Release history

openclaw releases

Your own personal AI assistant. Any OS. Any Platform. The lobster way.

v2026.4.23 Breaking risk
Notable features
  • Image generation and reference-image editing for OpenAI through Codex OAuth
  • Image generation support for OpenRouter
  • Optional per-call timeoutMs for generation tools
Full changelog

2026.4.23

Changes

  • Providers/OpenAI: add image generation and reference-image editing through Codex OAuth, so openai/gpt-image-2 works without an OPENAI_API_KEY. Fixes #70703.
  • Providers/OpenRouter: add image generation and reference-image editing through image_generate, so OpenRouter image models work with OPENROUTER_API_KEY. Fixes #55066 via #67668. Thanks @notamicrodose.
  • Image generation: let agents request provider-supported quality and output format hints, and pass OpenAI-specific background, moderation, compression, and user hints through the image_generate tool. (#70503) Thanks @ottodeng.
  • Agents/subagents: add optional forked context for native sessions_spawn runs so agents can let a child inherit the requester transcript when needed, while keeping clean isolated sessions as the default; includes prompt guidance, context-engine hook metadata, docs, and QA coverage.
  • Agents/tools: add optional per-call timeoutMs support for image, video, music, and TTS generation tools so agents can extend provider request timeouts only when a specific generation needs it.
  • Memory/local embeddings: add configurable memorySearch.local.contextSize with a 4096 default so local embedding contexts can be tuned for constrained hosts without patching the memory host. (#70544) Thanks @aalekh-sarvam.
  • Dependencies/Pi: update bundled Pi packages to 0.70.0, use Pi's upstream gpt-5.5 catalog metadata for OpenAI and OpenAI Codex, and keep only local gpt-5.5-pro forward-compat handling.
  • Codex harness: add structured debug logging for embedded harness selection decisions so /status stays simple while gateway logs explain auto-selection and Pi fallback reasons. (#70760) Thanks @100yenadmin.

Fixes

  • Codex harness: route native request_user_input prompts back to the originating chat, preserve queued follow-up answers, and honor newer app-server command approval amendment decisions.
  • Codex harness/context-engine: redact context-engine assembly failures before logging, so fallback warnings do not serialize raw error objects. (#70809) Thanks @jalehman.
  • WhatsApp/onboarding: keep first-run setup entry loading off the Baileys runtime dependency path, so packaged QuickStart installs can show WhatsApp setup before runtime deps are staged. Fixes #70932.
  • Block streaming: suppress final assembled text after partial block-delivery aborts when the already-sent text chunks exactly cover the final reply, preventing duplicate replies without dropping unrelated short messages. Fixes #70921.
  • Codex harness/Windows: resolve npm-installed codex.cmd shims through PATHEXT before starting the native app-server, so codex/* models work without a manual .exe shim. Fixes #70913.
  • Slack/groups: classify MPIM group DMs as group chat context and suppress verbose tool/plan progress on Slack non-DM surfaces, so internal "Working…" traces no longer leak into rooms. Fixes #70912.
  • Agents/replay: stop OpenAI/Codex transcript replay from synthesizing missing tool results while still preserving synthetic repair on Anthropic, Gemini, and Bedrock transport-owned sessions. (#61556) Thanks @VictorJeon and @vincentkoc.
  • Telegram/media replies: parse remote markdown image syntax into outbound media payloads on the final reply path, so Telegram group chats stop falling back to plain-text image URLs when the model or a tool emits ![...](...) instead of a MEDIA: token. (#66191) Thanks @apezam and @vincentkoc.
  • Agents/WebChat: surface non-retryable provider failures such as billing, auth, and rate-limit errors from the embedded runner instead of logging surface_error and leaving webchat with no rendered error. Fixes #70124. (#70848) Thanks @truffle-dev.
  • WhatsApp: unify outbound media normalization across direct sends and auto-replies. Thanks @mcaxtr.
  • Memory/CLI: declare the built-in local embedding provider in the memory-core manifest, so standalone openclaw memory status, index, and search can resolve local embeddings just like the gateway runtime. Fixes #70836. (#70873) Thanks @mattznojassist.
  • Gateway/WebChat: preserve image attachments for text-only primary models by offloading them as media refs instead of dropping them, so configured image tools can still inspect the original file. Fixes #68513, #44276, #51656, #70212.
  • Plugins/Google Meet: hang up delegated Twilio calls on leave, clean up Chrome realtime audio bridges when launch fails, and use a flat provider-safe tool schema.
  • Media understanding: honor explicit image-model configuration before native-vision skips, including agents.defaults.imageModel, tools.media.image.models, and provider image defaults such as MiniMax VL when the active chat model is text-only. Fixes #47614, #63722, #69171.
  • Codex/media understanding: support codex/* image models through bounded Codex app-server image turns, while keeping openai-codex/* on the OpenAI Codex OAuth route and validating app-server responses against generated protocol contracts. Fixes #70201.
  • Providers/OpenAI Codex: synthesize the openai-codex/gpt-5.5 OAuth model row when Codex catalog discovery omits it, so cron and subagent runs do not fail with Unknown model while the account is authenticated.
  • Models/Codex: preserve Codex provider metadata when adding models from chat or CLI commands, so manually added Codex models keep the right auth and routing behavior. (#70820) Thanks @Takhoffman.
  • Providers/OpenAI: route openai/gpt-image-2 through configured Codex OAuth directly when an openai-codex profile is active, instead of probing OPENAI_API_KEY first.
  • Providers/OpenAI: harden image generation auth routing and Codex OAuth response parsing so fallback only applies to public OpenAI API routes and bounded SSE results. Thanks @Takhoffman.
  • OpenAI/image generation: send reference-image edits as guarded multipart uploads instead of JSON data URLs, restoring complex multi-reference gpt-image-2 edits. Fixes #70642. Thanks @dashhuang.
  • Providers/OpenRouter: send image-understanding prompts as user text before image parts, restoring non-empty vision responses for OpenRouter multimodal models. Fixes #70410.
  • Providers/Google: honor the private-network SSRF opt-in for Gemini image generation requests, so trusted proxy setups that resolve Google API hosts to private addresses can use image_generate. Fixes #67216.
  • Agents/transport: stop embedded runs from lowering the process-wide undici stream timeouts, so slow Gemini image generation and other long-running provider requests no longer inherit short run-attempt headers timeouts. Fixes #70423. Thanks @giangthb.
  • Providers/OpenAI: honor the private-network SSRF opt-in for OpenAI-compatible image generation endpoints, so trusted LocalAI/LAN image_generate routes work without disabling SSRF checks globally. Fixes #62879. Thanks @seitzbg.
  • Providers/OpenAI: stop advertising the removed gpt-5.3-codex-spark Codex model through fallback catalogs, and suppress stale rows with a GPT-5.5 recovery hint.
  • Control UI/chat: persist assistant-generated images as authenticated managed media and accept paired-device tokens for assistant media fetches, so webchat history reloads keep showing generated images. (#70719, #70741) Thanks @Patrick-Erichsen.
  • Control UI/chat: queue Stop-button aborts across Gateway reconnects so a disconnected active run is canceled on reconnect instead of only clearing local UI state. (#70673) Thanks @chinar-amrutkar.
  • Memory/QMD: recreate stale managed QMD collections when startup repair finds the collection name already exists, so root memory narrows back to MEMORY.md instead of staying on broad workspace markdown indexing.
  • Agents/OpenAI: surface selected-model capacity failures from PI, Codex, and auto-reply harness paths with a model-switch hint instead of the generic empty-response error. Thanks @vincentkoc.
  • Plugins/QR: replace legacy qrcode-terminal QR rendering with bounded qrcode-tui helpers for plugin login/setup flows. (#65969) Thanks @vincentkoc.
  • Voice-call/realtime: wait for OpenAI session configuration before greeting or forwarding buffered audio, and reject non-allowlisted Twilio callers before stream setup. (#43501) Thanks @forrestblount.
  • ACPX/Codex: stop materializing auth.json bridge files for Codex ACP, Codex app-server, and Codex CLI runs; Codex-owned runtimes now use their normal CODEX_HOME/~/.codex auth path directly.
  • Auto-reply/system events: route async exec-event completion replies through the persisted session delivery context, so long-running command results return to the originating channel instead of being dropped when live origin metadata is missing. (#70258) Thanks @wzfukui.
  • Gateway/sessions: extend the webchat session-mutation guard to sessions.compact and sessions.compaction.restore, so WEBCHAT_UI clients are rejected from compaction-side session mutations consistently with the existing patch/delete guards. (#70716) Thanks @drobison00.
  • QA channel/security: reject non-HTTP(S) inbound attachment URLs before media fetch, and log rejected schemes so suspicious or misconfigured payloads are visible during debugging. (#70708) Thanks @vincentkoc.
  • Plugins/install: link the host OpenClaw package into external plugins that declare openclaw as a peer dependency, so peer-only plugin SDK imports resolve after install without bundling a duplicate host package. (#70462) Thanks @anishesg.
  • Plugins/Windows: refresh the packaged plugin SDK alias in place during bundled runtime dependency repair, so gateway and CLI plugin startup no longer race on ENOTEMPTY/EPERM after same-guest npm updates.
  • Teams/security: require shared Bot Framework audience tokens to name the configured Teams app via verified appid or azp, blocking cross-bot token replay on the global audience. (#70724) Thanks @vincentkoc.
  • Plugins/startup: resolve bundled plugin Jiti loads relative to the target plugin module instead of the central loader, so Bun global installs no longer hang while discovering bundled image providers. (#70073) Thanks @yidianyiko.
  • Anthropic/CLI security: derive Claude CLI bypassPermissions from OpenClaw's existing YOLO exec policy, preserve explicit raw Claude --permission-mode overrides, and strip malformed permission-mode args instead of silently falling back to a bypass. (#70723) Thanks @vincentkoc.
  • Android/security: require loopback-only cleartext gateway connections on Android manual and scanned routes, so private-LAN and link-local ws:// endpoints now fail closed unless TLS is enabled. (#70722) Thanks @vincentkoc.
  • Pairing/security: require private-IP or loopback hosts for cleartext mobile pairing, and stop treating .local or dotless hostnames as safe cleartext endpoints. (#70721) Thanks @vincentkoc.
  • Plugins/security: stop setup-api lookup from falling back to the launch directory, so workspace-local extensions/<plugin>/setup-api.* files cannot be executed during provider setup resolution. (#70718) Thanks @drobison00.
  • Approvals/security: require explicit chat exec-approval enablement instead of auto-enabling approval clients just because approvers resolve from config or owner allowlists. (#70715) Thanks @vincentkoc.
  • Discord/security: keep native slash-command channel policy from bypassing configured owner or member restrictions, while preserving channel-policy fallback when no stricter access rule exists. (#70711) Thanks @vincentkoc.
  • Android/security: stop ASK_OPENCLAW intents from auto-sending injected prompts, so external app actions only prefill the draft instead of dispatching it immediately. (#70714) Thanks @vincentkoc.
  • Secrets/Windows: strip UTF-8 BOMs from file-backed secrets and keep unavailable ACL checks fail-closed unless trusted file or exec providers explicitly opt into allowInsecurePath. (#70662) Thanks @zhanggpcsu.
  • Agents/image generation: escape ignored override values in tool warnings so parsed MEDIA: directives cannot be injected through unsupported model options. (#70710) Thanks @vincentkoc.
  • QQBot/security: require framework auth for /bot-approve so unauthorized QQ senders cannot change exec approval settings through the unauthenticated pre-dispatch slash-command path. (#70706) Thanks @vincentkoc.
  • MCP/tools: stop the ACPX OpenClaw tools bridge from listing or invoking owner-only tools such as cron, closing a privilege-escalation path for non-owner MCP callers. (#70698) Thanks @vincentkoc.
  • Feishu/onboarding: load Feishu setup surfaces through a setup-only barrel so first-run setup no longer imports Feishu's Lark SDK before bundled runtime deps are staged. (#70339) Thanks @andrejtr.
  • Approvals/startup: let native approval handlers report ready after gateway authentication while replaying pending approvals in the background, so slow or failing replay delivery no longer blocks handler startup or amplifies reconnect storms.
  • WhatsApp/security: keep contact/vCard/location structured-object free text out of the inline message body and render it through fenced untrusted metadata JSON, limiting hidden prompt-injection payloads in names, phone fields, and location labels/comments.
  • Group-chat/security: keep channel-sourced group names and participant labels out of inline group system prompts and render them through fenced untrusted metadata JSON.
  • Agents/replay: preserve Kimi-style functions.<name>:<index> tool-call IDs during strict replay sanitization so custom OpenAI-compatible Kimi routes keep multi-turn tool use intact. (#70693) Thanks @geri4.
  • Discord/replies: preserve final reply permission context through outbound delivery so Discord replies keep the same channel/member routing rules at send time.
  • Plugins/startup: restore bundled plugin openclaw/plugin-sdk/* resolution from packaged installs and external runtime-deps stage roots, so Telegram/Discord no longer crash-loop with Cannot find package 'openclaw' after missing dependency repair. (#70852) Thanks @simonemacario.
  • CLI/Claude: run the same prompt-build hooks and trigger/channel context on claude-cli turns as on direct embedded runs, keeping Claude Code sessions aligned with OpenClaw workspace identity, routing, and hook-driven prompt mutations. (#70625) Thanks @mbelinky.
  • Discord/plugin startup: keep subagent hooks lazy behind Discord's channel entry so packaged entry imports stay narrow and report import failures with the channel id and entry path.
  • Memory/doctor: keep root durable memory canonicalized on MEMORY.md, stop treating lowercase memory.md as a runtime fallback, and let openclaw doctor --fix merge true split-brain root files into MEMORY.md with a backup. (#70621) Thanks @mbelinky.
  • Providers/Anthropic Vertex: restore ADC-backed model discovery after the lightweight provider-discovery path by resolving emitted discovery entries, exposing synthetic auth on bootstrap discovery, and honoring copied env snapshots when probing the default GCP ADC path. Fixes #65715. (#65716) Thanks @feiskyer.
  • Codex harness/status: pin embedded harness selection per session, show active non-PI harness ids such as codex in /status, and keep legacy transcripts on PI until /new or /reset so config changes cannot hot-switch existing sessions.
  • Gateway/security: fail closed on agent-driven gateway config.apply/config.patch runtime edits by allowlisting a narrow set of agent-tunable prompt, model, and mention-gating paths (including Telegram topic-level requireMention) instead of relying on a hand-maintained denylist of protected subtrees that could miss new sensitive config keys. (#70726) Thanks @drobison00.
  • Webhooks/security: re-resolve SecretRef-backed webhook route secrets on each request so openclaw secrets reload revokes the previous secret immediately instead of waiting for a gateway restart. (#70727) Thanks @drobison00.
  • Memory/dreaming: decouple the managed dreaming cron from heartbeat by running it as an isolated lightweight agent turn, so dreaming runs even when heartbeat is disabled for the default agent and is no longer skipped by heartbeat.activeHours. openclaw doctor --fix migrates stale main-session dreaming jobs in persisted cron configs to the new shape. Fixes #69811, #67397, #68972. (#70737) Thanks @jalehman.
  • Agents/CLI: keep --agent plus --session-id lookup scoped to the requested agent store, so explicit agent resumes cannot select another agent's session. (#70985) Thanks @frankekn.

v2026.4.22 Breaking risk
Notable features
  • xAI provider with image generation, text-to-speech, and speech-to-text
  • Native AWS Bedrock and Tencent Cloud support
  • Local embedded TUI mode for running without Gateway
Full changelog

2026.4.22

Changes

  • Providers/xAI: add image generation, text-to-speech, and speech-to-text support, including grok-imagine-image / grok-imagine-image-pro, reference-image edits, six live xAI voices, MP3/WAV/PCM/G.711 TTS formats, grok-stt audio transcription, and xAI realtime transcription for Voice Call streaming. (#68694) Thanks @KateWilkins.
  • Providers/STT: add Voice Call streaming transcription for Deepgram, ElevenLabs, and Mistral, alongside the existing OpenAI and xAI realtime STT paths; ElevenLabs also gains Scribe v2 batch audio transcription for inbound media.
  • TUI: add local embedded mode for running terminal chats without a Gateway while keeping plugin approval gates enforced. (#66767) Thanks @fuller-stack-dev.
  • Onboarding: auto-install missing provider and channel plugins during setup so first-run configuration can complete without manual plugin recovery.
  • OpenAI/Responses: use OpenAI's native web_search tool automatically for direct OpenAI Responses models when web search is enabled and no managed search provider is pinned; explicit providers such as Brave keep the managed web_search tool.
  • Models/commands: add /models add <provider> <modelId> so you can register a model from chat and use it without restarting the gateway; keep /models as a simple provider browser while adding clearer add guidance and copy-friendly command examples. (#70211) Thanks @Takhoffman.
  • WhatsApp: add configurable native reply quoting with replyToMode for WhatsApp conversations. Thanks @mcaxtr.
  • WhatsApp/groups+direct: forward per-group and per-direct systemPrompt config into inbound context GroupSystemPrompt so configured per-chat behavioral instructions are injected on every turn. Supports "*" wildcard fallback and account-scoped overrides under channels.whatsapp.accounts.<id>.{groups,direct}; account maps fully replace root maps (no deep merge), matching the existing requireMention pattern. Closes #7011. (#59553) Thanks @Bluetegu.
  • Agents/sessions: add mailbox-style sessions_list filters for label, agent, and search plus visibility-scoped derived title and last-message previews. (#69839) Thanks @dangoZhang.
  • Control UI/settings+chat: add a browser-local personal identity for the operator (name plus local-safe avatar), route user identity rendering through the shared chat/avatar path used by assistant and agent surfaces, and tighten Quick Settings, agent fallback chips, and narrow-screen chat layouts so personalization no longer wastes space or clips controls. (#70362) Thanks @BunsDev.
  • Gateway/diagnostics: enable payload-free stability recording by default and add a support-ready diagnostics export with sanitized logs, status, health, config, and stability snapshots for bug reports. (#70324) Thanks @gumadeiras.
  • Providers/Tencent: add the bundled Tencent Cloud provider plugin with TokenHub onboarding, docs, hy3-preview model catalog entries, and tiered Hy3 pricing metadata. (#68460) Thanks @JuniperSling.
  • Providers/Amazon Bedrock Mantle: add Claude Opus 4.7 through Mantle's Anthropic Messages route with provider-owned bearer-auth streaming, so the model is actually callable without treating AWS bearer tokens like Anthropic API keys. Thanks @wirjo.
  • Providers/GPT-5: move the GPT-5 prompt overlay into the shared provider runtime so compatible GPT-5 models receive the same behavior and heartbeat guidance through OpenAI, OpenRouter, OpenCode, Codex, and other GPT providers; add agents.defaults.promptOverlays.gpt5.personality as the global friendly-style toggle while keeping the OpenAI plugin setting as a fallback.
  • Providers/OpenAI Codex: remove the Codex CLI auth import path from onboarding and provider discovery so OpenClaw no longer copies ~/.codex OAuth material into agent auth stores; use browser login or device pairing instead. (#70390) Thanks @pashpashpash.
  • CLI/Claude: default claude-cli runs to warm stdio sessions, including custom configs that omit transport fields, and resume from the stored Claude session after Gateway restarts or idle exits. (#69679) Thanks @obviyus.
  • Pi/models: update the bundled pi packages to 0.68.1 and let the OpenCode Go catalog come from pi instead of plugin-maintained model aliases, adding the refreshed opencode-go/kimi-k2.6, Qwen, GLM, MiMo, and MiniMax entries.
  • Tokenjuice: add bundled native OpenClaw support for tokenjuice as an opt-in plugin that compacts noisy exec and bash tool results in Pi embedded runs. (#69946) Thanks @vincentkoc.
  • ACPX: add an explicit openClawToolsMcpBridge option that injects a core OpenClaw MCP server for selected built-in tools, starting with cron.
  • CLI/doctor plugins: lazy-load doctor plugin paths and prefer installed plugin dist/* runtime entries over source-adjacent JavaScript fallbacks, reducing the measured doctor --non-interactive runtime by about 74% while keeping cold doctor startup on built plugin artifacts. (#69840) Thanks @gumadeiras.
  • CLI/debugging: add an opt-in temporary debug timing helper for local CLI performance investigations, with readable stderr output, JSONL capture, and docs for removing probes before landing fixes. (#70469) Thanks @shakkernerd.
  • Docs/i18n: add Thai translation support for the docs site.
  • Providers/OpenAI-compatible: mark known local backends such as vLLM, SGLang, llama.cpp, LM Studio, LocalAI, Jan, TabbyAPI, and text-generation-webui as streaming-usage compatible, so their token accounting no longer degrades to unknown/stale totals. (#68711) Thanks @gaineyllc.
  • Providers/OpenAI-compatible: recover streamed token usage from llama.cpp-style timings.prompt_n / timings.predicted_n metadata and sanitize usage counts before accumulation, fixing unknown or stale totals when compatible servers do not emit an OpenAI-shaped usage object. (#41056) Thanks @xaeon2026.
  • Plugins/startup: prefer native Jiti loading for built bundled plugin dist modules on supported runtimes, cutting measured bundled plugin load time by 82-90% while keeping source TypeScript on the transform path. (#69925) Thanks @aauren.
  • Plugin SDK/STT: share realtime transcription WebSocket transport and multipart batch transcription form helpers across bundled STT providers, reducing provider plugin boilerplate while preserving proxy capture, reconnects, audio queueing, close flushing, upload filename normalization, and ready handshakes.
  • Plugin SDK/Pi embedded runs: add a bundled-plugin embedded extension factory seam so native plugins can extend Pi embedded runs with async runtime hooks such as tool_result handling instead of falling back to the older synchronous persistence path. (#69946) Thanks @vincentkoc.
  • Codex harness/hooks: route native Codex app-server turns through before_prompt_build and emit before_compaction / after_compaction for native compaction items so prompt and compaction hooks stop drifting from Pi. Thanks @vincentkoc.
  • Codex harness/plugins: add a bundled-plugin Codex app-server extension seam for async tool_result middleware, fire after_tool_call for Codex tool runs, and route mirrored Codex transcript writes through before_message_write so tool integrations stop diverging from Pi. Thanks @vincentkoc.
  • Codex harness/hooks: fire llm_input, llm_output, and agent_end for native Codex app-server turns so lifecycle hooks stop drifting from Pi. Thanks @vincentkoc.
  • QA/Telegram: record per-scenario reply RTT in the live Telegram QA report and summary, starting with the canary response. (#70550) Thanks @obviyus.
  • Status: add an explicit Runner: field to /status so sessions now report whether they are running on embedded Pi, a CLI-backed provider, or an ACP harness agent/backend such as codex (acp/acpx) or gemini (acp/acpx). (#70595)

Fixes

  • Thinking defaults/status: raise the implicit default thinking level for reasoning-capable models from legacy off/low fallback behavior to a safe provider-supported medium equivalent when no explicit config default is set, preserve configured-model reasoning metadata when runtime catalog loading is empty, and make /status report the same resolved default as runtime.
  • Gateway/model pricing: fetch OpenRouter and LiteLLM pricing asynchronously at startup and extend catalog fetch timeouts to 30 seconds, reducing noisy timeout warnings during slow upstream responses.
  • Agents/sessions: keep daily reset and idle-maintenance bookkeeping from bumping session activity or pruning freshly active routes, so active conversations no longer look newer or disappear for maintenance-only updates.
  • Plugins/install: add newly installed plugin ids to an existing plugins.allow list before enabling them, so allowlisted configs load installed plugins after restart.
  • Status: show Fast in /status when fast mode is enabled, including config/default-derived fast mode, and omit it when disabled.
  • OpenAI/image generation: detect Azure OpenAI-style image endpoints, use Azure api-key auth plus deployment-scoped image URLs, honor AZURE_OPENAI_API_VERSION, and document the Azure setup path so image generation and edits work against Azure-hosted OpenAI resources. (#70570) Thanks @zhanggpcsu.
  • Telegram/forum topics: cache recovered forum metadata with bounded expiry so supergroup updates no longer need repeated getChat lookups before topic routing.
  • Onboarding/WeCom: show the official WeCom channel plugin with its native Enterprise WeChat display name and blurb in the external channel catalog.
  • Models/auth: merge provider-owned default-model additions from openclaw models auth login instead of replacing agents.defaults.models, so re-authenticating an OAuth provider such as OpenAI Codex no longer wipes other providers' aliases and per-model params. Migrations that must rename keys (Anthropic -> Claude CLI) opt in with replaceDefaultModels. Fixes #69414. (#70435) Thanks @neeravmakwana.
  • Media understanding/audio: prefer configured or key-backed STT providers before auto-detected local Whisper CLIs, so installed local transcription tools no longer shadow API providers such as Groq/OpenAI in tools.media.audio auto mode. Fixes #68727.
  • Providers/OpenAI: lock the auth picker wording for OpenAI API key, Codex browser login, and Codex device pairing so the setup choices no longer imply a mixed Codex/API-key auth path. (#67848) Thanks @tmlxrd.
  • Agents/BTW: route /btw side questions through provider stream registration with the session workspace, so Ollama provider URL construction and workspace-scoped hooks apply correctly. Fixes #68336. (#70413) Thanks @suboss87.
  • Agents/sessions: make session transcript write locks non-reentrant by default, so same-process transcript writers contend unless a helper explicitly opts into nested lock ownership.
  • ACPX/probe: expose an optional probeAgent plugin config field so the embedded ACP runtime health probe can target a configured agent (for example opencode or claude) instead of hardcoding codex, and stop marking the entire ACP runtime backend unavailable when the default probe agent is simply not installed or not authenticated. (#68409) Thanks @lyfuci.
  • Memory search: use sqlite-vec KNN for vector recall while preserving full post-filter result limits in multi-model indexes. Fixes #69666. (#69680) Thanks @aalekh-sarvam.
  • Providers/OpenAI Codex: stop stale per-agent openai-codex:default OAuth profiles from shadowing a newer main-agent identity-scoped profile, and let openclaw doctor offer the matching cleanup. (#70393) Thanks @pashpashpash.
  • ACPX: route OpenClaw ACP bridge commands through the MCP-free runtime path even when the command is wrapped with env, has bridge flags, or is resumed from persisted session state, so documented acpx openclaw setups no longer fail on per-session MCP injection. (#68741) Thanks @alexlomt.
  • Codex harness: route Codex-tagged MCP tool approval elicitations through OpenClaw plugin approvals, including current empty-schema app-server requests, while leaving generic user-input prompts fail-closed. (#68807) Thanks @kesslerio.
  • WhatsApp/outbound: hold an in-memory active-delivery claim while a live outbound send is in flight, so a concurrent reconnect drain no longer re-drives the same pending queue entry and duplicates cron sends 7-12x after the 30-minute inbound-silence watchdog fires mid-delivery. Crash-replay of fresh queue entries left behind by a dead process is preserved because the claim is intentionally process-local. Fixes #70386. (#70428) Thanks @neeravmakwana.
  • Matrix/commands: keep Matrix DM allowlist state out of room control-command authorization, so trusted DM senders do not accidentally gain room-command access.
  • Providers/SDK retry: cap long Retry-After sleeps in Stainless-based Anthropic/OpenAI model SDKs so 60s+ retry windows surface immediately for OpenClaw failover instead of blocking the run. (#68474) Thanks @jetd1.
  • Agents/TTS: preserve spoken text in TTS tool results while defusing reply directives in transcript content, so future turns remember voice replies without treating spoken MEDIA: or voice tags as delivery metadata. (#68869) Thanks @zqchris.
  • Providers/OpenAI: harden Voice Call realtime transcription against OpenAI Realtime session-update drift, forward language and prompt hints, and add live coverage for realtime STT.
  • Agents/Pi embedded runs: suppress the "⚠️ Agent couldn't generate a response" warning when the assistant already delivered user-visible content through a messaging tool and the turn ended cleanly (stopReason=stop). Real failure modes (tool errors, provider stopReason=error, interrupted tool use) still surface the existing "verify before retrying" warning. Fixes #70396. (#70425) Thanks @neeravmakwana.
  • Gateway/Linux: wrap gateway-managed supervisor, PTY, MCP stdio, and browser child processes in a tiny /bin/sh shim that raises the child's own oom_score_adj on Linux, so under cgroup memory pressure the kernel prefers transient workers over the long-lived gateway. Opt out with OPENCLAW_CHILD_OOM_SCORE_ADJ=0. Fixes #70404. (#70419) Thanks @neeravmakwana.
  • Providers/Moonshot: stop strict-sanitizing Kimi's native tool_call IDs (shaped like functions.<name>:<index>) on the OpenAI-compatible transport, so multi-turn agentic flows through Kimi K2.6 no longer break after 2-3 tool-calling rounds when the serving layer fails to match mangled IDs against the original tool definitions. Adds a sanitizeToolCallIds opt-out to the shared openai-compatible replay family helper and wires Moonshot to it. Fixes #62319. (#70030) Thanks @LeoDu0314.
  • Dependencies/security: override transitive uuid to 14.0.0, clearing the runtime advisory across dependencies.
  • Codex harness: ignore dynamic tool descriptions when deciding whether to reuse a native app-server thread while still fingerprinting tool schemas, so channel-specific copy changes no longer reset otherwise compatible Codex conversations. (#69976) Thanks @chen-zhang-cs-code.
  • Codex harness: expose the Codex app-server model catalog in models list/status, avoid startup hangs from app-server discovery timeouts, and accept current Codex turn-completion notifications so Docker live gateway turns finish reliably.
  • Codex harness: drop invalid legacy app-server serviceTier values such as "priority" before native thread and turn requests, while keeping supported Codex tiers limited to "fast" and "flex". Fixes #64815.
  • Codex harness: show bounded, sanitized permission target samples in app-server approval prompts, so native permission requests keep their specific hosts, roots, and paths visible without leaking home usernames or URL credentials. (#70340) Thanks @Lucenx9.
  • Docs/Codex harness: narrow native compaction docs to the current start/completion signals, without promising a readable summary or kept-entry audit list yet. (#69612) Thanks @91wan.
  • Providers/Amazon Bedrock: use known context-window metadata for discovered models while keeping the unknown-model fallback conservative, so compaction and overflow handling improve for newer Bedrock models without overstating unlisted model limits. Thanks @wirjo.
  • Providers/Amazon Bedrock Mantle: refresh IAM-backed bearer tokens at runtime instead of baking discovery-time tokens into provider config, so long-lived Mantle sessions keep working after the initial token ages out. Thanks @wirjo.
  • Config/includes: write through single-file top-level includes for isolated OpenClaw-owned mutations, so the plugins install and plugins update commands write to an included plugins.json5 file instead of flattening modular $include configs. Fixes #41050 and #66048.
  • Config/reload: plan gateway reloads from source-authored config instead of runtime-materialized snapshots, so plugin update writes no longer trigger false restarts from derived provider/plugin config paths. Fixes #68732.
  • Plugins/update: skip npm plugin reinstall/config rewrites when the installed version and recorded artifact identity already match the registry target, let bare npm package names resolve back to tracked install records, and point already-installed plugins install attempts at plugins update / --force instead of a hook-pack fallback. Fixes #46955, #67957, and #68073.
  • Agents/MCP: keep mcp.servers and bundle MCP tools available in Pi embedded coding and messaging sessions while preserving minimal profile and tools.deny: ["bundle-mcp"] opt-out behavior. Fixes #68875 and #68818.
  • Plugins/startup: tolerate transient bundled-channel catalog/metadata drift while auto-enabling configured plugins, so CLI and gateway startup no longer crash when a channel id is known but its display metadata is unavailable.
  • CLI/Claude: report CLI-backed reply runs as streaming while Claude/Codex CLI turns are still in flight, so WebChat keeps visible response state until the backend finishes. Fixes #70125.
  • Slack/streaming: fall back to normal Slack replies for Slack Connect streams rejected before the SDK flushes its local buffer, so short replies no longer disappear or report success before Slack acknowledges delivery. Fixes #70295. (#70370) Thanks @mvanhorn.
  • Codex harness: rotate the shared app-server websocket client when the configured bearer token changes, so auth-token refreshes reconnect with the new Authorization header instead of reusing a stale socket. (#70328) Thanks @Lucenx9.
  • Channels/sandbox: derive runtime policy keys for external direct messages that share the main conversation, so sandbox/tool policy no longer treats channel-originated DMs as local main-session runs.
  • Config/models: merge provider-scoped model allowlist updates and protect model/provider map writes from accidental full replacement, adding config set --merge for additive updates and --replace for intentional clobbers. Fixes #65920, #68392, and #68653.
  • Agents/Pi auth: preserve AWS SDK-authenticated Bedrock runs for IMDS and task-role setups, clear stale refresh timers on sentinel fallback, and log unexpected runtime-auth prep failures instead of silently leaving the provider unauthenticated. Thanks @wirjo.
  • Config/gateway: restore last-known-good config on critical clobber signatures such as missing metadata, missing gateway.mode, or sharp size drops, preventing gateway crash loops when a valid backup exists. Fixes #70336.
  • Config/gateway: recover configs accidentally prefixed with non-JSON output during gateway startup or openclaw doctor --fix, preserving the clobbered file as a backup while leaving normal config reads read-only.
  • Agents/GitHub Copilot: normalize connection-bound Responses item IDs in the Copilot provider wrapper so replayed histories no longer fail after the upstream connection changes. (#69362) Thanks @Menci.
  • Pi embedded runs: pass real built-in tools into Pi session creation and then narrow active tool names after custom tool registration, so the runner and compaction paths compile cleanly and keep OpenClaw-managed custom tool allowlists without feeding string arrays into createAgentSession. Thanks @vincentkoc.
  • Agents/OpenAI websocket: route native OpenAI websocket metadata and session-header decisions through the shared endpoint classifier so local mocks and custom models.providers.openai.baseUrl endpoints stay out of the native OpenAI path consistently across embedded-runner and websocket transport code. Thanks @vincentkoc.
  • Cron/MCP: retire bundled MCP runtimes through one shared cleanup path for isolated cron run ends, persistent cron session rollover, and direct cron deleteAfterRun fallback cleanup. Fixes #69145, #68623, and #68827.
  • MCP/gateway: tear down stdio MCP process trees on transport close and dispose bundled MCP runtimes during session delete/reset, preventing orphaned wrapper/server processes from accumulating. Fixes #68809 and #69465.
  • Agents/MCP: retire bundled MCP runtimes after completed one-shot subagent cleanup and nested sessions_send steps, while keeping persistent subagent sessions warm.
  • Config: render validation warnings with real line breaks instead of a literal \n sequence in CLI/audit output. Fixes #70140.
  • Cron/doctor: repair malformed persisted cron job IDs through openclaw doctor, including legacy jobId, non-string id, and missing id rows, so cron list no longer needs display-layer coercion for corrupt store data. Fixes #70128.
  • Discord: normalize prefixed channel targets only at the thread-binding API boundary, so sessions_spawn({ runtime: "acp", thread: true }) can create child threads from Discord channels without breaking current-channel ACP bindings. (#68034) Thanks @Zetarcos.
  • Discord: harden inbound thread metadata handling against partial Carbon channel getters, so non-command thread messages and queued jobs no longer crash when name, parentId, parent, or ownerId requires fetched raw data.
  • Discord: let message tool reactions resolve user:<id> DM targets and preserve channels.discord.guilds.<guild>.channels.<channel>.requireMention: false during reply-stage activation fallback. Fixes #70165 and #69441.
  • Plugins/startup: pre-normalize and cache Jiti alias maps before creating plugin loaders, so module-scoped loader filenames do not reintroduce per-plugin alias-normalization startup cost. Fixes #70186.
  • ACP/Codex: run the bundled Codex ACP harness with an isolated CODEX_HOME and avoid writing incomplete ChatGPT auth bridge files, so Codex ACP sessions no longer clobber the user's real Codex CLI auth. Fixes #70234. Thanks @Lonobers88.
  • Gateway/client: keep long-running RPCs such as ACP agent.wait calls in charge of their own timeout instead of closing the websocket on a missed app-level tick while work is still pending.
  • Telegram/webhooks: lower the grammY webhook callback timeout to 5s so Telegram gets an early 200 response instead of retrying long-running updates as read timeouts. (#70146) Thanks @friday-james.
  • Telegram/polling: rebuild the polling HTTP transport after getUpdates 409 conflicts, so retries use a fresh TCP connection instead of looping on a Telegram-terminated keep-alive socket. (#69873) Thanks @hclsys.
  • Media delivery: strip persisted base64 audio payloads from webchat history, resolve stored media://inbound/* attachments before local-root checks, suppress duplicate Telegram voice/audio sends when TTS emits the same media twice, and support custom image-model IDs that already include their provider prefix.
  • Slack/files: resolve downloadFile bot tokens from the runtime config when callers provide cfg without an explicit token or prebuilt client, preserving cfg-only file downloads outside the action runtime path. (#70160) Thanks @martingarramon.
  • Slack/HTTP: dispatch registered Request URL webhooks through the same handler registry used by Slack monitor setup, so HTTP-mode Slack events no longer 404 after successful route registration. (#70275) Thanks @FroeMic.
  • Slack/runtime bindings: route focused Slack thread replies through their bound ACP session instead of preparing replies against the default agent shell. Fixes #67739. Thanks @Frankla20.
  • CLI/Claude: keep stored Claude CLI sessions through OAuth refresh-token rotation by keying auth epochs on stable account identity instead of mutable OAuth token material. (#70452) Thanks @obviyus.
  • CLI/Claude: verify stored Claude CLI session ids have a readable project transcript before resuming, clearing phantom bindings with reason=transcript-missing instead of silently starting fresh under --resume. Fixes #70177.
  • CLI sessions: persist CLI session clearing through the atomic session-store merge path, so expired Claude/Codex CLI bindings are actually removed before retrying without the stale session id. (#70298) Thanks @HFConsultant.
  • ACP/sessions_spawn: honor explicit model overrides for ACP child sessions instead of silently falling back to the target agent default model. (#70210) Thanks @felix-miao.
  • Diffs/viewer: re-read remote viewer access policy from live runtime config on each request, so toggling plugins.entries.diffs.config.security.allowRemoteViewer closes proxied viewer access immediately instead of waiting for a restart. Thanks @vincentkoc.
  • Diffs/tooling: re-read viewerBaseUrl, presentation defaults, and viewer access policy from live runtime config, and fail closed when the live diffs plugin entry disappears instead of reviving startup viewer settings. Thanks @vincentkoc.
  • Memory/LanceDB: stop resurrecting removed live memory-lancedb hook config from startup snapshots, so deleting or disabling the plugin entry shuts off auto-recall and auto-capture without a restart. Thanks @vincentkoc.
  • Memory/LanceDB: keep auto-recall and auto-capture hooks wired when those settings start disabled, so turning them on in live config starts recall and capture without waiting for a restart. Thanks @vincentkoc.
  • Skill Workshop: keep the tool plus before_prompt_build / agent_end hooks wired while the plugin is disabled at startup, so turning the plugin back on in live config starts guidance and capture without waiting for a restart. Thanks @vincentkoc.
  • Active Memory: stop reviving removed live active-memory config from startup snapshots, so removing the plugin entry turns the hook off immediately instead of waiting for a restart. Thanks @vincentkoc.
  • GitHub Copilot: re-read plugin discovery config from the live runtime snapshot, so toggling plugins.entries.github-copilot.config.discovery.enabled takes effect without a restart. Thanks @vincentkoc.
  • Ollama: re-read plugin discovery config from the live runtime snapshot, so toggling plugins.entries.ollama.config.discovery.enabled takes effect without a restart. Thanks @vincentkoc.
  • OpenAI: re-read the plugin prompt-overlay personality from live runtime config, so GPT-5 system prompt contributions update without a restart when plugins.entries.openai.config.personality changes. Thanks @vincentkoc.
  • Amazon Bedrock: re-read live discovery and guardrail plugin config, so toggling plugins.entries.amazon-bedrock.config.discovery or plugins.entries.amazon-bedrock.config.guardrail takes effect without a restart. Thanks @vincentkoc.
  • Codex: re-read the plugin discovery config from the live runtime snapshot, so toggling plugins.entries.codex.config.discovery takes effect without a restart. Thanks @vincentkoc.
  • Agents/subagents: drop bare NO_REPLY from the parent turn when the session still has pending spawned children, so direct-conversation surfaces such as Telegram DMs no longer rewrite the sentinel into visible fallback chatter while waiting for the child completion event. (#69942) Thanks @neeravmakwana.
  • Plugins/install: keep bundled plugin dependencies off npm install while repairing them when plugins activate from a packaged install, including Feishu/Lark, Browser, and direct bundled channel setup-entry loads.
  • CLI/channels: skip and cache bundled channel plugin, setup, and secrets load failures during read-only discovery, so one broken unused bundled channel cannot crash openclaw status or bootstrap secret scans.
  • Memory/LanceDB: retry initialization after a failed LanceDB load and report unsupported Intel macOS native runtime clearly instead of caching the failure or repeatedly attempting an install that cannot work.
  • CLI/Claude: hash only static extra system prompt parts when deciding whether to reuse a CLI session, so per-message inbound metadata no longer resets Claude CLI conversations on every turn. (#70122) Thanks @zijunl.
  • Hooks/Slack: standardize shared message hook routing fields (threadId / replyToId) and stop Slack outbound delivery from re-running message_sending inside the channel adapter, so plugins like thread-ownership make one outbound routing decision per reply. Thanks @vincentkoc.
  • Auto-reply/media: share one run-scoped reply media context between streamed block delivery and final payload filtering, so a local MEDIA: attachment is staged once and duplicate media sends are suppressed reliably. (#68111) Thanks @ayeshakhalid192007-dev.
  • Plugins/gateway hooks: expose startup config, workspace dir, and a live cron getter on the typed gateway_start hook, and move memory-core managed dreaming off the internal gateway:startup bridge so cron reconciliation stays on the public plugin hook path. Thanks @vincentkoc.
  • Plugins/config: read plugin trust decisions from the source config snapshot when a resolved runtime snapshot is active, so plugins.allow remains enforced and doctor/gateway startup no longer warn that the allowlist is empty when it is configured. Fixes #70161 and #70141.
  • Agents/openai-completions: enable malformed streamed tool-call argument repair for self-hosted OpenAI-compatible backends such as Kimi/SGLang, so fragmented tool-call arguments no longer reach tools as empty or unusable objects. Fixes #69672. (#70294) Thanks @MonkeyLeeT.
  • Gateway/restart: preserve group and channel chat context when resuming an agent turn after a Gateway restart, so continuation replies keep the same prompt, routing, and tool-status behavior as the original conversation.
  • Gateway/pairing: shared-secret loopback CLI clients now silently auto-approve metadata-upgrade pairing (platform / device family refresh) instead of being disconnected with 1008 pairing required. This matches the scope-upgrade and role-upgrade behavior added in #69431 and unblocks non-interactive CLI automation when a paired-device record has a stale platform string (e.g. device key replicated across hosts, install migrated between OSes, or platform-string format changed between OpenClaw versions). Browser / Control-UI clients keep the existing approval-required flow for metadata changes.
  • Gateway/pairing: treat any forwarded-header evidence (Forwarded, X-Forwarded-*, or X-Real-IP) as proxied WebSocket traffic before pairing locality checks, so reverse-proxy topologies cannot use the loopback shared-secret helper auto-pairing path.
  • Agents/OpenAI: treat exact NO_REPLY assistant output as a deliberate silent reply in embedded runs, so GPT-5.4 turns with signed reasoning plus a silent final no longer surface a false incomplete-turn error.
  • Auto-reply/streaming: preserve streamed reply directives through chunk boundaries and phase-aware final_answer delivery, so split MEDIA:<path> lines, voice tags, and reply targets reach channel delivery instead of leaking as text or being dropped. (#70243) Thanks @zqchris.
  • Anthropic/Claude Opus 4.7: normalize Opus 4.7 and claude-cli Opus 4.7 variants to a 1M context window in resolved runtime metadata and active-agent status/context reporting, so they no longer inherit the stale 200k fallback. Thanks @BunsDev.
  • Gateway/pairing webchat: render /pair qr replies as structured media instead of raw markdown text, preserve inline reply threading and silent-control handling on media replies, avoid persisting sensitive QR images into transcript history, and keep local webchat media embedding behind internal-only trust markers. (#70047) Thanks @BunsDev.
  • Codex harness: default app-server runs to unchained local execution, so OpenAI heartbeats can use network and shell tools without stalling behind native Codex approvals or the workspace-write sandbox.
  • Codex harness: fail closed for unknown native app-server approval methods instead of routing unsupported future approval shapes through OpenClaw approval grants. (#70356) Thanks @Lucenx9.
  • Codex harness: apply the GPT-5 behavior and heartbeat prompt overlay to native Codex app-server runs, so codex/gpt-5.x sessions get the same follow-through, tool-use, and proactive heartbeat guidance as OpenAI GPT-5 runs.
  • Codex harness: add an explicit Guardian mode for Codex app-server approvals, plus a Docker live probe for approved and ask-back Guardian decisions, while keeping default app-server runs unchained for unattended local heartbeats. The legacy OPENCLAW_CODEX_APP_SERVER_GUARDIAN shortcut is removed; use plugin config appServer.mode: "guardian" or OPENCLAW_CODEX_APP_SERVER_MODE=guardian. Thanks @pashpashpash.
  • OpenAI/Responses: keep embedded OpenAI Responses runs on HTTP when models.providers.openai.baseUrl points at a local mock or other non-public endpoint, so mocked/custom endpoints no longer drift onto the hardcoded public websocket transport. (#69815) Thanks @vincentkoc.
  • Channels/config: require resolved runtime config on channel send/action/client helpers and block runtime helper loadConfig() calls, so SecretRefs are resolved at startup/boundaries instead of being re-read during sends.
  • Discord: pass resolved runtime config through guild and moderation action helpers, so thread-originated Discord commands can run channel, member, role, and guild actions without falling back to runtime config reads. (#70215) Thanks @szponeczek.
  • CLI/channels: preserve bundled setup promotion metadata when a loaded partial channel plugin omits it, so adding a non-default account still moves legacy single-account fields such as Telegram streaming into accounts.default.
  • Telegram: keep the sent-message ownership cache isolated per configured session store, so own-message reaction filtering remains correct with custom session.store paths.
  • Security/update: fail closed when exact pinned npm plugin or hook-pack updates detect integrity drift, and expose aborted plugin drift details in openclaw update --json.
  • Ollama: forward OpenClaw thinking control to native /api/chat requests as top-level think, so /think off and openclaw agent --thinking off suppress thinking on models such as qwen3 instead of idling until the watchdog fires. Fixes #69902. (#69967) Thanks @WZH8898.
  • Memory-core/dreaming: suppress the startup-only managed dreaming cron unavailable warning when the cron service is still attaching, while preserving the runtime warning if cron genuinely remains unavailable. Fixes #69939. (#69941) Thanks @Sanjays2402.
  • Mattermost: suppress reasoning-only payloads even when they arrive as blockquoted > Reasoning: text, preventing /reasoning on from leaking thinking into channel posts. (#69927) Thanks @lawrence3699.
  • Discord: read channel.parentId through a safe accessor in the slash-command, reaction, and model-picker paths so partial GuildThreadChannel prototype getters no longer throw Cannot access rawData on partial Channel when commands like /new run from inside a thread. Fixes #69861. (#69908) Thanks @neeravmakwana.
  • Discord: use safe channel name and parent accessors across voice command authorization, so /vc commands from partial Discord thread channels no longer crash on Carbon rawData getters. (#70199) Thanks @hanamizuki.
  • Discord: make auto-thread parent transcript inheritance opt-in via channels.discord.thread.inheritParent, keeping newly created Discord thread sessions isolated by default while preserving explicit inheritance for configured accounts. Fixes #69907. (#69986) Thanks @Blahdude.
  • Browser/Chrome MCP: reset cached existing-session control sessions when a navigate_page call times out, so one stuck navigation no longer poisons the browser profile until a gateway restart. (#69733) Thanks @ayeshakhalid192007-dev.
  • Browser/Chrome MCP: propagate click timeouts and abort signals to existing-session actions so a stuck click fails fast and reconnects instead of poisoning the browser tool until gateway restart. (#63524) Thanks @dongseok0.
  • Amazon Bedrock/prompt caching: resolve opaque application inference profile targets before injecting Bedrock cache points, require every routed target to support explicit cache points, and retry transient profile lookups instead of caching a false negative for the rest of the process. (#69953) Thanks @anirudhmarc and @vincentkoc.
  • Gateway/channel health: base stale-socket recovery on provider-proven transport activity instead of inbound app-event freshness, preventing quiet Slack, Discord, Telegram, Matrix, and local-style channels from being restarted solely because no user traffic arrived. (#69833) Thanks @bek91.
  • OpenCode Go: canonicalize stale bundled opencode-go base URLs from /go or /go/v1 to /zen/go or /zen/go/v1, so older generated model metadata stops hitting the 404 HTML endpoint. (#69898)
  • CLI/channels: honor channels.<id>.enabled=false as a hard read-only presence opt-out, so env vars, manifest env vars, or stale persisted auth state no longer make disabled channel plugins appear in status, doctor, or setup-only discovery.
  • Channels/preview streaming: centralize draft-preview finalization so Slack, Discord, Mattermost, and Matrix no longer flush temporary preview messages for media/error finals, and preserve first-reply threading for normal fallback delivery.
  • Discord: keep slash command follow-up chunks ephemeral when the command is configured for ephemeral replies, so long /status output no longer leaks fallback model or runtime details into the public channel. (#69869) Thanks @gumadeiras.
  • Gateway/session history: re-check current auth and chat.history scope before later SSE keepalives and transcript updates, so active session-history streams close before delivering post-revocation events.
  • Plugins/discovery: reject package plugin source entries that escape the package directory before explicit runtime entries or inferred built JavaScript peers can be used. (#69868) Thanks @gumadeiras.
  • CLI/channels: resolve channel presence through a shared policy that keeps ambient env vars and stale persisted auth from surfacing disabled bundled plugins in status, doctor, security audit, and cron delivery validation unless the channel or plugin is effectively enabled or explicitly configured. (#69862) Thanks @gumadeiras.
  • Doctor/plugins: hydrate legacy partial interactive handler state before plugin reload clears dedupe caches, so openclaw doctor and post-update doctor runs no longer crash with Cannot read properties of undefined (reading 'clear'). (#70135) Thanks @ngutman.
  • Control UI/config: preserve intentionally empty raw config snapshots when clearing pending updates so reset restores the original bytes instead of synthesizing JSON for blank config files. (#68178) Thanks @BunsDev.
  • Memory-core/dreaming: surface a Dreaming status: blocked line in openclaw memory status when dreaming is enabled but the heartbeat that drives the managed cron is not firing for the default agent, and add a Troubleshooting section to the dreaming docs covering the two common causes (per-agent heartbeat blocks excluding main, and heartbeat.every set to 0/empty/invalid), so the silent failure described in #69843 becomes legible on the status surface.
  • Cron/run-log: report generic message tool sends under the resolved delivery channel when they match the cron target, while preserving account-specific mismatch checks for delivery traces. (#69940) Thanks @davehappyminion.
  • Doctor/channels: merge configured-channel doctor hooks across read-only, loaded, setup, and runtime plugin discovery so partial adapters no longer hide runtime-only compatibility repair or allowlist warnings, preserve disabled-channel opt-outs, and ignore malformed hook values before they can mask valid fallbacks. (#69919) Thanks @gumadeiras.
  • Models/CLI: show bundled provider-owned static catalog rows in models list --all before auth is configured, including Kimi K2.6 rows for Moonshot, OpenRouter, and Vercel AI Gateway, while keeping local-only and workspace plugin catalog paths isolated. (#69909) Thanks @shakkernerd.
  • Models/CLI: clarify that models list --provider expects provider ids and reject display labels before loading model discovery. (#70504) Thanks @shakkernerd.
  • Configure: skip generic CLI startup bootstrap for openclaw configure and bound hint-only gateway probes so the onboarding TUI reaches its first prompt faster when the Gateway is unavailable. (#69984) Thanks @obviyus.
  • Agents/harness: surface selected plugin harness failures directly instead of replaying the same turn through embedded PI, preventing misleading secondary PI auth errors and avoiding duplicate side effects.
  • OpenAI Codex: add a ChatGPT device-code auth option beside browser OAuth, so headless or callback-hostile setups can sign in without relying on the localhost browser callback. (#69557) Thanks @vincentkoc.
  • CLI sessions: keep provider-owned CLI sessions through implicit daily expiry while preserving explicit reset behavior, and retain Claude CLI binding metadata across gateway agent requests. (#70106) Thanks @obviyus.
  • Config: accept truncateAfterCompaction. (#68395) Thanks @MonkeyLeeT.
  • CLI/Claude: keep Claude CLI session bindings stable across OAuth access-token refreshes, so gateway restarts continue the same Claude conversation instead of minting a fresh one. (#70132) Thanks @obviyus.
  • QQBot: add INTERACTION intent (1 << 26) to the gateway constants and include it in the FULL_INTENTS mask so interaction events are received. (#70143) Thanks @cxyhhhhh.
  • Gateway/restart: preserve one-shot continuation instructions across gateway restarts so agents can resume and reply back to the original chat after reboot. (#63406) Thanks @VACInc.
  • Gateway/restart: write restart sentinel files atomically so interrupted writes cannot leave a truncated sentinel behind. (#70225) Thanks @obviyus.
  • Pairing: remove stale pending requests for a device when that paired device is deleted, so an old repair approval cannot recreate the removed device from leftover state.
  • Security/dotenv: block workspace .env overrides for Matrix, Mattermost, IRC, and Synology endpoint settings so cloned workspaces cannot redirect bundled connector traffic through local endpoint config. (#70240) Thanks @drobison00.
  • Telegram: require the same /models authorization for group model-picker callbacks, so unauthorized participants can no longer browse or change the session model through inline buttons. (#70235) Thanks @drobison00.
  • Agents/Pi: keep the filtered tool-name allowlist active for embedded OpenAI/OpenAI Codex GPT-5 runs and compaction sessions, so bundled and client tools still execute after the Pi 0.68.1 session-tool allowlist change instead of stopping at plan-only replies with no tool call. (#70281) Thanks @jalehman.
  • Agents/Pi: honor explicit strict-agentic execution contracts for incomplete-turn retry guards across providers, so manually opted-in local or compatible models get the same retry behavior without relying on OpenAI model inference. (#66750) Thanks @ziomancer.
  • OpenShell/sandbox: pin verified file reads to an already-opened descriptor, walk the ancestor chain for symlinked parents on platforms without fd-path readlink, and re-check file identity so parent symlink swaps cannot redirect in-sandbox reads to host files outside the allowed mount root. (#69798) Thanks @drobison00.
  • Gateway/Control UI: require authenticated Control UI read access before serving /__openclaw/control-ui-config.json when gateway.auth is enabled, so unauthenticated callers can no longer read bootstrap metadata. (#70247) Thanks @drobison00.
  • Gateway/restart: default session-scoped restart sentinels to a one-shot agent continuation, so chat-initiated Gateway restarts acknowledge successful boot automatically. (#70269) Thanks @obviyus.
  • Build/npm publish: fail postpublish verification when root dist/* files import bundled plugin runtime dependencies without mirroring them in the root package manifest, so Slack-style plugin deps cannot silently ship on the wrong module-resolution path again. (#60112) Thanks @medns.
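The Gateway/pairing entry above (forwarded-header evidence is treated as proxied traffic before loopback locality checks) describes a check that is easy to get wrong: behind a reverse proxy the TCP peer is 127.0.0.1 even though the real client is remote. The following is an added example, not OpenClaw's own code, showing how such a gate can be structured. The request shape ({ remoteAddress, headers }), the decision reasons, the sample requests and the secret values are all constructed for this illustration.

```javascript
// Added example (not OpenClaw's own code): decide whether a WebSocket upgrade
// may use a loopback-only shared-secret trust path. Any forwarded-header
// evidence means the socket peer is a proxy, not the client, so the request is
// never treated as local, even when the TCP peer address is loopback.

// RFC 7239 "Forwarded", the de-facto "X-Forwarded-*" family, and "X-Real-IP".
function hasForwardedEvidence(headers) {
  for (const name of Object.keys(headers)) {
    const lower = name.toLowerCase();
    if (lower === "forwarded" || lower === "x-real-ip" || lower.startsWith("x-forwarded-")) {
      return true;
    }
  }
  return false;
}

// Accept IPv4 127/8 and IPv6 ::1, including the IPv4-mapped form Node reports.
function isLoopbackAddress(addr) {
  if (typeof addr !== "string") return false;
  let a = addr.trim();
  if (a.startsWith("::ffff:")) a = a.slice("::ffff:".length);
  if (a === "::1") return true;
  return /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(a);
}

// Proxy evidence is evaluated first: a loopback peer behind a proxy is not local.
function classifyPairingLocality(req) {
  if (hasForwardedEvidence(req.headers || {})) {
    return { local: false, reason: "forwarded-header-present" };
  }
  if (!isLoopbackAddress(req.remoteAddress)) {
    return { local: false, reason: "non-loopback-peer" };
  }
  return { local: true, reason: "loopback-direct" };
}

// Constant-time string comparison so a mismatch does not leak the prefix length.
function secretsMatch(presented, expected) {
  if (typeof presented !== "string" || typeof expected !== "string") return false;
  let diff = presented.length ^ expected.length;
  for (let i = 0; i < expected.length; i++) {
    const p = presented.length === 0 ? 0 : presented.charCodeAt(i % presented.length);
    diff |= expected.charCodeAt(i) ^ p;
  }
  return diff === 0;
}

// Auto-pairing is only considered after the locality check passes.
function allowSharedSecretAutoPair(req, presentedSecret, expectedSecret) {
  const locality = classifyPairingLocality(req);
  if (!locality.local) return { allowed: false, reason: locality.reason };
  if (!secretsMatch(presentedSecret, expectedSecret)) return { allowed: false, reason: "bad-secret" };
  return { allowed: true, reason: locality.reason };
}

// Constructed sample upgrade requests (addresses from the RFC 5737 documentation range).
const SAMPLE_REQUESTS = {
  directLoopback: { remoteAddress: "127.0.0.1", headers: { host: "localhost", upgrade: "websocket" } },
  proxiedViaLoopback: { remoteAddress: "127.0.0.1", headers: { host: "gateway.example", "x-forwarded-for": "203.0.113.7" } },
  forwardedRfc7239: { remoteAddress: "::ffff:127.0.0.1", headers: { forwarded: "for=203.0.113.7;proto=https" } },
  remotePeer: { remoteAddress: "203.0.113.7", headers: { upgrade: "websocket" } },
};

for (const [name, req] of Object.entries(SAMPLE_REQUESTS)) {
  console.log(name, JSON.stringify(allowSharedSecretAutoPair(req, "example-secret", "example-secret")));
}
```

Only the direct loopback request reaches the secret comparison; both proxied requests are refused before the secret is examined, which is the ordering the changelog entry describes.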
v2026.4.21 Breaking risk
Security fixes
  • Auth/commands: require owner identity for owner-enforced commands, preventing non-owner access through permissive fallback (#69774)
Notable features
  • Image generation defaults to gpt-image-2 with advertised 2K/4K OpenAI size hints
  • Slack preserves thread aliases in runtime outbound sends
  • Image generation logs failed provider candidates before fallback
Full changelog

2026.4.21

Changes

  • OpenAI/images: default the bundled image-generation provider and live media smoke tests to gpt-image-2, and advertise the newer 2K/4K OpenAI size hints in image-generation docs and tool metadata.

Fixes

  • Plugins/doctor: repair bundled plugin runtime dependencies from doctor paths so packaged installs can recover missing channel/provider dependencies without broad core dependency installs.
  • Image generation: log failed provider/model candidates at warn level before automatic provider fallback, so OpenAI image failures are visible in the gateway log even when a later provider succeeds.
  • Auth/commands: require owner identity (an owner-candidate match or internal operator.admin) for owner-enforced commands instead of treating wildcard channel allowFrom or empty owner-candidate lists as sufficient, so non-owner senders can no longer reach owner-only commands through a permissive fallback when enforceOwnerForCommands=true and commands.ownerAllowFrom is unset. (#69774) Thanks @drobison00.
  • Slack: preserve thread aliases in runtime outbound sends so generic runtime sends stay in the intended Slack thread when the caller supplies threadTs. (#62947) Thanks @bek91.
  • Browser: reject invalid ax<N> accessibility refs in act paths immediately instead of waiting for the browser action timeout. (#69924) Thanks @Patrick-Erichsen.
  • npm/install: mirror the node-domexception alias into root package.json overrides, so npm installs stop surfacing the deprecated google-auth-library -> gaxios -> node-fetch -> fetch-blob -> node-domexception chain pulled through Pi/Google runtime deps. Thanks @vincentkoc.
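The Auth/commands fix above turns on a subtle authorization gap: when the owner-enforced gate fell back to the channel allowFrom list or to an empty owner-candidate list, a wildcard allowFrom made every sender an "owner". The following is an added example, not OpenClaw's own code, that places the permissive decision beside the strict one. The option names enforceOwnerForCommands, ownerAllowFrom, allowFrom and operator.admin come from the changelog entry; the policy and sender shapes, the command name and the sample identities are constructed for this illustration.

```javascript
// Added example (not OpenClaw's own code): owner gate for owner-enforced
// commands, shown as the permissive "before" beside the strict "after".

// Constructed sample policy and identities.
const OWNER_ENFORCED_COMMANDS = new Set(["/owner-only-example"]);

const POLICY_WITH_FALLBACK_GAP = {
  enforceOwnerForCommands: true,
  ownerAllowFrom: undefined,   // commands.ownerAllowFrom left unset
  channelAllowFrom: ["*"],     // the channel itself accepts anyone
};

const POLICY_WITH_OWNER = {
  enforceOwnerForCommands: true,
  ownerAllowFrom: ["user:owner-1"],
  channelAllowFrom: ["*"],
};

const OWNER = { id: "user:owner-1", internalScopes: [] };
const STRANGER = { id: "user:stranger-9", internalScopes: [] };
const INTERNAL_ADMIN = { id: "internal:operator", internalScopes: ["operator.admin"] };

function ownerCandidates(policy) {
  return Array.isArray(policy.ownerAllowFrom) ? policy.ownerAllowFrom : [];
}

// Before: with no owner candidates, the gate fell back to the channel allowFrom
// list, so a wildcard there (or a matching channel entry) satisfied "owner".
function isOwnerPermissive(sender, policy) {
  const candidates = ownerCandidates(policy);
  if (candidates.length === 0) {
    return policy.channelAllowFrom.includes("*") || policy.channelAllowFrom.includes(sender.id);
  }
  return candidates.includes(sender.id);
}

// After: only a concrete owner-candidate match or the internal operator.admin
// scope establishes owner identity; channel allowFrom plays no part.
function isOwnerStrict(sender, policy) {
  if (sender.internalScopes.includes("operator.admin")) return true;
  return ownerCandidates(policy).includes(sender.id);
}

// Shared dispatcher so the two checks can be compared on identical inputs.
function authorizeCommand(command, sender, policy, ownerCheck) {
  if (!OWNER_ENFORCED_COMMANDS.has(command) || !policy.enforceOwnerForCommands) {
    return { allowed: true, reason: "not-owner-enforced" };
  }
  return ownerCheck(sender, policy)
    ? { allowed: true, reason: "owner" }
    : { allowed: false, reason: "owner-required" };
}

for (const [label, check] of [["permissive", isOwnerPermissive], ["strict", isOwnerStrict]]) {
  const result = authorizeCommand("/owner-only-example", STRANGER, POLICY_WITH_FALLBACK_GAP, check);
  console.log(label, "stranger with wildcard allowFrom and unset ownerAllowFrom:", JSON.stringify(result));
}
```

The permissive variant lets the stranger through only because ownerAllowFrom is unset and the channel allowFrom contains "*"; the strict variant refuses the same request while still admitting the configured owner and the internal operator.admin caller.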
v2026.4.20 Breaking risk
Security fixes
  • SSRF guard added to QQ Bot direct-upload URL paths (uploadC2CMedia, uploadGroupMedia)
  • MCP blocks interpreter-startup env keys (NODE_OPTIONS) for stdio servers
Notable features
  • Tiered model pricing with Moonshot Kimi K2.6/K2.5 cost estimates
  • Thinking mode keep='all' for kimi-k2.6 and context compaction notices
  • Per-group system prompts for BlueBubbles and Mattermost streaming improvements
Full changelog

2026.4.20

Changes

  • Onboard/wizard: restyle the setup security disclaimer with a single yellow warning banner, section headings and bulleted checklists, and un-dim the note body so key guidance is easy to scan; add a loading spinner during the initial model catalog load so the wizard no longer goes blank while it runs; add an "API key" placeholder to provider API key prompts. (#69553) Thanks @Patrick-Erichsen.
  • Agents/prompts: strengthen the default system prompt and OpenAI GPT-5 overlay with clearer completion bias, live-state checks, weak-result recovery, and verification-before-final guidance.
  • Models/costs: support tiered model pricing from cached catalogs and configured models, and include bundled Moonshot Kimi K2.6/K2.5 cost estimates for token-usage reports. (#67605) Thanks @sliverp.
  • Sessions/Maintenance: enforce the built-in entry cap and age prune by default, and prune oversized stores at load time so accumulated cron/executor session backlogs cannot OOM the gateway before the write path runs. (#69404) Thanks @bobrenze-bot.
  • Plugins/tests: reuse plugin loader alias and Jiti config resolution across repeated same-context loads, reducing import-heavy test overhead. (#69316) Thanks @amknight.
  • Cron: split runtime execution state into jobs-state.json so jobs.json stays stable for git-tracked job definitions. (#63105) Thanks @Feelw00.
  • Agents/compaction: send opt-in start and completion notices during context compaction. (#67830) Thanks @feniix.
  • Moonshot/Kimi: default bundled Moonshot setup, web search, and media-understanding surfaces to kimi-k2.6 while keeping kimi-k2.5 available for compatibility. (#69477) Thanks @scoootscooob.
  • Moonshot/Kimi: allow thinking.keep = "all" on moonshot/kimi-k2.6, and strip it for other Moonshot models or requests where pinned tool_choice disables thinking. (#68816) Thanks @aniaan.
  • BlueBubbles/groups: forward per-group systemPrompt config into inbound context GroupSystemPrompt so configured group-specific behavioral instructions (for example threaded-reply and tapback conventions) are injected on every turn. Supports "*" wildcard fallback matching the existing requireMention pattern. Closes #60665. (#69198) Thanks @omarshahine.
  • Plugins/tasks: add a detached runtime registration contract so plugin executors can own detached task lifecycle and cancellation without reaching into core task internals. (#68915) Thanks @mbelinky.
  • Terminal/logging: optimize sanitizeForLog() by replacing the iterative control-character stripping loop with a single regex pass while preserving the existing ANSI-first sanitization behavior. (#67205) Thanks @bulutmuf.
  • QA/CI: make openclaw qa suite and openclaw qa telegram fail by default when scenarios fail, add --allow-failures for artifact-only runs, and tighten live-lane defaults for CI automation. (#69122) Thanks @joshavant.
  • Mattermost: stream thinking, tool activity, and partial reply text into a single draft preview post that finalizes in place when safe. (#47838) Thanks @ninjaa.

Fixes

  • Exec/YOLO: stop rejecting gateway-host exec in security=full plus ask=off mode via the Python/Node script preflight hardening path, so promptless YOLO exec once again runs direct interpreter stdin and heredoc forms such as node <<'NODE' ... NODE.
  • OpenAI Codex: normalize legacy openai-completions transport overrides on default OpenAI/Codex and GitHub Copilot-compatible hosts back to the native Codex Responses transport while leaving custom proxies untouched. (#45304, #42194) Thanks @dyss1992 and @DeadlySilent.
  • Anthropic/plugins: scope Anthropic api: "anthropic-messages" defaulting to Anthropic-owned providers, so openai-codex and other providers without an explicit api no longer get rewritten to the wrong transport. Fixes #64534.
  • QQ Bot: add an SSRF guard to the direct-upload URL paths in uploadC2CMedia and uploadGroupMedia [AI-assisted]. (#69595) Thanks @pgondhi987.
  • Gateway: enforce the allowRequestSessionKey gate on template-rendered mapping sessionKeys. (#69381) Thanks @pgondhi987.
  • Browser/Chrome MCP: surface DevToolsActivePort attach failures as browser-connectivity errors instead of a generic "waiting for tabs" timeout, and point signed-out fallbacks toward the managed openclaw profile.
  • Webchat/images: treat inline image attachments as media for empty-turn gating while still ignoring metadata-only blank turns. (#69474) Thanks @Jaswir.
  • Discord/think: only show adaptive in /think autocomplete for provider/model pairs that actually support provider-managed adaptive thinking, so GPT/OpenAI models no longer advertise an Anthropic-only option.
  • Thinking: only expose max for models that explicitly support provider max reasoning, and remap stored max settings to the largest supported thinking mode when users switch to another model.
  • Gateway/usage: bound the cost usage cache with FIFO eviction so date/range lookups cannot grow unbounded. (#68842) Thanks @Feelw00.
  • OpenAI/Responses: resolve /think levels against each GPT model's supported reasoning efforts so /think off no longer becomes high reasoning or sends unsupported reasoning.effort: "none" payloads.
  • Lobster/TaskFlow: allow managed approval resumes to use approvalId without a resume token, and persist that id in approval wait state. (#69559) Thanks @kirkluokun.
  • Plugins/startup: install bundled runtime dependencies into each plugin's own runtime directory, reuse source-checkout repair caches after rebuilds, and log only packages that were actually installed so repeated Gateway starts stay quiet once deps are present.
  • Plugins/startup: ignore pnpm's npm_execpath when repairing bundled plugin runtime dependencies and skip workspace-only package specs so npm-only install flags or local workspace links do not break packaged plugin startup.
  • MCP: block interpreter-startup env keys such as NODE_OPTIONS for stdio servers while preserving ordinary credential and proxy env vars. (#69540) Thanks @drobison00.
  • Agents/shell: ignore non-interactive placeholder shells like /usr/bin/false and /sbin/nologin, falling back to sh so service-user exec runs no longer exit immediately. (#69308) Thanks @sk7n4k3d.
  • Setup/TUI: relaunch the setup hatch TUI in a fresh process while preserving the configured gateway target and auth source, so onboarding recovers terminal state cleanly without exposing gateway secrets on command-line args. (#69524) Thanks @shakkernerd.
  • Codex: avoid re-exposing the image-generation tool on native vision turns with inbound images, and keep bare image-model overrides on the configured image provider. (#65061) Thanks @zhulijin1991.
  • Sessions/reset: clear auto-sourced model, provider, and auth-profile overrides on /new and /reset while preserving explicit user selections, so channel sessions stop staying pinned to runtime fallback choices. (#69419) Thanks @sk7n4k3d.
  • Sessions/costs: snapshot estimatedCostUsd like token counters so repeated persist paths no longer compound the same run cost by up to dozens of times. (#69403) Thanks @MrMiaigi.
  • OpenAI Codex: route ChatGPT/Codex OAuth Responses requests through the /backend-api/codex endpoint so openai-codex/gpt-5.4 no longer hits the removed /backend-api/responses alias. (#69336) Thanks @mzogithub.
  • OpenAI/Responses: omit disabled reasoning payloads when /think off is active, so GPT reasoning models no longer receive unsupported reasoning.effort: "none" requests. (#61982) Thanks @a-tokyo.
  • Gateway/pairing: treat loopback shared-secret node-host, TUI, and gateway clients as local for pairing decisions, so trusted local tools no longer reconnect as remote clients and fail with pairing required. (#69431) Thanks @SARAMALI15792.
  • Active Memory: degrade gracefully when memory recall fails during prompt building, logging a warning and letting the reply continue without memory context instead of failing the whole turn. (#69485) Thanks @Magicray1217.
  • Ollama: add provider-policy defaults for baseUrl and models so implicit local discovery can run before config validation rejects a minimal Ollama provider config. (#69370) Thanks @PratikRai0101.
  • Agents/model selection: clear transient auto-failover session overrides before each turn so recovered primary models are retried immediately without emitting user-override reset warnings. (#69365) Thanks @hitesh-github99.
  • Auto-reply: apply silent NO_REPLY policy per conversation type, so direct chats get a helpful rewritten reply while groups and internal deliveries can remain quiet. (#68644) Thanks @Takhoffman.
  • Telegram/status reactions: honor messages.removeAckAfterReply when lifecycle status reactions are enabled, clearing or restoring the reaction after success/error using the configured hold timings. (#68067) Thanks @poiskgit.
  • Web search/plugins: resolve plugin-scoped SecretRef API keys for bundled Exa, Firecrawl, Gemini, Kimi, Perplexity, Tavily, and Grok web-search providers when they are selected through the shared web-search config. (#68424) Thanks @afurm.
  • Telegram/polling: raise the default polling watchdog threshold from 90s to 120s and add configurable channels.telegram.pollingStallThresholdMs (also per-account) so long-running Telegram work gets more room before polling is treated as stalled. (#57737) Thanks @Vitalcheffe.
  • Telegram/polling: bound the persisted-offset confirmation getUpdates probe with a client-side timeout so a zombie socket cannot hang polling recovery before the runner watchdog starts. (#50368) Thanks @boticlaw.
  • Agents/Pi runner: retry silent stopReason=error turns with no output when no side effects ran, so non-frontier providers that briefly return empty error turns get another chance instead of ending the session early. (#68310) Thanks @Chased1k.
  • Plugins/memory: preserve the active memory capability when read-only snapshot plugin loads run, so status and provider discovery paths no longer wipe memory public artifacts. (#69219) Thanks @zeroaltitude.
  • Plugins: keep only the highest-precedence manifest when distinct discovered plugins share an id, so lower-precedence global or workspace duplicates no longer load beside bundled or config-selected plugins. (#41626) Thanks @Tortes.
  • Security/MiniMax: block MINIMAX_API_HOST workspace env injection and remove env-driven URL routing [AI-assisted]. (#67300) Thanks @pgondhi987.
  • Cron/delivery: treat explicit delivery.mode: "none" runs as not requested even if the runner reports delivered: false, so no-delivery cron jobs no longer persist false delivery failures or errors. (#69285) Thanks @matsuri1987.
  • Plugins/install: repair active and default-enabled bundled plugin runtime dependencies before import in packaged installs, so bundled Discord, WhatsApp, Slack, Telegram, and provider plugins work without putting their dependency trees in core.
  • BlueBubbles: raise the outbound /api/v1/message/text send timeout default from 10s to 30s, and add a configurable channels.bluebubbles.sendTimeoutMs (also per-account) so macOS 26 setups where Private API iMessage sends stall for 60+ seconds no longer silently lose messages at the 10s abort. Probes, chat lookups, and health checks keep the shorter 10s default. Fixes #67486. (#69193) Thanks @omarshahine.
  • Agents/bootstrap: budget truncation markers against per-file caps, preserve source content instead of silently wasting bootstrap bytes, and avoid marker-only output in tiny-budget truncation cases. (#69114) Thanks @BKF-Gitty.
  • Context engine/plugins: stop rejecting third-party context engines whose info.id differs from the registered plugin slot id. The strict-match contract added in 2026.4.14 broke lossless-claw and other plugins whose internal engine id does not equal the slot id they are registered under, producing repeated "info.id must match registered id" lane failures on every turn. Fixes #66601. (#66678) Thanks @GodsBoy.
  • Agents/compaction: rename embedded Pi compaction lifecycle events to compaction_start / compaction_end so OpenClaw stays aligned with pi-coding-agent 0.66.1 event naming. (#67713) Thanks @mpz4life.
  • Security/dotenv: block all OPENCLAW_* keys from untrusted workspace .env files so workspace-local env loading fails closed for new runtime-control variables instead of silently inheriting them. (#473)
  • Gateway/device pairing: restrict non-admin paired-device sessions (device-token auth) to their own pairing list, approve, and reject actions so a paired device cannot enumerate other devices or approve/reject pairing requests authored by another device. Admin and shared-secret operator sessions retain full visibility. (#69375) Thanks @eleqtrizit.
  • Agents/gateway tool: extend the agent-facing gateway tool's config mutation guard so model-driven config.patch and config.apply cannot rewrite operator-trusted paths (sandbox, plugin trust, gateway auth/TLS, hook routing and tokens, SSRF policy, MCP servers, workspace filesystem hardening) and cannot bypass the guard by editing per-agent sandbox, tools, or embedded-Pi overrides in place under agents.list[]. (#69377) Thanks @eleqtrizit.
  • Gateway/websocket broadcasts: require operator.read (or higher) for chat, agent, and tool-result event frames so pairing-scoped and node-role sessions no longer passively receive session chat content, and scope-gate unknown broadcast events by default. Plugin-defined plugin.* broadcasts are scoped to operator.write/admin, and status/transport events (heartbeat, presence, tick, etc.) remain unrestricted. Per-client sequence numbers preserve per-connection monotonicity. (#69373) Thanks @eleqtrizit.
  • Agents/compaction: always reload embedded Pi resources through an explicit loader and reapply reserve-token overrides so runs without extension factories no longer silently lose compaction settings before session start. (#67146) Thanks @ly85206559.
  • Memory-core/dreaming: normalize sweep timestamps and reuse hashed narrative session keys for fallback cleanup so Dreaming narrative sub-sessions stop leaking. (#67023) Thanks @chiyouYCH.
  • Gateway/startup: delay HTTP bind until websocket handlers are attached, so immediate post-startup websocket health/connect probes no longer hit the startup race window. (#43392) Thanks @dalefrieswthat.
  • Codex/app-server: release the session lane when a downstream consumer throws while draining the turn/completed notification, so follow-up messages after a Codex plugin reply stop queueing behind a stale lane lock. Fixes #67996. (#69072) Thanks @ayeshakhalid192007-dev.
  • Codex/app-server: default approval handling to on-request so Codex harness sessions do not start with overly permissive tool approvals. (#68721) Thanks @Lucenx9.
  • Cron/delivery: keep isolated cron chat delivery tools available, resolve channel: "last" targets from the gateway, show delivery previews in cron list/show, and avoid duplicate fallback sends after direct message-tool delivery. (#69587) Thanks @obviyus.
  • Cron/Telegram: key isolated direct-delivery dedupe to each cron execution instead of the reused session id, so recurring Telegram announce runs no longer report delivered while silently skipping later sends. (#69000) Thanks @obviyus.
  • Models/Kimi: default bundled Kimi thinking to off and normalize Anthropic-compatible thinking payloads so stale session /think state no longer silently re-enables reasoning on Kimi runs. (#68907) Thanks @frankekn.
  • Control UI/cron: keep the runtime-only last delivery sentinel from being materialized into persisted cron delivery and failure-alert channel configs when jobs are created or edited. (#68829) Thanks @tianhaocui.
  • OpenAI/Responses: strip orphaned reasoning blocks before outbound Responses API calls so compacted or restored histories no longer fail on standalone reasoning items. (#55787) Thanks @suboss87.
  • Cron/CLI: parse PowerShell-style --tools allow-lists the same way as comma-separated input, so cron add and cron edit no longer persist exec read write as one combined tool entry on Windows. (#68858) Thanks @chen-zhang-cs-code.
  • Browser/user-profile: let existing-session profile="user" tool calls auto-route to a connected browser node or use explicit target="node", while still honoring explicit target="host" pinning. (#48677)
  • Discord/slash commands: tolerate partial Discord channel metadata in slash-command and model-picker flows so partial channel objects no longer crash when channel names, topics, or thread parent metadata are unavailable. (#68953) Thanks @dutifulbob.
  • BlueBubbles: consolidate outbound HTTP through a typed BlueBubblesClient that resolves the SSRF policy once at construction so image attachments stop getting blocked on localhost and reactions stop getting blocked on private-IP BB deployments. Fixes #34749 and #59722. (#68234) Thanks @omarshahine.
  • Cron/gateway: reject ambiguous announce delivery config at add/update time so invalid multi-channel or target-id provider settings fail early instead of persisting broken cron jobs. (#69015) Thanks @obviyus.
  • Cron/main-session delivery: preserve heartbeat.target="last" through deferred wake queuing, gateway wake forwarding, and same-target wake coalescing so queued cron replies still return to the last active chat. (#69021) Thanks @obviyus.
  • Cron/gateway: ignore disabled channels when announce delivery ambiguity is checked, and validate main-session delivery patches against the live cron service default agent so hot-reloaded agent config does not falsely reject valid updates. (#69040) Thanks @obviyus.
  • Matrix/allowlists: hot-reload dm.allowFrom and groupAllowFrom entries on inbound messages while keeping config removals authoritative, so Matrix allowlist changes no longer require a channel restart to add or revoke a sender. (#68546) Thanks @johnlanni.
  • BlueBubbles: always set method explicitly on outbound text sends ("private-api" when available, "apple-script" otherwise), and prefer Private API on macOS 26 even for plain text. Fixes silent delivery failure on macOS setups without Private API where an omitted method let BB Server fall back to version-dependent default behavior that silently drops the message (#64480), and the AppleScript -1700 error on macOS 26 Tahoe plain text sends (#53159). (#69070) Thanks @xqing3.
  • Matrix/commands: recognize slash commands that are prefixed with the bot's Matrix mention, so room messages like @bot:server /new trigger the command path without requiring custom mention regexes. (#68570) Thanks @nightq and @johnlanni.
  • Gateway/pairing: return reason-specific PAIRING_REQUIRED details, remediation hints, and request ids so unapproved-device and scope-upgrade failures surface actionable recovery guidance in the CLI and Control UI. (#69227) Thanks @obviyus.
  • Agents/subagents: include requested role and runtime timing on subagent failure payloads so parent agents can correlate failed or timed-out child work. (#68726) Thanks @BKF-Gitty.
  • Gateway/sessions: reject stale agent-scoped sessions after an agent is removed from config while preserving legacy default-agent main-session aliases. (#65986) Thanks @bittoby.
  • Doctor/gateway: surface pending device pairing requests, scope-upgrade approval drift, and stale device-token mismatch repair steps so openclaw doctor --fix no longer leaves pairing/auth setup failures unexplained. (#69210) Thanks @obviyus.
  • Cron/isolated-agent: preserve explicit delivery.mode: "none" message targets for isolated runs without inheriting implicit last routing, so agent-initiated Telegram sends keep their authored destination while bare mode:none jobs stay targetless. (#69153) Thanks @obviyus.
  • Cron/isolated-agent: keep delivery.mode: "none" account-only or thread-only configs from inheriting a stale implicit recipient, so isolated runs only resolve message routing when the job authored an explicit to target. (#69163) Thanks @obviyus.
  • Gateway/TUI: retry session history while the local gateway is still finishing startup, so openclaw tui reconnects no longer fail on transient chat.history unavailable during gateway startup errors. (#69164) Thanks @shakkernerd.
  • BlueBubbles/reactions: fall back to love when an agent reacts with an emoji outside the iMessage tapback set (love/like/dislike/laugh/emphasize/question), so wider-vocabulary model reactions like 👀 still produce a visible tapback instead of failing the whole reaction request. Configured ack reactions still validate strictly via the new normalizeBlueBubblesReactionInputStrict path. (#64693) Thanks @zqchris.
  • BlueBubbles: prefer iMessage over SMS when both chats exist for the same handle, honor explicit sms: targets, and never silently downgrade iMessage-available recipients. (#61781) Thanks @rmartin.
  • Telegram/setup: require numeric allowFrom user IDs during setup instead of offering unsupported @username DM resolution, and point operators to from.id/getUpdates for discovery. (#69191) Thanks @obviyus.
  • GitHub Copilot/onboarding: default GitHub Copilot setup to claude-opus-4.6 and keep the bundled default model list aligned, so new Copilot setups no longer start on the older gpt-4o default. (#69207) Thanks @obviyus.
  • Gateway/status: separate reachability, capability, and read-probe reporting so connect-only or scope-limited sessions no longer look fully healthy, and normalize SSH targets entered as ssh user@host. (#69215) Thanks @obviyus.
  • Slack: fix outbound replies failing with "unresolved SecretRef" for accounts configured via file or exec secret sources; the send path now tolerates the runtime snapshot retaining an unresolved channel SecretRef when a boot-resolved token override is already available. (#68954) Thanks @openperf.
  • Control UI/device pairing: explain scope and role approval upgrades during reconnects, and show requested versus approved access in the Control UI and openclaw devices so broader reconnects no longer look like lost pairings. (#69221) Thanks @obviyus.
  • Gateway/Control UI: surface pending scope, role, and device-metadata pairing approvals in auth errors and Control UI hints so broader reconnects no longer look like random auth breakage. (#69226) Thanks @obviyus.
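Two entries in this release close the same class of hole from different directions: the MCP entry drops interpreter-startup keys such as NODE_OPTIONS from the environment handed to stdio servers while keeping credential and proxy variables, and the Security/dotenv entry refuses the whole OPENCLAW_* namespace from untrusted workspace .env files so a runtime-control variable introduced later is blocked the day it ships. The block below is an added TypeScript example of both filters, not OpenClaw's own code. The function names, the .env parser and the exact key list are this example's choices: NODE_OPTIONS, MAVEN_OPTS, SBT_OPTS, GRADLE_OPTS, ANT_OPTS, GLIBC_TUNABLES and DOTNET_ADDITIONAL_DEPS are named in this release history, the remaining entries are well-known peers added here.

```typescript
// Added example, not OpenClaw's implementation. Key lists and names are this example's choices.

// Keys that make an interpreter, dynamic loader or build tool execute attacker-chosen code
// before the program's own entry point runs.
const INTERPRETER_STARTUP_KEYS: ReadonlySet<string> = new Set([
  "NODE_OPTIONS",
  "PYTHONSTARTUP", "PYTHONPATH",
  "PERL5OPT", "RUBYOPT",
  "JAVA_TOOL_OPTIONS", "MAVEN_OPTS", "SBT_OPTS", "GRADLE_OPTS", "ANT_OPTS",
  "GLIBC_TUNABLES",
  "DOTNET_ADDITIONAL_DEPS", "DOTNET_STARTUP_HOOKS",
]);
// Loader families blocked by prefix: LD_PRELOAD, LD_LIBRARY_PATH, DYLD_INSERT_LIBRARIES, ...
const BLOCKED_PREFIXES = ["LD_", "DYLD_"];

export function isInterpreterStartupKey(key: string): boolean {
  const k = key.toUpperCase();  // Windows env names are case-insensitive; compare uppercased
  return INTERPRETER_STARTUP_KEYS.has(k) || BLOCKED_PREFIXES.some((p) => k.startsWith(p));
}

export type EnvFilterResult = { env: Record<string, string>; dropped: string[] };

// Environment for a stdio MCP server child process. Everything not on the denylist
// (API keys, HTTP(S)_PROXY/NO_PROXY, PATH, HOME, ...) passes through unchanged.
export function sanitizeStdioServerEnv(env: Record<string, string | undefined>): EnvFilterResult {
  const out: Record<string, string> = {};
  const dropped: string[] = [];
  for (const [key, value] of Object.entries(env)) {
    if (value === undefined) continue;
    if (isInterpreterStartupKey(key)) { dropped.push(key); continue; }
    out[key] = value;
  }
  return { env: out, dropped };
}

export type DotenvResult = {
  accepted: Record<string, string>;
  rejected: Array<{ key: string; reason: string }>;
};

// Minimal KEY=VALUE parser for an untrusted workspace .env (comments, optional "export ",
// simple quoting). The OPENCLAW_ namespace is refused as a whole rather than key by key,
// so the check fails closed for variables that do not exist yet.
export function loadUntrustedWorkspaceDotenv(body: string): DotenvResult {
  const accepted: Record<string, string> = {};
  const rejected: Array<{ key: string; reason: string }> = [];
  for (const rawLine of body.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === "" || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq <= 0) continue;  // not KEY=VALUE: ignore the line
    const key = line.slice(0, eq).replace(/^export\s+/, "").trim();
    let value = line.slice(eq + 1).trim();
    const quote = value.charAt(0);
    if ((quote === '"' || quote === "'") && value.length >= 2 && value.endsWith(quote)) {
      value = value.slice(1, -1);
    }
    if (key.toUpperCase().startsWith("OPENCLAW_")) {
      rejected.push({ key, reason: "OPENCLAW_* runtime-control namespace is never workspace-settable" });
    } else if (isInterpreterStartupKey(key)) {
      rejected.push({ key, reason: "interpreter-startup key" });
    } else {
      accepted[key] = value;
    }
  }
  return { accepted, rejected };
}
```

The sanitized object is what goes into the env option of child_process.spawn for the server; the dropped list is worth logging at warn level, since a workspace that tries to set NODE_OPTIONS or LD_PRELOAD is either misconfigured or hostile, and either way the operator should hear about it.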
v2026.4.15 Breaking risk
Breaking changes
  • Client tool definitions whose names normalize-collide with a built-in or with another client tool in the same request are now rejected with 400 invalid_request_error on JSON and SSE paths
  • available_skills entries now sorted by skill name after merging sources; skills.load.extraDirs order no longer affects prompt-cache prefixes
Security fixes
  • Trusted local MEDIA: tool-result passthrough is now anchored to the exact raw name of registered built-in tools, so client tools can no longer inherit built-in trust through a name collision
Notable features
  • Gemini text-to-speech support added to bundled google plugin including voice selection, WAV reply output, and PCM telephony output
Full changelog

Changes

  • Anthropic/models: default Anthropic selections, opus aliases, Claude CLI defaults, and bundled image understanding to Claude Opus 4.7.
  • Google/TTS: add Gemini text-to-speech support to the bundled google plugin, including provider registration, voice selection, WAV reply output, PCM telephony output, and setup/docs guidance. (#67515) Thanks @barronlroth.

Fixes

  • Agents/skills: sort prompt-facing available_skills entries by skill name after merging sources so skills.load.extraDirs order no longer changes prompt-cache prefixes. (#64198) Thanks @Bartok9.
  • Agents/context + Memory: trim default startup/skills prompt budgets, cap memory_get excerpts by default with explicit continuation metadata, and keep QMD reads aligned with the same bounded excerpt contract so long sessions pull less context by default without losing deterministic follow-up reads.
  • BlueBubbles/inbound: restore inbound image attachment downloads on Node 22+ by stripping incompatible bundled-undici dispatchers from the non-SSRF fetch path, accept updated-message webhooks carrying attachments, use event-type-aware dedup keys so attachment follow-ups are not rejected as duplicates, and retry attachment fetch from the BB API when the initial webhook arrives with an empty array. (#64105, #61861, #65430, #67510) Thanks @omarshahine.
  • CLI/update: prune stale packaged dist chunks after npm upgrades and keep downgrade/verify inventory checks compat-safe so global upgrades stop failing on stale chunk imports. (#66959) Thanks @obviyus.
  • Gateway/tools: anchor trusted local MEDIA: tool-result passthrough on the exact raw name of this run's registered built-in tools, and reject client tool definitions whose names normalize-collide with a built-in or with another client tool in the same request (400 invalid_request_error on both JSON and SSE paths), so a client-supplied tool named like a built-in can no longer inherit its local-media trust. (#67303)
  • OpenAI Codex/models: normalize stale native transport metadata in both runtime resolution and discovery/listing so legacy openai-codex rows with missing api or https://chatgpt.com/backend-api/v1 self-heal to the canonical Codex transport instead of routing requests through broken HTML/Cloudflare paths, combining the original fixes proposed in #66969 (saamuelng601-pixel) and #67159 (hclsys). (#67635)
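The Gateway/tools fix above is a confused-deputy bug at the name level: a lenient matcher that ignores case and separators let a client-supplied tool named like a built-in inherit the built-in's local-media trust. The block below is an added TypeScript example of both halves of the fix, not OpenClaw's own code. The normalization rule, the ClientTool shape, validateClientTools and isTrustedLocalMediaResult are assumptions; the 400 invalid_request_error response and the MEDIA: result convention are taken from the entry.

```typescript
// Added example, not OpenClaw's implementation. Normalization rule and shapes are assumptions.
export type ClientTool = { name: string; description?: string };

export type ToolValidation =
  | { ok: true; accepted: string[] }
  | { ok: false; status: 400; error: "invalid_request_error"; message: string };

// A lenient matcher that ignores case and separators sees "Image-Generate" and "image_generate"
// as the same tool. Normalizing both sides the same way exposes that collision up front.
export function normalizeToolName(name: string): string {
  return name.toLowerCase().replace(/[^a-z0-9]+/g, "");
}

function reject(message: string): ToolValidation {
  return { ok: false, status: 400, error: "invalid_request_error", message };
}

// Rejects the request when a client tool collides with a built-in or with another client tool.
// Same outcome on JSON and SSE paths: the check runs before any streaming begins.
export function validateClientTools(clientTools: ClientTool[], builtinNames: Iterable<string>): ToolValidation {
  const builtins = new Map<string, string>();
  for (const name of builtinNames) builtins.set(normalizeToolName(name), name);
  const seen = new Map<string, string>();
  for (const tool of clientTools) {
    const key = normalizeToolName(tool.name);
    const builtin = builtins.get(key);
    if (builtin !== undefined) {
      return reject(`client tool "${tool.name}" collides with built-in tool "${builtin}"`);
    }
    const earlier = seen.get(key);
    if (earlier !== undefined) {
      return reject(`client tool "${tool.name}" collides with client tool "${earlier}"`);
    }
    seen.set(key, tool.name);
  }
  return { ok: true, accepted: Array.from(seen.values()) };
}

// Local-media passthrough: a result of the form "MEDIA:<path>" is trusted only when it came
// from a built-in registered for this run, matched on the exact raw name, never normalized.
export function isTrustedLocalMediaResult(
  toolName: string,
  registeredBuiltins: ReadonlySet<string>,
  result: string,
): boolean {
  return result.startsWith("MEDIA:") && registeredBuiltins.has(toolName);
}
```

The two checks are deliberately asymmetric: collision detection normalizes aggressively so that anything a lenient matcher could confuse is refused, while the trust decision normalizes nothing so that only the exact registered name can unlock local file access.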
v2026.4.14 Mixed
Security fixes
  • Slack channel interactions allowlist bypass fixed with sender verification
  • Media attachment path validation bypass fixed (fail-closed realpath)
  • ReDoS vulnerability in markdown parsing fixed (marked.js → markdown-it)
Notable features
  • GPT-5.4-pro forward compatibility with Codex pricing and visibility
  • Telegram forum topic names surfaced in agent context and metadata
  • Core codebase performance refactors
v2026.4.12 Mixed
Security fixes
  • Remove busybox/toybox from interpreter-like safe bins
  • Prevent empty approver list from granting explicit approval authorization
  • Broaden shell-wrapper detection and block env-argv assignment injection
Notable features
  • Active Memory plugin for automatic ongoing context recall
  • Local MLX speech provider for Talk Mode
  • Bundled LM Studio provider for local model hosting
v2026.4.11 Mixed
Notable features
  • ChatGPT import ingestion to Dreaming with Imported Insights and Memory Palace tabs
  • Structured chat bubbles for media/reply/voice directives with [embed ...] tag
  • Video generation with URL-only asset delivery, typed options, and adaptive aspect-ratio support
v2026.4.10 Breaking risk
Security fixes
  • SSRF and browser sandbox defenses including hostname allowlists, CDP discovery, subframes, and Docker source-range enforcement
  • Tools execution hardening with exec preflight reads, environment denylisting, ACPX hooks, and token redaction
  • WebSocket frame validation and gateway startup security improvements
Notable features
  • Bundled Codex provider with native auth and model discovery
  • Active Memory plugin for automatic context and preference management
  • QA testing lanes for Matrix, Telegram, and multipass Linux VMs
v2026.4.9 Security relevant
⚠ Upgrade required
  • Untrusted workspace .env files can no longer set runtime-control, browser-control override, or skip-server env vars — audit workspace configurations that relied on these overrides (#62660, #62663)
  • Legacy Matrix DM policy configs (channels.matrix.dm.policy: 'trusted') should be migrated via openclaw doctor --fix to preserve allowFrom boundaries or default to pairing policy (#62942)
  • iOS release trains now use explicit CalVer pinned in apps/ios/version.json; use the documented pnpm ios:version:pin -- --from-gateway workflow when promoting a new gateway version (#63001)
Security fixes
  • Re-run blocked-destination SSRF checks after interaction-driven main-frame navigations (click, evaluate, hook-triggered click, batched actions) so browser interactions cannot bypass SSRF quarantine (#63226)
  • Block runtime-control, browser-control override, and skip-server env vars from untrusted workspace .env files; reject unsafe URL-style browser control override specifiers before lazy loading (#62660, #62663)
  • Sanitize and mark remote node exec.started/exec.finished/exec.denied event summaries as untrusted so node output cannot inject trusted System: content into later turns (#62659)
Notable features
  • REM backfill lane for historical memory replay via rem-harness --path with diary commit/reset flows and live short-term promotion integration
  • Structured diary view with timeline navigation, backfill/reset controls, traceable dreaming summaries, and grounded Scene lane with promotion hints
  • Provider auth aliases (providerAuthAliases in manifests) allowing plugin variants to share env vars, auth profiles, and onboarding choices without core-specific wiring
v2026.4.8 Bug fix

Fixed startup errors in Telegram, BlueBubbles, Feishu, Google Chat, IRC, Matrix, Mattermost, Microsoft Teams, Nextcloud Talk, Slack, and Zalo by loading contracts through sidecars. Improved Slack proxy support, agent execution reporting, and network fetch behavior.

v2026.4.7 Mixed
⚠ Upgrade required
  • Bumped bundled `acpx` pin to `0.5.1` for strict version compatibility
  • Docker/Podman environments now auto-bind to `0.0.0.0` internally
  • Configuring compaction providers now uses `agents.defaults.compaction.provider`
Security fixes
  • Blocked dangerous Java, Rust, Cargo, Git, and Kubernetes env overrides to prevent host-run tool redirection
  • Implemented SSRF protection for MS Teams file-consent uploads via HTTPS and host allowlist validation
  • Added byte limits to base64 decoding to prevent bypass of size checks
Notable features
  • New `openclaw infer ...` CLI hub for model, media, web, and embedding tasks
  • Restored `memory-wiki` stack with structured claim/evidence fields and contradiction clustering
  • Bundled webhook ingress plugin for external automation via shared-secret endpoints
v2026.4.5 Breaking risk
Breaking changes
  • Removed legacy public config aliases such as talk.voiceId and agents.sandbox.perSession, replacing them with canonical paths and enabled flags.
Notable features
  • Added built-in video_generate tool enabling agents to create videos via configured providers.
  • Added built-in music_generate tool with bundled providers and async task tracking for audio generation.
  • Introduced a bundled media plugin providing image, video, and music generation workflows with reference-image upload and live testing.
v2026.4.2 Breaking risk
Breaking changes
  • Moved x_search configuration to plugin-owned path and updated auth.
  • Moved web_fetch Firecrawl config to plugin-owned path and added provider fallback.
Notable features
  • Restored core Task Flow substrate with managed vs mirrored sync and durable state for background orchestration.
  • Added bound api.runtime.taskFlow seam enabling plugins to drive managed Task Flows without owner identifiers.
  • Provided Android assistant role entrypoints and Google Assistant App Actions metadata for launching OpenClaw.
v2026.4.1 New feature
Notable features
  • Tasks board for chat-native background task tracking
  • SearXNG and Bedrock Guardrails bundled provider support
  • Global default provider parameters and per-job tool allowlists
v2026.3.31 Breaking risk
Breaking changes
  • Plugin SDK: deprecated legacy provider compat subpaths, migrate to openclaw/plugin-sdk/*
  • Dangerous code scanning now fails closed by default, use --dangerously-force-unsafe-install to override
  • Gateway/auth: trusted-proxy rejects mixed shared-token configs
Notable features
  • Background task control plane with SQLite-backed ledger and flow management
  • QQ Bot bundled channel plugin with multi-account support
  • Task flow registry with orchestration capabilities
v2026.3.28 New feature
Breaking changes
  • Qwen portal-auth OAuth removed; migrate to Model Studio with modelstudio-api-key
  • Config migrations older than two months no longer automatic
Notable features
  • Plugin hooks with async approval via exec overlay and channel buttons
  • xAI Grok web-search plugin with x_search support
  • MiniMax image generation for image-01 model
v2026.3.24 New feature
Notable features
  • Microsoft Teams migration to official SDK with streaming replies and feedback
  • OpenAI compatibility layer with /v1/models and /v1/embeddings endpoints
  • Control UI skill management with status filters and requirements display
v2026.3.23 Bug fix
Security fixes
  • CSP script-src directive with SHA-256 hashes for inline scripts
Notable features
  • Knot theme refinement with black-and-red palette and WCAG 2.1 AA contrast
  • Qwen DashScope endpoints for standard pay-as-you-go API keys
v2026.3.22 Breaking risk
Breaking changes
  • Plugin SDK surface is now openclaw/plugin-sdk/*; openclaw/extension-api removed
  • Message discovery requires ChannelMessageActionAdapter.describeMessageTool(...)
  • New official Matrix plugin; migrate from legacy Matrix plugin
Security fixes
  • Exec environment sandbox blocks MAVEN_OPTS, SBT_OPTS, GRADLE_OPTS, ANT_OPTS injection
  • Block GLIBC_TUNABLES and DOTNET_ADDITIONAL_DEPS exploitation
  • Voice-call webhooks reject missing provider signature headers
Notable features
  • ClawHub-first plugin installation with npm fallback
  • Carbon reconcile for Discord command deployment
v2026.3.13-1 Bug fix
Security fixes
  • Telegram SSRF vulnerability
Notable features
  • Android chat settings UI redesign
v2026.3.12 New feature
Breaking changes
  • Workspace plugin auto-load disabled—explicit trust required
Security fixes
  • Device pairing bootstrap tokens (GHSA-99qw-6mr3-36qr)
  • Workspace plugin auto-load security fix
Notable features
  • Control UI modular dashboard redesign
  • Configurable fast mode toggles for OpenAI/Anthropic
  • Provider plugin architecture
v2026.3.11 Security relevant
Breaking changes
  • Cron jobs can no longer notify through ad hoc agent sends or fallback session summaries
Security fixes
  • Gateway/WebSocket cross-site hijacking (GHSA-5wcw-8jjv-m286)
Notable features
  • iOS home canvas bundled welcome screen
  • Gemini embedding-2-preview memory search
  • Ollama local/cloud onboarding
v2026.3.8 New feature
Notable features
  • Backup create and verify commands
  • Brave LLM Context mode for web search
  • Talk mode configurable silence timeout
v2026.3.7 New feature
Notable features
  • Context engine plugin system with lifecycle hooks
  • Persistent Discord/Telegram channel bindings
  • Spanish locale support
v2026.3.2 New feature
Notable features
  • PDF tool with native Anthropic and Google provider support
  • Secrets/SecretRef expanded to 64 targets with fast-fail validation
  • Telegram streaming defaults to partial with draft-based DM preview
v2026.3.1 New feature
Notable features
  • HTTP health check endpoints (/health, /healthz, /ready, /readyz)
  • Telegram DM topics with per-DM authorization and config
  • Android camera, device permissions, and notification management support
v2026.2.26 New feature
Notable features
  • External Secrets Management with audit/configure/apply workflow
  • ACP agents as first-class runtimes for thread sessions
  • Android device status/info and notifications.list support
v2026.2.25 Breaking risk
Breaking changes
  • Heartbeat direct/DM delivery default changed to allow (set agents.defaults.heartbeat.directPolicy: "block" to restore previous behavior)
Notable features
  • Mobile stacked layout for compose action buttons
  • Android startup macrobenchmark and cold-start perf tracking
  • heartbeat.directPolicy config for clearer delivery semantics
v2026.2.24 Breaking risk
Breaking changes
  • Heartbeat delivery blocks direct/DM targets by default
  • Docker container namespace-join mode blocked by default (set agents.defaults.sandbox.docker.dangerouslyAllowContainerNamespaceJoin: true to restore)
Notable features
  • Multilingual stop keywords in ES, FR, ZH, HI, AR, JP, DE, PT, RU
  • Native Android four-step onboarding with five-tab shell (Connect, Chat, Voice, Screen, Settings)
  • Multi-user heuristic detection for shared setup security hardening
v2026.2.23 Breaking risk
Breaking changes
  • Browser SSRF policy now defaults to dangerouslyAllowPrivateNetwork instead of allowPrivateNetwork; migrate with `openclaw doctor --fix`
Security fixes
  • Config redaction for sensitive-looking dynamic keys in config snapshots
Notable features
  • Kilo Gateway first-class provider support with model defaults and transcript caching
  • Moonshot video provider and web_search integration with citation extraction
  • Per-agent params overrides for independent cache behavior tuning
v2026.2.22 New feature
Security fixes
  • Credential redaction in `openclaw config get` output preventing credential leakage to terminal
Notable features
  • Mistral provider with memory embeddings and voice support
  • Auto-updater for packages with stable/beta cadence and dry-run preview
  • Multi-language FTS query expansion for Spanish, Portuguese, Japanese, Korean, Arabic
v2026.2.21 New feature
Security fixes
  • Upgraded gateway lock and tool-call synthetic IDs from SHA-1 to SHA-256 for stronger hashing
Notable features
  • Gemini 3.1 and Volcano Engine (Doubao)/BytePlus provider support with coding variants
  • Discord streaming preview, voice channels, and thread-bound subagents with lifecycle reactions
  • iOS chat UI polish, watch notification bridging, and background wake stabilization
v2026.2.19 Mixed
⚠ Upgrade required
  • Gateway authentication now defaults to token mode with auto-generation if unresolved.
  • Lobster execution now relies on the system PATH rather than internal path overrides.
  • Some plugins/hooks may require updates due to stricter path containment and integrity checks.
Breaking changes
  • Lobster configuration now requires PATH-based execution and removes `lobsterPath` overrides.
  • Gateway HTTP APIs require specific authentication/authorization configurations for certain endpoints.
Security fixes
  • Prevented command injection in Windows daemon startup scripts by quoting arguments and escaping metacharacters.
  • Mitigated SSRF risks in webhooks, browser navigation, and network parsing (blocking NAT64/6to4/Teredo).
  • Hardened plugin/hook discovery by blocking unsafe paths, root escapes, and world-writable directories.
Notable features
  • Apple Watch companion MVP with inbox UI and notification relay.
  • New paired-device hygiene flows including `device.pair.remove` and `openclaw devices remove`.
  • Enhanced iOS/APNs integration with push registration and notification-signing configuration.
v2026.2.17 Mixed
⚠ Upgrade required
  • Cron jobs with malformed schedules will no longer abort persistence of successful sibling jobs
  • Existing transcript files can be remediated using 'openclaw security audit --fix'
  • Docker builds now include an optional OPENCLAW_INSTALL_BROWSER argument to preinstall Chromium
Security fixes
  • Fixed OC-09 credential-theft path via environment-variable injection
  • Hardened configuration file $include resolution with cross-platform-safe path containment
  • Implemented user-only (0o600) permissions for new session transcript JSONL files
Notable features
  • Support for Anthropic Sonnet 4.6 and 1M context beta via model params
  • New /subagents spawn command for deterministic subagent activation
  • iOS share extension for forwarding URL, text, and image content to gateway
v2026.2.15 Mixed
⚠ Upgrade required
  • Set `agents.defaults.subagents.maxSpawnDepth` to 2 or higher to enable sub-agents to spawn children
  • Use `cron.webhookToken` for dedicated webhook authentication for outbound cron posts
Security fixes
  • Replaced deprecated SHA-1 sandbox configuration hashing with SHA-256
  • Redacted Telegram bot tokens from error messages and stack traces
  • Blocked dangerous Docker configurations (bind mounts, host networking, unconfined seccomp/apparmor) to prevent container escape
Notable features
  • Discord Components v2 support for buttons, selects, modals, and attachment-backed file blocks
  • Nested sub-agents with configurable depth and maxChildrenPerAgent limits
  • Plugin hooks for observing llm_input and llm_output payloads
v2026.2.14 Mixed
⚠ Upgrade required
  • Legacy `dm.policy` and `dm.allowFrom` keys can be migrated using `openclaw doctor --fix`.
  • Telegram `@username` configurations can be migrated to numeric IDs using `openclaw doctor --fix`.
Breaking changes
  • Telegram: Webhook startup will now be rejected if `webhookSecret` is missing or empty.
  • Telegram: Authorization now requires numeric sender IDs; `@username` principals are rejected (use `openclaw doctor --fix` to migrate).
  • Google Chat: `users/<email>` allowlists are deprecated; use immutable user IDs instead.
Security fixes
  • Prevented shell injection via cmd.exe metacharacters in Windows child processes.
  • Hardened Discord voice message media loading against SSRF and local file disclosure.
  • Mitigated memory-poisoning risks by treating recalled memories as untrusted context in LanceDB.
Notable features
  • Added Telegram poll sending via `openclaw message poll` with duration and anonymity controls.
  • Added `dmPolicy` and `allowFrom` configuration aliases for Slack and Discord DM access control.
  • Configurable browser-container bind mounts via `sandbox.browser.binds`.
v2026.2.13 Mixed
⚠ Upgrade required
  • Note: The change to IP-based auth for Canvas may require updating bearer tokens for public-source IP access.
Breaking changes
  • Canvas IP-based auth fallback now only accepts machine-scoped addresses (RFC1918, link-local, ULA IPv6, CGNAT); public-source IP matches now require bearer token auth.
Security fixes
  • Blocked high-risk tools (sessions_spawn, sessions_send, gateway, whatsapp_login) from HTTP /tools/invoke by default.
  • Implemented SSRF protection by blocking loopback/internal host patterns and private IPv6 addresses in URL handling.
  • Constrained /trace/stop, /wait/download, and /download output paths to OpenClaw temp roots to prevent traversal.
Notable features
  • First-class Hugging Face Inference provider support with dedicated onboarding and auth flow.
  • Added vLLM as an onboarding provider with model discovery and auth profile wiring.
  • Discord support for sending voice messages with waveform previews from local audio files.
v2026.2.12 Mixed
⚠ Upgrade required
  • To maintain legacy session key behavior in hooks, explicitly set hooks.allowRequestSessionKey: true.
  • Users should configure hooks.defaultSessionKey and hooks.allowedSessionKeyPrefixes for recommended hook context handling.
Breaking changes
  • POST /hooks/agent now rejects payload sessionKey overrides by default; use hooks.defaultSessionKey or set hooks.allowRequestSessionKey: true for legacy behavior.
Security fixes
  • Hardened URL-based input_file/input_image handling with SSRF deny policy and hostname allowlists.
  • Fixed unauthenticated Nostr profile API remote config tampering.
  • Removed bundled soul-evil hook.
Notable features
  • Added Z.AI endpoint-specific authentication choices and expanded default wiring.
  • Updated MiniMax API to use M2.5 and M2.5-Lightning models.
  • Added CLI support for displaying log timestamps in local timezone via `--local-time`.
v2026.2.9 New feature
Notable features
  • iOS alpha node app with setup-code onboarding
  • Device pairing and phone control plugins
  • Grok (xAI) as web_search provider
Full changelog

Added

  • iOS: alpha node app + setup-code onboarding. (#11756) Thanks @mbelinky.
  • Channels: comprehensive BlueBubbles and channel cleanup. (#11093) Thanks @tyler6204.
  • Plugins: device pairing + phone control plugins (Telegram /pair, iOS/Android node controls). (#11755) Thanks @mbelinky.
  • Tools: add Grok (xAI) as a web_search provider. (#12419) Thanks @tmchow.
  • Gateway: add agent management RPC methods for the web UI (agents.create, agents.update, agents.delete). (#11045) Thanks @advaitpaliwal.
  • Web UI: show a Compaction divider in chat history. (#11341) Thanks @Takhoffman.
  • Agents: include runtime shell in agent envelopes. (#1835) Thanks @Takhoffman.
  • Paths: add OPENCLAW_HOME for overriding the home directory used by internal path resolution. (#12091) Thanks @sebslight.

Fixes

  • Telegram: harden quote parsing; preserve quote context; avoid QUOTE_TEXT_INVALID; avoid nested reply quote misclassification. (#12156) Thanks @rybnikov.
  • Telegram: recover proactive sends when stale topic thread IDs are used by retrying without message_thread_id. (#11620)
  • Telegram: render markdown spoilers with <tg-spoiler> HTML tags. (#11543) Thanks @ezhikkk.
  • Telegram: truncate command registration to 100 entries to avoid BOT_COMMANDS_TOO_MUCH failures on startup. (#12356) Thanks @arosstale.
  • Telegram: match DM allowFrom against sender user id (fallback to chat id) and clarify pairing logs. (#12779) Thanks @liuxiaopai-ai.
  • Onboarding: QuickStart now auto-installs shell completion (prompt only in Manual).
  • Auth: strip embedded line breaks from pasted API keys and tokens before storing/resolving credentials.
  • Web UI: make chat refresh smoothly scroll to the latest messages and suppress new-messages badge flash during manual refresh.
  • Tools/web_search: include provider-specific settings in the web search cache key, and pass inlineCitations for Grok. (#12419) Thanks @tmchow.
  • Tools/web_search: normalize direct Perplexity model IDs while keeping OpenRouter model IDs unchanged. (#12795) Thanks @cdorsey.
  • Model failover: treat HTTP 400 errors as failover-eligible, enabling automatic model fallback. (#1879) Thanks @orenyomtov.
  • Errors: prevent false positive context overflow detection when conversation mentions "context overflow" topic. (#2078) Thanks @sbking.
  • Gateway: no more post-compaction amnesia; injected transcript writes now preserve Pi session parentId chain so agents can remember again. (#12283) Thanks @Takhoffman.
  • Gateway: fix multi-agent sessions.usage discovery. (#11523) Thanks @Takhoffman.
  • Agents: recover from context overflow caused by oversized tool results (pre-emptive capping + fallback truncation). (#11579) Thanks @tyler6204.
  • Subagents/compaction: stabilize announce timing and preserve compaction metrics across retries. (#11664) Thanks @tyler6204.
  • Cron: share isolated announce flow and harden scheduling/delivery reliability. (#11641) Thanks @tyler6204.
  • Cron tool: recover flat params when LLM omits the job wrapper for add requests. (#12124) Thanks @tyler6204.
  • Gateway/CLI: when gateway.bind=lan, use a LAN IP for probe URLs and Control UI links. (#11448) Thanks @AnonO6.
  • Hooks: fix bundled hooks broken since 2026.2.2 (tsdown migration). (#9295) Thanks @patrickshao.
  • Routing: refresh bindings per message by loading config at route resolution so binding changes apply without restart. (#11372) Thanks @juanpablodlc.
  • Exec approvals: render forwarded commands in monospace for safer approval scanning. (#11937) Thanks @sebslight.
  • Config: clamp maxTokens to contextWindow to prevent invalid model configs. (#5516) Thanks @lailoo.
  • Thinking: allow xhigh for github-copilot/gpt-5.2-codex and github-copilot/gpt-5.2. (#11646) Thanks @LatencyTDH.
  • Discord: support forum/media thread-create starter messages, wire message thread create --message, and harden routing. (#10062) Thanks @jarvis89757.
  • Paths: structurally resolve OPENCLAW_HOME-derived home paths and fix Windows drive-letter handling in tool meta shortening. (#12125) Thanks @mcaxtr.
  • Memory: set Voyage embeddings input_type for improved retrieval. (#10818) Thanks @mcinteerj.
  • Memory/QMD: reuse default model cache across agents instead of re-downloading per agent. (#12114) Thanks @tyler6204.
  • Media understanding: recognize .caf audio attachments for transcription. (#10982) Thanks @succ985.
  • State dir: honor OPENCLAW_STATE_DIR for default device identity and canvas storage paths. (#4824) Thanks @kossoy.
v2026.2.6 New feature
Notable features
  • Anthropic Opus 4.6 and OpenAI gpt-5.3-codex support
  • xAI (Grok) provider support
  • Web UI token usage dashboard
Full changelog

Changes

  • Models: support Anthropic Opus 4.6 and OpenAI Codex gpt-5.3-codex (forward-compat fallbacks). (#9853, #10720, #9995) Thanks @TinyTb, @calvin-hpnet, @tyler6204.
  • Providers: add xAI (Grok) support. (#9885) Thanks @grp06.
  • Web UI: add token usage dashboard. (#10072) Thanks @Takhoffman.
  • Memory: native Voyage AI support. (#7078) Thanks @mcinteerj.
  • Sessions: cap sessions_history payloads to reduce context overflow. (#10000) Thanks @gut-puncture.
  • CLI: sort commands alphabetically in help output. (#8068) Thanks @deepsoumya617.
  • Agents: bump pi-mono to 0.52.7; add embedded forward-compat fallback for Opus 4.6 model ids.

Fixes

  • Telegram: auto-inject DM topic threadId in message tool + subagent announce. (#7235) Thanks @Lukavyi.
  • Security: require auth for Gateway canvas host and A2UI assets. (#9518) Thanks @coygeek.
  • Cron: fix scheduling and reminder delivery regressions; harden next-run recompute + timer re-arming + legacy schedule fields. (#9733, #9823, #9948, #9932) Thanks @tyler6204, @pycckuu, @j2h4u, @fujiwara-tofu-shop.
  • Update: harden Control UI asset handling in update flow. (#10146) Thanks @gumadeiras.
  • Security: add skill/plugin code safety scanner; redact credentials from config.get gateway responses. (#9806, #9858) Thanks @abdelsfane.
  • Exec approvals: coerce bare string allowlist entries to objects. (#9903) Thanks @mcaxtr.
  • Slack: add mention stripPatterns for /new and /reset. (#9971) Thanks @ironbyte-rgb.
  • Chrome extension: fix bundled path resolution. (#8914) Thanks @kelvinCB.
  • Compaction/errors: allow multiple compaction retries on context overflow; show clear billing errors. (#8928, #8391) Thanks @Glucksberg.
v2026.2.3 Mixed
⚠ Upgrade required
  • Cron: isolated jobs now default to announce delivery; CLI supports --keep-after-run to prevent automatic deletion of one-shot jobs.
Breaking changes
  • Cron: isolated jobs hard-migrated to announce/none delivery mode; legacy post-to-main/payload delivery fields and atMs inputs are dropped.
Security fixes
  • Prevent untrusted channel metadata from entering system prompts (Slack/Discord).
  • Enforce sandboxed media paths for message tool attachments.
  • Require explicit credentials for gateway URL overrides to prevent credential leakage.
Notable features
  • Added Cloudflare AI Gateway provider setup and documentation.
  • Added Moonshot (.cn) authentication choice.
  • Added per-channel and per-account responsePrefix overrides.
v2026.2.2 Mixed
⚠ Upgrade required
  • New configuration option `agents.defaults.subagents.thinking` allows setting a default subagent thinking level.
Security fixes
  • Require operator.approvals for gateway /approve commands
  • Require full MXIDs for Matrix allowlists to prevent ambiguous name resolution access
  • Enforce access-group gating for Slack slash commands when channel type lookup fails
Notable features
  • Feishu/Lark plugin support
  • Agents dashboard for managing files, tools, skills, models, channels, and cron jobs
  • Opt-in QMD backend for workspace memory
v2026.2.1 Mixed
⚠ Upgrade required
  • Gateway listeners now require TLS 1.3 minimum.
  • Windows users: Resolved spawn() failures for npm-family CLIs by appending .cmd when needed.
Breaking changes
  • Gateway requires TLS 1.3 minimum for TLS listeners.
  • pi-ai updated to 0.50.9; cacheControlTtl renamed to cacheRetention (with back-compat mapping).
Security fixes
  • Blocked arbitrary execution via lobsterPath/cwd injection (GHSA-4mhr-g7xj-cg8j).
  • Sanitized WhatsApp accountId to prevent path traversal.
  • Restricted MEDIA path extraction to prevent LFI.
Notable features
  • Added system prompt safety guardrails for Agents.
  • Extended CreateAgentSessionOptions with systemPrompt, skills, and contextFiles.
  • Added OpenRouter app attribution headers to Agents.
v2026.1.30 Mixed
⚠ Upgrade required
  • Aligned npm tar override and bin metadata to ensure the `openclaw` CLI entrypoint is preserved in npm publishes
Security fixes
  • Restricted local path extraction in media parser to prevent LFI (#4880)
Notable features
  • Added shell completion for Zsh, Bash, PowerShell, and Fish
  • Added `models status` command with agent filtering
  • Added Kimi K2.5 to synthetic model catalog
v2026.1.29 Mixed

Significant rebranding of the npm package/CLI to `openclaw`. Includes a breaking change where gateway auth "none" mode is removed, requiring a token or password. Major updates include Telegram feature expansions, gateway security hardening, and automated config migrations.

Who should care: Users running the gateway without authentication will need to configure a

v2026.1.24 Mixed
⚠ Upgrade required
  • Gateway: config.patch now exposes safe partial updates with a restart sentinel
  • Gateway: Control UI token-only auth can now skip device pairing via gateway.controlUi.allowInsecureAuth
  • macOS: direct-transport ws:// URLs now default to port 18789
Notable features
  • LINE plugin support with rich replies and quick replies
  • Ollama provider discovery and Edge TTS fallback
  • In-chat execution approvals via /approve across all channels
v2026.1.23 Mixed
⚠ Upgrade required
  • The gateway now restarts by default after running `clawdbot update`; use `--no-restart` to skip this behavior.
Breaking changes
  • Removed standalone `wake` command from CLI.
Notable features
  • New `/tools/invoke` HTTP endpoint for direct tool calls with auth and policy enforcement.
  • Telegram TTS moved into core with enabled model-driven TTS tags for expressive audio.
  • Added Fly.io deployment support and guide.
v2026.1.22 New feature
Notable features
  • Compaction safeguard with adaptive chunking and progressive fallback
  • Slack reply threading overrides via replyToModeByChatType
  • BlueBubbles voice memo support for MP3/CAF files
Full changelog

Changes

  • Highlight: Compaction safeguard now uses adaptive chunking, progressive fallback, and UI status + retries. (#1466) Thanks @dlauer.
  • Providers: add Antigravity usage tracking to status output. (#1490) Thanks @patelhiren.
  • Slack: add chat-type reply threading overrides via replyToModeByChatType. (#1442) Thanks @stefangalescu.
  • BlueBubbles: add asVoice support for MP3/CAF voice memos in sendAttachment. (#1477, #1482) Thanks @Nicell.
  • Onboarding: add hatch choice (TUI/Web/Later), token explainer, background dashboard seed on macOS, and showcase link.

Fixes

  • BlueBubbles: stop typing indicator on idle/no-reply. (#1439) Thanks @Nicell.
  • Message tool: keep path/filePath as-is for send; hydrate buffers only for sendAttachment. (#1444) Thanks @hopyky.
  • Auto-reply: only report a model switch when session state is available. (#1465) Thanks @robbyczgw-cla.
  • Control UI: resolve local avatar URLs with basePath across injection + identity RPC. (#1457) Thanks @dlauer.
  • Agents: sanitize assistant history text to strip tool-call markers. (#1456) Thanks @zerone0x.
  • Discord: clarify Message Content Intent onboarding hint. (#1487) Thanks @kyleok.
  • Gateway: stop the service before uninstalling and fail if it remains loaded.
  • Agents: surface concrete API error details instead of generic AI service errors.
  • Exec: fall back to non-PTY when PTY spawn fails (EBADF). (#1484)
  • Exec approvals: allow per-segment allowlists for chained shell commands on gateway + node hosts. (#1458) Thanks @czekaj.
  • Agents: make OpenAI sessions image-sanitize-only; gate tool-id/repair sanitization by provider.
  • Doctor: honor CLAWDBOT_GATEWAY_TOKEN for auth checks and security audit token reuse. (#1448) Thanks @azade-c.
  • Agents: make tool summaries more readable and only show optional params when set.
  • Agents: honor SOUL.md guidance even when the file is nested or path-qualified. (#1434) Thanks @neooriginal.
  • Matrix (plugin): persist m.direct for resolved DMs and harden room fallback. (#1436, #1486) Thanks @sibbl.
  • CLI: prefer ~ for home paths in output.
  • Mattermost (plugin): enforce pairing/allowlist gating, keep @username targets, and clarify plugin-only docs. (#1428) Thanks @damoahdominic.
  • Agents: centralize transcript sanitization in the runner; keep tags and error turns intact.
  • Auth: skip auth profiles in cooldown during initial selection and rotation. (#1316) Thanks @odrobnik.
  • Agents/TUI: honor user-pinned auth profiles during cooldown and preserve search picker ranking. (#1432) Thanks @tobiasbischoff.
  • Docs: fix gog auth services example to include docs scope. (#1454) Thanks @zerone0x.
  • Slack: reduce WebClient retries to avoid duplicate sends. (#1481)
  • Slack: read thread replies for message reads when threadId is provided (replies-only). (#1450) Thanks @rodrigouroz.
  • macOS: prefer linked channels in gateway summary to avoid false “not linked” status.
  • macOS/tests: fix gateway summary lookup after guard unwrap; prevent browser opens during tests. (ECID-1483)
v2026.1.21 Mixed

Introduced Lobster plugin for typed workflows and approval gates. Added custom assistant identities and avatars to Control UI. Implemented cache TTL pruning and optimizations. Expanded exec approval modes and tightened allowlist gating. Updated CLI with an update wizard and reorganized gateway/node commands.

Who should care: Users managing agent

v2026.1.20 Mixed
⚠ Upgrade required
  • Run 'clawdbot doctor --fix' to repair configuration if the gateway refuses to start due to invalid entries.
  • Update plugins using 'clawdbot plugins update' if configuration repairs are performed.
Breaking changes
  • Reject invalid/unknown config entries and refuse to start the gateway for safety.
Security fixes
  • Warn when <=300B models run without sandboxing while web tools are enabled.
  • Harden SSRF protection with shared hostname checks and redirect limits for web fetch.
Notable features
  • Hybrid BM25 + vector search (FTS5) with weighted merging and fallback.
  • SQLite embedding cache to speed up reindexing and frequent updates.
  • TUI enhancements including syntax highlighting, searchable model picker, and session picker improvements.
v2026.1.16-2 Mixed
⚠ Upgrade required
  • Migrate legacy `tools.bash` to `tools.exec`.
  • Use `--link` when installing plugins to avoid copying files into the extensions directory.
  • Update channel authentication to use configuration instead of environment variables for Discord, Telegram, and Matrix.
Breaking changes
  • `clawdbot message` and message tool now require `target` (dropping `to`/`channelId`).
  • Channel auth now prefers config over env for Discord, Telegram, and Matrix.
  • Legacy `chatType: "room"` support removed; use `chatType: "channel"`.
Security fixes
  • Implemented default-deny for slash/control commands unless authorized by a channel.
  • Ensured WhatsApp and Zalo plugin channels correctly gate inline tokens.
  • Redacted sensitive text in gateway WebSocket logs.
Notable features
  • New hooks system with bundled hooks, CLI tooling, and documentation.
  • Inbound media understanding for image, audio, and video with provider and CLI fallbacks.
  • Added Zalo Personal plugin and unified channel directory for plugins.
v2026.1.15 Mixed

Updated iOS minimum version to 18.0. Microsoft Teams is now a plugin. Added provider auth registry for plugin-driven OAuth/API key flows, improved remote CDP/Browserless support, and implemented encrypted storage for app node auth tokens. Added security audit warnings for weak model tiers.

Who should care: iOS users and developers integrating

v2026.1.14-1 Mixed

Added web search/fetch tools via Brave API and introduced Chrome extension relay for remote browser control. Expanded security auditing, added plugin HTTP hooks, and introduced new channel support for Matrix and Zalo. Includes significant bug fixes for Telegram, Slack, and WhatsApp.

Who should care: Users managing multi-channel bots, developers implementi

v2026.1.12-2 Bug fix

Included `dist/memory/**` in the npm tarball to resolve `ERR_MODULE_NOT_FOUND` for `dist/memory/index.js`.

v2026.1.12 Mixed
⚠ Upgrade required
  • Legacy configuration keys for providers will be automatically migrated to 'channels.*' on load and written back to the config.
  • Run 'clawdbot doctor --non-interactive' after git installs or updates to verify the environment.
Breaking changes
  • Renamed chat 'providers' (Slack/Telegram/WhatsApp/etc.) to 'channels' across CLI, RPC, and configuration; legacy keys auto-migrate on load.
Notable features
  • Vector search for Markdown-only agent memories using SQLite indexing, chunking, and file watching.
  • Full voice-call plugin parity restored for Telnyx and Twilio, including streaming and inbound policies.
  • Added support for Synthetic provider and Moonshot Kimi K2 0905 (including turbo/thinking variants).
v2026.1.11-3 Bug fix

Resolved top-level await warnings in the CLI entrypoint during fresh installs and added a commit hash to the banner for npm installs using the package.json gitHead fallback.

v2026.1.11-2 Bug fix

Fixed an issue where the CLI entrypoint was not executable after npm installs and included dist/plugins/ in the npm package to prevent missing module errors.

v2026.1.11-1 Bug fix

Fixed installer to properly include patches directory in npm and bun packages for postinstall patching.

v2026.1.11 Mixed
⚠ Upgrade required
  • The installer now uses a built-in JS patcher, removing the requirement for a system git dependency.
  • macOS users: local mode now always manages launchd and may prompt to install the global clawdbot CLI.
  • Gateway connections now require 'client.id' in WebSocket parameters.
Breaking changes
  • The bash tool has been renamed to exec (though a config alias is maintained).
Notable features
  • First-class plugin system with extension loader, discovery paths, and CLI management (install, list, enable, disable).
  • Modular configuration support using the $include directive.
  • Experimental 'apply_patch' tool for multi-file edits (OpenAI-only, gated by config).
v2026.1.10 Mixed
⚠ Upgrade required
  • Users on git installs can now use `clawdbot update` for a safe update process.
  • The `docker-setup.sh` script now supports optional home volumes and extra bind mounts.
  • macOS users should note that unsigned launchd overrides are cleared on signed restarts.
Breaking changes
  • The OpenAI-compatible `/v1/chat/completions` endpoint is disabled by default; it must be enabled via `gateway.http.endpoints.chatCompletions.enabled=true`.
  • Commands `/config` and `/debug` are now disabled by default and must be explicitly enabled via configuration.
Notable features
  • New OpenAI-compatible `/v1/chat/completions` HTTP endpoint with SSE streaming and per-agent routing.
  • Codex CLI fallback with resume support and JSONL parsing capabilities.
  • Enhanced `clawdbot status` with table-based reporting, log tails, and Tailscale summaries.
v2026.1.9 Mixed

Introduces Microsoft Teams provider support with polling and attachments, along with OpenCode Zen and MiniMax API onboarding. Significant CLI updates include new subcommands for messages and a requirement for the --provider flag. Includes expanded authentication profiles and improved gateway discovery/status tools.

Who should care: Users managin

v2026.1.8 Breaking risk
⚠ Upgrade required
  • To maintain previous 'open to everyone' behavior, set dmPolicy='open' and include '*' in the relevant allowFrom settings.
  • Use 'clawdbot pairing list' and 'clawdbot pairing approve' to manage new DM pairing requests.
  • Use 'agent.userTimezone' to provide the user's local time to the model since timestamps are now UTC.
Breaking changes
  • Inbound DMs are now locked down by default on Telegram, WhatsApp, Signal, iMessage, Discord, and Slack; requires dmPolicy='pairing' and explicit allowlists to remain open.
  • Sandbox default agent.sandbox.scope changed to 'agent' (one container/workspace per agent).
  • Agent envelope timestamps are now UTC (YYYY-MM-DDTHH:mmZ); removed messages.timestampPrefix.
Security fixes
  • DMs locked down by default across supported providers to prevent unauthorized access.
Notable features
  • New per-agent sandbox scope defaults and workspace access controls.
  • Expanded CLI/Gateway/Doctor capabilities including daemon logs, status, and auth migration.
  • Enhanced provider reliability for Telegram, WhatsApp, Discord, and Slack including improved threading and media handling.
v2026.1.5-3 Bug fix

Included missing runtime dist folders (slack, signal, imessage, tui, wizard, control-ui, daemon) in the NPM package to prevent ERR_MODULE_NOT_FOUND errors during Node 25 npx installs.

v2026.1.5-1 Bug fix

Included `dist/sessions` in the NPM package to ensure `clawdbot agent` resolves session helpers in npx installs. Added a target for `qrcode-terminal/vendor/QRCode/index.js` to avoid unsupported directory imports in Node 25.

v2026.1.5 New feature
Notable features
  • Image-specific model config (agent.imageModel) with fallbacks
  • New image tool routed to image model
  • Default model shorthands (opus, sonnet, gpt, gemini)
Full changelog

Highlights

  • Models: add image-specific model config (agent.imageModel + fallbacks) and scan support.
  • Agent tools: new image tool routed to the image model (when configured).
  • Config: default model shorthands (opus, sonnet, gpt, gpt-mini, gemini, gemini-flash).
  • Docs: document built-in model shorthands + precedence (user config wins).

Fixes

  • Control UI: render Markdown in tool result cards.
  • Control UI: prevent overlapping action buttons in Discord guild rules on narrow layouts.
  • Android: tapping the foreground service notification brings the app to the front. (#179) — thanks @Syhids
  • Cron tool uses id for update/remove/run/runs (aligns with gateway params). (#180) — thanks @adamgall
  • Control UI: chat view uses page scroll with sticky header/sidebar and fixed composer (no inner scroll frame).
  • macOS: treat location permission as always-only to avoid iOS-only enums. (#165) — thanks @Nachx639
  • macOS: make generated gateway protocol models Sendable for Swift 6 strict concurrency. (#195) — thanks @andranik-sahakyan
  • macOS: bundle QR code renderer modules so DMG gateway boot doesn't crash on missing qrcode-terminal vendor files.
  • WhatsApp: suppress typing indicator during heartbeat background tasks. (#190) — thanks @mcinteerj
  • WhatsApp: mark offline history sync messages as read without auto-reply. (#193) — thanks @mcinteerj
  • Discord: avoid duplicate replies when a provider emits late streaming text_end events (OpenAI/GPT).
  • CLI: use tailnet IP for local gateway calls when bind is tailnet/auto (fixes #176).
  • Env: load global $CLAWDBOT_STATE_DIR/.env (~/.clawdbot/.env) as a fallback after CWD .env.
  • Env: optional login-shell env fallback (opt-in; imports expected keys without overriding existing env).
  • Agent tools: OpenAI-compatible tool JSON Schemas (fix browser, normalize union schemas).
  • Onboarding: when running from source, auto-build missing Control UI assets (pnpm ui:build).
  • Discord/Slack: route reaction + system notifications to the correct session (no main-session bleed).
  • Agent tools: honor agent.tools allow/deny policy even when sandbox is off.
  • Discord: avoid duplicate replies when OpenAI emits repeated message_end events.
  • Commands: unify /status (inline) and command auth across providers; group bypass for authorized control commands; remove Discord /clawd slash handler.
  • Control UI: render Markdown in chat messages (sanitized).
v2.0.0-beta5 Mixed
⚠ Upgrade required
  • Run `clawdis doctor` to migrate legacy `routing.allowFrom` and `requireMention` configurations.
  • When using `DISCORD_BOT_TOKEN` or `TELEGRAM_BOT_TOKEN`, you must now explicitly add `discord: { enabled: true }` or `telegram: { enabled: true }` to your config.
  • Nix mode users: legacy keys will cause a hard failure; ensure all configurations are updated to the new `skills.*` schema.
Breaking changes
  • Skills config schema moved under `skills.*` (e.g., `skillsLoad.extraDirs` → `skills.load.extraDirs`).
  • Per-skill config map moved to `skills.entries`.
  • Session group keys now use `surface:group:<id>` and `surface:channel:<id>`; legacy `group:*` keys migrate on next message.
Notable features
  • Talk Mode: Continuous speech conversations on macOS/iOS/Android with ElevenLabs TTS and interrupt-on-speech.
  • Expanded Discord tool actions including reactions, stickers, polls, threads, and moderation gates.
  • New CLI onboarding wizard for gateway, workspace, and skills setup with automated installers.

Beta — feedback welcome.