github openclaw/openclaw v2026.4.2
openclaw 2026.4.2
on GitHub

5 hours ago

Breaking

  • Plugins/xAI: move x_search settings from the legacy core tools.web.x_search.* path to the plugin-owned plugins.entries.xai.config.xSearch.* path, standardize x_search auth on plugins.entries.xai.config.webSearch.apiKey / XAI_API_KEY, and migrate legacy config with openclaw doctor --fix. (#59674) Thanks @vincentkoc.
  • Plugins/web fetch: move Firecrawl web_fetch config from the legacy core tools.web.fetch.firecrawl.* path to the plugin-owned plugins.entries.firecrawl.config.webFetch.* path, route web_fetch fallback through the new fetch-provider boundary instead of a Firecrawl-only core branch, and migrate legacy config with openclaw doctor --fix. (#59465) Thanks @vincentkoc.

Changes

  • Tasks/Task Flow: restore the core Task Flow substrate with managed-vs-mirrored sync modes, durable flow state/revision tracking, and openclaw flows inspection/recovery primitives so background orchestration can persist and be operated separately from plugin authoring layers. (#58930) Thanks @mbelinky.
  • Tasks/Task Flow: add managed child task spawning plus sticky cancel intent, so external orchestrators can stop scheduling immediately and let parent Task Flows settle to cancelled once active child tasks finish. (#59610) Thanks @mbelinky.
  • Plugins/Task Flow: add a bound api.runtime.taskFlow seam so plugins and trusted authoring layers can create and drive managed Task Flows from host-resolved OpenClaw context without passing owner identifiers on each call. (#59622) Thanks @mbelinky.
  • Android/assistant: add assistant-role entrypoints plus Google Assistant App Actions metadata so Android can launch OpenClaw from the assistant trigger and hand prompts into the chat composer. (#59596) Thanks @obviyus.
  • Exec defaults: make gateway/node host exec default to YOLO mode by requesting security=full with ask=off, and align host approval-file fallbacks plus docs/doctor reporting with that no-prompt default.
  • Providers/runtime: add provider-owned replay hook surfaces for transcript policy, replay cleanup, and reasoning-mode dispatch. (#59143) Thanks @jalehman.
  • Plugins/hooks: add before_agent_reply so plugins can short-circuit the LLM with synthetic replies after inline actions. (#20067) Thanks @JoshuaLelon.
  • Channels/session routing: move provider-specific session conversation grammar into plugin-owned session-key surfaces, preserving Telegram topic routing and Feishu scoped inheritance across bootstrap, model override, restart, and tool-policy paths.
  • Feishu/comments: add a dedicated Drive comment-event flow with comment-thread context resolution, in-thread replies, and feishu_drive comment actions for document collaboration workflows. (#58497) Thanks @wittam-01.
  • Matrix/plugin: emit spec-compliant m.mentions metadata across text sends, media captions, edits, poll fallback text, and action-driven edits so Matrix mentions notify reliably in clients like Element. (#59323) Thanks @gumadeiras.
  • Diffs: add plugin-owned viewerBaseUrl so viewer links can use a stable proxy/public origin without passing baseUrl on every tool call. (#59341) Related #59227. Thanks @gumadeiras.
  • Agents/compaction: resolve agents.defaults.compaction.model consistently for manual /compact and other context-engine compaction paths, so engine-owned compaction uses the configured override model across runtime entrypoints. (#56710) Thanks @oliviareid-svg.
  • Agents/compaction: add agents.defaults.compaction.notifyUser so the 🧹 Compacting context... start notice is opt-in instead of always being shown. (#54251) Thanks @oguricap0327.
  • WhatsApp/reactions: add reactionLevel guidance for agent reactions. Thanks @mcaxtr.
  • Exec approvals/channels: auto-enable DM-first native chat approvals when supported channels can infer approvers from existing owner config, while keeping channel fanout explicit and clarifying forwarding versus native approval client config.

