Changes
- Providers/Kilo Gateway: add first-class
kilocodeprovider support (auth, onboarding, implicit provider detection, model defaults, transcript/cache-ttl handling, and docs), with default modelkilocode/anthropic/claude-opus-4.6. (#20212) Thanks @jrf0110 and @markijbema. - Providers/Vercel AI Gateway: accept Claude shorthand model refs (
vercel-ai-gateway/claude-*) by normalizing to canonical Anthropic-routed model ids. (#23985) Thanks @sallyom, @markbooch, and @vincentkoc. - Docs/Prompt caching: add a dedicated prompt-caching reference covering
cacheRetention, per-agentparamsmerge precedence, Bedrock/OpenRouter behavior, and cache-ttl + heartbeat tuning. Thanks @svenssonaxel. - Gateway/HTTP security headers: add optional
gateway.http.securityHeaders.strictTransportSecuritysupport to emitStrict-Transport-Securityfor direct HTTPS deployments, with runtime wiring, validation, tests, and hardening docs. - Sessions/Cron: harden session maintenance with
openclaw sessions cleanup, per-agent store targeting, disk-budget controls (session.maintenance.maxDiskBytes/highWaterBytes), and safer transcript/archive cleanup + run-log retention behavior. (#24753) thanks @gumadeiras. - Tools/web_search: add
provider: "kimi"(Moonshot) support with key/config schema wiring and a corrected two-step$web_searchtool flow that echoes tool results before final synthesis, including citation extraction from search results. (#16616, #18822) Thanks @adshine. - Media understanding/Video: add a native Moonshot video provider and include Moonshot in auto video key detection, plus refactor video execution to honor
entry/config/providerbaseUrl+header precedence (matching audio behavior). (#12063) Thanks @xiaoyaner0201. - Agents/Config: support per-agent
paramsoverrides merged on top of model defaults (includingcacheRetention) so mixed-traffic agents can tune cache behavior independently. (#17470, #17112) Thanks @rrenamed. - Agents/Bootstrap: cache bootstrap file snapshots per session key and clear them on session reset/delete, reducing prompt-cache invalidations from in-session
AGENTS.md/MEMORY.mdwrites. (#22220) Thanks @anisoptera. - Auto-reply/Abort shortcuts: expand standalone stop phrases (
stop openclaw,stop action,stop run,stop agent,please stop, and related variants) and accept trailing punctuation (for exampleSTOP OPENCLAW!!!) so emergency stop messages are caught more reliably.
Fixes
- Security/Config: redact sensitive-looking dynamic catchall keys in
config.getsnapshots (for exampleenv.*andskills.entries.*.env.*) and preserve round-trip restore behavior for those redacted sentinels. Thanks @merc1305. - Tests/Vitest: tier local parallel worker defaults by host memory, keep gateway serial by default on non-high-memory hosts, and document a low-profile fallback command for memory-constrained land/gate runs to prevent local OOMs. (#24719) Thanks @ngutman.
- WhatsApp/Group policy: fix
groupAllowFromsender filtering whengroupPolicy: "allowlist"is set without explicitgroups— previously all group messages were blocked even for allowlisted senders. (#24670) - Agents/Context pruning: extend
cache-ttleligibility to Moonshot/Kimi and ZAI/GLM providers (including OpenRouter model refs), socontextPruning.mode: "cache-ttl"is no longer silently skipped for those sessions. (#24497) Thanks @lailoo. - Doctor/Memory: query gateway-side default-agent memory embedding readiness during
openclaw doctor(instead of inferring from generic gateway health), and warn when the gateway memory probe is unavailable or not ready while keepingopenclaw configureremediation guidance. (#22327) thanks @therk. - Sessions/Store: canonicalize inbound mixed-case session keys for metadata and route updates, and migrate legacy case-variant entries to a single lowercase key to prevent duplicate sessions and missing TUI/WebUI history. (#9561) Thanks @hillghost86.
