Changelog

What's New in OpenClaw

Latest releases and updates from the OpenClaw project and community.

openclaw 2026.4.15

View on GitHub

Changes

Anthropic/models: default Anthropic selections, opus aliases, Claude CLI defaults, and bundled image understanding to Claude Opus 4.7.
Google/TTS: add Gemini text-to-speech support to the bundled google plugin, including provider registration, voice selection, WAV reply output, PCM telephony output, and setup/docs guidance. (#67515) Thanks @barronlroth.
Control UI/Overview: add a Model Auth status card showing OAuth token health and provider rate-limit pressure at a glance, with attention callouts when OAuth tokens are expiring or expired. Backed by a new models.authStatus gateway method that strips credentials and caches for 60s. (#66211) Thanks @omarshahine.
Memory/LanceDB: add cloud storage support to memory-lancedb so durable memory indexes can run on remote object storage instead of local disk only. (#63502) Thanks @rugvedS07.
GitHub Copilot/memory search: add a GitHub Copilot embedding provider for memory search, and expose a dedicated Copilot embedding host helper so plugins can reuse the transport while honoring remote overrides, token refresh, and safer payload validation. (#61718) Thanks @feiskyer and @vincentkoc.
Agents/local models: add experimental agents.defaults.experimental.localModelLean: true to drop heavyweight default tools like browser, cron, and message, reducing prompt size for weaker local-model setups without changing the normal path. (#66495) Thanks @ImLukeF.
Packaging/plugins: localize bundled plugin runtime deps to their owning extensions, trim the published docs payload, and tighten install/package-manager guardrails so published builds stay leaner and core stops carrying extension-owned runtime baggage. (#67099) Thanks @vincentkoc.
QA/Matrix: split Matrix live QA into a source-linked qa-matrix runner and keep repo-private qa-* surfaces out of packaged and published builds. (#66723) Thanks @gumadeiras.
Docs/showcase: add a scannable hero, complete section jump links, and a responsive video grid for community examples. (#48493) Thanks @jchopard69.

Fixes

Gateway/tools: anchor trusted local MEDIA: tool-result passthrough on the exact raw name of this run's registered built-in tools, and reject client tool definitions whose names normalize-collide with a built-in or with another client tool in the same request (400 invalid_request_error on both JSON and SSE paths), so a client-supplied tool named like a built-in can no longer inherit its local-media trust. (#67303)
Agents/replay recovery: classify the provider wording 401 input item ID does not belong to this connection as replay-invalid, so users get the existing /new session reset guidance instead of a raw 401-style failure. (#66475) Thanks @dallylee.
Gateway/webchat: enforce localRoots containment on webchat audio embedding path [AI-assisted]. (#67298) Thanks @pgondhi987.
Matrix/pairing: block DM pairing-store entries from authorizing room control commands [AI-assisted]. (#67294) Thanks @pgondhi987.
Docker/build: verify @matrix-org/matrix-sdk-crypto-nodejs native bindings with find under node_modules instead of a hardcoded .pnpm/... path so pnpm v10+ virtual-store layouts no longer fail the image build. (#67143) thanks @ly85206559.
Matrix/E2EE: keep startup bootstrap conservative for passwordless token-auth bots, still attempt the guarded repair pass without requiring channels.matrix.password, and document the remaining password-UIA limitation. (#66228) Thanks @SARAMALI15792.
Cron/announce delivery: suppress mixed-content isolated cron announce replies that end with NO_REPLY so trailing silent sentinels no longer leak summary text to the target channel. (#65004) thanks @neo1027144-creator.
Plugins/bundled channels: partition bundled channel lazy caches by active bundled root so OPENCLAW_BUNDLED_PLUGINS_DIR flips stop reusing stale plugin, setup, secrets, and runtime state. (#67200) Thanks @gumadeiras.
Packaging/plugins: prune common test/spec cargo from bundled plugin runtime dependencies and fail npm release validation if packaged test cargo reappears, keeping published tarballs leaner without plugin-specific special cases. (#67275) thanks @gumadeiras.
Agents/context + Memory: trim default startup/skills prompt budgets, cap memory_get excerpts by default with explicit continuation metadata, and keep QMD reads aligned with the same bounded excerpt contract so long sessions pull less context by default without losing deterministic follow-up reads.
Matrix/commands: skip DM pairing-store reads on room traffic now that room control-command authorization ignores pairing-store entries, keeping the room path narrower without changing room auth behavior. (#67325) Thanks @gumadeiras.
Memory-core/dreaming: skip dreaming narrative transcripts from session-store metadata before bootstrap records land so dream diary prompt/prose lines do not pollute session ingestion. (#67315) thanks @jalehman.
Agents/local models: clarify low-context preflight hints for self-hosted models, point config-backed caps at the relevant OpenClaw setting, and stop suggesting larger models when agents.defaults.contextTokens is the real limit. (#66236) Thanks @ImLukeF.
Dreaming/memory-core: change the default dreaming.storage.mode from inline to separate so Dreaming phase blocks (## Light Sleep, ## REM Sleep) land in memory/dreaming/{phase}/YYYY-MM-DD.md instead of being injected into memory/YYYY-MM-DD.md. Daily memory files no longer get dominated by structured candidate output, and the daily-ingestion scanner that already strips dream marker blocks no longer has to compete with hundreds of phase-block lines on every run. Operators who want the previous behavior can opt in by setting plugins.entries.memory-core.config.dreaming.storage.mode: "inline". (#66412) Thanks @mjamiv.
Control UI/Overview: fix false-positive "missing" alerts on the Model Auth status card for aliased providers, env-backed OAuth with auth.profiles, and unresolvable env SecretRefs. (#67253) Thanks @omarshahine.
Dashboard: constrain exec approval modal overflow on desktop so long command content no longer pushes action buttons out of view. (#67082) Thanks @Ziy1-Tan.
Agents/CLI transcripts: persist successful CLI-backed turns into the OpenClaw session transcript so google-gemini-cli replies appear in session history and the Control UI again. (#67490) Thanks @obviyus.
Discord/tool-call text: strip standalone Gemma-style ... tool-call payloads from visible assistant text without truncating prose examples or trailing replies. (#67318) Thanks @joelnishanth.
WhatsApp/web-session: drain the pending per-auth creds save queue before reopening sockets so reconnect-time auth bootstrap no longer races in-flight creds.json writes and falsely restores from backup. (#67464) Thanks @neeravmakwana.
BlueBubbles/catchup: add a per-message retry ceiling (catchup.maxFailureRetries, default 10) so a persistently-failing message with a malformed payload no longer wedges the catchup cursor forever. After N consecutive processMessage failures against the same GUID, catchup logs a WARN, skips that message on subsequent sweeps, and lets the cursor advance past it. Transient failures still retry from the same point as before. Also fixes a lost-update race in the persistent dedupe file lock that silently dropped inbound GUIDs on concurrent writes, a dedupe file naming migration gap on version upgrade, and a balloon-event bypass that let catchup replay debouncer-coalesced events as standalone messages. (#67426, #66870) Thanks @omarshahine.
Ollama/chat: strip the ollama/ provider prefix from Ollama chat request model ids so configured refs like ollama/qwen3:14b-q8_0 stop 404ing against the Ollama API. (#67457) Thanks @suboss87.
Agents/tools: resolve non-workspace host tilde paths against the OS home directory and keep edit recovery aligned with that same path target, so ~/... host edit/write operations stop failing or reading back the wrong file when OPENCLAW_HOME differs. (#62804) Thanks @stainlu.
Speech/TTS: auto-enable the bundled Microsoft and ElevenLabs speech providers, and route generic TTS directive tokens through the explicit or active provider first so overrides like [[tts:speed=1.2]] stop silently landing on the wrong provider. (#62846) Thanks @stainlu.
OpenAI Codex/models: normalize stale native transport metadata in both runtime resolution and discovery/listing so legacy openai-codex rows with missing api or https://chatgpt.com/backend-api/v1 self-heal to the canonical Codex transport instead of routing requests through broken HTML/Cloudflare paths, combining the original fixes proposed in #66969 (saamuelng601-pixel) and #67159 (hclsys). (#67635)
Agents/failover: treat HTML provider error pages as upstream transport failures for CDN-style 5xx responses without misclassifying embedded body text as API rate limits, while still preserving auth remediation for HTML 401/403 pages and proxy remediation for HTML 407 pages. (#67642) Thanks @stainlu.
Gateway/skills: bump the cached skills-snapshot version whenever a config write touches skills.* (for example skills.allowBundled, skills.entries..enabled, or skills.profile). Existing agent sessions persist a skillsSnapshot in sessions.json that reuses the skill list frozen at session creation; without this invalidation, removing a bundled skill from the allowlist left the old snapshot live and the model kept calling the disabled tool, producing Tool not found loops that ran until the embedded-run timeout. (#67401) Thanks @xantorres.
Agents/tool-loop: enable the unknown-tool stream guard by default. Previously resolveUnknownToolGuardThreshold returned undefined unless tools.loopDetection.enabled was explicitly set to true, which left the protection off in the default configuration. A hallucinated or removed tool (for example himalaya after it was dropped from skills.allowBundled) would then loop "Tool X not found" attempts until the full embedded-run timeout. The guard has no false-positive surface because it only triggers on tools that are objectively not registered in the run, so it now stays on regardless of tools.loopDetection.enabled and still accepts tools.loopDetection.unknownToolThreshold as a per-run override (default 10). (#67401) Thanks @xantorres.
TUI/streaming: add a client-side streaming watchdog to tui-event-handlers so the streaming · Xm Ys activity indicator resets to idle after 30s of delta silence on the active run. Guards against lost or late state: "final" chat events (WS reconnects, gateway restarts, etc.) leaving the TUI stuck on streaming indefinitely; a new system log line surfaces the reset so users know to send a new message to resync. The window is configurable via the new streamingWatchdogMs context option (set to 0 to disable), and the handler now exposes a dispose() that clears the pending timer on shutdown. (#67401) Thanks @xantorres.
Extensions/lmstudio: add exponential backoff to the inference-preload wrapper so an LM Studio model-load failure (for example the built-in memory guardrail rejecting a load because the swap is saturated) no longer produces a WARN line every ~2s for every chat request. The wrapper now records consecutive preload failures per (baseUrl, modelKey, contextLength) tuple with a 5s → 10s → 20s → … → 5min cooldown and skips the preload step entirely while a cooldown is active, letting chat requests proceed directly to the stream (the model is often already loaded via the LM Studio UI). The combined preload failed log line now reports consecutive-failure count and remaining cooldown so operators can act on the real issue instead of drowning in repeated warnings. (#67401) Thanks @xantorres.
Agents/replay: re-run tool/result pairing after strict replay tool-call ID sanitization on outbound requests so Anthropic-compatible providers like MiniMax no longer receive malformed orphan tool-result IDs such as ...toolresult1 during compaction and retry flows. (#67620) Thanks @stainlu.
Gateway/startup: fix spurious SIGUSR1 restart loop on Linux/systemd when plugin auto-enable is the only startup config write; the config hash guard was not captured for that write path, causing chokidar to treat each boot write as an external change and trigger a reload → restart cycle that corrupts manifest.db after repeated cycles. Fixes #67436. (#67557) thanks @openperf
Codex/harness: auto-enable the Codex plugin when codex is selected as an embedded agent harness runtime, including forced default, per-agent, and OPENCLAW_AGENT_RUNTIME paths. (#67474) Thanks @duqaXxX.
OpenAI Codex/CLI: keep resumed codex exec resume runs on the safe non-interactive path without reintroducing the removed dangerous bypass flag by passing the supported --skip-git-repo-check resume arg plus Codex's native sandbox_mode="workspace-write" config override. (#67666) Thanks @plgonzalezrx8.
Codex/app-server: parse Desktop-originated app-server user agents such as Codex Desktop/0.118.0, keeping the version gate working when the Codex CLI inherits a multi-word originator. (#64666) Thanks @cyrusaf.
Cron/announce delivery: keep isolated announce NO_REPLY stripping case-insensitive across direct and text delivery, preserve structured media-only sends when a caption strips silent, and derive main-session awareness from the cleaned payloads so silent captions no longer leak stale NO_REPLY text. (#65016) Thanks @BKF-Gitty.
Sessions/Codex: skip redundant delivery-mirror transcript appends only when the latest assistant message has the same visible text, preventing duplicate visible replies on Codex-backed turns without suppressing repeated answers across turns. (#67185) Thanks @andyylin.
Auto-reply/prompt-cache: keep volatile inbound chat IDs out of the stable system prompt so task-scoped adapters can reuse prompt caches across runs, while preserving conversation metadata for the user turn and media-only messages. (#65071) Thanks @MonkeyLeeT.
BlueBubbles/inbound: restore inbound image attachment downloads on Node 22+ by stripping incompatible bundled-undici dispatchers from the non-SSRF fetch path, accept updated-message webhooks carrying attachments, use event-type-aware dedup keys so attachment follow-ups are not rejected as duplicates, and retry attachment fetch from the BB API when the initial webhook arrives with an empty array. (#64105, #61861, #65430, #67510) Thanks @omarshahine.
Agents/skills: sort prompt-facing available_skills entries by skill name after merging sources so skills.load.extraDirs order no longer changes prompt-cache prefixes. (#64198) Thanks @Bartok9.
Agents/OpenAI Responses: add models.providers.*.models.*.compat.supportsPromptCacheKey so OpenAI-compatible proxies that forward prompt_cache_key can keep prompt caching enabled while incompatible endpoints can still force stripping. (#67427) Thanks @damselem.
Agents/context engines: keep loop-hook and final afterTurn prompt-cache touch metadata aligned with the current assistant turn so cache-aware context engines retain accurate cache TTL state during tool loops. (#67767) thanks @jalehman.
Memory/dreaming: strip AI-facing inbound metadata envelopes from session-corpus user turns before normalization so REM topic extraction sees the user's actual message text, including array-shaped split envelopes. (#66548) Thanks @zqchris.
Agents/errors: detect standalone Cloudflare/CDN HTML challenge pages before transport DNS classification so provider block pages no longer appear as local DNS lookup failures. (#67704) Thanks @chris-yyau.
Security/approvals: redact secrets in exec approval prompts so inline approval review can no longer leak credential material in rendered prompt content. (#61077, #64790)
CLI/configure: re-read the persisted config hash after writes so config updates stop failing with stale-hash races. (#64188, #66528)
CLI/update: prune stale packaged dist chunks after npm upgrades and keep downgrade/verify inventory checks compat-safe so global upgrades stop failing on stale chunk imports. (#66959) Thanks @obviyus.
Onboarding/CLI: fix channel-selection crashes on globally installed CLI setups during onboarding. (#66736)
Video generation/live tests: bound provider polling for live video smoke, default to the fast non-FAL text-to-video path, and use a one-second lobster prompt so release validation no longer waits indefinitely on slow provider queues.
Memory-core/QMD memory_get: reject reads of arbitrary workspace markdown paths and only allow canonical memory files (MEMORY.md, memory.md, DREAMS.md, dreams.md, memory/**) plus exact paths of active indexed QMD workspace documents, so the QMD memory backend can no longer be used as a generic workspace-file read shim that bypasses read tool-policy denials. (#66026) Thanks @eleqtrizit.
Cron/agents: forward embedded-run tool policy and internal event params into the attempt layer so --tools allowlists, cron-owned message-tool suppression, explicit message targeting, and command-path internal events all take effect at runtime again. (#62675) Thanks @hexsprite.
Setup/providers: guard preferred-provider lookup during setup so malformed plugin metadata with a missing provider id no longer crashes the wizard with Cannot read properties of undefined (reading 'trim'). (#66649) Thanks @Tianworld.
Matrix/security: normalize sandboxed profile avatar params, preserve mxc:// avatar URLs, and surface gmail watcher stop failures during reload. (#64701) Thanks @slepybear.
Telegram/documents: drop leaked binary caption bytes from inbound Telegram text handling so document uploads like .mobi or .epub no longer explode prompt token counts. (#66663) Thanks @joelnishanth.
Gateway/auth: resolve the active gateway bearer per-request on the HTTP server and the HTTP upgrade handler via getResolvedAuth(), mirroring the WebSocket path, so a secret rotated through secrets.reload or config hot-reload stops authenticating on /v1/*, /tools/invoke, plugin HTTP routes, and the canvas upgrade path immediately instead of remaining valid on HTTP until gateway restart. (#66651) Thanks @mmaps.
Agents/compaction: cap the compaction reserve-token floor to the model context window so small-context local models (e.g. Ollama with 16K tokens) no longer trigger context-overflow errors or infinite compaction loops on every prompt. (#65671) Thanks @openperf.
Agents/OpenAI Responses: classify the exact Unknown error (no error details in response) transport failure as failover reason unknown so assistant/model fallback still runs for that no-details failure path. (#65254) Thanks @OpenCodeEngineer.
Models/probe: surface invalid-model probe failures as format instead of unknown in models list --probe, and lock the invalid-model fallback path in with regression coverage. (#50028) Thanks @xiwuqi.
Agents/failover: classify OpenAI-compatible finish_reason: network_error stream failures as timeout so model fallback retries continue instead of stopping with an unknown failover reason. (#61784) thanks @lawrence3699.
Onboarding/channels: normalize channel setup metadata before discovery and validation so malformed or mixed-shape channel plugin metadata no longer breaks setup and onboarding channel lists. (#66706) Thanks @darkamenosa.
Slack/native commands: fix option menus for slash commands such as /verbose when Slack renders native buttons by giving each button a unique action ID while still routing them through the shared openclaw_cmdarg* listener. Thanks @Wangmerlyn.
Feishu/webhook: harden the webhook transport and card-action replay guards to fail closed on missing encryptKey and blank callback tokens — refuse to start the webhook transport without an encryptKey, reject unsigned requests when no key is present instead of accepting them, and drop blank card-action tokens before the dedupe claim and dispatcher. Defense-in-depth over the already-closed monitor-account layer. (#66707) Thanks @eleqtrizit.
Agents/workspace files: route agents.files.get, agents.files.set, and workspace listing through the shared fs-safe helpers (openFileWithinRoot/readFileWithinRoot/writeFileWithinRoot), reject symlink aliases for allowlisted agent files, and have fs-safe resolve opened-file real paths from the file descriptor before falling back to path-based realpath so a symlink swap between open and realpath can no longer redirect the validated path off the intended inode. (#66636) Thanks @eleqtrizit.
Gateway/MCP loopback: switch the /mcp bearer comparison from plain !== to constant-time safeEqualSecret (matching the convention every other auth surface in the codebase uses), and reject non-loopback browser-origin requests via checkBrowserOrigin before the auth gate runs. Loopback origins (127.0.0.1:*, localhost:*, same-origin) still go through, including the localhost↔127.0.0.1 host mismatch that browsers flag as Sec-Fetch-Site: cross-site. (#66665) Thanks @eleqtrizit.
Auto-reply/billing: classify pure billing cooldown fallback summaries from structured fallback reasons so users see billing guidance instead of the generic failure reply. (#66363) Thanks @Rohan5commit.
Agents/fallback: preserve the original prompt body on model fallback retries with session history so the retrying model keeps the active task instead of only seeing a generic continue message. (#66029) Thanks @WuKongAI-CMU.
Reply/secrets: resolve active reply channel/account SecretRefs before reply-run message-action discovery so channel token SecretRefs (for example Discord) do not degrade into discovery-time unresolved-secret failures. (#66796) Thanks @joshavant.
Agents/Anthropic: ignore non-positive Anthropic Messages token overrides and fail locally when no positive token budget remains, so invalid max_tokens values no longer reach the provider API. (#66664) thanks @jalehman
Agents/context engines: preserve prompt-only token counts, not full request totals, when deferred maintenance reuses after-turn runtime context so background compaction bookkeeping matches the active prompt window. (#66820) thanks @jalehman.
BlueBubbles/inbound: add a persistent file-backed GUID dedupe so MessagePoller webhook replays after BB Server restart or reconnect no longer cause the agent to re-reply to already-handled messages. (#19176, #12053, #66816) Thanks @omarshahine.
Secrets/plugins/status: align SecretRef inspect-vs-strict handling across plugin preload, read-only status/agents surfaces, and runtime auth paths so unresolved refs no longer crash read-only CLI flows while runtime-required non-env refs stay strict. (#66818) Thanks @joshavant.
Memory/dreaming: stop ordinary transcripts that merely quote the dream-diary prompt from being classified as internal dreaming runs and silently dropped from session recall ingestion. (#66852) Thanks @gumadeiras.
Telegram/documents: sanitize binary reply context and ZIP-like archive extraction so .epub and .mobi uploads can no longer leak raw binary into prompt context through reply metadata or archive-to-text/plain coercion. (#66877) Thanks @martinfrancois.
Telegram/native commands: restore plugin-registry-backed auto defaults for native commands and native skills so Telegram slash commands keep registering when commands.native and commands.nativeSkills stay on auto. (#66843) Thanks @kashevk0.
OpenRouter/Qwen3: parse reasoning_details stream deltas as thinking content without skipping same-chunk tool calls, so Qwen3 replies no longer fail empty on OpenRouter and mixed reasoning/tool-call chunks still execute normally. (#66905) Thanks @bladin.
BlueBubbles/catchup: replay missed webhook messages after gateway restart via a persistent per-account cursor and /api/v1/message/query?after= pass, so messages delivered while the gateway was down no longer disappear. Uses the existing processMessage path and is deduped by #66816's inbound GUID cache. (#66857, #66721) Thanks @omarshahine.
Telegram/native commands: keep Telegram command-sync cache process-local so gateway restarts re-register the menu instead of trusting stale on-disk sync state after Telegram cleared commands out-of-band. (#66730) Thanks @nightq.
Audio/self-hosted STT: restore models.providers.*.request.allowPrivateNetwork for audio transcription so private or LAN speech-to-text endpoints stop tripping SSRF blocks after the v2026.4.14 regression. (#66692) Thanks @jhsmith409.
Auto-reply/media: allow workspace-rooted absolute media paths in auto-reply send flows so valid local media references no longer fail path validation. (#66689)
WhatsApp/Baileys media upload: harden encrypted upload handling so large outbound media sends avoid buffer spikes and reliability regressions. (#65966) Thanks @frankekn.
QQBot/cron: guard against undefined event.content in parseFaceTags and filterInternalMarkers so cron-triggered agent turns with no content payload no longer crash with TypeError: Cannot read properties of undefined (reading 'startsWith'). (#66302) Thanks @xinmotlanthua.
CLI/plugins: stop --dangerously-force-unsafe-install plugin installs from falling back to hook-pack installs after security scan failures, while still preserving non-security fallback behavior for real hook packs. (#58909) Thanks @hxy91819.
Claude CLI/sessions: classify No conversation found with session ID as session_expired so expired CLI-backed conversations clear the stale binding and recover on the next turn. (#65028) thanks @Ivan-Fn.
Context Engine: gracefully fall back to the legacy engine when a third-party context engine plugin fails at resolution time (unregistered id, factory throw, or contract violation), preventing a full gateway outage on every channel. (#66930) Thanks @openperf.
Control UI/chat: keep optimistic user message cards visible during active sends by deferring same-session history reloads until the active run ends, including aborted and errored runs. (#66997) Thanks @scotthuang and @vincentkoc.
Media/Slack: allow host-local CSV and Markdown uploads only when the fallback buffer actually decodes as text, so real plain-text files work without letting opaque non-text blobs renamed to .csv or .md slip past the host-read guard. (#67047) Thanks @Unayung.
Ollama/onboarding: split setup into Cloud + Local, Cloud only, and Local only, support direct OLLAMA_API_KEY cloud setup without a local daemon, and keep Ollama web search on the local-host path. (#67005) Thanks @obviyus.
Webchat/security: reject remote-host file:// URLs in the media embedding path. (#67293) Thanks @pgondhi987.
Dreaming/memory-core: use the ingestion day, not the source file day, for daily recall dedupe so repeat sweeps of the same daily note can increment dailyCount across days instead of stalling at 1. (#67091) Thanks @Bartok9.
Node-host/tools.exec: let approval binding distinguish known native binaries from mutable shell payload files, while still fail-closing unknown or racy file probes so absolute-path node-host commands like /usr/bin/whoami no longer get rejected as unsafe interpreter/runtime commands. (#66731) Thanks @tmimmanuel.