Fixes

  • Providers/transport policy: centralize request auth, proxy, TLS, and header shaping across shared HTTP, stream, and websocket paths, block insecure TLS/runtime transport overrides, and keep proxy-hop TLS separate from target mTLS settings. (#59682) Thanks @vincentkoc.
  • Providers/Copilot: classify native GitHub Copilot API hosts in the shared provider endpoint resolver and harden token-derived proxy endpoint parsing so Copilot base URL routing stays centralized and fails closed on malformed hints. (#59644) Thanks @vincentkoc.
  • Providers/streaming headers: centralize default and attribution header merging across OpenAI websocket, embedded-runner, and proxy stream paths so provider-specific headers stay consistent and caller overrides only win where intended. (#59542) Thanks @vincentkoc.
  • Providers/media HTTP: centralize base URL normalization, default auth/header injection, and explicit header override handling across shared OpenAI-compatible audio, Deepgram audio, Gemini media/image, and Moonshot video request paths. (#59469) Thanks @vincentkoc.
  • Providers/OpenAI-compatible routing: centralize native-vs-proxy request policy so hidden attribution and related OpenAI-family defaults only apply on verified native endpoints across stream, websocket, and shared audio HTTP paths. (#59433) Thanks @vincentkoc.
  • Providers/Anthropic routing: centralize native-vs-proxy endpoint classification for direct Anthropic service_tier handling so spoofed or proxied hosts do not inherit native Anthropic defaults. (#59608) Thanks @vincentkoc.
  • Gateway/exec loopback: restore legacy-role fallback for empty paired-device token maps and allow silent local role upgrades so local exec and node clients stop failing with pairing-required errors after 2026.3.31. (#59092) Thanks @openperf.
  • Agents/subagents: pin admin-only subagent gateway calls to operator.admin while keeping agent at least privilege, so sessions_spawn no longer dies on loopback scope-upgrade pairing with close(1008) "pairing required". (#59555) Thanks @openperf.
  • Exec approvals/config: strip invalid security, ask, and askFallback values from ~/.openclaw/exec-approvals.json during normalization so malformed policy enums fall back cleanly to the documented defaults instead of corrupting runtime policy resolution. (#59112) Thanks @openperf.
  • Exec approvals/doctor: report host policy sources from the real approvals file path and ignore malformed host override values when attributing effective policy conflicts. (#59367) Thanks @gumadeiras.
  • Exec/runtime: treat tools.exec.host=auto as routing-only, keep implicit no-config exec on sandbox when available or gateway otherwise, and reject per-call host overrides that would bypass the configured sandbox or host target. (#58897) Thanks @vincentkoc.
  • Slack/mrkdwn formatting: add built-in Slack mrkdwn guidance in inbound context so Slack replies stop falling back to generic Markdown patterns that render poorly in Slack. (#59100) Thanks @jadewon.
  • WhatsApp/presence: send unavailable presence on connect in self-chat mode so personal-phone users stop losing all push notifications while the gateway is running. (#59410) Thanks @mcaxtr.
  • WhatsApp/media: add HTML, XML, and CSS to the MIME map and fall back gracefully for unknown media types instead of dropping the attachment. (#51562) Thanks @bobbyt74.
  • Matrix/onboarding: restore guided setup in openclaw channels add and openclaw configure --section channels, while keeping custom plugin wizards on the shared setupWizard seam. (#59462) Thanks @gumadeiras.
  • Matrix/streaming: keep live partial previews for the current assistant block while preserving completed block updates as separate messages when channels.matrix.blockStreaming is enabled. (#59384) Thanks @gumadeiras.
  • Feishu/comment threads: harden document comment-thread delivery so whole-document comments fall back to add_comment, delayed reply lookups retry more reliably, and user-visible replies avoid reasoning/planning spillover. (#59129) Thanks @wittam-01.
  • MS Teams/streaming: strip already-streamed text from fallback block delivery when replies exceed the 4000-character streaming limit so long responses stop duplicating content. (#59297) Thanks @BradGroux.
  • Slack/thread context: filter thread starter and history by the effective conversation allowlist without dropping valid open-room, DM, or group DM context. (#58380) Thanks @jacobtomlinson.
  • Mattermost/probes: route status probes through the SSRF guard and honor allowPrivateNetwork so connectivity checks stay safe for self-hosted Mattermost deployments. (#58529) Thanks @mappel-nv.
  • Zalo/webhook replay: scope replay dedupe key by chat and sender so reused message IDs across different chats or senders no longer collide, and harden metadata reads for partially missing payloads. (#58444)
  • QQBot/structured payloads: restrict local file paths to QQ Bot-owned media storage, block traversal outside that root, reduce path leakage in logs, and keep inline image data URLs working. (#58453) Thanks @jacobtomlinson.
  • Image generation/providers: route OpenAI, MiniMax, and fal image requests through the shared provider HTTP transport path so custom base URLs, guarded private-network routing, and provider request defaults stay aligned with the rest of provider HTTP. Thanks @vincentkoc.
  • Image generation/providers: stop inferring private-network access from configured OpenAI, MiniMax, and fal image base URLs, and cap shared HTTP error-body reads so hostile or misconfigured endpoints fail closed without relaxing SSRF policy or buffering unbounded error payloads. Thanks @vincentkoc.
  • Browser/host inspection: keep static Chrome inspection helpers out of the activated browser runtime so openclaw doctor browser and related checks do not eagerly load the bundled browser plugin. (#59471) Thanks @vincentkoc.
