npm openclaw 2026.4.15-beta.1
OpenClaw 2026.4.15-beta.1
on Node.js NPM

15 hours ago

Changes

  • Control UI/Overview: add a Model Auth status card showing OAuth token health and provider rate-limit pressure at a glance, with attention callouts when OAuth tokens are expiring or expired. Backed by a new models.authStatus gateway method that strips credentials and caches for 60s. (#66211) Thanks @omarshahine.
  • Memory/LanceDB: add cloud storage support to memory-lancedb so durable memory indexes can run on remote object storage instead of local disk only. (#63502) Thanks @rugvedS07.
  • GitHub Copilot/memory search: add a GitHub Copilot embedding provider for memory search, and expose a dedicated Copilot embedding host helper so plugins can reuse the transport while honoring remote overrides, token refresh, and safer payload validation. (#61718) Thanks @feiskyer and @vincentkoc.
  • Agents/local models: add experimental agents.defaults.experimental.localModelLean: true to drop heavyweight default tools like browser, cron, and message, reducing prompt size for weaker local-model setups without changing the normal path. (#66495) Thanks @ImLukeF.
  • Packaging/plugins: localize bundled plugin runtime deps to their owning extensions, trim the published docs payload, and tighten install/package-manager guardrails so published builds stay leaner and core stops carrying extension-owned runtime baggage. (#67099) Thanks @vincentkoc.
  • QA/Matrix: split Matrix live QA into a source-linked qa-matrix runner and keep repo-private qa-* surfaces out of packaged and published builds. (#66723) Thanks @gumadeiras.
  • Docs/showcase: add a scannable hero, complete section jump links, and a responsive video grid for community examples. (#48493) Thanks @jchopard69.