openclaw 2026.4.15-beta.2

View on GitHub

Changes

Anthropic/models: default Anthropic selections, opus aliases, Claude CLI defaults, and bundled image understanding to Claude Opus 4.7.
Google/TTS: add Gemini text-to-speech support to the bundled google plugin, including provider registration, voice selection, WAV reply output, PCM telephony output, and setup/docs guidance. (#67515) Thanks @barronlroth.

Fixes

Gateway/tools: anchor trusted local MEDIA: tool-result passthrough on the exact raw name of this run's registered built-in tools, and reject client tool definitions whose names normali

OpenClaw 2026.4.15-beta.1

View on GitHub

Changes

Control UI/Overview: add a Model Auth status card showing OAuth token health and provider rate-limit pressure at a glance, with attention callouts when OAuth tokens are expiring or expired. Backed by a new models.authStatus gateway method that strips credentials and caches for 60s. (#66211) Thanks @omarshahine.
Memory/LanceDB: add cloud storage support to memory-lancedb so durable memory indexes can run on remote object storage instead of local disk only. (#63502) Thanks @rugvedS07.
GitHub Copilot/memory search: add a GitHub Copilot embedding provider for memory search, and expose a dedicated Copilot embedding host helper so plugins can reuse the transport while honoring remote overrides, token refresh, and safer payload validation. (#61718) Thanks @feiskyer and @vincentkoc.
Agents/local models: add experimental agents.defaults.experimental.localModelLean: true to drop heavyweight default tools like browser, cron, and message, reducing prompt size for weaker local-model setups without changing the normal path. (#66495) Thanks @ImLukeF.
Packaging/plugins: localize bundled plugin runtime deps to their owning extensions, trim the published docs payload, and tighten install/package-manager guardrails so published builds stay leaner and core stops carrying extension-owned runtime baggage. (#67099) Thanks @vincentkoc.
QA/Matrix: split Matrix live QA into a source-linked qa-matrix runner and keep repo-private qa-* surfaces out of packaged and published builds. (#66723) Thanks @gumadeiras.
Docs/showcase: add a scannable hero, complete section jump links, and a responsive video grid for community examples. (#48493) Thanks @jchopard69.