- Telegram/Reactions: soft-fail reaction action errors (policy/token/emoji/API), accept snake_case
message_id, and fallback to inbound message-id context when explicitmessageIdis omitted so DM reactions stay stable without regeneration loops. (#20236, #21001) Thanks @PeterShanxin and @vincentkoc. - Telegram/Polling: scope persisted polling offsets to bot identity and reuse a single awaited runner-stop path on abort/retry, preventing cross-token offset bleed and overlapping pollers during restart/error recovery. (#10850, #11347) Thanks @talhaorak, @anooprdawar, and @vincentkoc.
- Telegram/Reasoning: when
/reasoning offis active, suppress reasoning-only delivery segments and block raw fallback resend of suppressedReasoning:/<think>text, preventing internal reasoning leakage in legacy sessions while preserving answer delivery. (#24626, #24518) - Agents/Reasoning: when model-default thinking is active (for example
thinking=low), keep auto-reasoning disabled unless explicitly enabled, preventingReasoning:thinking-block leakage in channel replies. (#24335, #24290) thanks @Kay-051. - Agents/Reasoning: avoid classifying provider reasoning-required errors as context overflows so these failures no longer trigger compaction-style overflow recovery. (#24593) Thanks @vincentkoc.
- Agents/Models: codify
agents.defaults.model/agents.defaults.imageModelconfig-boundary input asstring | {primary,fallbacks}, split explicit vs effective model resolution, and fixmodels status --agentsource attribution so defaults-inherited agents are labeled asdefaultswhile runtime selection still honors defaults fallback. (#24210) thanks @bianbiandashen. - Agents/Compaction: pass
agentDirinto manual/compactcommand runs so compaction auth/profile resolution stays scoped to the active agent. (#24133) thanks @Glucksberg. - Agents/Compaction: pass model metadata through the embedded runtime so safeguard summarization can run when
ctx.modelis unavailable, avoiding repeated"Summary unavailable due to context limits"fallback summaries. (#3479) Thanks @battman21, @hanxiao and @vincentkoc. - Agents/Compaction: cancel safeguard compaction when summary generation cannot run (missing model/API key or summarization failure), preserving history instead of truncating to fallback
"Summary unavailable"text. (#10711) Thanks @DukeDeSouth and @vincentkoc. - Agents/Tools: make
session_statusread transcript-derived usage mid-turn and tail-read session logs for cache-aware context reporting without full-log scans. (#22387) Thanks @1ucian. - Agents/Overflow: detect additional provider context-overflow error shapes (including
input length+max_tokensexceed-context variants) so failures route through compaction/recovery paths instead of leaking raw provider errors to users. (#9951) Thanks @echoVic and @Glucksberg. - Agents/Overflow: add Chinese context-overflow pattern detection in
isContextOverflowErrorso localized provider errors route through overflow recovery paths. (#22855) Thanks @Clawborn. - Agents/Failover: treat HTTP 502/503/504 errors as failover-eligible transient timeouts so fallback chains can switch providers/models during upstream outages instead of retrying the same failing target. (#20999) Thanks @taw0002 and @vincentkoc.
- Auto-reply/Inbound metadata: hide direct-chat
message_id/message_id_fulland sender metadata only from normalized chat type (not sender-id sentinels), preserving group metadata visibility and preventing sender-id spoofed direct-mode classification. (#24373) thanks @jd316. - Auto-reply/Inbound metadata: move dynamic inbound
flags(reply/forward/thread/history) from system metadata to user-context conversation info, preventing turn-by-turn prompt-cache invalidation from flag toggles. (#21785) Thanks @aidiffuser. - Auto-reply/Sessions: remove auth-key labels from
/newand/resetconfirmation messages so session reset notices never expose API key prefixes or env-key labels in chat output. (#24384, #24409) Thanks @Clawborn. - Slack/Group policy: move Slack account
groupPolicydefaulting to provider-level schema defaults so multi-account configs inherit top-levelchannels.slack.groupPolicyinstead of silently overriding inheritance with per-accountallowlist. (#17579) Thanks @ZetiMente. - Providers/Anthropic: skip
context-1m-*beta injection for OAuth/subscription tokens (sk-ant-oat-*) while preserving OAuth-required betas, avoiding Anthropic 401 auth failures whenparams.context1mis enabled. (#10647, #20354) Thanks @ClumsyWizardHands and @dcruver. - Providers/DashScope: mark DashScope-compatible
openai-completionsendpoints assupportsDeveloperRole=falseso OpenClaw sendssysteminstead of unsupporteddeveloperrole on Qwen/DashScope APIs. (#19130) Thanks @Putzhuawa and @vincentkoc. - Providers/Bedrock: disable prompt-cache retention for non-Anthropic Bedrock models so Nova/Mistral requests do not send unsupported cache metadata. (#20866) Thanks @pierreeurope.