Fixes

  • Security/approvals: redact secrets in exec approval prompts so inline approval review can no longer leak credential material in rendered prompt content. (#61077, #64790)
  • CLI/configure: re-read the persisted config hash after writes so config updates stop failing with stale-hash races. (#64188, #66528)
  • CLI/update: prune stale packaged dist chunks after npm upgrades and keep downgrade/verify inventory checks compat-safe so global upgrades stop failing on stale chunk imports. (#66959) Thanks @obviyus.
  • Onboarding/CLI: fix channel-selection crashes on globally installed CLI setups during onboarding. (#66736)
  • Video generation/live tests: bound provider polling for live video smoke, default to the fast non-FAL text-to-video path, and use a one-second lobster prompt so release validation no longer waits indefinitely on slow provider queues.
  • Memory-core/QMD memory_get: reject reads of arbitrary workspace markdown paths and only allow canonical memory files (MEMORY.md, memory.md, DREAMS.md, dreams.md, memory/**) plus exact paths of active indexed QMD workspace documents, so the QMD memory backend can no longer be used as a generic workspace-file read shim that bypasses read tool-policy denials. (#66026) Thanks @eleqtrizit.
  • Cron/agents: forward embedded-run tool policy and internal event params into the attempt layer so --tools allowlists, cron-owned message-tool suppression, explicit message targeting, and command-path internal events all take effect at runtime again. (#62675) Thanks @hexsprite.
  • Setup/providers: guard preferred-provider lookup during setup so malformed plugin metadata with a missing provider id no longer crashes the wizard with Cannot read properties of undefined (reading 'trim'). (#66649) Thanks @Tianworld.
  • Matrix/security: normalize sandboxed profile avatar params, preserve mxc:// avatar URLs, and surface gmail watcher stop failures during reload. (#64701) Thanks @slepybear.
  • Telegram/documents: drop leaked binary caption bytes from inbound Telegram text handling so document uploads like .mobi or .epub no longer explode prompt token counts. (#66663) Thanks @joelnishanth.
  • Gateway/auth: resolve the active gateway bearer per-request on the HTTP server and the HTTP upgrade handler via getResolvedAuth(), mirroring the WebSocket path, so a secret rotated through secrets.reload or config hot-reload stops authenticating on /v1/*, /tools/invoke, plugin HTTP routes, and the canvas upgrade path immediately instead of remaining valid on HTTP until gateway restart. (#66651) Thanks @mmaps.
  • Agents/compaction: cap the compaction reserve-token floor to the model context window so small-context local models (e.g. Ollama with 16K tokens) no longer trigger context-overflow errors or infinite compaction loops on every prompt. (#65671) Thanks @openperf.
  • Agents/OpenAI Responses: classify the exact Unknown error (no error details in response) transport failure as failover reason unknown so assistant/model fallback still runs for that no-details failure path. (#65254) Thanks @OpenCodeEngineer.
  • Models/probe: surface invalid-model probe failures as format instead of unknown in models list --probe, and lock the invalid-model fallback path in with regression coverage. (#50028) Thanks @xiwuqi.
  • Agents/failover: classify OpenAI-compatible finish_reason: network_error stream failures as timeout so model fallback retries continue instead of stopping with an unknown failover reason. (#61784) thanks @lawrence3699.
  • Onboarding/channels: normalize channel setup metadata before discovery and validation so malformed or mixed-shape channel plugin metadata no longer breaks setup and onboarding channel lists. (#66706) Thanks @darkamenosa.
  • Slack/native commands: fix option menus for slash commands such as /verbose when Slack renders native buttons by giving each button a unique action ID while still routing them through the shared openclaw_cmdarg* listener. Thanks @Wangmerlyn.
  • Feishu/webhook: harden the webhook transport and card-action replay guards to fail closed on missing encryptKey and blank callback tokens — refuse to start the webhook transport without an encryptKey, reject unsigned requests when no key is present instead of accepting them, and drop blank card-action tokens before the dedupe claim and dispatcher. Defense-in-depth over the already-closed monitor-account layer. (#66707) Thanks @eleqtrizit.
  • Agents/workspace files: route agents.files.get, agents.files.set, and workspace listing through the shared fs-safe helpers (openFileWithinRoot/readFileWithinRoot/writeFileWithinRoot), reject symlink aliases for allowlisted agent files, and have fs-safe resolve opened-file real paths from the file descriptor before falling back to path-based realpath so a symlink swap between open and realpath can no longer redirect the validated path off the intended inode. (#66636) Thanks @eleqtrizit.
  • Gateway/MCP loopback: switch the /mcp bearer comparison from plain !== to constant-time safeEqualSecret (matching the convention every other auth surface in the codebase uses), and reject non-loopback browser-origin requests via checkBrowserOrigin before the auth gate runs. Loopback origins (127.0.0.1:*, localhost:*, same-origin) still go through, including the localhost127.0.0.1 host mismatch that browsers flag as Sec-Fetch-Site: cross-site. (#66665) Thanks @eleqtrizit.
  • Auto-reply/billing: classify pure billing cooldown fallback summaries from structured fallback reasons so users see billing guidance instead of the generic failure reply. (#66363) Thanks @Rohan5commit.
  • Agents/fallback: preserve the original prompt body on model fallback retries with session history so the retrying model keeps the active task instead of only seeing a generic continue message. (#66029) Thanks @WuKongAI-CMU.
  • Reply/secrets: resolve active reply channel/account SecretRefs before reply-run message-action discovery so channel token SecretRefs (for example Discord) do not degrade into discovery-time unresolved-secret failures. (#66796) Thanks @joshavant.
  • Agents/Anthropic: ignore non-positive Anthropic Messages token overrides and fail locally when no positive token budget remains, so invalid max_tokens values no longer reach the provider API. (#66664) thanks @jalehman
  • Agents/context engines: preserve prompt-only token counts, not full request totals, when deferred maintenance reuses after-turn runtime context so background compaction bookkeeping matches the active prompt window. (#66820) thanks @jalehman.
  • BlueBubbles/inbound: add a persistent file-backed GUID dedupe so MessagePoller webhook replays after BB Server restart or reconnect no longer cause the agent to re-reply to already-handled messages. (#19176, #12053, #66816) Thanks @omarshahine.