Fixes

Security/approvals: redact secrets in exec approval prompts so inline approval review can no longer leak credential material in rendered prompt content. (#61077, #64790)
CLI/configure: re-read the persisted config hash after writes so config updates stop failing with stale-hash races. (#64188, #66528)
CLI/update: prune stale packaged dist chunks after npm upgrades and keep downgrade/verify inventory checks compat-safe so global upgrades stop failing on stale chunk imports. (#66959) Thanks @obviyus.
Onboarding/CLI: fix channel-selection crashes on globally installed CLI setups during onboarding. (#66736)
Video generation/live tests: bound provider polling for live video smoke, default to the fast non-FAL text-to-video path, and use a one-second lobster prompt so release validation no longer waits indefinitely on slow provider queues.
Memory-core/QMD memory_get: reject reads of arbitrary workspace markdown paths and only allow canonical memory files (MEMORY.md, memory.md, DREAMS.md, dreams.md, memory/**) plus exact paths of active indexed QMD workspace documents, so the QMD memory backend can no longer be used as a generic workspace-file read shim that bypasses read tool-policy denials. (#66026) Thanks @eleqtrizit.
Cron/agents: forward embedded-run tool policy and internal event params into the attempt layer so --tools allowlists, cron-owned message-tool suppression, explicit message targeting, and command-path internal events all take effect at runtime again. (#62675) Thanks @hexsprite.
Setup/providers: guard preferred-provider lookup during setup so malformed plugin metadata with a missing provider id no longer crashes the wizard with Cannot read properties of undefined (reading 'trim'). (#66649) Thanks @Tianworld.
Matrix/security: normalize sandboxed profile avatar params, preserve mxc:// avatar URLs, and surface gmail watcher stop failures during reload. (#64701) Thanks @slepybear.
Telegram/documents: drop leaked binary caption bytes from inbound Telegram text handling so document uploads like .mobi or .epub no longer explode prompt token counts. (#66663) Thanks @joelnishanth.
Gateway/auth: resolve the active gateway bearer per-request on the HTTP server and the HTTP upgrade handler via getResolvedAuth(), mirroring the WebSocket path, so a secret rotated through secrets.reload or config hot-reload stops authenticating on /v1/*, /tools/invoke, plugin HTTP routes, and the canvas upgrade path immediately instead of remaining valid on HTTP until gateway restart. (#66651) Thanks @mmaps.
Agents/compaction: cap the compaction reserve-token floor to the model context window so small-context local models (e.g. Ollama with 16K tokens) no longer trigger context-overflow errors or infinite compaction loops on every prompt. (#65671) Thanks @openperf.
Agents/OpenAI Responses: classify the exact Unknown error (no error details in response) transport failure as failover reason unknown so assistant/model fallback still runs for that no-details failure path. (#65254) Thanks @OpenCodeEngineer.
Models/probe: surface invalid-model probe failures as format instead of unknown in models list --probe, and lock the invalid-model fallback path in with regression coverage. (#50028) Thanks @xiwuqi.
Agents/failover: classify OpenAI-compatible finish_reason: network_error stream failures as timeout so model fallback retries continue instead of stopping with an unknown failover reason. (#61784) thanks @lawrence3699.
Onboarding/channels: normalize channel setup metadata before discovery and validation so malformed or mixed-shape channel plugin metadata no longer breaks setup and onboarding channel lists. (#66706) Thanks @darkamenosa.
Slack/native commands: fix option menus for slash commands such as /verbose when Slack renders native buttons by giving each button a unique action ID while still routing them through the shared openclaw_cmdarg* listener. Thanks @Wangmerlyn.
Feishu/webhook: harden the webhook transport and card-action replay guards to fail closed on missing encryptKey and blank callback tokens — refuse to start the webhook transport without an encryptKey, reject unsigned requests when no key is present instead of accepting them, and drop blank card-action tokens before the dedupe claim and dispatcher. Defense-in-depth over the already-closed monitor-account layer. (#66707) Thanks @eleqtrizit.
Agents/workspace files: route agents.files.get, agents.files.set, and workspace listing through the shared fs-safe helpers (openFileWithinRoot/readFileWithinRoot/writeFileWithinRoot), reject symlink aliases for allowlisted agent files, and have fs-safe resolve opened-file real paths from the file descriptor before falling back to path-based realpath so a symlink swap between open and realpath can no longer redirect the validated path off the intended inode. (#66636) Thanks @eleqtrizit.
Gateway/MCP loopback: switch the /mcp bearer comparison from plain !== to constant-time safeEqualSecret (matching the convention every other auth surface in the codebase uses), and reject non-loopback browser-origin requests via checkBrowserOrigin before the auth gate runs. Loopback origins (127.0.0.1:*, localhost:*, same-origin) still go through, including the localhost↔127.0.0.1 host mismatch that browsers flag as Sec-Fetch-Site: cross-site. (#66665) Thanks @eleqtrizit.
Auto-reply/billing: classify pure billing cooldown fallback summaries from structured fallback reasons so users see billing guidance instead of the generic failure reply. (#66363) Thanks @Rohan5commit.
Agents/fallback: preserve the original prompt body on model fallback retries with session history so the retrying model keeps the active task instead of only seeing a generic continue message. (#66029) Thanks @WuKongAI-CMU.
Reply/secrets: resolve active reply channel/account SecretRefs before reply-run message-action discovery so channel token SecretRefs (for example Discord) do not degrade into discovery-time unresolved-secret failures. (#66796) Thanks @joshavant.
Agents/Anthropic: ignore non-positive Anthropic Messages token overrides and fail locally when no positive token budget remains, so invalid max_tokens values no longer reach the provider API. (#66664) thanks @jalehman
Agents/context engines: preserve prompt-only token counts, not full request totals, when deferred maintenance reuses after-turn runtime context so background compaction bookkeeping matches the active prompt window. (#66820) thanks @jalehman.
BlueBubbles/inbound: add a persistent file-backed GUID dedupe so MessagePoller webhook replays after BB Server restart or reconnect no longer cause the agent to re-reply to already-handled messages. (#19176, #12053, #66816) Thanks @omarshahine.
Secrets/plugins/status: align SecretRef inspect-vs-strict handling across plugin preload, read-only status/agents surfaces, and runtime auth paths so unresolved refs no longer crash read-only CLI flows while runtime-required non-env refs stay strict. (#66818) Thanks @joshavant.
Memory/dreaming: stop ordinary transcripts that merely quote the dream-diary prompt from being classified as internal dreaming runs and silently dropped from session recall ingestion. (#66852) Thanks @gumadeiras.
Telegram/documents: sanitize binary reply context and ZIP-like archive extraction so .epub and .mobi uploads can no longer leak raw binary into prompt context through reply metadata or archive-to-text/plain coercion. (#66877) Thanks @martinfrancois.
Telegram/native commands: restore plugin-registry-backed auto defaults for native commands and native skills so Telegram slash commands keep registering when commands.native and commands.nativeSkills stay on auto. (#66843) Thanks @kashevk0.
OpenRouter/Qwen3: parse reasoning_details stream deltas as thinking content without skipping same-chunk tool calls, so Qwen3 replies no longer fail empty on OpenRouter and mixed reasoning/tool-call chunks still execute normally. (#66905) Thanks @bladin.
fix(bluebubbles): replay missed webhook messages after gateway restart via a persistent per-account cursor and /api/v1/message/query?after= pass, so messages delivered while the gateway was down no longer disappear. Uses the existing processMessage path and is deduped by #66816's inbound GUID cache. (#66857, #66721) Thanks @omarshahine.
Telegram/native commands: keep Telegram command-sync cache process-local so gateway restarts re-register the menu instead of trusting stale on-disk sync state after Telegram cleared commands out-of-band. (#66730) Thanks @nightq.
Audio/self-hosted STT: restore models.providers.*.request.allowPrivateNetwork for audio transcription so private or LAN speech-to-text endpoints stop tripping SSRF blocks after the v2026.4.14 regression. (#66692) Thanks @jhsmith409.
Auto-reply/media: allow workspace-rooted absolute media paths in auto-reply send flows so valid local media references no longer fail path validation. (#66689)
WhatsApp/Baileys media upload: harden encrypted upload handling so large outbound media sends avoid buffer spikes and reliability regressions. (#65966) Thanks @frankekn.
QQBot/cron: guard against undefined event.content in parseFaceTags and filterInternalMarkers so cron-triggered agent turns with no content payload no longer crash with TypeError: Cannot read properties of undefined (reading 'startsWith'). (#66302) Thanks @xinmotlanthua.
CLI/plugins: stop --dangerously-force-unsafe-install plugin installs from falling back to hook-pack installs after security scan failures, while still preserving non-security fallback behavior for real hook packs. (#58909) Thanks @hxy91819.
Claude CLI/sessions: classify No conversation found with session ID as session_expired so expired CLI-backed conversations clear the stale binding and recover on the next turn. (#65028) thanks @Ivan-Fn.
Context Engine: gracefully fall back to the legacy engine when a third-party context engine plugin fails at resolution time (unregistered id, factory throw, or contract violation), preventing a full gateway outage on every channel. (#66930) Thanks @openperf.
Control UI/chat: keep optimistic user message cards visible during active sends by deferring same-session history reloads until the active run ends, including aborted and errored runs. (#66997) Thanks @scotthuang and @vincentkoc.
Media/Slack: allow host-local CSV and Markdown uploads only when the fallback buffer actually decodes as text, so real plain-text files work without letting opaque non-text blobs renamed to .csv or .md slip past the host-read guard. (#67047) Thanks @Unayung.
Ollama/onboarding: split setup into Cloud + Local, Cloud only, and Local only, support direct OLLAMA_API_KEY cloud setup without a local daemon, and keep Ollama web search on the local-host path. (#67005) Thanks @obviyus.
Docker/build: verify @matrix-org/matrix-sdk-crypto-nodejs native bindings with find under node_modules instead of a hardcoded .pnpm/... path so pnpm v10+ virtual-store layouts no longer fail the image build. (#67143) Thanks @ly85206559.
Matrix/E2EE: keep startup bootstrap conservative for passwordless token-auth bots, still attempt the guarded repair pass without requiring channels.matrix.password, and document the remaining password-UIA limitation. (#66228) Thanks @SARAMALI15792.
Cron/announce delivery: suppress mixed-content isolated cron announce replies that end with NO_REPLY so trailing silent sentinels no longer leak summary text to the target channel. (#65004) Thanks @neo1027144-creator.
Plugins/bundled channels: partition bundled channel lazy caches by active bundled root so OPENCLAW_BUNDLED_PLUGINS_DIR flips stop reusing stale plugin, setup, secrets, and runtime state. (#67200) Thanks @gumadeiras.
Packaging/plugins: prune common test/spec cargo from bundled plugin runtime dependencies and fail npm release validation if packaged test cargo reappears, keeping published tarballs leaner without plugin-specific special cases. (#67275) Thanks @gumadeiras.
Agents/context + Memory: trim default startup/skills prompt budgets, cap memory_get excerpts by default with explicit continuation metadata, and keep QMD reads aligned with the same bounded excerpt contract so long sessions pull less context by default without losing deterministic follow-up reads.
Matrix/commands: skip DM pairing-store reads on room traffic now that room control-command authorization ignores pairing-store entries, keeping the room path narrower without changing room auth behavior. (#67325) Thanks @gumadeiras.
Matrix/security: block DM pairing-store entries from authorizing room control commands. (#67294) Thanks @pgondhi987.
Gateway/security: enforce localRoots containment on the webchat audio embedding path. (#67298) Thanks @pgondhi987.
Webchat/security: reject remote-host file:// URLs in the media embedding path. (#67293) Thanks @pgondhi987.
Dreaming/memory-core: use the ingestion day, not the source file day, for daily recall dedupe so repeat sweeps of the same daily note can increment dailyCount across days instead of stalling at 1. (#67091) Thanks @Bartok9.

openclaw 2026.4.14

View on GitHub

OpenClaw 2026.4.14 is another broad quality release focused on model provider with explicit turn improvements for GPT-5 family and channel provider issues. Additionally we improved overal performance with refactors to our underlying core codebase.

Changes

OpenAI Codex/models: add forward-compat support for gpt-5.4-pro, including Codex pricing/limits and list/status visibility before the upstream catalog catches up. (#66453) Thanks @jepson-liu.
Telegram/forum topics: surface human topic names in agent context, prompt metadata, and plugin hook metadata by learning names from Telegram forum service messages. (#65973) Thanks @ptahdunbar.

