npm openclaw 2026.4.7

latest releases: 2026.4.8, 2026.4.7-1
7 hours ago

Changes

  • CLI/infer: add a first-class openclaw infer ... hub for provider-backed inference workflows across model, media, web, and embedding tasks. Thanks @Takhoffman.
  • Tools/media generation: auto-fallback across auth-backed image, music, and video providers by default, preserve intent during provider switches, remap size/aspect/resolution/duration hints to the closest supported option, and surface provider capabilities plus mode-aware video-to-video support.
  • Memory/wiki: restore the bundled memory-wiki stack with plugin, CLI, sync/query/apply tooling, memory-host integration, structured claim/evidence fields, compiled digest retrieval, claim-health linting, contradiction clustering, staleness dashboards, and freshness-weighted search. Thanks @vincentkoc.
  • Plugins/webhooks: add a bundled webhook ingress plugin so external automation can create and drive bound TaskFlows through per-route shared-secret endpoints. (#61892) Thanks @mbelinky.
  • Gateway/sessions: add persisted compaction checkpoints plus Sessions UI branch/restore actions so operators can inspect and recover pre-compaction session state. (#62146) Thanks @scoootscooob.
  • Compaction: add pluggable compaction provider registry so plugins can replace the built-in summarization pipeline. Configure via agents.defaults.compaction.provider; falls back to LLM summarization on provider failure. (#56224) Thanks @DhruvBhatia0.
  • Agents/system prompt: add agents.defaults.systemPromptOverride for controlled prompt experiments plus heartbeat prompt-section controls so heartbeat runtime behavior can stay enabled without injecting heartbeat instructions every turn.
  • Providers/Google: add Gemma 4 model support and keep Google fallback resolution on the requested provider path so native Google Gemma routes work again. (#61507) Thanks @eyjohn.
  • Providers/Google: preserve explicit thinking-off semantics for Gemma 4 while still enabling Gemma reasoning support in compatibility wrappers. (#62127) Thanks @romgenie.
  • Providers/Arcee AI: add a bundled Arcee AI provider plugin with Trinity catalog entries, OpenRouter support, and updated onboarding/auth guidance. (#62068) Thanks @arthurbr11.
  • Providers/Anthropic: restore Claude CLI as the preferred local Anthropic path in onboarding, model-auth guidance, doctor flows, and Docker Claude CLI live lanes again.
  • Providers/Ollama: detect vision capability from the /api/show response and set image input on models that support it so Ollama vision models accept image attachments. (#62193) Thanks @BruceMacD.
  • Memory/dreaming: ingest redacted session transcripts into the dreaming corpus with per-day session-corpus notes, cursor checkpointing, and promotion/doctor support. (#62227) Thanks @vignesh07.
  • Providers/inferrs: add string-content compatibility for stricter OpenAI-compatible chat backends, document inferrs setup with a full config example, and add troubleshooting guidance for local backends that pass direct probes but fail on full agent-runtime prompts.
  • Agents/context engine: expose prompt-cache runtime context to context engines and keep current-turn prompt-cache usage aligned with the active attempt instead of stale prior-turn assistant state. (#62179) Thanks @jalehman.
  • Plugin SDK/context engines: pass availableTools and citationsMode into assemble(), and expose memory-artifact and memory-prompt seams so companion plugins and non-legacy context engines can consume active memory state without reaching into internals. Thanks @vincentkoc.
  • ACP/ACPX plugin: bump the bundled acpx pin to 0.5.1 so plugin-local installs and strict version checks pick up the latest published runtime release. (#62148) Thanks @onutc.
  • Discord/events: allow event-create to accept a cover image URL or local file path, load and validate PNG/JPG/GIF event cover media, and pass the encoded image payload through Discord admin action/runtime paths. (#60883) Thanks @bittoby.

Fixes

  • CLI/infer: keep provider-backed infer behavior aligned with actual runtime execution by fixing explicit TTS override handling, profile-aware gateway TTS prefs resolution, per-request transcription prompt/language overrides, image output MIME/extension mismatches, configured web-search fallback behavior, and agent-vs-CLI web-search execution drift.
  • Plugins/media: when plugins.allow is set, capability fallback now merges bundled capability plugin ids into the allowlist (not only plugins.entries), so media understanding providers such as OpenAI-compatible STT load for voice transcription without requiring openai in plugins.allow. (#62205) Thanks @neeravmakwana.
  • Agents/history and replies: buffer phaseless OpenAI WS text until a real assistant phase arrives, keep replay and SSE history sequence tracking aligned, hide commentary and leaked tool XML from user-visible history, and keep history-based follow-up replies on final_answer text only. (#61729, #61747, #61829, #61855, #61954) Thanks @100yenadmin and contributors.
  • Control UI: show /tts audio replies in webchat, detect mistaken ?token= auth links with the correct #token= hint, and keep Copy, Canvas, and mobile exec-approval UI from covering chat content on narrow screens. (#54842, #61514, #61598) Thanks @neeravmakwana.
  • iOS/gateway: replace string-matched connection error UI with structured gateway connection problems, preserve actionable pairing/auth failures over later generic disconnect noise, and surface reusable problem banners and details across onboarding, settings, and root status surfaces. (#62650) Thanks @ngutman.
  • TUI: route /status through the shared session-status command, keep commentary hidden in history, strip raw envelope metadata from async command notices, preserve fallback streaming before per-attempt failures finalize, and restore Kitty keyboard state on exit or fatal crashes. (#49130, #59985, #60043, #61463) Thanks @biefan and contributors.
  • iOS/Watch exec approvals: keep Apple Watch review and approval recovery working while the iPhone is locked or backgrounded, including reconnect recovery, pending approval persistence, notification cleanup, and APNs-backed watch refresh recovery. (#61757) Thanks @ngutman.
  • Agents/context overflow: combine oversized and aggregate tool-result recovery in one pass and restore a total-context overflow backstop so recoverable sessions retry instead of failing early. (#61651) Thanks @Takhoffman.
  • Auth/OpenAI Codex OAuth: reload fresh on-disk credentials inside the locked refresh path and retry once after refresh_token_reused rotates only the stored refresh token, so relogin/restart recovery stops getting stuck on stale cached auth state. Thanks @owen-ever.
  • Auth/OpenAI Codex OAuth: keep native /model ...@profile selections on the target session and honor explicit user-locked auth profiles even when per-agent auth order excludes them. (#62744) Thanks @jalehman.
  • Providers/Anthropic: preserve thinking blocks for Claude Opus 4.5+, Sonnet 4.5+, and newer Claude 4-family models so prompt-cache prefixes keep matching, and skip service_tier injection on OAuth-authenticated stream wrapper requests so Claude OAuth streaming stops failing with HTTP 401. (#60356, #61793)
  • Agents/Claude CLI: surface nested API error messages from structured CLI output so billing/auth/provider failures show the real provider error instead of an opaque CLI failure.
  • Agents/exec: preserve explicit host=node routing under elevated defaults when tools.exec.host=auto, fail loud on invalid elevated cross-host overrides, and keep strictInlineEval commands blocked after approval timeouts instead of falling through to automatic execution. (#61739) Thanks @obviyus.
  • Nodes/exec approvals: keep host=node POSIX transport shell wrappers (/bin/sh -lc ...) aligned with inner-command allowlist analysis so allowlisted scripts stop prompting unnecessarily, while Windows cmd.exe wrapper runs stay approval-gated. (#62401) Thanks @ngutman.
  • Nodes/exec approvals: keep Windows cmd.exe /c wrapper runs approval-gated even when env carriers, including env-assignment carriers, wrap the shell invocation. (#62439) Thanks @ngutman.
  • Gateway tool/exec config: block model-facing gateway config.apply and config.patch writes from changing exec approval paths such as safeBins, safeBinProfiles, safeBinTrustedDirs, and strictInlineEval, while still allowing unchanged structured values through. (#62001) Thanks @eleqtrizit.
  • Host exec/env sanitization: block dangerous Java, Rust, Cargo, Git, Kubernetes, cloud credential, config-path, and Helm env overrides so host-run tools cannot be redirected to attacker-chosen code, config, credentials, or repository state. (#59119, #62002, #62291) Thanks @eleqtrizit and contributors.
  • Commands/allowlist: require owner authorization for /allowlist add and /allowlist remove before channel resolution, so non-owner but command-authorized senders can no longer persistently rewrite allowlist policy state. (#62383) Thanks @pgondhi987.
  • Feishu/docx uploads: honor tools.fs.workspaceOnly for local upload_file and upload_image paths by forwarding workspace-constrained localRoots into the media loader, so docx uploads can no longer read host-local files outside the workspace when workspace-only mode is active. (#62369) Thanks @pgondhi987.
  • Network/fetch guard: drop request bodies and body-describing headers on cross-origin 307 and 308 redirects by default, so attacker-controlled redirect hops cannot receive secret-bearing POST payloads from SSRF-guarded fetch flows unless a caller explicitly opts in. (#62357) Thanks @pgondhi987.
  • Browser/SSRF: treat main-frame document redirect hops as navigations even when Playwright does not flag them as isNavigationRequest(), so strict private-network blocking still stops forbidden redirect pivots before the browser reaches the internal target. (#62355) Thanks @pgondhi987.
  • Browser/node invoke: block persistent browser profile create, reset, and delete mutations through browser.proxy on both gateway-forwarded node.invoke and the node-host proxy path, even when no profile allowlist is configured. (#60489)
  • Gateway/node pairing: require a fresh pairing request when a previously paired node reconnects with additional declared commands, and keep the live session pinned to the earlier approved command set until the upgrade is approved. (#62658) Thanks @eleqtrizit.
  • Gateway/auth: invalidate existing shared-token and password WebSocket sessions when the configured secret rotates, so stale authenticated sockets cannot stay attached after token or password changes. (#62350) Thanks @pgondhi987.
  • MS Teams/security: validate file-consent upload URLs against HTTPS, Microsoft/SharePoint host allowlists, and private-IP DNS checks before uploading attachments, blocking SSRF-style consent-upload abuse. (#23596)
  • Media/base64 decode guards: enforce byte limits before decoding missed base64-backed Teams, Signal, QQ Bot, and image-tool payloads so oversized inbound media and data URLs no longer bypass pre-decode size checks. (#62007) Thanks @eleqtrizit.
  • Runtime event trust: mark background notifyOnExit summaries, ACP parent-stream relays, and wake-hook payloads as untrusted system events so lower-trust runtime output no longer re-enters later turns as trusted System: text. (#62003)
  • Auto-reply/media: allow managed generated-media MEDIA: paths from normal reply text again while still blocking arbitrary host-local media and document paths, so generated media keep delivering without reopening host-path injection holes.
  • Gateway/status and containers: auto-bind to 0.0.0.0 inside Docker and Podman environments, and probe local TLS gateways over wss:// with self-signed fingerprint forwarding so container startup and loopback TLS status checks work again. (#61818, #61935) Thanks @openperf and contributors.
  • Gateway/OpenAI-compatible HTTP: abort in-flight /v1/chat/completions and /v1/responses turns when clients disconnect so abandoned HTTP requests stop wasting agent runtime. (#54388) Thanks @Lellansin.
  • macOS/gateway version: strip trailing commit metadata from CLI version output before semver parsing so the Mac app recognizes installed gateway versions like OpenClaw 2026.4.2 (d74a122) again. (#61111) Thanks @oliviareid-svg.
  • Sessions/model selection: resolve the explicitly selected session model separately from runtime fallback resolution so session status and live model switching stay aligned with the chosen model.
  • Discord/ACP bindings: canonicalize DM conversation identity across inbound messages, component interactions, native commands, and current-conversation binding resolution so --bind here in Discord DMs keeps routing follow-up replies to the bound agent instead of falling back to the default agent.
  • Discord: recover forwarded referenced message text and attachments when snapshots are missing, use ws:// again for gateway monitor sockets, stop forcing a hardcoded temperature for Codex-backed auto-thread titles, and harden voice receive recovery so rapid speaker restarts keep their next utterance. (#41536, #61670) Thanks @artwalker and contributors.
  • Slack/thread mentions: add channels.slack.thread.requireExplicitMention so Slack channels that already require mentions can also require explicit @bot mentions inside bot-participated threads. (#58276) Thanks @praktika-engineer.
  • Slack/threading: keep legacy thread stickiness for real replies when older callers omit isThreadReply, while still honoring replyToMode for Slack's auto-created top-level thread_ts. (#61835) Thanks @kaonash.
  • Slack/media: keep attachment downloads on the SSRF-guarded dispatcher path so Slack media fetching works on Node 22 without dropping pinned transport enforcement. (#62239) Thanks @openperf.
  • Matrix/onboarding: add an invite auto-join setup step with explicit off warnings and strict stable-target validation so new Matrix accounts stop silently ignoring invited rooms and fresh DM-style invites unless operators opt in. (#62168) Thanks @gumadeiras.
  • Matrix/formatting: preserve multi-paragraph and loose-list rendering in Element so numbered and bulleted Markdown keeps their content attached to the correct list item. (#60997) Thanks @gucasbrg.
  • Telegram/doctor: keep top-level access-control fallback in place during multi-account normalization while still promoting legacy default auth into accounts.default, so existing named bots keep inherited allowlists without dropping the legacy default bot. (#62263) Thanks @obviyus.
  • Plugins/loaders: centralize bundled dist/** Jiti native-load policy and keep channel, public-surface, facade, and config-metadata loader seams off native Jiti on Windows so onboarding and configure flows stop tripping ERR_UNSUPPORTED_ESM_URL_SCHEME. (#62286) Thanks @chen-zhang-cs-code.
  • Plugins/channels: keep bundled channel artifact and secret-contract loading stable under lazy loading, preserve plugin-schema defaults during install, and fix Windows file:// plus native-Jiti plugin loader paths so onboarding, doctor, openclaw secret, and bundled plugin installs work again. (#61832, #61836, #61853, #61856) Thanks @Zeesejo and contributors.
  • Plugins/ClawHub: verify downloaded plugin archives against version metadata SHA-256, fail closed when archive integrity metadata is missing or malformed, and tighten fallback ZIP verification so plugin installs cannot proceed on mismatched or incomplete ClawHub package metadata. (#60517) Thanks @mappel-nv.
  • Plugins/provider hooks: stop recursive provider snapshot loads from overflowing the stack during plugin initialization, while still preserving cached nested provider-hook results. (#61922, #61938, #61946, #61951)
  • Docker/plugins: stop forcing bundled plugin discovery to /app/extensions in runtime images so packaged installs use compiled dist/extensions artifacts again and Node 24 containers do not boot through source-only plugin entry paths. Fixes #62044. (#62316) Thanks @gumadeiras.
  • Providers/Ollama: honor the selected provider's baseUrl during streaming so multi-Ollama setups stop routing every stream to the first configured Ollama endpoint. (#61678)
  • Providers/Ollama: stop warning that Ollama could not be reached when discovery only sees empty default local stubs, while still keeping real explicit Ollama overrides loud when the endpoint is unreachable.
  • Providers/xAI: recognize api.grok.x.ai as an xAI-native endpoint again and keep legacy x_search auth resolution working so older xAI web-search configs continue to load. (#61377) Thanks @jjjojoj.
  • Providers/Mistral: send reasoning_effort for mistral/mistral-small-latest (Mistral Small 4) with thinking-level mapping, and mark the catalog entry as reasoning-capable so adjustable reasoning matches Mistral’s Chat Completions API. (#62162) Thanks @neeravmakwana.
  • OpenAI TTS/Groq: send wav to Groq-compatible speech endpoints, honor explicit responseFormat overrides on OpenAI-compatible paths, and only mark voice-note output as voice-compatible when the actual format is opus. (#62233) Thanks @neeravmakwana.
  • Tools/web_fetch and web_search: fix TypeError: fetch failed caused by undici 8.0 enabling HTTP/2 by default; pinned SSRF-guard dispatchers now explicitly set allowH2: false to restore HTTP/1.1 behavior and keep the custom DNS-pinning lookup compatible. (#61738, #61777) Thanks @zozo123.
  • Tools/web search/Exa: show Exa Search in onboarding and configure provider pickers again by marking the bundled Exa provider as setup-visible. Thanks @vincentkoc.
  • Memory/vector recall: surface explicit warnings when sqlite-vec is unavailable or vector writes are degraded, and strip managed Light Sleep and REM blocks before daily-note ingestion so memory indexing and dreaming stop reporting false-success or re-ingesting staged output. (#61720) Thanks @MonkeyLeeT.
  • Memory/dreaming: make Dreams config reads and writes respect the selected memory slot plugin instead of always targeting memory-core. (#62275) Thanks @SnowSky1.
  • QQ Bot/media: route gateway-side attachment and fallback downloads through guarded QQ/Tencent HTTPS fetches so QQ media handling no longer follows arbitrary remote hosts.
  • Browser/remote CDP: retry the DevTools websocket once after remote browser restarts so healthy remote browser profiles do not fail availability checks during CDP warm-up. (#57397) Thanks @ThanhNguyxn07.
  • UI/light mode: target both root and nested WebKit scrollbar thumbs in the light theme so page-level and container scrollbars stay visible on light backgrounds. (#61753) Thanks @chziyue.
  • Agents/subagents: honor sessions_spawn(lightContext: true) for spawned subagent runs by preserving lightweight bootstrap context through the gateway and embedded runner instead of silently falling back to full workspace bootstrap injection. (#62264) Thanks @theSamPadilla.
  • Cron: load jobId into id when the on-disk store omits id, matching doctor migration and fixing unknown cron job id for hand-edited jobs.json. (#62246) Thanks @neeravmakwana.
  • Agents/model fallback: classify minimal HTTP 404 API errors (for example 404 status code (no body)) as model_not_found so assistant failures throw into the fallback chain instead of stopping at the first fallback candidate. (#62119) Thanks @neeravmakwana.
  • BlueBubbles/network: respect explicit private-network opt-out for loopback and private serverUrl values across account resolution, status probes, monitor startup, and attachment downloads, while keeping public-host attachment hostname pinning intact. (#59373) Thanks @jpreagan.
  • Agents/heartbeat: keep heartbeat runs pinned to the main session so active subagent transcripts are not overwritten by heartbeat status messages. (#61803) Thanks @100yenadmin.
  • Agents/heartbeat: respect disabled heartbeat prompt guidance so operators can suppress heartbeat prompt instructions without disabling heartbeat runtime behavior.
  • Agents/compaction: stop compaction-wait aborts from re-entering prompt failover and replaying completed tool turns. (#62600) Thanks @i-dentifier.
  • Approvals/runtime: move native approval lifecycle assembly into shared core bootstrap/runtime seams driven by channel capabilities and runtime contexts, and remove the legacy bundled approval fallback wiring. (#62135) Thanks @gumadeiras.
  • Security/fetch-guard: stop rejecting operator-configured proxy hostnames against the target-scoped hostname allowlist in SSRF-guarded fetches, restoring proxy-based media downloads for Telegram and other channels. (#62312) Thanks @ademczuk.
  • Logging: make logging.level and logging.consoleLevel honor the documented severity threshold ordering again, and keep child loggers inheriting the parent minLevel. (#44646) Thanks @zhumengzhu.
  • Agents/sessions_send: pass threadId through announce delivery so cross-session notifications land in the correct Telegram forum topic instead of the group's general thread. (#62758) Thanks @jalehman.
  • Daemon/systemd: keep sudo systemctl calls scoped to the invoking user when machine-scoped systemctl fails, while still avoiding machine fallback for permission-denied user bus errors. (#62337) Thanks @Aftabbs.
  • Docs/i18n: relocalize final localized-page links after translation and remove the zh-CN homepage redirect override so localized Mintlify pages resolve to the correct language roots again. (#61796) Thanks @hxy91819.
  • Agents/exec: keep timed-out shell-backgrounded commands on the failed path and point long-running jobs to exec background/yield sessions so process polling is only suggested for registered sessions.
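
Added example for the Network/fetch guard entry above (cross-origin 307/308 redirects): a sketch of the next-hop decision, written for this page and not taken from OpenClaw. The function name, the allowCrossOriginBody option, the header list and the sample request are assumptions.

```javascript
// Added illustration, not OpenClaw source. Names and the header list are assumptions.

// Headers that describe a request body (the fetch spec's request-body-header
// names plus Content-Length). The project's actual list may differ.
const BODY_HEADERS = new Set([
  "content-type", "content-length", "content-encoding",
  "content-language", "content-location",
]);

// Given the request that was just answered with a redirect, build the request
// for the next hop. `prev` is { url, method, headers, body }.
function followRedirect(prev, status, location, { allowCrossOriginBody = false } = {}) {
  const from = new URL(prev.url);
  const to = new URL(location, from); // Location may be relative
  // URL.origin compares scheme + host + port with default ports normalised,
  // so https -> http on the same host still counts as cross-origin.
  const crossOrigin = from.origin !== to.origin;

  const next = {
    url: to.href,
    method: prev.method,
    headers: { ...prev.headers }, // copy, so the caller's request is not mutated
    body: prev.body,
  };

  // 307 and 308 are the statuses that re-send method and body unchanged.
  const preservesBody = status === 307 || status === 308;
  if (preservesBody && crossOrigin && !allowCrossOriginBody) {
    next.body = undefined;
    for (const name of Object.keys(next.headers)) {
      if (BODY_HEADERS.has(name.toLowerCase())) delete next.headers[name];
    }
  }
  const bodyDropped = prev.body !== undefined && next.body === undefined;
  return { ...next, crossOrigin, bodyDropped };
}

// Constructed sample: a POST carrying a secret, about to be redirected.
const sample = {
  url: "https://api.example.test/v1/upload",
  method: "POST",
  headers: { "Content-Type": "application/json", "Content-Length": "30", Accept: "*/*" },
  body: '{"token":"constructed-secret"}',
};

// Same-origin hop keeps the payload; a hop to another host does not.
const sameOrigin = followRedirect(sample, 307, "/v2/upload");
const otherHost = followRedirect(sample, 308, "https://cdn.example.net/in");
console.log(sameOrigin.bodyDropped, otherHost.bodyDropped, otherHost.headers);
```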
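
Added example for the Media/base64 decode guards entry above: one way to enforce a byte limit before decoding, by computing the decoded size from the encoded length. This is written for this page and is not OpenClaw's code; the function names and limits are hypothetical.

```javascript
// Added illustration, not OpenClaw source. Function names are hypothetical.

// Number of bytes a base64 string will decode to, computed from its length
// alone. Each non-padding character carries 6 bits. Embedded whitespace is
// counted as data, so the result can over-estimate but never under-estimate.
function base64DecodedSize(text, start = 0) {
  let end = text.length;
  while (end > start && text[end - 1] === "=") end--; // ignore padding
  return Math.floor(((end - start) * 3) / 4);
}

// Accepts raw base64 or a base64 data: URL and rejects oversized input
// before any decode buffer is allocated.
function decodeBase64Limited(input, maxBytes) {
  let start = 0;
  if (input.startsWith("data:")) {
    const comma = input.indexOf(",");
    const header = comma === -1 ? "" : input.slice(0, comma).toLowerCase();
    if (!header.endsWith(";base64")) {
      throw new TypeError("not a base64 data URL");
    }
    start = comma + 1; // payload begins after the comma
  }
  const size = base64DecodedSize(input, start);
  if (size > maxBytes) {
    throw new RangeError(`payload would decode to ${size} bytes, limit is ${maxBytes}`);
  }
  return Buffer.from(start ? input.slice(start) : input, "base64");
}

// Constructed sample: 1024 bytes of filler, raw and wrapped in a data URL.
const rawPayload = Buffer.alloc(1024, 7).toString("base64");
const dataUrl = "data:image/png;base64," + rawPayload;

// Returns true when the guard refuses the input at the given limit.
function isRejected(input, maxBytes) {
  try {
    decodeBase64Limited(input, maxBytes);
    return false;
  } catch (err) {
    return err instanceof RangeError;
  }
}

console.log(isRejected(dataUrl, 1024), isRejected(dataUrl, 1023));
```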