  • Secrets/plugins/status: align SecretRef inspect-vs-strict handling across plugin preload, read-only status/agents surfaces, and runtime auth paths so unresolved refs no longer crash read-only CLI flows while runtime-required non-env refs stay strict. (#66818) Thanks @joshavant.
  • Memory/dreaming: stop ordinary transcripts that merely quote the dream-diary prompt from being classified as internal dreaming runs and silently dropped from session recall ingestion. (#66852) Thanks @gumadeiras.
  • Telegram/documents: sanitize binary reply context and ZIP-like archive extraction so .epub and .mobi uploads can no longer leak raw binary into prompt context through reply metadata or archive-to-text/plain coercion. (#66877) Thanks @martinfrancois.
  • Telegram/native commands: restore plugin-registry-backed auto defaults for native commands and native skills so Telegram slash commands keep registering when commands.native and commands.nativeSkills stay on auto. (#66843) Thanks @kashevk0.
  • OpenRouter/Qwen3: parse reasoning_details stream deltas as thinking content without skipping same-chunk tool calls, so Qwen3 replies no longer fail empty on OpenRouter and mixed reasoning/tool-call chunks still execute normally. (#66905) Thanks @bladin.
  • fix(bluebubbles): replay missed webhook messages after gateway restart via a persistent per-account cursor and /api/v1/message/query?after=<ts> pass, so messages delivered while the gateway was down no longer disappear. Uses the existing processMessage path and is deduped by #66816's inbound GUID cache. (#66857, #66721) Thanks @omarshahine.
  • Telegram/native commands: keep Telegram command-sync cache process-local so gateway restarts re-register the menu instead of trusting stale on-disk sync state after Telegram cleared commands out-of-band. (#66730) Thanks @nightq.
  • Audio/self-hosted STT: restore models.providers.*.request.allowPrivateNetwork for audio transcription so private or LAN speech-to-text endpoints stop tripping SSRF blocks after the v2026.4.14 regression. (#66692) Thanks @jhsmith409.
  • Auto-reply/media: allow workspace-rooted absolute media paths in auto-reply send flows so valid local media references no longer fail path validation. (#66689)
  • WhatsApp/Baileys media upload: harden encrypted upload handling so large outbound media sends avoid buffer spikes and reliability regressions. (#65966) Thanks @frankekn.
  • QQBot/cron: guard against undefined event.content in parseFaceTags and filterInternalMarkers so cron-triggered agent turns with no content payload no longer crash with TypeError: Cannot read properties of undefined (reading 'startsWith'). (#66302) Thanks @xinmotlanthua.
  • CLI/plugins: stop --dangerously-force-unsafe-install plugin installs from falling back to hook-pack installs after security scan failures, while still preserving non-security fallback behavior for real hook packs. (#58909) Thanks @hxy91819.
  • Claude CLI/sessions: classify No conversation found with session ID as session_expired so expired CLI-backed conversations clear the stale binding and recover on the next turn. (#65028) thanks @Ivan-Fn.
  • Context Engine: gracefully fall back to the legacy engine when a third-party context engine plugin fails at resolution time (unregistered id, factory throw, or contract violation), preventing a full gateway outage on every channel. (#66930) Thanks @openperf.
  • Control UI/chat: keep optimistic user message cards visible during active sends by deferring same-session history reloads until the active run ends, including aborted and errored runs. (#66997) Thanks @scotthuang and @vincentkoc.
  • Media/Slack: allow host-local CSV and Markdown uploads only when the fallback buffer actually decodes as text, so real plain-text files work without letting opaque non-text blobs renamed to .csv or .md slip past the host-read guard. (#67047) Thanks @Unayung.
  • Ollama/onboarding: split setup into Cloud + Local, Cloud only, and Local only, support direct OLLAMA_API_KEY cloud setup without a local daemon, and keep Ollama web search on the local-host path. (#67005) Thanks @obviyus.
  • Docker/build: verify @matrix-org/matrix-sdk-crypto-nodejs native bindings with find under node_modules instead of a hardcoded .pnpm/... path so pnpm v10+ virtual-store layouts no longer fail the image build. (#67143) Thanks @ly85206559.
  • Matrix/E2EE: keep startup bootstrap conservative for passwordless token-auth bots, still attempt the guarded repair pass without requiring channels.matrix.password, and document the remaining password-UIA limitation. (#66228) Thanks @SARAMALI15792.
  • Cron/announce delivery: suppress mixed-content isolated cron announce replies that end with NO_REPLY so trailing silent sentinels no longer leak summary text to the target channel. (#65004) Thanks @neo1027144-creator.
  • Plugins/bundled channels: partition bundled channel lazy caches by active bundled root so OPENCLAW_BUNDLED_PLUGINS_DIR flips stop reusing stale plugin, setup, secrets, and runtime state. (#67200) Thanks @gumadeiras.
  • Packaging/plugins: prune common test/spec cargo from bundled plugin runtime dependencies and fail npm release validation if packaged test cargo reappears, keeping published tarballs leaner without plugin-specific special cases. (#67275) Thanks @gumadeiras.
  • Agents/context + Memory: trim default startup/skills prompt budgets, cap memory_get excerpts by default with explicit continuation metadata, and keep QMD reads aligned with the same bounded excerpt contract so long sessions pull less context by default without losing deterministic follow-up reads.
  • Matrix/commands: skip DM pairing-store reads on room traffic now that room control-command authorization ignores pairing-store entries, keeping the room path narrower without changing room auth behavior. (#67325) Thanks @gumadeiras.
  • Matrix/security: block DM pairing-store entries from authorizing room control commands. (#67294) Thanks @pgondhi987.
  • Gateway/security: enforce localRoots containment on the webchat audio embedding path. (#67298) Thanks @pgondhi987.
  • Webchat/security: reject remote-host file:// URLs in the media embedding path. (#67293) Thanks @pgondhi987.
  • Dreaming/memory-core: use the ingestion day, not the source file day, for daily recall dedupe so repeat sweeps of the same daily note can increment dailyCount across days instead of stalling at 1. (#67091) Thanks @Bartok9.
Check out latest releases or
releases around openclaw 2026.4.15-beta.1

Don't miss a new openclaw release

NewReleases is sending notifications on new releases.

Get notifications