Fixes

Agents/Ollama: forward the configured embedded-run timeout into the global undici stream timeout tuning so slow local Ollama runs no longer inherit the default stream cutoff instead of the operator-set run timeout. (#63175) Thanks @mindcraftreader and @vincentkoc.
Models/Codex: include apiKey in the codex provider catalog output so the Pi ModelRegistry validator no longer rejects the entry and silently drops all custom models from every provider in models.json. (#66180) Thanks @hoyyeva.
Tools/image+pdf: normalize configured provider/model refs before media-tool registry lookup so image and PDF tool runs stop rejecting valid Ollama vision models as unknown just because the tool path skipped the usual model-ref normalization step. (#59943) Thanks @yqli2420 and @vincentkoc.
Slack/interactions: apply the configured global allowFrom owner allowlist to channel block-action and modal interactive events, require an expected sender id for cross-verification, and reject ambiguous channel types so interactive triggers can no longer bypass the documented allowlist intent in channels without a users list. Open-by-default behavior is preserved when no allowlists are configured. (#66028) Thanks @eleqtrizit.
Media-understanding/attachments: fail closed when a local attachment path cannot be canonically resolved via realpath, so a realpath error can no longer downgrade the canonical-roots allowlist check to a non-canonical comparison; attachments that also have a URL still fall back to the network fetch path. (#66022) Thanks @eleqtrizit.
Agents/gateway-tool: reject config.patch and config.apply calls from the model-facing gateway tool when they would newly enable any flag enumerated by openclaw security audit (for example dangerouslyDisableDeviceAuth, allowInsecureAuth, dangerouslyAllowHostHeaderOriginFallback, hooks.gmail.allowUnsafeExternalContent, tools.exec.applyPatch.workspaceOnly: false); already-enabled flags pass through unchanged so non-dangerous edits in the same patch still apply, and direct authenticated operator RPC behavior is unchanged. (#62006) Thanks @eleqtrizit.
Google image generation: strip a trailing /openai suffix from configured Google base URLs only when calling the native Gemini image API so Gemini image requests stop 404ing without breaking explicit OpenAI-compatible Google endpoints. (#66445) Thanks @dapzthelegend.
Telegram/forum topics: persist learned topic names to the Telegram session sidecar store so agent context can keep using human topic names after a restart instead of relearning from future service metadata. (#66107) Thanks @obviyus.
Doctor/systemd: keep openclaw doctor --repair and service reinstall from re-embedding dotenv-backed secrets in user systemd units, while preserving newer inline overrides over stale state-dir .env values. (#66249) Thanks @tmimmanuel.
Ollama/OpenAI-compat: send stream_options.include_usage for Ollama streaming completions so local Ollama runs report real usage instead of falling back to bogus prompt-token counts that trigger premature compaction. (#64568) Thanks @xchunzhao and @vincentkoc.
Doctor/plugins: cache external preferOver catalog lookups within each plugin auto-enable pass so large agents.list configs no longer peg CPU and repeatedly reread plugin catalogs during doctor/plugins resolution. (#66246) Thanks @yfge.
GitHub Copilot/thinking: allow github-copilot/gpt-5.4 to use xhigh reasoning so Copilot GPT-5.4 matches the rest of the GPT-5.4 family. (#50168) Thanks @jakepresent and @vincentkoc.
Memory/embeddings: preserve non-OpenAI provider prefixes when normalizing OpenAI-compatible embedding model refs so proxy-backed memory providers stop failing with Unknown memory embedding provider. (#66452) Thanks @jlapenna.
Agents/local models: clarify low-context preflight hints for self-hosted models, point config-backed caps at the relevant OpenClaw setting, and stop suggesting larger models when agents.defaults.contextTokens is the real limit. (#66236) Thanks @ImLukeF.
Browser/SSRF: restore hostname navigation under the default browser SSRF policy while keeping explicit strict mode reachable from config, and keep managed loopback CDP /json/new fallback requests on the local CDP control policy so browser follow-up fixes stop regressing normal navigation or self-blocking local CDP control. (#66386) Thanks @obviyus.
Models/Codex: canonicalize the legacy openai-codex/gpt-5.4-codex runtime alias to openai-codex/gpt-5.4 while still honoring alias-specific and canonical per-model overrides. (#43060) Thanks @Sapientropic and @vincentkoc.
Browser/SSRF: preserve explicit strict browser navigation mode for legacy browser.ssrfPolicy.allowPrivateNetwork: false configs by normalizing the legacy alias to the canonical strict marker instead of silently widening those installs to the default non-strict hostname-navigation path.
Onboarding/custom providers: use max_tokens=16 for OpenAI-compatible verification probes so stricter custom endpoints stop rejecting onboarding checks that only need a tiny completion. (#66450) Thanks @WuKongAI-CMU.
Agents/subagents: emit the subagent registry lazy-runtime stub on the stable dist path that both source and bundled runtime imports resolve, so the follow-up dist fix no longer still fails with ERR_MODULE_NOT_FOUND at runtime. (#66420) Thanks @obviyus.
Media-understanding/proxy env: auto-upgrade provider HTTP helper requests to trusted env-proxy mode only when HTTP_PROXY/HTTPS_PROXY is active and the target is not bypassed by NO_PROXY, so remote media-understanding and transcription requests stop failing local DNS pre-resolution in proxy-only environments without widening SSRF bypasses. (#52162) Thanks @mjamiv and @vincentkoc.
Telegram/media downloads: let Telegram media fetches trust an operator-configured explicit proxy for target DNS resolution after hostname-policy checks, so proxy-backed installs stop failing could not download media on Bot API file downloads after the DNS-pinning regression. (#66245) Thanks @dawei41468 and @vincentkoc.
Browser: keep loopback CDP readiness checks reachable under strict SSRF defaults so OpenClaw can reconnect to locally started managed Chrome. (#66354) Thanks @hxy91819.
Agents/context engine: compact engine-owned sessions from the first tool-loop delta and preserve ingest fallback when afterTurn is absent, so long-running tool loops can stay bounded without dropping engine state. (#63555) Thanks @Bikkies.
OpenAI Codex/auth: keep malformed Codex CLI auth-file diagnostics on the debug logger instead of stdout so interactive command output stays clean while auth read failures remain traceable. (#66451) Thanks @SimbaKingjoe.
Discord/native commands: return the real status card for native /status interactions instead of falling through to the synthetic ✅ Done. ack when the generic dispatcher produces no visible reply. (#54629) Thanks @tkozzer and @vincentkoc.
Hooks/Ollama: let LLM-backed session-memory slug generation honor an explicit agents.defaults.timeoutSeconds override instead of always aborting after 15 seconds, so slow local Ollama runs stop silently dropping back to generic filenames. (#66237) Thanks @dmak and @vincentkoc.
Media/transcription: remap .aac filenames to .m4a for OpenAI-compatible audio uploads so AAC voice notes stop failing MIME-sensitive transcription endpoints. (#66446) Thanks @ben-z.
UI/chat: replace marked.js with markdown-it so maliciously crafted markdown can no longer freeze the Control UI via ReDoS. (#46707) Thanks @zhangfnf.
Auto-reply/send policy: keep sendPolicy: "deny" from blocking inbound message processing, so the agent still runs its turn while all outbound delivery is suppressed for observer-style setups. (#65461, #53328) Thanks @omarshahine.
BlueBubbles: lazy-refresh the Private API server-info cache on send when reply threading or message effects are requested but status is unknown, so sends no longer silently degrade to plain messages when the 10-minute cache expires. (#65447, #43764) Thanks @omarshahine.
Heartbeat/security: force owner downgrade for untrusted hook:wake system events [AI-assisted]. (#66031) Thanks @pgondhi987.
Browser/security: enforce SSRF policy on snapshot, screenshot, and tab routes [AI]. (#66040) Thanks @pgondhi987.
Microsoft Teams/security: enforce sender allowlist checks on SSO signin invokes [AI]. (#66033) Thanks @pgondhi987.
Config/security: redact sourceConfig and runtimeConfig alias fields in redactConfigSnapshot [AI]. (#66030) Thanks @pgondhi987.
Agents/context engines: run opt-in turn maintenance as idle-aware background work so the next foreground turn no longer waits on proactive maintenance. (#65233) Thanks @100yenadmin.
Plugins/status: report the registered context-engine IDs in plugins inspect instead of the owning plugin ID, so non-matching engine IDs and multi-engine plugins are classified correctly. (#58766) Thanks @zhuisDEV.
Context engines: reject resolved plugin engines whose reported info.id does not match their registered slot id, so malformed engines fail fast before id-based runtime branches can misbehave. (#63222) Thanks @fuller-stack-dev.
WhatsApp: patch installed Baileys media encryption writes during OpenClaw postinstall so the default npm/install.sh delivery path waits for encrypted media files to finish flushing before readback, avoiding transient ENOENT crashes on image sends. (#65896) Thanks @frankekn.
Gateway/update: unify service entrypoint resolution around the canonical bundled gateway entrypoint so update, reinstall, and doctor repair stop drifting between stale dist/entry.js and current dist/index.js paths. (#65984) Thanks @mbelinky.
Heartbeat/Telegram topics: keep isolated heartbeat replies on the bound forum topic when target=last, instead of dropping them into the group root chat. (#66035) Thanks @mbelinky.
Browser/CDP: let managed local Chrome readiness, status probes, and managed loopback CDP control bypass browser SSRF policy for their own loopback control plane, so OpenClaw no longer misclassifies a healthy child browser as "not reachable after start". (#65695, #66043) Thanks @mbelinky.
Gateway/sessions: stop heartbeat, cron-event, and exec-event turns from overwriting shared-session routing and origin metadata, preventing synthetic heartbeat targets from poisoning later cron or user delivery. (#66073, #63733, #35300) Thanks @mbelinky.
Browser/CDP: let local attach-only manual-cdp profiles reuse the local loopback CDP control plane under strict default policy and remote-class probe timeouts, so tabs/snapshot stop falsely reporting a live local browser session as not running. (#65611, #66080) Thanks @mbelinky.
Cron/scheduler: stop inventing short retries when cron next-run calculation returns no valid future slot, and keep a maintenance wake armed so enabled unscheduled jobs recover without entering a refire loop. (#66019, #66083) Thanks @mbelinky.
Cron/scheduler: preserve the active error-backoff floor when maintenance repair recomputes a missing cron next-run, so recurring errored jobs do not resume early after a transient next-run resolution failure. (#66019, #66083, #66113) Thanks @mbelinky.
Outbound/delivery-queue: persist the originating outbound session context on queued delivery entries and replay it during recovery, so write-ahead-queued sends keep their original outbound media policy context after restart instead of evaluating against a missing session. (#66025) Thanks @eleqtrizit.
Memory/Ollama: restore the built-in ollama embedding adapter in memory-core so explicit memorySearch.provider: "ollama" works again, and include endpoint-aware cache keys so different Ollama hosts do not reuse each other's embeddings. (#63429, #66078, #66163) Thanks @nnish16 and @vincentkoc.
Auto-reply/queue: split collect-mode followup drains into contiguous groups by per-message authorization context (sender id, owner status, exec/bash-elevated overrides), so queued items from different senders or exec configs no longer execute under the last queued run's owner-only and exec-approval context. (#66024) Thanks @eleqtrizit.
Dreaming/memory-core: require a live queued Dreaming cron event before the heartbeat hook runs the sweep, so managed Dreaming no longer replays on later heartbeats after the scheduled run was already consumed. (#66139) Thanks @mbelinky.
Control UI/Dreaming: stop Imported Insights and Memory Palace from calling optional memory-wiki gateway methods when the plugin is off, and refresh config before wiki reloads so the Dreaming tab stops showing misleading unknown-method failures. (#66140) Thanks @mbelinky.
Agents/tools: only mark streamed unknown-tool retries as counted when a streamed message actually classifies an unavailable tool, and keep incomplete streamed tool names from resetting the retry streak before the final assistant message arrives. (#66145) Thanks @dutifulbob.
Memory/active-memory: move recalled memory onto the hidden untrusted prompt-prefix path instead of system prompt injection, label the visible Active Memory status line fields, and include the resolved recall provider/model in gateway debug logs so trace/debug output matches what the model actually saw. (#66144) Thanks @Takhoffman.
Memory/QMD: stop treating legacy lowercase memory.md as a second default root collection, so QMD recall no longer searches phantom memory-alt-* collections and builtin/QMD root-memory fallback stays aligned. (#66141) Thanks @mbelinky.
Agents/subagents: ship dist/agents/subagent-registry.runtime.js in npm builds so runtime: "subagent" runs stop stalling in queued after the registry import fails. (#66189) Thanks @yqli2420 and @vincentkoc.
Agents/OpenAI: map minimal thinking to OpenAI's supported low reasoning effort for GPT-5.4 requests, so embedded runs stop failing request validation. Thanks @steipete.
Voice-call/media-stream: resolve the source IP from trusted forwarding headers for per-IP pending-connection limits when webhookSecurity.trustForwardingHeaders and trustedProxyIPs are configured, and reserve maxConnections capacity for in-flight WebSocket upgrades so concurrent handshakes can no longer momentarily exceed the operator-set cap. (#66027) Thanks @eleqtrizit.
Feishu/allowlist: canonicalize allowlist entries by explicit user/chat kind, strip repeated feishu:/lark: provider prefixes, and stop folding opaque Feishu IDs to lowercase, so allowlist matching no longer crosses user/chat namespaces or widens to case-insensitive ID matches the operator did not intend. (#66021) Thanks @eleqtrizit.
Telegram/status commands: let read-only status slash commands bypass busy topic turns, while keeping /export-session on the normal lane so it cannot interleave with an in-flight session mutation. (#66226) Thanks @VACInc and @vincentkoc.
TTS/reply media: persist OpenClaw temp voice outputs into managed outbound media and allow them through reply-media normalization, so voice-note replies stop silently dropping. (#63511) Thanks @jetd1.
Agents/tools: treat Windows drive-letter paths (C:\\...) as absolute when resolving sandbox and read-tool paths so workspace root is not prepended under POSIX path rules. (#54039) Thanks @ly85206559 and @vincentkoc.
Agents/OpenAI: recover embedded GPT-style runs when reasoning-only or empty turns need bounded continuation, with replay-safe retry gating and incomplete-turn fallback when no visible answer arrives. (#66167) thanks @jalehman
Outbound/relay-status: suppress internal relay-status placeholder payloads (No channel reply., Replied in-thread., Replied in #..., wiki-update status variants ending in No channel reply.) before channel delivery so internal housekeeping text does not leak to users.
Slack/doctor: add a dedicated doctor-contract sidecar so config warmup paths such as openclaw cron no longer fall back to Slack's broader contract surface, which could trigger Slack-related config-read crashes on affected setups. (#63192) Thanks @shhtheonlyperson.
Hooks/session-memory: pass the resolved agent workspace into gateway /new and /reset session-memory hooks so reset snapshots stay scoped to the right agent workspace instead of leaking into the default workspace. (#64735) Thanks @suboss87 and @vincentkoc.
CLI/approvals: raise the default openclaw approvals get gateway timeout and report config-load timeouts explicitly, so slow hosts stop showing a misleading Config unavailable. note when the approvals snapshot succeeds but the follow-up config RPC needs more time. (#66239) Thanks @neeravmakwana.
Media/store: honor configured agent media limits when saving generated media and persisting outbound reply media, so the store no longer hard-stops those flows at 5 MB before the configured limit applies. (#66229) Thanks @neeravmakwana and @vincentkoc.

openclaw 2026.4.14-beta.1

View on GitHub

Changes

Telegram/forum topics: surface human topic names in agent context, prompt metadata, and plugin hook metadata by learning names from Telegram forum service messages. (#65973) Thanks @ptahdunbar.

Fixes

UI/chat: replace marked.js with markdown-it so maliciously crafted markdown can no longer freeze the Control UI via ReDoS. (#46707) Thanks @zhangfnf.
Auto-reply/send policy: keep sendPolicy: "deny" from blocking inbound message processing, so the agent still runs its turn while all outbound delivery is suppressed for observer-style setups. (#65461, #53328) Thanks @omarshahine.
BlueBubbles: lazy-refresh the Private API server-info cache on send when reply threading or message effects are requested but status is unknown, so sends no longer silently degrade to plain messages when the 10-minute cache expires. (#65447, #43764) Thanks @omarshahine.
Heartbeat/security: force owner downgrade for untrusted hook:wake system events [AI-assisted]. (#66031) Thanks @pgondhi987.
Browser/security: enforce SSRF policy on snapshot, screenshot, and tab routes [AI]. (#66040) Thanks @pgondhi987.
Microsoft Teams/security: enforce sender allowlist checks on SSO signin invokes [AI]. (#66033) Thanks @pgondhi987.
Config/security: redact sourceConfig and runtimeConfig alias fields in redactConfigSnapshot [AI]. (#66030) Thanks @pgondhi987.
Agents/context engines: run opt-in turn maintenance as idle-aware background work so the next foreground turn no longer waits on proactive maintenance. (#65233) Thanks @100yenadmin.
Plugins/status: report the registered context-engine IDs in plugins inspect instead of the owning plugin ID, so non-matching engine IDs and multi-engine plugins are classified correctly. (#58766) Thanks @zhuisDEV.
Context engines: reject resolved plugin engines whose reported info.id does not match their registered slot id, so malformed engines fail fast before id-based runtime branches can misbehave. (#63222) Thanks @fuller-stack-dev.
WhatsApp: patch installed Baileys media encryption writes during OpenClaw postinstall so the default npm/install.sh delivery path waits for encrypted media files to finish flushing before readback, avoiding transient ENOENT crashes on image sends. (#65896) Thanks @frankekn.
Gateway/update: unify service entrypoint resolution around the canonical bundled gateway entrypoint so update, reinstall, and doctor repair stop drifting between stale dist/entry.js and current dist/index.js paths. (#65984) Thanks @mbelinky.
Heartbeat/Telegram topics: keep isolated heartbeat replies on the bound forum topic when target=last, instead of dropping them into the group root chat. (#66035) Thanks @mbelinky.
Browser/CDP: let managed local Chrome readiness, status probes, and managed loopback CDP control bypass browser SSRF policy for their own loopback control plane, so OpenClaw no longer misclassifies a healthy child browser as "not reachable after start". (#65695, #66043) Thanks @mbelinky.
Gateway/sessions: stop heartbeat, cron-event, and exec-event turns from overwriting shared-session routing and origin metadata, preventing synthetic heartbeat targets from poisoning later cron or user delivery. (#66073, #63733, #35300) Thanks @mbelinky.
Browser/CDP: let local attach-only manual-cdp profiles reuse the local loopback CDP control plane under strict default policy and remote-class probe timeouts, so tabs/snapshot stop falsely reporting a live local browser session as not running. (#65611, #66080) Thanks @mbelinky.
Cron/scheduler: stop inventing short retries when cron next-run calculation returns no valid future slot, and keep a maintenance wake armed so enabled unscheduled jobs recover without entering a refire loop. (#66019, #66083) Thanks @mbelinky.
Cron/scheduler: preserve the active error-backoff floor when maintenance repair recomputes a missing cron next-run, so recurring errored jobs do not resume early after a transient next-run resolution failure. (#66019, #66083, #66113) Thanks @mbelinky.
Outbound/delivery-queue: persist the originating outbound session context on queued delivery entries and replay it during recovery, so write-ahead-queued sends keep their original outbound media policy context after restart instead of evaluating against a missing session. (#66025) Thanks @eleqtrizit.
Auto-reply/queue: split collect-mode followup drains into contiguous groups by per-message authorization context (sender id, owner status, exec/bash-elevated overrides), so queued items from different senders or exec configs no longer execute under the last queued run's owner-only and exec-approval context. (#66024) Thanks @eleqtrizit.
Dreaming/memory-core: require a live queued Dreaming cron event before the heartbeat hook runs the sweep, so managed Dreaming no longer replays on later heartbeats after the scheduled run was already consumed. (#66139) Thanks @mbelinky.
Control UI/Dreaming: stop Imported Insights and Memory Palace from calling optional memory-wiki gateway methods when the plugin is off, and refresh config before wiki reloads so the Dreaming tab stops showing misleading unknown-method failures. (#66140) Thanks @mbelinky.
Agents/tools: only mark streamed unknown-tool retries as counted when a streamed message actually classifies an unavailable tool, and keep incomplete streamed tool names from resetting the retry streak before the final assistant message arrives. (#66145) Thanks @dutifulbob.
Memory/active-memory: move recalled memory onto the hidden untrusted prompt-prefix path instead of system prompt injection, label the visible Active Memory status line fields, and include the resolved recall provider/model in gateway debug logs so trace/debug output matches what the model actually saw. (#66144) Thanks @Takhoffman.
Memory/QMD: stop treating legacy lowercase memory.md as a second default root collection, so QMD recall no longer searches phantom memory-alt-* collections and builtin/QMD root-memory fallback stays aligned. (#66141) Thanks @mbelinky.
Agents/OpenAI: map minimal thinking to OpenAI's supported low reasoning effort for GPT-5.4 requests, so embedded runs stop failing request validation. Thanks @steipete.
Voice-call/media-stream: resolve the source IP from trusted forwarding headers for per-IP pending-connection limits when webhookSecurity.trustForwardingHeaders and trustedProxyIPs are configured, and reserve maxConnections capacity for in-flight WebSocket upgrades so concurrent handshakes can no longer momentarily exceed the operator-set cap. (#66027) Thanks @eleqtrizit.
Feishu/allowlist: canonicalize allowlist entries by explicit user/chat kind, strip repeated feishu:/lark: provider prefixes, and stop folding opaque Feishu IDs to lowercase, so allowlist matching no longer crosses user/chat namespaces or widens to case-insensitive ID matches the operator did not intend. (#66021) Thanks @eleqtrizit.
TTS/reply media: persist OpenClaw temp voice outputs into managed outbound media and allow them through reply-media normalization, so voice-note replies stop silently dropping. (#63511) Thanks @jetd1.
Agents/tools: treat Windows drive-letter paths (C:\\...) as absolute when resolving sandbox and read-tool paths so workspace root is not prepended under POSIX path rules. (#54039) Thanks @ly85206559 and @vincentkoc.
Agents/OpenAI: recover embedded GPT-style runs when reasoning-only or empty turns need bounded continuation, with replay-safe retry gating and incomplete-turn fallback when no visible answer arrives. (#66167) thanks @jalehman
Outbound/relay-status: suppress internal relay-status placeholder payloads (No channel reply., Replied in-thread., Replied in #..., wiki-update status variants ending in No channel reply.) before channel delivery so internal housekeeping text does not leak to users.
Slack/doctor: add a dedicated doctor-contract sidecar so config warmup paths such as openclaw cron no longer fall back to Slack's broader contract surface, which could trigger Slack-related config-read crashes on affected setups. (#63192) Thanks @shhtheonlyperson.
Hooks/session-memory: pass the resolved agent workspace into gateway /new and /reset session-memory hooks so reset snapshots stay scoped to the right agent workspace instead of leaking into the default workspace. (#64735) Thanks @suboss87 and @vincentkoc.

