docs: full-page sentence-case sweep across 5 worst-offender pages

- channels/msteams: 8 H2/H3 (Federated Authentication, Local Development, Known Limitations, Reply Style, Presentation Cards, Private Channels, etc.)
- auth-credential-semantics: 4 H2 (Stable Probe Reason Codes, Token Credentials, Explicit Auth Order Filtering, Probe Target Resolution)
- tools/browser: preserve brand-named headings (Browserless, WebSocket CDP, Chrome MCP, Control API, Brave); minor cleanup
- security/CONTRIBUTING-THREAT-MODEL: 4 H2/H3 (What We Use, Risk Levels, Review Process; Threat IDs preserved as branded label)
- gateway/multiple-gateways: 4 H2 (Best Recommended Setup, Why This Works, General Multi-Gateway Setup, Isolation Checklist)
Vincent Koc
2026-04-26 23:58:21 -07:00
parent f89d0f7c53
commit 41268ded2d
5 changed files with 20 additions and 20 deletions

View File

@@ -15,7 +15,7 @@ This document defines the canonical credential eligibility and resolution semant
The goal is to keep selection-time and runtime behavior aligned.
## Stable Probe Reason Codes
## Stable probe reason codes
- `ok`
- `excluded_by_auth_order`
@@ -25,7 +25,7 @@ The goal is to keep selection-time and runtime behavior aligned.
- `unresolved_ref`
- `no_model`
## Token Credentials
## Token credentials
Token credentials (`type: "token"`) support inline `token` and/or `tokenRef`.
@@ -44,7 +44,7 @@ Token credentials (`type: "token"`) support inline `token` and/or `tokenRef`.
2. For eligible profiles, token material may be resolved from inline value or `tokenRef`.
3. Unresolvable refs produce `unresolved_ref` in `models status --probe` output.
## Explicit Auth Order Filtering
## Explicit auth order filtering
- When `auth.order.<provider>` or the auth-store order override is set for a
provider, `models status --probe` only probes profile ids that remain in the
@@ -54,7 +54,7 @@ Token credentials (`type: "token"`) support inline `token` and/or `tokenRef`.
`reasonCode: excluded_by_auth_order` and the detail
`Excluded by auth.order for this provider.`
## Probe Target Resolution
## Probe target resolution
- Probe targets can come from auth profiles, environment credentials, or
`models.json`.

View File

@@ -283,7 +283,7 @@ The Teams channel starts automatically when the plugin is available and `msteams
</details>
## Federated Authentication (Certificate + Managed Identity)
## Federated authentication (certificate plus managed identity)
> Added in 2026.3.24
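Review bot: the "Federated authentication" heading is the one rename in this file that changes wording rather than case, replacing `+` with `plus` and lowercasing the parenthetical. If the docs site derives heading anchors from the heading text (not visible in this diff), the fragment for this section changes while the case-only renames in the other hunks most likely keep theirs. Before merging, search the docs for links that point at the old fragment, or pin an explicit anchor on the heading so existing deep links to the federated-auth setup keep resolving.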
@@ -425,7 +425,7 @@ For AKS deployments using workload identity:
**Default behavior:** When `authType` is not set, OpenClaw defaults to client secret authentication. Existing configurations continue to work without changes.
## Local Development (Tunneling)
## Local development (tunneling)
Teams can't reach `localhost`. Use a persistent dev tunnel so your URL stays the same across sessions:
@@ -495,7 +495,7 @@ The action is gated by `channels.msteams.actions.memberInfo` (default: enabled w
- In other words, allowlists gate who can trigger the agent; only specific supplemental context paths are filtered today.
- DM history can be limited with `channels.msteams.dmHistoryLimit` (user turns). Per-user overrides: `channels.msteams.dms["<user_id>"].historyLimit`.
## Current Teams RSC Permissions (Manifest)
## Current Teams RSC permissions (manifest)
These are the **existing resourceSpecific permissions** in our Teams app manifest. They only apply inside the team/chat where the app is installed.
@@ -519,7 +519,7 @@ To add RSC permissions via the Teams CLI:
teams app rsc add <teamsAppId> ChannelMessage.Read.Group --type Application
```
## Example Teams Manifest (redacted)
## Example Teams manifest (redacted)
Minimal, valid example with the required fields. Replace IDs and URLs.
@@ -651,7 +651,7 @@ If you need images/files in **channels** or want to fetch **message history**, y
**Additional permission for user mentions:** User @mentions work out of the box for users in the conversation. However, if you want to dynamically search and mention users who are **not in the current conversation**, add `User.Read.All` (Application) permission and grant admin consent.
## Known Limitations
## Known limitations
### Webhook timeouts
@@ -714,7 +714,7 @@ Key settings (see `/gateway/configuration` for shared channel patterns):
- `agent:<agentId>:msteams:channel:<conversationId>`
- `agent:<agentId>:msteams:group:<conversationId>`
## Reply Style: Threads vs Posts
## Reply style: threads vs posts
Teams recently introduced two channel UI styles over the same underlying data model:
@@ -841,7 +841,7 @@ OpenClaw sends Teams polls as Adaptive Cards (there is no native Teams poll API)
- The gateway must stay online to record votes.
- Polls do not auto-post result summaries yet (inspect the store file if needed).
## Presentation Cards
## Presentation cards
Send semantic presentation payloads to Teams users or conversations using the `message` tool or CLI. OpenClaw renders them as Teams Adaptive Cards from the generic presentation contract.
@@ -957,7 +957,7 @@ https://teams.microsoft.com/l/channel/19%3A15bc...%40thread.tacv2/ChannelName?gr
- Channel ID = path segment after `/channel/` (URL-decoded)
- **Ignore** the `groupId` query parameter
## Private Channels
## Private channels
Bots have limited support in private channels:

View File

@@ -8,7 +8,7 @@ title: "Multiple gateways"
Most setups should use one Gateway because a single Gateway can handle multiple messaging connections and agents. If you need stronger isolation or redundancy (e.g., a rescue bot), run separate Gateways with isolated profiles/ports.
## Best Recommended Setup
## Best recommended setup
For most users, the simplest rescue-bot setup is:
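Review bot: style point on the new heading "Best recommended setup": "best" and "recommended" say the same thing, and the sentence under it already scopes the advice ("For most users, the simplest rescue-bot setup is:"). Since the heading is being touched anyway, consider "Recommended setup"; note that this would be a wording change, so check inbound links to the section if you take it.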
@@ -44,7 +44,7 @@ During `openclaw --profile rescue onboard`:
If onboarding already installed the rescue service for you, the final
`gateway install` is not needed.
## Why This Works
## Why this works
The rescue bot stays independent because it has its own:
@@ -75,7 +75,7 @@ In practice, that means the rescue bot gets its own:
The prompts are otherwise the same as normal onboarding.
## General Multi-Gateway Setup
## General multi-gateway setup
The rescue-bot layout above is the easiest default, but the same isolation
pattern works for any pair or group of Gateways on one host.
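Review bot: the new heading lowercases "gateway" in "General multi-gateway setup", while the body text in this same file treats it as a capitalized product term ("one Gateway", "group of Gateways on one host", "per Gateway instance"). The commit message keeps other branded terms capitalized (Threat IDs, Browserless, Brave), so decide whether Gateway is one of them and either keep "Multi-Gateway" in the heading or state in the commit message that it is intentionally lowercased in headings.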
@@ -114,7 +114,7 @@ Use the rescue-bot quickstart when you want a fallback operator lane. Use the
general profile pattern when you want multiple long-lived Gateways for
different channels, tenants, workspaces, or operational roles.
## Isolation Checklist
## Isolation checklist
Keep these unique per Gateway instance:

View File

@@ -39,7 +39,7 @@ Attack chains show how multiple threats combine into a realistic attack scenario
Typos, clarifications, outdated info, better examples - PRs welcome, no issue needed.
## What We Use
## What we use
### MITRE ATLAS
@@ -62,7 +62,7 @@ Each threat gets an ID like `T-EXEC-003`. The categories are:
IDs are assigned by maintainers during review. You don't need to pick one.
### Risk Levels
### Risk levels
| Level | Meaning |
| ------------ | ----------------------------------------------------------------- |
@@ -73,7 +73,7 @@ IDs are assigned by maintainers during review. You don't need to pick one.
If you're unsure about the risk level, just describe the impact and we'll assess it.
## Review Process
## Review process
1. **Triage** - We review new submissions within 48 hours
2. **Assessment** - We verify feasibility, assign ATLAS mapping and threat ID, validate risk level
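Review bot: the commit message says "4 H2/H3" for security/CONTRIBUTING-THREAT-MODEL, but only three heading changes appear in the hunks for this file (What we use, Risk levels, Review process). The stated total of 20 additions is consistent with three here (4 + 8 + 4 + 3 + 1). Either correct the count in the message, or check whether a fourth heading in this file was meant to be converted and was missed.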

View File

@@ -248,7 +248,7 @@ Browser settings live in `~/.openclaw/openclaw.json`.
</AccordionGroup>
## Use Brave (or another Chromium-based browser)
## Use Brave or another Chromium-based browser
If your **system default** browser is Chromium-based (Chrome/Brave/Edge/etc),
OpenClaw uses it automatically. Set `browser.executablePath` to override