- Providers/Bedrock: apply Anthropic-Claude cacheRetention defaults and runtime pass-through for
amazon-bedrock/*anthropic.claude*model refs, while keeping non-Anthropic Bedrock models excluded. (#22303) Thanks @snese. - Providers/OpenRouter: remove conflicting top-level
reasoning_effortwhen injecting nestedreasoning.effort, preventing OpenRouter 400 payload-validation failures for reasoning models. (#24120) thanks @tenequm. - Providers/Groq: avoid classifying Groq TPM limit errors as context overflow so throttling paths no longer trigger overflow recovery logic. (#16176) Thanks @dddabtc.
- Gateway/WS: close repeated post-handshake
unauthorized role:*request floods per connection and sample duplicate rejection logs, preventing a single misbehaving client from degrading gateway responsiveness. (#20168) Thanks @acy103, @vibecodooor, and @vincentkoc. - Gateway/Restart: treat child listener PIDs as owned by the service runtime PID during restart health checks to avoid false stale-process kills and restart timeouts on launchd/systemd. (#24696) Thanks @gumadeiras.
- Config/Write: apply
unsetPathswith immutable path-copy updates so config writes never mutate caller-provided objects, and hardenopenclaw config get/set/unsetpath traversal by rejecting prototype-key segments and inherited-property traversal. (#24134) thanks @frankekn. - Channels/WhatsApp: accept
channels.whatsapp.enabledin config validation to match built-in channel auto-enable behavior, preventingUnrecognized key: "enabled"failures during channel setup. (#24263) - Security/Exec: detect obfuscated commands before exec allowlist decisions and require explicit approval for obfuscation patterns. (#8592) Thanks @CornBrother0x and @vincentkoc.
- Security/ACP: harden ACP client permission auto-approval to require trusted core tool IDs, ignore untrusted
toolCall.kindhints, and scopereadauto-approval to the active working directory so unknown tool names and out-of-scope file reads always prompt. This ships in the next npm release. Thanks @nedlir for reporting. - Security/Skills: escape user-controlled prompt, filename, and output-path values in
openai-image-genHTML gallery generation to prevent stored XSS in generatedindex.htmloutput. (#12538) Thanks @CornBrother0x. - Security/Skills: harden
skill-creatorpackaging by skipping symlink entries and rejecting files whose resolved paths escape the selected skill root. (#24260, #16959) Thanks @CornBrother0x and @vincentkoc. - Security/OTEL: redact sensitive values (API keys, tokens, credential fields) from diagnostics-otel log bodies, log attributes, and error/reason span fields before OTLP export. (#12542) Thanks @brandonwise.
- Security/CI: add pre-commit security hook coverage for private-key detection and production dependency auditing, and enforce those checks in CI alongside baseline secret scanning. Thanks @vincentkoc.
- Skills/Python: harden skill script packaging and validation edge cases (self-including
.skilloutputs, CRLF frontmatter parsing, strict--daysvalidation, and safer image file loading), with expanded Python regression coverage. Thanks @vincentkoc. - Skills/Python: add CI + pre-commit linting (
ruff) and pytest discovery coverage for Python scripts/tests underskills/, including package test execution from repo root. Thanks @vincentkoc.