openclaw 2026.4.12

View on GitHub

OpenClaw 2026.4.12 is a broad quality release focused on plugin loading, memory and dreaming reliability, new local-model options, and a much smoother Feishu setup path.

Changes

QA/lab: add Convex-backed pooled Telegram credential leasing plus openclaw qa credentials admin commands and broker setup docs. (#65596) Thanks @joshavant.
Memory/Active Memory: add a new optional Active Memory plugin that gives OpenClaw a dedicated memory sub-agent right before the main reply, so ongoing chats can automatically pull in relevant preferences, context, and past details without making users remember to manually say "remember this" or "search memory" first. Includes configurable message/recent/full context modes, live /verbose inspection, advanced prompt/thinking overrides for tuning, and opt-in transcript persistence for debugging. (#63286) Thanks @Takhoffman.
macOS/Talk: add an experimental local MLX speech provider for Talk Mode, with explicit provider selection, local utterance playback, interruption handling, and system-voice fallback. (#63539) Thanks @ImLukeF.
CLI/exec policy: add a local openclaw exec-policy command with show, preset, and set subcommands for synchronizing requested tools.exec.* config with the local exec approvals file, plus follow-up hardening for node-host rejection, rollback safety, and sync conflict detection. (#64050)
Gateway: add a commands.list RPC so remote gateway clients can discover runtime-native, text, skill, and plugin commands with surface-aware naming and serialized argument metadata. (#62656) Thanks @samzong.
Models/providers: add per-provider models.providers.*.request.allowPrivateNetwork for trusted self-hosted OpenAI-compatible endpoints, keep the opt-in scoped to model request surfaces, and refresh cached WebSocket managers when request transport overrides change. (#63671) Thanks @qas.
QA/testing: add a --runner multipass lane for openclaw qa suite so repo-backed QA scenarios can run inside a disposable Linux VM and write back the usual report, summary, and VM logs. (#63426) Thanks @shakkernerd.
Docs i18n: chunk raw doc translation, reject truncated tagged outputs, avoid ambiguous body-only wrapper unwrapping, and recover from terminated Pi translation sessions without changing the default openai/gpt-5.4 path. (#62969, #63808) Thanks @hxy91819.
Control UI/dreaming: simplify the Scene and Diary surfaces, preserve unknown phase state for partial status payloads, and stabilize waiting-entry recency ordering so Dreaming status and review lists stay clear and deterministic. (#64035) Thanks @davemorin.
Gateway: split startup and runtime seams so gateway lifecycle sequencing, reload state, and shutdown behavior stay easier to maintain without changing observed behavior. (#63975) Thanks @gumadeiras.
Matrix/partial streaming: add MSC4357 live markers to draft preview sends and edits so supporting Matrix clients can render a live/typewriter animation and stop it when the final edit lands. (#63513) Thanks @TigerInYourDream.
QA/Telegram: add a live openclaw qa telegram lane for private-group bot-to-bot checks, harden its artifact handling, and preserve native Telegram command reply threading for QA verification. (#64303) Thanks @obviyus.
Models/Codex: add the bundled Codex provider and plugin-owned app-server harness so codex/gpt-* models use Codex-managed auth, native threads, model discovery, and compaction while openai/gpt-* stays on the normal OpenAI provider path. (#64298) Thanks @steipete.
Models/providers: add a bundled LM Studio provider with onboarding, runtime model discovery, stream preload support, and memory-search embeddings for local/self-hosted OpenAI-compatible models. (#53248) Thanks @rugvedS07.
Plugins/loading: narrow CLI, provider, and channel activation to manifest-declared needs, preserve explicit scope and trust boundaries, and centralize manifest-owner policy so startup, command discovery, and runtime activation avoid loading unrelated plugin runtime. (#65120, #65259, #65298, #65429, #65459) Thanks @vincentkoc.
Memory/active-memory: default QMD recall to search and surface better search-path telemetry so memory-backed recall works more predictably out of the box. (#65068) Thanks @Takhoffman.
Docs/providers: expand bundled provider docs with richer capability, env-var, and setup guidance across provider pages.
Docs/memory-wiki: add the recommended QMD + bridge-mode hybrid recipe plus zero-artifact troubleshooting guidance for memory-wiki bridge setups. (#63165) Thanks @sercada and @vincentkoc.

Fixes

Security/busybox: remove busybox/toybox from interpreter-like safe bins (#65713) Thanks @pgondhi987.
Security/Approval: prevent empty approver list from granting explicit approval authorization (#65714) Thanks @pgondhi987.
Security/Shell: broaden shell-wrapper detection and block env-argv assignment injection (#65717) Thanks @pgondhi987.
Gateway/startup: defer scheduled services until sidecars finish, gate chat history and model listing during sidecar resume, and let Control UI retry startup-gated history loads so Sandbox wake resumes channels first. (#65365) Thanks @lml2468.
Control UI/chat: load the live gateway slash-command catalog into the composer and command palette so dock commands, plugin commands, and direct skill aliases appear in chat, while keeping trusted local commands authoritative and bounding remote command metadata. (#65620) Thanks @BunsDev.
CLI/update: respawn tracked plugin refresh from the updated entrypoint after package self-updates so openclaw update stops failing on stale hashed dist/install.runtime-*.js chunk imports. (#65471)
Memory/active-memory: keep recall runs on the resolved channel when wrappers like mx-claw are enabled, improve lexical fallback ranking, and keep lexical boosts out of hybrid search so recall finds the right memories more consistently. (#65049, #65395) Thanks @Takhoffman.
Dreaming: consume managed heartbeat events exactly once, stage light-sleep confidence from all recorded short-term signals, wake scheduled jobs immediately, raise dreaming-only promotion enough to cross the durable-memory gate, and stop dreaming from re-ingesting its own narrative transcripts.
Dreaming/narrative: harden transient narrative cleanup by retrying timed-out deletes, scrubbing stale dreaming session artifacts through the lock-aware session-store path, and isolating transient narrative session keys per workspace. (#65320, #61674)
Memory/wiki: preserve Unicode letters, digits, and combining marks in wiki slugs and contradiction clustering, and cap Unicode filename segments to safe byte lengths so non-ASCII titles stop collapsing or overflowing path limits. (#64742) Thanks @zhouhe-xydt.
Memory/short-term recall: allow nested daily notes under memory/**/YYYY-MM-DD.md to feed short-term recall, while still excluding generated dream reports under memory/dreaming/** so dreaming does not promote its own output. (#64682) Thanks @SARAMALI15792.
UI/WebChat: hide synthetic transcript-repair tool results from chat history reloads so internal recovery markers do not leak into visible chat after reconnects. (#65247) Thanks @wangwllu.
WhatsApp/outbound: fall back to the first mediaUrls entry when mediaUrl is empty so gateway media sends stop silently dropping attachments that already have a resolved media list. (#64394) Thanks @eric-fr4 and @vincentkoc.
Doctor/Discord: stop openclaw doctor --fix from rewriting legacy Discord preview-streaming config into the nested modern shape, so downgrades can still recover without hand-editing channels.discord.streaming. (#65035) Thanks @vincentkoc.
Gateway/auth: blank the shipped example gateway credential in .env.example and fail startup when a copied placeholder token or password is still configured, so operators cannot accidentally launch with a publicly known secret. (#64586) Thanks @navarrotech and @vincentkoc.
Memory/active-memory+dreaming: keep active-memory recall runs on the strongest resolved channel, consume managed dreaming heartbeat events exactly once, stop dreaming from re-ingesting its own narrative transcripts, and add explicit repair/dedupe recovery flows in CLI, doctor, and the Dreams UI.
Agents/queueing: carry orphaned active-turn user text into the next prompt before repairing transcript ordering, so follow-up messages that arrive mid-run are no longer silently dropped. (#65388) Thanks @adminfedres and @vincentkoc.
Gateway/keepalive: stop marking WebSocket tick broadcasts as droppable so slow or backpressured clients do not self-disconnect with tick timeout while long-running work is still alive. (#65256) Thanks @100yenadmin and @vincentkoc.
Matrix/mentions: keep room mention gating strict while accepting visible @displayName Matrix URI labels, so requireMention works for non-OpenClaw Matrix clients again. (#64796) Thanks @hclsys.
Doctor: warn when on-disk agent directories still exist under ~/.openclaw/agents//agent but the matching agents.list[] entries are missing from config. (#65113) Thanks @neeravmakwana.
Telegram: route approval button callback queries onto a separate sequentializer lane so plugin approval clicks can resolve immediately instead of deadlocking behind the blocked agent turn. (#64979) Thanks @nk3750.
Telegram/direct sessions: keep commentary-only assistant fallback payloads out of visible direct delivery, so Codex planning chatter cannot leak into Telegram DMs when a run has no final_answer text.
Gateway/keepalive: stop marking WebSocket tick broadcasts as droppable so slow or backpressured clients do not self-disconnect with tick timeout while long-running work is still alive. (#65436)
Gateway/plugins: always send a non-empty idempotencyKey for plugin subagent runs, so dreaming narrative jobs stop failing gateway schema validation. (#65354) Thanks @CodeForgeNet.
Gateway/auth: blank the shipped example gateway credential in .env.example and fail startup when a copied placeholder token or password is still configured, so operators cannot accidentally launch with a publicly known secret. (#64586) Thanks @navarrotech.
Plugins/memory-core dreaming: keep bundled memory-core loaded alongside an explicit external memory slot owner only when that owner enables dreaming, while preserving plugins.slots.memory = "none" disable semantics. (#65411) Thanks @pradeep7127.
Doctor/Discord: stop openclaw doctor --fix from rewriting legacy Discord preview-streaming config into the nested modern shape, so downgrades can still recover without hand-editing channels.discord.streaming.
Doctor: warn when on-disk agent directories still exist under ~/.openclaw/agents//agent but the matching agents.list[] entries are missing from config. (#65113) Thanks @neeravmakwana.
CLI/plugins: honor memory-wiki when plugins.allow is set for openclaw wiki, and pass the active app config into the metadata registrar so plugin-owned wiki commands resolve the live plugin config instead of falling back to defaults. (#64779, #65012)
QA/packaging: stop packaged QA helpers from crashing when optional scenario execution config is unavailable, so npm distributions can skip the repo-only scenario pack without breaking completion-cache and startup paths. (#65118) Thanks @EdderTalmor.
Media/audio transcription: surface the real provider failure when every audio transcription attempt fails, so status output and the CLI stop collapsing those errors into generic skips. (#65096) Thanks @l0cka.
Infra/net: fix multipart FormData fields (including model) being silently dropped when a guarded runtime fetch body crosses a FormData implementation boundary, restoring OpenAI audio transcription requests that failed with HTTP 400. (#64349) Thanks @petr-sloup.
Dreaming/diary: use the host local timezone for diary timestamps when dreaming.timezone is unset, and include the timezone abbreviation so DREAMS.md and the UI make local or UTC time explicit. (#65034, #65057)
Dreaming/promotion: raise phase reinforcement enough for repeated dreaming-only revisits to clear the default durable-memory gate after multiple days, instead of stalling just below the score threshold. (#64068) Thanks @vincentkoc.
Dreaming/light-sleep: compute staged candidate confidence from all recorded short-term signals instead of recall-only counts, so dreaming-only entries stop rendering as confidence: 0.00. (#64599) Thanks @vincentkoc.
Plugins/memory: restore cached memory capability public artifacts on plugin-registry cache hits so memory-backed artifact surfaces stay visible after warm loads.
Gateway/cron: preserve requested isolated-agent config across runtime reloads so subagent jobs and heartbeat overrides keep the right workspace and heartbeat settings when the hot-loaded snapshot is stale.
Cron/isolated sessions: persist the right transcript path for each isolated run, including fresh session rollovers, so cron runs stop appending to stale session files.
Discord/gateway: clear stale heartbeat timers before reconnecting so zombie gateway callbacks cannot crash the process and drop in-flight replies. (#65009) Thanks @SARAMALI15792.
Matrix/mentions: keep room mention gating strict while accepting visible @displayName Matrix URI labels, so requireMention works for non-OpenClaw Matrix clients again. (#64796) Thanks @hclsys.
Agents/Anthropic replay: preserve immutable signed-thinking replay safety across stored and live reruns, keep non-thinking embedded tool_result user blocks intact, and drop conflicting preserved tool IDs before validation so retries stop degrading into omitted tool calls. (#65126) Thanks @shakkernerd.
Memory/QMD: allow channel sessions in the shipped default QMD scope, while still denying groups.
Memory/QMD: stop registering the legacy lowercase root memory file as a separate default collection, so QMD now prefers MEMORY.md and the memory/ tree without duplicate collection-add warnings.
Memory/memory-core: watch the memory directory directly and ignore non-markdown churn so nested note changes still sync on macOS + Node 25 environments where recursive memory/**/*.md glob watching fails. (#64711) Thanks @jasonxargs-boop and @vincentkoc.
WhatsApp: centralize per-account connection ownership so reconnects, login recovery, and outbound readiness stay attached to the live socket instead of drifting across monitor and login paths. (#65290) Thanks @mcaxtr and @vincentkoc.
iMessage: retry transient watch.subscribe startup failures before tearing down the monitor, and sanitize startup error logging so brief local transport stalls do not immediately bounce the channel or leak raw imsg RPC payloads into logs. (#65393) Thanks @vincentkoc.
CLI/audio providers: report env-authenticated providers as configured in openclaw infer audio providers --json, while keeping trusted workspace provider env lookup defaults stable during auth setup. (#65491)
Plugins/install: reinstall bundled runtime packages when the matching platform native optional child is missing, so packaged Windows installs can recover dependencies that were packed on another host OS.
Memory/QMD: preserve explicit memory.qmd.command paths, create missing agent workspaces before QMD probes, and keep the current Node binary on QMD subprocess PATH so service and gateway environments do not fall back to builtin search unnecessarily.