  • Browser/CDP: normalize trailing-dot localhost absolute-form hosts before loopback checks so remote CDP websocket URLs like ws://localhost.:... rewrite back to the configured remote host. (#59236) Thanks @mappel-nv.
  • Agents/output sanitization: strip namespaced antml:thinking blocks from user-visible text so Anthropic-style internal monologue tags do not leak into replies. (#59550) Thanks @obviyus.
  • Kimi Coding/tools: normalize Anthropic tool payloads into the OpenAI-compatible function shape Kimi Coding expects so tool calls stop losing required arguments. (#59440) Thanks @obviyus.
  • Image tool/paths: resolve relative local media paths against the agent workspaceDir instead of process.cwd() so inputs like inbox/receipt.png pass the local-path allowlist reliably. (#57222) Thanks Priyansh Gupta.
  • Podman/launch: remove noisy container output from scripts/run-openclaw-podman.sh and align the Podman install guidance with the quieter startup flow. (#59368) Thanks @sallyom.
  • Plugins/runtime: keep LINE reply directives and browser-backed cleanup/reset flows working even when those plugins are disabled while tightening bundled plugin activation guards. (#59412) Thanks @vincentkoc.
  • ACP/gateway reconnects: keep ACP prompts alive across transient websocket drops while still failing boundedly when reconnect recovery does not complete. (#59473) Thanks @obviyus.
  • ACP/gateway reconnects: reject stale pre-ack ACP prompts after reconnect grace expiry so callers fail cleanly instead of hanging indefinitely when the gateway never confirms the run.
  • Gateway/session kill: enforce HTTP operator scopes on session kill requests and gate authorization before session lookup so unauthenticated callers cannot probe session existence. (#59128) Thanks @jacobtomlinson.
  • MS Teams/logging: format non-Error failures with the shared unknown-error helper so logs stop collapsing caught SDK or Axios objects into [object Object]. (#59321) Thanks @BradGroux.
  • Channels/setup: ignore untrusted workspace channel plugins during setup resolution so a shadowing workspace plugin cannot override built-in channel setup/login flows unless explicitly trusted in config. (#59158) Thanks @mappel-nv.
  • Exec/Windows: restore allowlist enforcement with quote-aware argPattern matching across gateway and node exec, and surface accurate dynamic pre-approved executable hints in the exec tool description. (#56285) Thanks @kpngr.
  • Gateway: prune empty node-pending-work state entries after explicit acknowledgments and natural expiry so the per-node state map no longer grows indefinitely. (#58179) Thanks @gavyngong.
  • Webhooks/secret comparison: replace ad-hoc timing-safe secret comparisons across BlueBubbles, Feishu, Mattermost, Telegram, Twilio, and Zalo webhook handlers with the shared safeEqualSecret helper and reject empty auth tokens in BlueBubbles. (#58432) Thanks @eleqtrizit.
  • OpenShell/mirror: constrain remoteWorkspaceDir and remoteAgentWorkspaceDir to the managed /sandbox and /agent roots, and keep mirror sync from overwriting or removing user-added shell roots during config synchronization. (#58515) Thanks @eleqtrizit.
  • Plugins/activation: preserve explicit, auto-enabled, and default activation provenance plus reason metadata across CLI, gateway bootstrap, and status surfaces so plugin enablement state stays accurate after auto-enable resolution. (#59641) Thanks @vincentkoc.
  • Exec/env: block additional host environment override pivots for package roots, language runtimes, compiler include paths, and credential/config locations so request-scoped exec cannot redirect trusted toolchains or config lookups. (#59233) Thanks @drobison00.
  • Dotenv/workspace overrides: block workspace .env files from overriding OPENCLAW_PINNED_PYTHON and OPENCLAW_PINNED_WRITE_PYTHON so trusted helper interpreters cannot be redirected by repo-local env injection. (#58473) Thanks @eleqtrizit.
  • Plugins/install: accept JSON5 syntax in openclaw.plugin.json and bundle plugin.json manifests during install/validation, so third-party plugins with trailing commas, comments, or unquoted keys no longer fail to install. (#59084) Thanks @singleGanghood.
  • Telegram/exec approvals: rewrite shared /approve … allow-always callback payloads to /approve … always before Telegram button rendering so plugin approval IDs still fit Telegram's callback_data limit and keep the Allow Always action visible. (#59217) Thanks @jameslcowan.
  • Cron/exec timeouts: surface timed-out exec and bash failures in isolated cron runs even when verbose: off, including custom session-target cron jobs, so scheduled runs stop failing silently. (#58247) Thanks @skainguyen1412.
  • Telegram/exec approvals: fall back to the origin session key for async approval followups and keep resume-failure status delivery sanitized so Telegram followups still land without leaking raw exec metadata. (#59351) Thanks @seonang.
  • Node-host/exec approvals: bind pnpm dlx invocations through the approval planner's mutable-script path so the effective runtime command is resolved for approval instead of being left unbound. (#58374)
  • Exec/node hosts: stop forwarding the gateway workspace cwd to remote node exec when no workdir was explicitly requested, so cross-platform node approvals fall back to the node default cwd instead of failing with SYSTEM_RUN_DENIED. (#58977) Thanks @Starhappysh.
  • Exec approvals/channels: decouple initiating-surface approval availability from native delivery enablement so Telegram, Slack, and Discord still expose approvals when approvers exist and native target routing is configured separately. (#59776) Thanks @joelnishanth.
Check out latest releases or
releases around openclaw/openclaw v2026.4.2

Don't miss a new openclaw release

NewReleases is sending notifications on new releases.

Get notifications