dep] = process.argv.slice(2);
-const data = JSON.parse(fs.readFileSync(packageFile, "utf8"));
-const list = data.pnpm?.onlyBuiltDependencies;
-if (Array.isArray(list)) {
-  if (!list.includes(dep)) {
-    list.unshift(dep);
-    fs.writeFileSync(packageFile, `${JSON.stringify(data, null, 2)}\n`);
-  }
-  process.exit(0);
-}
-
-if (!data.pnpm || typeof data.pnpm !== "object") {
-  data.pnpm = {};
-}
-data.pnpm.onlyBuiltDependencies = [dep];
-fs.writeFileSync(packageFile, `${JSON.stringify(data, null, 2)}\n`);
-EOF
+  elif [[ ! -f "$workspace_file" ]]; then
+    printf 'allowBuilds:\n  "%s": true\n' "$dep" >"$workspace_file"
   fi
 
   log "Updated pnpm allowlist for git-hosted build dependency: ${dep}"
diff --git a/test/scripts/mantis-telegram-desktop-proof-workflow.test.ts b/test/scripts/mantis-telegram-desktop-proof-workflow.test.ts
index 1ab1cd0633e..168b676712b 100644
--- a/test/scripts/mantis-telegram-desktop-proof-workflow.test.ts
+++ b/test/scripts/mantis-telegram-desktop-proof-workflow.test.ts
@@ -5,6 +5,7 @@ import { parse } from "yaml";
 const PROOF_SCRIPT = "scripts/e2e/telegram-user-crabbox-proof.ts";
 const USER_DRIVER = "scripts/e2e/telegram-user-driver.py";
 const WORKFLOW = ".github/workflows/mantis-telegram-desktop-proof.yml";
+const LIVE_WORKFLOW = ".github/workflows/mantis-telegram-live.yml";
 
 type WorkflowStep = {
   env?: Record<string, string>;
@@ -18,6 +19,7 @@ type WorkflowJob = {
 };
 
 type Workflow = {
+  env?: Record<string, string>;
   jobs?: Record<string, WorkflowJob>;
 };
 
@@ -32,6 +34,14 @@ function workflowStep(name: string): WorkflowStep {
 }
 
 describe("Mantis Telegram Desktop proof workflow", () => {
+  it("runs with the repository pnpm major", () => {
+    const workflow = parse(readFileSync(WORKFLOW, "utf8")) as Workflow;
+    const liveWorkflow = parse(readFileSync(LIVE_WORKFLOW, "utf8")) as Workflow;
+
+    expect(workflow.env?.PNPM_VERSION).toBe("11.0.8");
+    expect(liveWorkflow.env?.PNPM_VERSION).toBe("11.0.8");
+  });
+
   it("uses the repo-owned Telegram user driver by default", () => {
     expect(existsSync(USER_DRIVER)).toBe(true);
     expect(readFileSync(PROOF_SCRIPT, "utf8")).toContain(