openclaw 2026.4.12-beta.1

View on GitHub

Changes

Plugins/loading: narrow CLI, provider, and channel activation to manifest-declared needs, preserve explicit scope and trust boundaries, and centralize manifest-owner policy so startup, command discovery, and runtime activation avoid loading unrelated plugin runtime. (#65120, #65259, #65298, #65429, #65459) Thanks @vincentkoc.
Memory/active-memory: default QMD recall to search and surface better search-path telemetry so memory-backed recall works more predictably out of the box. (#65068) Thanks @Takhoffman.
Docs/providers: expand bundled provider docs with richer capability, env-var, and setup guidance across provider pages.
Docs/memory-wiki: add the recommended QMD + bridge-mode hybrid recipe plus zero-artifact troubleshooting guidance for memory-wiki bridge setups. (#63165) Thanks @sercada and @vincentkoc.

Fixes

CLI/update: respawn tracked plugin refresh from the updated entrypoint after package self-updates so openclaw update stops failing on stale hashed dist/install.runtime-*.js chunk imports. (#65471)
Memory/active-memory: keep recall runs on the resolved channel when wrappers like mx-claw are enabled, improve lexical fallback ranking, and keep lexical boosts out of hybrid search so recall finds the right memories more consistently. (#65049, #65395) Thanks @Takhoffman.
Dreaming: consume managed heartbeat events exactly once, stage light-sleep confidence from all recorded short-term signals, wake scheduled jobs immediately, raise dreaming-only promotion enough to cross the durable-memory gate, and stop dreaming from re-ingesting its own narrative transcripts.
Dreaming/narrative: harden transient narrative cleanup by retrying timed-out deletes, scrubbing stale dreaming session artifacts through the lock-aware session-store path, and isolating transient narrative session keys per workspace. (#65320, #61674)
Memory/wiki: preserve Unicode letters, digits, and combining marks in wiki slugs and contradiction clustering, and cap Unicode filename segments to safe byte lengths so non-ASCII titles stop collapsing or overflowing path limits. (#64742) Thanks @zhouhe-xydt.
Memory/short-term recall: allow nested daily notes under memory/**/YYYY-MM-DD.md to feed short-term recall, while still excluding generated dream reports under memory/dreaming/** so dreaming does not promote its own output. (#64682) Thanks @SARAMALI15792.
UI/WebChat: hide synthetic transcript-repair tool results from chat history reloads so internal recovery markers do not leak into visible chat after reconnects. (#65247) Thanks @wangwllu.
WhatsApp/outbound: fall back to the first mediaUrls entry when mediaUrl is empty so gateway media sends stop silently dropping attachments that already have a resolved media list. (#64394) Thanks @eric-fr4 and @vincentkoc.
Doctor/Discord: stop openclaw doctor --fix from rewriting legacy Discord preview-streaming config into the nested modern shape, so downgrades can still recover without hand-editing channels.discord.streaming. (#65035) Thanks @vincentkoc.
Gateway/auth: blank the shipped example gateway credential in .env.example and fail startup when a copied placeholder token or password is still configured, so operators cannot accidentally launch with a publicly known secret. (#64586) Thanks @navarrotech and @vincentkoc.
Memory/active-memory+dreaming: keep active-memory recall runs on the strongest resolved channel, consume managed dreaming heartbeat events exactly once, stop dreaming from re-ingesting its own narrative transcripts, and add explicit repair/dedupe recovery flows in CLI, doctor, and the Dreams UI.
Agents/queueing: carry orphaned active-turn user text into the next prompt before repairing transcript ordering, so follow-up messages that arrive mid-run are no longer silently dropped. (#65388) Thanks @adminfedres and @vincentkoc.
Gateway/keepalive: stop marking WebSocket tick broadcasts as droppable so slow or backpressured clients do not self-disconnect with tick timeout while long-running work is still alive. (#65256) Thanks @100yenadmin and @vincentkoc.
Matrix/mentions: keep room mention gating strict while accepting visible @displayName Matrix URI labels, so requireMention works for non-OpenClaw Matrix clients again. (#64796) Thanks @hclsys.
Doctor: warn when on-disk agent directories still exist under ~/.openclaw/agents//agent but the matching agents.list[] entries are missing from config. (#65113) Thanks @neeravmakwana.
Telegram: route approval button callback queries onto a separate sequentializer lane so plugin approval clicks can resolve immediately instead of deadlocking behind the blocked agent turn. (#64979) Thanks @nk3750.
Telegram/direct sessions: keep commentary-only assistant fallback payloads out of visible direct delivery, so Codex planning chatter cannot leak into Telegram DMs when a run has no final_answer text.
Gateway/keepalive: stop marking WebSocket tick broadcasts as droppable so slow or backpressured clients do not self-disconnect with tick timeout while long-running work is still alive. (#65436)
Gateway/plugins: always send a non-empty idempotencyKey for plugin subagent runs, so dreaming narrative jobs stop failing gateway schema validation. (#65354) Thanks @CodeForgeNet.
Gateway/auth: blank the shipped example gateway credential in .env.example and fail startup when a copied placeholder token or password is still configured, so operators cannot accidentally launch with a publicly known secret. (#64586) Thanks @navarrotech.
Plugins/memory-core dreaming: keep bundled memory-core loaded alongside an explicit external memory slot owner only when that owner enables dreaming, while preserving plugins.slots.memory = "none" disable semantics. (#65411) Thanks @pradeep7127.
Doctor/Discord: stop openclaw doctor --fix from rewriting legacy Discord preview-streaming config into the nested modern shape, so downgrades can still recover without hand-editing channels.discord.streaming.
Doctor: warn when on-disk agent directories still exist under ~/.openclaw/agents//agent but the matching agents.list[] entries are missing from config. (#65113) Thanks @neeravmakwana.
CLI/plugins: honor memory-wiki when plugins.allow is set for openclaw wiki, and pass the active app config into the metadata registrar so plugin-owned wiki commands resolve the live plugin config instead of falling back to defaults. (#64779, #65012)
QA/packaging: stop packaged QA helpers from crashing when optional scenario execution config is unavailable, so npm distributions can skip the repo-only scenario pack without breaking completion-cache and startup paths. (#65118) Thanks @EdderTalmor.
Media/audio transcription: surface the real provider failure when every audio transcription attempt fails, so status output and the CLI stop collapsing those errors into generic skips. (#65096) Thanks @l0cka.
Infra/net: fix multipart FormData fields (including model) being silently dropped when a guarded runtime fetch body crosses a FormData implementation boundary, restoring OpenAI audio transcription requests that failed with HTTP 400. (#64349) Thanks @petr-sloup.
Dreaming/diary: use the host local timezone for diary timestamps when dreaming.timezone is unset, and include the timezone abbreviation so DREAMS.md and the UI make local or UTC time explicit. (#65034, #65057)
Dreaming/promotion: raise phase reinforcement enough for repeated dreaming-only revisits to clear the default durable-memory gate after multiple days, instead of stalling just below the score threshold. (#64068) Thanks @vincentkoc.
Dreaming/light-sleep: compute staged candidate confidence from all recorded short-term signals instead of recall-only counts, so dreaming-only entries stop rendering as confidence: 0.00. (#64599) Thanks @vincentkoc.
Plugins/memory: restore cached memory capability public artifacts on plugin-registry cache hits so memory-backed artifact surfaces stay visible after warm loads.
Gateway/cron: preserve requested isolated-agent config across runtime reloads so subagent jobs and heartbeat overrides keep the right workspace and heartbeat settings when the hot-loaded snapshot is stale.
Cron/isolated sessions: persist the right transcript path for each isolated run, including fresh session rollovers, so cron runs stop appending to stale session files.
Discord/gateway: clear stale heartbeat timers before reconnecting so zombie gateway callbacks cannot crash the process and drop in-flight replies. (#65009) Thanks @SARAMALI15792.
Matrix/mentions: keep room mention gating strict while accepting visible @displayName Matrix URI labels, so requireMention works for non-OpenClaw Matrix clients again. (#64796) Thanks @hclsys.
Agents/Anthropic replay: preserve immutable signed-thinking replay safety across stored and live reruns, keep non-thinking embedded tool_result user blocks intact, and drop conflicting preserved tool IDs before validation so retries stop degrading into omitted tool calls. (#65126) Thanks @shakkernerd.
Memory/QMD: allow channel sessions in the shipped default QMD scope, while still denying groups.
Memory/QMD: stop registering the legacy lowercase root memory file as a separate default collection, so QMD now prefers MEMORY.md and the memory/ tree without duplicate collection-add warnings.
Memory/memory-core: watch the memory directory directly and ignore non-markdown churn so nested note changes still sync on macOS + Node 25 environments where recursive memory/**/*.md glob watching fails. (#64711) Thanks @jasonxargs-boop and @vincentkoc.
WhatsApp: centralize per-account connection ownership so reconnects, login recovery, and outbound readiness stay attached to the live socket instead of drifting across monitor and login paths. (#65290) Thanks @mcaxtr and @vincentkoc.
iMessage: retry transient watch.subscribe startup failures before tearing down the monitor, and sanitize startup error logging so brief local transport stalls do not immediately bounce the channel or leak raw imsg RPC payloads into logs. (#65393) Thanks @vincentkoc.
CLI/audio providers: report env-authenticated providers as configured in openclaw infer audio providers --json, while keeping trusted workspace provider env lookup defaults stable during auth setup. (#65491)
Plugins/install: reinstall bundled runtime packages when the matching platform native optional child is missing, so packaged Windows installs can recover dependencies that were packed on another host OS.

openclaw 2026.4.11

View on GitHub

Changes

Dreaming/memory-wiki: add ChatGPT import ingestion plus new Imported Insights and Memory Palace diary subtabs so Dreaming can inspect imported source chats, compiled wiki pages, and full source pages directly from the UI. (#64505)
Control UI/webchat: render assistant media/reply/voice directives as structured chat bubbles, add the [embed ...] rich output tag, and gate external embed URLs behind config. (#64104)
Tools/video_generate: add URL-only generated asset delivery, typed providerOptions, reference audio inputs, per-asset role hints, adaptive aspect-ratio support, and a higher image-input cap so video providers can expose richer generation modes without forcing large files into memory. (#61987, #61988) Thanks @xieyongliang.
Feishu: improve document comment sessions with richer context parsing, comment reactions, and typing feedback so document-thread conversations behave more like chat conversations. (#63785)
Microsoft Teams: add reaction support, reaction listing, Graph pagination, and delegated OAuth setup for sending reactions while preserving application-auth read paths. (#51646)
Plugins: allow plugin manifests to declare activation and setup descriptors so plugin setup flows can describe required auth, pairing, and configuration steps without hardcoded core special cases. (#64780)
Ollama: cache /api/show context-window and capability metadata during model discovery so repeated picker refreshes stop refetching unchanged models, while still retrying after empty responses and invalidating on digest changes. (#64753) Thanks @ImLukeF.
Models/providers: surface how configured OpenAI-compatible endpoints are classified in embedded-agent debug logs, so local and proxy routing issues are easier to diagnose. (#64754) Thanks @ImLukeF.
QA/parity: add the GPT-5.4 vs Opus 4.6 agentic parity report gate with shared scenario coverage checks, stricter evidence heuristics, and skipped-scenario accounting for maintainer review. (#64441) Thanks @100yenadmin.

