`setUiActionStructuredOutput` in `src/mcp/tools/ui-automation/shared/domain-result.ts` always sets `schemaVersion: '2'` on the envelope, and every UI-action manifest (`manifests/tools/tap.yaml`, `swipe.yaml`, `drag.yaml`, `batch.yaml`, `key_press.yaml`, `key_sequence.yaml`, `long_press.yaml`, `touch.yaml`, `type_text.yaml`, `wait_for_ui.yaml`, `snapshot_ui.yaml`, `button.yaml`) declares `outputSchema.version: "2"`. However, the new rs/1 captures returned by `captureRuntimeSnapshotAfterActionSafely` use `{ type: 'runtime-snapshot', protocol: 'rs/1', elements, actions, ... }`, which only the v3 schema accepts. Either bump the runtime envelope and all UI-action manifests to `"3"`, or keep emitting the legacy compact (`rs`/`targets`/`scroll`/`udid`) capture shape on v2.

The `type-text--success` snapshot test and fixture were deleted with no replacement success-path test, so the `type-text` tool's happy path is no longer verified in snapshot tests at all — only error cases remain.

`runtimeSnapshot: 'full'` is set for **all** schemas when `verbose=true`, but the schema version is only bumped to `'3'` for `UI_ACTION_RESULT_SCHEMA`. For `CAPTURE_SCHEMA` (`snapshot_ui` and similar), callers running with `--output json --verbose` receive a full `RuntimeSnapshotV1` (structured element objects) while `schemaVersion` still says `'2'`, which specifies the compact pipe-delimited string format — breaking schema-version-based parsing.

When `foregroundIncompleteCompletionTapElement` is set (e.g. a "Save" or "Add" button detected alongside "unsaved"/"not added" state signals), `shouldPrioritizeScroll` at line 702 still evaluates to `true` because `COMPLETION_ACTION_TAP_NEXT_STEP_LABELS` entries like "save" are neither content-rich nor low-priority, causing scroll to appear before the critical completion tap in the next-step list. Add `foregroundIncompleteCompletionTapElement === null` as a guard in the `shouldPrioritizeScroll` condition.

Any element whose combined `role + type + subrole + role_description` contains the substring `"text"` is returned as `'text'` before the `image`, `switch`, `slider`, `cell`, `scroll-view`, `list`, or `tab` branches are ever reached; these misclassified elements then only receive `longPress`/`touch` actions (never `tap`) because `isTapRole` excludes `'text'`.

Any element whose combined `role + type + subrole + role_description` contains the substring `"text"` is returned as `'text'` before the `image`, `switch`, `slider`, `cell`, `scroll-view`, `list`, or `tab` branches are ever reached; these misclassified elements then only receive `longPress`/`touch` actions (never `tap`) because `isTapRole` excludes `'text'`.

Any element in `suppressedTargetRefs` that also has both `swipeWithin` and `tap`/`typeText` actions will be excluded from the Targets section (correctly, because it's suppressed) but also excluded from the Scroll section, because `isScrollableRuntimeArea` calls `isLikelyRuntimeTarget(element)` with no `suppressedTargetRefs` argument (defaults to an empty set), so the element is classified as a likely target and filtered out of scroll areas — making it invisible in both rendered sections.

`hasComplexCliParamValue(null)` returns `false` because `value !== null` fails, so `null` param values skip the `--json` path and reach the else branch of the loop, where `formatCliParamValue(null)` returns `shellEscapeArg(JSON.stringify(null))` = `'null'`, producing `--key 'null'` — passing the string literal `"null"` as a CLI flag value instead of omitting the param.

Inside `foregroundScore`, both `findSheetGrabberDescendant` (a linear `find`) and `records.filter(isForegroundCandidateForRoot)` are O(n) operations executed once per unique candidate the first time their score is computed — making the overall function O(n²) over the element list. For complex screens with many AX elements this runs on a performance-critical path (post-action snapshot rendering). Consider pre-grouping records by path prefix or building a parent→children index once before scoring.

Both `getForegroundCompletionSuppressedRuntimeTargetRefs` and `createRuntimeSnapshotNextSteps` independently call `findStoredSnapshotRecords` and `findActiveForegroundRoot` — the latter performs an O(n²) descendant scan across all snapshot records — so every UI action result triggers this expensive pass twice. Consider extracting the shared intermediate state (`recordsByRef`, `foregroundRoot`, filtered elements) into a shared context object or combining the two exported functions.

Both `getForegroundCompletionSuppressedRuntimeTargetRefs` and `createRuntimeSnapshotNextSteps` independently call `findStoredSnapshotRecords` and `findActiveForegroundRoot` — the latter performs an O(n²) descendant scan across all snapshot records — so every UI action result triggers this expensive pass twice. Consider extracting the shared intermediate state (`recordsByRef`, `foregroundRoot`, filtered elements) into a shared context object or combining the two exported functions.