Fixes

OpenAI/Codex OAuth: stop rewriting the upstream authorize URL scopes so new Codex sign-ins do not fail with invalid_scope before returning an authorization code. (#64713) Thanks @fuller-stack-dev.
Audio transcription: disable pinned DNS only for OpenAI-compatible multipart requests, while still validating hostnames, so OpenAI, Groq, and Mistral transcription works again without weakening other request paths. (#64766) Thanks @GodsBoy.
macOS/Talk Mode: after granting microphone permission on first enable, continue starting Talk Mode instead of requiring a second toggle. (#62459) Thanks @ggarber.
Control UI/webchat: persist agent-run TTS audio replies into webchat history and preserve interleaved tool card pairing so generated audio and mixed tool output stay attached to the right messages. (#63514) Thanks @bittoby.
WhatsApp: honor the configured default account when the active listener helper is used without an explicit account id, so named default accounts do not get registered under default. (#53918) Thanks @yhyatt.
ACP/agents: suppress commentary-phase child assistant relay text in ACP parent stream updates, so spawned child runs stop leaking internal progress chatter into the parent session. Thanks @vincentkoc.
Agents/timeouts: honor explicit run timeouts in the LLM idle watchdog and align default timeout config so slow models can keep working until the configured limit instead of using the wrong idle window.
Config: include asyncCompletion in the generated zod schema so documented async completion config no longer fails with an unrecognized-key error. (#63618)
Google/Veo: stop sending the unsupported numberOfVideos request field so Gemini Developer API Veo runs do not fail before OpenClaw can complete the intended Google video generation path. (#64723) Thanks @velvet-shark.
QA/packaging: stop packaged CLI startup and completion cache generation from reading repo-only QA scenario markdown, ship the bundled QA scenario pack in npm releases, and keep openclaw completion --write-state working even if QA setup is broken. (#64648) Thanks @obviyus.
Codex/QA: keep Codex app-server coordination chatter out of visible replies, add a live QA leak scenario, and classify leaked harness meta text as a QA failure instead of a successful reply. Thanks @vincentkoc.
WhatsApp: route message react through the gateway-owned action path so reactions use the live WhatsApp listener in both DM and group chats, matching message send and message poll. Thanks @mcaxtr.
Auto-reply/WhatsApp: preserve inbound image attachment notes after media understanding so image edits keep the real saved media path instead of hallucinating a missing local path. (#64918) Thanks @ngutman.
Telegram/sessions: keep topic-scoped session initialization on the canonical topic transcript path when inbound turns omit MessageThreadId, so one topic session no longer alternates between bare and topic-qualified transcript files. (#64869) Thanks @jalehman.
Agents/failover: scope assistant-side fallback classification and surfaced provider errors to the current attempt instead of stale session history, so cross-provider fallback runs stop inheriting the previous provider's failure. (#62907) Thanks @stainlu.
MiniMax/OAuth: write api: "anthropic-messages" and authHeader: true into the minimax-portal config patch during openclaw configure, so re-authenticated portal setups keep Bearer auth routing working. (#64964) Thanks @ryanlee666.

openclaw 2026.4.11-beta.1

View on GitHub

Changes

Dreaming/memory-wiki: add ChatGPT import ingestion plus new Imported Insights and Memory Palace diary subtabs so Dreaming can inspect imported source chats, compiled wiki pages, and full source pages directly from the UI. (#64505)
Control UI/webchat: render assistant media/reply/voice directives as structured chat bubbles, add the [embed ...] rich output tag, and gate external embed URLs behind config. (#64104)
Tools/video_generate: add URL-only generated asset delivery, typed providerOptions, reference audio inputs, per-asset role hints, adaptive aspect-ratio support, and a higher image-input cap so video providers can expose richer generation modes without forcing large files into memory. (#61987, #61988) Thanks @xieyongliang.
Feishu: improve document comment sessions with richer context parsing, comment reactions, and typing feedback so document-thread conversations behave more like chat conversations. (#63785)
Microsoft Teams: add reaction support, reaction listing, Graph pagination, and delegated OAuth setup for sending reactions while preserving application-auth read paths. (#51646)
Plugins: allow plugin manifests to declare activation and setup descriptors so plugin setup flows can describe required auth, pairing, and configuration steps without hardcoded core special cases. (#64780)
Ollama: cache /api/show context-window and capability metadata during model discovery so repeated picker refreshes stop refetching unchanged models, while still retrying after empty responses and invalidating on digest changes. (#64753) Thanks @ImLukeF.
Models/providers: surface how configured OpenAI-compatible endpoints are classified in embedded-agent debug logs, so local and proxy routing issues are easier to diagnose. (#64754) Thanks @ImLukeF.
QA/parity: add the GPT-5.4 vs Opus 4.6 agentic parity report gate with shared scenario coverage checks, stricter evidence heuristics, and skipped-scenario accounting for maintainer review. (#64441) Thanks @100yenadmin.

Fixes

OpenAI/Codex OAuth: stop rewriting the upstream authorize URL scopes so new Codex sign-ins do not fail with invalid_scope before returning an authorization code. (#64713) Thanks @fuller-stack-dev.
Audio transcription: disable pinned DNS only for OpenAI-compatible multipart requests, while still validating hostnames, so OpenAI, Groq, and Mistral transcription works again without weakening other request paths. (#64766) Thanks @GodsBoy.
macOS/Talk Mode: after granting microphone permission on first enable, continue starting Talk Mode instead of requiring a second toggle. (#62459) Thanks @ggarber.
Control UI/webchat: persist agent-run TTS audio replies into webchat history and preserve interleaved tool card pairing so generated audio and mixed tool output stay attached to the right messages. (#63514) Thanks @bittoby.
WhatsApp: honor the configured default account when the active listener helper is used without an explicit account id, so named default accounts do not get registered under default. (#53918) Thanks @yhyatt.
ACP/agents: suppress commentary-phase child assistant relay text in ACP parent stream updates, so spawned child runs stop leaking internal progress chatter into the parent session. Thanks @vincentkoc.
Agents/timeouts: honor explicit run timeouts in the LLM idle watchdog and align default timeout config so slow models can keep working until the configured limit instead of using the wrong idle window.
Config: include asyncCompletion in the generated zod schema so documented async completion config no longer fails with an unrecognized-key error. (#63618)
Google/Veo: stop sending the unsupported numberOfVideos request field so Gemini Developer API Veo runs do not fail before OpenClaw can complete the intended Google video generation path. (#64723) Thanks @velvet-shark.
QA/packaging: stop packaged CLI startup and completion cache generation from reading repo-only QA scenario markdown, ship the bundled QA scenario pack in npm releases, and keep openclaw completion --write-state working even if QA setup is broken. (#64648) Thanks @obviyus.
Codex/QA: keep Codex app-server coordination chatter out of visible replies, add a live QA leak scenario, and classify leaked harness meta text as a QA failure instead of a successful reply. Thanks @vincentkoc.
WhatsApp: route message react through the gateway-owned action path so reactions use the live WhatsApp listener in both DM and group chats, matching message send and message poll. Thanks @mcaxtr.

openclaw 2026.4.10

View on GitHub

2026.4.10

Changes

Models/Codex: add the bundled Codex provider and plugin-owned app-server harness so codex/gpt-* models use Codex-managed auth, native threads, model discovery, and compaction while openai/gpt-* stays on the normal OpenAI provider path. (#64298)
Memory/Active Memory: add a new optional Active Memory plugin that gives OpenClaw a dedicated memory sub-agent right before the main reply, so ongoing chats can automatically pull in relevant preferences, context, and past details without making users remember to manually say "remember this" or "search memory" first. Includes configurable message/recent/full context modes, live /verbose inspection, advanced prompt/thinking overrides for tuning, and opt-in transcript persistence for debugging. Docs: https://docs.openclaw.ai/concepts/active-memory. (#63286) Thanks @Takhoffman.
macOS/Talk: add an experimental local MLX speech provider for Talk Mode, with explicit provider selection, local utterance playback, interruption handling, and system-voice fallback. (#63539) Thanks @ImLukeF.
Tools/video generation: add Seedance 2.0 model refs to the bundled fal provider and submit the provider-specific duration, resolution, audio, and seed metadata fields needed for live Seedance 2.0 runs.
Microsoft Teams: add message actions for pin, unpin, read, react, and listing reactions. (#53432) Thanks @sudie-codes.
QA/Matrix: add a live openclaw qa matrix lane backed by a disposable Matrix homeserver, shared live-transport seams, and Matrix-specific transport coverage for threading, reactions, restart, and allowlist behavior. (#64489) Thanks @gumadeiras.
QA/Telegram: add a live openclaw qa telegram lane for private-group bot-to-bot checks, harden its artifact handling, and preserve native Telegram command reply threading for QA verification. (#64303) Thanks @obviyus.
QA/testing: add a --runner multipass lane for openclaw qa suite so repo-backed QA scenarios can run inside a disposable Linux VM and write back the usual report, summary, and VM logs. (#63426) Thanks @shakkernerd.
CLI/exec policy: add a local openclaw exec-policy command with show, preset, and set subcommands for synchronizing requested tools.exec.* config with the local exec approvals file, plus follow-up hardening for node-host rejection, rollback safety, and sync conflict detection. (#64050)
Gateway: add a commands.list RPC so remote gateway clients can discover runtime-native, text, skill, and plugin commands with surface-aware naming and serialized argument metadata. (#62656) Thanks @samzong.
Models/providers: add per-provider models.providers.*.request.allowPrivateNetwork for trusted self-hosted OpenAI-compatible endpoints, keep the opt-in scoped to model request surfaces, and refresh cached WebSocket managers when request transport overrides change. (#63671) Thanks @qas.
Feishu: standardize request user agents and register the bot as an AI agent so Feishu deployments identify OpenClaw consistently. (#63835) Thanks @evandance.
Matrix/partial streaming: add MSC4357 live markers to draft preview sends and edits so supporting Matrix clients can render a live/typewriter animation and stop it when the final edit lands. (#63513) Thanks @TigerInYourDream.
Control UI/dreaming: simplify the Scene and Diary surfaces, preserve unknown phase state for partial status payloads, and stabilize waiting-entry recency ordering so Dreaming status and review lists stay clear and deterministic. (#64035) Thanks @davemorin.
Agents: add an opt-in strict-agentic embedded Pi execution contract for GPT-5-family runs so plan-only or filler turns keep acting until they hit a real blocker. (#64241) Thanks @100yenadmin.
Agents/OpenAI: add provider-owned OpenAI/Codex tool schema compatibility and surface embedded-run replay/liveness state for long-running runs. (#64300) Thanks @100yenadmin.
Docs i18n: chunk raw doc translation, reject truncated tagged outputs, avoid ambiguous body-only wrapper unwrapping, and recover from terminated Pi translation sessions without changing the default openai/gpt-5.4 path. (#62969, #63808) Thanks @hxy91819.

Fixes

Browser/security: tighten browser and sandbox navigation defenses across strict SSRF defaults, hostname allowlists, interaction-driven redirects, subframes, CDP discovery, existing sessions, tab actions, noVNC, marker-span sanitization, and Docker CDP source-range enforcement. (#61404, #63332, #63882, #63885, #63889, #64367, #64370, #64371)
Security/tools: harden exec preflight reads, host env denylisting, node output boundaries, outbound host-media reads, profile-mutation authorization, plugin install dependency scanning, ACPX tool hooks, Gmail watcher token redaction, and oversized realtime WebSocket frame handling. (#62333, #62661, #62662, #63277, #63551, #63553, #63886, #63890, #63891, #64459)
OpenAI/Codex: add required Codex OAuth scopes, classify provider/runtime failures more clearly, stop suggesting /elevated full when auto-approved host exec is unavailable, add OpenAI/Codex tool-schema compatibility, and preserve embedded-run replay/liveness truth across compaction retries and mutating side effects. (#64300, #64439) Thanks @100yenadmin.
CLI/WhatsApp media sends: route gateway-mode outbound sends with --media through the channel sendMedia path and preserve media access context, so WhatsApp document and attachment sends stop silently dropping the file while still delivering the caption. (#64478, #64492) Thanks @ShionEria.
Microsoft Teams: restore media downloads for personal DMs, Bot Framework a: conversations, OneDrive/SharePoint shared files, and Graph-backed chat IDs; accept Bot Framework audience tokens; prevent feedback-learning filename collisions; keep long tool chains alive with typing indicators; add SSO sign-in callbacks; inject parent context for thread replies; and deliver cron announcements to Teams conversation IDs. (#54932, #55383, #55386, #58001, #58249, #58774, #59731, #60956, #62219, #62674, #63063, #63942, #63945, #63949, #63951, #63953, #64087, #64088, #64089)
Gateway/tailscale: start Tailscale exposure and the gateway update check before awaiting channel and plugin sidecar startup so remote operators are not locked out when startup sidecars stall.
Gateway/startup: keep WebSocket RPC available while channels and plugin sidecars start, hold chat.history unavailable until startup sidecars finish so synchronous history reads cannot stall startup (reported in #63450), refresh advertised gateway methods after deferred plugin reloads, and enforce the pre-auth WebSocket upgrade budget before the no-handler 503 path so upgrade floods cannot bypass connection limits during that window. (#63480) Thanks @neeravmakwana.
WhatsApp: keep inbound replies, media, composing indicators, and queued outbound deliveries attached to the current socket across reconnect gaps, including fresh retry-eligible sends after the listener comes back. (#30806, #46299, #62892, #63916) Thanks @mcaxtr.
Gateway/thread routing: preserve Slack, Telegram, Mattermost, Matrix, ACP, restart-sentinel, and agent announce delivery targets so subagent, cron, stream-relay, session fallback, and restart messages land back in the originating thread, topic, or room casing. (#54840, #57056, #63143, #63228, #63506, #64343, #64391)
Models/fallback: preserve /models selection across transient primary-model failures and config reloads, allow timeout cooldown probes, classify OpenRouter no-endpoints responses, detect llama.cpp context overflows, and keep provider/runtime context metadata stable through reloads. (#61472, #64196, #64471)
Agents/BTW: keep /btw side questions working after tool-use turns by stripping replayed tool blocks, hidden reasoning, and malformed image payloads, omitting empty tool arrays, allowing Bedrock auth: "aws-sdk", and routing Feishu /btw plus /stop through bounded out-of-band lanes. (#64218, #64219, #64225, #64324) Thanks @ngutman.
Control UI/BTW: render /btw side results as dismissible ephemeral cards in the browser, send /btw immediately during active runs, and clear stale BTW cards on reset flows so webchat matches the intended detached side-question behavior. (#64290) Thanks @ngutman.
Commands/targeting: use the selected agent or session for command output, send policy, usage/cost, context reports, model lists, bash sandbox hints, BTW/compact working directories, plugin commands, and session exports so multi-agent commands describe and mutate the intended target instead of the requester.
Conversation bindings: normalize focused/current conversation ids, preserve binding metadata on account and Discord rebinds, avoid stale Discord lifecycle windows, and keep generic activity touches persisted so reply routing survives rebinds and restarts.
iMessage/self-chat: distinguish normal DM outbound rows from true self-chat using destination_caller_id plus chat participants, preserve multi-handle self-chat aliases, drop ambiguous reflected echoes, and strip wrapped imsg RPC text fields. (#61619, #63868, #63980, #63989, #64000) Thanks @neeravmakwana.
Matrix: keep multi-account room scoping consistent, keep packaged crypto migrations warning-only when appropriate, preserve ordered block streaming, add explicit Matrix block-streaming opt-in, and resolve verification/bootstrap from the packaged runtime entry. (#58449, #59249, #59266, #64373) Thanks @gumadeiras.
Telegram/security: tighten Telegram allowFrom sender validation and keep /whoami allowlist reporting in sync with command auth checks.
Agents/timeouts: extend the default LLM idle window to 120s and keep silent no-token idle timeouts on recovery paths, so slow models can retry or fall back before users see an error.
Gateway/agents: preserve configured model selection and richer IDENTITY.md content across agent create/update flows and workspace moves, and fail safely instead of silently overwriting unreadable identity files. (#61577) Thanks @samzong.
Skills/TaskFlow: restore valid frontmatter fences for the bundled taskflow and taskflow-inbox-triage skills and copy bundled SKILL.md files as hard dist-runtime copies so skills stay discoverable and loadable after updates. (#64166, #64469) Thanks @extrasmall0.
Skills: respect overridden home directories when loading personal skills so service, test, and custom launch environments read the intended user skill directory instead of the process home.
Windows/exec: settle supervisor waits from child exit state after stdout and stderr drain even when close never arrives, so CLI commands stop hanging or dying with forced SIGKILL on Windows. (#64072) Thanks @obviyus.
Browser/sandbox: prevent sandbox browser CDP startup hangs by recreating containers when the browser security hash changes and by waiting on the correct sandbox browser lifecycle. (#62873) Thanks @Syysean.
QQBot/streaming: make block streaming configurable per QQ bot account via streaming.mode ("partial" | "off", default "partial") instead of hardcoding it off, so responses can be delivered incrementally. (#63746)
QQBot/config: allow extra fields in channels.qqbot and channels.qqbot.accounts.* so extended qqbot builds can add new config options without gateway startup failing on schema validation. (#64075) Thanks @WideLee.
Dreaming/gateway: require operator.admin for persistent /dreaming on|off changes and treat missing gateway client scopes as unprivileged instead of silently allowing config writes. (#63872) Thanks @mbelinky.
Gateway/pairing: prefer explicit QR bootstrap auth over earlier Tailscale auth classification so iOS /pair qr silent bootstrap pairing does not fall through to pairing required. (#59232) Thanks @ngutman.
Browser/control: auto-generate browser-control auth tokens for none and trusted-proxy modes, and route browser auth/profile/doctor helpers through the public browser plugin facades. (#63280, #63957) Thanks @pgondhi987.
Browser/act: centralize /act request normalization and execution dispatch while adding stable machine-readable route-level error codes for invalid requests, selector misuse, evaluate-disabled gating, target mismatch, and existing-session unsupported actions. (#63977) Thanks @joshavant.
Security/QQBot: enforce media storage boundaries for all outbound local file paths and route image-size probes through SSRF-guarded media fetching instead of raw fetch(). (#63271, #63495) Thanks @pgondhi987.
Channel setup: ignore workspace plugin shadows when resolving trusted channel setup catalog entries so onboarding and setup flows keep using the bundled, trusted setup contract.
Gateway/memory startup: load the explicitly selected memory-slot plugin during gateway startup, while keeping restrictive allowlists and implicit default memory slots from auto-starting unrelated memory plugins. (#64423) Thanks @EronFan.
Config/plugins: let config writes keep disabled plugin entries without forcing required plugin config schemas or crashing raw plugin validation, and avoid re-activating plugin registry state during schema checks. (#54971, #63296) Thanks @fuller-stack-dev.
Config validation: surface the actual offending field for strict-schema union failures in bindings, including top-level unexpected keys on the matching ACP branch. (#40841) Thanks @Hollychou924.
Wizard/plugin config: coerce integer-typed plugin config fields from interactive text input so integer schema values persist as numbers instead of failing validation. (#63346) Thanks @jalehman.
Daemon/gateway install: preserve safe custom service env vars on forced reinstall, merge prior custom PATH segments behind the managed service PATH, and stop removed managed env keys from persisting as custom carryover. (#63136) Thanks @WarrenJones.
Cron/scheduling: treat nextRunAtMs <= 0 as invalid across cron update, maintenance, timer, and stale-delivery paths so corrupted zero timestamps self-heal instead of causing immediate runs or skipped deliveries. (#63507) Thanks @WarrenJones.
Cron/auth: resolve auth profiles consistently for isolated cron jobs so scheduled runs use the same configured provider credentials as interactive sessions. (#62797) Thanks @neeravmakwana.
Tasks: let openclaw tasks cancel cancel stuck background tasks that never reached a normal terminal state. (#62506) Thanks @neeravmakwana.
Sessions/model selection: preserve catalog-backed session model labels, provider-qualified context limits, and already-qualified session model refs when catalog metadata is unavailable, so model selection and memory/context budgets survive reloads without bogus provider prefixes. (#61382, #62493) Thanks @Mule-ME.
Status: show configured fallback models in /status and shared session status cards so per-agent fallback configuration is visible before a live failover happens. (#33111) Thanks @AnCoSONG.
/context detail now compares the tracked prompt estimate with cached context usage and surfaces untracked provider/runtime overhead when present. (#28391) Thanks @ImLukeF.
Gateway/sessions: scope bare sessions.create aliases like main to the requested agent while preserving the canonical global and unknown sentinel keys. (#58207) Thanks @jalehman.
Gateway/session reset: emit the typed before_reset hook for gateway /new and /reset, preserving reset-hook behavior even when the previous transcript has already been archived. (#53872) Thanks @VACInc.
Plugins/commands: pass the active host sessionKey into plugin command contexts, and include sessionId when it is already available from the active session entry, so bundled and third-party commands can resolve the current conversation reliably. (#59044) Thanks @jalehman.
Agents/auth: honor models.providers.*.authHeader for pi embedded runner model requests by injecting Authorization: Bearer when requested. (#54390) Thanks @lndyzwdxhs.
Claude CLI: clear inherited Anthropic auth/header environment aliases before spawning Claude Code and add sanitized CLI backend auth-env diagnostics for debugging gateway-run provider selection.
Agents/failover: classify AbortError and stream-abort messages as timeout so Ollama NDJSON stream aborts stop showing reason=unknown in model fallback logs. (#58324) Thanks @yelog.
Fireworks/FirePass: disable Kimi K2.5 Turbo reasoning output by forcing thinking off on the FirePass path and hardening the provider wrapper so hidden reasoning no longer leaks into visible replies. (#63607) Thanks @frankekn.
Discord: update Carbon to v0.15.0. Thanks @thewilloftheshadow.
Config/Discord: coerce safe integer numeric Discord IDs to strings during config validation, keep unsafe or precision-losing numeric snowflakes rejected, and align openclaw doctor repair guidance with the same fail-closed behavior. (#45125) Thanks @moliendocode.
BlueBubbles/config: accept enrichGroupParticipantsFromContacts in the core strict config schema so gateways no longer fail validation or startup when the BlueBubbles plugin writes that field. (#56889) Thanks @zqchris.
Feishu/webhooks: read webhook bodies through the pre-auth guard so unauthenticated webhook traffic stays under the same body budget as other protected channel ingress paths.
Tools/web_fetch: add an opt-in tools.web.fetch.ssrfPolicy.allowRfc2544BenchmarkRange config so fake-IP proxy environments that resolve public sites into 198.18.0.0/15 can use web_fetch without weakening the default SSRF block. (#61830) Thanks @xing-xing-coder.
Dreaming/cron: reconcile managed dreaming cron from startup config and runtime lifecycle changes, but only recover managed dreaming cron state during heartbeat-triggered dreaming checks so ordinary chat traffic does not recreate removed jobs. (#63873, #63929, #63938) Thanks @mbelinky.
Memory/lancedb: accept dreaming config when memory-lancedb owns the memory slot so Dreaming surfaces can read slot-owner settings without schema rejection. (#63874) Thanks @mbelinky.
Control UI/dreaming: keep the Dreaming trace area contained and scrollable so overlays no longer cover tabs or blow out the page layout. (#63875) Thanks @mbelinky.
Dreaming/narrative: harden request-scoped diary fallback so scheduled dreaming only falls back on the dedicated subagent-runtime error, stop trusting spoofable raw error-code objects, and avoid leaking workspace paths when local fallback writes fail. (#64156) Thanks @mbelinky.
Dreaming/diary: add idempotent narrative subagent runs, preserve restrictive DREAMS.md permissions during atomic writes, and surface temp cleanup failures so repeated sweeps do not double-run the same narrative request or silently weaken diary safety. (#63876) Thanks @mbelinky.
Heartbeats/sessions: remove stale accumulated isolated heartbeat session keys when the next tick converges them back to the canonical sibling, so repaired sessions stop showing orphaned :heartbeat:heartbeat variants in session listings. (#59606) Thanks @rogerdigital.
Gateway/run cleanup: fix stale run-context TTL cleanup so the new maintenance sweep resets orphaned run sequence state and prevents unbounded run-context growth. (#52731) Thanks @artwalker.
UI/compaction: keep the compaction indicator in a retry-pending state until the run actually finishes, so the UI does not show Context compacted before compaction actually finishes. (#55132) Thanks @mpz4life.
Cron/tool schemas: keep cron tool schemas strict-model-friendly while still preserving failureAlert=false, nullable agentId/sessionKey, and flattened add/update recovery for the newly exposed cron job fields. (#55043) Thanks @brunolorente.
Git metadata: read commit ids from packed refs as well as loose refs so version and status metadata stay accurate after repository maintenance. (#63943)
Gateway: keep commands.list skill entries categorized under tools and include provider-aware plugin nativeName metadata even when scope=text, so remote clients can group skills correctly and map text-surface plugin commands back to native aliases. (#64147)
TUI: reset footer activity to idle when switching sessions so a stale streaming indicator cannot persist after the selection changes. (#63988) Thanks @neeravmakwana.
Claude CLI: stop marking spawned Claude Code runs as host-managed so they keep using normal CLI subscription behavior. (#64023) Thanks @Alex-Alaniz.
Codex auth: brand Codex OAuth flows as OpenClaw in user-visible auth prompts and diagnostics.
Gateway/pairing: fail closed for paired device records that have no device tokens, and reject pairing approvals whose requested scopes do not match the requested device roles.
ACP/gateway chat: classify lifecycle errors before forwarding them to ACP clients so refusals use ACP's refusal stop reason while transient backend errors continue to finish as normal turns.
Claude CLI/skills: pass eligible OpenClaw skills into CLI runs, including native Claude Code skill resolution via a temporary plugin plus per-run skill env/API key injection. (#62686, #62723) Thanks @zomars.
Discord: keep generated auto-thread names working with reasoning models by giving title generation enough output budget for thinking plus visible title text. (#64172) Thanks @hanamizuki.
Heartbeat: ignore doc-only Markdown fence markers in the default HEARTBEAT.md template so comment-only heartbeat scaffolds skip API calls again. (#61690, #63434) Thanks @ravyg.
Reply/skills: keep resolved skill and memory secret config stable through embedded reply runs so raw SecretRefs in secondary skill settings no longer crash replies when the gateway already has the live env. (#64249) Thanks @mbelinky.
Dreaming/startup: keep plugin-registered startup hooks alive across workspace hook reloads and include dreaming startup owners in the gateway startup plugin scope, so managed Dreaming cron registration comes back reliably after gateway boot. (#62327, #64258) Thanks @mbelinky.
Plugins: treat duplicate registerService calls from the same plugin id as idempotent so snapshot and activation loads no longer emit spurious service already registered diagnostics. (#62033, #64128) Thanks @ly85206559.
Discord/TTS: route auto voice replies through the native voice-note path so Discord receives Opus voice messages instead of regular audio attachments. (#64096) Thanks @LiuHuaize.
Config/plugins: use plugin-owned command alias metadata when plugins.allow contains runtime command names like dreaming, and point users at the owning plugin instead of stale plugin-not-found guidance. (#64191, #64242) Thanks @feiskyer.
Agents/Gemini: strip orphaned required entries from Gemini tool schemas so provider validation no longer rejects tools after schema cleanup or union flattening. (#64284) Thanks @xxxxxmax.
Assistant text: strip Qwen-style XML tool call payloads from visible replies so web and channel messages no longer show raw output. (#63999, #64214) Thanks @MoerAI.
Daemon/gateway: prevent systemd restart storms on configuration errors by exiting with EX_CONFIG and adding generated unit restart-prevention guards. (#63913) Thanks @neo1027144-creator.
Agents/exec: prevent gateway crash ("Agent listener invoked outside active run") when a subagent exec tool produces stdout/stderr after the agent run has ended or been aborted. (#62821) Thanks @openperf.
Gateway/OpenAI compat: return real usage for non-stream /v1/chat/completions responses, emit the final usage chunk when stream_options.include_usage=true, and bound usage-gated stream finalization after lifecycle end. (#62986) Thanks @Lellansin.
Agents/subagents: deduplicate delivered completion announces so retry or re-entry cleanup does not inject duplicate internal-context completion turns into the parent session. (#61525) Thanks @100yenadmin.
Agents/exec: keep sandboxed tools.exec.host=auto sessions from honoring per-call host=node or host=gateway overrides while a sandbox runtime is active, and stop advertising node routing in that state so exec stays on the sandbox host. (#63880)
Agents/subagents: preserve archived delete-mode runs until sessions.delete succeeds and prevent overlapping archive sweeps from duplicating in-flight cleanup attempts. (#61801) Thanks @100yenadmin.
Cron/isolated agent: run scheduled agent turns as non-owner senders so owner-only tools stay unavailable during cron execution. (#63878)
Discord/sandbox: include image in sandbox media param normalization so Discord event cover images cannot bypass sandbox path rewriting. (#64377) Thanks @mmaps.
Agents/exec: extend exec completion detection to cover local background exec formats so the owner-downgrade fires correctly for all exec paths. (#64376) Thanks @mmaps.
Hooks/security: mark agent hook system events as untrusted and sanitize hook display names before cron metadata reuse. (#64372) Thanks @eleqtrizit.
Daemon/launchd: keep openclaw gateway stop persistent without uninstalling the macOS LaunchAgent, re-enable it on explicit restart or repair, and harden launchd label handling. (#64447) Thanks @ngutman.
Plugins/context engines: preserve plugins.slots.contextEngine through normalization and keep explicitly selected workspace context-engine plugins enabled, so loader diagnostics and plugin activation stop dropping that slot selection. (#64192) Thanks @hclsys.
Heartbeat: stop top-level interval: and prompt: fields outside the tasks: block from bleeding into the last parsed heartbeat task. (#64488) Thanks @Rahulkumar070.
Agents/OpenAI replay: preserve malformed function-call arguments in stored assistant history, avoid double-encoding preserved raw strings on replay, and coerce replayed string args back to objects at Anthropic and Google provider boundaries. (#61956) Thanks @100yenadmin.
Heartbeat/config: accept and honor agents.defaults.heartbeat.timeoutSeconds and per-agent heartbeat timeout overrides for heartbeat agent turns. (#64491) Thanks @cedillarack.
CLI/devices: make implicit openclaw devices approve selection preview-only and require approving the exact request ID, preventing latest-request races during device pairing. (#64160) Thanks @coygeek.
Media/security: honor sender-scoped toolsBySender policy for outbound host-media reads so denied senders cannot trigger host file disclosure via attachment hydration. (#64459) Thanks @eleqtrizit.
Browser/security: reject strict-policy hostname navigation unless the hostname is an explicit allowlist exception or IP literal, and route CDP HTTP discovery through the pinned SSRF fetch path. (#64367) Thanks @eleqtrizit.
Models/vLLM: ignore empty tool_calls arrays from reasoning-model OpenAI-compatible replies, reset false toolUse stop reasons when no actual tool calls were parsed, and stop sending tool_choice unless tools are present so vLLM reasoning responses no longer hang indefinitely. (#61197, #61534) Thanks @balajisiva.